Advertisement
<a href="http://abaca.com/free_trial.html"><img src="/a-ab/missing.gif" /></a>
  • About the Author
  • About this Blog

    • Security Tools

    A Little Sunshine / Latest Warnings / Security Tools20 Comments
    11
    May 12

    FBI: Updates Over Public ‘Net Access = Bad Idea

    The Federal Bureau of Investigation is advising travelers to avoid updating software while using hotel or other public Internet connections, warning that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms.

    From the FBI’s advisory:

    “Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.”

    The warning is a good opportunity to revisit some wireless safety tips I’ve doled out over the years. Avoid updating software while you’re using networks that are untrusted and public, whether they are wired or wireless. This generally means Wi-Fi networks like those available in hotels and coffee shops, and even wired connections at hotels. The only exception I make to this rule is when I have a device that is tethered to the 3G connection on a mobile phone. But even this can be dicey, because many laptops and mobile devices will switch over to available Wi-Fi networks in the event that the 3G signal dies.

    There are a number of free attack tools that can be used to spoof software update prompts, and these are especially effective against users on small local networks. Bear in mind that false update prompts don’t have to involve pop-ups. I’ve written at least two blog posts about EvilGrade, a toolkit that makes it simple for attackers to install malicious software by exploiting weaknesses in the auto-update feature of many popular software titles. The deviousness of this tool is that it can be used to hijack the legitimate updaters built into software already installed on your computer.

    If you must update while on the road, make sure that you initiate the update process. Avoid clicking pop-up prompts or anything that looks like it was launched from an auto-updater. When in doubt, always update from the vendor’s Web site. Most importantly — and Rule #1 of Krebs’s 3 Basic Rules for Online Safety covers this nicely — “if you didn’t go looking for it, don’t install it!” Also, using an update tracker, such as Secunia‘s Personal Software Inspector or File Hippo‘s Update Checker, can help you stay on top of the latest security patches for widely-used software, and make it easier for you to plan your software updates ahead of time.

    Latest Warnings / Security Tools / Time to Patch13 Comments
    8
    May 12

    Adobe, Microsoft Push Critical Security Fixes

    Adobe and Microsoft today each issued updates to address critical security flaws in their software. Adobe’s patch plugs at least five holes in its Shockwave Player, while Microsoft has released a bundle of seven updates to correct 23 vulnerabilities in Windows and other products.

    Microsoft’s May patch batch includes fixes for vulnerabilities that could be exploited via Web browsing, file-sharing, or email. Eight of the 23 flaws earned Microsoft’s “critical” rating, meaning no user interaction is required for vulnerable systems to be hacked. At least three of the flaws were publicly disclosed before today.

    According to Microsoft, the two updates are the most dire: The first is one related to a critical flaw in Microsoft Word (MS12-029); the second is an unusually ambitious update that addresses flaws present in Microsoft Office, Windows, .NET Framework and Silverlight. In a blog post published today, Microsoft explained why it chose to patch all of these seemingly disparate products all in one go. But the short version is that Microsoft is addressing the ghost of Duqu, a sophisticated malware family discovered last year that was designed to attack industrial control systems and is thought to be related to the infamous Stuxnet worm. A patch Microsoft issued last year addressed the underlying Windows vulnerability exploited by Duqu, but the company found that the same vulnerable code resided in a slew of other Microsoft applications.

    Continue reading →

    A Little Sunshine / Security Tools18 Comments
    12
    Apr 12

    How to Find and Remove Mac Flashback Infections

    A number of readers responded to the story I published last week on the Flashback Trojan, a contagion that was found to have infected more than 600,000 Mac OS X systems. Most people wanted to know how they could detect whether their systems were infected with Flashback — and if so — how to remove the malware. This post covers both of those questions.

    Screen shot of Flashback detection tool from Dr.Web

    Since the discovery last week of the Flashback Mac botnet, several security firms have released tools to help detect and clean up Flashback infections. Dr.Web, the Russian antivirus vendor that first sounded the alarm about the outbreak, has published a free online service that lets users tell whether their systems have been seen phoning home to Flashback’s control servers (those servers have since been hijacked by researchers). The service requires users to enter their Mac’s hardware unique user ID (HW-UUID), because this is how the miscreants who were running the botnet kept track of their infections.

    F-Secure Corp., the Finnish security firm that worked with Dr.Web to more accurately gauge the true number of Flashback-infected Macs, has a Flashback Removal Tool available for download from its Web site.

    Where is Apple’s response in all of this, you ask? Apple says it is developing software that will detect and remove Flashback. Inexplicably, it has not yet released this tool, nor has it added detection for it to the XProtect antivirus tool built into OS X. The company’s advisory on this threat is predictably sparse, and focuses instead on urging users to apply a recent update for Java. Flashback attacks a well-known Java flaw, but it’s worth noting that Apple released the Java patch only after Flashback had begun infecting hundreds of thousands of Macs.

    Update, 8:22 p.m. ET: Apple just released a new version of Java that includes a Flashback remover. Java for OS X Lion 2012-003 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for OS X Lion. It includes no new security fixes, but it adopts a novel approach to the debate over whether to temporarily disable or remove Java: “It configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application.” If the Java web plug-in detects that no applets have been run for at least 35 days, it will again disable Java applets.

    Continue reading →

    Latest Warnings / Security Tools / Time to Patch21 Comments
    10
    Apr 12

    Adobe, Microsoft Issue Critical Updates

    Adobe and Microsoft today each issued critical updates to plug security holes in their products. The patch batch from Microsoft fixes at least 11 flaws in Windows and Windows software. Adobe’s update tackles four vulnerabilities that are present in current versions of Adobe Acrobat and Reader.

    Seven of the 11 bugs Microsoft fixed with today’s release earned its most serious “critical” rating, which Microsoft assigns to flaws that it believes attackers or malware could leverage to break into systems without any help from users. In its security bulletin summary for April 2012, Microsoft says it expects miscreants to quickly develop reliable exploits capable of leveraging at least four of the vulnerabilities. Continue reading →

    Latest Warnings / Security Tools / Time to Patch58 Comments
    4
    Apr 12

    Urgent Fix for Zero-Day Mac Java Flaw

    Apple on Monday released a critical update to its version of Java for Mac OS X that plugs at least a dozen security holes in the program. More importantly, the patch mends a flaw that attackers have recently pounced on to broadly deploy malicious software, both on Windows and Mac systems.

    Distribution of 550,000 Flashback-infected Macs. Source: Dr.Web.com

    The update, Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7, sews up an extremely serious security vulnerability (CVE-2012-0507) that miscreants recently rolled into automated exploit kits designed to deploy malware to Windows users. But in the past few days, information has surfaced to suggest that the same flaw has been used with great success by the Flashback Trojan to infect large numbers of Mac computers with malware.

    The revelations come from Russian security firm Dr.Web, which reports that the Flashback Trojan has successfully infected more than 550,000 Macs, most which it said were U.S. based systems (hat tip to Adrian Sanabria). Dr.Web’s post is available in its Google translated version here.

    Continue reading →

    Latest Warnings / Security Tools / Time to Patch44 Comments
    28
    Mar 12

    Critical Security Update for Adobe Flash Player

    Adobe has issued a security update for its Flash Player software that fixes at least two critical vulnerabilities in the widely-used program. At long last, this latest version also includes an auto-updating mechanism designed to streamline the deployment of Flash security fixes across multiple browsers.

    If it seems like you just updated Flash to fix security holes, it’s not your imagination. This is the third security update for Flash in the last six weeks. Flash Player v. 11.2 addresses a couple of flaws  in Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 11.1.111.7 and earlier versions for Android 3.x and 2.x. Adobe warns that these vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

    My previous posts on Flash updates have been accompanied by lengthy instructions about how to update the program. That’s in part because Adobe has traditionally deployed two separate installers for Windows based systems: One for Flash on Internet Explorer, and another for non-IE browsers. With the release of Flash Player 11.2, Adobe is introducing a new background update mechanism for Windows users that promises to take some of the pain out of updating. Continue reading →

    Latest Warnings / Security Tools / Time to Patch30 Comments
    5
    Mar 12

    Adobe Patches Critical Flash Flaws

    For the second time in less than a month, Adobe has issued an update to fix dangerous flaws in its Flash Player software. The patch addresses two vulnerabilities rated “critical,” but Adobe says it is not aware of active attacks against either flaw.

    The fixes being released today address a pair of critical bugs that are present in Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Mac, Linux and Solaris, Flash Player v 11.1.115.6 and earlier versions for Android 4.x, and Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x. Adobe says both flaws in today’s release were reported by Google security researchers.

    For Windows, Mac, Linux and Solaris users, the newest version is 11.1.102.63, and is available through the Player Download Center. To find out which version of Flash you have installed, visit this page. Users can grab the latest version from the Adobe Flash Player Download Center, although if you’re not careful to untick the check box next to whatever “optional” goodies Adobe tries to bundle with Flash Player (the most common is McAfee Security Scan Plus) you could end up with more than you wanted.

    Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser. Chrome normally auto-updates Flash – often hours or days before the fixes are publicly released for download — although for some reason I still had the vulnerable version 11.1.102.62 installed when Adobe’s security advisory was released today. According to the Chrome Releases blog, Google began pushing out an update last night that includes the new Flash version.

    Today’s update comes close on the heels of a critical Flash patch that closed at least seven security holes, including one that was at the time already being exploited to break into vulnerable systems (that one, also, was reported by Google).

    Security Tools26 Comments
    28
    Feb 12

    PSI 3.0: Auto-Patching for Dummies

    A new version of the Personal Software Inspector (PSI) tool from vulnerability management firm Secunia automates the updating of third-party programs that don’t already have auto-updaters built-in. The new version is a welcome development for the sort of Internet users who occasionally still search their keyboards for the “any” key, but experienced PSI users will probably want to stick with the comparatively feature-rich current version.

    PSI 3.0 Beta's simplified interface.

    PSI 3.0 introduces one major new feature: Auto-updating by default. The program installs quickly and immediately begins scanning installed applications for missing security updates. When I ran the beta version, it found and automatically began downloading and installing fixes for about half of the apps that it detected were outdated. The program did find several insecure apps that it left alone, including iTunes, PHP and Skype; I suspect that this was based on user feedback. It may also just avoid auto-patching busy programs (all three of those applications were running on my test machine when I installed PSI 3.0); for these, PSI presents the “run manual update,” or “click to update,” option.

    But users familiar with previous versions of PSI may be frustrated with the beta version’s intentional lack of options. The beta is devoid of all settings that are present in the current version of PSI, and the user dashboard that listed updated software alongside outdated programs and other options no longer exists. In fact, once a program is updated, it is removed from the update panel, leaving no record of what was updated (I had to sort my Program Files folder by date to learn which programs were touched after running PSI 3.0).

    Continue reading →

    Latest Warnings / Security Tools / Time to Patch16 Comments
    15
    Feb 12

    Flash Player Update Nixes Zero-Day Flaw

    Adobe has issued a critical security update for its ubiquitous Flash Player software. The patch plugs at least seven security holes, including one reported by Google that is already being used to trick users into clicking on malicious links delivered via email.

    In an advisory released Wednesday afternoon, Adobe warned that one of the flaws — a cross-site scripting vulnerability (CVE-2012-0767) reported by Google –  was being used in the wild in active, targeted attacks designed to trick users into clicking on a malicious link delivered in an email message. The company said the flaw could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. A spokesperson for the company said this particular attack only works against Internet Explorer on Windows.

    Continue reading →

    Latest Warnings / Security Tools / Time to Patch15 Comments
    15
    Feb 12

    Java Security Update Scrubs 14 Flaws

    Oracle has shipped a critical update that fixes at least 14 security vulnerabilities in its Java JRE software. The company is urging users to deploy the fixes as quickly as possible.

    Java flaws are a favorite target of miscreants and malware because of the program’s power and massive install base: Oracle estimates that Java is installed on more than three billion machines worldwide.

    In an emailed advisory accompanying the new release, Oracle urged users to update without delay. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon a possible.”

    The new versions are Java 6 Update 31, and Java 7 Update 3. To see if you have Java installed and to find out what version you have, visit Java.com and click the “Do I have Java?” link. Existing users should be able to update by visiting the Windows Control Panel and clicking the Java icon, or by searching for “Java” and clicking the “Update Now” button from the Update tab. Continue reading →

    ← Older Entries