Category Archives: Security

aka infosec

‘Ransomware’ prevalence increasing in North America

A new white paper from Symantec discusses the increase of ‘ransomware’ in North America. Ransomware is malware that – once installed on a user’s computer – prevents normal operation and presents the user with warnings that appear to be from regional law enforcement organizations. The warnings threaten further legal action if the user fails to pay a fine. The warnings look sufficiently legitimate to fool many users, who then pay the ‘fine’.

If you start seeing one of these warnings on your computer, do not pay the ‘fine’. Instead, have the malware removed from your computer by a knowledgeable technician.

More details from ARS Technica.

‘Impervious’ Adobe Reader X/XI is actually vulnerable

A working exploit for the latest versions of Adobe’s PDF Reader software (X and XI) is being made available to malicious hackers for $50,000 via underground forums.

Starting with Version X, Adobe’s Reader software has employed a ‘sandbox’ that supposedly insulates the operating system from attacks originating in Reader content. The exploit code reportedly gets around the sandbox.

Adobe is investigating, but no patches are available yet. Since this threat is active, anyone using Adobe Reader X or XI should exercise extreme caution when opening PDF documents or clicking links to PDF documents from unknown sources. Another option is to uninstall the Adobe software and use an alternative like Foxit Reader.

More details from KrebsOnSecurity.

Vulnerabilities in Sophos anti-malware products

Security researcher Tavis Ormandy has discovered several security vulnerabilities in Sophos security products. The holes were patched within a few weeks of the initial reports, but Ormandy maintains that Sophos’ response was too slow. The vulnerabilities, if unpatched, can allow attackers to gain full control of computers running affected Sophos software.

Regardless of whether you agree with Ormandy’s conclusions about Sophos, it’s clear that if you run Sophos security products, you should make sure they are fully patched.

Adobe Flash security updates

Yesterday, Adobe announced a new version of Flash that includes fixes for several security holes in earlier versions. Anyone who uses Flash to view web-based video, which includes anyone who uses YouTube, should install the latest version of Flash as soon as possible.

The latest version of Flash for Windows is 11.5.502.110. Adobe also made available updates for older versions of Flash that address the same security vulnerabilities, but we recommend updating to the latest version.

A new version of Google Chrome, also announced yesterday, includes these security fixes. A similar patch for Internet Explorer 10 in Windows 8 was made available by Microsoft.

These updates resolve buffer overflow vulnerabilities that could lead to code execution, memory corruption vulnerabilities that could lead to code execution, and a security bypass vulnerability that could lead to code execution.

ZeroAccess botnet growing rapidly

Growth of the ZeroAccess botnet is unfortunately showing no signs of slowing down. darkReading reports “2.2 million infected with fraudulent ad-click botnet’s malware“. The perpetrators make money by using infected computers to fraudulently ‘click’ on web-based ads.

Most current anti-malware software can detect and disable ZeroAccess-related malware. Make sure your anti-malware software is up to date, and run regular scans.

Java still vulnerable even with recent batch of security fixes

We were wondering whether the recent Java updates addressed the security holes reported by Adam Gowdiak of Security Explorations. Well, Mr. Gowdiak tested the most recent Java in various browsers, and the answer is no, they do not.

Gowdiak went even further, developing a simple fix for the vulnerability. Oracle is unimpressed, saying that a proper fix will involve a lot more testing than the 30 minutes Gowdiak spent on it. They are sticking to their original estimate, that an official fix will not be available until the February 2013 Critical Patch Update.

So Java, despite the recent patches, is still vulnerable to exploits using the hole reported by Gowdiak. We continue to recommend disabling Java in web browsers.

Java on the desktop: safe or not?

Java is increasingly the focus of both malware developers and security researchers. Many malware packages include Java code, and drive-by malware infections often use known Java vulnerabilities to trigger web browser-based infections. Java releases are filled with fixes for security vulnerabilities. Security researchers find new Java holes with alarming frequency.

ARS Technica recently asked their readers to talk about Java and how they use it. The resulting article outlines the results of this informal survey and makes some recommendations to users.

On typical Windows computers, Java is installed as a browser plugin, allowing Java code on web sites to be run seamlessly within the browser. This should not be confused with Javascript, which is also used within web browsers, but despite its name, is a totally separate thing.

Many Windows computers also contain the Java Runtime Environment (JRE), which allows standalone Java applications to run without a web browser. Many system administration tools are developed in Java, since this allows the same code to run on many different operating systems. There are also plenty of Java games, including the hugely popular Minecraft. Although Minecraft can be run from within a web browser, the full version of the game runs in the JRE.

Java vulnerabilities exist both in Java browser plugins and in the JRE. However, Java code that runs in the JRE must be explicitly downloaded and installed by the user. For example, to play the full version of Minecraft, the user must go to the Minecraft web site, buy the game, download the installer, install the game on their computer, then run the game. On the other hand, Java code on a malicious or hacked web site can run automatically and invisibly the moment a user visits that web site – if their browser has a functioning Java plugin.

Clearly, Java web browser plugins present a much greater security risk than standalone Java. Our recommendations – echoed by the ARS Technica article – remain the same: you should seriously consider disabling Java plugins in your web browser, but it’s okay to leave the JRE installed on your computer.

Critical Patch Update fixes 30 Java security issues

Oracle has released updates for all of its Java packages. The updates include a variety of bug and security fixes across all the affected Java products.

You can download the Java Runtime Environment (JRE) or Java Developer Kit (JDK) appropriate for your computing environment from the Java downloads page.

Java browser plugins that are not updated as part of a JRE update will require separate updates, in some cases from the web browser developer (Chrome, Internet Explorer).

It is unclear whether these updates include fixes for the vulnerabilities reported in late September 2012. Update 2012-Oct-25: Apparently they do not, according to security researcher Adam Gowdiak.