News

License plate reader firm releases dubious poll to show public support

Vigilant Solutions also makes cops vow secrecy before using its technologies.

BBC: Involve all staff in cyber security education

Every member of staff in an organisation should learn about cyber security and their responsibilities, according to David Jones, head of information security at the BBC. Speaking at security conference Infosec this week, Jones added that security inci...

Microsoft issues fix for IE zero-day flaw amid fresh attacks

Microsoft has issued an emergency security update for all versions of its Internet Explorer browser. The update will patch a zero-day flaw reported on 26 April that has already been used in live attacks. The software firm's next monthly update is due on Tuesday 6 May, but the latest fix was rushed out independently last night. The fact that the software firm has issued an update in under a week outside its normal monthly update cycle, and included Windows XP, underlines the seriousness of the threat. Security commentators said businesses and consumers should ensure the security update is installed without delay.
Microsoft said it was making an exception for Windows XP because the flaw was discovered so soon after the company officially ended support for the operating system on 8 April. But security firm FireEye has revealed that new exploits of the flaw are being used in live attacks against IE 8 to 11 and 7 and 8 on Windows XP. “We have also observed that multiple, new threat actors are now using the exploit in attacks and have expanded the industries they are targeting,” the firm said in a blog post. Besides previously observed attacks against the defense and financial sectors, organisations in the government and energy sectors are also facing attack.
Microsoft issued a security advisory after reports of “limited, targeted attacks” to exploit the flaw affecting Internet Explorer (IE) versions 6 to 11. The company warned that attackers could exploit the flaw to gain the same user rights as the current user. This means that if the current user is logged on with administrative user rights, an attacker could take complete control of a targeted system. The attacker could then install programs and view, change and delete data, as well as create new accounts with full user rights.
According to NetMarket Share, the affected versions of IE account for more than half of the global browser market, affecting millions of businesses and consumers. Microsoft said that most IE users have automatic updates enabled and will not need to take any action.
“Out-of-band updates are a big deal,” said Trey Ford, global security strategist at security firm Rapid7. “To interrupt a scheduled development cycle for an emergency patch is a noteworthy event where a vendor is placing the public good ahead of their development and delivery lifecycle,” he said.
Chris Goettl, product manager at security firm Shavlik, said it is in Microsoft’s best interest to plug this vulnerability for Windows XP as the operating system will be in circulation for a while yet. “One can hope there are a few hackers out there wearing long faces knowing that this patch will likely be rolled out to XP systems as soon as possible,” he said.

Obama panel supports warrant requirement for e-mail, cloud content

Congress has punted on issue for years. E-mail, cloud data to remain exposed.

Facebook Unveils Anonymous Login at F8 Developer Meetup

The feature will enable Facebook members to log in to new apps namelessly until they feel comfortable trusting app makers with their personal data.
Facebook made news April 30 at its F8 developers' conference in San Francisco by introducing a revamped mobile app development platform. It also broke some new ground by revealing that it will allow users to access applications without having to identify themselves each time to the app. In other words, users already logged in to Facebook won't have to reidentify themselves when opening an app from its store, risking a second identity connection with the app provider that could be compromised in some way.
The 1.28 billion-member social network already knows so much about you, your friends, and your likes and dislikes that it needs to know less about who exactly uses its apps. It still wants to know how, when and where people are using them and for what purposes; the company just doesn't need to have names and faces attached to all those requests.
Hope to Calm Increasing Privacy Concerns
The strategy is designed to help calm increasing fears about better securing personal information, and users are likely to favor it. But Facebook needs to get its community of developers on board with this idea first, and that's much of what it laid out at the daylong F8 meetup.
The new Anonymous Login feature will enable Facebook members to log in to new apps namelessly until they feel comfortable trusting app producers with their personal data. Facebook, however, will still need to transmit some form of unique identification to the app, most likely in the form of an encrypted ID number.
"This is going to let you try apps without fear. And if you want, you can always sign in with your real identity," CEO Mark Zuckerberg told a full house at the Concourse in San Francisco. "People want more control over how they share their information, especially over apps."
The new feature, however, is only one facet of the new Facebook mobile development platform introduced by the Menlo Park, Calif.-based social network on April 30.
"We all want identity across platforms, sharing across platforms, push notifications across platforms, app installs, and even monetization. This is what Facebook Platform is all about," Zuckerberg said in rallying developers around the profit potential of the platform. "Building the cross-platform tools that you need to build, grow and monetize your apps everywhere."
Facebook Working on These Tools Anyway
Zuckerberg said that "it's natural for us to focus on these things, because a lot of these same tools we needed to build for ourselves in order to help more than a billion people connect across all these different systems."
Facebook now is using a new log-in management system that allows users to choose from a list of personal information they want to share or keep private, including such items as email address, movie and music favorites, and others. There is significant use of this system; in 2013 alone, Facebook users logged in to apps more than 10 billion times.
Facebook is now testing Anonymous Login with a small team of developers and plans to offer it to a wider group in a few months.

Internet Users Failing to Protect Themselves From Heartbleed

New data from Pew indicates that while many have heard of Heartbleed, less than half of those Internet users have taken steps to protect themselves. The Heartbleed security vulnerability that was first disclosed...

Microsoft’s decision to patch Windows XP is a mistake

There will always be one more emergency.

Yahoo is the latest company ignoring Web users’ requests for privacy

“Do Not Track” has largely been a failure.

FindTheBest may be first to gain from Supreme Court’s patent fee...

Startup wants back the $200k it spent to quash troll with a "matchmaking" patent.

Original Mt. Gox founder: “I lost around $50,000” in site’s collapse

Jed McCaleb sold Mt. Gox to Mark Karpeles in 2011 and retains a 12 percent stake.

Global press freedoms fall in wake of Snowden revelations

Report underscores that deterioration of media rights is reaching open societies.

Microsoft Updates Windows XP Users for IE Zero-Day

Microsoft releases an emergency update for the Internet Explorer vulnerability. Microsoft isn't quite yet ready to abandon its Windows XP users to security threats. Today Microsoft is releasing an emergency out-...