Windows Patch Tuesday – November 2011
It is that time again! Adobe, Apple, Microsoft and Mozilla all released updates on Tuesday to fix critical security flaws in their products. Adobe issued a patch that corrects four vulnerabilities in Shockwave Player, while Redmond pushed updates to address four Windows flaws. Apple slipped out an update that mends at least 17 security holes in its version of Java, and Mozilla issued yet another major Firefox release, Firefox 8. If 17 security holes in Java just since the last release doesn’t convince a person to uninstall Java, I’m not sure what will.
The only “critical” patch from Microsoft this month is a dangerous Windows flaw that could be triggered remotely to install malicious software just by sending the target system specially crafted packets of data. Microsoft says this vulnerability may be difficult to reliably exploit, but it should be patched immediately. Information on the other three flaws fixed this week is here. The fixes are available via Windows Updates for most supported versions of the operating system, including XP, Vista and Windows 7.
Adobe’s Shockwave update also fixes critical flaws, but users should check to see if they have this program installed before trying to update it. To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.
The vulnerabilities fixed by this update exist in versions of Shockwave 11.6.1.629 and earlier. The latest version, v. 11.6.3.633, is available here. I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, like Adobe’s Flash Player, Shockwave demands two separate installation procedures for IE and non-IE browsers.
Hat tip to the SANS Internet Storm Center for the heads up on the Java fix from Apple. This update, available via Software Update or Apple Downloads, essentially brings Snow Leopard and Lion up to date with the Oracle patches released last month in Java 6 Update 29 (Apple maintains its own version of Java).
If you use Mozilla Firefox or Thunderbird, you may have noticed that Mozilla is pushing out another major upgrade that includes critical fixes to these programs; both have now been updated to version 8. If you’re still running Firefox version 3.6.x, Mozilla has updated that to 3.6.24. Perhaps I’m becoming a curmudgeon, but I’m growing weary of the incessant update prompts from Firefox. It seems that almost every time I start it up it’s asking to restart the browser or to remove plugins that no longer work with the latest version. I’ve been gradually transitioning more of my work over to Google Chrome, which seems faster and updates the browser and any installed plugins silently (and frequently patches oft-targeted plugins like Flash Player even before Adobe officially releases the update).
I switched to Google Chrome when it first came out. I love it. It’s faster and makes updating easy and effortless. I still have Firefox, but Chrome is my default browser now on all my computers.
Microsoft Word Virus
A new virus has cropped up in various countries across the world and its target appears to be corporate networks. The Duqu virus, first noted last month by a laboratory at Budapest University, has now been spotted in several other countries and appears to be sent via Microsoft Word documents attached as emails. Microsoft has announced that it is working on a fix.
The point of the new virus seems to be to gather corporate information and then send it to some as yet unknown site. Thus, it’s a form of corporate espionage. Chillingly, researchers at Symantec, the giant antivirus company, say it looks like some of the code in the virus is the same as was found in the Stuxnet virus that wreaked havoc on Iran’s nuclear program, indicating that the perpetrators were either able to obtain the code from that virus or are the same people.
The virus is activated when a person to whom an infected Word document was sent opens it. The virus infects that computer, then seeks out other computers through the corporate network. As it goes, it collects data and then apparently seeks a path out to the Internet where it can send the data it’s collected to a predefined destination. Thus far it has relied on a so-called zero-day exploit to take advantage of a previously unknown weakness in the Windows kernel, which means getting in and doing its dirty work before victims have a chance to come up with a means of defense against it.
Thus far, it appears that the virus has been targeted at specific types of companies, as the data-collecting part of the virus seems to seek out information pertaining to industrial control systems. So it’s likely that whoever unleashed the virus did so in hopes of gaining information on how companies are designing and manufacturing their products; not something the average person would need to worry about, but still enough to cause concern about the growing sophistication of computer viruses.
So far, instances of the virus have been seen in Iran, India, France, Ukraine, the UK and at least eight other countries that have not been specifically identified.
In the meantime, Microsoft has released an advisory and a stopgap fix for the zero-day vulnerability exploited by the “Duqu” Trojan, a highly targeted malware strain that some security experts say could be the most important cyber espionage threat since Stuxnet.
According to the advisory, the critical vulnerability resides in most supported versions of Windows, including Windows XP, Vista and Windows 7. The problem stems from the way Windows parses certain font types. Microsoft says it is aware of targeted attacks exploiting this flaw, but that it believes few users have been affected.
Nevertheless, the flaw is a dangerous one. Microsoft said that an attacker who successfully exploited this vulnerability could run arbitrary code; install programs; view, change, or delete data; or create new accounts with full user rights. The most likely vehicle for the exploit is a poisoned email attachment. This means that a hacker deploying the Duqu Trojan against a Windows machine that hasn’t yet downloaded the temporary fix could gain nearly total access to a person’s computer.
Microsoft is working on developing an official security update to fix the flaw. For now, it has released a point-and-click Fixit tool that allows Windows users to disable the vulnerable component. Enabling this tweak may cause fonts in some applications to display improperly. If you experience problems after applying the Fixit solution, you can always undo it by clicking the “disable” image in the Microsoft advisory and following the prompts. So in reality, some of you may not be able to fix this until the next ‘Patch Tuesday’ in December.
Mac Flashback Trojan
The security by obscurity myth is finally blown out of the water… Macs are pretty much mainstream these days, and it yet again proves my points about Mac virus resistance: it may be virus resistant, but unless you upgrade the users, no platform is Trojan proof.
Apple has updated the malware protection built into its Mac operating system to flag a recently discovered trojan that hijacks users’ machines by masquerading as a benign document. Malware disguised as an Adobe Flash installer, meanwhile, remained unchecked.
The file quarantine, which Apple snuck into a prerelease version of Snow Leopard in 2009, was updated to include a definition for Trojan-Dropper: OSX/Revir.A, which antivirus provider F-Secure disclosed on Friday. According to an update on F-Secure’s blog, the malware disguises itself as a PDF file in an attempt to trick users into clicking on it.
“The malware then proceeds to install a backdoor, Backdoor:OSX/Imuler.A, in the background,” stated the F-Secure analysis, which was posted Monday. “As of this writing, the C&C of the malware is just a bare Apache installation and is not capable of communicating with the backdoor yet.”
By Tuesday morning, Apple had added a definition for Revir.A into the file quarantine feature, our review of a Mac running OS X Lion, aka 10.7, has shown. By our count, it’s the 10th definition to be included, although two of them cover malware with the identical label of “OSX.HellRTS.” The definitions are stored in a file called XProtect.plist tucked away in the /System/Library/CoreTypes.bundle/Contents/Resources/ folder.
Apple engineers pushed out the update around the same time that a new trojan was discovered menacing Mac users. According to Mac antivirus provider Intego, the Flashback trojan is built on a sophisticated code base that installs a backdoor on infected machines, and covers its tracks by using encryption when communicating with remote servers.
“The backdoor is able to download further software, but, for now, we are not seeing this activity,” Intego’s analysis stated. “It is also able to update itself, and creates an Sha1 hash of the malware to see if it has changed. If the Sha1 of the software version on the server is different from that installed, this means that an update is necessary.”
With the explosive growth of Macs, iPhones, and iPads, malware purveyors have finally begun targeting Apple products after years of almost exclusive focus on Microsoft users. Earlier this year, an outbreak of fraudulent Mac antivirus products ignited a huge spike in support calls from frantic Mac users who had been tricked into installing a piece of malware called MacDefender. Apple eventually added definitions for it to its file quarantine, as well.
I think the difference between Microsoft and Apple here is that Microsoft weren’t the ones to create a condescending “I’m a PC” commercial insinuating that their operating system was virus free…With the amount of braindead Apple fans who claim that Apple Virus / Malware is an oxymoron, that 30 second spot could turn out to be some of history’s most damaging tech-related FUD.
Earlier I wrote that actually most targeted vulnerabilities are in Flash, PDF or Java these days via Internet Explorer (IE) and once you take IE out of the equation, Windows does quite well, especially given the rich rewards and vast selection of low-hanging fruit users can offer.
Microsoft kills Start menu
Microsoft recently killed the Start Menu, and their explanation for it seems fairly straightforward: no one used it. This may be a bit of an exaggeration, but Microsoft explains that use of the Start menu dipped by 11 percent between Windows Vista and Windows 7, with many specialized Start functions — such as exploring pictures — declining as much as 61 percent.
When you can’t figure out the easy way to launch stuff, look in the Start Menu. This is change for change’s sake. How is someone supposed to use this? You can’t, without much anguish. Why? Because they didn’t like the big, floor-to-ceiling look of the old XP system, they shrunk it all down so that it only shows 5-6 items at a time and has a scroll-bar. In short, they made it harder to use and less functional than the XP Start Menu, and to everyone’s amazement, people stopped using it, and then they claimed it was some sort of UX triumph.
Ditto with the control panel – rather than one big screen with 100+ tiny icons on it, they reworded a few things (“Display” became “Personalization”, and there are 2-3 different UIs rather than the tabs on the old-fashioned XP display.cpl) and made them all look like web-apps. Now that it’s unnavigable with words or icons, everyone uses “search” and it “feels faster”. You can’t write documentation that says Start-Settings-ControlPanel-Display-Screensaver, you have to say “search for ‘screen saver’ and clicky on whatever pops up”… *sigh*
Much like Firefox, most UX innovation is precisely that. If you don’t get the results that match your pet UI design philosophy, move the feature around, and while your users are trying to find the feature you don’t want, accumulate enough telemetry to claim your users aren’t using it as often, then take it away. (Status bar, full URL in the URLbar, etc.)
And the problem fundamentally isn’t that the Start Menu is too complicated. It’s that they’ve never provided a good tool for *managing* it. So the average person, being unaware that it’s just a bunch of directories and shortcut files, suffered with the floor-to-ceiling scrolling menu from hell. M$, on noting their complaints, responded by taking away most of the menu. This led to a different set of complaints, since now no one can find anything and the reaction is to give up on the start menu entirely.
But it still didn’t solve the real problem, which as I said is still that there’s no good tool that average non-savvy users can turn to for *managing* the Start Menu. How hard could it be to make a nice little interface (not relying on drag-and-drop in the live menu, which in my observation is usually a disaster) geared toward letting average folks sort out their programs into reasonable hierarchies, so the Start Menu isn’t always One Huge Mess??
Me being an avid user of Linux Mint, I much prefer using Cairo Dock and Mint Menu, both of which are configurable. I have to chuckle over this, and just shake my head.
- Cairo Dock
- Mint Menu
- Mint Menu Favorites
It would be fine if I never changed computer, or never needed to re-install the OS; however, any time you used a different computer / OS, you would need to re-organize things, go against the defaults. The other problem I had was that sometimes it was hard to perfectly categorize things. Google’s Chrome browser and its ChromeOS are working to conquer this aspect.
Without the Start Menu, how do I shutdown? Hold the power button down for ten seconds, just like always.
So in Windows 8 (for those that tried the demo, yes I downloaded the ISO and set up a VM to try it) they replaced the simple little menu in the start button with a whole screen monstrosity that takes the entire desktop. Taking over my whole desktop because I pushed the start button isn’t the answer to this problem. IMO people don’t use the start menu much because they put icons of their most used programs in the quick launch tool bar and on the desktop itself. Instead they take a simple menu, blow it up full screen and if you decide you don’t want to pick a program and go back to what you have running, there is no logical way to do it (there isn’t a close button that’s obvious, ESC doesn’t work, right click doesn’t work).
Gnome3 and Ubuntu’s Unity solution to doing away with the start button is far better than what Microsoft has cooked up (and I don’t really like those either, but I can see them working better). If I fail that badly using their “NEW AND IMPROVED” start menu I can’t even comprehend how disastrous this will be for the less computer literate. The best part is, you cannot bring back the old start menu that I could find. It’s not in the control panel, the options are gone from the right click menu, etc.
Microsoft is making a huge mistake overlaying their Windows Phone 7 Metro interface on Windows. This is a huge mistake that’s obviously being done to use the Windows monopoly against the phone competition. It’s going to backfire and damage Windows just like Vista did.
Microsoft killed the Start menu because they want to force everyone to use Windows Phone, even if they aren’t (initially) buying a Windows Phone. They failed for years to sell phones that look like a Windows desktop, so instead they’re changing the Windows desktop to look like their phones, and hoping that iOS and Android end up looking “foreign” to phone users as a result.
People click on the Start menu when they want to find something to Start. Imagine that. The bottom line is that the Windows 95 UI (which is to say, Microsoft’s ripoff of the RiscOS UI [guidebookgallery.org]) was the pinnacle of personal computer desktop UI design. Everything that’s happened since then has been change for change’s sake and has only served to annoy users and get in their way.
There is really nothing wrong with a start menu. Microsoft however never enforced a good practice with their start menu, the signal to noise ratio is VERY low. It’s cluttered with company names, uninstallers and readme files. Why should I have to know the name of the company if I want to use a program, looks very much like advertisement to me. Instead of enforcing a good practice they have extended the start menu with “most used programs” which really doesn’t cure the underlying problem, and to me it’s even more cluttered. They should get rid of everything but the program starters in correct folders, Games in games folder and so on, one program has one menu entry, this was probably how it was meant to be by the original designer but never enforced. Look at Gnome, very simple, and very effective. And now Microsoft have come to the conclusion that nobody uses their cluttered mess of a start menu, and are killing it. I say it could be fixed, but Microsoft doesn’t seem to know what’s wrong with it.
Windows 7 driver problem
Some time ago, I came across an issue that so far I have never seen, and it’s a stubborn one. This time, it was an issue with a driver released for an integrated wireless NIC by RALink Technology. The issue? Windows 7 refuses to automatically install it because it doesn’t trust the source of the driver. The error that shows up for the properties of the device in Device Manager is:
Windows cannot verify the digital signature for the drivers required for this device. Error Code 52.
Now, while this may not pose as a big deal, the issue at hand is to have the Windows installer use the driver during an unattended installation of Windows 7. What’s even more frustrating, the manufacturer of the PC and the device itself only release InstallShield packages that the user must run to obtain the drivers in the first place. To get the raw driver files for the unattended installation, I must run the InstallShield package to install it on a PC that has the device in it, then go back and look at the properties for the device in Device Manager, and under Driver Details get the list of files to extract, as well as find the oem*.inf file in the c:\windows\inf\ folder. The driver can be successfully installed manually once Windows is installed, where it prompts for the user to allow it to install. What adds to this puzzle is that the driver itself IS signed, because after it is installed, it shows the “Name of signer” for the driver itself as “Ralink Technology Corporation”. So what is the deal here?
After doing some more research, it turns out this is a known issue with Windows, where it does not correctly determine that a driver is signed. Posts about this error show up all over. Microsoft’s article on the error code says:
If the device is a CD or DVD drive, use the Automated Troubleshooting Service, at the Microsoft Support Web site (http://go.microsoft.com/fwlink/?LinkId=192997).
Go to the device manufacturer’s Web site and download and install the latest appropriate driver for the device.
Search for possible solutions for your particular device on the Microsoft Support Web site (http://support.microsoft.com). For example, for issues related with an iPod, you might search for “code 52” iPod.
Well, the first option is not possible as there is no disc, and the manufacturer’s website already contains drivers that are signed and have the same issue. And no additional searches show any useful information on this on Microsoft’s site. Searching the rest of the Internet on the issue mainly supplies links for downloading the drivers from 3rd party sites, or for software that should “fix” the problem, like “DLL Suite”. No thanks, I’m not about to start installing a bunch of unknown 3rd party products to try and help with a Windows problem.
Personally I think the whole driver model for Windows is a huge mess, especially when problems come up like this, they can be very difficult to fix. As a band-aid, Microsoft implemented its driver signing policy to help alleviate issues with unstable or malicious drivers being released by 3rd parties. Yes I know, most of the time drivers just install and all is good. I like to compare this to alternative operating systems like GNU/Linux, where all drivers for most Linux distributions are pre-compiled for the kernel and are automatically loaded when the kernel is running. There is no hunting for 3rd party packages, extracting driver files from system folders like there is in Windows, or driver signing. GNU/Linux is a huge improvement over Windows on how it handles drivers, since everything is included in the Linux distribution. There are cases where a driver might need to be compiled, but this is extremely rare, and I’ve never had to do this with the 2.6 series of Linux kernels.
This issue has a workaround for now, but it involves manually installing the driver for each PC. And yes, Windows 7 can be set to allow unsigned drivers after Windows is installed, and there are methods to address unattended setup for Windows XP, but so far I haven’t discovered the right recipe for Windows 7’s unattended installation. This is not a big deal for a few PCs, but for a large batch it is time consuming, and people should be spending that time doing other tasks like installing additional software.
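A pre-flight check for a driver folder assembled the way described above (oem*.inf plus the files listed under Driver Details), as an added example that is not code from the original post: it reads the INF, lists the catalog (.cat) files its [Version] section names and the files in [SourceDisksFiles], and reports which are absent from the folder. It checks presence only, not whether Windows will accept the signature; the function names, file names and sample INF are constructed for illustration, and a flat folder layout is assumed.

```python
import codecs
import os
import re
import tempfile


def read_inf(path):
    """INF files are commonly UTF-16 with a BOM; fall back to ANSI."""
    with open(path, "rb") as handle:
        raw = handle.read()
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    return raw.decode("cp1252", errors="replace")


def parse_sections(text):
    """Return {section name in lower case: [(key, value), ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        # ';' starts a comment (a ';' inside a quoted string is not handled).
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            key, _, value = line.partition("=")
            sections[current].append(
                (key.strip().strip('"').lower(), value.strip().strip('"')))
    return sections


def check_driver_folder(folder, inf_name):
    """Compare what the INF references with what is actually in the folder."""
    sections = parse_sections(read_inf(os.path.join(folder, inf_name)))
    present = {name.lower() for name in os.listdir(folder)}
    # Windows checks a driver package's signature through the catalog that the
    # INF names: CatalogFile, or a platform form such as CatalogFile.NTamd64.
    catalogs = sorted({value.lower() for key, value in sections.get("version", [])
                       if (key == "catalogfile" or key.startswith("catalogfile."))
                       and value})
    # Keys of [SourceDisksFiles] (and decorated variants) are the payload files.
    payload = sorted({key for name, entries in sections.items()
                      if name == "sourcedisksfiles"
                      or name.startswith("sourcedisksfiles.")
                      for key, _ in entries})
    return {
        "catalogs_named": catalogs,
        "catalogs_missing": [c for c in catalogs if c not in present],
        "payload_missing": [p for p in payload if p not in present],
    }


def is_complete(report):
    """True when a catalog is named and every referenced file is present."""
    return (bool(report["catalogs_named"])
            and not report["catalogs_missing"]
            and not report["payload_missing"])


# Constructed sample, not a real vendor INF.
SAMPLE_INF = """\
; constructed sample for the check below
[Version]
Signature = "$Windows NT$"
Class = Net
CatalogFile.NTamd64 = samplenic.cat

[SourceDisksFiles]
samplenic.sys = 1
"""


def demo():
    """Run the check on a folder that lacks the catalog, then with it added."""
    with tempfile.TemporaryDirectory() as folder:
        with open(os.path.join(folder, "oem12.inf"), "w", encoding="utf-16") as f:
            f.write(SAMPLE_INF)
        open(os.path.join(folder, "samplenic.sys"), "wb").close()
        before = check_driver_folder(folder, "oem12.inf")
        open(os.path.join(folder, "samplenic.cat"), "wb").close()
        after = check_driver_folder(folder, "oem12.inf")
    return before, after


if __name__ == "__main__":
    for label, report in zip(("without catalog", "with catalog"), demo()):
        print(label, report, "complete" if is_complete(report) else "incomplete")
```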
How Windows gets malware
When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update Java, Adobe Reader/Acrobat and Adobe Flash. This is revealed by a survey conducted by CSIS Security Group A/S. This group has been collecting data for 3 months on actual infections of computers by drive-by attacks on browsers. Drive-by attacks are when you go to an innocent website and get a virus anyway. This is typically from ads or hacked links.
Basis of the study
CSIS has over a period of almost three months actively collected real time data from various so-called exploit kits. An exploit kit is a commercial hacker toolbox that is actively exploited by computer criminals who take advantage of vulnerabilities in popular software. Up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits.
The purpose of this study is to reveal precisely how Microsoft Windows machines are infected with malware and which browsers, versions of Windows and third party software that are at risk.
CSIS monitored more than 50 different exploit kits on 44 unique servers / IP addresses. Figures come from the underlying statistical modules, thereby ensuring an as precise overview of the threat landscape as possible. The statistical material covers all in all more than half a million user exposures out of which as many as 31.3 % were infected with the virus/malware due to missing security updates.
Among the vulnerabilities we have observed abused by the monitored exploit kits, we find:
CVE-2010-1885 Microsoft Help & Support HCP
CVE-2010-1423 Java Deployment Toolkit insufficient argument validation
CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2010-0840 Java trusted Methods Chaining Remote Code Execution Vulnerability
CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
CVE-2009-0927 Adobe Reader Collab GetIcon
CVE-2008-2992 Adobe Reader util.printf
CVE-2008-0655 Adobe Reader CollectEmailInfo
CVE-2006-0003 IE MDAC
CVE-2006-4704 Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability
CVE-2004-0549 ShowModalDialog method and modifying the location to execute code
The report above describes those operating systems, browsers, and applications that are vulnerable in the real world scenarios they have observed. Here it is slimmed down:
Internet Explorer is the worst offending browser. Mozilla is second.
Windows XP, Windows 7, and Windows Vista are the worst offending operating systems.
Java, Adobe Reader, and Adobe Flash are the worst offending applications.
The salient point is that fully updated and patched installs let 70% of the infections through, mainly because the technology is reactive. Even more salient is that only 13% of the successful infections relied on software that was Windows only (10% were IE exploits, 3% were Windows Help exploits). All you folks encouraging your friends and families to buy Macs for the specific reason of their security are in for a world of hurt in a few years when Mac hits ~30+% market share. Kits are already starting to appear.
Conclusion: 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages:
Java JRE 37%
Adobe Reader/Acrobat 32%
Adobe Flash 16%
MS Internet Explorer 10%
Windows HCP (Help) 3%
Apple Quicktime 2%
For the sake of security, I would not run Java, Adobe anything or Internet Exploiter.
We don’t want you getting viruses because it’s difficult to remove and more importantly, expensive and time consuming.
1. Uninstall java. Most end users never have a need for it and don’t update it.
2. Use Chrome to read PDFs or use Foxit. No need for Adobe, but to be fair Adobe’s new sandbox model in version X is resistant to viral infections and exploits.
3. Update flash as often as it says or switch to Chrome.
4. Use ESET NOD32 & HitmanPro for protection
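The study's conclusion is about patch levels, so here is an added example (not from the CSIS report or the original post) that checks an inventory of installed versions against the patch levels named elsewhere on this page. The inventory is constructed, and the product keys, rule layout and function names are illustrative.

```python
import re

# Patch levels taken from this page. "fixed" is the first version the page
# names as patched; "affected_through" is the last version the page lists as
# affected (used where the page does not name the fixed build). "branch"
# limits a rule to one release line; None matches any version. The first
# matching rule wins.
RULES = {
    "Shockwave Player": [{"branch": None, "fixed": "11.6.3.633"}],
    "Flash Player": [{"branch": None, "fixed": "10.3.183.5"}],
    "Firefox": [{"branch": "3.6", "fixed": "3.6.24"},
                {"branch": None, "fixed": "8"}],
    # Java 6 Update 29 reports itself as 1.6.0_29.
    "Java": [{"branch": "1.6", "fixed": "1.6.0_29"}],
    "Adobe Reader": [{"branch": "10", "affected_through": "10.1"},
                     {"branch": "9", "affected_through": "9.4.5"},
                     {"branch": "8", "affected_through": "8.3"}],
}


def parse(version):
    """'10.3.183.5' -> (10, 3, 183, 5); '1.6.0_29' -> (1, 6, 0, 29)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def compare(a, b):
    """Return -1, 0 or 1, comparing field by field as integers.

    A plain string comparison would rank '3.6.9' above '3.6.24'.
    """
    ta, tb = parse(a), parse(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))   # pad so that 10.1 equals 10.1.0
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def in_branch(version, branch):
    """True if the version starts with the branch's numeric fields."""
    if branch is None:
        return True
    prefix = parse(branch)
    return parse(version)[:len(prefix)] == prefix


def assess(product, version):
    """Return 'outdated', 'ok' or 'unknown' (no rule covers this install).

    'ok' means at or above the patch level this page names, nothing more.
    """
    for rule in RULES.get(product, []):
        if not in_branch(version, rule["branch"]):
            continue
        if "fixed" in rule:
            return "outdated" if compare(version, rule["fixed"]) < 0 else "ok"
        behind = compare(version, rule["affected_through"]) <= 0
        return "outdated" if behind else "ok"
    return "unknown"


def audit(inventory):
    """Attach a status to every (product, version) pair."""
    return [(product, version, assess(product, version))
            for product, version in inventory]


# Constructed inventory for one workstation (not real data).
SAMPLE_INVENTORY = [
    ("Firefox", "3.6.9"),
    ("Firefox", "8.0"),
    ("Flash Player", "10.3.181.36"),
    ("Shockwave Player", "11.6.3.633"),
    ("Adobe Reader", "10.1.0"),
    ("Java", "1.6.0_26"),
    ("Java", "1.7.0"),
]

if __name__ == "__main__":
    for product, version, status in audit(SAMPLE_INVENTORY):
        print(f"{product:18} {version:14} {status}")
```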
Software updates: Adobe
Adobe issued its monthly update last week, to eliminate 13 security flaws in its PDF Reader and Acrobat products. Adobe’s patches for Reader and Acrobat correct critical vulnerabilities in the programs that could be exploited by attackers just by convincing users to open a booby-trapped file. Updates are available for Adobe Reader X (10.1) and earlier versions for Windows, Macintosh, Adobe Reader 9.4.2 and earlier versions for UNIX, and Adobe Acrobat X (10.1) and earlier versions for Windows and Macintosh.
Affected software versions
• Adobe Reader X (10.1) and earlier 10.x versions for Windows and Macintosh
• Adobe Reader 9.4.5 and earlier 9.x versions for Windows and Macintosh
• Adobe Reader 8.3 and earlier 8.x versions for Windows and Macintosh
• Adobe Acrobat X (10.1) and earlier 10.x versions for Windows and Macintosh
• Adobe Acrobat 9.4.5 and earlier 9.x versions for Windows and Macintosh
• Adobe Acrobat 8.3 and earlier 8.x versions for Windows and Macintosh
Severity rating
Adobe categorizes these as critical updates.
Acrobat users should check out the Adobe security advisory. Heads up for users of older versions of Reader and Acrobat: support for Adobe Reader 8.x and Acrobat 8.x for Windows and Macintosh will end on November 3, 2011.
Unsolicited Skype Spam
Malware authors are using fake Skype profiles and robo-calls to drive you to infectious Web sites. It’s time for Skype to clean up its security act. While sitting this evening at my office desk, I noticed an incoming call but with no ringtone on Skype, which I thought was a little odd.
Anyways, the incoming call said ‘usa.a1.online.alert.mac.win’ and with a title of ‘NOTIFICATION® URGENT ALERT‘. I ignored it for awhile and almost cancelled the thing, but decided to accept the phone call for the sake of curiosity and amusement.
On the other end, I heard a robotic voice telling me my PC security had been compromised, viruses were detected on my computer, and that I needed to visit some website to download software that would fix it. It then continually repeated this message until I hung up. Laughable, as I don’t run Windows, besides executable files do not function on my machine.
I thought: Skype voice spam. That’s a new one. And then I thought: Oh god, is that what we’re all in for from now on?
Remember the days when telemarketers used to call your home phone number at all hours of the night? This was especially irritating until you realized a “do not call” list existed. Shortly after I answered, the recording began. Informing me of a serious computer virus that had attacked my system, the recording offered a solution that I could go to some website to repair. The moral of the story: If you receive a call from someone who you cannot immediately identify, be aware. There is no apparent harm done in answering these calls, besides time wasted, but at least you know now that they exist. Check out Skype’s security advice for more information on how to best protect yourself.
Here is a snapshot of the popup:

I also made a recording of the message, sorry for the poor quality, but you can still make it out. rec-20110920-18:57:38
After doing some research, this sort of thing has been on-going for years, and I suspect it will become even more prevalent now that Microsoft is taking ownership of Skype. Looking at Skype’s blog there is some mention of it: http://blogs.skype.com/security/2010/03/an_update_on_spam_on_skype.html
Skype’s consumer forum also mentions it as well: http://forum.skype.com/index.php?showtopic=814469
It turns out I am not alone in receiving this call. There have been a string of users on who’d received similar calls. Apparently, visitors that did visit the website as instructed, were prompted to download “security software” that would infect their PCs with malware.
A responder wrote:
Do NOT go to the site! I downloaded the program onto a safe computer (no Internet, and some fake contacts, emails, and a few fake passwords saved in Firefox.) I then went to monitor it and it was taking the passwords, emails, and contacts and trying to send them to a weird website. I wasn’t able to get [to the site], as it crashed the computer. When I got it back up [the software] turned Windows to frappe and nothing worked right. Happily that was an isolated computer with a backup Windows disk, so I was able to restore it.
Well, isn’t that special. Skype has infiltrated the newbies camp in sufficient numbers to become an attractive target for this kind of thing. What’s troubling me is that it’s unclear what Skype is doing to stop this problem. Skype support is notoriously hard to contact – a problem, I think, for a service that charges actual money – and that is something that needs to change. Paying customers (like me) deserve actual support, not FAQs and a “feedback” option.
I find it ironic this happened after Microsoft announced its intention to buy Skype. I doubt those two things are related, nah.
Skype security – or lack thereof – is now yet another thing we need to worry about. Let’s hope voice spam doesn’t turn into the next malware epidemic.
In closing, do not answer this type of message or go to the website it tells you to go to. To avoid receiving any calls like this, you can adjust your privacy settings to not receive any call from a person outside your contact list. To do this, open Tools > Options > Privacy > Show Advanced Options and adjust your settings accordingly.
Windows Patch Tuesday – September 2011
If you use Windows, it’s patch time. Microsoft will address a variety of flaws across its Windows, Office and Server products. All five bulletins are listed as Important but not critical. One remote code execution bulletin affects Windows XP, Windows Vista and Windows 7. Microsoft does not detail the exact flaws until the security fixes are available on Windows Update. An updated security advisory Tuesday was also presented and it included six new DigiNotar root certificates, which were new additions to the Windows Untrusted Certificate Store.
Microsoft’s September Patch Tuesday is relatively quiet compared to August. The company issued 13 bulletins in August to address 22 vulnerabilities, including some critical vulnerabilities in Windows, Internet Explorer, SMB server, MP3 codecs, Cinepak Codecs, Office, .NET and others.
This is the first Patch Tuesday in recent times that does not have a single critical update. It is also a relatively small update and is consistent with the cycle of smaller patches every other month.
Top priority should be given to remote code execution Microsoft Office patches that affect Excel 2003 through Excel 2010 and Office 2003 through Office 2010. Another high priority is the Windows patch that fixes a remote code execution flaw in Windows XP, Windows Vista, Windows 7, Windows 2003 and Windows 2008. Other patches can be evaluated at a relatively lower urgency because attackers already need lower privilege access to the target system to execute the exploit. This includes the Windows 2003/2008 and SharePoint Server 2007 security update.
Watch out, sometimes patches add a mountain of stuff you do not want, in addition to fixing software which should never have been broken in the first place. So make a configuration system backup first, before inviting whatever comes with the patches.
Software updates: Adobe
Adobe is a vendor that often plays catch-up with security exploits, issuing emergency patches to fix zero-day vulnerabilities. But Adobe, like Microsoft, also has a regular Patch Tuesday update cycle. This regularly scheduled update is a way to give users and enterprises a predictable and stable timetable for Adobe updates.
For August’s Patch Tuesday, Adobe has issued update advisories to fix a slew of critical security flaws in its products, including Flash, Shockwave Player and Adobe AIR.
The Flash update corrects at least 13 critical vulnerabilities present in versions 10.3.181.36 and earlier for Windows, Mac, Linux and Solaris machines (the bugs exist in Flash versions 10.3.185.25 and earlier for Android devices). Windows, Mac, Linux and Solaris users should upgrade to version 10.3.183.5, and Android users should update to v. 10.3.186.2. According to Adobe, they are not aware of any exploits “in the wild” for the issues addressed in the update. Digging into the vulnerabilities, the vast majority are memory-related: five buffer overflows, four memory corruption issues and three integer overflow issues. The update also fixes a single cross-site information disclosure issue that could have potentially led to arbitrary code execution.
To find out which version of Flash you have, visit this page. Windows users who browse the Web with anything other than Internet Explorer will need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). To avoid using Adobe’s annoying Download Manager, IE users can grab the latest update directly from this link; the direct link for non-IE browsers is here.
Windows users can also use the Flash Player Settings Manager, which is part of the Windows Control Panel, to check for updates and to see which Flash Player version is installed on the system. The path is Control Panel > Flash Player (32-bit) > Advanced. Users with a 64-bit version of Flash Player installed need to change the 32-bit to 64-bit in the path.
The same flaws exist in Adobe AIR for Windows, Mac and Android. Using an application that requires Adobe AIR (Tweetdeck or Pandora, for example) should prompt you to update to the latest version, AIR 2.7.1. If you don’t see a prompt to update the program, the latest version of AIR is available here.
Adobe also shipped an update to its Shockwave Player that fixes at least seven critical vulnerabilities in the media player program. Adobe is urging users of Adobe Shockwave Player 11.6.0.626 and earlier to update to Adobe Shockwave Player 11.6.1.629.
I should note that you may not have or want Shockwave installed. I haven’t had it on my Firefox installation for some time now and don’t seem to have missed it. I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, it demands two separate installation procedures for IE and non-IE browsers.
To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.
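For anyone tracking more than one machine, the fixed versions named in this post can be checked against an inventory. This is an added example, not code from Adobe or from the original post; the host names, product keys and inventory rows are constructed, and accepting comma-separated versions is an assumption about how an inventory tool might report them.

```python
import re

# Fixed versions as stated in this post (August 2011 Adobe updates).
FIXED = {
    ("flash", "desktop"): "10.3.183.5",      # Windows, Mac, Linux, Solaris
    ("flash", "android"): "10.3.186.2",
    ("air", "desktop"): "2.7.1",
    ("shockwave", "desktop"): "11.6.1.629",
}

def parse_version(text):
    """Turn '10.3.181.36' or '10,3,181,36' into a tuple of ints."""
    parts = re.split(r"[.,]", text.strip())
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in parts)

def is_older(installed, fixed):
    """Compare numerically, field by field; short versions are zero-padded."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

def audit(inventory):
    """Return (host, product, installed, status) for every inventory row."""
    findings = []
    for host, product, platform, installed in inventory:
        fixed = FIXED.get((product, platform))
        if fixed is None:
            status = "not-tracked"
        else:
            try:
                status = "needs-update" if is_older(installed, fixed) else "ok"
            except ValueError:
                status = "unparseable"   # review by hand, do not assume patched
        findings.append((host, product, installed, status))
    return findings

# Constructed sample inventory (hypothetical hosts).
SAMPLE = [
    ("pc-01", "flash", "desktop", "10.3.181.36"),
    ("pc-02", "flash", "desktop", "10.3.183.5"),
    ("pc-03", "flash", "desktop", "10.3.9.1"),   # a plain string compare calls this newer
    ("tab-01", "flash", "android", "10.3.185.25"),
    ("pc-04", "shockwave", "desktop", "11.6.1.629"),
    ("pc-05", "air", "desktop", "2.7"),
    ("pc-06", "flash", "desktop", "unknown"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

The pc-03 row is the reason for the numeric comparison: as text, "10.3.9.1" sorts after "10.3.183.5", so a naive string check would report an old build as patched.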