In case you are new here, let me catch you up on the primary purpose of this blog. My objective is to scare you into being more secure with technology. It doesn’t always work – one person’s phobia is another’s fetish, but this one ought to give you pause. A white hat security hacker has uncovered a bug in Symantec Antivirus that would allow for an almost trivial exploitation of its scanning engine to actually compromise the computer it’s supposed to be protecting. And this bug exists across all three major operating systems – Windows, OSX and Linux – something that is very rare in any type of software. Not worried yet? A victim doesn’t even need to open an infected file because Symantec will do it for them when it scans the file in your email, or scans a link in your web browser. Just touching a file designed to exploit this bug will cause a memory buffer overflow, which is tech-speak for “OK malware, I’m puckering up so you can plant a big haymaker right in my kisser.”
What this means for you:
If you don’t use Symantec or Norton products for malware protection, carry on and enjoy that feeling of schadenfreude most technology users rarely experience. If you do use either of those products, Symantec has already patched this bug, and if your software is set to update automatically, it should no longer be a problem. Therein lies the rub: do you know if your antivirus is up to date? How many of you have been ignoring the little warning flags your AV has been waving at you from the corner of your screen, “Hey, I need to update but I can’t for some reason!” Do you know how to make sure your antivirus is updating regularly? By the way, “regularly” means daily, if not multiple times a day. Zero-day exploits are sometimes seen within hours of a vulnerability being published. Security companies like Symantec stake their reputation on reacting quickly, but they can only lead your computer to the update river. You need to make sure it’s drinking deep, daily. Not a software update wrangler by trade? Well it just so happens I know someone who is, pardner.
You wouldn’t let your business be run by amateurs, so why would you leave your technology to anyone less than an experienced professional?
The first Tuesday of every month is commonly known as “Patch Tuesday” in the IT industry, and is called thus because Microsoft issues its monthly batch of patches and security fixes to its operating systems and applications, most notably Internet Explorer. February’s selection features a whopping 31 CVEs (common vulnerabilities and exposures) that have been fixed in 4 “critical” updates and 3 “important” updates. Chief among the fixes are patches to all versions of Internet Explorer 6 through 11 to fill holes in the web browser that Microsoft anticipates being exploited in the next 30 days. Adobe also issued a fix for its Shockwave Media Player (a legacy multimedia player that may be installed on older PCs), not to be confused with Adobe Flash, which was also patched last week to combat a security hole that was actively being exploited on the internet.
What this means for you:
Depending on whether your technology is managed by an IT department, a 3rd-party provider like C2, or just by you, your Windows computers may update in the next day or two, or further out if your IT department tests MS updates before patching your company’s fleet. The ones that really need to pay attention are those that manage the software updates personally, as it’s easy to forget about or ignore the Windows Update process.
Not sure if your computer’s OS needs an update? Go to Control Panel -> Windows Update and read the information presented there. It will tell you if there are any updates waiting to be applied, when your computer was last updated, and you can even see a full history of what was updated previously. You can also double-check to see how your computer is set to check and apply updates. The best choice for most non-managed computers is the default setting for Windows Update, which is to download and apply all “important” and “critical” updates automatically on a regular schedule.
If you need to check whether Adobe Flash is properly patched, you can visit http://helpx.adobe.com/flash-player.html to check what version you have installed and whether it is working properly.
In case you were worried that Internet Explorer might be gaining ground as a secure web browser, security researchers have uncovered another zero-day vulnerability that is actively being exploited in versions 8 and 9 of Internet Explorer. I’ll spare you the gory details but the gist of the hole is such that it can be exploited in a simple “drive-by” attack, and doesn’t even require interaction from the user. Sadly, this weakness seems to afflict all versions of Microsoft’s web browser, including the yet-to-be-released version 11. Microsoft is aware of the issue, and is working to plug the hole, but could be weeks away from a formal fix.
What this means for you:
If you are using IE 8 (extremely likely if you are still using Windows XP), or IE 9 (also likely throughout much of the corporate world), there is a Microsoft Fixit that can be applied, and enterprise IT shops can address this centrally if they are running well-managed computer fleets. If you are leery of applying temporary patches and are not restricted to using Microsoft’s browser, you can give Chrome, Firefox or even Safari a try until Microsoft issues a formal patch for this exploit. At minimum, make sure your anti-malware is up to date and working, and watch carefully for suspicious behavior while surfing the internet, especially if you are visiting new/unfamiliar websites.
Windows users will probably be unsurprised to note that Adobe’s ubiquitous Flash plug-in requires yet another patch. This time, unfortunately, Adobe is scrambling to release version 11.6 to rectify 2 serious security holes that are already being exploited in the wild, and not just on Windows machines; Macs and even Linux are affected by the latest flaws.
What this means for you:
The flaws fixed by the above release may allow malicious websites to install malware either from just visiting a compromised website, or by redirecting your browser to open infected Microsoft Word documents or Adobe PDFs. There are malware websites being found on the web right now that can take advantage of unpatched Flash plugins and they will wreak havoc on your computer.
Patch Flash now. Here’s how:
- Go to Adobe’s website: http://get.adobe.com/flashplayer/ (works for any platform)
- Windows: Go to your Control Panel and look for the “Flash Player” control panel icon. Click the “Advanced” tab and then the “Check Now” button.
If you want to verify you’ve updated to the correct version, you can check it by visiting this link after patching: http://www.adobe.com/software/flash/about/
Microsoft seems to be taking Fat Tuesday to heart: this month’s package of software updates includes a whopping 57 fixes for security flaws across most of its current product line. Microsoft isn’t the only one patching: Adobe also has a handful of security fixes for its products – the most commonly installed are Flash and Acrobat. The security exploits patched are just as potentially dangerous as the vulnerabilities patched in Internet Explorer.
What this means for you:
Ideally, you either have an IT department watching out for you and making sure your software is being updated in a timely fashion, or you have Automatic Updating turned on and will automatically download and apply all critical and important patches released by Microsoft and Adobe. In the case of the former, it may actually be a week or two before the actual patches are applied, as many IT departments routinely test all MS patches before distributing them through the enterprise, mostly to ensure Microsoft doesn’t break something proprietary to your company’s platforms. And in the case of this month’s Patch Tuesday, they will have much more to test and deploy.
If your computer is relying on automatic updates received via the internet, make sure you pay attention to the little message popups in the lower right corner of your screen. Windows Update will let you know when it’s doing its thing, and will also notify you when it has finished applying the necessary patches. Not sure whether your machine has been patched? For most versions of Windows (XP, Vista, 7) you can click the Start Menu and select “All Programs” and scroll until you find “Windows Update”. Review the information on the screen, and if you have any questions, don’t hesitate to call us for a second opinion!
According to security firm Exodus, the patch to Internet Explorer 6, 7 and 8 released on December 31 only fixed one of several ways to exploit a weakness in Microsoft’s browser. In their research on this exploit, Exodus continued to develop more aggressive ways to exploit the documented weakness and in doing so, uncovered a means that bypasses Microsoft’s fix, but is withholding details from the public until Microsoft has a chance to address their findings. A number of human rights and government sites have been compromised with malware agents that exploit this weakness and appear to be part of a larger campaign by the “Elderwood Gang” – a highly effective and well-backed group of hackers that have been targeting high-profile government sites since 2009, ostensibly with financial and espionage-based goals.
What this means for you:
Internet Explorer 6, 7 and 8 are still considered vulnerable, though no one has documented any websites yet taking advantage of the exploits discovered by Exodus. The fact that there are still holes in IE browser security will not go unnoticed, and if Exodus can develop work-arounds for Microsoft’s patch, you can bet groups like “Elderwood” will be able to do the same, if they haven’t already. Your best short-term solution is to either use another browser like Chrome or Firefox until Microsoft can fully patch this weakness, or upgrade your Internet Explorer to version 9 or 10 as soon as possible. If you are working for an organization or using software that requires backward compatibility to IE 7 or 8, you should consider having a serious discussion with the IT department about their reasons for maintaining what is increasingly becoming an untenable stance. If you are required to use IE 6 for some unfathomable reason, you should stop what you are doing immediately and consult with an IT professional, as IE 6 is a magnet for security exploits.
It might be the last day of 2012, but there’s still time to issue yet another patch to fix a zero-day exploit in Microsoft Internet Explorer 6, 7 and 8. Confirmed on Saturday by Microsoft, this patch fixes a vulnerability in all versions of IE prior to v9 that may allow hackers to gain control over a victim’s machine. This latest weakness is likely to be exploited when a computer using one of the versions of the aforementioned browser visits a malicious website, allowing it to run code that can corrupt the memory on the victim’s computer and from there execute malicious code as the logged in user, potentially resulting in backdoor installations, malware infections, and zombification.
What this means for you:
It’s conceivable you are still running IE 8, which was released in 2011, so you may be affected by this weakness. If you are running IE7 or, impossibly, IE6 (it was released in 2001 – over 10 years ago!), I’d say you are better off upgrading to the latest version of IE you can reasonably run on your computer, and then making sure it is patched appropriately.
Since its release last month, Apple has been fielding numerous complaints about wifi issues on the new iPhone 5. It’s not uncommon for manufacturers to sit tight during the first wave of complaints to see if there is any merit to them, or if they are just a combination of user-error and settling-in that always appears in new product launches. New customers were complaining of poor performance during the initial weeks of the iPhone 5’s arrival, and now that the first month’s bills are rolling in, these same customers have uncovered what looks to be a serious bug on the Verizon version of the iPhone 5: instead of using an existing wifi connection to deliver data to the phone, iOS 6 (the operating system powering the iPhone 5) will instead continue to use the cellular connection, chewing up the monthly data allotment at an alarming rate.
Apple admitted the existence of the bug through a software update released on September 30, and Verizon has stated that no one will be charged for “unwarranted data usage” that might have occurred from this bug.
What this means for you:
If you’ve recently purchased an iPhone 5 or have upgraded your older iPhone 4 to iOS 6, and Verizon is your carrier, keep a close eye on your data usage and look for any unusual spikes in your monthly usage average. Reports are mixed as to whether this problem affects any model other than the iPhone 5. Watch for the alert to patch your phone, and accept the update as soon as you see it. To check your cellular data usage on your iPhone: Settings->General->Usage->Cellular Usage.
In a rare, out-of-band release, Microsoft released an update on Sept 21 that patched the much ballyhooed vulnerability that affected all versions of its browser as far back as IE 6. This security flaw was significant enough for the German government to recommend to its citizens that they use another browser until MS could address the exploit, which it did on the 19th in a “fixit” tool downloadable via their website, and now in an MS Update that will be delivered automatically to all validated Windows OS systems.
What this means for you:
Microsoft normally releases its updates on Tuesday, so the more savvy among you might have already noticed the unusual appearance of an update request from your Windows machine as early as last Friday evening. Regardless of when you see it, you should allow the update to download and patch your OS as soon as possible, especially if you use IE as your internet browser. If your computer is managed by a corporate IT department, the update may go through internal testing before being released to update your computer. Assuming you’ve not made any changes to how your OS stays up to date, you should be patched, or will be patched the next time you reboot your computer. To make sure you’ve received this update, you can visit your Control Panel, open Windows Update and check your update history for “Cumulative Security Update for Internet Explorer (2744842)”. If this has been successfully installed, you’ve been patched!
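The same update-history check can be scripted instead of clicked through. The following is an added example, not part of the original post: it assumes PowerShell 3.0 or later and the Windows Update Agent COM interface, and the function name `Get-UpdateHistoryEntry` is made up for illustration. The update number is the one quoted above.

```powershell
# Added example: look up one update in the local Windows Update history.
# Get-UpdateHistoryEntry is an illustrative name, not a built-in cmdlet.
function Get-UpdateHistoryEntry {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^\d{6,7}$')]   # digits only, e.g. 2744842
        [string]$KbNumber
    )

    # Windows Update Agent COM API: the same data the Control Panel history view shows
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return }

    # Names for the numeric ResultCode (OperationResultCode enumeration)
    $resultNames = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
                      3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

    # Titles carry the number as "(2744842)" or "(KB2744842)" depending on the OS
    $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Title -match "\b(KB)?$KbNumber\b" } |
        Sort-Object Date -Descending |
        ForEach-Object {
            [pscustomobject]@{
                DateUtc = $_.Date          # history timestamps are stored in UTC
                Result  = $resultNames[[int]$_.ResultCode]
                Title   = $_.Title
            }
        }
}

$entries = @(Get-UpdateHistoryEntry -KbNumber '2744842')
if ($entries.Count -eq 0) {
    Write-Output 'No history entry for 2744842 on this machine.'
} elseif ($entries[0].Result -eq 'Succeeded') {
    Write-Output "Patched: $($entries[0].Title) installed $($entries[0].DateUtc) UTC"
} else {
    Write-Output "Most recent attempt ended as '$($entries[0].Result)'; run Windows Update again."
}
```

An empty result is not proof that the machine is unpatched: the history is lost if the Windows Update datastore has been reset, and a later cumulative Internet Explorer update replaces this one.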