Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.

T (818) 584 6021

C2 Technology Partners, Inc.
26500 Agoura Rd, Ste 102-576, Calabasas, CA 91302

New Microsoft Zero Day in the Wild

admin
Wednesday, 06 November 2013 / Published in Woo on Tech

Microsoft zero-days seem to be happening so frequently, I’m running out of clever bon-mots to introduce these warnings. “What now?” I hear you ask. Users of Vista (Windows machines circa 2007) or Server 2008 (still in wide use everywhere) are affected by a vulnerability in versions of Microsoft Office 2003-2010. Let’s skip the gory technical details: this exploit uses a hacked image inserted into a Word document to run code that can lead to the victim’s computer being completely compromised and subject to remote control. Microsoft has not yet announced a patch for this vulnerability, but they have released a Fixit that can be run on the targeted machines to close the security hole. 

What this means for you:

Security analysts are already seeing attacks utilizing this vulnerability in the wild in Asia and the Middle East, so it’s only a matter of time before victims start cropping up here in the US. If your Windows machine is running Vista, it’s highly likely you are also running a version of MS Office affected by this vulnerability. Run the Fixit immediately and consider upgrading your OS. If you have Microsoft-based servers in your environment and they are more than a year or two old, it’s highly likely they are running Server 2008, but less likely that Office is installed on the device. Your server administrator will know best how to handle this particular issue. As always, contact the sender to verify any unexpected attachments before opening them, make sure your computer is fully patched and protected by up-to-date antimalware, and double-check that your data is backed up, preferably to an offsite and fully encrypted location.

Hackers Exploiting Unpatched Zero-Day Flaw in IE

admin
Wednesday, 02 October 2013 / Published in Woo on Tech

As predicted, the zero-day flaw in multiple versions of Microsoft’s web browser, Internet Explorer, is now being actively exploited by multiple APT (Advanced Persistent Threat) groups in attacks that are targeting large numbers of people. The most publicized and successful of these attacks have been focused on government websites. Their primary purpose: to install rootkits on government worker machines to facilitate access to confidential government documents. On top of the growing number of attacks leveraging this weakness, the Metasploit framework (an open source hacking tool used by security researchers and white-hat hackers) just released a module to the public that demonstrates how this security flaw can be used to hack IE, theoretically making it even easier for malicious agents to understand and develop their own exploits. Microsoft has yet to say when a patch will be released to fix this weakness, which affects just about every version of IE from 6 through 10. 

What this means for you:

If you are using Internet Explorer, whether by corporate mandate or by choice, make sure you’ve applied Microsoft’s temporary fix, or ask your IT guy if they’ve distributed the fix throughout the company. If you work for the government, either as an employee or contractor, be extra wary of strange behavior on your computer, and ensure that your antimalware software is fully functional and up to date.

If you are using some other browser, you don’t have to worry about this particular exploit, but as always, remain ever vigilant and make sure your OS, software and antimalware are fully patched!

Lockscreen Siri Access Exposes iOS7 Security Flaw

admin
Tuesday, 01 October 2013 / Published in Woo on Tech

You thought you’d done a good thing: you finally listened to all the warnings and locked your iPhone with a passcode or, if you are one of the lucky few with a shiny new 5s, the new fingerprint lock. Sadly, one of Apple’s other famed technologies may betray you in the end. An Israeli security analyst has uncovered a significant flaw in iOS7 security when access to Siri on your iPhone’s lockscreen is enabled. The problem is part convenience and part bug: using Siri while your phone is locked allows you to make calls without having to punch in a passcode, something that is indispensable while driving, or when your hands are otherwise occupied. Unfortunately, using Siri in this manner leaves a back door open in the form of unfettered access to the phone app, while your phone is still locked. Oh, and did you remember that Siri responds to anyone’s voice, not just the owner’s?

What this means for you:

“How bad could this be?” I hear you asking. While in the phone app, the user can access the phone’s voicemail, send text messages, view the calendar and look through all the contacts in your phone. If you don’t consider that private, you are part of a very small minority on this planet. The fix is simple: disable access to Siri from the lockscreen. The recommendation: do it now if you care about your phone’s security. It’s likely Apple will fix this flaw, but will they do it in time to protect your confidential data?

Another Day, Another Zero-day IE Exploit in the Wild

admin
Wednesday, 18 September 2013 / Published in Woo on Tech

In case you were worried that Internet Explorer might be gaining ground as a secure web browser, security researchers have uncovered another zero-day vulnerability that is actively being exploited in versions 8 and 9 of Internet Explorer. I’ll spare you the gory details, but the gist of the hole is that it can be exploited in a simple “drive-by” attack, and doesn’t even require interaction from the user. Sadly, this weakness seems to afflict all versions of Microsoft’s web browser, including the yet-to-be-released version 11. Microsoft is aware of the issue, and is working to plug the hole, but could be weeks away from a formal fix.

What this means for you:

If you are using IE 8 (extremely likely if you are still using Windows XP), or IE 9 (also likely throughout much of the corporate world), there is a Microsoft Fixit that can be applied, and enterprise IT shops can address this centrally if they are running well-managed computer fleets. If you are leery of applying temporary patches and are not restricted to using Microsoft’s browser, you can give Chrome, Firefox or even Safari a try until Microsoft issues a formal patch for this exploit. At minimum, make sure your anti-malware is up to date and working, and watch carefully for suspicious behavior while surfing the internet, especially if you are visiting new/unfamiliar websites.

Older Phones Might Have SIM Card Weakness

admin
Tuesday, 23 July 2013 / Published in Woo on Tech

A German security researcher has revealed that as many as 750 million cellphones may be vulnerable to hacking via their SIM card if it’s encrypted with DES (Data Encryption Standard), which was originally coded in the 1970s. Through studies on approximately 1000 SIM chips and phones, Karsten Nohl of Security Research Labs demonstrated the ability to fool the older SIM chips into thinking he was authorized to access confidential data on the phone, including SMS texts and call logs, as well as to pay for fraudulent services via the phone. In theory, this level of access could grant an attacker the ability to compromise and steal the phone owner’s identity on top of gaining access to online bank accounts and other high-risk areas.

What this means for you:

Mr. Nohl has not revealed to the public the details of which SIM cards may suffer from this weakness and has instead been working closely with SIM card manufacturers to assist them with identifying and hopefully remediating the weakness where they can. His estimates are that as many as 3 billion cell phones use the older-generation SIM cards, but only some of those are prone to the security bug he has exploited in the above research. According to SIM manufacturers, they stopped using the older DES method back in 2008, so if your phone is less than 3 years old, you are probably safe from this particular exploit. If you have a phone that is older than 3 years, you should consider replacing it with a newer phone, or at minimum, see about getting a new SIM card from your carrier if you want to continue using your cellphone.

Android App Flaws Revealed

admin
Tuesday, 16 July 2013 / Published in Woo on Tech

Lest you think Facebook is the only security punching bag getting a beating lately, two significant flaws in the Android application platform have been revealed by overseas security teams. Without going into the gory details, each team has found a different way to create a trojanized APK (the file format in which Android apps are delivered) that is indistinguishable from the original. This would allow an app to appear and function normally, but also execute functions like transmitting your passwords, texts and emails on the sly. Google has already put together a fix and distributed a patch to OEMs, and supposedly they are able to detect this sort of exploit on the Google Play Store.

You need to worry if you “sideload” apps on your Android phone, which is to say you get apps from sources other than Google Play. Keep in mind, even Amazon’s App store counts as a sideloading source, and as of the moment, they aren’t scanning for this vulnerability.

What this means for you:

Even though Google has issued a fix for this particular vulnerability, they can’t force the update upon the millions of Android phones out there affected by this weakness, as that task lies with the phone manufacturers and the carriers. With the exception of avid power-users, most Android users are unaware that their Android OS may be months or years out of date, primarily because cellular carriers insist on selling phones that use a modified version of the OS that does not automatically get updated when Google updates the core version of Android. On top of this, the carriers are notoriously slow in issuing updates. If you are wondering what folks are talking about when they are discussing “Gingerbread”, “Honeycomb”, “Ice Cream Sandwich” and “Jelly Bean”, they are referring to the various versions of Android OS, where Jelly Bean is the latest. Supposedly this exploit exists as far back as “Donut” (ver 1.6).

Even worse, certain older models of Android phones may never get updated, as the carrier has essentially abandoned firmware updates for phones that are “retired” from active support. Users of these phones have essentially two options: root, unlock and update the phone with a custom version of the Android OS developed by the open source community, or buy a new phone. The former option is definitely not for the technically disinclined. Given the gravity of the vulnerability, the carriers may issue patches for the majority of their phones, but I wouldn’t hold your breath.

Until you are able to verify your Android smartphone is running a version of the OS that fixes this vulnerability, don’t sideload applications. If you want to be extra safe, avoid using smartphone apps that transmit sensitive information like banking passwords, PINs and other sensitive personal information. As I’ve reiterated before, exercise caution before convenience, especially when it comes to protecting yourself.

DOE Employees targeted in IE8 Zero-day security flaw

admin
Monday, 06 May 2013 / Published in Woo on Tech

Hackers have compromised a Department of Energy website, leveraging a previously undiscovered security flaw in version 8 of Microsoft’s Internet Explorer. IE 8, which is now 2 versions back from Microsoft’s most recent release (v10), is used by almost a quarter of all Internet Explorer users, and is most commonly found on Windows XP computers. The “watering hole” style attack is thought to be the work of Chinese hackers based upon the malware used and the command and control protocols used. The hacked website is used by the DOE to disseminate information on radiation-based illnesses, leading analysts to believe that this was a targeted attack aimed at compromising the computers of government employees working with nuclear weapons and reactors, ostensibly for the purposes of gaining access to classified information and systems.

What this means for you:

This is the first instance of this particular exploit being discovered, but given the publicity and Microsoft’s well-known inertia in issuing security updates for its older products, there is a chance that if you are still using IE 8 you could be at risk. Microsoft recommends upgrading to a new version of Internet Explorer, but in the event that you are unable to upgrade due to your business requirements or application limitations, Microsoft has issued the following guidance for working around the security flaw until it can be patched:

  • Set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
  • Add sites that you trust to the Internet Explorer Trusted sites zone to minimize prompt disruption
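
One way to check the second workaround on a Windows machine, as an added example that is not Microsoft's or this blog's code: the script reads the per-user Active Scripting setting (URL action 1400) for the Local intranet and Internet zones and, with `-Apply`, sets it to prompt or disable. The `-Apply` and `-Setting` parameters are hypothetical names chosen for this illustration.

```powershell
# Added example: audit, and optionally apply, the Active Scripting workaround.
# Zones: 1 = Local intranet, 3 = Internet. URL action 1400 = Active scripting,
# with values 0 = enable, 1 = prompt, 3 = disable.
# Assumption: only the per-user (HKCU) setting is examined; a Group Policy
# value stored under Software\Policies takes precedence and is not read here.
param(
    [switch]$Apply,                        # hypothetical: write the setting
    [ValidateSet(1, 3)][int]$Setting = 1   # 1 = prompt (default), 3 = disable
)

$base      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$labels    = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }

# Returns the current 1400 value for a zone, or $null when it is not set.
function Get-ActiveScripting([int]$Zone) {
    $item = Get-ItemProperty -Path "$base\$Zone" -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'1400'
}

# Turns a raw value into a readable label, keeping unknown values visible.
function Format-Setting($Value) {
    if ($null -eq $Value) { return 'not set' }
    if ($labels.ContainsKey($Value)) { return $labels[$Value] }
    return "value $Value"
}

$report = foreach ($zone in 1, 3) {
    $before = Get-ActiveScripting $zone
    if ($Apply -and $before -ne $Setting) {
        Set-ItemProperty -Path "$base\$zone" -Name '1400' -Value $Setting -Type DWord
    }
    $after = Get-ActiveScripting $zone

    New-Object PSObject -Property @{
        Zone      = $zoneNames[$zone]
        Before    = Format-Setting $before
        After     = Format-Setting $after
        # The workaround is in place when scripting prompts or is disabled.
        Mitigated = ((1, 3) -contains $after)
    }
}

$report | Select-Object Zone, Before, After, Mitigated | Format-Table -AutoSize
```

Run without `-Apply`, the script only reports; a zone showing `Mitigated = False` still runs scripts without prompting.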

As I’m not a Microsoft employee, I can also recommend switching browsers to Chrome or Firefox. Both issue security updates much more rapidly, and though they are not free of security flaws and zero-day exploits, both browsers typically fare better than IE in terms of overall security strength.

Airplane Flight Software Hacked by Android Device

admin
Thursday, 11 April 2013 / Published in Woo on Tech

Just when we were getting flight attendants to relax the electronic device restrictions on flights, a German security consultant has demonstrated a real-world hack and takeover of an airplane’s critical guidance and control systems using an app he built that runs on an Android smartphone. Hugo Teso of n.run, who is also a trained commercial pilot, demonstrated the exploit at the Hack in the Box conference in Amsterdam, and has developed a framework and app as a means to illustrate just how poor the current state of aviation security actually is. Teso designed the framework to be unusable outside his simulation environment, but he maintains that his environment mirrors technology that is currently in use throughout the aviation industry. On top of being able to completely own the Flight Management System (sometimes referred to as the “Autopilot”) of an aircraft, Teso’s app, named “PlaneSploit”, demonstrated how, once complete control of the aircraft’s control systems was obtained, the actual operation of a flying aircraft could be remotely controlled from a smartphone.

Teso has carefully kept his research private, and has been working closely with the aircraft industry to help them close the gap on the many security vulnerabilities that exist in the thousands of aircraft in use today. Even still, it’s possible that other security analysts could uncover the same exploitable weaknesses in avionics platforms, and perhaps behave less altruistically than Teso. Also keep in mind that the autopilot systems can be manually overridden and the aircraft flown “by hand” using backup analog instrumentation. The trick, Teso reminds us, is that unless the pilot knows the plane has been hacked, he won’t know to take over control until the damage has already been done.

What this means for you:

Unless you are a commercial pilot, or someone of influence in the airline industry, I’m afraid there’s not much you can do about this except continue to raise awareness with everyone around you about technology security. Even though I sincerely doubt we’ll see any real-world plane hijackings via smartphone any time soon, now that this Pandora’s Box has been opened, it may never be shut again.

Adobe Flash Getting Emergency Security Patch

admin
Wednesday, 13 February 2013 / Published in Woo on Tech

Windows users will probably be unsurprised to note that Adobe’s ubiquitous Flash plug-in requires yet another patch. This time, unfortunately, Adobe is scrambling to release version 11.6 to rectify 2 serious security holes that are already being exploited in the wild, and not just on Windows machines; Macs and even Linux machines are affected by the latest flaws.

What this means for you:

The flaws fixed by the above release may allow malicious websites to install malware either when you simply visit a compromised website, or by redirecting your browser to open infected Microsoft Word documents or Adobe PDFs. There are malware websites being found on the web right now that can take advantage of unpatched Flash plugins, and they will wreak havoc on your computer.

Patch Flash now. Here’s how:

  1. Go to Adobe’s website: http://get.adobe.com/flashplayer/ (works for any platform)
  2. Windows: Go to your Control Panel and look for the “Flash Player” control panel icon. Click the “Advanced” tab and then the “Check Now” button.

If you want to verify you’ve updated to the correct version, you can check it by visiting this link after patching: http://www.adobe.com/software/flash/about/

Java 7 Flaw Prompts Widespread Warnings

admin
Sunday, 13 January 2013 / Published in Woo on Tech

Carnegie Mellon University’s CERT and the Department of Homeland Security have issued a broad warning about using the latest version of the Java 7 plug-in for web browsers, and some browser manufacturers have already taken steps to disable Java application execution until the vulnerability can be fixed. The security flaw is already being exploited in the wild, and can be used to run malicious code without the victim’s permission or even awareness. Oracle is investigating, but has not indicated when the hole would be patched, aside from promising a fix “shortly.”

What this means for you:

Unless you have a really good reason to keep running it, you should probably disable Java until Oracle can fix this problem. Unlike other vulnerabilities that affect specific browsers (Internet Explorer has been notorious for flaws in the past), this particular problem affects all browsers that have a Java 7 plugin, including the Apple OS. Oracle has had problems in the past with providing quick patches for the Java platform, so until they do, the safest approach is to disable the plugin in your browser.

Click this link to see how to disable Java in your browser
