New hacker peril for older IE versions

Internet Explorer users are at risk from a newly discovered and unpatched vulnerability in older versions of Microsoft's browser. A security flaw involving a dangling pointer in Microsoft's HTML Viewer (mshtml.dll) creates a possible mechanism for hackers to crash the browser and inject malware, providing they can trick marks …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Coat

    Oh crap

    So our "lead developer" insists on using IE6 as "It's the best one" and won't allow us to update.

    Did I mention, that I was told to give him domain admin rights on his user, not power user. Not even local admin rights but DOMAIN ADMIN rights.

    Is it time to find a new network to manage?

    Mine's the one with the Opera badge on it.

  2. Anonymous Coward
    Stop

    @why the heck is anyone still using IE6 anyway?

    Well, there are two reasons.

    1. Most home users haven't got a clue what IE6 even means.

    2. Most businesses don't want to spend the huge amounts of money that testing an upgrade to a new browser/version would cost, when the one they have works well and is protected by company firewalls/whitelists/other blocking measures anyway.

  3. Bilgepipe

    IE6

    Still stuck with IE6 here. Well, I snuck Firefox onto my machine, but I *should be* stuck with IE6...

  4. Anonymous Coward
    Grenade

    Why IE6?

    Every enterprise I know has a half-baked, poorly-designed, badly-implemented, legacy CRM system that is 'company critical' but will never be upgraded. IT departments are forced to inflict IE6 on their users because application vendors won't provide official support for much else. Try having to support several CRM systems at various versions (some legacy) as well as Oracle applications and you quickly find that IE6 is the only official browser supported.

    Yes 'most' of it works on Firefox but then 'most' isn't good enough when on any random day a senior manager has browser/application compatibility issues.

    Don't get me started on Java compatibility between this type of application mix and the security implications. (Yes Oracle I am talking to YOU)

    1. Anonymous Coward
      Alert

      Spotted

      I smell another NHS worker here!

      We've the same issue, 4-5 different applications just don't work or are not supported on IE7-8 or alternatives.

  5. sath
    Alien

    As a work-mate has just pointed out

    It's clearly Microsoft trying to get people to upgrade to their IE 8, considering IE8 is considered to be in the clear but not 6 or 7.

  6. Anonymous Coward
    Black Helicopters

    Why is anyone still using IE6?

    Because of bureaucratic inertia. I work for a large, over-stretched and under-resourced government department.

    To re-assure the powers that be, at the highest levels, that a new browser would still work with all our legacy applications, and would be at least as secure as our current specially crippled version of IE6, would take a significant investment of time, money and personnel, all of which are in rather short supply right now. (We've just had a department-wide moratorium on coffee in meetings as a cost-saving measure.)

    Anonymous and helicopters because, for all that the IT here is quite painful at times, I still want to keep my job.

  7. Anonymous Coward
    Anonymous Coward

    @why the heck is anyone still using IE6 anyway?

    ... because our IT dept cannot roll out anything else due to apps that were written for IE 6, combined with a total hatred of anything not MS such as Firefox.

    Do we have a virus / malware problem.... yep!!!

  8. shyted
    Linux

    ie 6

    IE 6 would be those on Windows 2000. Still used on half the machines where I am and perfectly capable, 'course those machines are also running Firefox as default.

    1. Petter

      Lumbered with I.E. 6

      How right you are. I have two machines, one running XP, the other 2000 Pro. Both machines carry SeaMonkey and Firefox, but some software, such as Power Producer for my video camera, insists on access to I.E. Worse still, it wants IE 6, or later, but Windows 2000 came with IE5. This I could upgrade to 6, but no higher, as Microsoft says it isn't compatible. So how come the very latest versions of Firefox and SeaMonkey don't have "compatibility" issues? Ah well. My 2000 machine is getting ready to retire, after seven years of reliable service and countless hardware upgrades, so I guess I'll be joining the ranks of those who have jumped right over Vista - twice. And my first priority will be to override I.E 8, 9 (or quintillion) with Mozilla - and override any pre-installed copies of Office with good old OpenOffice.org.

  9. Simon 6
    Grenade

    We need this!

    MS stopped supporting IE6 ages ago.

    A growing number of web sites and web designers have stopped supporting IE6

    The world would be a MUCH better place without IE6

    If it needs worms and viruses to force people to dump it then so be it. You don't even have to upgrade, just install a better and more secure browser which still gets updated with security patches (Firefox, Opera, Safari etc).

    Grenade because IE6 should have been blown to smithereens years ago...

  10. TB

    why the heck is anyone still using IE6 ...

    ... (why the heck is anyone still using IE6 anyway?)

    Because MS will not legitimately allow an upgrade to a higher IE version on Windows 2000 machines.

    So, I suppose the next question is why run Windows 2000? Which is easy to answer: it is less bloated than XP, boots faster and rarely crashes, it can go months between re-boots ! On the Windows 2000 machine I normally use Firefox, but occasionally when there is a badly formatted web page or one which REQUIRES activeX the old IE6 has to be called into action (then closed down quick). I have XP machines too, but didn't like Vista at all. I will try Windows7 once I've dug a bit deeper into the licensing and DRM implications.

  11. Anonymous Coward
    WTF?

    Anyone for win 2000

    'Cause we're stuck with IE 6 whether we like it or not. Could use Firefox, though that brings in its own bloody issues of keeping it up to date, as Mozilla doesn't see fit to provide an .msi and, as you have to have elevated rights to patch Firefox, it's an arse pain.

  12. Petey
    FAIL

    @anonymous coward who talks about Oracle

    If you read up on this at ALL you would realise that Oracle addressed Java compatibility issues ages ago.

    Get a half-decent DBA who can update the JRE on your Oracle Apps server and you will never be stuck with IE6 or any other crap browser again.

  13. Simon.W
    Alert

    IE6 the bane of my life...

    but the darling of lazy internal developers and external vendors.

    'Fraid to say we have swathes of PCs that are required to stick with IE6 because the web apps just don't work with anything else.

    One would think that when the decision is made to use a particular architecture for web apps, such as Internet Explorer, then the developers would follow the life cycle. But oh no, it's not to be - who knows why, they've had years to plan a change; probably most of them catch up with sleep when in the office ;)

  14. Anonymous Coward
    Grenade

    Internet Explorer users are at risk

    "Internet Explorer users are at risk" - yep, that's as far as you need to read. Heh-heh (waits for flames).

  15. Anonymous Coward
    Anonymous Coward

    @Anonymous Coward

    Oracle has supported >IE6 and FF for a long time. The problem is in getting businesses to spend time/money applying/testing the patches to enable that support.

  16. Anonymous Coward
    Anonymous Coward

    why the heck is anyone still using IE5.5 anyway?

    ...Perhaps because I have better things to do with my money than buy new computers every three years because MS et al are determined to have people chase the latest "big shiny".

  17. Octopoid

    @Perhaps because I have better things to do with my money than buy new computers every three years

    What on earth has that got to do with IE5.5?

    IE8 is considerably faster and more efficient - it'll run way better on old machines.

    Try it - you'll find the web starts actually working properly again.

  18. Anonymous Coward
    Anonymous Coward

    Keep the focus where it belongs

    ".. because our IT dept cannot roll out anything else due to apps that were written for IE 6, combined with a total hatred of anything not MS such as Firefox."

    "If it needs worms and viruses to force people to dump it then so be it. "

    and others bemoaning lazy developers.

    You need to think about IT in a large corporation, not just as a home user. They are completely different things and from some of the quotes on here not everyone understands that.

    To some it is as simple as "just download <insert browser of choice> and the world will be a better place." That might work for home and novice users. However, corporate environments are usually (should be!) pretty locked down and users can't do that. Only the IT department can do that, and they were involved in commissioning applications years ago, when they were assured by MS and others that the best way to future-proof was to code to IE6, which was ubiquitous. Of course it became apparent that IE6, despite being ubiquitous, did not conform to standards other than the MS "extended" ones, which means standards-based browsers of any sort now will often not work correctly with an application developed for IE6.

    Of course, the apps *should* have been coded to work with standards, but then they would never have worked with IE. So we are left supporting legacy applications that only work with IE6. As MS have actually attempted to support some standards in the later versions of IE, those later versions of IE do not always support pages written for IE6 either. You can sometimes get away with setting compatibility mode, which was paradoxically introduced to make the standards-compatible browser INcompatible with the standards in a similar way to earlier versions of IE, in order to attempt to provide some backwards compatibility - always overlooked by MS.

    Now those same people are being told to re-write their applications to get away from that crummy old browser (remember - the one that was going to provide longevity and standards if only you would write your apps to work with it?) and write them some other way that will provide longevity and standards. We promise we won't say the same again to you in a few years, and drop your support, honest.

    I agree with AC above:

    "...Perhaps because I have better things to do with my money than buy new computers every three years because MS et al are determined to have people chase the latest "big shiny"."

    It is all about clever marketing, and the people who harp on about getting the latest browsers/OS are sadly being led by the nose by the marketing types, forgetting that IE6 on Windows 2000 was once the latest browser/OS and that it would save us all.

    It's like Groundhog day.

  19. Anonymous Coward
    Gates Horns

    Still no excuse

    Got to use IE6 for your intranet? fine.

    But DON'T use it for anything else. Make a white-list that includes nothing but your intranet/crappy CRM software etc. Then use a real browser for the real internet.

    It's so simple that even you wintards have to agree it's a good idea.
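
The allow-list the comment above suggests, as an added example that is not part of the original thread or any commenter's code: a proxy auto-configuration (PAC) script for the IE6 machines that forwards only an allow-list of intranet hosts to the corporate proxy and sends every other request to a non-routable black hole. The host names, the proxy address and the black-hole address are assumptions for illustration. It is written in ES3-style JScript so IE6's own PAC engine can evaluate it, and it deliberately uses none of the PAC built-ins such as dnsDomainIs, so the same file also runs unchanged under Node.

```javascript
// Added example, not from the thread above. A PAC script that confines IE6 to an
// intranet allow-list: allowed hosts go to the corporate proxy, everything else
// to a black hole. All host names and addresses below are assumed for illustration.
// ES3/JScript syntax only (var, no const/let/arrow) so IE6 can evaluate it.

// Exact host names the legacy apps live on (assumed).
var ALLOWED_HOSTS = ["crm.corp.example", "intranet.corp.example"];
// Domain suffixes that are wholly internal (assumed). The leading dot matters:
// it stops "evilintranet.corp.example" from matching ".intranet.corp.example".
var ALLOWED_SUFFIXES = [".intranet.corp.example"];
// Where allowed traffic goes (assumed). "DIRECT" works too if there is no proxy.
var CORP_PROXY = "PROXY proxy.corp.example:8080";
// Sink for everything else: nothing listens on the local discard port, so the
// connection is refused immediately instead of hanging.
var BLACKHOLE = "PROXY 127.0.0.1:9";

// True if host is exactly on the allow-list or under an allowed suffix.
function hostMatches(host) {
  var i, suffix;
  for (i = 0; i < ALLOWED_HOSTS.length; i++) {
    if (host === ALLOWED_HOSTS[i]) {
      return true;
    }
  }
  for (i = 0; i < ALLOWED_SUFFIXES.length; i++) {
    suffix = ALLOWED_SUFFIXES[i];
    // host must be longer than the suffix so "intranet.corp.example" itself is
    // matched only via ALLOWED_HOSTS, and the suffix must sit at the very end.
    if (host.length > suffix.length &&
        host.substring(host.length - suffix.length) === suffix) {
      return true;
    }
  }
  return false;
}

// Entry point called by the browser for every request. Fail closed: anything
// not explicitly allowed (IP literals, look-alike domains, trailing-dot FQDNs)
// is routed to the black hole.
function FindProxyForURL(url, host) {
  var h = String(host).toLowerCase();
  if (hostMatches(h)) {
    return CORP_PROXY;
  }
  return BLACKHOLE;
}
```

Point IE6 at the file via Internet Options, "Use automatic configuration script", and lock that setting with the Group Policy "Disable changing proxy settings" so users cannot switch it off; otherwise the PAC is a suggestion, not a control. Note what this does and does not buy you: it stops the legacy browser from wandering onto arbitrary web sites, but a compromised page on an allow-listed intranet host (the scenario raised in the "Trick or Treat?" comment below) still reaches the vulnerable renderer, so the allow-list is containment, not a substitute for the patch.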

  20. Nathan Williams
    Grenade

    @AC using 5.5

    If you are--as I suspect--a troll...then well played. If not, well then that's just...sad.

    IE 5.5 came out in 2000, and the only OS that IE 5.5 runs on that cannot also run at least IE 6 is Windows 95. If in the past TEN YEARS you couldn't be arsed to purchase a machine capable of running anything beyond Windows 95, then you deserve every bit of the torture you're putting yourself through. Penny pincher or not, it's time for an upgrade. It doesn't need to be the shiniest box on the shelf, but it should be a machine capable of running an operating system--be it Microsoft or not--that was written this millennium. Forget security--do it for your own sanity!

  21. Tim Jenkins

    Trick or Treat?

    "...providing they can trick marks into visiting maliciously constructed sites..."

    I know you're just using similar wording to that which Microsoft and others spout when they are forced to acknowledge flaws in their products, but in the real world isn't it rather more likely that this exploit (like many others) is deployed via hostile code injected into otherwise legitimate sites?

    The idea that an infected user must have been 'tricked' into going somewhere dodgy (and is by extension at least partly culpable due to their gullibility) is just an attempt by the originators of the vulnerable OS/browser/app to try and shift some of the blame, and repeating it smacks of lazy journalism...

  22. takuhii

    Here's a chance to dump IE6

    Fix it for IE7 and tell everyone to upgrade, IE6 is the worst browser on the planet and an absolute a*se to code for!!

  23. Anonymous Coward
    FAIL

    Wrong question...

    "Why is anyone using Internet Explorer?" is the correct one. It doesn't matter what version, they are all out-of-date, crippleware and it looks like IE9 is not going to make any difference to that.

  24. Anonymous Coward
    Stop

    Windows 2000

    Bring out IE8 for Windows 2000 and I'll upgrade, otherwise MS should just STFU.

    I use Firefox for everything except work, where I HAVE to use IE (due to stupid client's web site design).

  25. webster phreaky ate my iphone
    Happy

    Hey! Don't knock IE6!

    Some of us will miss needing to know the various bugs in IE6 when it does finally bite the dust. (Personal fave, float and margin in the same direction doubles the margin size, fixed by using display inline! Classic!). Anyway with (I believe) ~40% of corporate users still on IE6, it ain't disappearing anytime soon.

  26. Anonymous Coward
    Anonymous Coward

    @Trick or Treat?

    Hear hear! My thought exactly.

  27. Anonymous Coward
    Anonymous Coward

    Netscape 4 - A Warning From History

    Do you remember how NS4 lingered like a particularly bad smell whilst we all dreamed that everyone would upgrade to IE6 to make our lives easier?

    Well, expect more of the same with IE6. In fact, expect worse, because this time there are more computer systems out there that are deemed to be running happily as they are, and there is no Y2K-bug opportunity to sweep what's left under the carpet under the pretence of a necessary major systems upgrade.

    IE9 and the other browsers need to create new vital functions that save businesses money; only then will they switch. SVG isn't it because Flash already works. Acid3 isn't it because bosses only care *that* it renders, not *how* it renders. PNG isn't it, firstly because you can already just flatten your layers in Photoshop and add all those shadows and transparent effects as images, and secondly because IE already has proprietary transparency that works. XHR has worked since IE5 - after all, they invented it, so no benefits there.

    So, why should a company upgrade from IE6 if it's been working for the last decade and still works now? McDonald's ketchup isn't as high quality as Heinz Organic, but they still use it - because it's cheaper and they don't want to spend more money on something that isn't going to make a return.

  28. Richard 102
    Alert

    Lead

    "Internet Explorer users are at risk from a newly discovered and unpatched vulnerability in older versions of Microsoft's browser."

    The heck you say.

  29. Kevin (Just Kevin)
    Boffin

    (why the heck is anyone still using IE6 anyway?)

    Think about a large corporation with outsourced IT systems - CRM, Internal Staff systems, etc. They cost hundreds of thousands of dollars to upgrade. Maybe more once you include all the labour and testing.

    Now make sure they all work on 50,000+ PCs running different combos of applications (let's assume we're only talking about the official ones). Do you spend a fortune to fix something that isn't broken (from the point of view of management, not geeks), hoping IE6 continues to work, and then work on the roll-out of a new browser to 50,000+ machines? Or do you have to synchronise the two?

    As "Keep the focus" said above, it's much harder in BIG IT environments. We only recently shut down our last official NT box (I'm sure there are still some out there). XP+IE6 is our standard install. And Office 2003. They're currently looking at Win7+IE8 for some time next year but it's a HUGE undertaking. There's a trial going on of Office 2007. We're over 6 months (maybe more) into replacing our remote access solution because several legacy apps don't work on the new one (which is so much better than the previous ones).

    I stopped with IE7 on my machine and now run FF or Chrome because IE8 is cr*p at memory management; my machine just starts thrashing a half hour into my day as IE8 tries to page all those duplicate copies of its megabloat in and out. IE7 takes about 400MB, IE8 takes up 300MB per instance and get half a dozen of them.

    Now solve that for 50,000 other installs. It's hard. It takes time. We bitch and moan about it in the trenches but when you stop and think it through, you get it.

  30. JC 2

    Why IE6?

    Simple really, once upon a time everyone used it. Those who knew what they were doing developed workarounds and safe computing practices, unlike those who feel it's a big change in their security to move on.

    A hint about that: No matter how insecure your box might be, you don't have to use the same environment to browse the net and open email as you use for banking, and online purchases can use one-use credit card numbers.

    PC gets infected, nothing beats a full system backup and restore. Takes less time than just doing a full virus scan these days and then there's no question whatever it was is gone. There will always be vulnerabilities, and till MS is dethroned running the latest IE isn't an answer to security so let's call it for what it is:

    Some people value the new features in IE7 or 8, and some people don't. Some feel newer is better in a general kind of way, and others wait for need-based upgrades. They run IE6 because their system shipped with IE6. They'll run IE8 when they buy their next PC that comes with IE8 on it.

    The rest of us will use Firefox... gotta luv those add-ons.

  31. Mark Simon

    @why the heck is anyone still using IE6 anyway?

    No Reason.

    It may not be the individual users' fault, but any IT department which is still geared toward IE6 is run by morons.

    In fact gearing your intranet towards any specific browser is asking for trouble, and towards IE is asking for double trouble.

  32. dreamingspire
    Happy

    I'm with...

    ...TB@12.25: Firefox normally, IE6 when I have to use IE, but main systems are XP. But will have to pension off that W2K system soon as support for its s/w dwindles. So I'm dipping my toe in W7, mounted on one of those bargain basement systems that Morgans used to sell.

    One use for the W2K system is booking coach tickets by Nat Express: using Firefox with NoScript on XP fails at the transfer to the payment function: XSS use is reported and the transaction gets blocked. Rail bookings on other sites (those using Trainline s/w) go through OK on XP.

  33. Al fazed
    FAIL

    browser bollox

    @Nathan Williams,

    constantly upgrading my browsers and OS creates anything but sanity, where have you been ?

    Counting since Win 3.1 there have been six new Microsoft Operating Systems, Ubuntu Linux alone has released about the same number in half that time, and I can't be arsed to work out how many Red Hats etc, there have been.

    Netscape becomes Mozilla, becomes Seamonkey, par Firefox BLAH, BLAH, BLAH, BLAHHHHHH !

    Do any of them work in all situations ?

    The honest answer for all you Linuxtards is NO they don't !

    So if you want to get any work done, or design apps for the majority of web surfers, that's why I still need a version of IE 6. As with the UK's nuclear capability, which I believe is still running on Windows 2000, in some parts of the net, it is all that works, while the likes of Firefox and SeaMonkey on Ubuntu 9.04 - just don't work where you expect they should. I am talking MySpace you penguin heads. Every Flash advert I block still runs merrily along while the control panel required to play the tracks is in-bloody-visible, except in Opera on Ubuntu and IE6 on Windose 2000.

    SHOCK HORROR beware of the blind sick penguins.

    ALF

  34. N2

    @Oh crap

    Please tell me this is a joke?

    IE 6.0 may be folly but domain admin rights as well is really asking for it.

  35. Anonymous Coward
    Linux

    @ Al fazed

    "Firefox and SeaMonkey on Ubuntu 9.04 - just don't work where you expect they should. I am talking MySpace you penguin heads"

    World's most poorly designed website has issues running in certain browsers? Well blow me down.

    Mozilla could hard code MySpace into Firefox's blacklist and you wouldn't hear any complaints from me.

    Oh yeah I forgot, MySpace isn't a toy anymore, it's an important business opportunity - says the guys in the marketing department who spend all their time on MySpace regardless, go figure.

  36. Nathan Williams
    Pint

    @Al fazed

    I'm not trying to advocate _constantly_ upgrading. I am trying to point out that there have been significant improvements in hardware and software in the past decade--both in areas of performance and security--which the user I was responding to would likely find to his advantage.

    While I agree that attempting to stay on the bleeding edge of technology is a frustrating and ultimately fruitless exercise, it is my humble opinion that the benefits of updating outweigh the disadvantages for the person in question at this time, and that there are several negative aspects with such an outdated configuration that even further argue for an upgrade. Perhaps my original tone was off-putting, for which I apologize -- I was reacting to the IE5.5 subject line, which is one of the banes of my existence and some of that came through in my post.



Biting the hand that feeds IT © 1998–2022