Breach Brief – Microsoft Email and IE Browser
Microsoft, the world’s largest software maker, is having a bad week. The company’s Outlook email service was hit by a data breach that includes Outlook.com accounts as well as MSN and Hotmail addresses. The breach went on for months, and the hackers used a customer support agent’s credentials to gain access.
Microsoft issued an email confirming hackers may have accessed email addresses, subject lines of emails, folder labels, and the names of other email addresses that the user contacted. However, Microsoft believes the content of emails, including attachments, and login passwords were not compromised.
Hackers conducted the attack from January 1st to March 28th. Microsoft quickly identified the credentials used by the hackers and disabled them.
It is not clear how many users are compromised or who the hackers are. According to Microsoft, affected users can expect more spam emails and potentially phishing attempts. Microsoft urges users to stay on the alert for such attacks and to change their passwords. Hackers may be able to use the addresses for identity theft purposes.
As if that wasn’t enough bad news, security researcher John Page discovered a new security flaw that allows hackers, using Microsoft’s obsolete Internet Explorer, to steal Windows users’ data. Windows users don’t even have to open the old browser for hackers to exploit the flaw. Just having it on your computer is enough!
According to Page, “Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally. This can allow remote attackers to potentially exfiltrate local files and conduct remote reconnaissance on locally installed program version information.”
A lot of techno speak just to say that hackers can get into your computer if you have the browser on your computer. Launching the exploit just requires the user to open an attachment received by email, messenger, or other file transfer service.
According to Page, upon speaking with Microsoft, the company told him it would just “consider” a fix in a future update. Page says he notified Microsoft in March before going public with the issue.
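For defenders triaging attachments, the check below is an added example, not code from Page or Microsoft: it MIME-decodes each part of an .MHT file and flags external entity declarations, the marker of the XML External Entity technique Page describes. The regex heuristic, the function names and the sample file are assumptions constructed for illustration.

```python
import base64
import email
import re
from email import policy

# Heuristic chosen for this example: <!ENTITY name SYSTEM|PUBLIC ...>,
# including parameter entities (<!ENTITY % name SYSTEM ...>).
EXTERNAL_ENTITY = re.compile(
    rb"<!ENTITY\s+(?:%\s+)?[\w.\-]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def scan_mht(raw):
    """Return one finding per MIME part that declares an external entity."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable, which a plain
        # byte search over the .mht file would not see through.
        body = part.get_payload(decode=True) or b""
        hits = EXTERNAL_ENTITY.findall(body)
        if hits:
            findings.append({
                "content_type": part.get_content_type(),
                "location": str(part.get("Content-Location", "")),
                "declarations": len(hits),
            })
    return findings


def build_sample(xml):
    """Constructed two-part MHT: an HTML page plus a base64 XML part."""
    return (
        b"MIME-Version: 1.0\n"
        b'Content-Type: multipart/related; boundary="b1"\n\n'
        b"--b1\nContent-Type: text/html\n"
        b"Content-Location: file:///sample/index.htm\n\n"
        b"<html><body>hello</body></html>\n"
        b"--b1\nContent-Type: text/xml\n"
        b"Content-Transfer-Encoding: base64\n"
        b"Content-Location: file:///sample/data.xml\n\n"
        + base64.encodebytes(xml) + b"--b1--\n")


# Constructed sample; the URL is a placeholder, not a real indicator.
FLAGGED_XML = (b'<?xml version="1.0"?>\n<!DOCTYPE r [\n'
               b'<!ENTITY ext SYSTEM "http://example.invalid/placeholder">\n'
               b"]>\n<r/>\n")

if __name__ == "__main__":
    for finding in scan_mht(build_sample(FLAGGED_XML)):
        print(finding)
```

A hit is a reason to quarantine the attachment for review, not proof of malice. XML stored in UTF-16 would need to be decoded to text before this byte pattern could match it.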
Breaking It Down
Internet Explorer is outdated browser software. If you are still using it, you need to stop. Microsoft offers the Edge browser, a much better product that is definitely safer. And it’s available for mobile devices.
If you are using Explorer then you have a serious problem. Using outdated software is a fundamental safety issue and something hackers look for. There are literally hundreds of thousands of malware programs and viruses that are programmed to exploit outdated software. And you can easily find one just surfing the web. Or, more precisely, it will find you. Remember, you are always one click from destruction!