Internet Explorer 6 RIP
Friends don’t let friends use IE6
Many years late, Microsoft is celebrating the news that Internet Explorer 6 (IE6) use in the US has officially dropped below one per cent of internet visits. In March, Microsoft assembled a team to push for the destruction of IE6, and has succeeded in reducing the market footprint of the browser. Currently 7.7 per cent of worldwide internet site visits use IE6, according to Microsoft, but the figure is now 0.9 per cent in the US.
So Redmond threw a party to celebrate.
Anticipated Android Apps
2011 has almost come to an end, and we’ve already seen some great Android apps come out this year. But 2012 is just around the corner, and it looks like it will be another eventful year for Android. Now that the latest OS version, Android 4.0 Ice Cream Sandwich (ICS), has hit the market, several device makers are expected to release ICS handsets for a ready consumer market. LG is the latest to reveal its plans around ICS, kicking into high gear during the second quarter of next year. Among the first phones to get the upgrade are the Optimus 2X, which made waves as the world’s first dual-core smartphone earlier this year, and the Optimus LTE. Others in the Optimus lineup, including the 3D, Black and Big, will also receive the ICS update by Q3 of next year.
Android’s competition in the mobile and tablet market, Apple, has had a long head start in mobile apps over its new archrival Google. However, new data shows that the number of Android apps has grown 127 percent since August and offerings in Google’s Android Market should outnumber the total for iPhone apps by mid-2012.
2012 has some great apps in store for the open-source mobile platform.
BING!…you’re infected
Search engines from Microsoft and Yahoo! have once again been caught displaying ads that direct users to malicious content, some of which infects them with malware that’s hard to detect and get rid of, researchers said. I see that they put as much thought into who is allowed to advertise as they do in making a stable operating system.
Queries such as “FireFox Download,” “Download Skype,” and “Download Adobe Player” typed into the sites returned links promising to deliver the software requested but instead attempted to hijack people’s computers, GFI Labs researcher Christopher Boyd said in a blog post published Friday. Clicking on the links takes users to pages that look like the software maker’s official site, except for the URL.
Users who downloaded and installed the software are in for a nasty surprise.
“As an example, the fake Firefox file installs a rootkit, runs IE silently in the background attempting clickfraud and also performs Google redirects,” Boyd wrote. Microsoft and Yahoo were in the process of removing the malicious ads, he said.
It’s not the first time widely used search engines have been caught displaying ads intended to harm their millions of users. Ad services used by Google and Yahoo have repeatedly been duped into serving content that punts malware and other threats.
Criminals often go to elaborate lengths to pose as legitimate marketers in an attempt to get links to their toxic wares in front of as many eyeballs as possible.
“Microsoft’s Security Team has identified the source of this malware attack and is blocking those sites from loading additional malware,” the company said in a statement. “We are continuously monitoring our sites to protect customers; and also working with law enforcement authorities to find and prosecute the people responsible for these types of attacks.”
A Bing Forum thread has Wil from Bing telling a webmaster that it can take between 3 and 6 weeks to have a malware label removed from the search results.
This is in comparison to Google which normally can remove a malware label within 24 hours.
I am not sure if this is a special case or if most Malware reviews take 3-6 weeks at Bing. Wil from Bing said:
Your issue is already being reviewed. Malware re-evaluation requests take 3-6 weeks to finalize our review and create a new reputation ranking of the page/site. A representative will get in touch with you for updates.
When you are presented with Malware via Bing, Bing disables the link but does allow the searcher to ultimately visit the page at their own risk. I’d assume 99.999% of those searchers run.
Bing has a detailed post on Malware on their blog with more information.
Malware and hacked sites are a huge issue in search. Google has been very good at handling it for the most part recently and is excellent at removing the malware or hacked label quickly after the site is fixed. Bing takes 3-6 weeks? Well, that seems excessive. Maybe I am reading it wrong?
This is why I tell people to NOT use Internet Explorer. If you must continue using Windows unfortunately, then please by all means use ESET NOD32 in conjunction with HitManPro.
Adobe Flash Update
Adobe has issued a critical software update for its Flash Player software that fixes at least a dozen security vulnerabilities in the widely-used program. Updates are available for Windows, Mac, Linux, Solaris and Android versions of Flash and Adobe Air.
The update fixes flaws present in Flash Player versions 11.0.1.152 and earlier for Windows, Mac, Linux and Solaris systems, and in Flash 11.0.1.153 and earlier for Android. The vulnerabilities are rated critical, meaning they could give hacked or malicious Web sites an easy way to install software on your machine.
Adobe’s advisory says users of Flash version 11.0.1.152 and earlier should update to v. 11.1.102.55; those using Flash v. 11.0.1.153 and earlier versions for Android should update to Flash Player 11.1.102.59. Users of AIR 3.0 for Windows, Macintosh, and Android should update to AIR v. 3.1.0.4880. The company says it is not aware of any active attacks against these flaws at this time.
To find out if you have Flash and which version may be installed, visit the About Flash page. Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). Again, check the About Flash page with each browser you use to see whether you need to apply this update. To avoid using Adobe’s Download Manager, which tends to add little “extras” if you’re not careful, IE users can grab the latest update directly from these links: 32-bit IE installer, and 64-bit IE installer. Firefox and Opera users can grab the 32-bit installer here and the 64-bit version here. If you don’t know which one you need, you can let Adobe’s site choose for you (although the download manager may try to foist other software unless you uncheck pre-checked options).
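The version check described above, as an added example (not code from the original post or from Adobe): it takes the version shown on the About Flash page and compares it against the affected and fixed versions quoted in this post. The platform keys `desktop` and `android` and all function names are assumptions made for illustration.

```python
import re

# Version numbers are the ones quoted in the post; the "desktop"/"android"
# keys are hypothetical labels chosen for this example.
ADVISORY = {
    # platform: (last vulnerable version, fixed version)
    "desktop": ("11.0.1.152", "11.1.102.55"),  # Windows, Mac, Linux, Solaris
    "android": ("11.0.1.153", "11.1.102.59"),
}


def parse_version(text):
    """Turn '11.0.1.152' (dots or commas) into a 4-tuple of ints."""
    cleaned = text.strip().replace(",", ".")
    if not re.fullmatch(r"\d+(\.\d+){0,3}", cleaned, flags=re.ASCII):
        raise ValueError(f"not a dotted version string: {text!r}")
    parts = [int(p) for p in cleaned.split(".")]
    parts += [0] * (4 - len(parts))  # pad short versions such as '11.1'
    return tuple(parts)


def assess(platform, installed):
    """Return (status, version_to_install_or_None) for one installation.

    status is 'vulnerable' at or below the last affected version,
    'patched' at or above the fixed version, and 'unlisted' for anything
    in between, which the advisory text does not mention.
    """
    last_vulnerable, fixed = ADVISORY[platform]
    version = parse_version(installed)
    if version <= parse_version(last_vulnerable):
        return ("vulnerable", fixed)
    if version >= parse_version(fixed):
        return ("patched", None)
    return ("unlisted", fixed)


def naive_string_check(installed, last_vulnerable="11.0.1.152"):
    """The common mistake: comparing version strings character by character.

    '9.0.280.0' sorts after '11.0.1.152' as text because '9' > '1', so an
    old Flash 9 install is wrongly reported as not affected.
    """
    return installed <= last_vulnerable


if __name__ == "__main__":
    # Constructed sample inventory: (platform, version reported by the browser)
    inventory = [
        ("desktop", "9.0.280.0"),
        ("desktop", "11.0.1.152"),
        ("desktop", "11,1,102,55"),
        ("android", "11.0.1.153"),
    ]
    for platform, installed in inventory:
        status, target = assess(platform, installed)
        action = f"update to {target}" if target else "no action"
        print(f"{platform:8} {installed:12} {status:10} {action}")
```

Run it once per browser, since IE and non-IE browsers carry separate Flash installs that can be at different versions.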
The installer for the latest Adobe Air version is available from this link.
Some Flash components also are bundled with Adobe Reader, so I asked Adobe whether current versions of Reader also were exposed to these vulnerabilities. Adobe spokeswoman Wiebke Lips confirmed that some of the issues fixed in today’s Flash Player update do impact the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.x) and 9.x for Windows and Mac. Lips said Adobe feels comfortable that its sandboxing technology built into the latest versions of Reader will protect users until January, when the company expects to issue the next quarterly update for Reader.
“These issues will be resolved in the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012,” Lips wrote. “Note that the Authplay.dll component is part of the ‘sandbox’ for users of Adobe Reader X (Protected Mode) and Acrobat X (Protected View), which would protect against potential exploits.”
Windows Patch Tuesday – November 2011
It is that time again! Adobe, Apple, Microsoft and Mozilla all released updates on Tuesday to fix critical security flaws in their products. Adobe issued a patch that corrects four vulnerabilities in Shockwave Player, while Redmond pushed updates to address four Windows flaws. Apple slipped out an update that mends at least 17 security holes in its version of Java, and Mozilla issued yet another major Firefox release, Firefox 8. There have been 17 security holes in Java just since the last release. If that doesn’t convince a person to uninstall Java, I’m not sure what will.
The only “critical” patch from Microsoft this month is a dangerous Windows flaw that could be triggered remotely to install malicious software just by sending the target system specially crafted packets of data. Microsoft says this vulnerability may be difficult to reliably exploit, but it should be patched immediately. Information on the other three flaws fixed this week is here. The fixes are available via Windows Updates for most supported versions of the operating system, including XP, Vista and Windows 7.
Adobe’s Shockwave update also fixes critical flaws, but users should check to see if they have this program installed before trying to update it. To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.
The vulnerabilities fixed by this update exist in versions of Shockwave 11.6.1.629 and earlier. The latest version, v. 11.6.3.633, is available here. I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, like Adobe’s Flash Player, Shockwave demands two separate installation procedures for IE and non-IE browsers.
Hat tip to the SANS Internet Storm Center for the heads up on the Java fix from Apple. This update, available via Software Update or Apple Downloads, essentially brings Snow Leopard and Lion up to date with the Oracle patches released last month in Java 6 Update 29 (Apple maintains its own version of Java).
If you use Mozilla Firefox or Thunderbird, you may have noticed that Mozilla is pushing out another major upgrade that includes critical fixes to these programs; both have now been updated to version 8. If you’re still running Firefox version 3.6.x, Mozilla has updated that to 3.6.24. Perhaps I’m becoming a curmudgeon, but I’m growing weary of the incessant update prompts from Firefox. It seems that almost every time I start it up it’s asking to restart the browser or to remove plugins that no longer work with the latest version. I’ve been gradually transitioning more of my work over to Google Chrome, which seems faster and updates the browser and any installed plugins silently (and frequently patches oft-targeted plugins like Flash Player even before Adobe officially releases the update).
I switched to Google Chrome when it first came out. I love it. It’s faster and makes updating easy and effortless. I still have Firefox, but Chrome is my default browser now on all my computers.
Web Browser Defense
For most of us, the Web browser is the first application we use when we turn on a computer. It’s how we check email, read the news, chat with friends and do just about everything.
What many users don’t realize, however, is that the Web browser is the most important security defense our computers have — and yet 60 percent of the browsers accessing the Internet today are outdated. An outdated browser ends up impacting everyone’s security, privacy and performance.
I wrote about Microsoft warning us *rolls-eyes* last week, in that we were not using a “secure” browser like Internet Explorer. GASP!..the horror of us ignorant consumers!
To help users understand the importance of the browser you use, the Online Trust Alliance (OTA), a Web-industry trade group based in Bellevue, Wash., that promotes security and trust in online marketing and commerce, recently unveiled the “Why Your Browser Matters” initiative.
“The ‘Why Your Browser Matters’ initiative provides users overall recommendations to upgrade their out-of-date and legacy browsers for a more safe, more private and more compelling online experience,” said Craig Spiezle, executive director of OTA. “The Initiative is all about communicating with computer users to make them realize that an updated Web browser is one of the most important security steps you can take. It’s as important as running anti-virus/anti-malware software.”
Spiezle is quick to point out that while there is no magic bullet when it comes to computer security, the browser is on the front line of defense because it is used so frequently.
“Modern browsers detect malicious websites and phishing URLs, analyze downloads and support a broad suite of privacy features,” Spiezle said. “It’s critical to have these at your disposal when it comes to protecting yourself online, as well as protecting your machine in general.”
Modern browsers try to provide security for users in three different ways, explained Roger Thompson, chief emerging threats researcher for ICSA Labs in Mechanicsburg, Pa.
For example, said Thompson, all modern browsers have “blacklists” of known malware sites and try to prevent users from visiting them. This method works well if the malicious sites are well-known, but online criminals try to move websites around by changing domain names and IP addresses faster than security researchers can update the blacklists — so sometimes this doesn’t work.
Some browsers, such as Google Chrome, also run applets and executable code in a “sandbox,” meaning that the code and applets can’t affect other parts of the browser or the operating system. Again, this doesn’t always work.
And all modern browsers have a somewhat regular patch cycle, in which developers fix vulnerabilities to prevent direct attacks.
A good illustration of how a browser can act as the first line of defense is with regard to shortened URLs, or Web addresses.
URL-shortening services such as bit.ly, tinyurl.com or is.gd are handy to use when including links in instant messages, text messages or Twitter posts. Unfortunately, URL shorteners also mask the actual URLs they lead to, and give no warning that links might be drive-by downloads or exploits waiting for unsuspecting victims.
Fortunately, some enterprising software developers have created a way to find out where you’re going.
“There are plug-ins available for Chrome and Firefox that will automatically expand short URLs to their actual address when viewing pages containing such links,” said Harry Sverdlove, chief technology officer of Bit9, a Web security company in Waltham, Mass. “These are useful when using Facebook or Twitter from a browser, common places where malicious links are hiding in short URLs.”
How to protect yourself
As Thompson pointed out, browser vendors are good about providing updates and patches that improve security by fixing vulnerabilities that bad guys exploit. But after that, it’s up to the user himself to take action by actually downloading the updates, or upgrading the browser to the latest version.
You can check the version number of your browser by going to the Help button on your browser’s menu and checking the “About” section. (On a Mac, click the name of the application next to the apple icon in the upper left of the screen.) Often, the “about” pop-up window will prompt you to check whether there might be updates available.
For those who use Internet Explorer, Spiezle has this important piece of advice: “If it says Internet Explorer 6 … run, do not walk to the nearest free download of Internet Explorer 9.”
(If you’re still running Windows XP, update to Internet Explorer 8, the latest version you can install.) Which is the highest version you can run on Windows XP, unless someone figures out a hack for it, which they will. I’d rather you run Google Chrome.
Internet Explorer 6 has been the target of a number of malicious attacks over the past decade; newer versions of Internet Explorer are much more secure.
Does it matter which browser you use? Spiezle and Thompson disagree on that question.
While Thompson said that today’s browser upgrades have leveled the playing field when it comes to security, Spiezle pointed out that there still are differences among them, and each user has to assess which is best for his own uses.
“You need to look at not only the security features, but also privacy features, as well as support for the latest technologies,” Spiezle said.
Here is the link for a good start: https://otalliance.org/browser/. At first I was thinking that this was another Internet Explorer centered website, but at least they mention the alternatives.
Google Chrome at 3
It’s hard to believe it’s been only three years since the Google Chrome browser debuted. According to the latest market share statistics from usage-tracking firm Net Applications, Chrome now has 15.51 percent of the desktop browser market–a meteoric rise for an app that entered a crowded market dominated by neighborhood bully Microsoft Internet Explorer.
Chrome is third among desktop browsers, behind number one IE (over 55 percent of the market), and Mozilla Firefox (nearly 23 percent).
What’s the secret to Chrome’s success? “Speed, simplicity and security,” write Google software engineers Ben Goodger and Darin Fisher in a Thursday post on the Google Data blog. Competing browsers, of course, are making strides in the Three S’s as well. But Chrome’s virtues are proving powerful enough to lure users away from IE and Firefox.
As Goodger and Fisher point out, Chrome has made great strides over the past 12 months, adding faster JavaScript performance, speedier page-loading times, a much-needed print preview feature, and various other upgrades. http://evolutionofweb.appspot.com/
Is the Web better with Chrome? Satisfied users of other browsers would certainly disagree, but I think so. I switched to Chrome from IE last year and haven’t looked back.
I only hope that Google’s breakneck update schedule doesn’t pile on too many new features that turn Chrome sluggish. The browser’s peppy performance is its most appealing trait.
I totally dumped Firefox for a few reasons: 1. Foxmarks Sync was ungainly slow. 2. Speedial was broken. 3. Sage RSS was broken and not being developed.
If you’re not using Google Chrome now, please try it for a week and see how you like it.
Mac Flashback Trojan
The security by obscurity myth is finally blown out of the water…Macs are pretty much mainstream these days and it yet again proves my points about Mac virus resistance, it may be virus resistant, but unless you upgrade the users, no platform is Trojan proof.
Apple has updated the malware protection built into its Mac operating system to flag a recently discovered trojan that hijacks users’ machines by masquerading as a benign document. Malware disguised as an Adobe Flash installer, meanwhile, remained unchecked.
The file quarantine, which Apple snuck into a prerelease version of Snow Leopard in 2009, was updated to include a definition for Trojan-Dropper:OSX/Revir.A, which antivirus provider F-Secure disclosed on Friday. According to an update on F-Secure’s blog, the malware disguises itself as a PDF file in an attempt to trick users into clicking on it.
“The malware then proceeds to install a backdoor, Backdoor:OSX/Imuler.A, in the background,” stated the F-Secure analysis, which was posted Monday. “As of this writing, the C&C of the malware is just a bare Apache installation and is not capable of communicating with the backdoor yet.”
By Tuesday morning, Apple had added a definition for Revir.A into the file quarantine feature, our review of a Mac running OS X Lion, aka 10.7, has shown. By our count, it’s the 10th definition to be included, although two of them cover malware with the identical label of “OSX.HellRTS.” The definitions are stored in a file called XProtect.plist tucked away in the /System/Library/CoreTypes.bundle/Contents/Resources/ folder.
Apple engineers pushed out the update around the same time that a new trojan was discovered menacing Mac users. According to Mac antivirus provider Intego, the Flashback trojan is built on a sophisticated code base that installs a backdoor on infected machines, and covers its tracks by using encryption when communicating with remote servers.
“The backdoor is able to download further software, but, for now, we are not seeing this activity,” Intego’s analysis stated. “It is also able to update itself, and creates an Sha1 hash of the malware to see if it has changed. If the Sha1 of the software version on the server is different from that installed, this means that an update is necessary.”
With the explosive growth of Macs, iPhones, and iPads, malware purveyors have finally begun targeting Apple products after years of almost exclusive focus on Microsoft users. Earlier this year, an outbreak of fraudulent Mac antivirus products ignited a huge spike in support calls from frantic Mac users who had been tricked into installing a piece of malware called MacDefender. Apple eventually added definitions for it to its file quarantine, as well.
I think the difference between Microsoft and Apple here is that Microsoft weren’t the ones to create a condescending “I’m a PC” commercial insinuating that their operating system was virus free…With the amount of braindead Apple fans who claim that Apple Virus / Malware is an oxymoron, that 30 second spot could turn out to be some of history’s most damaging tech-related FUD.
Earlier I wrote that actually most targeted vulnerabilities are in Flash, PDF or Java these days via Internet Explorer (IE) and once you take IE out of the equation, Windows does quite well, especially given the rich rewards and vast selection of low-hanging fruit users can offer.
Microsoft warns Firefox & Chrome users
Laughable at best, Microsoft has unveiled a website aimed at raising awareness of browser security by comparing the ability of Internet Explorer, Mozilla Firefox, and Google Chrome to withstand attacks from malware, phishing, and other types of threats.
The website doesn’t do any security checks at all, it just reads the ‘User Agent’ data from your browser, so Firefox 7.0.1 masquerading as Internet Explorer 9 gets 4 out of 4. Microsoft is leading people into a sense of false security. The site does no “testing”, it just matches your browser to whatever it has in its lookup table.
Care to take a guess what they say about IE 9? This is pure Microsoft marketing at its best. EPIC FAIL, false security is no security at all. Really, you would have to be an idiot to fall for this…Can you say, FALSE ADVERTISING?
Your Browser Matters gives the latest versions of Firefox and Chrome a paltry 2 and 2.5 points respectively out of a possible score of 4. Visit the site using IE 9, however, and the browser gets a perfect score. IE 7 gets only 1 point, and IE 6 receives no points at all.
The page is designed to educate users about the importance of choosing an up-to-date browser that offers industry-standard features. The ability to automatically warn users when they’re about to download a malicious file, to contain web content in a security sandbox that has no access to sensitive parts of the computer’s operating system, and to automatically install updates are just three of the criteria.
The site dings Firefox for a variety of omissions, including its inability to restrict an extension or a plug-in on a per-site basis, its failure to use Windows Protected Mode or a similar mechanism to prevent the browser from modifying parts of the system it doesn’t have access to, and its lack of a built-in feature to filter out malicious XSS, or cross-site scripting, code. Among other things, Chrome lost points for not using Windows features that protect against structured exception-handling overwrite attacks.
Readers still stuck in the rut of critiquing Microsoft security based on products released a decade ago are likely to be unimpressed. The reality is that over the past few years, Redmond has endowed Windows and IE with measures such as ASLR, or address space layout randomization, and DEP, or data execution prevention, that significantly reduce the damage attackers can do when they exploit buffer overflows and other bugs that are inevitable in any large base of code. Apple didn’t pull ahead of Microsoft on this score until earlier this year with the release of its Mac OS X Lion.
It didn’t take long for Mozilla developers to take issue with the critique.
“Microsoft’s site is more notable for the things it fails to include: security technologies like HSTS, privacy tools like Do Not Track, and vendor response time when vulnerabilities are discovered,” Johnathan Nightingale, Mozilla’s director of Firefox engineering, said in a statement. He said: “Mozilla is fiercely proud of our long track record of leadership on security.
Software updates: Adobe
Adobe is a vendor that often plays catch-up with security exploits, issuing emergency patches to fix zero-day vulnerabilities. But Adobe, like Microsoft, also has a regular Patch Tuesday update cycle. This regularly scheduled update is a way to give users and enterprises a predictable and stable timetable for Adobe updates.
For August’s Patch Tuesday, Adobe has issued update advisories to fix a slew of critical security flaws in its products, including Flash, Shockwave Player and Adobe AIR.
The Flash update corrects at least 13 critical vulnerabilities present in versions 10.3.181.36 and earlier for Windows, Mac, Linux and Solaris machines (the bugs exist in Flash versions 10.3.185.25 and earlier for Android devices). Windows, Mac, Linux and Solaris users should upgrade to version 10.3.183.5, and Android users should update to v. 10.3.186.2. According to Adobe, they are not aware of any exploits “in the wild” for the issues addressed in the update. Digging into the vulnerabilities, the vast majority are memory issues: five buffer overflows, four memory corruption and three integer overflow issues. There is also a single cross-site information disclosure issue that is fixed that could have potentially led to arbitrary code execution.
To find out which version of Flash you have, visit this page. Windows users who browse the Web with anything other than Internet Explorer will need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). To avoid using Adobe’s annoying Download Manager, IE users can grab the latest update directly from this link; the direct link for non-IE browsers is here.
Windows users can furthermore use the Flash Player Settings Manager that is part of the Windows Control Panel to check for updates. Here it is furthermore possible to check the Flash Player version that is installed on the system. The path is Control Panel > Flash Player (32-bit) > Advanced. Users with a 64-bit version of Flash Player installed need to change the 32-bit to 64-bit in the path.
The same flaws exist in Adobe AIR for Windows, Mac and Android. Using an application that requires Adobe AIR (Tweetdeck or Pandora, for example) should prompt you to update to the latest version, AIR 2.7.1. If you don’t see a prompt to update the program, the latest version of AIR is available here.
Adobe also shipped an update to its Shockwave Player that fixes at least seven critical vulnerabilities in the media player program. Adobe is urging users of Adobe Shockwave Player 11.6.0.626 and earlier to update to Adobe Shockwave Player 11.6.1.629.
I should note that you may not have or want Shockwave installed. I haven’t had it on my Firefox installation for some time now and don’t seem to have missed it. I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, it demands two separate installation procedures for IE and non-IE browsers.
To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.










