...That ends today, as Microsoft's support documentation says that a Microsoft Edge browser update will fully disable Internet Explorer in most versions of Windows 10, redirecting users to Edge.

Edge will "automatically" transfer over bookmarks and other browsing data from IE and display a dialogue box letting users know what has happened so that the last few people using Internet Explorer out of habit, ignorance, or spite will be fully aware of what's going on. Clicking any IE icon or attempting to launch it from the Start or Run menus will automatically open Edge instead.

Microsoft has now released three cumulative updates for Windows 10. These updates combine security fixes with non-security bug fixes, and so far, Microsoft hasn't done a very good job of describing the contents of these cumulative updates. While the security content is quite fully described, explanations of the non-security fixes have been lacking.

Many, including your author, feel that this is undesirable and that a key part of the Windows-as-a-Service concept, in which Microsoft releases a steady stream of fixes and functional improvements, is a clear explanation of what those updates are. This is a new approach for Microsoft, and it seems like reassuring users and administrators that issues are getting fixed—and that functional changes are clearly described—should be important.

This is doubly important in those unfortunate situations that a patch has a problem. Microsoft will tend to update such patches when the problems have been fixed, but it does a poor job of clearly communicating this.

Unfortunately, it does not seem that the company intends to change this approach. Company representatives told The Register that while the company "may choose" to perform "additional promotion" of new features depending on their "significance," there's no intention of providing full release notes. This means that future patches are going to continue to say nothing more than "This update includes improvements to enhance the functionality of Windows 10..."

Researchers at an HP security division have publicly detailed four code-execution vulnerabilities that can be used to hijack end-user machines running the latest versions of Microsoft's Internet Explorer browser.

The disclosures earlier this week came more than six months after researchers from HP-owned TippingPoint first privately reported the bugs to Microsoft security engineers. According to the advisories published here, here, here, and here, Microsoft officials acknowledged the bugs and in each case asked for an extension beyond the four months TippingPoint officials normally wait before publicly disclosing vulnerabilities. All four of the extensions expired Sunday, leading to the public disclosure of the bugs.

It remains unclear why Microsoft hasn't issued fixes. TippingPoint alerted Microsoft to three of the vulnerabilities in January and one of them last November. A Microsoft spokesman told Ars he was looking in to the matter...

Serious bug in fully patched Internet Explorer puts user credentials at risk | Ars Technica

arstechnica.com

A vulnerability in fully patched versions of Internet Explorer allows attackers to steal login credentials and inject malicious content into users' browsing sessions. Microsoft officials said they're working on a fix for the bug, which works successfully on IE 11 running on both Windows 7 and 8.1.

The vulnerability is known as a universal cross-site scripting (XSS) bug. It allows attackers to bypass the same origin policy, a crucially important principle in Web application models that prevents one site from accessing or modifying browser cookies or other content set by any other site. A proof-of-concept exploit published in the past few days shows how websites can violate this rule when people use supported versions Internet Explorer running the latest patches to visit maliciously crafted pages...

arstechnica.com

Microsoft has released an unscheduled update to patch a critical security hole that is being actively exploited to hack Windows-based servers.

A flaw in the Windows implementation of the Kerberos authentication protocol allows attackers with credentials for low-level accounts to remotely hijack extremely sensitive Windows domain controllersthat allocate privileges on large corporate or government networks. The privilege elevation bug is already being exploited in highly targeted attacks and gives hackers extraordinary control over vulnerable networks...

arstechnica.com

Microsoft has disclosed a potentially catastrophic vulnerability in virtually all versions of Windows. People operating Windows systems, particularly those who run websites, should immediately install a patch Microsoft released Tuesday morning.

The vulnerability resides in the Microsoft secure channel (schannel) security component that implements the secure sockets layer and transport layer security (TLS) protocols, according to aMicrosoft advisory. A failure to properly filter specially formed packets makes it possible for attackers to execute attack code of their choosing by sending malicious traffic to a Windows-based server.

While the advisory makes reference to vulnerabilities targeting Windows servers, the vulnerability is rated critical for client and sever versions of Windows alike, an indication the remote-code bug may also threaten Windows desktops and laptop users as well. Amol Sarwate, director of engineering at Qualys, told Ars the flaw leaves client machines open if users run software that monitors Internet ports and accepts encrypted connections...

Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.  Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

arstechnica.com

A botnet that redirected clicks from millions of PCs has been, at least for the moment, shut down by Microsoft and Symantec. Based on the fraudulent traffic generated by the Bamital botnet, the two companies estimate that its operators netted more than $1 million a year by redirecting unsuspecting computer users to websites they didn't intend to go, cashing in on the traffic with online advertising networks.

Acting on a court order they obtained from the US District Court in Alexandria, technicians from the two companies—accompanied by federal marshals—showed up at two data centers today to take down the servers controlling the Bamital botnet. A server in an ISPrime data center in Weehawken, New Jersey was seized, while the operators of a LeaseWeb data center in Manassas, Virginia voluntarily shut down a server at the company's headquarters in the Netherlands. LeaseWeb is providing an image of that server to Microsoft and Symantec. "These servers were command and control servers, and were also absorbing the malicious traffic the botnet was creating," said Vikram Thakur,  Principal Security Response Manager at Symantec in an interview with Ars...