IT Security Blog

Today Microsoft will release two out of band patches: one to address a vulnerability in Internet Explorer that is rated as "critical" (which typically means that there are exploits available in the wild that predicate the need to have to release an update outside of the normal "Patch Tuesday" schedule which occurs on the second Tuesday of every month.  The second patch is rated as "moderate" by Microsoft and affects Visual Studio. 

It is recommended that any out of band patches released by Microsoft be tested before being deployed on any systems, particularly those critical to the function of your organization.  After the patch has been tested in your environment, deploy it is quickly and as responsibly as possible in order to minimize your window of exploitation.  Again, generally when out of band patches are released, exploits are already available in the wild.

For more information about the patches being released today see Microsoft's web site.  More information will be posted on the details of the vulnerabilities being patched after Microsoft releases the updates.


*** UPDATE 7/28/2009 12:00pm MST *** Microsoft has released the security updates and has named them MS09-034 and MS09-035.  MS09-034 is a cumulative update for Internet Explorer and MS09-035 is an update for the Visual Studio Active Template Library (ATL).  Both vulnerabilities allow for a remote hacker to execute arbitrary code on your system.  This includes the ability to install a backdoor or Trojan on your PC.  As stated before, please test and deploy these patches as soon as you can.

 

Obviously, the folks over at Microsoft would have you believe that IE 8 is the most secure browser yet, but does anyone else agree?  Is this just more Microsoft PR spin in an effort to squelch the laughter of security professionals who have gone so far as to recommend using text based browsers before using Internet Explorer?  The answer is "IE 8 is very secure" according to a recently released report from the folks over at NSS Labs. 

In a report released on March 12, 2009, NSS Labs' tests showed that Internet Explorer 8 (RC1) outperformed several other popular browsers (Safari, Firefox, Chrome, Opera, and IE 7) in detecting malicious sites hosting 0-day attacks and web based malware.  The report also showed that 7% of the threats tested were blocked by all of the browsers and 11% were not blocked by any of them.

One of the out of the box features that was also included in IE 8 was native Clickjacking protection, being the first browser to incorporate such a feature (You can add it to Mozilla browsers via a plugin).  I have not seen any updated to some of the original stories that came out criticizing how Microsoft's Clickjacking protection works in their new browser, so it might be safe to assume that it works the same as it did during the beta and RC release phases.

If you have not seen the report, it is certainly an interesting read and one that will certainly add more fuel to the Browser Security Debate fires that are always raging.  The true test of IE 8's security will not just be in its ability to protect users from malware infected web sites, but also in patching its own vulnerabilities.  Of course, it is still up to us to install those updates.

I admit it.  I am a Firefox user.  On my Windows PC at the office and on my Ubuntu Linux personal laptop at home I use the Firefox browser.  There, I've said it.

Some of the news coming out about some of the features that will be in future versions of Google's Chrome browser may force me to rethink my current allegiances, however.  Over the past year I have become more and more unhappy with some of the increases in memory that Firefox has required and the fact that it just doesn't seem as fast as it used to be.  Granted, many applications suffer from such software bloat over time, and being a technology geek I certainly have been accused of (and rightfully so) of having a short attention span as it relates to a technology when a newer, shinier version comes out.  These factors put together have had me toying with the idea of trying out Chrome here at the office to see what all of the buzz is really about.  The lack of extension support has been the primary driver behind my not making the jump up to this point. 

One of the topics that we covered in episode 24 of the Security Buzz podcast this morning was based on a blog post that I made last week with respect to browser security and how despite some of the inherent flaws that exist in today's browser design, some of those flaws can be made up for by extensions contributed by the community (Noscript with Clearclick being my favorite example as it is currently the only browser anti-clickjacking plugin that exists).   Granted, I would love to see some of these extensions make it into the standard build of the product, but be that as it may, the capability exists for the user to contribute to the Mozilla community.  I believe that attribute sets them apart from both the IE and Chrome communities.
With RSS and extension support coming to Chrome, I believe that this will greatly increase the number of users who start using Google's browser or are willing to at least give it the chance they might previously not been willing to.  Personally, I don't use the browser for RSS feed management (indirectly, through Google Reader.  Have I already sold my soul? :) ), but the support for community contributed extensions is going to be a big deal.  Bravo! 

User contributed content has fueled the growth of the Linux operating system (in its many flavors) and has made advancements to the Mozilla suite of browsers faster than the Mozilla developers were able to deliver the functionality themselves.  Congratulations to Microsoft on the release of the IE 8 browser, but I believe that they could learn a thing or two by taking a page out of the Mozilla and now Chrome playbooks.