Category Archives: Security

aka infosec

Extremely critical security flaw may affect Macs

Apple recently patched a critical vulnerability in iOS, the operating system that runs all iPhones. Now it appears that the same flaw may affect all Macs running OS X as well. So far there is no official confirmation from Apple, but security experts are warning Mac users to avoid using public networks until we know more.

Update 2014Feb24: Apple released a patch for iOS that fixes this flaw on iPhones. Meanwhile, it looks like the flaw does affect Macs (OS X). A security researcher at ImperialViolet has created a proof-of-concept test page (no longer functional). Steer your Mac web browser to that page; if you get an error message, your browser is not affected by the flaw. Vulnerable Mac browsers will see a message to that effect. Tests on my own Mac show Safari as vulnerable, while Firefox is not.

Update 2014Feb25: TechDirt has an amusing article on the surprising lack of information coming from Apple. There’s a general sense of dissatisfaction with Apple, and increasing clamour for information – any information – on how this issue affects Macs.

Update 2014Feb26: Apple has released an update for OS X that addresses this issue. OS X 10.9.2 includes several other security fixes and bug fixes.

Emergency update for Flash

On February 20, Adobe announced a new version of Flash that addresses critical security vulnerabilities. Security bulletin apsb14-07 describes the vulnerabilities.

We strongly recommend upgrading to this new version of Flash (12.0.0.70) as soon as possible, especially if Flash is enabled in a browser you use for general web surfing.

As usual, Google Chrome updates its bundled Flash automatically, and Internet Explorer 10 and 11 receive the new Flash by way of Windows Update.

Ars Technica has more details.

Internet Explorer vulnerable to new attack

Update 2014Feb19: Microsoft has released a ‘Fix-It’ patch that apparently removes this vulnerability in Internet Explorer 9 and 10. A regular update is expected at some point, but for now, if you have to use IE9/10, you should apply this Fix-It.

Ars Technica reports on a new vulnerability affecting Internet Explorer 10 and 9. Visitors to the American Veterans of Foreign Wars (VFW) web site who are using a vulnerable version of Internet Explorer will become infected with malware.

The VFW site was recently compromised and altered to include code that loads the malware from another site. Presumably the VFW site will be cleaned up very soon, but the vulnerability in IE remains, so we can expect to see this malware served up by other compromised web sites.

Microsoft said that they are aware of the problem but there’s no word yet on a possible fix.

For now, since there’s no way to know which web sites to avoid, we recommend not using Internet Explorer at all for general web surfing.

Patch Tuesday, February 2014

It’s the second Tuesday in February 2014, so it’s time to patch your Windows computers. Originally there were only going to be five bulletins this month, but two more were added late. The updates fix security vulnerabilities in Internet Explorer, Windows and .NET. Four of the updates are flagged as Critical.

The summary bulletin has all the technical details, and Dustin Childs has posted a friendlier summary over at the MSRC blog.

As usual, a SANS ISC Diary post provides a security-focused interpretation of the month’s updates, with its own recommendations, as well as useful references (CVE identifiers) to the specific vulnerabilities addressed.

Firefox 27 stealth release

Another new version of Firefox slid quietly off the production line yesterday. Version 27 improves interactivity with certain social web sites, and fixes a few bugs, including a dozen security vulnerabilities.

As usual, the only announcement of the new version was in the form of a post on the Mozilla Blog, which fails to mention that the post is actually about a new version of Firefox. The official release notes for the new version are as usual a total mess, barely even mentioning the new version identifier.

Critical security update for Flash

Yesterday Adobe released a new version of Flash (12.0.0.44) that addresses a critical security vulnerability. There is some evidence that the vulnerability is already being exploited in the wild, so everyone should update their browsers ASAP.

As usual, Internet Explorer 10 for Windows 8 and Internet Explorer 11 for Windows 8.1 will receive the new Flash version via Windows Update, and Chrome will update to the new Flash automatically.

Yahoo email accounts compromised

Yahoo announced yesterday that some Yahoo Mail account addresses and passwords were being used in a coordinated attempt to gain access to those accounts. The source of the account information remains unclear, but Yahoo claims that it was not obtained from Yahoo’s services directly.

Yahoo is resetting the passwords of affected accounts and informing the associated account holders.

Since it’s difficult to know, at this point, the full extent of this problem, anyone with a Yahoo Mail account is advised to change their password immediately.