Internet Explorer Zero Day Patch

Microsoft has announced that today (21-01-2010) at approximately 6pm (UK time), it will release an emergency out-of-band patch to fix the Internet Explorer zero-day security vulnerability that has been used by attackers in various high-profile targeted attacks, specifically the recent Trojan.Hydraq attacks waged against Google and a number of other companies. The vulnerability affects Internet Explorer 6, 7 and 8, which make up the bulk of the versions used today. However, the only in-the-wild exploit code for this vulnerability detected thus far is confirmed to affect just Internet Explorer 6.

Keep an eye on the Microsoft Security Site for more information.

Also check out the Microsoft Advisory on this matter (979352).

Here is the patch: MS10-002

Adobe Zero Day… It's like the Duracell bunny

Earlier on this month we had yet another Adobe Reader zero day. It's really becoming a common theme this year, and who knows when it's going to end.

Adobe are once again telling users to disable JavaScript to protect themselves from attack; this now just seems to be the ongoing standard response. Many customers I work with do not need or use the JavaScript functionality anyway, so I recommend it's disabled permanently. So some turn it off, and then turn it back on again when a patch is released, because for some reason they think it's safe and another zero day isn't just around the corner.

So my question has to be, who does actually need the JavaScript functionality? I have met very few individuals and organisations that do, so why not have this disabled as standard and put the reliance on the user to enable it, with a caveat (it might mess you up)?
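One way to put numbers on that question is to inventory which PDFs in an estate carry JavaScript at all before disabling it by default. The following is an added example, not code from the original post or from Adobe: a Python triage function that counts the PDF names /JS, /JavaScript, /OpenAction and /AA in a file's bytes, including hex-escaped names and Flate-compressed streams. The function names and the sample bytes used to exercise it are constructed for illustration.

```python
import re
import zlib

# PDF names that indicate script content or automatic actions.
SCRIPT_NAMES = (b"/JS", b"/JavaScript")
AUTO_NAMES = (b"/OpenAction", b"/AA")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name runs from "/" to the next PDF whitespace or delimiter character.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes, so /J#61vaScript is read as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def _inflated_streams(data: bytes):
    """Yield the contents of Flate-compressed streams; skip the rest."""
    for match in _STREAM.finditer(data):
        try:
            # decompressobj tolerates the end-of-line bytes before "endstream".
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # other filters and encryption are out of scope here


def count_names(data: bytes) -> dict:
    """Count script and auto-action names in a PDF's raw bytes."""
    counts = {name.decode(): 0 for name in SCRIPT_NAMES + AUTO_NAMES}
    for blob in [data, *_inflated_streams(data)]:
        for raw in _NAME.findall(blob):
            name = _decode_name(raw).decode("latin-1")
            if name in counts:
                counts[name] += 1
    return counts


def uses_javascript(data: bytes) -> bool:
    """True if any /JS or /JavaScript name is present."""
    counts = count_names(data)
    return any(counts[name.decode()] for name in SCRIPT_NAMES)
```

This is a keyword count rather than a parser, so a hit marks a document for review and a miss is not proof of absence (encrypted files and non-Flate filters are skipped).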

I think Adobe make some good products, but they just seem to be having some issues with secure coding or something. Perhaps the tools are not being used the way they were intended, I don't know, so why not do something about it?

I am by no means a PDF expert, so I am not really the best person to comment, but I know a man who is. Didier Stevens is the master; just check out his blog.
Didier will be speaking to us on the first episode of the Eurotrash Security podcast.