Category Archives: Security

aka infosec

Java no longer supported on Windows XP

As of April 8, 2014, Oracle is no longer supporting the use of Java on Windows XP. Java 7 can still be installed on Windows XP, and Java 7 updates installed on Windows XP will probably work as expected, but Oracle says you’re on your own if bad things happen. Java 8 will refuse to install on Windows XP.

Recommendation: if you still have computers running Windows XP, stop using Java on those computers.

Update 2014Jul18: Oracle recently posted a clarification, saying that Java issues affecting only Windows XP will not be addressed with updates. Java issues affecting Windows XP as well as other versions of Windows will get updates, and those updates will work as expected on Windows XP.

Edit 2014Jul18: fixed two typos in the first paragraph.

Advance notification for July Microsoft updates

This month’s updates will become available around 10am Pacific time on July 8. Six bulletins are expected, with associated updates affecting Windows and Internet Explorer. Two are rated Critical.

The official advance notification bulletin has all the technical details, while as usual there’s a less technical summary over on the MSRC blog.

Vulnerability in TimThumb

TimThumb is a toolkit for cropping and resizing images that’s used in numerous WordPress themes and plugins. A serious flaw in TimThumb was widely exploited several years ago to hijack thousands of WordPress sites.

A new vulnerability in TimThumb was recently disclosed. This new flaw lets an attacker execute code of their choosing on the server hosting a vulnerable WordPress site. Thankfully, the vulnerability is only reachable when TimThumb’s ‘webshot’ feature is enabled, and that feature is disabled by default.

If you administer any WordPress sites, check them for TimThumb and make sure webshot is disabled. Search each site’s files for ‘timthumb.php’. A single site can hold several copies, one in every theme or plugin that bundles it, so check every copy you find. In each one, look for the line that defines WEBSHOT_ENABLED. If it reads like this:

define ('WEBSHOT_ENABLED', true);

… change ‘true’ to ‘false’ and save the file. The stock line is a guarded default, if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false);, so a copy that still has that line untouched is fine. Changing the value is safer than commenting the line out: if the enabling define is the only one present and you comment it out, the constant is never defined, and PHP treats an undefined constant as a non-empty string, which tests as true. Also look for a timthumb-config.php next to each timthumb.php, because timthumb.php loads its settings from that file when it exists, and a define there overrides the default.
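Checking a whole site by hand is tedious, so here is a small shell script that performs the search above for every copy at once. It is an added example written for this page, not code from the TimThumb project or from the original post. It assumes a POSIX sh with find and grep -E, matches the define() form timthumb.php itself uses (a commented-out define does not count as enabled), and builds a constructed sample tree with three copies so it can be run without a real WordPress install.

```shell
#!/bin/sh
# Added example (not from the original post or the TimThumb project): find
# every copy of timthumb.php under a WordPress install and report which ones
# have the 'webshot' feature switched on. The files written by
# make_sample_tree are constructed for the demo.

# A line that enables webshot: an optional leading "if (...)" guard, as in the
# stock timthumb.php, then define('WEBSHOT_ENABLED', true). Lines beginning
# with a comment marker (//, #, /*) do not match, so a commented-out define
# counts as disabled. The '.' either side of WEBSHOT_ENABLED stands for the
# quote character; matching is case-insensitive so TRUE and true both count.
WEBSHOT_ON_RE='^[[:space:]]*(if[[:space:]]*\(.*\)[[:space:]]*)?define[[:space:]]*\([[:space:]]*.WEBSHOT_ENABLED.[[:space:]]*,[[:space:]]*true'

# webshot_enabled FILE: exit status 0 if FILE enables webshot, 1 otherwise.
webshot_enabled() {
    grep -Eiq "$WEBSHOT_ON_RE" "$1"
}

# scan_timthumb ROOT: list every timthumb.php under ROOT, plus any
# timthumb-config.php (timthumb.php reads one if it sits beside it), and
# flag the copies with webshot on. Exit 0 if all are safe, 1 if any is not.
scan_timthumb() {
    [ -d "$1" ] || { echo "scan_timthumb: no such directory: $1" >&2; return 2; }
    flagged=0
    # The file list goes through a temp file rather than "find | while" so the
    # loop runs in this shell and the counter survives it.
    list=$(mktemp)
    find "$1" -type f \( -name timthumb.php -o -name timthumb-config.php \) > "$list"
    while IFS= read -r f; do
        if webshot_enabled "$f"; then
            echo "WEBSHOT ENABLED: $f"
            flagged=$((flagged + 1))
        else
            echo "ok:              $f"
        fi
    done < "$list"
    rm -f "$list"
    [ "$flagged" -eq 0 ]
}

# make_sample_tree DIR: a constructed WordPress-like tree with three copies:
# the stock default (safe), webshot enabled (vulnerable), and an enable that
# was commented out in a timthumb-config.php (safe).
make_sample_tree() {
    mkdir -p "$1/wp-content/themes/theme-a" \
             "$1/wp-content/plugins/plugin-b" \
             "$1/wp-content/themes/theme-c"
    cat > "$1/wp-content/themes/theme-a/timthumb.php" <<'EOF'
<?php
if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', false); // stock default
EOF
    cat > "$1/wp-content/plugins/plugin-b/timthumb.php" <<'EOF'
<?php
if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', TRUE);
EOF
    cat > "$1/wp-content/themes/theme-c/timthumb-config.php" <<'EOF'
<?php
// define('WEBSHOT_ENABLED', true);  // disabled by commenting it out
EOF
}

# Usage: sh timthumb-check.sh /path/to/wordpress
# With no argument, build and scan the constructed sample tree instead.
if [ "$#" -gt 0 ]; then
    scan_timthumb "$1" || echo "one or more copies have webshot enabled" >&2
else
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    scan_timthumb "$demo" || echo "one or more copies have webshot enabled" >&2
    rm -rf "$demo"
fi
```

Run it as sh timthumb-check.sh /var/www/html against a real install; the exit status of scan_timthumb is 1 when any copy has webshot on, so the check can sit in a cron job or a deployment script. The pattern only inspects lines that begin with the define (optionally behind TimThumb’s if-guard), so a define sitting inside a multi-line /* ... */ comment would still be flagged: treat a hit as a file to open and read, not as proof that the site is exploitable.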

Vulnerability in Microsoft Malware Protection Engine

A serious vulnerability in the engine at the core of Microsoft’s anti-malware products (the Microsoft Malware Protection Engine) opens the door to a denial-of-service attack against the protection itself.

An attacker could craft a special file which, when scanned by affected software, stops the engine from monitoring the system, leaving it blind to any and all malware until the file is removed by hand and the anti-malware service is restarted. A new engine update from Microsoft fixes the vulnerability.

Software that uses the Malware Protection Engine is typically configured to update itself automatically. That includes Microsoft Security Essentials, a free Windows-based anti-malware solution.

If you are using MSSE, you can determine whether the patch has been installed by opening MSSE, clicking the small arrow next to ‘Help’, then clicking ‘About’. You should see a line like this:

Engine Version: 1.1.10701.0

If your Engine Version is 1.1.10701.0 or higher, the fix is installed and you are protected against this vulnerability. If the version is 1.1.10600.0 or lower (1.1.10600.0 is the last affected version), go to the Update tab and click the Update button; the new engine is delivered along with the latest definitions.

Microsoft Security Advisory 2974294 provides additional details.

Twitter worm spread via TweetDeck

If you use Twitter at all, you may have noticed a strange tweet showing up in your timeline yesterday. The tweet contained a script that exploited a bug in the popular Twitter client TweetDeck: the application displayed the tweet’s contents without neutralizing the script (a cross-site scripting bug), so the script ran inside TweetDeck and retweeted itself from each affected account, which is how it spread.

TweetDeck’s developers took the service offline briefly to deal with the problem, and the fix was later confirmed to be in place.

Anyone using TweetDeck is advised to log out and back in to make sure the fix takes effect.

Shockwave 12.1.2.152

The latest version of Adobe Shockwave Player is 12.1.2.152.

Unfortunately, the release notes for Shockwave on Adobe’s site haven’t been updated since 2007, so it’s difficult to know for sure what changed in this version. Given Adobe’s track record, though, it’s safe to assume that running an older version of Shockwave leaves your computer less secure.

Then again, since Shockwave bundles its own, out-of-date copy of Flash, you might want to consider removing Shockwave from your computer completely unless you absolutely require it. Another option is to configure your browser to prompt for activation whenever Shockwave media is encountered (click-to-play). See the instructions for doing this in Firefox elsewhere on this site.

Firefox 30.0 released

Firefox 30.0, released yesterday, fixes at least seven security issues.

The release notes for version 30.0 list several other changes in this release, but only one is worth mentioning: a new ‘Sidebars’ toolbar button, presumably added in response to complaints that version 29 made it harder to toggle the bookmarks sidebar on and off. Toggling the sidebar still takes two clicks rather than the single click it took before version 29, so that’s not exactly progress.

For those of you keeping score, the release notes pages for Firefox are still a mess.