Category Archives: Security

aka infosec

If you needed another reason to stop using iTunes on a PC…

February 20, 2015 jrivett Leave a comment

Even diehard Mac users are increasingly frustrated with the bloated mess that is Apple’s iTunes. If ever a piece of software needed a total rewrite, it’s iTunes.

The Windows version of iTunes is even worse. My own early evaluation left me wondering whether Apple had intentionally made the software buggy and unstable, as a ploy to get people to ditch their PCs in favour of Macs. Suffice to say that I haven’t let it anywhere near any of my PCs since then.

Now, security researchers have discovered that iTunes for Windows includes ancient software libraries that contain numerous security vulnerabilities.

Recommendation: do not use iTunes on any Windows PC. Doing so is just asking for trouble.

Adware, Hardware, Internet, Security

A warning to Lenovo PC users

February 20, 2015 jrivett 1 Comment

PC manufacturer Lenovo has been shipping PCs with an extraordinarily nasty piece of adware called Superfish.

The basic concept is bad enough: Superfish watches your Internet activity and injects advertisements into web pages. But Superfish is much worse than that, since in the process of hijacking your web sessions, it opens your PC to ‘man in the middle’ attacks.

Lenovo has been downplaying the risks involved, while analysts continue to demonstrate just how bad this situation really is.

Affected models include:

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30]

You can confirm that your computer is affected using the Superfish CA test (offline as of 2016Jan06).

Anyone who owns or uses one of these models should follow the Superfish removal instructions or ask their IT/support person to look into it.

Update 2015Feb21-1: Lenovo is may be starting to recognize and admit their mistake. Meanwhile, Superfish (developers of the adware) remains defiant, and Komodia (who develop spyware that is apparently at the heart of this issue) is saying nothing at all.

Update 2015Feb21-2: Microsoft has added Superfish detection and automatic removal to Windows Defender.

Update 2015Feb21-3: Lenovo’s CTO is still in denial, saying the vulnerability is ‘theoretical’.

Update 2015Feb21-4: Ars Technica takes a closer look at the Komodia software and the risks related to the way it was used by Superfish.

Update 2015Feb21-5: Superfish (the company) has a history of annoying people with their intrusive technologies. That hasn’t stopped them from making a ton of money, however. The company’s CEO is insisting that they did nothing wrong, but doesn’t address the specific technical concerns.

Hardware, Internet, Security

Netgear routers vulnerable to attack

February 18, 2015 jrivett Leave a comment

Several popular wireless routers made by Netgear are susceptible to attacks using a recently-discovered vulnerability in their firmware.

From the original report, posted by Peter Adkins on the Full Disclosure mailing list:

Platforms / Firmware confirmed affected:
—-
NetGear WNDR3700v4 – V1.0.0.4SH
NetGear WNDR3700v4 – V1.0.1.52
NetGear WNR2200 – V1.0.1.88
NetGear WNR2500 – V1.0.0.24

Additional platforms believed to be affected:
—-
NetGear WNDR3800
NetGear WNDRMAC
NetGear WPN824N
NetGear WNDR4700

Anyone using one of these routers should immediately confirm that its web interface is NOT enabled for access from the WAN/Internet. If possible, it should also be configured to restrict access to the admin interface to specific IP addresses on the LAN.

A CVE number has not yet been assigned to this vulnerability. Hopefully Netgear will release firmware updates to address this flaw in the near future.

Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for February 2015

February 10, 2015 jrivett Leave a comment

Microsoft has announced this month’s updates. There are nine bulletins and associated patches, addressing 56 vulnerabilities in Windows, Office and Internet Explorer. Three are flagged as Critical.

Recommendation: install these updates as soon as possible. At least one of them fixes a bug that’s currently being exploited in the wild.

The official bulletin summary has all the technical details.

Chrome, Flash, Google, Patches and updates, Security

Chrome 40.0.2214.111 fixes several vulnerabilities

February 6, 2015 jrivett Leave a comment

The latest version of Chrome fixes eleven security issues. Version 40.0.2214.111 also includes the latest embedded version of Flash (16.0.0.305).

The release notes for Chrome 40.0.2214.111 describe some of the changes in the new version. There’s a link to the ‘full list of changes’, but since the linked page is an automated change log from the version management software Git, it’s aimed at developers and not much use for regular users. A link to ’11 security fixes’ currently displays an empty page.

In any case, since the new Chrome contains security fixes and the new Flash, anyone using the browser is strongly encouraged to allow Chrome to update itself before using it for web browsing.

Adobe, Flash, Patches and updates, Security

Flash 16.0.0.305 fixes latest zero-day

February 6, 2015 jrivett Leave a comment

To their credit, Adobe is reacting swiftly to the recent outbreak of critical vulnerabilities in Flash. They just released another new version (16.0.0.305) to address vulnerability CVE-2015-0313, which is being actively exploited on the Internet.

Anyone using Flash, especially in a web browser, should install the new version as soon as possible.

Internet Explorer for Windows 8.x and Google Chrome will see related updates in the very near future.

Update 2015Feb07: Ars Technica: As Flash 0day exploits reach new level of meanness, what are users to do?

Internet Explorer, Microsoft, Security

Unpatched vulnerability in Internet Explorer

February 5, 2015 jrivett Leave a comment

Ars Technica reports on a serious bug in current versions of Internet Explorer that could allow attackers to gather security credentials from targeted Windows computers.

Microsoft is aware of the problem and is working on a fix. Anyone using Internet Explorer should exercise extreme caution when opening links from sources not known to be safe.

Adobe, Flash, Security

Another critical Flash vulnerability

February 3, 2015 jrivett Leave a comment

Adobe has posted an alert about yet another critical vulnerability in Flash. This issue (CVE-2015-0313) affects all versions of Flash, including the most recent (16.0.0.296).

So far there is no patch from Adobe, although one is expected this week. As always, disable flash in your browser if you don’t need it, exercise great care in web browsing if you need Flash, and configure Flash browser plugins as ‘Ask to activate’ where possible.

Firefox, Patches and updates, Security

Firefox 35.0.1 fixes several bugs

January 27, 2015 jrivett Leave a comment

A new version of Firefox was released by Mozilla yesterday. Version 35.0.1 includes fixes for various crashing and security issues.

There was no announcement from Mozilla for Firefox 35.0.1. As usual, I learned of the new release from non-Mozilla web sites. The struggle continues.

Although there have been some improvements to the release notes for Firefox, it’s still often difficult to determine whether the items listed changed in the version being discussed, or in a previous version. For instance, while all the items at the top of the list marked as ‘Fixed’ also refer to version 35.0.1, nothing else on the list refers to a specific version. Many of those items do in fact look like they are related to Firefox 35.0. There’s a link to ‘various security issues‘, but again it’s not clear what on that list is specific to version 35.0.1.

The ‘complete list of changes‘ link to Bugzilla is still not much help.

Adobe, Flash, Patches and updates, Security

Adobe releases another Flash zero-day fix

January 27, 2015 jrivett Leave a comment

Adobe has updated the bulletin related to the CVE-2015-311 vulnerability in Flash. Apparently a new version of Flash (16.0.0.296) has been released to address the bug.

Initially, the new version was not available from the main Flash download page, although computers with Flash’s automatic update feature enabled did download and install it. As of January 27, the new version is available on the Flash download page.

Anyone using a web browser with Flash enabled should install the new version as soon as possible.

Ars Technica has additional details.

Update 2015Jan28: Adobe has issued another security bulletin for this update.

Update 2015Jan30: Flash 16.0.0.296 also addresses the vulnerability CVE-2015-312.

boot13