Security News #0x21: IE 0-day Fallout; Passwords

• The Internet Explorer hole from last week has been named CVE-2012-4969 and patched by Microsoft on Friday as MS12-063. The corresponding Metasploit module works for IE 8 and IE 9 on Windows 7, provided a version of Java 6 is installed. Though Java is required for the Metsaploit module, it is not required for the exploit, and Peter Vreugdenhil has said that he has a working PoC that does not require Java. One interesting thing about the MS12-063 patch is that it credits the Zero Day Initiative for informing them of the bug. Some have suggested this means that Microsoft knew about the bug for some weeks. This also leads to the question- are the attackers reverse engineering the IPS?
• Marta Janus has a great post over on SecureList that describes a number of common web site attack vectors.
• There really is no substitute for entropy in passwords, and that means long passwords with a large character set. Take a look at how Virgin Mobile USA dealt with this issue.
• Hotmail, oh woe is Hotmail. Sixteen characters is nice, but why, why truncate? What is the benefit?
• Bruce Schneier took a look at password generation methods some years ago.
• While I am thinking about passwords, the folks at data genetics put together a wonderful (and entertaining!) analysis of PIN numbers.
• Flame continues to make the news. Ars Technica has a piece suggesting that it too is the work of a nation-state. Wired has a similar piece, while Securelist has a post that provides some additional technical details of the command and control systems that were used.