Category Archives: Security

aka infosec

Adobe releases fix for new zero-day exploit

Yesterday, Adobe released an update for the recently-discovered Flash security vulnerability CVE-2015-7645. Kudos to Adobe for acting quickly to fix this bug, which is being actively exploited on the web.

The new version of Flash (19.0.0.226) addresses the CVE-2015-7645 vulnerability and two others. Additional details are available in the associated security bulletin. Other changes in this version of Flash are described in a post on the Flash runtime announcement site.

As usual, Internet Explorer on newer versions of Windows will get the new version of Flash via Windows Update, and Chrome will update itself via its own auto-updater.

If you’re still using Flash in a web browser, you need to install this update as soon as possible.

Nasty new zero-day exploit affects even most recent Flash

Security researchers at Trend Micro have identified a new Flash exploit being used in targeted attacks against various government agencies. The exploit takes advantage of a previously unknown vulnerability in all versions of Flash, including the most recent, 19.0.0.207. It seems likely that the exploit will be used more widely in the near future.

Adobe quickly confirmed the vulnerability and announced in a security bulletin that a patch will be made available some time next week.

At this point one wonders whether there’s any code left in Flash that hasn’t been afflicted with security vulnerabilities at some point.

As always, if you can possibly live without Flash enabled in your browser, just disable it. If you need to use it, your best option is to configure your browser to always ask before displaying Flash content.

24 security fixes in latest version of Chrome

Chrome 46.0.2490.71 includes fixes for a variety of issues, including at least 24 security vulnerabilities.

As usual, the details are buried in the rather technical change log. Go ahead and take a look, but set aside several hours, because that log is 245,986 lines long. That’s not a typo. I started reading the log, and after scrolling down about 20 pages, I noticed that my browser’s scrollbar hadn’t even moved. There may be some interesting stuff in there, but life’s too short to read that monstrosity.

Patch Tuesday for October 2015

It’s a relatively light month for Microsoft, with only six bulletins, and associated updates affecting Windows, Windows Server, Internet Explorer, Office, and the new Windows 10 browser Edge. Three of the bulletins are flagged as Critical. The bulletin summary has all the details, and it includes a link to Microsoft’s Security Advisories page for 2015, which may be of some interest.

Meanwhile, Adobe’s contribution to this month’s patch pile is more updates for Flash and Reader/Acrobat. The new version of Flash is 19.0.0.207, and it addresses thirteen vulnerabilities. The release notes get into the details of what was changed, which includes a few bug fixes unrelated to security. As always, Chrome will update itself and Internet Explorer on newer versions of Windows will get the new Flash via Windows Update.

The newest versions of Adobe Reader are 11.0.13 for Reader XI, and 2015.009.20069 for Acrobat Reader DC. At least fifty-six vulnerabilities are addressed in these updates. Check out the related security bulletin for additional information.

Security & privacy roundup for September 2015

Android made security news in September for a lockscreen bypass hack and a ransomware app designated Android/Lockerpin.A.

Passwords in the leaked Ashley Madison user database became much easier to crack, once again reminding us to avoid re-using passwords.

A rogue version of the iPhone development tool Xcode was found to have added malicious code to almost 500 legitimate apps. Those apps were published on the Apple App Store, and were subsequently installed by millions of iPhone and iPad users.

In other Apple-related news, a simple bypass was discovered for Gatekeeper, the process that protects Mac OS X users from malicious software.

This month’s Flash updates prompted Brian Krebs to take another look at Adobe Shockwave. He found that even the most recent versions of Shockwave still contain very out-of-date versions of Flash, and strongly recommends that you remove Shockwave from all your computers.

A series of exploits against the Imgur and 8chan sites caused little damage, despite their enormous potential. The true goals of the hack are still in question, and the associated vulnerabilities on the affected sites have been fixed.

A researcher discovered several serious vulnerabilities in popular security software from Kaspersky Lab. While there’s no evidence of exploits in the wild, this is rather alarming. Anti-malware software typically has access to core system functionality, making working exploits very valuable to attackers. Kaspersky Lab acted quickly to fix the bugs, but this isn’t the first time security software has been found vulnerable, and likely won’t be the last.

A new botnet called Xor.DDoS is using compromised Linux computers to perform DDoS attacks against a variety of web sites, probably at the request of paying customers. The Linux computers hosting the botnet appear to have been compromised via weak root passwords. So far, most of the targets are in Asia. This marks a shift in platform for botnet developers, which previously focused almost exclusively on Windows.

Firefox 41 now available

The usual lack of a coherent version announcement accompanied yesterday’s release of Firefox 41. A post on the Mozilla blog refers vaguely to the ‘latest Firefox’, and provides a brief overview of changes to Firefox accounts and synchronization in the new version.

The release notes for Firefox 41 provide more details on the changes, although nothing listed there is of much interest.

Firefox 41 does include at least nineteen security fixes, as outlined on the Firefox Security Advisories page.

Recommendation: update Firefox as soon as possible.

23 vulnerabilities fixed in Flash 19.0.0.185

There’s a new version of Flash. Version 19.0.0.185 addresses almost two dozen security vulnerabilities in previous versions. Yes, as fast as Adobe can plug one hole, another opens up. Happily, the web is already moving away from Flash. With any luck, five years from now Flash will be a distant memory.

If you still use a web browser with Flash enabled, you need to update Flash and any related browser extensions as soon as possible.

As usual, Internet Explorer on newer versions of Windows will get its own Flash updates via Windows Update, and Chrome will auto-update itself with the latest Flash.

Compromised WordPress sites again used in malware campaign

WordPress continues to be a victim of its own success. There are so many sites built using the WordPress software that it remains a tempting target for malicious activities. Many WordPress sites are managed by less technically-savvy people, which means that they may not be kept up to date with security patches, and may use plugins that are known to be vulnerable.

Most recently, an active malware campaign (designated “VisitorTracker” by researchers) is using thousands of compromised WordPress sites to direct site visitors to servers hosting attack code connected with the Nuclear exploit kit.

If you run a WordPress site, please make sure that it’s up to date, that you only use plugins that are compatible with the latest version of WordPress, and that those plugins are themselves up to date. If you suspect that your site has been compromised, take it offline and rebuild it.