http://www.extremetech.com/computing/143274-internet-explorer-flaw-lets-websites-track-your-every-mouse-movement-and-ms-refuses-to-fix-it

Internet Explorer flaw lets websites track your every mouse movement, and MS refuses to fix it

If you don’t want to be tracked, you do have options available. Firstly, you can switch to a different browser. Chrome or Firefox are fantastic options, and they aren’t affected by this flaw. Secondly, you could turn off JavaScript in IE. While this does hinder the usefulness of most modern websites, it will prevent IE from passing on your mouse movements. These aren’t optimal solutions, but Microsoft has given us little choice in the matter. Unless it steps up and patches this flaw, it just isn’t safe to use IE with JavaScript turned on.

http://www.computerworld.com/s/article/9231620/Clues_experts_say_Microsoft_knew_of_IE_zero_day_for_weeks_before_patching

Clues, experts say Microsoft knew of IE zero-day for weeks before patching

Bug-bounty program may have reported the browser flaw to Redmond in July

Thanks jimlin87

http://www.stuff.co.nz/technology/digital-living/7700385/Germany-urges-public-to-stop-using-Internet-Explorer

Germany urges public to stop using Internet Explorer

Some security experts had said it would be too cumbersome for many PC users to implement the measures suggested by Microsoft. Instead they advised Windows users to temporarily switch from Internet Explorer to rival browsers such as Google Inc's Chrome, Mozilla's Firefox or Opera Software ASA's Opera.

Internet Explorer was the world's second-most widely used browser last month, with about 33 percent market share, according to StatCounter. It was close behind Chrome, which had 34 percent of the market.

Hello hotdoge3

Thanks for this

for those that don't know about EMET here is some info on EMET and how to use it

EMET - A new Windows security mitigation toolkit

http://www.dedoimedo.com/computers/windows-emet.html

Regards

:)

http://www.stuff.co.nz/technology/digital-living/7695185/Microsoft-urges-IE-users-to-install-tool

Microsoft urges IE users to install tool

Microsoft has urged Windows users on Monday to install a free piece of security software to protect PCs from a newly discovered bug in the Internet Explorer browser.

The security flaw, which researchers say could allow hackers to take remote control of an infected PC, affects Internet Explorer browsers
The free security tool, which is known as the Enhanced Mitigation Experience Toolkit, or EMET, is available on Microsoft's website.

McAfee security division, said it might be a daunting task for home users to locate, download and install the EMET tool.

"For consumers it might be easier to simply click on Chrome," Marcus said.

I use Firefox it up to you just don't use IE [IE6 not fix IE7 no good IE8 ?] was ok

https://www.zdnet.com/blog/security/attack-code-published-for-critical-ie-flaw-patch-your-browser-now/12493

Attack code published for 'critical' IE flaw; Patch your browser now
Summary: Microsoft has confirmed that this flaw is being used in “limited attacks” but the company has not (yet) updated its MS12-037 bulletin to make it clear that public exploit code is now widely available.
[ 'State-sponsored attackers' using IE zero-day to hijack GMail accounts ]
The vulnerability (CVE-2012-1875) is a remote code execution flaw in the way that Internet Explorer accesses an object that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
According to McAfee, the live attacks started as far back at June 1, 2012:
The exploit works across all major Windows platforms, including Windows Vista and Windows 7.

https://blogs.mcafee.com/mcafee-labs/active-zero-day-exploit-targets-internet-explorer-flaw

The exploit works across all major Windows platforms, including Windows Vista and Windows 7. It leverages return-oriented programming (ROP) exploitation technology to bypass with data execution (DEP) and address space layout randomization (ASLR) protections, and hook-hopping evasion techniques to evade host-based IPS detections. It requires the victim’s system to run an old Java virtual machine that came with a non-ASLR version of msvcr71.dll. If Java is not installed or there is no non-ASLR version of msvcr71.dll in the system, the exploit won’t work, although it will cause IE to crash

http://www.theregister.co.uk/2012/06/22/firefox_new_tab_security_concerns/

Firefox 'new tab' feature exposes users' secured info: Fix promised
Unlucky version 13 not ideal, Mozilla admits
Privacy-conscious users have sounded the alarm after it emerged the "New Tab" thumbnail feature in Firefox 13 is "taking snapshots of the user's HTTPS session content".
Reg reader Chris discovered the feature after opening a new tab only to be "greeted by my earlier online banking and webmail sessions complete with account numbers, balances, subject lines etc.
"This content is behind a secure login for a reason," Chris added.
Firefox 13 was released on 5 June, adding new features including updated new tab and home tab pages. The updated new tab page feature is broadly akin to the Speed Dial feature already present in other browsers and displays cached copies of a user's most visited websites.

yes, Robert, I am unable to view my Comcast webmail personal folders - so I'll do what you suggest and see what happens. By the way, I never use standalone progams anymore (whether Outlook or other ones) - in case of hard-drive crashes & potential loss of mail.

Webmail is (and has been) my preferred method. Thanks for your advice.

You're still puzzling me...lol..you mean you're using the webmail interface and you can't see any folders?Or you just can't you see any of your messages?
Or are you using outlook or similar to retrieve/send messages?
Anyways,you could try compatibility view in IE or/and clean up all cookies/cache(IE/FF)for the webmail interface.

Actually, it's my Comcast webmail on IE9 & FF10. All other webmail is fine.
Thanks for any and all help you may provide - I'll also contact Comcast.

I know nothing about AOL or MSN...Which email program? And what versions of IE and FF?

bringing this back to top - doe someone know possible solutions? Thanks, in advance, for your help.

Hi all, am hoping to pick your intelligent brains, if I may.

Recently, my eMail folders have been invisible in FF & IE, but not in AOL or MSN. Am not sure what the problem is or what I may have done (if anything) to cause this.

Would appreciate your thoughts on the matter - and thanks (in advance) for your help.

Best,
Inas

http://www.yourbrowsermatters.org/#/home

http://www.zdnet.com/blog/networking/internet-explorer-is-the-safest-web-browser-ha/1546

Yes, that includes IE 9, the best and most up-to-date IE which is only available on Windows 7. Isn’t it funny how Microsoft claims that IE 9 is the most secure of its browser family, but somehow it has to have the same problems fixed that exist in IE 6, 7, and 8? Could it be that it’s really not that different after all from the rest of its historically insecure family?

http://www.zdnet.com/blog/networking/chrome-15-the-best-browser-keeps-getting-better-review/1584?tag=nl.e539
http://www.zdnet.com/blog/security/internet-explorer-9-haunted-by-critical-security-vulnerabilities/9590?tag=nl.e539

Summary: Microsoft fixes drive-by download flaws in the latest version of its dominant Internet Explorer browser and warns that exploits could emerge within 30 days.
Microsoft’s shiny new Internet Explorer 9 browser contains critical security vulnerabilities that expose users to drive-by download attacks, the company warned today.

http://blog.mozilla.com/addons/2011/08/11/strengthening-user-control-of-add-ons/
Strengthening User Control of Add-ons

http://www.techrepublic.com/blog/tech-manager/protect-your-systems-from-the-dangers-of-web-browsing/6749?tag=nl.e064
Protect your systems from the dangers of web browsing
Takeaway: Here are the most common myths around web browsing and the necessary steps to take to ensure a safe and secure browsing environment for all your users.
Mark Twain once quipped, “It’s not what you don’t know that gets you into trouble, it’s what you know for sure that just isn’t so.”

Firefox is the best only if you add MyWOT, NoScript, Adblock, Bitdefender Trafficlight.
All free from firefox add-ons

And who bothers to listen to Microsoft? Especially in regard to browsers!

http://www.v3.co.uk/v3-uk/news/2117316/mozilla-slams-microsoft-browser-testing-tool-rates-firefox-poor-security

"Microsoft's site is more notable for the things it fails to include: security technologies such as HSTS, privacy tools such as Do Not Track, and vendor response time when vulnerabilities are discovered."
Unsurprisingly, Mozilla, along with Google, supports the HSTS (HTTP Strict Transport Security)

http://www.zdnet.com/blog/hardware/diginotar-files-for-bankruptcy-following-hack-attack/14878?tag=nl.e539

Summary: Hack attack results in certificate authority bankruptcy.
Dutch certificate authority DigiNotar, the company hit by a cyber attack that caused fraudulent SSL certificates to be leaked into the wild, has filed for bankruptcy.
The hack was discovered July 19, and after 531 fake certificates were issued. Details of the hack weren’t made public until August.
Diginotar is not the first company forced to shut down because of online attacks. CloudNine and Blue Frog come to mind. There are others.

"banished" by Chrome & Firefox sounds so dramatic. This is actually exactly such a situation that certificates are able to deal with by design. When the security of a certificate is compromised - it is added to the list of "untrusted certificates" and it becomes worthless. In this situation DigiNotar would be issued with a new/different certificate, and DigiNotar would use it instead.

The "updates" are nothing more than adding the stolen certificates to the "untrusted" list - effectively "turning them off" (and any certificates that were created using the stolen certificates).

Sep 7 2011 - Microsoft have yet to respond in relation to their Internet Explorer browser.

Pretty poor research on their (http://hakin9.org/) part.

Revisions
• V1.0 (August 29, 2011): Advisory published.
• V2.0 (August 29, 2011): Revised to correct erroneous advisory number.
• V3.0 (September 6, 2011): Revised to announce the release of an update that addresses this issue.

http://www.microsoft.com/technet/security/advisory/2607712.mspx

All the important questions are answered in the FAQ (at the above advisory address)

Why was this advisory revised September 6, 2011?
Microsoft revised this advisory to announce the release of an update that addresses this issue. The update adds five DigiNotar root certificates to the Microsoft Untrusted Certificate Store. Typically no action is required of customers to install this update, because the majority of customers have automatic updating enabled and this update will be downloaded and installed automatically. For customers who do not have automatic updating enabled, see Microsoft Knowledge Base Article 2607712 for information on how to manually apply the update.

On August 29, 2011, Microsoft removed the trust from one DigiNotar root certificate by updating the Microsoft CTL. Why is Microsoft releasing an update?
Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certification authority. Windows XP and Windows Server 2003 do not use the Microsoft Certificate Trust List to validate the trust of a certification authority. As a result, an update is needed for all editions of Windows XP and Windows Server 2003 to protect customers.

After the CTL update on August 29, 2011, Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 users who accessed a Web site that was signed by an untrusted DigiNotar root certificate would be presented with a warning message indicating that the trust of the certificate could not be verified. Users were allowed to click through this warning message to access the site.

In order to protect customers more comprehensively against possible man-in-the-middle attacks, Microsoft is releasing an update that takes additional measures to protect customers by completely preventing Internet Explorer users from accessing resources of Web sites that contained certificates signed by the untrusted DigiNotar root certificates. Internet Explorer users who apply this update will be presented with an error message when trying to access a Web site that has been signed by either of the above DigiNotar root certificates. These users will not be able to continue to access the Web site.

What does the update do?
On all supported releases of Microsoft Windows, the update adds five DigiNotar root certificates to the Microsoft Untrusted Certificate Store.

How will this update change the user experience when trying to access a Web site that has been encrypted with TLS and signed by an untrusted DigiNotar root certificate?
Internet Explorer users who try to access a Web site that has been signed by an untrusted DigiNotar root certificate will be prompted with an error message. Due to the fact that this certificate is located in the Microsoft Untrusted Certificate Store, Internet Explorer will not allow users to proceed to the Web site. The Web site will remain unavailable until the Web site certificate is replaced with a new certificate that is signed by a trusted root certificate.

There are more technical questions and answers related to the issue - also in the FAQ.

http://www.v3.co.uk/v3-uk/news/2106861/diginotar-certificate-thief-revealed-iranian-comodo-hacker

The hacker behind the DigiNotar certificate authentication theft in August has been revealed as the Iranian Comodo Hacker after he admitted to the theft in a blog post.
Comodo Hacker hit the headlines in March when he hacked the Comodo system and stole nine SSL certificates. The company believed initially that the attack originated from the Iranian government, but it now seems to have been the action of one individual.

http://www.f-secure.com/weblog/archives/00002231.html

http://pastebin.com/u/ComodoHacker (This is the man)

http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html (pdf) DigiNotar public report version 1
PDF document | 13 pagina's | 407 KB | Rapport | 05-09-2011 | BZK

http://hakin9.org/dutch-ca-diginotar-banished-by-chrome-and-firefox-ie-up-next/

Dutch CA DigiNotar banished by Chrome and Firefox – IE up next?
The Dutch CA (DigiNotar) which had its network breached six days ago, in which 200 plus SSL certificates for more than 20 domains were stolen and used in the wild, has been banished into the abyss by Google Chrome and Mozilla Firefox. It appears DigiNotar hasn’t been very open when it came to the SSL system breach.
Mozilla now distrusts two DigiNotar certificates. Mozilla released Firefox 6.0.2 that removes trust exceptions for certificates issued by Staat der Nederlanden and therefore offers additional protection against fraudulent DigiNotar certificates. Firefox 6.0.2 also resolves an issue with gov.uk websites. Google has done the same with a new release of its Chrome browser which permanently blocks DigiNotars certificates. Microsoft have yet to respond in relation to their Internet Explorer browser.

LOL - "After weeks of searching.... we pwned Apple Safari... in 5 seconds".

(I guess the 5 seconds was to load the website "here's one we prepared earlier").

http://www.techweb.com/security/229300728/safari-ie-defeated-chrome-firefox-survive.html

Safari, IE Defeated, Chrome, Firefox Survive.
Shortly before the Pwn2Own hacking contest began on Tuesday, Apple released iOS 4.3 and Safari 5.0.4, patching 59 security vulnerabilities in its mobile operating system and 62 vulnerabilities in the desktop version of its browser.
The fixes affected some of the exploits security researchers had prepared for their attempt to win the hacking prize -- $15,000 for compromising the latest desktop versions of Apple's Safari, Mozilla's Firefox, or Microsoft's Internet Explorer, or $20,000 for compromising Google's Chrome.
But Apple's timely release wasn't enough. After weeks of searching for flaws with fuzzing software, security researchers from VUPEN, a penetration testing company based in France, defeated Safari 5.0.4 decisively.
"We pwned Apple Safari on Mac OS X (x64) at Pwn2Own in 5 seconds,"

http://www.techweb.com/security/229300931/google-issues-microsoft-ie-warning.html

http://googleonlinesecurity.blogspot.com/2011/03/mhtml-vulnerability-under-active.html

Google on Friday took the unusual step of issuing a security warning to users of Microsoft Internet Explorer.

http://www.pcworld.com/article/205304/chromes_and_firefoxs_plans_to_unseat_ie.html?tk=hp_new

http://www.infoworld.com/d/applications/the-best-web-browser-chrome-firefox-internet-explorer-opera-or-safari-516

http://www.infoworld.com/d/applications/hacking-your-web-browser-in-7-easy-steps-702

http://www.azarask.in/blog/post/tabcandy/ (Tab Candy: Making Firefox Tabs Sweet)

https://wiki.mozilla.org/Platform/2010-Q3-Goals

http://www.infoworld.com/d/applications/battle-the-web-browsers-html5-and-memory-tests-586?source=fssr

Yes Windows 7 64 bit is very hard to hack so say Mic$ Hear is a update,

http://www.theinquirer.net/inquirer/news/1598505/pwn2own-winner-hacks

Pwn2Own winner hacks all

THE WINNER of the Pwn2Own 2010 contest hacked everything in his path to claim £6,700 in prize money yesterday.
Miller eventually claimed the prize by breaking Apple's Mac OS X 10.6 on a MacBook, its Safari browser, Microsoft's PowerPoint, OpenOffice.org and a selection of Adobe's notoriously unsecure apps. Only Google's Chrome is left standing.

The Vole also got to watch Internet Explorer 8 bite the dust on a Windows 7 laptop thanks to the efforts of another hacker.

That's very interesting indeed,
apart of IE 8 vulnerabilities, I thought a 64 bit Windows O.S was the most difficult to be hacked.

Thank you

http://blogs.pcmag.com/securitywatch/2010/03/browsers_iphone_all_fall_like.php

The IE exploit is the most interesting because it bypasses both DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), albeit in a very cumbersome way, The researcher, Peter Vreugdenhil, explains exactly what he did in a paper on his web site.

Pwn2Own rules require the exploit code to read a particular file on the system in order to register that the exploit has run.

http://threatpost.com/en_us/blogs/hacker-exploits-ie8-windows-7-win-pwn2own-032410

Shorten URL: http://threatpost.com/en_us/OOz.

Hacker exploits IE8 on Windows 7 to Win Pwn2Own

hacking into a fully patched 64-bit Windows 7 machine using a pair of Internet Explorer vulnerabilities.
Vreugdenhil, an independent researcher who specializes in finding and exploiting client-side vulnerabilities, used several tricks to bypass ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two significant security protections built into the Windows platform.

If you have automatic updates on you will have sp3, as for sp2 updates will stop soon as for sp3 some time not work you may get can not fit roll back so I went to new,
http://www.h-online.com/security/news/item/Malware-could-be-cause-of-problems-with-Windows-XP-patch-930423.html

http://www.h-online.com/security/news/item/Symantec-says-rootkit-causes-Windows-XP-blue-screen-of-death-931280.html

Windows cannot even be started in safe mode.

What does this mean? I have Windows XP with Service Pack 2. Should I upgrade to Service Pack 3 and if so how do I do that? I currently have automatic updates turned off and only update occasionally.

hi, hotdoge3...

fortunately, my pc is not set to download & install updates automatically...for a while now, i've waited to see if there are any problems reported with the patches before installing............either way, a risk...lol...

MS ended up pulling one of the updates...if i understand correctly, some type of malware infection already on the pc will cause the BSOD if the patch is applied?...

i only read one article:
http://www.pcworld.com/businesscenter/article/189233/microsoft_says_malware_causing_blue_screen_crashes.html

http://www.theregister.co.uk/2010/02/11/ms_bsod_update_glitch/

MS update gives some XP boxes the Blue Screen. hope you all OK ?