Microsoft Issues Emergency Update for Internet Explorer

Officially, Internet Explorer is dead. Microsoft has discontinued the browser as of IE11 and replaced it with Edge. IE is, however, still maintained alongside the operating systems that it ran on, which means it’ll keep getting security updates throughout the lifetime of Windows 7 and 8. Microsoft has just issued an emergency security update for the browser to fix a flaw it says is already under active exploitation, though details on exactly how it’s being exploited have not been provided.

The company has published CVE-2018-8653, which describes a remote code execution vulnerability in the way the IE scripting engine handles objects in memory. An attacker who successfully exploits it would gain the same privileges as the currently logged-in user, including the ability to add and remove programs, view or change data, or create new user accounts with full administrator rights. The update plugs the hole by changing how the scripting engine handles objects in memory.

Microsoft is particularly warning against web-based attacks, however, writing:

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

Microsoft learned about the exploit from Google engineer Clement Lecigne, according to ComputerWorld. The bug is a classic zero-day, meaning it’s already in the wild and being exploited — that’s why Microsoft is pushing a patch out now, instead of waiting for the usual update cycle on January 8.

The vulnerability affects the version of IE11 that shipped with Windows 7 to Windows 10, along with Windows Server 2012, 2016, and 2019. IE9 (Windows Server 2008) and IE10 (Windows Server 2012) are also impacted. Presumably, any older IE installations on Windows 7 are also impacted, but IE11 is the only version still supported. Users with Windows Update should have already received a security patch, but Windows 10 users can manually check for updates here. Other users can manually check here.

Anyone still using IE11 for any reason is generally advised to stop doing that by moving to Edge, Chrome, or Firefox. Unfortunately, even in 2018, there are still a handful of sites that only play well in IE. This is an indirect example of why allowing any single browser to so dominate the market is a bad idea (in relation to Chrome) — we’re literally still dealing with the fact that IE once held something like 95 percent of the browser market, even though that hasn’t been true for nearly 15 years.
