Saturday, December 17, 2011

Internet Explorer to upgrade automatically, unless you say no

SophosLabs: Microsoft's Ryan Gavin announced a new strategy to keep the web safe... Keep your Internet Explorer up to date.

It is great news for Windows users who don't appreciate the importance of staying up to date.

Microsoft has been struggling with browser stragglers for years. They even ran their own campaign comparing IE 6 to spoiled milk, including shameful infopr0n.

Old versions of IE leave a considerable number of users vulnerable to old exploits, or, in Microsoft's parlance, easy targets.

If Microsoft updates everyone's browser how will companies like Google have their "Aurora" moments?

While bringing everyone up to Internet Explorer 9 is a great initiative, and doing so automatically will help things along, there are still some big issues ahead for Microsoft.

Their new policy seems to rest somewhere between Google Chrome's "You don't know it but you just upgraded major versions" and Mozilla Firefox's "You know that our weekly major revision is available, would you like it now? Would ya? Please?"

This could be a big problem for some enterprises that followed Microsoft's advice 10 years ago and adopted a fully integrated, ActiveX, .aspx, optimized-for-Internet-Explorer-6 (or 7!) internal web application.

Most organizations that use Internet Explorer are stuck on older versions because of IE-only proprietary code, and the fact that you can only have one version of Internet Explorer installed at the same time.

It only takes one application, which is why Microsoft introduced the Internet Explorer 8 and 9 upgrade blockers. These allow you to stay as stale as Internet Explorer 7 if you wish.

Australia and Brazil will be the first to see the automatic upgrades in action, and users who have already said no to IE 8 or 9 will remain on their current version.

Good news for web developers, good news for security and most of all a demonstration of why open standards are such a good idea.

We could all be running Chrome 36 if it wasn't for that darned ActiveX control for Accounting...

Adobe closes Acrobat and Reader security holes

The H-Online: The first patches for the zero-day flaw in Adobe's Acrobat and Reader applications, which the company confirmed was being exploited in the wild, have been released. The initial problem was caused by a memory corruption when processing Universal 3D (U3D) files, which could allow attackers to potentially take control of an affected system. The patches released also address a newly revealed critical flaw (CVE-2011-4369) which can cause memory corruption when processing Product Representation Compact (PRC) 3D files.

Adobe has now released updates for Adobe Reader 9.x for Windows and Acrobat 9.x for Windows. The updates can be installed by selecting Help ➤ Check for Updates in either application. Manual downloads for Reader 9.4.7 and Acrobat 9.4.7 are also available. Adobe is not releasing updates for Reader X or Acrobat X at this time because it says the defensive technologies added to those products stop any exploitation of the flaws. It will release fixed versions of those applications as part of the next quarterly security update on 10 January 2012, along with updates for the Unix and Mac OS X versions.

Adobe suggests that users of Reader and Acrobat X should verify the defensive mechanisms are enabled. In Acrobat X a user should go to Edit ➤ Preferences ➤ Security (Enhanced) and make sure that "Enable Enhanced Security" is checked along with either "Files from potentially unsafe locations" or "All files". Adobe Reader X users should go to Edit ➤ Preferences ➤ General and ensure that "Enable Protected Mode at startup" is checked.

Visa looks into Eastern European security breach
SophosLabs: Visa is investigating a potential security breach that may have compromised payment cards of Eastern Europeans.

Although Visa hasn't disclosed which countries were hit, the Romanian state-owned CEC Bank has blocked and reissued 17,000 cards on suspicion that they had been compromised.

CEC Bank said in a statement that "a number" of cards issued by banks both in Romania and abroad might have been compromised via an international database.
Here's an excerpt from the statement, translated into English from Romanian by v3.co.uk:

The bank has been informed that a number of cards issued by banks in Romania and abroad have been potentially compromised through an international database. CEC Bank has decided to block the cards and reissue a new card and PIN, at no cost, for a number of cards in its portfolio. This attack did not target CEC Bank's cards alone and was not due to any bank vulnerability. Our clients' money is safe.

Visa pinned the problem on a European payment processor and issued this statement:

Visa Europe has been informed of a potential data security breach at a European processor and an investigation is underway. We are working closely with our member banks to ensure cardholders are protected.

In his report on this incident, v3's Phil Muncaster pointed to a warning earlier this month from Trend Micro regarding a basic design flaw in some implementations of the 3D Secure protocol - aka "Verified by Visa" and "MasterCard SecureCode" - that could allow crooks to conduct ID fraud on some Visa cards.

The potential security hole in 3DS is the result of a weakness in the password reset process of some versions of the system. Trend Micro's Rik Ferguson explained the flaw on his CounterMeasures blog:

If you are making a purchase through a merchant that is subscribed to the program, you will be redirected, during the payment phase, to a 3DS verification page. On this page you confirm the details of the transaction, enter your password and hey presto, the transaction is complete. So far so good, the merchant never sees my password, no transaction with that merchant can be completed without it and I’m protected, but...

He then goes on to describe the password reset link, finding that three of the four pieces of information used to verify identity - cardholder name, expiration date and signature panel code - are all present on the card itself, either embossed or printed on it, and also encoded in the magnetic stripe data.

The fourth piece of information, cardholder date of birth, would be drop-dead easy to track down, he says:

Trouble is, it’s information that is not only widely shared on social networks, surveys, sign-up forms and a myriad of other places, but also freely available in public records. We cannot and should not consider our date of birth to be a secret.

The Eastern Europe breach and the 3DS flaw are spelling one headache-y month for Visa so far. Yikes, now all the company needs is for the EU to contemplate carving away at its profits with big fines for privacy breaches or something like that.

But wait, that's exactly what the EU is mulling!

The way the Financial Times reads it, the proposed rule, slated to be introduced in January, will impact social media most sharply, serving as a significant tool to boost the EU's powers when it comes to combating data protection breaches.

But it will be interesting to see what happens (if in fact the rule doesn't get watered down to pointlessness, that is) in cases such as credit card payment breaches like the one Visa is now investigating, if it turns out that Visa or its payment processor was treating customer data with anything less than kid gloves.

Friday, December 09, 2011

Come join my forum

Hi Folks!

I would like to invite you to join my forum. It's a small forum for now, but it will get better with time. A link to my forum is available in my TechBlog, LifeBlog or on my site. Feel free to join and express yourself however you like, and feel free to post whatever you like except advertisements. Thanks! :-)

Thank you in advance for joining
-Omid

Also posted in Omid's LifeBlog