aka infosec
This month’s ‘Ouch!’ newsletter from SANS covers password managers. A password manager is a small program that stores all of your passwords, in an encrypted form. When you forget a password, you only need to remember the password manager’s password to access your collection.
I’ve been using the freeware Password Corral for years and recommend it.
On October 3, 2013, Adobe announced that their network and some of their servers had been breached. Their investigation continues, and the full scope and impact of the breach has yet to be determined.
However, we do know the following:
Ars Technica has additional details, as does the SANS ISC Diary.
Update 2013Nov02: Ars Technica explains exactly what Adobe did wrong and why we should all be worried about it. Adobe now says that as many as 38 million users were affected by the breach.
Update 2014Oct10: Duo Security reviews the fallout from this breach, and warns of the dangers of password hints.
Patches from Microsoft and Adobe were announced today, along with a new version of Flash.
Eight bulletins from Microsoft fix security vulnerabilities in Windows, Internet Explorer, .NET, Office, Windows Server and Silverlight.
The Microsoft Security Research Center as usual provides a more friendly overview of this month’s patches, while the SANS Internet Storm Center provides a wealth of technical details.
Two bulletins from Adobe fix security vulnerabilities in Adobe Reader/Acrobat and Robohelp.
Flash 11.9.900.117 includes a long list of bug fixes. Chrome will be updated silently to match the new version of Flash. An update for Internet Explorer 10 on Windows 8 is also on the way.
Google announced Chrome 30.0.1599.66 on Tuesday. This version fixes a whopping 50 security vulnerabilities, many of which were reported via Google’s Vulnerability Rewards Program. The new version also includes many performance and stability improvements.
Any time something catches the attention of huge numbers of Internet users, there’s a possibility that nefarious persons will try to make money from it. A famous actor has their phone hacked, a celebrity dies, or a whistleblower exposes the extent of NSA snooping, and the spam in your inbox suddenly has a new flavour… or worse.
Zscaler and other security researchers are reporting an increase in ransomware threats that are built on recent revelations of the NSA’s activities.
Ransomware works like this: you visit a web site that has been compromised and is serving malicious code. The code infects your computer, after which it becomes impossible to use your computer. Instead you see a full page threat from what appears to be the NSA, claiming that you have participated in unlawful activities (usually downloading copyrighted materials). You are told that you can pay up or face legal action.
If this happens to you, do not follow any of the instructions shown by the ransomware. Hire a professional to remove the malware or reinstall your operating system.
How to determine whether a warning is fake and ransomware:
Yesterday, Microsoft announced that they are looking into reports of a security vulnerability potentially affecting all versions of Internet Explorer. Apparently an exploit for this flaw exists and has been observed in the wild, targeting IE 8 and 9.
If you are using one of the affected browsers (likely all versions of Internet Explorer) and you visit a web site that has been compromised with malicious code that targets this vulnerability, an attacker might be able to execute arbitrary code on your computer remotely.
Microsoft issued security advisory 2887505 to warn and provide guidance to users. Workarounds include installing EMET and raising the security settings related to running ActiveX within the browser.
No patch for this vulnerability has yet been published by Microsoft, although there is a temporary ‘Fix-It’ solution available from Microsoft.
Update 2013Sep21: The SANS Internet Storm Center has been monitoring this issue. They have confirmed seeing related exploits in the wild. They also confirmed that Microsoft’s ‘Fix-It’ solution prevents these exploits, but only in 32-bit versions of Internet Explorer.
Update 2013Oct03: The developers of the controversial hacking toolkit Metasploit have released a module that exploits this IE vulnerability. This is likely to spur an increase in the number of attacks based on this vulnerability. Microsoft has yet to release a proper fix. If you use Internet Explorer for anything other than Windows Update, you should consider applying the temporary Fix-It solution or installing EMET (see above).
A new version of WordPress was announced yesterday. Version 3.6.1 fixes several security vulnerabilities.
Anyone managing a WordPress site is strongly encouraged to install this update as soon as possible. WordPress sites are already popular targets for nefarious hackers; there’s no point in making things easy for them.
Here’s the full list of changes in this update.
Another month, another pile of patches from Microsoft. This month there are fourteen bulletins, addressing security vulnerabilities in Windows, Internet Explorer, Office, and the .NET framework. Four of the bulletins are rated Critical.
As usual, the updates will become available after 10am PST from Windows Update.
The SANS Internet Storm Center has a detailed look at the vulnerabilities addressed by this month’s patches.
The Microsoft Security Response Center has a somewhat friendlier summary of this month’s updates.
Adobe today released version 11.0.04 of Reader and Acrobat. This version fixes eight critical vulnerabilities and should be installed as soon as possible by anyone who uses the affected software to open PDF documents from untrusted sources.
A new version of Flash was announced by Adobe today. Version 11.8.800.168 fixes four critical vulnerabilities. The official release announcement from Adobe provides details on all of the changes in this new version.
Anyone who uses a Flash-enabled web browser should install the new version as soon as possible. That includes anyone who uses Youtube.
The changes in this version will be ported to the Chrome web browser as embedded Flash version 11.8.800.170. Flash updates for Chrome tend to happen silently in the background. You can see what version of Flash Chrome is currently running by browsing to the chrome://flash/ page. Recently, the version of Flash in Chrome mysteriously rolled back to 11.8.800.97, so it will be interesting to see what happens with 11.8.800.170 (Chrome finally updated itself with Flash 11.8.800.170 on 2013Sep18, a delay of one week, which is somewhat alarming. The version of Chrome itself also changed at the same time, to 29.0.1547.76.)
Internet Explorer 10 on Windows 8 also uses embedded Flash code. Microsoft Security Advisory 2755801, now available from Windows Update, patches IE10 on Windows 8 to use the new Flash version 11.8.800.168.
boot13