19 August 2015

Microsoft issues emergency patch for all versions of Windows

This is the second "critical" out-of-band patch issued in as many months.

By Zack Whittaker for Zero Day | August 18, 2015
Source: ZDNet

It's all Internet Explorer's fault -- again.

Microsoft has released an emergency out-of-band patch for a "critical"-rated security vulnerability, affecting all supported versions of Windows.

The software giant said in an advisory Tuesday that users visiting a specially-crafted website can lead to remote code execution on an affected machine.

The zero-day flaw (classified as CVE-2015-2502) works by exploiting a flaw in how Internet Explorer handles objects in memory. If successfully exploited, an attacker could "gain the same user rights as the current user," the advisory said. Those running administrator accounts are particularly at risk, it said.

Simply put: this flaw could allow an affected Windows machine to be taken over by an attacker.

It does not appear that the vulnerability is currently being exploited by hackers.

Microsoft's new Edge browser, which lands in Windows 10, is not affected by the vulnerability. The patch is available over Windows Update or through Microsoft's website.

Google security researcher Clement Lecigne was credited with finding the flaw.

This latest critical patch comes a week after the company's scheduled monthly roundup of security fixes were released to customers.

Whether or not, however, this sets a trend for Microsoft remains to be seen. This is the second month in a row the company has issued an out-of-band update.

Last month, just days after its usual monthly round of security updates, the software giant released an out-of-band patch for a critical flaw that, if exploited, could allow a hacker to effectively take over an affected machine.

A Microsoft spokesperson said in a statement: "Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible."

"We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Today, Microsoft released Security Bulletin MS15-093 to further protect customer devices from security vulnerabilities affecting Internet Explorer. Microsoft Edge was not affected. Customers who have Windows Update enabled and applied the August Security Updates, are protected automatically," the spokesperson added.

12 August 2015

Attackers can access Dropbox, Google Drive, OneDrive files without a user's password

The so-called "man-in-the-cloud" attack is said to be a common flaw in most cloud-based file synchronization services.

By Zack Whittaker for Zero Day | August 6, 2015

Hackers don't even need your password anymore to get access to your cloud data.

Newly published research, released at the Black Hat conference in Las Vegas on Wednesday by security firm Imperva, shows how a "man-in-the-cloud" attack can grab cloud-based files -- as well as infecting users with malware -- without users even noticing.

The attack differs from traditional man-in-the-middle attacks, which rely on tapping data in transit between two servers or users, because it exploits a vulnerability in the design of many file synchronization offerings, including Google, Box, Microsoft, and Dropbox services.

This is not just an issue for consumers, but also businesses, which increasingly use cloud-based services to share sensitive customer and corporate data.

The report by Imperva, which has a research unit as well as having a commercial stake in the security space, said in some cases "recovery of the account from this type of compromise is not always feasible."