Windows Patch Tuesday – January 2012

For the swiss cheese of operating systems, Microsoft plans to start 2012 with a surprisingly large Patch Tuesday that covers seven security bulletins which collectively address eight separate vulnerabilities. Previous January releases have normally featured only one or two bulletins. The solitary critical bulletin in the batch fixes a remote code execution issue in Media Player. The remaining six “important” bulletins due next Tuesday handle the BEAST SSL issue, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts.

In the patch are other various information disclosure bugs, escalation of privilege issues and an update to Microsoft’s SEHOP (Structured Exception Handler Overwrite Protection) technology to enhance the defence-in-depth capability that it can offers to legacy applications. The first six bulletins affect various versions of the Windows Operating System, from XP SP3 up to the newest versions Windows 7 and Windows 2008 R2. The seventh bulletin covers Microsoft Developer Tools.

The “important” rather than critical status for the Beast SSL issue is at least debatable. The BEAST attack affects web servers that support SSLv3/TLSv1 encryption. Microsoft has already published a workaround, which involves using the non-affected RC4 cipher in SSL installations. A patch was originally promised in December but delayed until this month due to problems uncovered during testing. “Despite all of the hype over ‘The Beast’, attacks have simply never materialised and the issue has retained its ‘important’ classification from Microsoft,” notes Paul Henry, a security and forensic analyst at Lumension. Adobe and Oracle have both timetabled quarterly updates, on 10 January and 17 January, respectively in what promises to be a busy month for patching

January 7th, 2012 | dsmith | Categories: Adobe, Best Practices, Bugs, Exploit, Flaw, Maintenance, Microsoft, Patch, Updates, Windows, Windows 7, Windows Vista, Windows XP | Comments: Comments Off

Free Java Exploit

An exploit for a recently disclosed Java vulnerability that was previously only available for purchase in the criminal underground has now been rolled into the open source Metasploit exploit framework. Metasploit researchers say the Java attack tool has been tested to successfully deliver payloads on a variety of platforms, including the latest Windows and Mac systems.

The Java exploit is being sold on cybercrime forums and incorporated into automated crimeware kits like BlackHole. Since then, security researchers @_sinn3r and Juan Vasquez have developed a module for Metasploit that makes the attack tool available to penetration testers and malicious hackers alike. According to a post on the Metasploit blog, the Java vulnerability “is particularly pernicious, as it is cross-platform, unpatched on some systems, and is an easy-to-exploit client-side that does little to make the user aware they’re being exploited.

Metasploit also posted the results of testing the exploit against a variety of browsers and platforms, and found that it worked almost seamlessly to compromise systems across the board, from the latest 64-bit Windows 7 machines to Mac OS X systems.  (more…)

December 13th, 2011 | dsmith | Categories: Best Practices, Browser, Chrome, Exploit, Java, MacOS, Microsoft, Oracle, OS X, Patch, Updates, Windows, Windows 7 | Comments: Comments Off

Windows Patch Tuesday – December 2011

Patch up warmly this winter if you’re running Java, as Oracle’s software platform is the single biggest target for hackers. Java proved the single most popular target in the 12-month period to the end of June, according to Microsoft’s latest Security Intelligence Report has found here. Running Java as a Web-browser Plugin is much more dangerous than Flash, and you should disable the Java Applet Plugin.

Microsoft today issued software updates to patch at least 19 security holes in Windows XP, Vista, 2003 and 7 (no surprise there), including three flaws that earned the company’s most serious “critical” rating. Separately, Oracle released a security update that fixes several issues in its Java software. (more…)

December 13th, 2011 | dsmith | Categories: Best Practices, Bugs, Exploit, Flaw, Internet Explorer, Java, Linux, MacOS, Malware, Microsoft, Oracle, OS X, Patch, Security, Trojan, Updates, Virus, Vulnerability, Windows, Windows 7, Windows Vista, Windows XP | Comments: Comments Off

Adobe Flash Update

Adobe has issued a critical software update for its Flash Player software that fixes at least a dozen security vulnerabilities in the widely-used program. Updates are available for Windows, Mac, Linux,  Solaris and Android versions of Flash and Adobe Air.

The update fixes flaws present in Flash Player versions 11.0.1.152 and earlier for Windows, Mac, Linux and Solaris systems, and in Flash11.0.1.153 and earlier for Android. The vulnerabilities are rated critical, meaning they could give hacked or malicious Web sites an easy way to install software on your machine.

Adobe’s advisory says users of Flash version 11.0.1.152 and earlier should update to v. 11.1.102.55; those using Flash v. 11.0.1.153 and earlier versions for Android should update to Flash Player 11.1.102.59. Users of AIR 3.0 for Windows, Macintosh, and Android should update to AIR  v. 3.1.0.4880. The company says it is not aware of any active attacks against these flaws at this time.

To find out if you have Flash and which version may be installed, visit the About Flash page. Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). Again, check the About Flash page with each browser you use to see whether you need to apply this update. To avoid using Adobe’s Download Manager, which tends to add little “extras” if you’re not careful, IE users can grab the latest update directly from these links; 32-bit IE installer, and 64-bit IE installer. Firefox and Opera users can grab the 32-bit installer here and the 64-bit version here. If you don’t know which one you need, you let Adobe’s site choose for you (although the download manager may try to foist other software unless you uncheck pre-checked options).

The installer for the latest Adobe Air version is available from this link.

Some Flash components also are bundled with Adobe Reader, so I asked Adobe whether current versions of Reader also were exposed to these vulnerabilities. Adobe spokeswoman Wiebke Lips confirmed that some of the issues fixed in today’s Flash Player update do impact the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.x) and 9.x for Windows and Mac. Lips said Adobe feels comfortable that its sandboxing technology built into the latest versions of Reader will protect users until January, when the company expects to issue the next quarterly update for Reader.

“These issues will be resolved in the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012,” Lips wrote. “Note that the Authplay.dll component is part of the ‘sandbox’ for users of Adobe Reader X (Protected Mode) and Acrobat X (Protected View), which would protect against potential exploits.”

November 11th, 2011 | dsmith | Categories: Adobe, Adobe Air, Adobe Flash, Adobe PDF, Firefox, Google Chrome, Internet Explorer, Linux, MacOS, Patch, Updates, Windows | Comments: Comments Off

Windows Patch Tuesday – November 2011

It is that time again! Adobe, Apple, Microsoft and Mozilla all released updates on Tuesday to fix critical security flaws in their products. Adobe issued a patch that corrects four vulnerabilities in Shockwave Player, while Redmond pushed updates to address four Windows flaws. Apple slipped out an update that mends at least 17 security holes in its version of Java, and Mozilla issued yet another major Firefox release, Firefox 8. If there have been 17 security holes in Java just since the last release If that doesn’t convince a person to uninstall Java, I’m not sure what will.

The only “critical” patch from Microsoft this month is a dangerous Windows flaw that could be triggered remotely to install malicious software just by sending the target system specially crafted packets of data. Microsoft says this vulnerability may be difficult to reliably exploit, but it should be patched immediately. Information on the other three flaws fixed this week is here. The fixes are available via Windows Updates for most supported versions of the operating system, including XP, Vista and Windows 7.

Adobe’s Shockwave update also fixes critical flaws, but users should check to see if they have this program installed before trying to update it. To test whether you have Shockwave installed, visit this page; if you see an animation, it’s time to update. If you see a prompt to install Shockwave, there is no need to install it. Mozilla Firefox users without Shockwave Player installed may still see “Shockwave Flash” listed in the “Plugins” directory of the browser; this merely indicates that the user has Adobe’s Flash Player installed.

The vulnerabilities fixed by this update exist in versions ofShockwave 11.6.1.629 and earlier. The latest version, v. 11.6.3.633, is available here.  I’m sure it has its uses, but to me Shockwave is just another Adobe program that requires constant care and feeding. What’s more, like Adobe’s Flash Player, Shockwave demands two separate installation procedures for IE and non-IE browsers.

Hat tip to the SANS Internet Storm Center for the heads up on the Java fix from Apple. This update, available via Software Update or Apple Downloads, essentially brings Snow Leopard and Lion up to date with the Oracle patches released last month in Java 6 Update 29 (Apple maintains its own version of Java).

If you use Mozilla Firefox or Thunderbird, you may have noticed that Mozilla is pushing out another major upgrade that includes critical fixes to these programs; both have now been updated to version 8. If you’re still running Firefox version 3.6.x, Mozilla has updated that to3.6.24. Perhaps I’m becoming a curmudgeon, but I’m growing weary of the incessant update prompts from Firefox. It seems that almost every time I start it up it’s asking to restart the browser or to remove plugins that no longer work with the latest version. I’ve been gradually transitioning more of my work over to Google Chrome, which seems faster and updates the browser and any installed plugins silently (and frequently patches oft-targeted plugins like Flash Player even before Adobe officially releases the update).

I switched to Google Chrome when it first came out ago. I love it. It’s faster and makes updating easy and effortless. I still have Firefox, but Chrome is my default browser now on all my computers.

 

November 10th, 2011 | dsmith | Categories: Adobe, Apple, Best Practices, Browser, Bugs, Firefox, Flaw, Maintenance, Microsoft, Mozilla, OS X, Patch, Security, Updates, Vulnerability, Windows, Windows 7, Windows Vista, Windows XP | Comments: Comments Off

Microsoft Word Virus

A new virus has cropped up in various countries across the world and its target appears to be corporate networks. The Duqu virus, first noted last month by a laboratory at Budapest University, has now been spotted in several other countries and appears to be sent via Microsoft Word documents attached as emails. Microsoft has announced that it is working on a fix.

The point of the new virus seems to be to gather corporate information and then send it to some as yet unknown site. Thus, it’s a form of corporate espionage. Chillingly, researchers at Symantec, the giant antivirus company, say it looks like some of the code in the virus is the same as was found in the Stuxnet virus that wreaked havoc on Iran’s nuclear program, indicating that the perpetuators were either able to obtain the code from that virus, or, are the same people.

The virus is activated when a person to whom an infected Word document was sent, opens it. The virus infects that computer then seeks out other computers through the corporate network. As it goes, it collects data and then apparently, seeks a path out to the Internet where it can send the data it’s collected to a predefined destination. Thus far it has relied on a so-named zero day exploit to take advantage of a previously unknown weakness in the Windows kernel, which means getting in and doing its dirty work before victims have a chance to come up with a means of defense against it.

Thus far, it appears that the virus has been targeted at specific types of companies, as the data- collecting part of the virus seems to seek out information pertaining to industrial control-systems. So it’s likely that whoever unleashed the virus, did so in hopes of gaining information on how companies are designing and manufacturing their products; not something the average person would need to worry about, but still enough to cause concern about the growing sophistication of computer viruses.

So far, instances of the virus have been seen in Iran, India, France, Ukraine, the UK and at least eight other countries that have not been specifically identified.

In the mean time, Microsoft has released an advisory and a stopgap fix for the zero-day vulnerability exploited by the “Duqu” Trojan, a highly targeted malware strain that some security experts say could be the most important cyber espionage threat since Stuxnet.

According to the advisory, the critical vulnerability resides in most supported versions of Windows, including Windows XPVista and Windows 7. The problem stems from the way Windows parses certain font types. Microsoft says it is aware of targeted attacks exploiting this flaw, but that it believes few users have been affected.

Nevertheless, the flaw is a dangerous one. Microsoft said that an attacker who successfully exploited this vulnerability could run arbitrary code, install programs; view, change, or delete data; or create new accounts with full user rights. The most likely vehicle for the exploit is a poisoned email attachment. This means that a hacker deploying the Duqu Trojan against a Windows machine that hasn’t yet downloaded the temporary fix could gain nearly total access to a person’s computer.

Microsoft is working on developing an official security update to fix the flaw. For now, it has released a point-and-click Fixit tool that allows Windows users to disable the vulnerable component. Enabling this tweak may cause fonts in some applications to display improperly. If you experience problems after applying the Fixit solution, you can always undo it by clicking “disable” image in the Microsoft advisory and following the prompts. So in reality, some of you may not be to may not be able to fix this until the next ‘Patch Tuesday’ in December.

November 7th, 2011 | dsmith | Categories: Attack, Bugs, Exploit, Flaw, Malware, Microsoft, Patch, Trojan, Virus, Vulnerability, Windows, Windows 7, Windows Vista, Windows XP | Comments: Comments Off

Mac Flashback Trojan

The security by obscurity myth is finally blown out of the water…Mac’s are pretty much mainstream these days and it yet again proves my points about Mac virus resistance, it may be virus resistant, but unless you upgrade the users, no platform is Trojan proof.

Apple has updated the malware protection built into its Mac operating system to flag a recently discovered trojan that hijacks users’ machines by masquerading as a benign document. Malware disguised as an Adobe Flash installer, meanwhile, remained unchecked.

The file quarantine, which Apple snuck into a prerelease version of Snow Leopard in 2009, was updated to include a definition for Trojan-Dropper: OSX/Revir.A, which antivirus provider F-Secure disclosed on Friday. According to an update on F-Secure’s blog, the malware disguises itself as a PDF file in an attempt to trick users into clicking on it.

“The malware then proceeds to install a backdoor, Backdoor:OSX/Imuler.A, in the background,” stated the F-Secure analysis, which was posted Monday. “As of this writing, the C&C of the malware is just a bare Apache installation and is not capable of communicating with the backdoor yet.”

By Tuesday morning, Apple had added a definition for Revir.A into the file quarantine feature, our review of a Mac running OS X Lion, aka 10.7, has shown. By our count, it’s the 10th definition to be included, although two of them cover malware with the identical label of “OSX.HellRTS.” The definitions are stored in a file called XProtect.plist tucked away in the /System/Library/CoreTypes.bundle/Contents/Resources/ folder.

Apple engineers pushed out the update around the same time that a new trojan was discovered menacing Mac users. According to Mac antivirus provider Intego, the Flashback trojan is built on a sophisticated code base that installs a backdoor on infected machines, and covers its tracks by using encryption when communicating with remote servers.

“The backdoor is able to download further software, but, for now, we are not seeing this activity,” Intego’s analysis stated. “It is also able to update itself, and creates an Sha1 hash of the malware to see if it has changed. If the Sha1 of the software version on the server is different from that installed, this means that an update is necessary.”

With the explosive growth of Macs, iPhones, and iPads, malware purveyors have finally begun targeting Apple products after years of almost exclusive focus on Microsoft users. Earlier this year, an outbreak of fraudulent Mac antivirus products ignited a huge spike in support calls from frantic Mac users who had been tricked into installing a piece of malware called MacDefender. Apple eventually added definitions for it to its file quarantine, as well.

I think the difference between Microsoft and Apple here is that Microsoft weren’t the ones to create a condescending “I’m a PC” commercial insinuating that their operating system was virus free…With the amount of braindead Apple fans who claim that Apple Virus / Malware is an oxymoron, that 30 second spot could turn out to be some of history’s most damaging tech-related FUD.

Early I wrote that actually most targeted vulnerabilities are in Flash, PDF or Java these days via Internet Explorer (IE) and once you take IE out of the equation, Windows does quite well, especially given the rich rewards and vast selection of low-hanging fruit users can offer.

November 3rd, 2011 | dsmith | Categories: Adobe Flash, Adobe PDF, Apple, Exploit, F-Secure, Firefox, Flaw, Internet Explorer, iPad, iPhone, Java, MacOS, Malware, OS X, Patch, Trojan, Virus | Comments: Comments Off

Java 6 Update 29

Oracle Corp. released a critical update to plug at least 20 security holes in versions of its ubiquitous Java software. Nearly all of the Java vulnerabilities can be exploited remotely to compromise vulnerable systems with little or no help from users.

If you use Java, take some time to update the program now. According to a reportreleased this month by Microsoft, the most commonly observed exploits in the first half of 2011 were those targeting Java flaws. The report also notes that Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters.

Methods for exploiting one of the flaws fixed by this update were detailed at a recent security conference in Buenos Aires, where researchers demonstrated a method for intercepting encrypted SSL and TLS traffic.

Don’t know if you have Java? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button. A majority of folks who have Java installed will have some update of Java 6; this latest patch brings Java 6 to Update 29. Java also has released a major revision to Java 7 (the vulnerabilities fixed in Java 6 Update 29 are available in Java 7 Update 1). It’s not clear whether Java 7 is more for regular users or for developers at this point, because the Free Java Download link at java.com still takes users to Version 6 Update 29.

Microsoft Windows users can update Java from the Java icon in the Windows Control Panel, and then clicking the “Update Now” button on the Update tab.

I’ve urged readers who have no use for Java to get rid of the program, but there is another way to keep it around while reducing the likelihood that the software will be targeted by malicious Web sites: unplug it from the browser. In Mozilla, Java can be toggled on or off via the plugins menu of the Add-ons page. In Internet Explorer, Java can be disabled via the “Manage Add-ons” option.

Finally, Windows users may find more than one Java version in the Add/Remove Programs list in the Control Panel. Older Java 6 versions can be safely removed after updating. The updater in Java 6 was long ago tweaked to remove older versions of Java before installing an update, but if you’ve already upgraded to Java 7, be aware that it does not remove Java 6 versions.

November 2nd, 2011 | dsmith | Categories: Exploit, Internet Explorer, Java, Microsoft, Oracle, Patch, Updates, Vulnerability, Windows | Comments: Comments Off

MS Office 2007 SP3

For those of you that have Office 2007, Microsoft will be releasing Service Pack (SP) 3 for it soon. Here’s a Microsoft blog post with the download links. SP3 is available via the Download Center as of this week, and will be pushed out as an Automatic Update in 90 days Microsoft execs said.

The last cumulative update for Office 2003, Service Pack 3 resolves several compatibility and stability issues with Windows Vista and later operating systems. Mainstream support for Office 2003 application ended in April 2009 and extended support ends in April 2014.

I have written about Office XP here: http://jet-computing.com/microsoft-office-xp-support-retired/ It’s highly doubtful you use Office XP at home, but there may be some poor souls at there still using that decade-old version of Office.

If your in the market for new document software give LibreOffice a try, it is what I use here in the office.  On a side note and with great news, The Document Foundation creators of the LibreOffice office suite of applications, have announced that they are currently working on projects to bring LibreOffice to Android and iOS devices, together with accessibility through web browsers.

The Libreoffice port project is based on the work of Tor Lillqvist and will now be focusing on bringing its suite of applications to mobile devices in the near future. LibreOffice currently competes and offers a great free alternative to Microsoft Offices suite of applications. LibreOffice was created by former OpenOffice.org developers after concerns about Oracle’s community-hostile stewardship of OpenOffice.org and a number of long-standing procedural and governance issues that existed long before Oracle’s acquisition of Sun.

LibreOffice has been developed by The Document Foundation as a fork of OpenOffice.org, and is compatible with other major office suites, including Microsoft Office making it easy to swap too. When created it developers goal with LibreOffice was to create a vendor-independent office suite with ODF support but without any copyright assignment requirements. Since its launch the LibreOffice software has been downloaded over 7.5 million times since its launch back in January 2011.

November 2nd, 2011 | dsmith | Categories: Cost Savings, iOS, LibreOffice, Microsoft, Office 2003, Office 2007, Office XP, Openoffice, Patch, Updates, Windows Vista | Comments: Comments Off

Apple Mac Trojans

A newly identified Mac OS X Trojan bundles a component that leverages the processing power of video cards (GPUs) to generate Bitcoins, a popular type of virtual currency.

The new Trojan known as OSX/Miner-D, nicknamed “DevilRobber” by antivirus vendors, is being distributed together with several software applications via BitTorrent sites.

“This malware is complex, and performs many operations,” security researchers from Mac antivirus vendor Intego warned. “It is a combination of several types of malware: It is a Trojan horse, since it is hidden inside other applications; it is a backdoor, as it opens ports and can accept commands from command and control servers; it is a stealer, as it steals data and Bitcoin virtual money; and it is a spyware, as it sends personal data to remote servers,” they explained. The software is being distributed through torrent sites. It installs a Java-based application called “DiabloMiner” that uses your Mac’s graphics processing unit (GPU) to generate Bitcoins.

The Bitcoin mining program that DevilRobber installs on infected computers is called DiabloMiner and is a legitimate Java-based application used in the virtual currency’s production. As this application is Java based, it will run on Windows, Solaris and Linux computers.

The first sign of infection is if your Mac suddenly becomes sluggish, Graham Cluley of Sophos wrote in a blog post.

“It’s becoming clearer every week that Mac users need to take malware protection more seriously by running anti-virus software,” he wrote.

The DevilRobber trojan steals processing power, which can lead to slow computer performance, as well as actual Bitcoins, which are kept in virtual wallets on the victim’s machine.

“OSX/Miner-D [DevilRobber] also spies on you by taking screen captures and stealing your usernames and passwords,” warned Graham Cluley, a senior technology consultant at antivirus vendor Sophos.

“In addition, it runs a script that copies information to a file called dump.txt regarding truecrypt data, Vidalia (TOR plugin for Firefox), your Safari browsing history and .bash_history,” he added.

So far, the Trojan has been detected in a BitTorrent download for GraphicConverter version 7.4, an image editing application for Mac OS X. However, this doesn’t mean that there aren’t similarly Trojanized torrents out there.

“Clearly, Mac users — like their Windows cousins — should practice safe computing and only download software from official websites and legitimate download services,” Cluley said. He also stressed that Mac users should install an antivirus program, which is not hard to do and costs nothing.

There are several providers of free antivirus solutions for Mac and all of their solutions are more capable than Mac OS X’s default anti-malware defense mechanism, which some Trojans already bypass or even disable.

The latest patch from Microsoft Security Essentials and other Mac AV providers will detect this DevilRobber. I suggest you go one step further and use ESET NOD32.

Bitcoin is a form of virtual cash that can be exchanged by users without the need for an intermediary bank or payment service. Bitcoins are actually cryptographic hashes that get generated piece by piece using specialized programs like DiabloMiner, according to a public algorithm.

Bitcoin is a decentralized, highly controversial virtual currency that was formed by programmers in 2009. The currency is generated by programming computers to calculate highly complex math problems; the more computing power you have, the faster you can create Bitcoins. This is why Bitcoin rigs often look like massive sculptures of connected servers.

Ideally, Bitcoin resolves issues inherent in traditional currencies, like double-spending, inflation, corruption, and inept monetary authorities. But in reality, the effort is being undermined by security issues like exchange breaches, account theft, and pure FUD.

In the past we’ve also heard of Twitter-based Bitcoin bots and months ago, Symantec predicted the spawn of botnets used to mine Bitcoins.

One Bitcoin is currently valued at around US$3.20, and it is a good source of profit for both Bitcoin miners, who legitimately use their computer resources to generate them, and cybercriminals who steal them.

 

November 1st, 2011 | dsmith | Categories: Anti-virus, Apple, Attack, Bitcoin, Exploit, Laptop, Macintosh, MacOS, OS X, Patch, Security, Sophos, Symantec, Trojan, Virus, Windows | Comments: Comments Off

Next Page »