BetaNews: Micropatch now available for Internet Explorer security hole. “Through its 0patch platform, ACROS Security is making the micropatch available to Windows users who are concerned about the security of Internet Explorer. While there are likely to be concerns voiced about installing a security patch from a third party, there are two things to consider here.”
Digital Trends: Internet Explorer zero-day exploit makes files vulnerable to hacks on Windows PCs. “There were already a number of reasons to not use Internet Explorer. But if you needed another one, here it is. According to ZDNet, a security researcher named John Page has published evidence of an Internet Explorer zero-day exploit that renders Windows PCs vulnerable to having their files stolen by hackers.”
Ars Technica: Microsoft patches zero-day vulnerabilities in IE and Exchange. “Microsoft’s Patch Tuesday this month had higher-than-usual stakes with fixes for a zero-day Internet Explorer vulnerability under active exploit and an Exchange Server flaw that was disclosed last month with proof-of-concept code.”
ZDNet: Microsoft releases security update for new IE zero-day. “Microsoft has released an out-of-band security update today, December 19, for an Internet Explorer vulnerability that is currently being abused in the wild. The OS maker credited Clement Lecigne of Google’s Threat Analysis Group with discovering and reporting the IE zero-day.”
Ars Technica: Internet Explorer bug leaks whatever you type in the address bar. “There’s a bug in the latest version of Internet Explorer that leaks the addresses, search terms, or any other text typed into the address bar. The bug allows any currently visited website to view any text entered into the address bar as soon as the user hits enter. The technique can expose sensitive information a user didn’t intend to be viewed by remote websites, including the Web address the user is about to visit. The hack can also expose search queries, since IE allows them to be typed into the address bar and then retrieved from Bing or other search services.”
Google has let the cat out of the bag about another Windows vulnerability. “Google’s Project Zero research team has actively been detecting vulnerabilities in Microsoft’s software products for quite some time…. Just a few days ago, it disclosed yet another vulnerability in Windows, however, this time after its standard 90-day deadline had passed. Now, the company has revealed yet another weakness in Microsoft’s software products, and this time, the flaw pertains to Edge and Internet Explorer, which means that it does not only impact Windows 10 but other iterations of the operating system as well.”
More bugs: there’s a security flaw in Windows that allows attackers to steal Microsoft Account credentials – and apparently Microsoft isn’t going to fix it. “The flaw is widely known, and it’s said to be almost 20 years old. It was allegedly found in 1997 by Aaron Spangler and was most recently resurfaced by researchers in 2015 at Black Hat, an annual security and hacking conference in Las Vegas. The flaw wasn’t considered a major issue until Windows 8 began allowing users to sign into their Microsoft accounts — which links their Xbox, Hotmail and Outlook, Office, and Skype accounts, among others.” It looks like you can avoid this by not using IE, Edge, or Outlook. Or Windows, I suppose.