A week in the news: IE zero days

Microsoft Internet Explorer and Adobe Flash Player zero-days replace OpenSSL Heartbleed as the primary topic of discussion in this week’s security news.

The OpenSSL Heartbleed bug may have finally fallen out of the headlines this week. In fact, thinking about it as I write this very article, it’s nearly 3 pm, and I haven’t read a Heartbleed article all day, which is wonderful. Don’t worry, though, even without the Heartbleed, we’ve got plenty to talk about:

Kaspersky Lab announced that it uncovered an Adobe Flash Player zero-day earlier this week. The company found the bug – oddly enough – using one of the very same tools it uses to uncover new malware samples. When it was discovered, the zero-day exploit was being used to target victims in Syria with a type of threat called a watering hole attack. A watering hole is a targeted attack in which an attacker plants malware on a website he thinks his intended victim is likely to visit; if and when the victim visits the compromised site, the victim’s machine becomes infected. Adobe has since released a patch for the bugs, so you should install any updates from that company as soon as possible.

Microsoft had its own zero-day problems in its Internet Explorer browser. I won’t go into the technical details of the vulnerability. However, I will tell you that the zero-day has been exploited in the wild to launch attacks against various targets and that it was apparently serious enough to warrant what Microsoft calls an “Out of Band” patch. Such patches are shipped on a day other than the company’s well-established monthly Patch Tuesday release. If a bug receives an out-of-band patch, that is usually a pretty good indicator that the bug in question was a serious one.


Just when I thought I was out, they pull me back in

Speaking of Patch Tuesday: remember earlier this month when we told you that Windows XP would no longer receive security updates? We were wrong (at least technically speaking). Because the Internet Explorer zero-day referenced above is being used to actively target Windows XP machines, Microsoft found it in their heart to send the out-of-band Internet Explorer patch to XP users as well.

AOL is back!

A number of AOL email users found themselves in a pickle recently after their accounts appeared to be used to send spam messages to the people on their contact lists. We discussed this in last week’s news recap. AOL claimed that the incident was all part of what it called a “spoofing” attack. The company initially said there was no compromise and that the sender of the emails was merely making it appear as if the messages were coming from AOL user email accounts.

If I recall correctly, last week we said that AOL’s explanation of events was odd in that – while there may indeed have been spoofing going on – it failed to account for how the attacker would have gotten his hands on all those contact lists. Sure enough, AOL admitted this week that it was in fact breached, in an announcement urging users to change their passwords. So, if you have an AOL account, this is probably a good time to change your password.

Facebook and privacy

Facebook announced a neat new feature called Anonymous Login. Mark Zuckerberg told developers at the company’s F8 conference yesterday that Anonymous Login would allow users to log in to third-party apps without using their Facebook credentials, and without sharing personal information with the third party.

“The idea here is that even if you don’t want an app to know who you are yet, you still want a streamlined experience for signing in that removes the hassle of filling out all these different fields,” Zuckerberg said. “This is going to let you try apps without fear.”

Anonymous Login is in beta and available only for certain applications; Flipboard, for example, is one of the first. At login, users will have the option of signing in to an app with their Facebook credentials or test-driving the app using Anonymous Login. Anonymous Login presents itself on a black screen, rather than Facebook’s customary blue, and lets users avoid sharing with an outside app any of the data they have already shared with Facebook.

The new Mozilla

The 29th version of Mozilla’s Firefox browser hit the scene this week with a radical redesign. The new Firefox, which looks surprisingly Google Chrome-like, is receiving mixed reviews. Regardless of whether you like the new look, though, we recommend that you install the update anyway, on account of the 10 or so high- and critical-rated security vulnerabilities that were fixed in the new version.