Category Archives: Security

aka infosec

Microsoft Patch Tuesday for May 2014

This month’s crop of updates addresses thirteen vulnerabilities in Windows, Office, Internet Explorer, SharePoint and .NET.

There are eight bulletins, with two of them being flagged as Critical.

There are no updates for Windows XP this month, so it looks like Microsoft really has put the final nail in XP’s coffin.

The summary bulletin on the TechNet Security TechCenter has all the gory details. As usual, there’s a friendlier summary on the MSRC blog, and the SANS Internet Storm Center handlers diary has a slightly different take on this month’s updates.

Advance notification for May 2014 Patch Tuesday

Next Tuesday we’ll find out whether Microsoft is going to stick to its original plan and stop providing Windows XP security updates to us ordinary folks.

According to the Advance Notification post on the MSRC blog, this month’s updates will include eight bulletins, with two of those being Critical. The updates affect the usual suspects, including Windows, Office, Internet Explorer and .NET.

The more technical Advance Notification security bulletin on the TechNet Security TechCenter definitely does not list Windows XP anywhere.

DropBox issue exposes private documents

Security researchers recently discovered a flaw in DropBox’s shared links feature that could expose users’ private documents to third parties in certain circumstances. DropBox responded quickly to fix the vulnerability. It’s not clear whether the vulnerability was known to – or exploited by – any nefarious persons before the fix.

If you use DropBox, you should review the Shared Links settings for anything you have shared, and restrict shared links to collaborators only rather than leaving them open to anyone who obtains the link.

Microsoft issues special update for Internet Explorer

We recently reported on a serious vulnerability affecting all versions of Internet Explorer that is being exploited on the web.

Well, it appears that Microsoft sees this vulnerability as very serious, because they are planning to release an update – later today – that addresses the problem. This is an ‘out-of-band’ update, meaning that it’s considered too important to wait for the next Patch Tuesday.

Just in case you were wondering, this vulnerability affects all versions of Internet Explorer on all versions of Windows, including Windows XP. But the patch will not be made available for Windows XP computers.

Update 2014May02: Surprisingly, Microsoft has decided to make this update available for Windows XP. I confirmed this by running Microsoft Update on my WinXP test system: security update 2964358 was offered, and I installed it without any difficulties. Reading through the associated bulletin (MS14-021) there is no explanation for this decision, but there is confirmation, in the section titled “Security Update Deployment – Windows XP (all editions)”, and in a related post on the MSRC blog. The Verge has additional details, as does Ars Technica. The Ars Technica post includes the official explanation from Microsoft:

Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP (including embedded) today. We made this exception based on the proximity to the end of support for Windows XP. The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown. Unfortunately this is a sign of the times and this is not to say we don’t take these reports seriously. We absolutely do.

Update 2014May02: Another Ars Technica post makes the argument that releasing a patch for Windows XP was a mistake. The moment of truth will be Patch Tuesday for May 2014: will Microsoft stick to its guns and leave Windows XP out of the next set of patches?

Firefox 29 released

Another new version of Firefox was announced on April 29.

Version 29 is touted by Mozilla as ‘elegant’ and ‘the most customizable’ Firefox ever, but there’s been a lot of noise on the web from people who are unhappy with the user interface changes.

It’s not really clear why many major browser developers are trying to make their browser look exactly like Google’s Chrome, but that does seem to be what’s happening. Last year, Opera chucked their own Presto browser engine in favour of the Chromium engine, with the result being that Opera is now almost indistinguishable from Chrome. Mozilla hasn’t gone that far: their browser engine hasn’t changed, but in terms of appearance, Firefox now looks a lot more like Chrome. Perhaps they think that if Firefox looks like Chrome, users won’t realize they’re not actually using Chrome.

Has anyone done any actual usability studies on these UI elements that are now so popular among developers, like rounded corners on everything? Do rounded corners make people more productive? I doubt it. Another example is Firefox 29’s tab bar, which (besides having those awesome rounded corners we should apparently care so much about) now makes unselected tabs fade out so that they are hardly visible. How is this a good thing? Mozilla seems to think that being able to read what’s on those unselected tabs is a major distraction. Nope.

As for Firefox 29 being more customizable, I beg to differ. I was previously able to open and close the bookmark toolbar with a single click of a toolbar icon. That icon is nowhere to be seen in Firefox 29. Instead, I now have to click the ‘Show your bookmarks’ icon, then click ‘View bookmarks sidebar’. This is progress?

The release notes page for Firefox 29 lists several new features and changes, none of which are particularly useful or interesting.

The best thing about Firefox 29, in my opinion, is that web site favicons – those little icons that appear next to the page title in the tab bar and desktop shortcuts – now seem to work reliably. Previous Firefox versions had a lot of trouble with some favicons.

Several security issues were fixed in version 29, so even if you think you’ll hate the new UI, you should probably upgrade anyway.

On a related note, despite my having diligently reported my problems with the Firefox release notes pages (bug #973335) and version announcement pages (bug #973330), Mozilla has done nothing to improve them, as you can see from the pages for Firefox 29.

Ars Technica has their own review of the changes in Firefox 29.

Adobe releases Flash 13.0.0.206

A new version of Flash, announced earlier today, addresses several security vulnerabilities, one of which (CVE-2014-0515) is being actively exploited on the Internet.

As with most Flash vulnerabilities, Adobe says that the ones addressed in this update “could potentially allow an attacker to take control of the affected system.”

The security bulletin associated with this update provides additional details regarding the security fixes.

Google Chrome will auto-update with the new version of embedded Flash, and Internet Explorer on Windows 8.x will receive Flash updates via Windows Update.

Anyone using Flash in a web browser should install the new version of Flash as soon as possible.
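The two items most likely to need verifying across a fleet after this week are the Flash update above and the out-of-band Internet Explorer fix (security update 2964358, bulletin MS14-021) covered earlier on this page. The following PowerShell script is an added example, not something from the original posts or from Adobe or Microsoft: it reports the installed IE version, whether KB2964358 is present, and whether the Flash ActiveX control (the one IE loads) is at least 13.0.0.206. The registry locations for the IE and Flash version strings are assumptions based on where those installers normally write them; adjust them if your builds differ.

```powershell
# Added example (not from the original post or the vendors): check this host for
# the MS14-021 IE fix (KB2964358) and for Flash ActiveX >= 13.0.0.206.
# Assumed registry locations: IE writes its version under
# HKLM:\SOFTWARE\Microsoft\Internet Explorer (svcVersion on IE 10+, Version on
# older builds); the Flash ActiveX installer writes
# HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX\Version.
# Requires PowerShell 2.0 or later (available for Windows XP SP3 as well).

$RequiredFlash = [version]'13.0.0.206'
$IeKb          = 'KB2964358'

function Get-IeVersion {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return $null }
    # IE 10 and 11 keep the real version in svcVersion and leave Version at 9.x.
    $raw = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }
    if ($raw) { [version]$raw } else { $null }
}

function Get-FlashActiveXVersion {
    $key   = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.Version) { [version]$props.Version } else { $null }
}

function Test-HotfixInstalled([string]$Id) {
    # Get-HotFix reads the same installed-update data as 'wmic qfe';
    # a KB that is not installed simply returns nothing.
    $hf = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    return [bool]$hf
}

$ie    = Get-IeVersion
$flash = Get-FlashActiveXVersion

"Internet Explorer : $(if ($ie) { $ie } else { 'not found' })"
if (Test-HotfixInstalled $IeKb) {
    "$IeKb (MS14-021) : installed"
} else {
    "$IeKb (MS14-021) : MISSING - the Security Advisory 2963983 vulnerability is unpatched here"
}

if ($null -eq $flash) {
    "Flash ActiveX     : not installed (IE has no Flash plugin to update)"
} elseif ($flash -lt $RequiredFlash) {
    "Flash ActiveX     : $flash - older than $RequiredFlash, update needed"
} else {
    "Flash ActiveX     : $flash - current"
}
```

On Windows 8.x the IE Flash control is serviced through Windows Update rather than Adobe’s installer, so the Macromedia key may be absent or lag behind there; the KB check is the reliable part on those systems. Run the script under an elevated prompt on each machine, or wrap it in Invoke-Command for remote hosts.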

New Internet Explorer vulnerability

On April 26, Microsoft released Security Advisory 2963983, which describes a newly-discovered vulnerability affecting all versions of Internet Explorer.

According to the related MSRC blog post, attacks based on this vulnerability are being seen in the wild, but so far those attacks are limited.

The vulnerability itself is in Internet Explorer, not in Flash, but the attacks seen so far use a Flash file loaded by the page to arrange memory so that the IE bug can be exploited reliably, which is why disabling the Flash plugin in IE has been reported to stop the known attacks.

Microsoft is advising the usual caution, especially when clicking links in email and visiting unfamiliar web sites.

Presumably Microsoft will produce a patch for this vulnerability, and an interim ‘Fix it’ workaround may be made available soon, but in the meantime you should either stop using Internet Explorer completely, or at least install EMET and add iexplore.exe to its list of protected applications.
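Enrolling Internet Explorer in EMET is a two-line job from the command line, but it is easy to protect only one of the two IE binaries on 64-bit Windows. The script below is an added example (not from the original post or from Microsoft’s EMET documentation) that locates EMET_Conf.exe, registers both the 64-bit and 32-bit iexplore.exe with EMET’s default application mitigations, and then lists the result. The EMET install directories in $EmetDirs are assumptions for the 4.0 and 4.1 releases; edit them for whatever version you have installed.

```powershell
# Added example (not from the original post or from Microsoft): put iexplore.exe
# under EMET's application mitigations (DEP, ASLR, EAF, heap-spray pre-allocation
# and, in EMET 4.x, the ROP checks) until a patch for Advisory 2963983 ships.
# Assumptions: EMET is already installed and EMET_Conf.exe is in one of the
# directories listed in $EmetDirs.

$EmetDirs = @(
    "$env:ProgramFiles\EMET 4.1",
    "${env:ProgramFiles(x86)}\EMET 4.1",
    "$env:ProgramFiles\EMET 4.0",
    "${env:ProgramFiles(x86)}\EMET 4.0"
)
$EmetConf = $EmetDirs |
    ForEach-Object { Join-Path $_ 'EMET_Conf.exe' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $EmetConf) { throw 'EMET_Conf.exe not found; install EMET before running this.' }

# On x64 Windows both a 64-bit and a 32-bit IE exist; protect whichever are present.
# On 32-bit systems (including XP) ProgramFiles(x86) is unset and that path is skipped.
$IeBinaries = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",
    "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe"
) | Where-Object { $_ -and (Test-Path $_) }

foreach ($exe in $IeBinaries) {
    # '--set <path>' adds the application with EMET's default mitigation set.
    & $EmetConf --set $exe
    if ($LASTEXITCODE -ne 0) { Write-Warning "EMET_Conf returned $LASTEXITCODE for $exe" }
}

# '--list' prints every configured application with its mitigations; confirm IE is there.
& $EmetConf --list | Select-String -SimpleMatch 'iexplore.exe'
```

If you imported one of EMET’s bundled protection profiles when you installed it, Internet Explorer is probably already listed and the --set calls are harmless; the --list step tells you either way. Restart IE afterwards so the new settings apply to a fresh process.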

Windows XP users should not – under any circumstance – still be using Internet Explorer as their default web browser or for browsing the web. This vulnerability is only the first in what is sure to be a long series that make using Internet Explorer on Windows XP extremely risky.

Update 2014Apr28: Ars Technica, The Verge, and the SANS InfoSec handlers diary all have additional information.