Internet Explorer 6 RIP

Friends don’t let friends use IE6

Many years late, Microsoft is celebrating the news that Internet Explorer 6 (IE6) use in the US has officially dropped below one per cent of internet visits. In March, Microsoft assembled a team to push for the destruction of IE6, and has succeeded in reducing the market footprint of the browser. Currently 7.7 per cent of worldwide internet site visits use IE6, according to Microsoft, but the figure is now 0.9 per cent in the US.

So Redmond threw a party to celebrate.

Windows Patch Tuesday – December 2011

Patch up warmly this winter if you’re running Java, as Oracle’s software platform is the single biggest target for hackers. Java proved the single most popular target in the 12-month period to the end of June, according to Microsoft’s latest Security Intelligence Report. Running Java as a Web-browser plugin is much more dangerous than Flash, and you should disable the Java applet plugin.

Microsoft today issued software updates to patch at least 19 security holes in Windows XP, Vista, 2003 and 7 (no surprise there), including three flaws that earned the company’s most serious “critical” rating. Separately, Oracle released a security update that fixes several issues in its Java software.

Bookseller Defends Itself

Microsoft has sued Barnes and Noble for use of Android in the Nook Color. The bookseller has filed a supplemental notice of prior art that contains a 43-page list of examples it believes counters Microsoft’s claim that Nook violates Microsoft’s patents. I posted the PDF and slides at:

Instead of focusing on innovation and the development of new products for consumers, Microsoft has decided to invest its efforts into driving open source developers from the mobile operating systems market. Through the use of offensive licensing agreements and the demand for unreasonable licensing fees, Microsoft is hindering creativity in the mobile operating systems market.

The complaint also notes some odd behaviors on Microsoft’s part, such as refusing to explain what patents it was threatening B&N over, unless B&N agreed to sign a non-disclosure agreement.

BING!…you’re infected

Search engines from Microsoft and Yahoo! have once again been caught displaying ads that direct users to malicious content, some that infects them with malware that’s hard to detect and get rid of, researchers said. I see that they put as much thought into who is allowed to advertise as they do in making a stable operating system.

Queries such as “FireFox Download,” “Download Skype,” and “Download Adobe Player” typed into the sites returned links promising to deliver the software requested but instead attempted to hijack people’s computers, GFI Labs researcher Christopher Boyd said in a blog post published Friday. Clicking on the links takes users to pages that look like the software maker’s official site, except for the URL.

Users who downloaded and installed the software are in for a nasty surprise.

“As an example, the fake Firefox file installs a rootkit, runs IE silently in the background attempting clickfraud and also performs Google redirects,” Boyd wrote. Microsoft and Yahoo were in the process of removing the malicious ads, he said.

It’s not the first time widely used search engines have been caught displaying ads intended to harm their millions of users. Ad services used by Google and Yahoo have repeatedly been duped into serving content that punts malware and other threats.

Criminals often go to elaborate lengths to pose as legitimate marketers in an attempt to get links to their toxic wares in front of as many eyeballs as possible.

“Microsoft’s Security Team has identified the source of this malware attack and is blocking those sites from loading additional malware,” the company said in a statement. “We are continuously monitoring our sites to protect customers; and also working with law enforcement authorities to find and prosecute the people responsible for these types of attacks.”

A Bing Forum thread has Wil from Bing telling a webmaster that it can take between 3 and 6 weeks to have a malware label removed from the search results.

This is in comparison to Google which normally can remove a malware label within 24 hours.

I am not sure if this is a special case or if most Malware reviews take 3-6 weeks at Bing. Wil from Bing said:

Your issue is already being reviewed. Malware re-evaluation requests take 3-6 weeks to finalize our review and create a new reputation ranking of the page/site. A representative will get in touch with you for updates.

When you are presented with Malware via Bing, Bing disables the link but does allow the searcher to ultimately visit the page at their own risk. I’d assume 99.999% of those searchers run.

Bing has a detailed post on Malware on their blog with more information.

Malware and hacked sites are a huge issue in search. Google has been very good at handling it for the most part recently and is excellent at removing the malware or hacked label quickly after the site is fixed. Bing takes 3-6 weeks? Well, that seems excessive. Maybe I am reading it wrong?

This is why I tell people to NOT use Internet Explorer. If you must continue using Windows unfortunately, then please by all means use ESET NOD32 in conjunction with HitManPro.

Adobe Flash Update

Adobe has issued a critical software update for its Flash Player software that fixes at least a dozen security vulnerabilities in the widely-used program. Updates are available for Windows, Mac, Linux, Solaris and Android versions of Flash and Adobe Air.

The update fixes flaws present in Flash Player versions and earlier for Windows, Mac, Linux and Solaris systems, and in Flash 11.0.1.153 and earlier for Android. The vulnerabilities are rated critical, meaning they could give hacked or malicious Web sites an easy way to install software on your machine.

Adobe’s advisory says users of Flash version and earlier should update to v.; those using Flash v. and earlier versions for Android should update to Flash Player Users of AIR 3.0 for Windows, Macintosh, and Android should update to AIR  v. The company says it is not aware of any active attacks against these flaws at this time.

To find out if you have Flash and which version may be installed, visit the About Flash page. Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). Again, check the About Flash page with each browser you use to see whether you need to apply this update. To avoid using Adobe’s Download Manager, which tends to add little “extras” if you’re not careful, IE users can grab the latest update directly from these links; 32-bit IE installer, and 64-bit IE installer. Firefox and Opera users can grab the 32-bit installer here and the 64-bit version here. If you don’t know which one you need, you can let Adobe’s site choose for you (although the download manager may try to foist other software unless you uncheck pre-checked options).

The installer for the latest Adobe Air version is available from this link.

Some Flash components also are bundled with Adobe Reader, so I asked Adobe whether current versions of Reader also were exposed to these vulnerabilities. Adobe spokeswoman Wiebke Lips confirmed that some of the issues fixed in today’s Flash Player update do impact the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.x) and 9.x for Windows and Mac. Lips said Adobe feels comfortable that its sandboxing technology built into the latest versions of Reader will protect users until January, when the company expects to issue the next quarterly update for Reader.

“These issues will be resolved in the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012,” Lips wrote. “Note that the Authplay.dll component is part of the ‘sandbox’ for users of Adobe Reader X (Protected Mode) and Acrobat X (Protected View), which would protect against potential exploits.”

Web Browser Defense

For most of us, the Web browser is the first application we use when we turn on a computer. It’s how we check email, read the news, chat with friends and do just about everything.

What many users don’t realize, however, is that the Web browser is the most important security defense our computers have — and yet 60 percent of the browsers accessing the Internet today are outdated. An outdated browser ends up impacting everyone’s security, privacy and performance.

I wrote about Microsoft warning us *rolls-eyes* last week, in that we were not using a “secure” browser like Internet Explorer. GASP! The horror of us ignorant consumers!

To help users understand the importance of the browser you use, the Online Trust Alliance (OTA), a Web-industry trade group based in Bellevue, Wash., that promotes security and trust in online marketing and commerce, recently unveiled the “Why Your Browser Matters” initiative.

“The ‘Why Your Browser Matters’ initiative provides users overall recommendations to upgrade their out-of-date and legacy browsers for a more safe, more private and more compelling online experience,” said Craig Spiezle, executive director of OTA. “The Initiative is all about communicating with computer users to make them realize that an updated Web browser is one of the most important security steps you can take. It’s as important as running anti-virus/anti-malware software.”

Spiezle is quick to point out that while there is no magic bullet when it comes to computer security, the browser is on the front line of defense because it is used so frequently.

“Modern browsers detect malicious websites and phishing URLs, analyze downloads and support a broad suite of privacy features,” Spiezle said. “It’s critical to have these at your disposal when it comes to protecting yourself online, as well as protecting your machine in general.”

How new browsers protect you

Modern browsers try to provide security for users in three different ways, explained Roger Thompson, chief emerging threats researcher for ICSA Labs in Mechanicsburg, Pa.

For example, said Thompson, all modern browsers have “blacklists” of known malware sites and try to prevent users from visiting them. This method works well if the malicious sites are well-known, but online criminals try to move websites around by changing domain names and IP addresses faster than security researchers can update the blacklists — so sometimes this doesn’t work.

Some browsers, such as Google Chrome, also run applets and executable code in a “sandbox,” meaning that the code and applets can’t affect other parts of the browser or the operating system. Again, this doesn’t always work.

And all modern browsers have a somewhat regular patch cycle, in which developers fix vulnerabilities to prevent direct attacks.

A good illustration of how a browser can act as the first line of defense is with regard to shortened URLs, or Web addresses.

URL-shortening services such as, or are handy to use when including links in instant messages, text messages or Twitter posts. Unfortunately, URL shorteners also mask the actual URLs they lead to, and give no warning that links might be drive-by downloads or exploits waiting for unsuspecting victims.

Fortunately, some enterprising software developers have created a way to find out where you’re going.

“There are plug-ins available for Chrome and Firefox that will automatically expand short URLs to their actual address when viewing pages containing such links,” said Harry Sverdlove, chief technology officer of Bit9, a Web security company in Waltham, Mass. “These are useful when using Facebook or Twitter from a browser, common places where malicious links are hiding in short URLs.”

How to protect yourself

As Thompson pointed out, browser vendors are good about providing updates and patches that improve security by fixing vulnerabilities that bad guys exploit. But after that, it’s up to the user himself to take action by actually downloading the updates, or upgrading the browser to the latest version.

You can check the version number of your browser by going to the Help button on your browser’s menu and checking the “About” section. (On a Mac, click the name of the application next to the apple icon in the upper left of the screen.) Often, the “about” pop-up window will prompt you to check whether there might be updates available.

For those who use Internet Explorer, Spiezle has this important piece of advice: “If it says Internet Explorer 6 … run, do not walk to the nearest free download of Internet Explorer 9.”

(If you’re still running Windows XP, update to Internet Explorer 8, the latest version you can install.) Which is the highest version you can run on Windows XP, unless someone figures out a hack for it, which they will. I’d rather you run Google Chrome.

Internet Explorer 6 has been the target of a number of malicious attacks over the past decade; newer versions of Internet Explorer are much more secure.

Does it matter which browser you use? Spiezle and Thompson disagree on that question.

While Thompson said that today’s browser upgrades have leveled the playing field when it comes to security, Spiezle pointed out that there still are differences among them, and each user has to assess which is best for his own uses.

“You need to look at not only the security features, but also privacy features, as well as support for the latest technologies,” Spiezle said.

Here is the link for a good start. At first I was thinking that this was another Internet Explorer centered website, but at least they mention the alternatives.

Google Chrome at 3

It’s hard to believe it’s been only three years since the Google Chrome browser debuted. According to the latest market share statistics from usage-tracking firm Net Applications, Chrome now has 15.51 percent of the desktop browser market–a meteoric rise for an app that entered a crowded market dominated by neighborhood bully Microsoft Internet Explorer.

Chrome is third among desktop browsers, behind number one IE (over 55 percent of the market), and Mozilla Firefox (nearly 23 percent).

What’s the secret to Chrome’s success? “Speed, simplicity and security,” write Google software engineers Ben Goodger and Darin Fisher in a Thursday post on the Google Data blog. Competing browsers, of course, are making strides in the Three S’s as well. But Chrome’s virtues are proving powerful enough to lure users away from IE and Firefox.

As Goodger and Fisher point out, Chrome has made great strides over the past 12 months, adding faster JavaScript performance, speedier page-loading times, a much-needed print preview feature, and various other upgrades.


Evolution of the Web

Is the Web better with Chrome? Satisfied users of other browsers would certainly disagree, but I think so. I switched to Chrome from IE last year and haven’t looked back.

I only hope that Google’s breakneck update schedule doesn’t pile on too many new features that turn Chrome sluggish. The browser’s peppy performance is its most appealing trait.

I totally dumped Firefox when for a few reasons: 1. Foxmarks Sync was ungainly slow. 2. Speedial was broken. 3. Sage RSS was broken and not being developed.

If you’re not using Google Chrome now, please try it for a week and see how you like it.

Mac Flashback Trojan

The security by obscurity myth is finally blown out of the water…Macs are pretty much mainstream these days and it yet again proves my points about Mac virus resistance, it may be virus resistant, but unless you upgrade the users, no platform is Trojan proof.

Apple has updated the malware protection built into its Mac operating system to flag a recently discovered trojan that hijacks users’ machines by masquerading as a benign document. Malware disguised as an Adobe Flash installer, meanwhile, remained unchecked.

The file quarantine, which Apple snuck into a prerelease version of Snow Leopard in 2009, was updated to include a definition for Trojan-Dropper: OSX/Revir.A, which antivirus provider F-Secure disclosed on Friday. According to an update on F-Secure’s blog, the malware disguises itself as a PDF file in an attempt to trick users into clicking on it.

“The malware then proceeds to install a backdoor, Backdoor:OSX/Imuler.A, in the background,” stated the F-Secure analysis, which was posted Monday. “As of this writing, the C&C of the malware is just a bare Apache installation and is not capable of communicating with the backdoor yet.”

By Tuesday morning, Apple had added a definition for Revir.A into the file quarantine feature, our review of a Mac running OS X Lion, aka 10.7, has shown. By our count, it’s the 10th definition to be included, although two of them cover malware with the identical label of “OSX.HellRTS.” The definitions are stored in a file called XProtect.plist tucked away in the /System/Library/CoreTypes.bundle/Contents/Resources/ folder.
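The count described above can be reproduced by parsing the definitions file. This is an added example, not Apple's or the article's code: it assumes the file is a property list whose top level is an array of dictionaries, each with a `Description` label and a `Matches` list, and the embedded sample is constructed for illustration rather than copied from a real XProtect.plist.

```python
"""List the definitions in an XProtect.plist-style file and spot new ones."""
import os
import plistlib
from collections import Counter

# Location given in the article (OS X Lion, 10.7).
XPROTECT_PATH = ("/System/Library/CoreTypes.bundle/Contents/Resources/"
                 "XProtect.plist")

# Constructed sample, NOT real Apple data. Assumed layout: top-level array of
# dicts, each holding a "Description" label and a "Matches" signature list.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.HellRTS</string>
    <key>Matches</key><array><dict><key>MatchType</key><string>Match</string></dict></array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.HellRTS</string>
    <key>Matches</key><array><dict><key>MatchType</key><string>Match</string></dict></array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.MacDefender.A</string>
    <key>Matches</key><array>
      <dict><key>MatchType</key><string>Match</string></dict>
      <dict><key>MatchType</key><string>Match</string></dict>
    </array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.Revir.A</string>
    <key>Matches</key><array><dict><key>MatchType</key><string>Match</string></dict></array>
  </dict>
</array>
</plist>
"""


def load_definitions(data):
    """Return [(label, number_of_signatures), ...] in file order."""
    root = plistlib.loads(data)
    if not isinstance(root, list):
        raise ValueError("expected a top-level array of definitions")
    defs = []
    for index, entry in enumerate(root):
        if not isinstance(entry, dict) or "Description" not in entry:
            # Keep malformed entries visible instead of silently dropping them.
            defs.append(("<entry %d: no Description>" % index, 0))
            continue
        defs.append((entry["Description"], len(entry.get("Matches", []))))
    return defs


def summarize(defs):
    """Total entries, distinct labels, and labels that appear more than once."""
    labels = Counter(name for name, _ in defs)
    return {"total": len(defs), "unique": len(labels),
            "duplicates": sorted(n for n, c in labels.items() if c > 1)}


def new_labels(old_defs, new_defs):
    """Labels present after an update that were absent before it."""
    return sorted({n for n, _ in new_defs} - {n for n, _ in old_defs})


if __name__ == "__main__":
    if os.path.exists(XPROTECT_PATH):
        with open(XPROTECT_PATH, "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_PLIST  # fall back to the constructed sample
    definitions = load_definitions(data)
    for label, count in definitions:
        print("%-24s %d signature(s)" % (label, count))
    print(summarize(definitions))
```

Keeping a saved copy of the previous file and passing both parses to `new_labels` shows which definitions an update added.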

Apple engineers pushed out the update around the same time that a new trojan was discovered menacing Mac users. According to Mac antivirus provider Intego, the Flashback trojan is built on a sophisticated code base that installs a backdoor on infected machines, and covers its tracks by using encryption when communicating with remote servers.

“The backdoor is able to download further software, but, for now, we are not seeing this activity,” Intego’s analysis stated. “It is also able to update itself, and creates an Sha1 hash of the malware to see if it has changed. If the Sha1 of the software version on the server is different from that installed, this means that an update is necessary.”

With the explosive growth of Macs, iPhones, and iPads, malware purveyors have finally begun targeting Apple products after years of almost exclusive focus on Microsoft users. Earlier this year, an outbreak of fraudulent Mac antivirus products ignited a huge spike in support calls from frantic Mac users who had been tricked into installing a piece of malware called MacDefender. Apple eventually added definitions for it to its file quarantine, as well.

I think the difference between Microsoft and Apple here is that Microsoft weren’t the ones to create a condescending “I’m a PC” commercial insinuating that their operating system was virus free…With the amount of braindead Apple fans who claim that Apple Virus / Malware is an oxymoron, that 30 second spot could turn out to be some of history’s most damaging tech-related FUD.

Earlier I wrote that actually most targeted vulnerabilities are in Flash, PDF or Java these days via Internet Explorer (IE) and once you take IE out of the equation, Windows does quite well, especially given the rich rewards and vast selection of low-hanging fruit users can offer.

Microsoft warns Firefox & Chrome users

Laughable at best, Microsoft has unveiled a website aimed at raising awareness of browser security by comparing the ability of Internet Explorer, Mozilla Firefox, and Google Chrome to withstand attacks from malware, phishing, and other types of threats.

The website doesn’t do any security checks at all; it just reads the ‘User Agent’ data from your browser, so Firefox 7.0.1 masquerading as Internet Explorer 9 gets 4 out of 4. Microsoft is leading people into a false sense of security. The site does no “testing”; it just matches your browser to whatever it has in its lookup table.

Care to take a guess what they say about IE 9? This is pure Microsoft marketing at its best. EPIC FAIL, false security is no security at all. Really, you would have to be an idiot to fall for this…Can you say, FALSE ADVERTISING?

Your Browser Matters gives the latest versions of Firefox and Chrome a paltry 2 and 2.5 points respectively out of a possible score of 4. Visit the site using the IE 9, however, and the browser gets a perfect score. IE 7 gets only 1 point, and IE 6 receives no points at all.

The page is designed to educate users about the importance of choosing an up-to-date browser that offers industry-standard features. The ability to automatically warn users when they’re about to download a malicious file, to contain web content in a security sandbox that has no access to sensitive parts of the computer’s operating system, and to automatically install updates are just three of the criteria.

The site dings Firefox for a variety of omissions, including its inability to restrict an extension or a plug-in on a per-site basis, its failure to use Windows Protected Mode or a similar mechanism to prevent the browser from modifying parts of the system it doesn’t have access to, and its lack of a built-in feature to filter out malicious XSS, or cross-site scripting, code. Among other things, Chrome lost points for not using Windows features that protect against structured exception-handling overwrite attacks.

Readers still stuck in the rut of critiquing Microsoft security based on products released a decade ago are likely to be unimpressed. The reality is that over the past few years, Redmond has endowed Windows and IE with measures such as ASLR, or address space layout randomization, and DEP, or data execution prevention, that significantly reduce the damage attackers can do when they exploit buffer overflows and other bugs that are inevitable in any large base of code. Apple didn’t pull ahead of Microsoft on this score until earlier this year with the release of its Mac OS X Lion.

It didn’t take long for Mozilla developers to take issue with the critique.

“Microsoft’s site is more notable for the things it fails to include: security technologies like HSTS, privacy tools like Do Not Track, and vendor response time when vulnerabilities are discovered,” Johnathan Nightingale, Mozilla’s director of Firefox engineering, said in a statement. He said: “Mozilla is fiercely proud of our long track record of leadership on security.”

Java 6 Update 29

Oracle Corp. released a critical update to plug at least 20 security holes in versions of its ubiquitous Java software. Nearly all of the Java vulnerabilities can be exploited remotely to compromise vulnerable systems with little or no help from users.

If you use Java, take some time to update the program now. According to a report released this month by Microsoft, the most commonly observed exploits in the first half of 2011 were those targeting Java flaws. The report also notes that Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters.

Methods for exploiting one of the flaws fixed by this update were detailed at a recent security conference in Buenos Aires, where researchers demonstrated a method for intercepting encrypted SSL and TLS traffic.

Don’t know if you have Java? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button. A majority of folks who have Java installed will have some update of Java 6; this latest patch brings Java 6 to Update 29. Java also has released a major revision to Java 7 (the vulnerabilities fixed in Java 6 Update 29 are available in Java 7 Update 1). It’s not clear whether Java 7 is more for regular users or for developers at this point, because the Free Java Download link at still takes users to Version 6 Update 29.

Microsoft Windows users can update Java from the Java icon in the Windows Control Panel, and then clicking the “Update Now” button on the Update tab.

I’ve urged readers who have no use for Java to get rid of the program, but there is another way to keep it around while reducing the likelihood that the software will be targeted by malicious Web sites: unplug it from the browser. In Mozilla, Java can be toggled on or off via the plugins menu of the Add-ons page. In Internet Explorer, Java can be disabled via the “Manage Add-ons” option.

Finally, Windows users may find more than one Java version in the Add/Remove Programs list in the Control Panel. Older Java 6 versions can be safely removed after updating. The updater in Java 6 was long ago tweaked to remove older versions of Java before installing an update, but if you’ve already upgraded to Java 7, be aware that it does not remove Java 6 versions.
