Patch Tuesday for July 2015

This month there are fourteen bulletins from Microsoft, with associated updates affecting Windows, Internet Explorer, Office and SQL Server. Four of the updates are flagged as Critical. The updates address at least fifty-nine vulnerabilities.

From Adobe, there are updates for Flash (see previous post), Reader/Acrobat (version 2015.008.20082) and Shockwave (version 12.1.9.159).

So, although installing updates on computers is probably not anyone’s idea of summer fun, let’s all try to keep our sense of humour as we once again work through the monthly update grind. Enjoy!

Update 2015Jul16: This month’s Microsoft updates address three vulnerabilities (two in Internet Explorer) exposed in the recent Hacking Team leak.

Flash 18.0.0.209 fixes latest vulnerabilities

Earlier today, Adobe released yet another version of Flash to address the most recent vulnerabilities revealed in the Hacking Team leak (CVE-2015-5122 and CVE-2015-5123).

According to the release notes for version 18.0.0.209: “These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly.”

If you still need to use a web browser with Flash enabled, you should install the new Flash version immediately. As usual, Internet Explorer 10/11 in Windows 8.x will receive the Flash update via Windows Update. A new version of Google Chrome (43.0.2357.134) includes the most recent Flash version.

Ars Technica has more about the latest updates and efforts to minimize Flash-related vulnerabilities by Mozilla and Google.

Yet another Flash exploit revealed

At this point, the Hacking Team leak appears to be a never-ending source for Flash exploits. A third vulnerability was just discovered among the leaked materials. As always, we recommend disabling Flash completely in your browser, or setting up one browser with Flash, to be used only when you have no other choice.

To reduce potential damage, Mozilla has configured Firefox to block all versions of Flash up to version 18.0.0.203. Of course, that won’t help for as-yet unpatched vulnerabilities such as the last two from the Hacking Team leak.

Meanwhile, there’s renewed interest in eliminating Flash from the web completely. YouTube abandoned Flash for an HTML5-based video player recently, and organized campaigns like Occupy Flash are trying to keep the ball rolling by encouraging both users and service providers to stop using Flash. Facebook’s Chief Security Officer wants Adobe to announce the end of Flash.

We’re hoping that Google is working to remove Flash from their advertising infrastructure, since for many users, Flash-based advertisements are their biggest remaining exposure to Flash.

Flash update fixes Hacking Team vulnerability

As much as I would like to see Flash disappear completely, I have to commend Adobe’s quick response to the recent discovery of a critical Flash exploit.

Flash 18.0.0.203 was released earlier today. The new version fixes the vulnerability associated with the Hacking Team leak (CVE-2015-5119), but it also addresses thirty-five other security vulnerabilities in Flash.

As usual, Google Chrome will update itself with the new Flash code, and Internet Explorer 10 and 11 on Windows 8.x will get the Flash changes via Windows Update.

Recommendation: if you use a web browser with Flash enabled, install the new Flash as soon as possible. Keep in mind that the standard Flash installer also installs McAfee security software by default: look for a checkbox for this option in the installer and disable it.

Ars Technica has additional details.

Recent changes to Firefox prevent access to network resources

By now you’re no doubt familiar with the warnings displayed by web browsers when you navigate to sites that use out-of-date or incomplete security. Typically, a browser will allow you to continue to the site in question, regardless of the security issue. While it can be argued that allowing the user to ignore security warnings is a bad idea, in many cases this is the only way for users to access some sites.

The classic example of this is when a business creates a self-signed SSL certificate for a web resource that is only accessible internally. Typically this is done when non-secure access to the resource is simply not supported. Creating a self-signed certificate gets around this limitation and costs nothing. Users accessing the resource will see a warning about the self-signed certificate, but can tell their browser to proceed anyway, knowing that there’s no actual danger.

Unfortunately, Mozilla seems to have eliminated the ability for users to bypass these warnings. I recently encountered this when using the current version of Firefox (39.0) to access a router on a local network. I received a cryptic warning:

SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

In earlier versions of Firefox, I would then be allowed to continue regardless of the security issue. But that’s no longer the case. To access the router, I switched to Google Chrome, which showed the same warning, but allowed me to proceed.

I understand that Mozilla is trying to tighten security, and limit the ways in which uninformed users expose themselves to security risks, but I believe that this is going too far. It’s yet another example of how Mozilla is pushing users away from Firefox, to other web browsers.

Update 2015Jul09: I’m seeing workarounds for this problem, but they typically involve ignoring the security check completely. I only want to be able to bypass the check for specific sites.

Update 2015Aug07: Only certain types of SSL keys are being handled this way in Firefox now. Specifically, Diffie-Hellman keys that are 1024 bits long or shorter. Other self-signed keys still allow for exceptions to be added.

Update 2015Oct16: Chrome also no longer allows access to sites, services, or devices using Diffie-Hellman keys.
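The warning above is about the size of the server’s ephemeral Diffie-Hellman key, which you can inspect yourself before deciding whether a device needs reconfiguring rather than a browser exception. The following is an added example, not code from the original post: it drives the real openssl s_client command (restricted to DHE cipher suites so the server must reveal its DH parameters) and parses the “Server Temp Key” line that OpenSSL 1.0.2 and later print. The 1024-bit threshold is taken from the post’s own description of Firefox’s behaviour and is exposed as a parameter; the sample output embedded below is constructed.

```python
"""Report the ephemeral Diffie-Hellman key size a TLS server offers."""
import re
import subprocess

# Matches the three shapes OpenSSL prints, e.g.
#   "Server Temp Key: DH, 1024 bits"
#   "Server Temp Key: ECDH, P-256, 256 bits"
#   "Server Temp Key: X25519, 253 bits"
TEMP_KEY_RE = re.compile(
    r"Server Temp Key:\s*(\w+)(?:,\s*([^,]+))?,\s*(\d+) bits"
)


def parse_temp_key(s_client_output: str):
    """Return (kind, bits) from s_client output, or None if no temp key line is present
    (for example when the server refused every DHE suite)."""
    m = TEMP_KEY_RE.search(s_client_output)
    if not m:
        return None
    return m.group(1), int(m.group(3))


def dh_is_weak(kind: str, bits: int, weak_at_or_below: int = 1024) -> bool:
    """True when the server used finite-field DH with a key at or below the threshold.
    The default mirrors the post's description of what Firefox now rejects (an assumption
    about the browser's policy); 2048 bits is the usual minimum for new deployments.
    Elliptic-curve exchanges (ECDH/X25519) are not subject to this check."""
    return kind == "DH" and bits <= weak_at_or_below


def probe(host: str, port: int = 443, timeout: int = 10):
    """Run `openssl s_client` against host:port, forcing DHE suites, and parse the result.
    Returns (kind, bits) or None. Requires the openssl binary on PATH."""
    cmd = [
        "openssl", "s_client",
        "-connect", f"{host}:{port}",
        "-servername", host,   # SNI, so virtual hosts answer with the right config
        "-cipher", "DHE",      # OpenSSL cipher-list alias for ephemeral DH suites
    ]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return parse_temp_key(proc.stdout.decode(errors="replace"))


# Constructed sample of what s_client prints for a router with a 1024-bit DH group.
SAMPLE_WEAK_OUTPUT = """\
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1459 bytes and written 438 bytes
"""


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = parse_temp_key(SAMPLE_WEAK_OUTPUT) if target is None else probe(target)
    if result is None:
        print("no ephemeral DH key offered (server declined all DHE suites)")
    else:
        kind, bits = result
        verdict = "WEAK" if dh_is_weak(kind, bits) else "ok"
        print(f"{kind} {bits} bits: {verdict}")
```

Run it with a hostname to probe a live server, or with no arguments to see the parser applied to the constructed sample. If the verdict is WEAK, the fix belongs on the device: regenerate its DH parameters at 2048 bits or move it to an ECDHE suite, rather than teaching a browser to accept the weak group.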

Exploit for unpatched Flash vulnerability found in leaked material

Hacking Team is an Italian company that develops counter-security (i.e. hacking) software. They claim to provide their tools only to NATO partners, but there have long been suspicions that their client list includes oppressive governments. These claims have always been denied by the company, but a recent, comprehensive hack against their servers has confirmed that Hacking Team sells their software to anyone who asks, including Kazakhstan, Sudan, Russia, Saudi Arabia, Egypt and Malaysia.

Nobody has yet claimed credit for the hack and data scoop, but whoever did it, they have done the world a favour in exposing the practices of Hacking Team. Unfortunately, in publishing the information obtained in the hack, at least one serious – and unpatched – Flash vulnerability has also been exposed.

Adobe responded to the publication of the vulnerability with a Flash security bulletin, in which they confirm that the vulnerability and exploit exist, and that they are currently working on a fix (expected later today). Meanwhile, the exploit has already found its way into hacking toolkits.

Anyone still using a web browser with Flash enabled should consider disabling Flash until this vulnerability is patched.

Update 2015Jul08: Bruce Schneier points out that Hacking Team’s practices are even worse than predicted, and doesn’t expect the company to survive.

Confusing series of Firefox releases

Last week the FileHippo update checker kept insisting that Firefox 38.0.6 was the latest version. I was – and still am – unable to find any official release notes for that version, but according to one source, 38.0.6 is a special version for specific hardware. In any case, Firefox never updated itself to 38.0.6.

Yesterday I discovered that Firefox 39.0 had been released, apparently on June 30th. According to its release notes, this version includes a variety of fixes and improvements, especially for Macs. HTML5 support is improved, as is networking. Several security vulnerabilities were also addressed.

Meanwhile, in reviewing the official list of Firefox releases, I found notes for version 38.1.0, which was apparently released on July 2nd. It looks like Mozilla staff posted this version in the wrong place, because the 38.1.0 release is for the ‘ESR channel’. Readers of this site are likely more interested (as am I), in the ‘release channel’. According to the Firefox ESR FAQ:

Mozilla Firefox ESR is meant for organizations that manage their client desktops, including schools, businesses and other institutions that want to offer Firefox. Users who want to get the latest features, performance enhancements and technologies in their browsing experience should download Firefox for personal use [ed: the release channel], as these improvements will only be available to ESR users several development cycles after being made available in Firefox for desktop.

In other words, pay no attention to the 38.1.0 ESR release if you want all the latest improvements. The ESR releases tend to lag behind in features, while typically being more stable.

Security roundup for June 2015

What’s in a name?

ICANN is the non-profit organization that governs the basic naming system used on the Internet. Anyone who owns a domain name has an ongoing relationship (even if indirect) with ICANN. Unfortunately, there’s alarming evidence that ICANN is now being guided by corporate interests. Update 2015Jul08: this is a very real privacy threat.

ICANN wants to make it impossible for site owners to be anonymous. They insist that this will only apply to commercial sites, but the definition of commercial promises to be so vague that almost any site would qualify. Spammers will be rubbing their hands together in glee, since the information associated with domain registration is extremely valuable to them.

Free proxies: use with caution

Brian Krebs reports on recent research in which 443 free, open proxy services were tested, to determine whether they: a) support secure web traffic; b) maintain the privacy of user information; and c) modify user traffic in any way. Fully 79% of the tested proxies force web pages to load non-securely, which means that the service operator can see all their user traffic in unencrypted form. Sixteen percent of the services actively insert advertising into customer web traffic.

Recommendation: if you’re looking for a free proxy service, try to find one that allows secure (HTTPS) web traffic.

Why We Encrypt

Another insightful post from security expert Bruce Schneier explains why encryption is important, why it should be enabled by default, and why recent efforts to weaken encryption are a huge mistake.

Failure to encrypt

Researchers at AppBugs used their security software to detect flaws in the way apps encrypt Internet traffic, and the results are depressing. Over fifty Android applications – downloaded by millions of users – are using encryption incorrectly, or not at all. While some of these apps probably don’t transmit anything sensitive, many do, including several high profile apps from the NBA, Match.com, Safeway, and Pizza Hut.

New method for managing passwords

The free, open source Master Password simplifies the task of securely generating and storing secure, unique passwords. It does this without the need to store or access anything on the Internet; all you need is the app itself and a master password. The catch? You’ll have to generate and set new passwords for all the sites and services you use. Master Password is available for iPhone/iPad, Mac, Windows Desktop, Android, and on the web.
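The idea behind a stateless password manager is that every site password is a pure function of the master password, your name and the site, so there is nothing to store or sync, and the price is that every password must be regenerated. The block below is an added example of that concept only; it is not Master Password’s published algorithm (which has its own scrypt parameters, templates and versioning) and its output is not compatible with that app. The salt label, alphabet and counter scheme are this example’s own choices.

```python
"""Stateless, deterministic site-password derivation (concept demo, not Master Password)."""
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def master_key(master_password: str, full_name: str) -> bytes:
    """The expensive step, run once per session: stretch the master password with scrypt.
    The user's name acts as salt so two people with the same master password get
    different keys. Parameters are illustrative (n=2**14 keeps memory at 16 MiB)."""
    return hashlib.scrypt(
        master_password.encode("utf-8"),
        salt=b"example-v1:" + full_name.encode("utf-8"),
        n=2 ** 14, r=8, p=1, dklen=64,
    )


def site_password(key: bytes, site: str, counter: int = 1, length: int = 20) -> str:
    """Derive a site password from the master key. Same inputs always give the same
    password; bumping `counter` is how you rotate a single site's password without
    changing anything else."""
    seed = hmac.new(key, f"{site}\x00{counter}".encode("utf-8"), hashlib.sha256).digest()
    stream = hashlib.shake_256(seed).digest(length * 8)   # plenty of bytes to sample from
    limit = 256 - (256 % len(ALPHABET))                    # rejection sampling: no modulo bias
    chars = [ALPHABET[b % len(ALPHABET)] for b in stream if b < limit]
    return "".join(chars[:length])


def demo() -> dict:
    """Derive a few passwords for a constructed user so the properties are visible."""
    key = master_key("correct horse battery staple", "Example User")
    return {
        "example.com": site_password(key, "example.com"),
        "example.com#2": site_password(key, "example.com", counter=2),
        "example.net": site_password(key, "example.net"),
    }


if __name__ == "__main__":
    for site, pw in demo().items():
        print(f"{site:15} {pw}")
```

Two properties matter for security here: the master password never leaves the device and is only ever run through a memory-hard KDF, and a leaked site password reveals nothing about the key because the per-site step is an HMAC. The catch the post mentions follows directly from the design: change the master password or your name and every derived password changes with it.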

Steganography toolkit for malware

Steganography is a technique used to hide information inside otherwise harmless-looking image files. Security researchers have previously detected its use in hiding malware, but now they’ve discovered software that helps malware authors use the technique. Dell SecureWorks researchers recently analyzed Stegoloader’s capabilities. From their report:

Stegoloader is stealthy in many aspects; it evades analysis tools and deploys only necessary modules, without writing them to disk. Although CTU researchers have not observed Stegoloader being used in targeted attacks, it has significant information stealing capabilities.

The dangers of using secret questions for account recovery

Anyone who uses Internet-based services has seen them: ‘secret’ questions and answers you set up to facilitate password resets and account recovery. The idea is that the service can be sure you are who you say you are because you can correctly answer one or more of these questions. The problem is that this method has serious failings, as reported by Google researchers (PDF). The authors recommend using email-based, or – better still – SMS/text-based account recovery methods.

Testing your anti-malware solution

Is your anti-malware software working? Short of visiting a web site known to distribute malware, how can you be sure? One method involves a special string of text known as the EICAR test. Visit the EICAR web site and download a file containing the text; your anti-malware software should detect the text and identify it as the EICAR test. Alternatively, you can download Didier Stevens’ EICARGen software, which generates files containing the EICAR text. Depending on your anti-malware software’s configuration, the EICAR text may be detected when you attempt to download it, or when you write, read, or execute a file containing it. I currently use Avast, which by default detects EICAR when attempting to download it, and during full and explicit scans, but only detects EICAR in existing files when they are executed.