Report from 9-17-2012 article in Huffington Post
I had an employee inform me of a comment her bank made to her about using Internet Explorer to do online banking at this time because of the Microsoft Warning. I didn't see this warning until I researched it and even then I had a hard time finding recent information on it.
Internet Explorer Security Warning: Microsoft Cautions On Zero-Day Browser Exploit
* Company says PCs vulnerable to attack by malicious sites
* Microsoft says free security tool can protect against attacks
* Warning affects hundreds of millions of Internet Explorer users
* Security experts say it may be easier to use another browser
By Jim Finkle
BOSTON, Sept 17 (Reuters) - Microsoft Corp warned a newly discovered bug in its Internet Explorer web browser makes PCs vulnerable to attack by hackers and urged customers to download a piece of security software to mitigate the risk of infection.
The security flaw affects hundreds of millions of Internet Explorer browser users. Microsoft said attackers can exploit the bug to infect the PC of somebody who visits a malicious website and then take control of the victim's computer.
The software maker advised customers on its website late on Monday to install the security software as an interim measure, buying it time to fix the bug and release a new, more secure version of Internet Explorer. The company did not say how long that will take, but several security researchers said they expect the update within a week.
The free security tool, which is known as the Enhanced Mitigation Experience Toolkit, or EMET, is available through an advisory on Microsoft's website:
The EMET software must be downloaded, installed and then manually configured to protect computers from the newly discovered threat, according to the posting from Microsoft. The company also advised customers to adjust several Windows security settings to thwart potential attackers, but cautioned that doing so might impact the PC's usability.
Some security experts said it would be too cumbersome for many PC users to implement the measures suggested by Microsoft. Instead they advised Windows users to temporarily switch from Internet Explorer to rival browsers such as Google Inc's Chrome, Mozilla's Firefox or Opera Software ASA's Opera.
Message was edited by: sol on 9/20/12 9:18:05 AM CDT
Microsoft are actually pretty good at getting information out to users when something like this happens. Much better certainly than one company I know of with a vaguely Scottish-sounding name. Since news of a new zero-day vulnerability in IE first appeared about a week ago Microsoft have been releasing a stream of status updates. Those updates are on blogs on the Microsoft site, but they've made sure that the online computer news outlets - CNET, ComputerWorld, InfoWorld and others - have picked up the news and made it available. They even - other companies take note - talk to the press to make sure the news is spread as widely as possible.
IT pros will have picked up the news pretty quickly, but the mainstream news outlets were on to the story as well. There are reports about it on the BBC site (here and here). Short of taking out advertisements on prime-time TV, I don't see how much more they could have done.
As for the embarrassment factor, Microsoft haven't tried to downplay the importance of this. No point in doing so, when so many security analysts have been advising people to stop using one of their key products until the vulnerability is fixed. Especially not when the issue is important enough to be the subject of a US-CERT Vulnerability Note.
Thanks Hayden! I should eye my US-CERT notifications better and maybe I would have seen it.
I have had times when someone alerts me to something and I can go online, type it in the search, and find all kinds of information about it and from the sites you spoke of. However, this time those articles were not found in the search results.
All I could find was the Huffington Post article and now I see another post. I used "Microsoft Internet Explorer warning" as my search.
Oh well, I wanted to make sure others were alerted to this. I really didn't have a question but the discussion wanted me to post it as a question so I asked this question... lol glad it is Friday
Just updated all my non-Windows 8 systems with a critical update for IE9 and in Windows 8 a critical Flash update for IE10.
I finally got the IE update, but only because I went to the site and requested an update check. The servers must be busy, because there was a much longer wait than usual while the pre-download checks were carried out.
Peter, what's the version of Flash you have in IE10? That's about the third version update in the past couple of weeks.
And as for the Microsoft advice to install and use EMET to make malware exploits harder to achieve, I downloaded it and set it running without any problems, and it's sitting there with minimal memory use and no performance hit that I can see. There's a Notifier in the System Tray that will show a pop-up if EMET detects any potential attack or if a particular mitigation can't be used with an application it's monitoring.
I added a link in the original post to an article by Brian Krebs which discusses this IE issue and the use of EMET. The comments to the article are extremely useful, but perhaps the most noteworthy point Brian Krebs makes is that for Vista and Win7 the IE exploit would only have worked if Java were installed (it would have worked in XP even without Java).
According to IE10 > Manage Add-ons it is 11.3.347.7
According to Adobe it's the same plus Shockwave just asked to update and is now: 11.6.7r637
Sorry to jump in on this, but the latest (as of today anyway from Adobe) version of Flash (both plugin and ActiveX) is: 11.4.402.278
Not sure if the ActiveX version will work on Win8/IE10.
The latest version of Shockwave is: 18.104.22.1687 as Peter said.
In Firefox on Win 8 it's 11,4,402,265 but in IE10 the highest available according to Windows Update is as I said. Flash Player for IE10 must be updated through Windows Update only; it won't even allow you to install it directly from Adobe's website.
Message was edited by: Ex_Brit on 22/09/12 12:45:09 EDT PM
No sooner than I posted this I also discovered that the Shockwave release, which has the same release numbers, was updated to 9/19/2012 instead of the 9/16/2012 release I had previously. They are different in size. Not sure what the difference is, but noted that it is different.