Category Archives: Security

aka infosec

Microsoft updates for May 2015

It’s the second Tuesday of the month, so Microsoft is pushing out another set of updates. This month there are thirteen updates, addressing about 50 vulnerabilities in Windows, Internet Explorer, .NET, Office, and Silverlight. Three are flagged as Critical.

As always with security updates affecting Windows, you should install these as soon as possible.

Two of the updates (MS15-044 and MS15-049) affect Silverlight. Once you install these updates, your version of Silverlight should be 5.1.40416.0, which you can confirm on the Get Silverlight page. Installing from that page will also update Silverlight to version 5.1.40416.0. That’s also the only way you can get the latest version if you’re using Windows XP.

Security updates for Adobe Flash and Reader

Updates for Flash and Reader/Acrobat, released earlier today by Adobe, address a variety of security vulnerabilities “that could potentially allow an attacker to take control of the affected system.”

Flash 17.0.0.188 includes fixes for at least eighteen vulnerabilities, all of which have been flagged as Critical.

Adobe Reader/Acrobat version 11.0.11 addresses seven Critical vulnerabilities.

Anyone still using Flash in a web browser should update Flash as soon as possible. If you use Adobe Reader to open PDF files from unknown sources, you should update Reader as soon as possible. As usual, newer versions of Internet Explorer will auto-update, as will Chrome (to version 42.0.2311.152).

Recent surge in spam likely due to Mumblehard botnet

If you noticed more spam than usual in your inbox in recent months, you’re not alone. You may also have noticed that using your email client to block the sender is typically ineffective. That’s because the spam is coming from thousands of different domains, each corresponding to a different compromised web server.

This is the work of the Mumblehard botnet, which ESET researchers observed sending mass spam starting about seven months ago. The Mumblehard code has existed on the web for at least five years, but seems to have started its spamming activities on a large scale only in the last year or so.

Computers infected with Mumblehard are typically Linux web servers. It remains unclear exactly how servers become infected, but researchers suspect that unpatched WordPress and Joomla vulnerabilities provide the key.

WordPress 4.2.2 and critical theme updates

A new version of WordPress addresses several critical security issues. Version 4.2.2 also fixes some non-security issues that were introduced in WordPress 4.2.

The vulnerabilities fixed in WordPress 4.2.2 are being actively exploited on the web, so anyone who operates a WordPress site should immediately check whether the new version has been auto-installed, and if not, install it.
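The check described above, written out as a small POSIX shell script. This is an added example and not part of the original post or of WordPress itself: it reads the `$wp_version` string from `wp-includes/version.php`, compares it component by component against a minimum (4.2.2, taken from the text), and reports whether the site still needs the update. The helper names and the sample site it builds under a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a WordPress install has reached a minimum version.
# Not from the original post; helper names and sample data are constructed.

# Print the value of $wp_version from a wp-includes/version.php file.
# The line in that file looks like:  $wp_version = '4.2.2';
wp_version_from_file() {
    file="$1"
    [ -r "$file" ] || return 1
    grep '^\$wp_version' "$file" | cut -d"'" -f2 | head -n 1
}

# Return 0 if version $1 is at least version $2 (numeric, dot-separated).
# Missing trailing components count as 0, so 4.2 < 4.2.2 and 4.3 > 4.2.2.
version_at_least() {
    have="$1"; want="$2"
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*}; w=${want%%.*}
        if [ "$h" = "$have" ]; then have=""; else have=${have#*.}; fi
        if [ "$w" = "$want" ]; then want=""; else want=${want#*.}; fi
        h=${h:-0}; w=${w:-0}
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
    done
    return 0
}

# Check the WordPress root in $1 against minimum version $2.
# Exit status: 0 up to date, 1 outdated, 2 version could not be read.
wp_check() {
    root="$1"; min="$2"
    found=$(wp_version_from_file "$root/wp-includes/version.php")
    if [ -z "$found" ]; then
        echo "$root: cannot read version from wp-includes/version.php" >&2
        return 2
    fi
    if version_at_least "$found" "$min"; then
        echo "$root: WordPress $found is at least $min, no action needed"
        return 0
    fi
    echo "$root: WordPress $found is older than $min, update now" >&2
    return 1
}

# Constructed sample: build a fake WordPress tree in $1 reporting version $2.
make_sample_site() {
    mkdir -p "$1/wp-includes"
    printf '<?php\n$wp_version = %s%s%s;\n' "'" "$2" "'" > "$1/wp-includes/version.php"
}

# Stand-alone demonstration against a constructed site.
demo=$(mktemp -d)
make_sample_site "$demo" 4.2.2
if wp_check "$demo" 4.2.2; then
    echo "demo site passed the check"
else
    echo "demo site failed the check (status $?)"
fi
rm -rf "$demo"
```

On a real server you would call `wp_check /var/www/html 4.2.2` (path assumed) from cron or a monitoring job and alert on a non-zero exit status; the version comparison is done in plain shell so the script does not depend on `sort -V` being available.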

Another vulnerability was recently discovered in the Twenty Fifteen theme that comes packaged with newer versions of WordPress. An updated version of the theme that addresses the issue is now available.

User and sysadmin mistakes allow intruder access in most cases

Recent studies from Verizon and Symantec show that malicious hackers almost always gain unauthorized access to computer systems because of misconfigured software and user errors. You don’t have to be a genius hacker to get into a supposedly secure system if a sysadmin left the door wide open, or if you can fool a gullible user into revealing their password.

As a user, you’re probably getting tired of being told to be careful when clicking links on the web and in email. But it’s good advice. If you receive an email message that includes a link, and tells you to click the link, think before you click. If someone asks you for your password, do not give it to them.

Chrome and Internet Explorer add security features

A new extension for Chrome called Password Alert helps users recognize when they’ve unknowingly entered their Google/GMail password on a phishing web page. The extension does this without itself compromising security. If you use Chrome, this extension is highly recommended. You can find the extension in the Chrome web store. Bruce Schneier has more.

Meanwhile, Microsoft is adding a feature to Internet Explorer that will warn users when they visit a site with ads that contain malware. The feature is expected to start working on June 1.

Update 2015May01: And just like that, Google’s Password Alert extension is shown to be extremely easy to bypass. Google issues an update, which is also shown to be seriously flawed.

Jeff Atwood on passwords

Noted technology blogger Jeff Atwood discusses passwords in a recent post on his entertaining and informative site Coding Horror.

Jeff wants web-based services to get better both at insisting on strong passwords and at helping users choose them, or else to switch to authentication technologies provided by Facebook, Google, and others. Based on his testing, he also observes that passwords shorter than twelve characters are easy to crack using brute force methods.

WordPress 4.2 and 4.1.3

WordPress 4.2 was released yesterday. This version adds some new features and improves others. This is not a security-related update.

Updating to version 4.2 also seems to trigger several theme updates. On one of my sites, which uses a Twenty Eleven child theme, an update to the parent Twenty Eleven theme caused the site to stop working completely. I was able to resurrect the site by installing the Twenty Eleven theme again manually. Update: apparently one of the download servers had an incomplete copy of the theme. This problem has been resolved.

Confusingly, WordPress 4.1.3 was also released yesterday. Because it was released so soon after 4.1.2, it’s safe to assume that it contains more security fixes. However, details are sketchy at this point. There was no formal announcement of the release. The WordPress Codex entry for version 4.1.3 says ‘Fix database writes for esoteric character sets, broken in the WordPress 4.1.2 security release.’

WordPress sites configured for auto-updates will update themselves to version 4.1.3 over the next few days. Depending on the auto-update settings, WordPress sites may also update themselves to version 4.2, bypassing 4.1.3. This shouldn’t be a problem, since it’s safe to assume that any fixes in 4.1.3 are also in 4.2.

Your best bet at this point is to update your WordPress sites manually to version 4.1.3. Then start testing version 4.2; once you’re sure it’s not going to break anything, upgrade your production sites.