Security holes in Adobe’s Flash and Oracle’s Java have become so commonplace, it’s actually helped to raise awareness about the necessity of keeping these platforms updated, but there’s a third platform that many of you probably use everyday without ever realizing that it too needs to be patched. Would it surprise you to know that it’s a Microsoft product? Microsoft’s Silverlight technology was originally built to compete with Flash, but it’s probably best known as the platform that delivers Netflix’s streaming content to your computer. Hackers, unfortunately, are very much aware of how widespread Silverlight is, and are currently pressing their attacks on older versions of Silverlight, seeing as their usual punching bags, Java and Flash, are now firmly in the security spotlight.
What this means for you:
If you’ve ever watched Netflix streaming content on your computer, you have Silverlight installed. Even if you don’t use Netflix streaming, there is a high probability Silverlight is installed on your computer, even if it’s a Mac. Depending on how long ago it was initially installed, it might be out of date, especially if you disallowed automatic updates of the software. The latest version of Silverlight is 5, and to make sure you are up to date, you can use this link here. While you are at it, double check to make sure Java and Flash are both up to date as well, but be careful of the “optional software” both companies push when you update their platforms. Oracle variously pushes the Ask toolbar or McAfee Security Scan, the former a very annoying adware-spawning toolbar, and the latter may be redundant if you already have a decent antimalware app installed. Adobe is a little less obnoxious, but it does offer to automatically install Google Chrome (and the Google Toolbar), which may be redundant if you already have it installed, or possibly very confusing to a less savvy computer user who thinks Internet Explorer is the web browser.
Java’s recent security problems hasn’t stopped its smarmy practice of foisting the Ask-dot-com toolbar or McAfee’s Security Scanner on you every time you update Java. In case you didn’t notice, or were wondering how either of those products got installed on your computer, Java was the likely culprit. This wouldn’t be so bad, except the Java updater uses a trick called an “opt-out” checkbox which most people (who might be in too much of a hurry to get back to working|playing) just assume is part of the default Java update. If you actually look at what it’s asking you install, you’ll notice, “Hey, that’s not Java!”
What this means for you:
If you’ve been a diligent netizen, you probably heeded the countless warnings about the latest flaw in Java and updated it when Oracle released their patch last week. If you are a normal human being, you were probably frustrated with yet another series of dialog boxes filled with barely intelligible technobabble and progress meters creeping across the screen, and you might have accidentally left that checkbox checked, which means you are the proud new owner of a questionanbly useful toolbar from Ask-dot-com. Unless you’ve fallen in love with it (for some crazy reason), I’d recommend removing this software at once.
If you want to read more about why you should do this, have a look at the ZD Net article detailing Ask’s shady takeover of your browser. I’ve not had any personal experience with McAfee’s Security Scanner, but I’ve found just about all third-party browser security “scanners” to be at best, barely functional, and at worst, completely disruptive to normal, safe browsing. Let me know if you’ve had a positive experience with either product!
Carnegie Mellon University’s CERT and the Department of Homeland Security have issued a broad warning about using the latest version of the Java 7 plug-in for web browsers, and some browser manufacturers have already taken steps to disable Java application execution until the vulnerability can be fixed. The security flaw is already being exploited in the wild, and can be used to run malicious code without the victim’s permission or even awareness. Oracle is investigating, but has not indicated when the hole would be patched, aside from promising a fix “shortly.”
What this means for you:
Unless you have a really good reason to keep running it, you should probably disable Java until Oracle can fix this problem. Unlike other vulnerabilities that affect specific browsers (Internet Explorer has been notorious for flaws in the past), this particular problem affects all browsers that have a Java 7 plugin, including the Apple OS. Oracle has had problems in the past with providing quick patches for the Java platform, so until they do, the safest approach is to disable the plugin in your browser.
Kaspersky Labs just released their quarterly threat report for Q3 2012, and it’s dry reading for most folks not fascinated by IT security as I am. There are some notable trends that their research has surfaced, and I thought you might find some of these data points interesting:
- You are least likely to be infected by a fellow countryman in the nation of Denmark. (The US is in the lower first quartile, in case you were wondering.)
- Russia has overtaken the US as having the most websites hosting malware software.
- The most commonly found smartphone virus is designed to steal money from you by texting premium-rate numbers without you noticing.
- The most common way to get a virus infection is via drive-by infections, ie. visiting a dodgy website and getting infected when your browser loads pages that have embedded viruses.
- Of the top 10 most commonly found software vulnerabilities, 2 are found in Oracle software (Java), 5 from Adobe (Flash, Shockwave & Acrobat), 2 from Apple (Quicktime and iTunes), and 1 from Winamp.
- Over half of the detected malware infections came from Java vulnerabilities.
- For the first time in many years, Microsoft did not make the Top 10 list of vulnerabilities!
What this means for you:
Keep your software up to date. The java vulnerabilities have been patched, but many people ignore (or aren’t even aware) that Java needs to be kept up to date just like any other software installed on their machine. Keep your browser up to date, and if you have the choice, use the latest version of IE, or even better, Google’s Chrome browser. However, nothing will keep you safe if you don’t have proper malware protection installed, updated and ACTIVE. If you use an Android phone, see my previous article on the dangers of side-loading questionable apps. As of the moment, buying smartphone anti-virus software isn’t at the same state of “must-have” as computers, but we may be fast approaching that point. If you are careful about the apps you install on your phone, you don’t need it…yet.
Threatpost has reported on a new zero-day vulnerability that is affecting the Oracle Java plugin used in all popular web browsers, and this time, all operating systems, including Apple’s OS X which is typically excluded from most security exploits. So far, the white hats are ahead of the game on this one, having detected and then demonstrated the hack to Oracle in a “proof of concept” as opposed to discovering malware in the wild exploiting the security hole. In case you missed it, Oracle experienced a similar situation not less than a month ago with Java 7, so it’s likely there are more holes waiting to be discovered.
What this means for you:
This is a fairly significant vulnerability according to the folks that discovered it, as it affects multiple version of Java, including the most recent version 7 release, and multiple operating systems. However, it does not appear to be widely exploited yet, giving Oracle time to patch it up before malware writers can disperse malware to take advantage of this hole. According to Oracle, Java is in use on billions of devices, so if they were to ignore this vulnerability, there could be serious repercussions. If Oracle drags its feet on releasing a patch, you may want to consider disabling the Java plugin in your browser, or uninstalling it altogether. Before you do that, make sure you don’t rely on Java for any critical business applications – you may be surprised to find out just how often you use Java without knowing it!