Category Archives: Security

aka infosec

Patch Tuesday for April 2014

It’s a very special Patch Tuesday: the last one for Windows XP and Office 2003. Security vulnerabilities in those products that appear after today will not be publicly patched by Microsoft. Also losing support today is the much-despised Internet Explorer version 6.

There are four bulletins and corresponding updates this month. Two are flagged as Critical. The updates address eleven security vulnerabilities (CVEs) in Office (including Office 2003), Windows (including Windows XP), and Internet Explorer (including IE 6).

As expected, one of the updates addresses the recently discovered vulnerability in Word’s handling of RTF documents.

The MSRC blog has a good overview of this month’s updates.

British and Dutch governments paying for Windows XP updates after April 8

It’s long been understood that Microsoft would continue to produce updates for Windows XP after support officially ends on April 8, 2014 – for anyone willing to pay. What hasn’t been known for certain is whether anyone would actually pay.

Now, as reported by Ars Technica, the British and Dutch governments have apparently decided to delay upgrading thousands of Windows XP computers, and have contracted with Microsoft to continue supporting Windows XP.

This raises some interesting possibilities. It seems likely that at least one person who works in the British government will find a way to leak new Windows XP security updates to the rest of the world. Microsoft may have measures in place to prevent this, but people are inventive, and would probably find workarounds. Then again, would you trust a supposedly-official update that you obtained from a shady download site? One can imagine Microsoft relenting, and making the updates available to everyone, just to stop the spread of tainted updates.

Another possible scenario is that a flood of hacks, attacks and malware, all based on previously unknown Windows XP vulnerabilities, has such a huge impact on the Internet that Microsoft again relents and makes updates available to everyone.

If Microsoft does give in and continues making updates available for everyone, what does that mean for the British and Dutch governments? Will they demand refunds from Microsoft? Each has apparently paid many millions of dollars for the updates, so it would be completely reasonable to want that money back if the updates became available for free.

This is going to get interesting…

Update 2014Apr15: Add the US Internal Revenue Service to the list of organizations paying Microsoft for Windows XP support and patches.

Update 2014Apr21: Apparently Microsoft just reduced the price tag for Windows XP patches. Presumably they looked at the current Windows XP usage numbers and decided it’s less important to gouge corporate clients than it is to make sure Windows XP systems are patched.

Advance notification for April 2014 Patch Tuesday

Next Tuesday is much more significant than the usual Patch Tuesday, because this crop of updates will be the last one for both Windows XP and Office 2003.

After April 8, most of the IT-enlightened world will be holding its collective breath, waiting for a likely deluge of hacks, attacks and malware based on vulnerabilities in Windows XP and Office 2003.

According to the official advance warning bulletin from Microsoft, this month’s updates will include patches for Office, Windows and Internet Explorer. Two of the patches are flagged as Critical.

One of the patches addresses the recently discovered vulnerability in Word’s handling of RTF documents.

As usual, there’s a somewhat less technical overview of the upcoming updates on the MSRC blog.

The SANS InfoSec Handlers Diary blog has its own take on the upcoming updates.

SANS Ouch! newsletter: Yes, you are a target

This month’s Ouch! newsletter (PDF) from SANS should dispel any illusions you may have about your digital safety: everyone is a target.

In the networked world, if your device is connected, it is potentially vulnerable. Staying safe is largely a matter of vigilance: keep your software patched, use strong, unique passwords, and avoid opening suspicious email or browsing shady web sites.

The Ouch! newsletter is aimed at general users, so IT professionals may not learn much from reading it.

Flash vulnerabilities found at Pwn2Own

The recent Pwn2Own hacking competition revealed vulnerabilities in a variety of software products, including Chrome, Firefox, Internet Explorer, and Flash.

While patches for Firefox and Chrome were released soon after the results of the contest were published, the vulnerabilities in Flash remain unpatched. They are identified as CVE-2014-0506 and CVE-2014-0510. Severity is ranked as high for both vulnerabilities. No exploits for these vulnerabilities have yet been seen in the wild.

Update 2014Apr09: CVE-2014-0506 was fixed in Flash 13.0.0.182.

Millions of computers still running Windows XP

With less than a week to go before Microsoft ends support for Windows XP, over 27% of Internet-connected computers are still running the venerable O/S, according to an Ars Technica report.

Microsoft has clearly been unable to convince XP users to switch to another O/S, and the days and weeks following April 8 will likely be filled with stories about new malware and attacks on XP-based systems.

Roundup of recent Linux exploits

Linux proponents often say that Linux is safer than Windows, and in some respects, it’s true. Linux is inherently more secure than most versions of Windows. Actual Linux viruses are rare, since it’s very difficult for them to propagate. It’s also much more difficult to hide malicious activity on Linux systems than it is on Windows systems.

But don’t be fooled: Linux is not invulnerable. Now that it’s the basis for Mac OS X, and generally growing in popularity, Linux has become much more of a target. The Linux kernel currently sits at the top of the CVEDetails Top 50 products with distinct vulnerabilities list, with Mac OS X at number four and Windows XP at the fifth spot.

Not all vulnerabilities are exploited. Many exploits are never seen outside of research labs. Serious Linux vulnerabilities that are exploited ‘in the wild’ usually see patches within days of discovery.

A large proportion of the world’s web servers run Linux; a single compromised Linux server can affect all web visitors, so keeping them patched and clean is critical. But there seems to be a certain amount of complacency among some Linux system administrators, and Linux servers often stay unpatched and/or misconfigured for long periods of time, providing windows of opportunity for targeted attacks. Worse still, the reliability of Linux servers is such that Internet-facing servers are sometimes neglected completely.

Several recent stories highlight these issues.

A critical bug in the GnuTLS library, common to most Linux distributions, allows malicious parties to bypass security measures and eavesdrop on encrypted communication. This bug may have existed as far back as 2005. A patch for the GnuTLS vulnerability was made available in early March 2014.

The Windigo malware has been around since about 2011. It lies in wait on Linux web servers, infecting Windows visitors with malware, redirecting visitors to malicious web sites, serving ads for porn sites, and sending out spam. Typically, Windigo is installed on Linux servers by way of stolen credentials, rather than software vulnerabilities and related exploits. As many as 35,000 Linux servers have been affected, including high profile sites like kernel.org. Since the affected Linux systems are typically web servers, Windigo’s reach is potentially huge.

An extremely critical vulnerability in PHP that was discovered two years ago remains unpatched on many Linux servers. Exploits designed to take advantage of this bug can give attackers control of entire web sites. A patch for this vulnerability was made available soon after discovery of the bug.

Sites running out-of-date versions of Linux are susceptible to a new mass compromise that is taking over web sites and serving up fraudulent web pages and advertisements.

The lesson is that while Linux is a secure operating system, it must be kept patched to be truly secure. In particular, anyone administering a Linux-based web server has a responsibility to the Internet in general to keep their server patched.

New Microsoft Word vulnerability already being exploited

Earlier today, Microsoft announced in a security advisory that it was seeing evidence of attacks targeted against certain versions of its flagship word processing software.

The vulnerability can be exploited using a specially-crafted RTF file. Opening such a file can give the attacker full access to the user’s computer.

According to Microsoft, Word 2003, 2007, 2010, and 2013 are all affected. Since Word is the default editor in Outlook, simply opening an affected email can lead to a successful attack.

Microsoft is working on a patch, but until it’s ready, their advice is to install and configure EMET. They are also providing the usual ‘Fix It’ stopgap, which in this case just disables the ability to open RTF files in Word.

There’s a less technical overview of this issue over at the MSRC blog.

This vulnerability is identified as CVE-2014-1761.

MSRT will still be updated for Windows XP after April 8

Microsoft’s Malicious Software Removal Tool (MSRT) checks for and attempts to remove known malware from Windows computers during the Windows Update process.

Previously, it was assumed that MSRT would stop being updated for Windows XP once support for that O/S ends in April. A few weeks ago, Microsoft confirmed that it will continue to update MSRT on Windows XP computers until July 15, 2015.

This is good news for anyone who will still be running XP after April, but it’s important to note that MSRT is not a substitute for a full anti-malware solution, and should not be seen as protection against the flood of malware, targeted at Windows XP computers, expected to appear after April 8.

Firefox 28 released

There was yet another stealth release of Firefox yesterday. Version 28 was not announced on any of the myriad Mozilla blogs. I only discovered it because of release announcements on CERT and SANS blogs.

According to SANS, at least some of the security fixes in Firefox 28 are the result of successful hacks at the recent Pwn2Own contest. There’s a full list of the security fixes in this version at the top of the ‘Known Vulnerabilities’ (aka ‘Security Advisories for Firefox’) page for Firefox.

The official release notes page for version 28 shows no improvement over previous release notes pages. But it does list the changes in the latest version, none of which are worthy of note.

Aside: I recently submitted two bugs to the Mozilla bug tracking system for Firefox. Bug #973330 is about the lack of proper announcements for new Firefox versions. Bug #973335 covers the many issues with the release notes pages for Firefox. So far the responses from Mozilla workers have not been encouraging.