Despite looming end of life, study shows XP remains primary OS

Drawing on data from one million devices, Fiberlink, a mobile management firm, examined the often-forgotten part of mobility in the workforce: laptops. While IT and security vendors focus on Google’s Android, Apple’s iOS, tablets, and smartphones, Lenovo’s ThinkPad and Dell’s Latitude chug along, remaining a stable fixture in the workplace. According to Fiberlink, almost 50 percent of the laptops observed in its study are running Windows XP.


Read the full article at Network World

The Windows Flaw That Cracks Amazon Web Services

Nerval’s Lobster writes “Developer and editor Jeff Cogswell decided to poke around the security of Amazon Web Services, and found a potential loophole that could theoretically allow anyone — a developer, an unscrupulous Amazon employee, the NSA — to access and copy data volumes stored on the system, using a slightly modified version of the popular ‘chntpw’ password tool. In this article, he breaks down how he did it, and suggests some ways for those who use cloud-hosting services to keep their data a little more secure in the future. ‘The key here, of course, is that an unscrupulous employee might be able to make a copy of any existing Windows volume, and go to work on it without the customer ever knowing that it happened,’ he writes. ‘Now let’s be clear: I’m not accusing anyone of having done this; in fact, I doubt anybody has, considering I was unable to find a working copy of chntpw until I modified it.’ It’s a security concern, and one that’s particularly insidious to patch.”

Original article at Slashdot

Internet Explorer security updates released [September 2012]

A 0-day vulnerability affecting all versions of Microsoft Internet Explorer except version 10 on all supported Microsoft operating systems was revealed recently. Microsoft, aware of limited attacks targeting the vulnerability, promised to release an out-of-band patch to protect Internet Explorer users from exploits making use of it.

For the attack to work, Internet Explorer users have to visit a specially prepared website on which the attack is carried out. A successful attack may give the attacker the same user rights as the user working locally on the computer. It became known that different types of attacks were carried out, some of which dropped a trojan on the system.

Internet Explorer users can mitigate the issue by installing Microsoft’s Enhanced Mitigation Experience Toolkit and configuring it to protect Internet Explorer from exploits. Another option that Microsoft suggested to customers was to change the security level of the Internet and Intranet zones to High.

A Fix It was released yesterday that patches the vulnerability on Windows systems, with the promise to release a full patch today. The promised patch has now been released by Microsoft. Windows users can either use the operating system’s built-in Windows Update tool to check for the patch and install it on the system, or download the patch from Microsoft’s Download Center once it is released there.

This security update resolves one publicly disclosed and four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows servers. Internet Explorer 10 is not affected.

Original article at Ghacks

Assessing Internet Explorer 9

In September 2010, Microsoft commissioned a study to see how effectively Web browsers protect users against socially engineered malware and malicious websites, which are websites that look benign, but aim to convince visitors to download and execute malicious software. NSS Labs conducted tests involving six browsers using real-world threats that showed the beta version of Microsoft’s Internet Explorer 9 (IE9) does a better job of defending against real-world malware than any other browser.