Archive for the ‘Software’ Category

Google’s Chrome version 28 released with Rich Notifications For Apps, Extensions

July 9, 2013

Google today released Chrome version 28 for Windows and Mac. The new version features a notification center, although it’s only available on Windows (in addition to Chrome OS of course). You can update to the latest release now using the browser’s built-in silent updater, or download it directly from google.com/chrome. This is also the first release of Chrome that ships with Blink instead of WebKit. You can check the Blink ID tag yourself by navigating to chrome://version/.

Adobe, Microsoft Release Critical Updates

July 9, 2013

We have seven bulletins from Microsoft this month, addressing a total of 34 vulnerabilities. Six of the bulletins are rated “critical” and allow for Remote Code Execution.

This is quite a high ratio compared to past months, and it is mostly due to the font parsing vulnerability, which is present in three of the seven bulletins. Overall, the focus is clearly on the workstation part of your infrastructure because most vulnerabilities are triggered by users browsing websites, viewing files and watching media.

Our recommendation is to start the patching process with MS13-053, a bulletin for Windows that applies to all versions of the OS. It includes a fix for two high value vulnerabilities: first, CVE-2013-3129, the previously mentioned problem with Windows font parsing. The most likely attack vector is through end users browsing a malicious web page or opening an infected document, which results in Remote Code Execution that gives control of the affected machine to the attacker.

The second high-profile vulnerability is CVE-2013-3660, a local Windows 0-day, which got its start with a post from Tavis Ormandy on the “full disclosure” mailing list, and which soon after had several implementations published in underground forums and in security research tools such as Metasploit and Core Impact.

Next on our list is MS13-055, a bulletin for Internet Explorer (IE) that affects all current production versions, from IE 6 to IE10. It addresses 17 vulnerabilities, and several of them can be used to gain control over the attacked workstation through a malicious web page. Since several of the vulnerabilities have an exploitation index of “1,” indicating that the development of an exploit is well within the capabilities of attack teams, it is worth addressing as quickly as possible.

Two of the remaining bulletins, MS13-052 (.NET and Silverlight) and MS13-054 (GDI+), are results of the same font parsing vulnerability (CVE-2013-3129) affecting the font implementations in these software packages, which are separate from the Windows OS due to architectural reasons and increase the severity of these bulletins to “critical.” A single vulnerability appearing in several bulletins is not common but has happened before, for example in MS12-034 (Silverlight) and MS12-039 (Lync), which both addressed the font vulnerability CVE-2012-0159.

The remaining critical bulletins are MS13-057 (Windows Media), which is triggered by a malicious media file, and MS13-058 (DirectShow), which fixes a vulnerability CVE-2013- in the GIF graphics format. MS13-058 is lowest on our list, since there is no Microsoft product using the vulnerable GIF function. However, third-party applications are potentially affected.

Adobe is releasing new versions of three products addressing security flaws: Adobe Shockwave (APSB13-18), ColdFusion (APSB13-19) and Adobe Shockwave Flash player (APSB13-17). Users of Internet Explorer 10 (KB2755801) and Google Chrome already have updates integrated and do not need to worry about installing the new version themselves. Everybody else, including Mac OS X users, should apply this critical update as quickly as possible.

By the way, the pre-production Windows 8.1 and IE 11 are not affected by any of these bulletins. However, there are still vulnerabilities in these products, and Microsoft has started a bug bounty program while these programs are in beta under the BlueHat umbrella. The cash prizes are quite attractive (up to $100,000 USD), and the program seems to be working and has attracted several submissions already.

Lastly, keep in mind that the month is not over: Oracle will be releasing their quarterly update for all of their software (except Java) next week on Tuesday, July 19.

Update Plugs 40 Security Holes in Java (Critical)

June 19, 2013

Oracle today released a critical patch update for its Java software that fixes at least 40 security vulnerabilities in this widely deployed program and browser plugin. Updates are available for Java 7 on both Mac and Windows.

The latest patch brings Java 7 to Update 25 (looks like Oracle has finally followed through on its promise to stop shipping updates for Java 6). In its accompanying advisory, Oracle notes that 37 of the 40 vulnerabilities fixed in this update may be remotely exploitable without authentication — that is, they can be exploited over a network without the need for a username and password.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. Keep in mind that updating via the control panel will auto-select the installation of the Ask Toolbar, so de-select that if you don’t want the added crapware.

Otherwise, seriously consider removing Java altogether. I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of Click-to-Play). Java 7 lets users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

There are a couple of ways to find out if you have Java installed and what version may be running.  Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

Mac OS X 10.6 (Snow Leopard) users who have Java should check Software Update for any available updates. Mac OS X 10.7 (Lion) and 10.8 (Mountain Lion) users can grab the updated version of Java from Java.com.

Critical updates from both Microsoft and Adobe

June 12, 2013

For Patch Tuesday this month, Microsoft has five bulletins, bringing the six-month total up to 51 bulletins, about 20% more than we had in 2012.

The most important Microsoft bulletin is MS13-047, a new version of Internet Explorer (IE). The bulletin is rated “critical,” addresses 19 vulnerabilities and covers all versions of IE, from IE6 to IE10, running on all versions of Windows, from XP to RT. Given the large number of vulnerabilities fixed, this will be the main target for attackers to reverse engineer and construct an exploit that can be delivered through a malicious webpage. Apply this bulletin as quickly as possible on all workstations that use IE for Internet access.

Our second priority is bulletin MS13-051 for Microsoft Office 2003 on Windows and 2011 for Mac OS X. It addresses a parsing vulnerability for the PNG graphic format that is currently in limited use in the wild. The attack arrives in an Office document and is triggered when the user opens the document. Microsoft rates it only as “important” because user interaction is required, but attackers have shown over and over that getting a user to open a file is quite straightforward. They use social-engineering techniques and send the “right” content to the user under attack – documents that have professional names and contain information that is of interest to the target.

Other fixes are MS13-048, for an Information Disclosure vulnerability; MS13-049, for a DoS problem in the TCP/IP stack of newer Windows systems (Vista+); and MS13-050, a local privilege escalation vulnerability in Windows Print Spooler.

Microsoft is not fixing a recent vulnerability that Tavis Ormandy had alluded to in March and has recently published an exploit for on the full-disclosure mailing list. The 0-day vulnerability allows an attacker already on the machine to gain admin privileges, and we can assume that the underground is working to make that vulnerability part of their arsenal. The vulnerability should be addressed next Patch Tuesday unless wider exploitation in the wild is detected.

Adobe is coming out with a new version of Flash (APSB13-16), which addresses X vulnerabilities, mostly reported by Google’s security team. If you use Google Chrome or Microsoft IE10, you will receive this update automatically. Microsoft offers more details in KB2755801.

Apple published its quarterly security fixes last week, with a new version of Safari and Mac OS X. These address numerous critical vulnerabilities and should be installed as quickly as possible. They are unrelated to the newly announced versions of Mac OS X and Safari at the recent WWDC in San Francisco, which will still take a number of weeks for release.

All in all, it’s a smaller Patch Tuesday, but certainly enough work for system administrators, many of whom have to take care of Adobe, Apple and Microsoft.

Microsoft, Adobe Push Critical Security Updates

May 16, 2013

Microsoft and Adobe each released updates to fix critical security holes in their software. Microsoft’s patch batch tackles at least 33 vulnerabilities in Windows and other products, including a fix for a zero-day vulnerability in Internet Explorer 8 that attackers have been exploiting. Separately, Adobe pushed security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.

Microsoft’s Patch Tuesday bundle includes two separate updates for Internet Explorer; the first (MS13-037) is a cumulative update for Internet Explorer. The second is a fix (MS13-038) specifically for a critical bug in IE 8 that miscreants and malware have been using to break into Windows computers. Other, slightly less severe holes were fixed in Microsoft Publisher, Word, Visio and Windows Essentials.

Last week, Microsoft released a stopgap Fix it tool to help blunt the threat from the IE8 zero-day flaw. If you installed that interim fix, Microsoft recommends taking a moment to disable it before applying today’s patches.

As it usually does on Microsoft’s Patch Tuesday, Adobe used the occasion to push its own security updates. A new version of Flash (v. 11.7.700.202 for Mac and Windows systems) fixes 13 vulnerabilities.  IE 10 and Google Chrome automatically update themselves to fix Flash flaws. This link should tell you which version of Flash your browser has installed. If your version of Chrome is not yet updated to v. 11.7.700.202, you may need to just restart the browser.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

In addition, Adobe AIR (required by some applications like Pandora Desktop, for example) was updated to v. 3.7.0.1860. Also, Adobe has released new versions of Adobe Reader and Acrobat that fix at least 27 security holes in these products. See this link for more detail on those patches. Adobe said it is not aware of any active exploits or attacks in the wild targeting any of the issues addressed in these updates.

Firefox 15 Released

August 29, 2012

August 28, 2012: Mozilla today launched Firefox 15, boasting that users will see “drastic improvements in performance” because of new code that stops add-ons from leaking memory.

Download a Firefox that speaks your language:
http://www.mozilla.org/en-US/firefox/all.html

How to Unplug Java from the Browser

August 29, 2012

Below are instructions for unplugging Java from whatever Web browser you may use to surf the Web. These instructions were originally posted as a how-to in response to the constant news of Java exploits.

For Windows users:

Mozilla Firefox: From the main menu select Add-ons, and then disable any plugins with the word “Java” in them. Restart the browser.

Google Chrome: Click the wrench icon in the upper right corner of the browser window, then select Settings. In the search results box to the right in the next screen, type “Java”. A box labeled “Content settings” should be highlighted. Click that, and then scroll down to the Plug-ins section. Click the “Disable individual plug-ins” link, find Java in the list, and click the disable link next to it.

Internet Explorer:

Apparently, getting Java unplugged from Internet Explorer is not straightforward. The U.S. Computer Emergency Response Team (USCERT) lists the following steps, which may or may not completely remove Java from IE:

In the Windows Control panel, open the Java item. Select the “Java” tab and click the “View” button. Uncheck “enabled” for any JRE version listed. Note that this method may not work on Vista or newer systems. As an alternative, you may use one of the following techniques:

Click the start key and type “regedit” in the search box. Double-click the regedit program file when it appears.

– Change the HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\\UseJava2IExplorer registry value to 0, where is any version of Java on your system. 10.6.2, for example.

If you are running a 32-bit version of Java on a 64-bit platform, you should set the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\\UseJava2IExplorer registry value to 0.

– Run javacpl.exe as administrator, click the “Advanced” tab, select “Microsoft Internet Explorer” in the “Default Java for browsers” section, and press the space bar to uncheck it. This will properly set the above registry value, despite the option being greyed out.

US-CERT has some additional suggestions for removing Java from IE if the above steps do not do the trick. See their advisory for more details.
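
The registry technique above, scripted in PowerShell as an added example (not US-CERT's or Oracle's code): it walks both Java Plug-in keys, reports UseJava2IExplorer for each subkey, and writes 0 only when the hypothetical -Disable switch is given. It assumes the empty path segment in the instructions stands for one subkey per installed Java version.

```powershell
# Added example: audit or clear UseJava2IExplorer in both registry views.
# Assumption: each installed Java version has its own subkey under "Java Plug-in".
# With no arguments the script only reports; -Disable writes 0 and needs an
# elevated prompt because the keys live under HKEY_LOCAL_MACHINE.
param([switch]$Disable)

$valueName = 'UseJava2IExplorer'
$roots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Plug-in',               # native view
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in'    # 32-bit Java on 64-bit Windows
)

foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) {
        continue    # no Java plug-in registered in this view
    }

    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $prop = Get-ItemProperty -LiteralPath $key.PSPath -Name $valueName `
                                 -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            # Subkey exists but the value was never created; nothing to change.
            $before = $null
            $state  = 'value not present'
        }
        else {
            $before = $prop.$valueName
            if ($before -eq 0) {
                $state = 'already disabled'
            }
            elseif ($Disable) {
                # Existing value keeps its registry type; only the data changes.
                Set-ItemProperty -LiteralPath $key.PSPath -Name $valueName -Value 0
                $state = 'set to 0'
            }
            else {
                $state = 'ENABLED for IE'
            }
        }

        # One row per version subkey, so the output can be piped or exported.
        [pscustomobject]@{
            Key    = $key.Name
            Before = $before
            State  = $state
        }
    }
}
```

Run it from a 64-bit PowerShell session so the first path is the native registry view; a Java update that adds a new subkey will show up as a new row on the next audit run.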

For Mac users:

Safari: Click Preferences, and then the Security tab (uncheck “Enable Java”).

Google Chrome: Open Preferences, and then type “Java” in the search box. Scroll down to the Plug-ins section, and click the link that says “Disable individual plug-ins.” If you have Java installed, you should see a “disable” link underneath its listing.

Firefox: Click Tools, Add-ons, and disable the Java plugin(s).

Critical Java 0-day flaw exploited in the wild

August 27, 2012
Researchers from security firm FireEye have discovered targeted attacks exploiting a zero-day Java vulnerability to deliver the Poison Ivy RAT onto the unsuspecting victims’ machines.

The vulnerability allows computers to be infected by simply visiting a specially crafted web page, and the malware served in the current attacks contacts a C&C server in Singapore.

The attacks are limited, but it’s only a matter of time until other cyber criminals create their own pages exploiting the flaw.

In the meantime, a module that takes advantage of it has already been added to the Metasploit Framework, and it works against a fully patched Windows 7 SP1 with Java 7 Update 6, Mozilla Firefox on Ubuntu Linux 10.04, Internet Explorer / Mozilla Firefox / Chrome on Windows XP, Internet Explorer / Mozilla Firefox on Windows Vista and Windows 7, and Safari on OS X 10.7.4.

Researchers from heise Security have also created a PoC page using information that is publicly available.

Oracle is yet to comment on the news, and to say whether it will break its scheduled quarterly patch cycle to issue a patch for the flaw.

In the meantime, users are advised either to disable or remove Java for the time being – or for good.

If you’re a Windows user and you have decided to disable Java, go to your Control Panel, select “Java”, and once the “Java Runtime Environment Settings” dialog box appears, select “Java” once again and uncheck the “Enabled” check box. Needless to say, if in the future you need to use Java again, go through the same steps and check the aforementioned check box.

To completely remove Java from your system, go to the Control Panel > Programs > Programs and Features, find Java, select it and press the “Uninstall” button.

New Adobe Flash Player Update Fixes 6 Flaws

August 21, 2012

For the second time in a week, Adobe has shipped a critical security update for its Flash Player software. This patch, part of a planned release, closes at least six security holes in the widely-used browser plugin, and comes just one week after the company rushed out a fix for a flaw that attackers were already exploiting in the wild.

Updates are available for Windows, Mac, Linux and Android platforms. Windows and Mac users will need to update to v. 11.4.402.265 (Linux and Android users should see the advisory for their version numbers). The Flash Player installed with Google Chrome should automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player v. 11.3.31.230 for Windows and Linux, and Flash Player v. 11.4.402.265 for Macintosh. When I composed this post, however, the installation of Chrome on my Mac had not yet updated to the new version Google began pushing out today (a restart of the browser fixed that).

To find out what version of Flash is on your system, browse to this link. The latest version is available at this link, which should auto-detect the version of Flash your browser and operating system needs. Windows users take note: Unless you also want McAfee Security Scan Plus bundled with your Flash update, make sure to uncheck that box before clicking “download now.”

Adobe also has released an update that addresses these vulnerabilities in Adobe AIR. Windows and Mac users will want to update to Adobe AIR 3.4.0.2540. Windows users should be able to tell if they have this program installed and its version number from the Add/Remove Programs section of the Windows Control Panel. Determining the presence of AIR and its version number gets a bit more complicated for Mac users.

Google begins notifying users infected with DNS Changer

May 23, 2012
As the date set for the final shutdown of the infrastructure that keeps computers infected with the DNSChanger Trojan connected to the Internet is approaching at a fast pace, Google has decided to begin warning affected users that land on its search sites.
Google’s goal is to notify about half a million users whose computers and/or routers are infected by the malware, and to redirect them to pages where they can learn about the Trojan and how to remove it from their devices.

The warning has already begun appearing to infected users. It comes in different languages, and looks like this:


“Since the FBI and Estonian law enforcement arrested a group of people and transferred control of the rogue DNS servers to the Internet Systems Consortium in November 2011, various ISPs and other groups have attempted to alert victims,” Damian Menscher, a Google security engineer, explained.

“However, many of these campaigns have had limited success because they could not target the affected users, or did not appear in the user’s preferred language (only half the affected users speak English as their primary language). At the current disinfection rate hundreds of thousands of devices will still be infected when the court order expires on July 9th and the replacement DNS servers are shut down.”

Google is hoping that a warning from a trusted site such as Google and in the users’ native language might give better results. Still, Menscher says, the company does not give guarantees that their recommendations will always clean infected devices completely.

“Some users may need to seek additional help,” he concluded.