Friday, May 13, 2011

New version of Adobe Flash Player released

This release has much better privacy controls, comes with a new Control Panel applet (on Windows), and includes some security fixes.  Download and install it soon; the Bad Guys will be sure to start taking advantage of the security holes in older versions before long.

Adobe Flash Player 10.3 released (new Privacy Controls) - Security | DSLReports Forums
Adobe Flash Player released May 12, 2011

Download here (especially for offline installation to multiple computers): Adobe Flash Player Downloads. Don't forget you need different versions for IE and Firefox/Opera.  User-friendly write-up with useful links and advice here:

Critical Flash Player Update Plugs 11 Holes — Krebs on Security
Adobe has released another batch of security updates for its ubiquitous Flash Player software. This “critical” patch fixes at least 11 vulnerabilities, including one that reports suggest is being exploited in targeted email attacks.

The vulnerabilities exist in Flash versions and earlier for Windows, Mac, Linux and Solaris. To learn which version of Flash you have, visit this link. The new version for most platforms is; Android users should upgrade to Flash Player available by browsing to the Android Marketplace on an Android phone; Google appears to have updated Chrome users automatically with this version of Flash back on May 6 (Chrome versions 11.0.696.68 and later have the newest Flash version).

Remember that if you use Internet Explorer in addition to other browsers, you will need to apply this update twice: once to install the Flash ActiveX plugin for IE, and again to update other browsers, such as Firefox and Opera. Updates are available by browsing with the appropriate browser to the Flash Player Download Center. Bear in mind that updating via the Download Center involves installing Adobe’s Download Manager, which may try to foist additional software. If you’d prefer to update manually, the direct installers for Windows should be available at this link. If you run into problems installing this update, you’ll want to uninstall previous versions of Flash Player and then try again.

Wednesday, May 11, 2011

Another reason to abandon debit cards

If you shop at Michael's and have used your debit card there, I recommend you pay close attention to your bank account, or maybe even request a new debit card number by "losing" your debit card.

Breach at Michaels Stores Extends Nationwide — Krebs on Security
Earlier this month, arts & crafts chain Michaels Stores disclosed that crooks had tampered with some point-of-sale devices at store registers in the Chicago area in a scheme to steal credit and debit card numbers and associated PINs. But new information on the investigation shows that many Michaels stores across the country have discovered compromised payment terminals.

It also is not clear yet how the fraudsters compromised the POS devices, or whether the devices were tampered with in-place, or were replaced with pre-compromised look-alikes.  But investigators say the fraudsters have used the stolen data to create counterfeit cards that are used in tandem with stolen PINs to withdraw funds from ATMs.

Detective Jeff Stolzenburg of the Libertyville Police Department just north of Chicago, said most of the fraudulent withdrawals have taken place at cash machines in Las Vegas and other parts of the West. Stolzenburg estimates that actual card losses from the fraud are now in the millions of dollars, and said that the investigation has since been turned over to the U.S. Secret Service.

A light "Patch Tuesday" from Microsoft this month

Sysadmins deserve a light month every once in a while.  Microsoft's Patch Tuesday this month has only two patches, one of which affects servers on company networks and the other of which affects PowerPoint.  No reboot has been required on any workstation I have patched so far.  SANS rates both patches "Critical", meaning they need to be patched but exploitation is not widespread right now.

Microsoft plugs critical Windows worm hole | ZDNet
Microsoft today shipped two security bulletins with patches for three security holes in the Windows operating system and the PowerPoint presentation software.
Microsoft Patch Tuesday – May 2011 | eEye IT Security Blog
Oh how I am starting to enjoy the odd numbered months this year. Back in January Microsoft released 2 bulletins. February followed with 12, March with 3, and April with 17. Now May has arrived with only 2 bulletins. If you are looking to avoid piles of patch deployment work this summer, I’d bet on taking vacation in June or August.
SANS: May 2011 Microsoft Black Tuesday Overview

Turn off WebGL in new browsers

As is typical of a new standard, once it has been out for a while people start discovering security flaws in it.  WebGL is no exception.  If you are running Firefox 4, use about:config to disable it.

US CERT: WebGL Security Risks
added May 10, 2011 at 11:35 am
US-CERT is aware of reports indicating that WebGL contains multiple significant security issues. The impact of these issues includes arbitrary code execution, denial of service, and cross-domain attacks. WebGL is a new web standard that is enabled by default in Firefox 4 and Google Chrome and is included in Safari.

US-CERT encourages users and administrators to review the Context report and disable WebGL to help mitigate the risks.
User-friendly (well, less user-hostile) write-up here:
Dangerous WebGL Flaw Puts Firefox and Chrome Users at Risk | PCWorld Business Center

Security researchers have discovered a dangerous vulnerability in WebGL--a Web standard used by Firefox and Chrome to deliver 3D graphics within the Web browser. The flaws may be exploited to enable an attacker to run malicious code on the system, and could expose sensitive data.

The issue with WebGL isn't a vulnerability per se, but a fundamental design flaw.

What is the risk? WebGL enables Internet-based programs to access the graphics driver and graphics hardware--exposing low-level core functions of the system to possible malicious exploits. The graphics hardware and drivers are not developed with security in mind, and are built with an inherent trust that the code that can access that level of the system must be safe.

How to disable WebGL in Firefox 4
How to disable WebGL in Chrome
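Added example (not from the original post, US-CERT or PCWorld): a small POSIX shell audit a sysadmin can run to confirm that the about:config change above actually took effect in every Firefox profile on a machine. It assumes the preference is named webgl.disabled (the real Firefox kill switch for WebGL), that profile settings persist in prefs.js with user.js taking precedence, and that profiles live in per-profile subdirectories such as ~/.mozilla/firefox.

```shell
#!/bin/sh
# Audit Firefox profiles for the WebGL kill switch (webgl.disabled = true).
# Assumption: the pref is stored as  user_pref("webgl.disabled", true);
# in prefs.js, and user.js (if present) overrides prefs.js at startup.

# webgl_disabled_in_profile DIR -> 0 if the profile has WebGL turned off,
# 1 if it is still enabled (or the pref was never set).
webgl_disabled_in_profile() {
    for f in "$1/user.js" "$1/prefs.js"; do
        # Take the last matching line: Firefox rewrites prefs.js, and a
        # later occurrence wins if the pref somehow appears twice.
        last=$(grep -E '^[[:space:]]*user_pref\("webgl\.disabled",' "$f" 2>/dev/null | tail -n 1)
        [ -n "$last" ] || continue          # file missing or pref absent: try next
        case "$last" in
            *true*)  return 0 ;;            # explicitly disabled
            *)       return 1 ;;            # explicitly set to false
        esac
    done
    return 1                                # default (WebGL on in Firefox 4)
}

# audit_profiles PROFILES_DIR -> prints one status line per profile and
# returns 0 only when every profile has WebGL disabled.
audit_profiles() {
    exposed=0
    for prof in "$1"/*/; do
        [ -d "$prof" ] || continue
        if webgl_disabled_in_profile "$prof"; then
            echo "OK       $prof (webgl.disabled=true)"
        else
            echo "EXPOSED  $prof (WebGL still enabled)"
            exposed=$((exposed + 1))
        fi
    done
    [ "$exposed" -eq 0 ]
}

# Usage: sh webgl_audit.sh ~/.mozilla/firefox
if [ "$#" -gt 0 ]; then
    audit_profiles "$1"
fi
```

A non-zero exit from audit_profiles is what a configuration-management or login script should alert on; the per-line output names the profile that still needs the about:config change.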