Thursday, January 28, 2010

IE flaw to be exposed at Black Hat, probably not fixable

Here's just one more reason to stop using IE to browse the Internet. Once this flaw leaks out to the bad guys, anyone using IE will be vulnerable. Because it affects SMB, IMHO it may be difficult-to-impossible to fix without breaking Microsoft Windows networking.

Internet Explorer Flaw Reveals Web Surfers' Hard Drive Contents
... The hole is difficult to close because the attack exploits an array of features IE users have come to rely on to make web applications work seamlessly. Simply removing the features could neuter functions such as online file sharing and active scripting, underscoring the age-old tradeoff between a system’s functionality and its security.

Based on Medina’s characterization, it appears that fixing the weakness will require changes in a Windows network sharing technology known as SMB, or server message block, as well as the way Windows makes file caches available to a wide variety of applications.

“The things we are reporting are not bugs, they are features,” Medina said. “They are needed for many applications to work, so [Microsoft] can’t simply remove or truncate” them.

IE suffers from at least one other long-standing security bug that can enable attacks against people browsing websites that are otherwise safe to view. It can be exploited to introduce XSS, or cross-site scripting, exploits on webpages, allowing attackers to inject malicious content and code.

Tuesday, January 26, 2010

I thought Google's motto was "do no evil".

This certainly doesn't qualify.  I have been uninstalling the Google toolbar from all my systems for the past few months, and now I guess that was a Good Thing to do ...

Sunbelt Blog: Google Toolbar tracks searches after it’s disabled.
Ben Edelman, Harvard privacy researcher and guru has revisited the features of Google Toolbar and was appalled to discover that disabling it doesn’t really disable it. He is recommending that all users uninstall it.

In a long, thorough and well-written piece on his blog Edelman discusses how he monitored the Toolbar’s behavior with a network sniffer and documented the transmission of data back to Google. Not only does it track a user’s Google searches, but it also phones home information about searches done in other search engines.

And, the privacy policy, he says, is ill-conceived.

“Notice that the Privacy Policy loads in an unusual window with no browser chrome – no Edit-Find option to let a user search for words of particular interest, no Edit-Select All and Edit-Copy option to let a user copy text to another program for further review, no Save or Print options to let a user preserve the file. Had Google used a standard browser window, all these features would have been available, but by designing this nonstandard window, Google creates all these limitations.”

This, of course, prevents a user from using an application like EULAlyzer that points out areas of concern in end user licensing agreements and privacy statements.

Update Wed 27 Jan 2010 06:49: Ars Technica reports that restarting the browser stops the behavior, and Google is fixing the problem anyway.
Google: Toolbar data persistence a bug, fix available
We asked Google for comment, and a spokesperson told us there's a simpler solution: quit and relaunch the browser. That apparently gets the software to reload its preferences, and will put a stop to the transmission of URL data.

"It affects those using Google Toolbar versions 6.3.911.1819 through 6.4.1311.42 in Internet Explorer," the spokesperson told Ars. "Once the user restarts the browser, the issue is no longer present. A fix that doesn't require a browser restart is now available on [our site] and in an automatic update to Google Toolbar that we are starting tomorrow." The rapid response—Edelman's report is dated today—suggests that Google was already aware of the problem and had put the fix through Q&A.

Sunday, January 24, 2010

Upcoming Blackhat presentation: "IE turns your personal computer into a public file server"

I don't know how much credence to put in this announcement, but Core Security is a legitimate company with a long history of doing good security research, and Blackhat is a legitimate conference. If this is true, anyone with sensitive data on their computers (bank accounts, credit card numbers, tax returns, and the like), should probably not use IE for the foreseeable future.

I don't use IE except for Windows Updates, but those of you who do should STRONGLY consider switching to Google Chrome or Mozilla Firefox. Chrome is possibly safer because it runs partially sandboxed from the OS but everything you do on the Internet is fed into Google's databases; Firefox is much safer than IE, especially when enhanced with NoScript and Adblock Plus but unless you run as a non-administrative user (as I do) it runs with administrative access to the system.  FWIW I use Firefox -- Google already knows too much about me ;-).

"IE turns your personal computer into a public file server"
I dunno. We just get a patch for a major vulnerability in IE and breathe a sigh of relief only to learn about another nasty vulnerability in IE that will be demonstrated at the upcoming Black Hat Conference. Sigh.

Researchers at Core Security, one day after Microsoft patched IE, have announced another set of vulnerabilities in Internet Explorer that involve stringing several minor vulnerabilities together to enable a hacker to have complete access to all files on the user's computer. The user would need to be enticed to click on a malicious link first.

The vulnerability, along with proof of concept, will be demonstrated at the Black Hat conference which begins Feb 2 in Washington. Core Security states that they are working with Microsoft to try and find a way to mitigate the risk. Microsoft has declined to comment.

Core Security page
Blackhat Conference Announcement
Reuters story about this

Friday, January 22, 2010

Is it time to remove Real Player from your system?

When was the last time you used Real Player to view anything?  If you can't remember, don't patch, just uninstall it.  The free open-source player VLC media player will play Real media, so you don't need it any more.

US-CERT Current Activity: RealNetworks, Inc. Releases Updates to Address Vulnerabilities
added January 22, 2010 at 08:36 am

RealNetworks, Inc. has released updates to address multiple vulnerabilities in several versions of RealPlayer for Windows, Mac, and Linux and several versions of the Helix Player for Linux. These vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the RealNetworks, Inc. advisory and apply any necessary updates to help mitigate the risks.

Thursday, January 21, 2010

Microsoft releases emergency patch for IE

Microsoft today released a so-called "out of band" patch for Internet Explorer (all supported versions).  I will be testing this on my systems, but home users should go ahead and run Windows Update and make sure this is installed.  NOTE: just because you have Automatic Updates enabled doesn't mean they're working.  Last night I applied almost 100 Windows Updates to a system which had Windows Updates on full-automatic-mode, but some part of the WU system had gotten corrupted and it wasn't working.  I opened an email case with Microsoft

The Microsoft Security Response Center (MSRC) : Bulletin MS10-002 Released
Today we released Security Bulletin MS10-002 out-of-band to address vulnerabilities in Internet Explorer. All customers using currently supported versions of Windows and Internet Explorer should apply this update as soon as possible. Once applied, customers are protected against the known attacks that have been widely publicized. For customers using automatic updates, this update will automatically be applied once it is released.

Other stories about this with non-Microsoft commentary are here:

In a totally unrelated development, version 3.6 of Firefox was released today.  It is not a security patch, so there is no need to rush it into production use.  I will be testing it and will report back here next week.

Mozilla drops Firefox 3.6 with security goodies | Zero Day
Mozilla has released the latest iteration of its flagship Firefox browser with a few significant security goodies to keep malicious hackers at bay.

The update, which is being shipped via the browser’s automatic update mechanism, includes new features to patch third-party Firefox plug-ins and lock out rogue add-ons.

There are no security vulnerabilities being fixed with this Firefox 3.6 update.

Wednesday, January 20, 2010

Another Adobe problem, this time it's the Shockwave Player

News today of another Adobe problem, only this time it's the Shockwave Player.  This is different from the Flash Player.  If you have it, Adobe says to uninstall it, REBOOT, and then install the new one.  I say just uninstall it -- most likely you don't need it unless you play online games that require it.

Critical flaws haunt Adobe Shockwave Player | Zero Day
Adobe’s run on the patching treadmill continued this week with a “critical” update to fix a pair of code execution holes in its Shockwave Player.

The vulnerabilities affect Adobe Shockwave Player and earlier versions, on the Windows and Mac operating systems.

According to an Adobe advisory, an attacker who successfully exploits the vulnerabilities could run malicious code on the affected system.

* This update resolves a buffer overflow vulnerability that could potentially lead to code execution (CVE-2009-4002).
* This update resolves multiple integer overflow vulnerabilities that could potentially lead to code execution (CVE-2009-4003).

Adobe recommends Shockwave Player users uninstall Shockwave version and earlier on their systems, restart their systems, and install Shockwave version

D-Link routers easily hacked

I don't use D-Link routers, I use a recycled computer turned into a router using IPCop, but if you have a D-Link router you should follow the links.

This is important because once a "bad guy" has control of your home router, he controls your internet traffic and can make you think you are at your bank's website when in fact you're at his copy of your bank's website.

D-Link issues fixes for router vulnerabilities
Router manufacturer D-Link Corp. today admitted that some of its routers have a vulnerability that could allow hackers access to a device's administrative settings. The Taipei, Taiwan-based firm said that it has issued patches to fix the flaws.

According to a Jan. 9 blog post from SourceSec Security Research, some D-Link routers have an insecure implementation of the Home Network Administration Protocol (HNAP), which could allow an unauthorized person to change a router's settings.

SourceSec published a proof-of-concept software tool called HNAP0wn that would enable the hack -- a move that D-Link criticized.

... D-Link and SourceSec differed over which models were vulnerable. SourceSec wrote that it suspected that all D-Link routers made since 2006 with HNAP support were affected, but they said they had not tested all of them.

D-Link said the models affected are the DIR-855 (version A2), DIR-655 (versions A1 to A4) and DIR-635 (version B). Three discontinued models -- DIR-615 (versions B1, B2 and B3), DIR-635 (version A) and DI-634M (version B1) -- are also affected.

The company said new firmware updates are being made available across its Web sites.

NOTE: The link in the Computerworld story is bad, click the corrected link here.

Mac users also need to patch ...

Apple Security Update 2010-001
In an effort not to be left out, Apple has released Security Update 2010-001 which patches a dozen vulnerabilities in CoreAudio (code execution via crafted MP4), CUPS (remote DoS), Flash Player Plug-in (multiple including arbitrary code execution), ImageIO (code execution via crafted TIFF file), Image Raw (code execution via crafted DNG image), and OpenSSL (the renegotiation exploit). Details can be found here:
Mac OS X dirty dozen: Apple plugs critical security holes | Zero Day
Apple’s first Mac OS X security update for 2010 is out, providing cover for at least 12 serious vulnerabilities.

The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site.

With Security Update 2010-001, Apple also fixes flaws in the Adobe Flash Player plug-in that ships with the operating system.

Monday, January 18, 2010

Two European governments warn against use of Internet Explorer

European governments warn against Internet Explorer - Network World
The French government has become the second in days to warn its citizens to steer clear of all versions of Internet Explorer (IE) until a serious security flaw is fixed in the browser.

At the weekend, the German Federal Office for Information Security (BSI) warned users against using versions 6, 7 and 8 of the browser until Microsoft patched the vulnerability referred to by Microsoft in advisory 979352, the remote execution security hole believed to be connected to recent high-profile attacks on Google servers which saw the search giant threaten to quit China.

Now the French Centre d'Expertise Gouvernemental de Réponse et de Traitement des Attaques informatiques has issued its own terse warning to the same effect.

IE used to hack Google, Microsoft issues warning

Just one more reason to abandon IE (except for Windows Updates) and use Firefox ... if you click the link below, there are more links at the MSRC page:

The Microsoft Security Response Center (MSRC): Security Advisory 979352 Released
Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks. Today, Microsoft issued guidance to help customers mitigate a Remote Code Execution (RCE) vulnerability in Internet Explorer. Additionally, we are cooperating with Google and other companies, as well as authorities and other industry partners.

Microsoft remains committed to taking the appropriate action to help protect our customers. We released Security Advisory 979352 to provide customers with actionable guidance and tools to help with protections against exploit of this vulnerability. Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time. Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band.

It is important to note that complex attacks targeting specific corporate networks are becoming more prevalent in the threat landscape, therefore organizations should follow defense-in-depth best practices, and deploy multiple layers of protection to improve their security posture. In addition, Protected Mode in IE 7 on Windows Vista and later significantly reduces the ability of an attacker to impact data on a user’s machine. Customers should also enable Data Execution Prevention (DEP) which helps mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions.

Customers can also set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones or configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. You can find details on implementing these settings in the advisory.

Anyone believed to have been affected can visit: and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-727-2338 (PCSAFETY). Additionally, customers in the United States should contact their local FBI office or report their situation at: Customers should follow the guidance in the advisory and our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software (learn more by visiting the Protect Your PC web site). International customers can find their Regional Customer Service Representative
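The advisory's two workarounds (zone security at "High", or Active Scripting set to Prompt/Disable) and the DEP recommendation can be audited from the user's own session. The script below is an added example, not code from Microsoft or this blog; the zone ids (1 = Local intranet, 3 = Internet), the CurrentLevel constants and the action values 1400/1200 are the documented IE zone registry settings, but confirm them against your build before running with -Apply.

```powershell
# Added example, not code from the MSRC advisory or the blog. Audits the two
# workarounds in Security Advisory 979352 (Internet/Local intranet zone at
# "High", or Active Scripting not set to Enable) plus the OS-wide DEP policy,
# and applies the High-zone settings when run with -Apply. Uses HKCU, so run
# it as the user whose IE profile you are checking.
param([switch]$Apply)

$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }   # zone ids as IE stores them

# CurrentLevel is only the slider label; the numbered URLACTION values are
# what IE actually enforces, so both are read and both are written.
$levelNames  = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium';
                  0x11500 = 'Medium-high'; 0x12000 = 'High' }
$actionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ActiveScripting = '1400'   # URLACTION "Active scripting"
$RunActiveX      = '1200'   # URLACTION "Run ActiveX controls and plug-ins"

function Test-ZoneWorkaround {
    param([int]$Id, [string]$Name)
    $key    = Join-Path $zoneRoot $Id
    $props  = Get-ItemProperty -Path $key
    $level  = [int]$props.CurrentLevel
    $script = [int]$props.$ActiveScripting   # absent value reads as 0 (Enable)
    $ax     = [int]$props.$RunActiveX
    # The advisory is satisfied if the zone is High, or scripting is Prompt/Disable.
    $mitigated = ($level -eq 0x12000) -or ($script -ne 0)
    [pscustomobject]@{
        Zone            = $Name
        Level           = $levelNames[$level]
        ActiveScripting = $actionNames[$script]
        ActiveX         = $actionNames[$ax]
        Mitigated       = $mitigated
    }
}

function Set-ZoneHigh {
    param([int]$Id)
    $key = Join-Path $zoneRoot $Id
    # Mirror what the IE "High" preset does for the two actions the advisory names.
    Set-ItemProperty -Path $key -Name CurrentLevel     -Value 0x12000 -Type DWord
    Set-ItemProperty -Path $key -Name $ActiveScripting -Value 3       -Type DWord
    Set-ItemProperty -Path $key -Name $RunActiveX      -Value 3       -Type DWord
}

# OS DEP policy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (default; IE8 opts itself in),
# 3 OptOut. IE7 on Vista must additionally be opted in from its Advanced options.
$os       = Get-WmiObject Win32_OperatingSystem
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
"DEP available: $($os.DataExecutionPrevention_Available), policy: $($depNames[[int]$os.DataExecutionPrevention_SupportPolicy])"

foreach ($id in $zones.Keys) {
    if ($Apply) { Set-ZoneHigh -Id $id }
    Test-ZoneWorkaround -Id $id -Name $zones[$id]
}
```

Setting the Internet zone to High blocks scripting on most sites, so expect breakage; the advisory's own text offers Prompt (value 1) as the gentler alternative.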

The Microsoft Security Response Center (MSRC) has a followup posting here:

Further Insight into Security Advisory 979352 and the Threat Landscape

Thursday, January 14, 2010

Microsoft warns of 0-day flaw in IE6, IE7, & IE8

Just one more reason to switch to Firefox as your Internet-browser-of-choice.  AOL users should be aware that the "AOL Browser" on Windows is just IE wearing an AOL "skin".

Microsoft Security Advisory (979352): Vulnerability in Internet Explorer Could Allow Remote Code Execution
Microsoft is investigating a report of a publicly exploited vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

... At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6.

Other reports suggest that this attack was used against Google and Adobe to invade their systems so seriously that Google is considering pulling out of China as a result.
  • 0-day Vulnerability In Internet Explorer 6, 7 And 8 Exploited In Recent Chinese Attack
    Microsoft published an advisory today about a critical security vulnerability in all versions of Internet Explorer (apart from version 5). While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default.

    According to McAfee, hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used this vulnerability to carry out at least some of the attacks.
  • US-CERT Current Activity: Microsoft Releases Security Advisory 979352
    Microsoft Releases Security Advisory 979352
    added January 14, 2010 at 06:49 pm

    Microsoft has released Security Advisory 979352 to alert users of a vulnerability in Microsoft Internet Explorer. The advisory indicates that exploitation of this vulnerability may allow an attacker to execute arbitrary code. Microsoft also indicates that it is aware of public, active exploitation of this vulnerability.

    US-CERT encourages users and administrators to review Microsoft Security Advisory 979352 and apply the suggested workaround of setting the Internet zone security setting to High to help mitigate the risks.

    Additional information about this vulnerability can be found in Vulnerability Note VU#492515.
  • SANS: 0-day vulnerability in Internet Explorer 6, 7 and 8
    Microsoft just published an advisory about a critical security vulnerability in all versions of Internet Explorer (apart from 5 – but no one has that around anymore, right?).

    While all versions of Internet Explorer are affected, the risk for everyone running Internet Explorer 8 is lower since it has DEP (Data Execution Prevention) enabled by default. DEP makes exploitation of this vulnerability more difficult so as a temporary workaround you might want to enable it for older IEs (keep in mind that it might break some add-ons).

    Microsoft says that so far they only saw exploits against Internet Explorer 6. In a related post (here) McAfee said that this vulnerability was (one of those) used to compromise Google. So, it appears that it was maybe even a cocktail of 0-day exploits used (IE + Adobe).
  • McAfee Security Insights Blog » Blog Archive » Operation “Aurora” Hit Google, Others
  • Microsoft discloses zero-day IE flaw used in China attacks - SC Magazine US

Facebook news: 1 year of McAfee free, but privacy problems remain

This will affect mostly home users.  Facebook users have both Good News and Bad News these days. The Good News is that McAfee is offering FB users a free half-year of protection:

Facebook offers users free McAfee protection - Network World
Facebook has joined forces with McAfee to offer social networkers a free six-month subscription of security software.

Facebook users that take up the free subscription will also be entitled to a discount on a full version of the security software once the trial period is over.
See also:

McAfee Security Insights Blog » Blog Archive » McAfee and Facebook Secure the Internet
Facebook is one of the most popular sites on the Internet, and today McAfee and Facebook announced an unprecedented partnership that’s a great benefit for Facebook users. We believe this unique collaboration is a step in the right direction — using technology and education — to secure the Internet as a whole and reduce global cybercrime.

First, Facebook users will be eligible to receive a complimentary six-month subscription to McAfee® Internet Security Suite available to its users. The suite provides excellent online threat protection—just what today’s active Internet users require to stay safe while surfing and staying safely connected in their online communities. Facebook users can find the offer on the “Protect Your PC” tab on McAfee’s Facebook Page.

Facebook users will also learn how to avoid the dirty tricks that cybercriminals use by visiting the McAfee Facebook Page, as well as the Facebook Security Page. These pages will offer articles and tips about staying safe online so be sure to become a McAfee Facebook fan.

Lastly, for very rare cases in which a Facebook user’s account has been compromised by malware such as viruses, spyware, phishing scams or other potentially unwanted programs, Facebook and McAfee have co-developed a tool called McAfee Scan and Repair which has been incorporated into the Facebook remediation process. The tool, which quarantines and deletes infected files, gets the Facebook user back on track so he/she can continue to enjoy Facebook knowing his or her computer is protected.
If you have a problem with your machine, having access to the Scan and Repair tool will be a huge benefit compared to the support you would get from other free anti-malware programs like Microsoft Security Essentials.

However, just recently Facebook relaxed its privacy settings unilaterally, exposing to the public data that many FB users thought was private and triggering a firestorm of criticism. Many pages exist documenting this, among them this one:

Facebook Privacy Doesn't Really Exist - F-Secure Weblog : News from the Lab
Absolute privacy on Facebook (and the Internet) is an illusion, it doesn't really exist. Relative privacy is the best that we can hope for.
See also:
facebook privacy - Google News and
A guide to privacy on Facebook | Facebook

Wednesday, January 13, 2010

Adobe Reader v8.x and v9.x patched

Late Tuesday, 12 Jan 2010, Adobe released updated versions of Adobe Reader 8 and 9 to correct an exploitable flaw.  If you're still using Adobe Reader instead of the less-hacked Foxit Reader, you should update. Here's a link to a YouTube video of what can happen to you if you run Adobe Reader and DON'T apply these patches:
Screen Capture: Targeted Attack PDF Exploit Taking Over A Computer

US-CERT Current Activity
Adobe Releases Update for Adobe Reader and Acrobat
added January 12, 2010 at 07:01 pm

Adobe has released an update for Reader and Acrobat to address multiple vulnerabilities. These vulnerabilities affect Adobe Reader 9.2 and earlier versions for Windows, Macintosh, and UNIX and Adobe Acrobat 9.2 and earlier versions for Windows and Macintosh. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Adobe Security Bulletin APBS10-02 and apply any necessary updates to help mitigate the risks.

Other reports here:

Adobe update trumps Microsoft's lone fix in patch frenzy - SC Magazine US
Microsoft's monthly security update took a backseat on Tuesday to a scheduled critical fix from Adobe that addresses a zero-day vulnerability in its widely deployed Reader and Acrobat software.

Adobe was to address the flaw, which is being exploited in in-the-wild attacks, among others as part of its quarterly security update.

Adobe has other problems, too:

Adobe confirms 'sophisticated, coordinated' breach | Zero Day
In an attack described as “sophisticated” and “coordinated,” Adobe said its corporate network systems were breached by hackers.

Tuesday, January 12, 2010

Today is Microsoft Patch Tuesday -- time to update

Despite Microsoft claiming this is "Critical" only on Windows 2000, all my systems (XP Home and Pro and Windows 7 Pro) installed this patch.  I recommend you do so also.

MS Patch Tuesday: Another critical font engine vulnerability | Zero Day
The first Microsoft patch for 2010 is out, providing cover for a solitary vulnerability in the way Windows handles EOT (Embedded OpenType) fonts.

The update is rated “critical” but Microsoft says there is a low likelihood of exploitation on its newer operating systems.

The vulnerability, which was discovered by Google security engineer Tavis Ormandy, is a remote code execution issue in the way that the Microsoft Windows Embedded OpenType (EOT) Font Engine decompresses specially crafted EOT fonts.

From the MS10-001 advisory:
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Because Microsoft considers this a very difficult vulnerability to exploit on most operating systems, it is rated “critical” only for Windows 2000.

However, it’s important to note that Windows XP, Windows Vista and Windows 7 are all affected by this flaw.
US-CERT Current Activity
Microsoft Releases January Security Bulletin
added January 12, 2010 at 02:07 pm

Microsoft has released an update to address a vulnerability in Microsoft Windows in its Microsoft Security Bulletin Summary for January 2010. This vulnerability may allow an attacker to execute arbitrary code. An attacker may be able to exploit this vulnerability by convincing a user to view content rendered in a specially crafted Embedded OpenType (EOT) font in an application that can render EOT fonts. Common applications that can render EOT fonts include Microsoft Internet Explorer, Microsoft Office Word, and Microsoft Office PowerPoint.

US-CERT encourages users and administrators to review the bulletin and apply any necessary updates to help mitigate the risks.
Microsoft Security Bulletin: January 2010
Overview of the January 2010 Microsoft patch and status.
Microsoft Advises XP Users to Uninstall Flash Player 6
As part of today's bulletin release, Microsoft advises users of Windows XP to uninstall Flash Player 6 which is installed with Windows XP. Affected users should upgrade to the latest version of Flash Player which is available for download from Adobe.

Some thoughts on password security for laptop (and smartphone) owners

Just read a good article at Lifehacker on the risks of allowing your computer to save your passwords:

Your Passwords Aren't As Secure As You Think; Here's How to Fix That - Passwords - Lifehacker
If you allow applications to save your passwords, anyone with physical access to your PC can decode them unless you're properly encrypting them—and chances are pretty good you're not. Let's walk through the right and wrong ways to store your passwords.

For the purpose of this article, we'll assume that the people you allow into your house are trustworthy enough not to hack your passwords, and your laptop has been stolen instead—but the tips here should apply to either scenario. Regardless of how you choose to save your passwords, you should make sure to use great passwords and even stronger answers for security questions.

The article discusses in some user-friendly detail the risks of allowing Firefox, Internet Explorer, instant-messaging programs, and other software to save passwords for you.

I use the free LastPass Password Manager to store my online passwords for everything except my bank (I don't do online banking yet -- the risks are IMHO too great) and credit-card accounts (where my risk is at most $50/card), and I have a very long, complex password for LastPass.

I also use an encrypted password manager in my PDA -- Yaps V2.5 for Palm OS -- and I recommend that anyone storing passwords in a phone or PDA use an encrypted password store. There are some real snake oil password-encryption products out there, so please do some research before you purchase anything.

Monday, January 11, 2010

Malicious apps found in Google's Android online store

If you have an Android phone, you should be careful about the apps you load, especially if you use the phone to access anything which requires security. I've seen this story reported multiple times on security sites today.

Malicious apps found in Google's Android online store - SC Magazine US
Rogue applications developed to steal banking credentials from users were discovered late last month in Google's Android Market online software store.

The malicious programs were disguised as legitimate mobile banking apps and were designed to steal users' online banking credentials, according to Oregon-based First Tech Credit Union, which posted a fraud alert about the threat on Dec. 22.

Thursday, January 7, 2010

Reminder: Disable Javascript in your PDF Reader

Especially if you're using Adobe Reader.

Large-scale attacks exploit unpatched Adobe PDF bug | Security Central - InfoWorld
A week before Adobe is scheduled to patch a critical vulnerability in its popular PDF software, hackers are actively exploiting the bug with both targeted and large-scale attacks, a security researcher said today.

The SANS Institute's Internet Storm Center (ISC) reported Monday that they'd received samples of a new rigged PDF document that hijacked PCs using a bug Adobe acknowledged Dec. 14. Later last month, Adobe said it would not patch the bug until Jan. 12. In his write-up of the sample, ISC analyst Bojan Zdrnja called the attack PDF "sophisticated" and its use of egg-hunt shellcode "sneaky."
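For Windows users who keep Adobe Reader, the reminder above can be checked and enforced from the registry. This is an added example, not code from Adobe or this blog; the per-user key `JSPrefs` with DWORD `bEnableJS` (0 = JavaScript off) is assumed from common hardening guides for Reader 8 and 9, so verify it against the version you run.

```powershell
# Added example, not from Adobe or the blog. Reports whether JavaScript is
# disabled in the per-user preferences of Adobe Reader 8.0 and 9.0 and, with
# -Apply, disables it. Key and value names are assumptions from hardening
# guides (HKCU\Software\Adobe\Acrobat Reader\<ver>\JSPrefs, bEnableJS = 0).
param([switch]$Apply)

$readerRoot = 'HKCU:\Software\Adobe\Acrobat Reader'
$versions   = '8.0', '9.0'   # the releases patched on 12 Jan 2010

function Get-ReaderJsState {
    param([string]$Version)
    $key = Join-Path $readerRoot "$Version\JSPrefs"
    if (-not (Test-Path $key)) {
        # No JSPrefs key: that Reader version has not been run by this user.
        return [pscustomobject]@{ Version = $Version; Installed = $false; JavaScript = 'n/a' }
    }
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).bEnableJS
    # Reader's default when the value is absent is JavaScript enabled.
    $enabled = ($null -eq $val) -or ([int]$val -ne 0)
    [pscustomobject]@{
        Version    = $Version
        Installed  = $true
        JavaScript = $(if ($enabled) { 'Enabled' } else { 'Disabled' })
    }
}

function Disable-ReaderJs {
    param([string]$Version)
    $key = Join-Path $readerRoot "$Version\JSPrefs"
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name bEnableJS -Value 0 -Type DWord
    }
}

foreach ($v in $versions) {
    if ($Apply) { Disable-ReaderJs -Version $v }
    Get-ReaderJsState -Version $v
}
```

Because this is an HKCU preference, the user can switch it back on from Reader's Preferences dialog; on managed systems pair it with the machine-wide lockdown policy Adobe documents for enterprise deployments.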

Wednesday, January 6, 2010

Security reality check: user error

This could just as easily be any Windows or Linux user as well. I've summarized the original article by highlighting the "user errors" ... I leave it as an exercise for the student to go read the full article to get the solutions.

[Mac] Security reality check: user error
By Rich Mogull, Macworld
January 05, 2010 04:02 PM ET

Some security problems are due to user error (or user laziness). It's not that hard to practice good system security on your Mac [ASF note: for Windows and Linux users: everywhere you see "your Mac" just read it as "your computer" -- it applies regardless of your OS-of-choice]. But a surprising number of people--including some who should know better--don't. Here are some basic tips on practicing safe computing.

Poor passwords

The Threat A few months ago a close friend called me. A criminal was posing as him, passing bad checks, transferring funds out of bank accounts, and changing passwords. Fortunately, the nefarious activity was discovered early, and my friend worked with his banks and other providers to stop the attack and recover the lost funds. Piecing together what happened, I discovered the root problem: my friend had been using the same single password for most of his banks, e-mail, and other online services.


What You Can Do Use a password management tool like ... [ASF note: article recommends a Mac-only solution. I use LastPass online with a LONG passphrase (and I don't use it for my banking or credit-card passwords) and YAPS, Yet Another Password Safe on my Palm phone, but I recommend using whatever fits YOUR personal phone/PDA-and-computer needs. Ask me if you need recommendations.]

Sharing too much

The Threat Out of the box, new Macs expose few network services, and file sharing is disabled. But many power users quickly expose these services and turn on sharing, opening themselves up to potential exposure over the network. [ASF note: also true of Windows "Power Users". Know what you're doing before you enable services to Internet-exposed computers. Read the article for more.]

Unencrypted personal data

The Threat If bad guys gain access to your Mac itself--whether over your Internet connection or by physically possessing your Mac--they can possess all your crucial personal information--credit card, Social Security or Tax ID numbers, account passwords and so on.

Financial management software, plain-text password cheat-sheets, and e-mail messages are all ripe sources of confidential information. They're the first things any attacker will seek out when he gains access to your Mac. If he finds what he wants, the effects can be costly and long-lasting. This is a case where the risk is low, but the potential cost is so high that precautions are worthwhile.

What You Can Do [ASF note: article is very Mac-specific. Windows users should (a) use a password manager to encrypt things like SSNs and (b) use disk encryption like TrueCrypt, which works for Mac, Windows, and Linux computers. Do NOT store passwords in plain-text files, spreadsheets, or email folders. My laptop's datafiles are all encrypted using TrueCrypt.]

No backups

The Threat There are plenty of ways bad guys can destroy your data; it's not that hard to accidentally do it yourself. While losing applications or rebuilding a system is painful, losing something irreplaceable like all your family photos is the digital equivalent of your house burning down. So the most important thing you can do to keep your data safe is to back it up regularly.

... [ASF note: my primary laptop hard-drive failed a few months ago. I was backed up to both local copies and a remote backup, so I lost nothing except the time it took to re-install my software and recover my data.]

Risky downloads

The Threat While there is virtually no malicious software for Macs circulating in the wild, what little Mac malware we do see is almost always hidden in illegitimate software. [ASF note: also true for Windows users.]

Right now, the most common source of Mac trojans is pirated software downloaded from the Net. ...

The next most common sources of infection are sites that ask you to download new QuickTime plugins or special applications to look at pictures or videos of people in various states of undress.

Lastly, we do sometimes see trojans planted in free software, especially gambling software and simple games. These, like the other trojans, tend to appear on less-popular sites or online forums.

What You Can Do Use your common sense. Don't try to find free copies of commercial programs. Don't download random QuickTime plugins or video viewers unless you know, with absolute certainty, that the source is legitimate. When downloading software, avoid forums or sources that are off the beaten track. If there's any doubt about a program, do a quick online search for it and see if it also appears on more mainstream download sites.


Antisocial networking

The Threat If the Internet is the Wild West of the digital world, social networking sites are the seedy saloons.

Criminals love social networking sites; they're cross-platform, based on trust, and often full of security flaws. We've seen social networking worms propagating through friends' lists, attackers stealing contact e-mails for spam, fake advertisements, and direct browser attacks to take over systems. And once you start installing widgets and applications on a social site, you are essentially allowing arbitrary programs to run inside your browser with full access to your information.

What You Can Do When posting information on a social networking site, don't put anything up there that you wouldn't want the whole world to see. Also carefully consider the applications you allow the site to install--especially on Facebook, where you can't always control the information an application accesses. ... [ASF note: more advice in the article.]

Peer-to-peer sharing

The Threat Peer to peer (P2P) file-sharing can be a great way to distribute or download large files. But researchers have found reams of sensitive information on P2P networks. For example, there have been cases of public employees placing sensitive legal and government documents on home computers that were also running P2P software; those files turned up on the P2P networks. In my own research, I've seen everything from tax returns to scans of passports.

It isn't that P2P file-sharing itself is evil (despite what the recording and motion picture industries might claim). It's just that it's all too easy to inadvertently share things you shouldn't.

What You Can Do If you use P2P services, ... [ASF note: DON'T use P2P, especially on business computers, including computers you connect from home to the company network. If you use P2P on your home computer, do it in a "Virtual Machine" that only exposes your music or other shared files but doesn't have access to your taxes, checkbook, documents, or email. Call me if you need help with this.]

Monday, January 4, 2010

PDF exploits now in the wild! Disable Javascript in Adobe Reader

Just read a technical explanation of how it works, and it isn't being detected by most anti-virus programs yet. If you use Adobe Reader instead of my preferred reader, Foxit Reader, follow the advice in the paragraph below:

Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324
Since this exploit has not been patched yet, I would like to urge you all to, at least, disable JavaScript in your Adobe Reader applications. We are getting more reports about PDF documents exploiting this vulnerability, and it certainly appears that the attackers are willing to customize them to get as many victims to open them as possible. Also keep in mind that such malicious PDF documents can go to a great length when used in targeted attacks – the fake PDF that gets opened can easily fool any user into thinking it was just a mistakenly sent document.

I would also disable Javascript in Foxit Reader just for safety.
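As an added illustration of why the JavaScript advice matters (this is example code written for this page, not from the ISC diary, Adobe, or the blog author), here is a small Python triage script in the spirit of pdfid: it counts the PDF name tokens associated with scripted or auto-run actions, and decodes the hex-escaped names (/Java#53cript) that malicious documents use to hide them from naive string matching. The three sample PDFs are constructed for the demo and contain no exploit.

```python
import re

# Constructed PDF fragments for the demo (not real malware): a benign one, one with
# an auto-run JavaScript action, and one hiding the same names with PDF hex escapes
# (/Java#53cript), an evasion that naive string matching misses.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF"""
JS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj
%%EOF"""
OBFUSCATED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj
4 0 obj << /S /Java#53cript /J#53 (app.alert('hidden')) >> endobj
%%EOF"""

# Name tokens that warrant a closer look before the file is opened.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

def _unescape_name(token: bytes) -> bytes:
    """Decode #xx hex escapes in a PDF name (/Java#53cript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), token)

def scan_pdf(data: bytes) -> dict:
    """Count suspicious names in raw PDF bytes (keyword triage in the style of pdfid).
    Not a full parser: names inside compressed object streams are invisible to it."""
    counts = dict.fromkeys(SUSPICIOUS_NAMES, 0)
    # A PDF name runs from '/' up to the next whitespace or delimiter character.
    for raw in re.findall(rb"/[^\s/<>\[\]()]*", data):
        name = _unescape_name(raw).decode("latin-1")
        if name in counts:
            counts[name] += 1
    return counts

def triage(data: bytes) -> list:
    """Return human-readable reasons to treat the PDF with suspicion (empty = nothing found)."""
    c = scan_pdf(data)
    reasons = []
    if c["/JavaScript"] or c["/JS"]:
        reasons.append("contains JavaScript")
    if c["/OpenAction"] or c["/AA"]:
        reasons.append("runs actions automatically on open")
    if c["/Launch"] or c["/EmbeddedFile"]:
        reasons.append("launches or embeds another file")
    return reasons
```

An empty result means only that no such names were visible in plain text; object streams and filtered content need to be decompressed before this check says anything about them.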