Archive for June, 2013

Update Plugs 40 Security Holes in Java (Critical)

June 19, 2013

Oracle today released a critical patch update for its Java software that fixes at least 40 security vulnerabilities in this widely deployed program and browser plugin. Updates are available for Java 7 on both Mac and Windows.

Image

The latest patch brings Java 7 to Update 25 (looks like Oracle has finally followed through on its promise to stop shipping updates for Java 6). In its accompanying advisory, Oracle notes that 37 of the 40 vulnerabilities fixed in this update may be remotely exploitable without authentication — that is, they can be exploited over a network without the need for a username and password.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. Keep in mind that updating via the control panel will auto-select the installation of the Ask Toolbar, so de-select that if you don’t want the added crapware.

Other, seriously consider removing Java altogether.  I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of Click-to-Play). Java 7 lets users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

There are a couple of ways to find out if you have Java installed and what version may be running.  Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

Mac OS X 10.6 (Snow Leopard) users who have Java should check Software Update for any available updates. Mac OS X 10.7 (Lion) and 10.8 (Mountain Lion) users can grab the updated version of Java from Java.com.

Advertisements

Critical updates from both Microsoft and Adobe

June 12, 2013

For Patch Tuesday this month, Microsoft has five bulletins, bringing the six-month total up to 51 bulletins, about 20% more than we had in 2012.

The most important Microsoft bulletin is MS13-047, a new version of Internet Explorer (IE). The bulletin is rated “critical,” addresses 19 vulnerabilities and covers all versions of IE, from IE6 to IE10, running on all versions of Windows, from XP to RT. Given the large number of vulnerabilities fixed, this will be the main target for attackers to reverse engineer and construct an exploit that can be delivered through a malicious webpage. Apply this bulletin as quickly as possible on all workstations that use IE for Internet access.

Our second priority is bulletin MS13-051 for Microsoft Office 2003 on Windows and 2011 for Mac OS X. It addresses a parsing vulnerability for the PNG graphic format that is currently in limited use in the wild. The attack arrives in an Office document and is triggered when the user opens the document. Microsoft rates it only as “important” because user interaction is required, but attackers have shown over and over that getting a user to open a file is quite straightforward. They use social-engineering techniques and send the “right” content to the user under attack – documents that have professional names and contain information that is of interest to the target.

Other fixes are MS13-048, for an Information Disclosure vulnerability; MS13-049, for a DoS problem in the TCP/IP stack of newer Windows systems (Vista+); and MS13-050, a local privilege escalation vulnerability in Windows Print Spooler.

Microsoft is not fixing a recent vulnerability that Tavis Ormandy had alluded to in March and has recently published an exploit for on the full-disclosure mailing list. The 0-day vulnerability allows an attacker already on the machine to gain admin privileges, and we can assume that the underground is working to make that vulnerability part of their arsenal. The vulnerability should be addressed next Patch Tuesday unless wider exploitation in the wild is detected.

Adobe is coming out with a new version of Flash (APSB13-16), which addresses X vulnerabilities, mostly report by Google’s security team. If you use Google Chrome or Microsoft IE10, you will receive this update automatically. Microsoft offers more details in KB2755801.

Apple published its quarterly security fixes last week, with a new version of Safari and Mac OS X. These address numerous critical vulnerabilities and should be installed as quickly as possible. They are unrelated to the newly announced versions of Mac OS X and Safari at the recent WWDC in San Francisco, which will still take a number of weeks for release.

All in all, it’s a smaller Patch Tuesday, but certainly enough work for system administrators, many of whom have to take care of Adobe, Apple and Microsoft.

Most small businesses can’t restore all data after

June 6, 2013
Most small businesses can’t restore all data after a cyber attack
Posted on 06 June 2013.
 
Almost one-third of U.S. small businesses surveyed by the Ponemon Institute had a cyber attack in the previous year, and nearly three-quarters of those businesses were not able to fully restore their company’s computer data.


The primary causes of cyber attacks on small businesses were computer viruses, worms and Trojans (61 percent) and unspecified malware (22 percent), the Ponemon Institute reported. Following the cyber attacks, 72 percent were not able to fully restore their company’s data.

The survey found that 29 percent of the small businesses experienced a computer-based attack. The consequences of those attacks included managing potential damage to their reputations (59 percent); theft of business information (49 percent); the loss of angry or worried customers (48 percent) and network and data center downtime (48 percent).

In recently released findings on data breaches, the Ponemon Institute surveyed the same small businesses, health care providers and professionals around the U.S. and found that 53 percent had experienced a data breach and 55 percent of those businesses had multiple breaches.