August, 2017


8
Aug 17

Critical Security Fixes from Adobe, Microsoft

Adobe has released updates to fix dozens of vulnerabilities in its Acrobat, Reader and Flash Player software. Separately, Microsoft today issued patches to plug 48 security holes in Windows and other Microsoft products. If you use Windows or Adobe products, it’s time once again to get your patches on.

brokenwindowsMore than two dozen of the vulnerabilities fixed in today’s Windows patch bundle address “critical” flaws that can be exploited by malware or miscreants to assume complete, remote control over a vulnerable PC with little or no help from the user.

Security firm Qualys recommends that top priority for patching should go to a vulnerability in the Windows Search service, noting that this is the third recent Patch Tuesday to feature a vulnerability in this service.

Qualys’ Jimmy Graham observes that many of the vulnerabilities in this month’s release involve the Windows Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritizing for workstation-type systems.

According to Microsoft, none of flaws in August’s Patch Tuesday are being actively exploited in the wild, although Bleeping Computer notes that three of the bugs were publicly detailed before today’s patch release.

Case in point: This month’s patch batch from Microsoft does not address the recently-detailed SMBLoris flaw, a vulnerability in all versions of Windows that can be used to remotely freeze up vulnerable systems or cause them to crash. Continue reading →


2
Aug 17

Flash Player is Dead, Long Live Flash Player!

Adobe last week detailed plans to retire its Flash Player software, a cross-platform browser plugin so powerful and so packed with security holes that it has become the favorite target of malware developers. To help eradicate this ubiquitous liability, Adobe is enlisting the help of Apple, Facebook, Google, Microsoft and Mozilla. But don’t break out the bubbly just yet: Adobe says Flash won’t be put down officially until 2020.

brokenflash-aIn a blog post about the move, Adobe said more sites are turning away from proprietary code like Flash toward open standards like HTML5, WebGL and WebAssembly, and that these components now provide many of the capabilities and functionalities that plugins pioneered.

“Over time, we’ve seen helper apps evolve to become plugins, and more recently, have seen many of these plugin capabilities get incorporated into open web standards,” Adobe said. “Today, most browser vendors are integrating capabilities once provided by plugins directly into browsers and deprecating plugins.”

It’s remarkable how quickly Flash has seen a decline in both use and favor, particularly among the top browser makers. Just three years ago, at least 80 percent of desktop Chrome users visited a site with Flash each day, according to Google. Today, usage of Flash among Chrome users stands at just 17 percent and continues to decline (see Google graphic below).

For Mac users, the turning away from Flash began in 2010, when Apple co-founder Steve Jobs famously penned his “Thoughts on Flash” memo that outlined the reasons why the technology would not be allowed on the company’s iOS products. Apple stopped pre-installing the plugin that same year.

The percentage of Chrome users over time that have used Flash on a Web site. Image: Google.

The percentage of Chrome users over time that have used Flash on a Web site. Image: Google.

“Today, if users install Flash, it remains off by default,” a post by Apple’s WebKit Team explains. “Safari requires explicit approval on each website before running the Flash plugin.”

Mozilla said that starting this month Firefox users will choose which websites are able to run the Flash plugin.

“Flash will be disabled by default for most users in 2019, and only users running the Firefox Extended Support Release will be able to continue using Flash through the final end-of-life at the end of 2020,” writes Benjamin Smedberg for Mozilla. “In order to preserve user security, once Flash is no longer supported by Adobe security patches, no version of Firefox will load the plugin.” Continue reading →


1
Aug 17

New Bill Seeks Basic IoT Security Standards

Lawmakers in the U.S. Senate today introduced a bill that would set baseline security standards for the government’s purchase and use of a broad range of Internet-connected devices, including computers, routers and security cameras. The legislation, which also seeks to remedy some widely-perceived shortcomings in existing cybercrime law, was developed in direct response to a series of massive cyber attacks in 2016 that were fueled for the most part by poorly-secured “Internet of Things” (IoT) devices.

iotc

The IoT Cybersecurity Improvement Act of 2017 seeks to use the government’s buying power to signal the basic level of security that IoT devices sold to Uncle Sam will need to have. For example, the bill would require vendors of Internet-connected devices purchased by the federal government make sure the devices can be patched when security updates are available; that the devices do not use hard-coded (unchangeable) passwords; and that vendors ensure the devices are free from known vulnerabilities when sold.

The bill, introduced by Sens. Steve Daines (R-Mont.), Cory Gardner (R-Colo.), Mark Warner (D-Va.) and Ron Wyden (D-Ore.), directs the White House Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality. In addition, it requires each executive agency to inventory all Internet-connected devices in use by the agency.

The bill’s provisions would seem to apply to virtually any device that has an Internet connection and can transmit data. Under the proposal, an IoT device has a fairly broad definition, being described as “a physical object that is capable of connecting to and is in regular connection with the Internet;” and one that “has computer processing capabilities that can collect, send or receive data.” Continue reading →