Category Archives: Security

aka infosec

EMET 5 released by Microsoft

Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) is free software that improves the overall security of Windows computers. EMET isn’t a replacement for anti-malware software; rather, it provides additional protections that complement anti-malware software.

There’s little downside to using EMET, so we recommend installing it on all Windows computers. By default, it provides specific protections for Microsoft software, including Office and Internet Explorer.

Version 5 adds new mitigations and features.

Shockwave 12.1.3.153

Apparently a new version of Adobe Shockwave was released on July 1, 2014. The new version is 12.1.3.153.

The main welcome/download page for Shockwave shows the latest version and provides a test that shows the version you’re currently running. If you’re not running the latest version, you can download and install it from that page. The Shockwave Player Help page does much the same thing.

Adobe’s web resources for Shockwave are appallingly bad. The list of security updates is over a year out of date. The most recent update listed is for version 12.1.0.150. The official Shockwave version history is even worse, as it hasn’t been updated since 2007! There doesn’t seem to be any kind of an update alert mechanism such as an RSS feed, although with the information so out of date, that wouldn’t really help.

The best resource for keeping track of Shockwave versions that I’ve found so far is FileHippo’s Shockwave version history.

Microsoft XML code vulnerable on many computers

A recent report from Secunia (PDF) highlights the unfortunate hole into which some versions of the Microsoft XML parser library have fallen.

Numerous versions of this library are available for Windows, and any or all of them can be installed at the same time on Windows PCs. Some versions are no longer supported by Microsoft, and updates for those older versions won’t appear in Windows Update.

Because of this, many Windows PCs contain versions of this library that have security vulnerabilities.

Microsoft’s documentation on the XML library is confusing and incomplete. For what it’s worth, here are a couple of links to said documentation:

We recommend installing and running Secunia’s PSI, which scans for out of date software, including Microsoft’s XML libraries. PSI also helpfully provides links to download any missing updates.

Update 2014Jul30: A reader pointed out that getting MSXML4 up to date is not a simple task. Here’s what you need to know:

  • The most up to date MSXML4 is a patched version of MSXML4 SP3, specifically 4.30.2117.0.
  • Windows Update won’t offer newer updates for MSXML4 if the version on your computer is SP2. This is the basic problem pointed out by Secunia.
  • To get the most recent MSXML4 on your computer, you have to manually download and install MSXML4 SP3, then run Windows Update, which should show this update: Security Update for Microsoft XML Core Services 4.0 Service Pack 3 (KB2758694). Once you install that update, you should be running MSXML4 SP3 version 4.30.2117.0.
  • Even after you’re running the most recent version of MSXML4, Secunia PSI will tell you it needs to be updated. That’s because Secunia has decided to report MSXML4 as ‘end-of-life’ (which it is) and direct users to MSXML6 instead. There are two problems with this: first, installing MSXML6 will not remove any earlier versions, including MSXML4; second, Microsoft recommends leaving MSXML4 in place as long as it’s up to date. The upshot is that unless you manually remove all remnants of MSXML4, PSI will keep telling you to install MSXML6, even if it’s already installed.

Further reading:

Sensible passwords

By now you’re probably sick of hearing the password mantras “use long, complex passwords”, and “don’t reuse specific passwords for multiple accounts”. Sick or not, that advice is still valid, and anyone who signs in to online services should be following it.

But you can make your online life a bit easier if you give some thought to the risk associated with each account you’re trying to protect. A password used to access an obscure web forum doesn’t need to be as complex (and difficult to remember) as the password for your online bank account.

Researchers from Microsoft and Carleton University have done the math, and conclude that this risk-based approach is sound.

We still strongly recommend the use of an offline password manager such as Password Corral or Password Safe. But at least now you can consider using easier-to-remember passwords for some accounts.

Firefox 31 released

Thanks once again to organizations like CERT and SANS, this morning I was alerted to a new version of Firefox.

Version 31 includes fixes for security vulnerabilities and other bugs, and adds several features, none of which is likely to be of much interest to anyone except developers.

There’s a post on the Mozilla blog that seems to be about the new Firefox, although it’s difficult to know for sure since the new version is never actually mentioned. New version announcements for Firefox are still terrible.

The official release notes for the new version are still woefully inadequate. Notable security fixes in Firefox 31 are listed on the Security Advisories (aka Known Vulnerabilities) page.

Web-based password managers found to be insecure

Researchers at the University of California, Berkeley tested several popular web-based password managers and found serious vulnerabilities.

Although it’s a good idea to use password management software, any web-based service is going to be a tempting target for nefarious persons, since discovering one password will typically open a treasure trove of additional passwords.

We recommend using an offline password manager like Bruce Schneier’s Password Safe or Password Corral.

New Java updates fix 20 vulnerabilities

Oracle published its most recent quarterly Critical Patch Update bulletin on Wednesday. The bulletin describes updates to most of Oracle’s products, including its flagship database software, but the updates of interest to most people are those related to Java.

New versions of Java include fixes for twenty security vulnerabilities, many of which could be exploited by attackers to gain control of affected computers. The Java SE 8 Update 11 and Java SE 7 Update 65 release announcement outlines some new features, while the full release notes for Java 7 Update 65 and Java 8 Update 11 provide additional details.

As usual, given the severity of the vulnerabilities fixed by these new versions, you are strongly encouraged to update as soon as possible, particularly if you are using a Java-enabled web browser. Brian Krebs has more.

Microsoft issues emergency update of Certificate Trust List

A set of fraudulent security certificates was identified by security researchers at Google on July 8. The certificates were issued by an authority in India, and trusted by the Microsoft Root Store. That means the bogus certificates potentially impact anyone using certain Windows applications, and especially Internet Explorer.

Microsoft was quick to react, issuing an update of their Certificate Trust List on July 10. Anyone using Internet Explorer should install the update as soon as possible.

Flash 14.0.0.145 fixes more security vulnerabilities

These days ‘Patch Tuesday’ means Adobe updates as well as Microsoft updates. This month was no different: Adobe released a new version of Flash that addresses at least three vulnerabilities, including the JSONP callback API problem that made several popular sites potentially vulnerable.

The Flash runtime announcement for the new version outlines a few new features, most of which are likely only of interest to developers. The associated security bulletin gets into the details of the included security fixes.

As usual, Google Chrome will update itself, but this time via its internal ‘component updater’ rather than with a new version of the browser. Warning: the component updater sometimes takes a few days to do its work; unfortunately, there doesn’t seem to be any way to force the update.

Updates for the Flash component in Internet Explorer running on Windows 8.x will be made available through Windows Update.