Category Archives: Security

aka infosec

April security roundup

People who store Slack credentials in GitHub code repositories learned that this is a bad idea, as researchers demonstrated the ease with which this information can be gathered without any explicit permissions.

Scary news: computers at a German nuclear reactor facility were found to be loaded with malware. The only thing that prevented miscreants from playing with real nuclear reactors was the fact that these computers are not connected to the Internet.

Crappy security practices led to the theft of user account information (email addresses and poorly-encrypted passwords) from Minecraft community site Lifeboat.

The notorious hacking group known as Hacking Team made the news again, this time with reports of active drive-by exploits affecting Android devices.

The Nuclear exploit kit is still operating, despite recent, partially-successful, efforts to shut it down. Researchers showed that the kit is still being used, and may be involved in recent ransomware infections.

Good news: the two men responsible for the notorious SpyEye banking trojan, recently extradited to the US to face federal prosecution, will be spending nine and fifteen years in prison.

Zero-day exploits are on the rise, doubling from 24 in 2014 to 54 in 2015. A zero-day exploit is a hack that takes advantage of software vulnerabilities before the software’s maintainers have had a chance to develop a fix.

Cisco security researchers identified vulnerabilities in several enterprise software systems, including Red Hat’s JBoss. As many as three million web-facing servers running this software are at risk of being infected with ransomware, and in fact as many as 2100 infected servers were identified.

More good news: the Petya ransomware was found to contain a flaw that allows its victims to decrypt their data without paying any ransom.

The Mumblehard botnet was taken down by ESET researchers, after it infected at least 4000 computers and sent out countless spam emails.

Microsoft announced plans to prevent Flash content from playing automatically in the Windows 10 web browser Edge. All the major browsers appear to be heading in this direction, if they don’t already have the feature, as Chrome does.

April’s issue of the SANS ‘Ouch!’ newsletter is titled “I’m Hacked, Now What?” (PDF) and provides helpful information for the recently-hacked. The newsletter is aimed at regular users, so it may not be particularly useful for IT professionals, except as a means to educate users.

The wildly popular WhatsApp – a messaging application for mobile devices – now has end-to-end encryption. This will make life more difficult for spy agencies who want to know what users are saying to each other. But WhatsApp users should be aware that this does not make their communications invulnerable, since techniques exist to get around full encryption, such as keystroke loggers.

Bad idea: someone at CNBC thought it would be a good idea to ask users to submit their passwords to a web-based system that would test the passwords and report on their relative strength. The service itself was vulnerable, and exposed submitted passwords to network sniffing. The service was taken offline soon after the vulnerability was identified.

The web site for toy maker Maisto International was hacked and serving up ransomware for an unknown amount of time, probably several days or even weeks. The hack was made possible because the site was using outdated Joomla software.

Vivaldi 1.1.453.52

Now that it’s officially released, Vivaldi is seeing frequent updates. The developers appear to be listening to user feedback and are fixing reported issues and enhancing functionality at a steady pace.

Another new version of Vivaldi was released earlier today: 1.1.453.52. This new version updates the Chromium browser engine, which includes several security fixes. Some Linux installation issues were resolved, and the developer tools improved.

Shockwave 12.2.4.194

At some point in March, Adobe released a new version of Shockwave, 12.2.4.194. The release notes are light on details, saying only that the version includes “Deprecation of SHA-1 certificates in the Shockwave installer.”

SHA-1 is no longer considered secure, so this is a security update, and anyone who uses a web browser with Shockwave enabled should install the latest version as soon as possible. Note that the Shockwave plugin sometimes appears in browsers as Shockwave for Director.

Firefox 46 released

It’s a major new revision for Firefox, with lots of cool new features and enhancements to discuss, so Mozilla actually announced the release on their main blog. Typical of Mozilla announcements, the version is never mentioned.

At least the announcement lists the changes: “improved look and feel for Linux users, a minor security improvement and additional updates for all Firefox users.” Not much there. Turning to the release notes, it looks like the minor security improvement is related to JavaScript. Other changes include ten security fixes, and fixes for a few other bugs.

Since several security vulnerabilities are addressed in 46.0, anyone using Firefox should install the new version as soon as possible.

Java 8 Update 91

If you visit the main Java page and click the Free Java Download button, it will give you Java 8 Update 91. That version was just released, along with Java 8 Update 92. The difference? Both address nine security vulnerabilities – and over 60 bugs in total – in versions earlier than 8u91, but 8u92 adds a few uninteresting enhancements.

This is Java we’re talking about here; since it’s still a popular target for malicious activity, if you use a browser with Java enabled, you should update the Java plugin right away. It’s also a good idea to configure the plugin as ‘click-to-play’. It’s an even better idea to disable it completely, if that’s an option for you.

Windows users: uninstall QuickTime now

QuickTime is Apple’s media player software. It was originally developed for Mac only, but eventually Apple produced a Windows version. It’s often installed on Windows systems as it’s almost the only way to play Apple’s proprietary QuickTime media.

The current version of QuickTime for Windows has at least two security vulnerabilities. Rather than fix those issues, Apple has decided to stop developing the Windows version. In other words, if QuickTime is installed on your computer, it is – and will always be – vulnerable.

This leaves Windows users little choice but to remove QuickTime completely, and that’s what we’re recommending.

Ars Technica has additional details.

Chrome 50 released

According to the full change log, 8748 changes were made to Chrome for version 50.0.2661.75. At least twenty of those changes are related to security, so this is an important update.

With this many changes, it seems reasonable to expect that one or two of them might be worth pointing out, but the release notes only say that there are a number of fixes and improvements, and to “Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 50.”

Rather than spend several days reading the details of all 8748 changes, I’ll wait for further announcements from Google. If I discover anything interesting, I’ll add it here.

Patch Tuesday for April 2016

Microsoft offers up thirteen updates this month, addressing thirty security issues in the usual culprits: Windows, Internet Explorer, Edge, .NET, and Office. Six of the updates are flagged as Critical.

The folks at SANS now provide useful summaries of Microsoft patch days, showing which vulnerabilities are addressed in each update, with multiple risk assessments.

Flash 21.0.0.213 fixes 24 security issues

Earlier this week Adobe issued a security alert about a Flash vulnerability that was (and still is) being actively exploited on the web. As expected, that vulnerability has been fixed in a new version of Flash. In all, twenty-four security vulnerabilities are addressed in Flash 21.0.0.213.

If you use a web browser with Flash enabled, you should install the new version as soon as possible. You can find out whether Flash is enabled in your browser by visiting Check-And-Secure.

As usual, Chrome will update itself with the new Flash, and Internet Explorer and Edge running on newer versions of Windows will get the new Flash via Windows Update.