boot13The latest installment (warning: PDF) of the user-focused Ouch! newsletter from SANS discusses ‘spearphishing’. As in regular phishing, the goal of the attacker is to gain access to computers, systems and services. The difference is that while phishing is targeted very broadly, spearphishing targets specific companies, organizations or even individuals. Attackers typically use this technique to gain access to valuable targets like banks.
All posts by jrivett
More Windows 8.1 disappointments
Microsoft is pulling the plug on Facebook and Flickr integration in Windows 8.1. Microsoft insists that its own apps should be sufficient. Anyone who is currently using the Facebook or Flickr integration in Windows 8 may be heading for major annoyance when they upgrade to 8.1.
A good reason to avoid Windows 8.1: advertising
When Microsoft first started talking about making the Windows user interface more like the XBox 360 UI, I wondered if that also meant we would be seeing advertising in Windows 8. I was both surprised and relieved to see that the Windows 8 Start screen was not filled with ads, which alas cannot be said of the XBox 360 UI.
Well, that relief was short-lived. It was recently announced by Microsoft that the search function built into Windows will display advertising, starting with the Windows 8.1 update. As you read the announcement, marvel at the way advertising will “mak[e] it easier for consumers to complete tasks.” Nice try.
Windows 8.1 Start button will be slightly less useless than expected
Preview versions of Windows 8.1 were recently made available to reviewers, and The Verge reports on some additional tweaks to the Start button. There’s still no Start menu, but right-clicking the Start button will show a power user menu of sorts. The menu includes options to disable hot corners and shut down the computer.
Firefox 22 now available
Version 22 of Mozilla’s web browser was released yesterday, with the usual utter lack of anything approaching a proper announcement. The closest we got was a post on the Mozilla blog entitled “Firefox Delivers 3D Gaming, Video Calls and File Sharing to the Web“. That post discusses some of the new features of Firefox 22, but never actually mentions the new version number. I understand that Mozilla is trying to place less importance on version numbers, but in my opinion this is going too far.
Making things even more confusing, the main download page for Firefox never mentions the current version, although all the download links point to version 22 URLs, which you can see by hovering your mouse over them.
The release notes page is still a confusing mess. The first text you read on that page is “Firefox Notes (First offered to release channel users on June 25, 2013)”. It sounds like they’re saying that Firefox was released on June 25, 2013. What they really mean is that Firefox version 22 was released on June 25, 2013, but the version isn’t mentioned in the title. In fact, the only reference to the version is in a contributor “thank you” note below the title. Below that, the “What’s New” section lists changes made to Firefox, which we can only assume are specific to version 22 because the page’s URL includes the text “22.0”.
A link on the release notes page for version 22 titled “complete list of changes” now points to a list of bugs in Mozilla’s bug tracking system, Bugzilla. The list of bugs shown is huge, and although each of the 510 entries supposedly represents a bug fixed in version 22, the information is highly technical and not really intended for regular users. A proper change list is nowhere to be found.
Somewhat more useful are the confusingly-named and well hidden “known vulnerabilities” and “security advisories” pages for Firefox. The first of those pages lists security vulnerabilities and the versions of Firefox in which they were fixed, including version 22. The second page lists Firefox security vulnerabilities by the date on which they were first reported by Mozilla, with no indication of which vulnerabilities have been fixed, or when they were fixed.
I’ve been pointing out the lack of proper version announcement resources for Firefox here and in other online forums for a while now, but have yet to see any significant progress.
WordPress 3.5.2 released
WordPress 3.5.2 fixes several security vulnerabilities. Given the recent worldwide attacks against WordPress-based web sites, all WordPress sites should be upgraded to the new version as soon as possible.
One of the vulnerabilities fixed in version 3.5.2 is CVE-2013-2173, a Denial-of-Service (DoS) vulnerability recently disclosed on the VND blog. The vulnerability and a Proof of Concept were disclosed on that site one week after the author reported the issue to the WordPress security team. Concerned that a single email might have been caught in a spam filter, I posted a link to the report in two of the WordPress IRC channels (#wordpress and #wordpress-dev), and soon after that I was told that the security team had been notified. It was later disclosed that the original report had indeed been caught by a spam filter, even though the reporter had received a ‘we received your report’ auto-response. The lessons here are: 1) security email inboxes should not have spam filters; 2) don’t use an auto-responder on security email inboxes; and 3) don’t stop reporting a security issue until you’ve heard back from a human being, confirming receipt of your report.
Java 6 end-of-life
Oracle has quietly stopped updating Java 6, sort of. A page on the Java download FAQ site states that updates for Java 6 will no longer be publicly posted, and recommends upgrading to Java 7. Updates for Java 6 will still be available to customers who have support contracts from Oracle.
Switching from Java 6 to Java 7 is going to be a problem for anyone who uses Java-based software that is not yet compatible with Java 7. Large organizations with such Java 6 dependencies will either start paying for support (if they aren’t already), or deal with the consequences of allowing their Java 6 based software to become increasingly vulnerable. Smaller organizations and individuals with Java 6 dependencies who cannot afford to pay for Oracle support may want to consider switching to alternative software.
There’s likely to be a certain amount of backlash against this move. At the very least, if Oracle doesn’t back down from this stance, expect a ‘black market’ in Java 6 updates to start up fairly soon: people with access to the official Java 6 patches will make them available to the public. The main problem with this, besides annoying Oracle, is that nefarious persons are likely to use the need for Java 6 patches as a way to spread malware.
I predict that Oracle will relent; as long as they are still developing updates for Java 6, those updates will end up being publicly available.
Major Java update fixes 40 vulnerabilities
Oracle has released a new version of Java that addresses a large number of vulnerabilities. This is a scheduled “Critical Patch Update” (CPU) for June 2013.
This moves Java 7 from Update 21 to Update 25 (1.7.0_21 to 1.7.0_25).
Anyone using Java in a web browser should install this update immediately.
Google Chrome 27.0.1453.116 released
Yesterday, Google announced another new version of their web browser, Chrome.
The new version is 27.0.1453.116, and it includes a few security fixes, as well as the latest integrated version of Flash (11.7.700.225).
Flash clickjacking vulnerability not really fixed
A Flash vulnerability supposedly already fixed by Adobe is still a problem in some browser/platform combinations. This clickjacking exploit works by hiding a Flash security dialog under other page content, enticing the user into unintentionally clicking the dialog and allowing remote access to the user’s camera and microphone. Be careful what you click!