Category Archives: Security

aka infosec

Internet Explorer, Microsoft, Security, Windows

Internet Explorer 8 vulnerable to new web-based attack

1 Comment

Update 2013May09: Microsoft has issued a ‘Fix-It’ for this problem. This is a temporary, band-aid solution to the problem. It will be superseded by an actual patch at some point. The original bulletin about this issue has been updated to include information about the ‘Fix-It’.

Microsoft recently announced a new attack, targeted at a specific version of Internet Explorer, being exploited in the wild. More details are provided in the associated security advisory from Microsoft.

Only Internet Explorer version 8 is vulnerable to this attack, which begins when someone using IE8 is tricked into visiting a compromised web site. Once infected, the user’s computer can be remotely controlled by the attacker.

Anyone using Internet Explorer 8 is strongly urged to upgrade to IE9, or – if using Windows 7 or 8 – to IE10. If upgrading Internet Explorer is not an option, you can reduce the risk of infection by increasing the level of protection provided by the browser, as follows:

Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones. This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.

Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones. This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.

Ars Technica has additional details.

Java, Patches and updates, Security

Latest Java still vulnerable

Leave a comment

According to Adam Gowdiak of Security Explorations, many of the Java vulnerabilities he reported to Oracle in recent months were fixed in the April update (Java 7, Update 21).

However, several of the reported vulnerabilities remain, and Oracle has confirmed that they are working on fixes for those issues.

On April 22, Mr. Gowdiak reported another new Java vulnerability to Oracle:

The new flaw was verified to affect all versions of Java SE 7 (including the recently released 1.7.0_21-b11). It can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed).

Current Java status: vulnerable.

Details are on the Security Explorations web site (scroll to the end).

Update 2013Apr27: Ars Technica reports that exploits for the just-patched Java vulnerabilities are showing up in attack kits and being seen in the wild. If you use Java, patch it ASAP!

Java, Patches and updates, Security, Windows

Java 7 Update 21 fixes 42 security issues

Leave a comment

As expected, Oracle yesterday released a new update for the series 7 Java Runtime Environment (JRE). Java 7 Update 21 includes fixes for a whopping forty-two security vulnerabilities.

Adam Gowdiak of Security Explorations reports that several of the issues previously reported by him have apparently been fixed in Java 7u21. He points out that one issue in particular took six weeks to fix, and that this delay was unwarranted.

Update 21 also includes some general security improvements. Java will now pop up security warnings whenever unsigned Java code starts to run. Requiring Java code to be signed is going to annoy some users, but given the number of Java security issues in recent months, this is definitely a good idea. The Internet Storm Center has additional details.

Given that most of the fixed vulnerabilities can allow remote attackers to gain control of unprotected computers, we recommend installing the update as soon as possible on any computer running Java, especially those with Java enabled in web browsers.

Unfortunately, as with most Java updates, the announcement from Oracle leaves much to be desired. The date of the announcement is buried toward the bottom of the document. The version of the update is never mentioned. Instructions to users are needlessly complex.

Java, Patches and updates, Security

Big Java security update expected today

Leave a comment

Yesterday, Oracle announced that it will soon issue a significant update for Java. The update will include fixes for forty-two known security vulnerabilities, including thirty-nine that may be remotely exploitable without authentication. Apparently the update will also introduce some new general security improvements.

Ars Technica has additional details.

The update is scheduled for release later today (April 16, 2013).

Security, WordPress and other CMS

Massive attack against WordPress web sites underway

Leave a comment

Ars Technica reports on evidence of a worldwide attack on WordPress web sites.

The attack seems to focus mainly on brute-force login attempts using the WordPress ‘admin’ account. Successful password guesses allow the attacker to gain full control over the site and install back-door software.

Anyone who operates a WordPress web site should quickly check their admin password and change it to something complex: no dictionary words; use of mixed case letters, numbers and punctuation; at least 10 characters long.

Microsoft, Patches and updates, Security, Windows

Advance notification for April 2013 Patch Tuesday

Leave a comment

It’s that time again. Microsoft has posted its usual notification about the next Patch Tuesday. This month’s patch day is on April 9. Anyone using Windows Autoupdate will start seeing the patches around 10am on that day.

There will be nine bulletins/updates this month, two of which are Critical, addressing Windows, Internet Explorer, Office, and server software. The technical details are available in the associated Security TechCenter post.