Category Archives: Security

aka infosec

Adobe Reader software currently being exploited

There’s a brief announcement on the Adobe Product Security Incident Response Team (PSIRT) Blog stating that Adobe is looking into reports of a new exploit for their Reader software. No further details are provided. Since this exploit is apparently being seen in the wild, we recommend extreme caution when opening PDF documents from unknown or untrusted sources. Better yet, switch to a different PDF reader like Foxit, thereby avoiding the dangers inherent in using Adobe Reader.

Update: Ars Technica has the details. The vulnerability was reported by the security company FireEye, and attacks based on it have been seen in the wild. The vulnerability is notable because version 11 of the Reader software was supposed to be much more difficult to exploit, thanks to its sandbox.

Update 2: There’s a new post on the Security Advisory blog for Adobe Reader and Acrobat that covers this issue.

Update 3: Ars Technica points out that Adobe Reader 11 would protect users from this vulnerability, if its security settings were actually enabled by default (which they aren’t). On learning this, I immediately made the required changes to my installation of Reader, enabling Protected View. Check the bottom of this post for the procedure.

Update 4: Adobe announced that updates for the vulnerabilities in Reader will be made available some time during the coming week.

Enabling Protected View in Adobe Reader 11

  1. Start Adobe Reader.
  2. From the menu, select Edit > Preferences.
  3. Select Security (Enhanced) from the list on the left.
  4. In the Sandbox Protections section at the top, make sure that the setting for Protected View is All files.
  5. Click OK.

[Screenshot: the Security (Enhanced) page of the Adobe Reader 11 Preferences dialog, with Protected View set to All files]
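The same setting can be read and set from the registry, which is handy for checking several machines or scripting the change. The PowerShell below is an added example, not from the original post: the key and value names (TrustManager\iProtectedView for the user's choice, FeatureLockDown\iProtectedView for an administrator lockdown, with 0 = off, 1 = unsafe locations only, 2 = all files) follow Adobe's preference reference for Reader 11 and are assumptions here; check them against your own installation before relying on them.

```powershell
# Added example (not from the original post): read Adobe Reader 11's Protected View
# setting from the registry and, with -Enforce, set it to "All files" (2), which is
# what the Preferences dialog writes. Key/value names are taken from Adobe's
# preference reference for Reader 11 and are an assumption: verify on your own install.
param([switch]$Enforce)

$UserKey   = 'HKCU:\Software\Adobe\Acrobat Reader\11.0\TrustManager'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown'
$Name      = 'iProtectedView'
$Labels    = @{ 0 = 'Off'; 1 = 'Files from potentially unsafe locations'; 2 = 'All files' }

function Get-ProtectedView {
    # Returns the DWORD, or $null when the value is absent
    # (Reader then falls back to its default, which is Off).
    param([string]$Key)
    try   { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# An administrator lockdown (HKLM policy key) overrides the per-user preference.
$policy    = Get-ProtectedView $PolicyKey
$user      = Get-ProtectedView $UserKey
$effective = if ($null -ne $policy) { $policy } else { $user }
$label     = if ($null -eq $effective) { 'not set (Off)' } else { $Labels[[int]$effective] }

"Protected View: $label" + $(if ($null -ne $policy) { ' (locked by policy)' })

if ($Enforce -and $null -eq $policy -and $effective -ne 2) {
    if (-not (Test-Path $UserKey)) { New-Item -Path $UserKey -Force | Out-Null }
    Set-ItemProperty -Path $UserKey -Name $Name -Value 2 -Type DWord
    "Set Protected View to 'All files'; restart Reader for the change to take effect."
}
```

Run it without arguments to see the current setting; `.\Check-ProtectedView.ps1 -Enforce` changes the per-user value. If the policy key is present the script reports but does not touch the setting, since Reader would ignore the user value anyway.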

New version of Chrome

Version 24.0.1312.70 of Google’s web browser contains the latest version of Adobe Flash.

Update: Something funny going on here. The announcement linked above states that version 24.0.1312.70 is actually for the Linux platform. It goes on to say: “This release contains an update to Flash (11.6.602.167). This Flash update has been pushed to Windows, Mac, and Chrome Frame platforms through component updater.” But what is the ‘component updater’, and how will it affect the version number of Chrome in Windows? There’s nothing on the Chrome support site about it. (Chrome’s component updater delivers Flash and a few other bundled components independently of browser releases, which is why the Chrome build number need not change when Flash is updated; the chrome://plugins page lists the version of Flash actually loaded.) My own Chrome installation reports itself as being up to date at version 24.0.1312.57. Has Flash been updated in my installation or not? How can I determine what version of Flash is running in Chrome? Comments below the announcement linked above show other users similarly confused. Meanwhile, another new version was announced on Feb 14: “The Stable channel has been updated to 24.0.1312.71 for Windows Standalone Enterprise. This build contains an updated Flash (11.6.602.167).” That version at least seems to be targeted at Windows, but what is “Windows Standalone Enterprise”? It contains the same version of Flash as 24.0.1312.70, but again my version of Chrome reports that it is up to date at 24.0.1312.57. Not much we can do at this point except wait for Google to sort out this mess.

Microsoft teams up with Symantec to take down another botnet

Microsoft and Symantec, working with law enforcement authorities in the US and Spain, have disabled another botnet. The Bamital botnet first appeared in 2009, and at its height, included as many as 1.8 million computers.

User computers became infected with the Bamital malware through drive-by web-based infections (often from porn sites) and corrupted software downloads.

Infected computers were used to generate revenue for the perpetrators by generating or redirecting traffic to specific web sites.

Flash player update fixes serious security issues

Yesterday, Adobe announced an update for Flash that fixes specific security issues that are currently being exploited on the web.

Anyone who uses Flash should install the update as soon as possible.

The new version for Windows XP, Vista and 7 is 11.5.502.149. The new version for Windows 8 (available as an update from Microsoft) is 11.3.379.14.

Ars Technica has additional details.

Latest SANS: Ouch! – Email Phishing Attacks

This month’s Ouch! newsletter (PDF) from SANS is about email ‘phishing’ attacks. According to Wikipedia,

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

It’s a worthwhile read, and describes different types of phishing attacks and what you can do to protect yourself from them.

Massive Java security update

Oracle/Sun has released update 13 for Java 7 (Java 7u13).

The update was originally scheduled for release on February 19, but given all the recent security issues, Oracle decided to get the latest patch out there as soon as possible.

The update includes fifty bug and security fixes. The issues addressed are listed on the associated Critical Patch Update Advisory. Oddly, the update version (7u13) is never mentioned once on that lengthy page.

Recommendations:

  • If you use Java, update it ASAP.
  • Don’t depend on the Java auto-updater to update Java: do it manually.
  • Don’t assume Java is now safe. Until security researchers like Adam Gowdiak give Java 7u13 a thumbs-up, assume it’s still vulnerable.
  • Disable Java plugins in your web browser unless you have no choice.
  • Continue to be extremely careful when browsing the web.

Plugins will be safer in future versions of Firefox

Presumably in response to the recent flood of Java vulnerabilities, the developers of Firefox (Mozilla) will be adding a new layer of security to all plugins, including the notoriously insecure Java, Flash and Adobe Reader.

Essentially, the new security will consist of additional prompts when plugins are triggered. So when a web site tries to run Java code, Firefox will prompt you to make sure you really want to allow the plugin to activate and run the Java code. You will be able to control which plugins and sites are affected.

Oracle/Sun recently made similar changes to Java itself, in an attempt to improve the overall safety of Java in web browsers. However, as security researcher Adam Gowdiak points out, those changes are ineffective: Java code can still run silently, bypassing the new safeguards. He writes:

… unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings …
Our Proof of Concept code … has been successfully executed in the environment of [the] latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 … and with “Very High” Java Control Panel security settings.

That said, recent … security “improvements” to Java SE 7 software don’t prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit.

Java: what is it, and why do I need it?

You’re probably sick of hearing about Java and its troubles. Still, there seems to be a lot of confusion about what Java is, what it’s used for, and whether it’s really needed. This post is an attempt to alleviate that confusion.

From the About page on the Java web site:

From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!
– 1.1 billion desktops run Java
– 3 billion mobile phones run Java
– 100% of all Blu-ray players run Java
– Java powers set-top boxes, printers, Web cams, games, car navigation systems, lottery terminals, medical devices, parking payment stations, and more.

What is Java?

Java is essentially a programming language. It’s also a runtime environment: a program that runs natively on your PC or other computing device and allows Java programs to run on that device.

Why is Java everywhere?

Java is embedded into many household and industrial devices. Typically these devices run older versions of Java, and those older versions often have security vulnerabilities. However, the potential for damage through exploiting vulnerabilities on such devices is usually small or non-existent.

Java is currently installed on most consumer and corporate PCs, usually because at least one Java application or Java-enabled web site requires it. Java may also be enabled in the various web browsers used on those PCs.

The main reason for Java’s prevalence is its portability. In computing terms, that means a Java program will run on any Java-enabled device without modification. Developers only need to create one version of a program, instead of a different version for every computing platform they want to support.

Java in the browser; Java outside the browser

To run a Java program outside of a web browser, a Java Runtime Environment (JRE) must be installed on the device. To use a Java-enabled web site or a web-based Java application, you still need a JRE, but you also need a Java plugin for your web browser. Each browser handles plugins differently, but without a Java plugin providing a link between the browser and the JRE, Java code will not run in the browser.

Because a plugin is required to run Java in a web browser, disabling the plugin is a sure-fire way to avoid web-based Java malware.

Java programs that run outside of the web browser

The primary danger posed by Java at this time is visiting malware-infested web sites with a vulnerable version of Java enabled in the web browser. A Java program that runs outside the web browser is much safer, even if the shared JRE is old or vulnerable, because the only Java code that runs is the code for that program. If you trust the program’s developer, and the program doesn’t load code or documents from untrusted sources, you’re safe. Note that there is one exception: if the program contains a Java-enabled web browser, the risk is the same as in any other Java-enabled web browser.

Examples:

  • Minecraft – a popular game
  • Eclipse – a software development environment
  • FreeMind — mind-mapping software
  • OpenOffice (Base; wizards) – an office application suite

Java programs that run in the web browser

A Java program that runs in the web browser is safe – even using a shared, old, or vulnerable JRE – as long as you only use that program and don’t navigate to any Internet-based web sites. If you must run a browser-based Java program, try to use one particular web browser for that program (and any similar programs). In other words, use a browser that has Java disabled for web browsing, and a different (Java-enabled) browser for running your browser-based Java programs.

Examples:

  • Yahoo SiteBuilder – requires and installs JRE 1.6 in a shared location, and installs JRE 1.6 components in browsers (use with caution)
  • Vigiliti nLive – network management software
  • ManageEngine OpManager – system management software
  • many other system and network monitoring and analysis packages

Web sites that require Java for proper operation

If you can’t avoid web sites that use Java: again, it’s a good idea to set aside a Java-enabled web browser for accessing those sites (and nothing else!) Use a separate web browser with Java disabled for most of your web surfing.

Examples:

  • Some banking web sites
  • The Wall Street Journal website uses Java for dynamic charts
  • Secunia’s Online Software Inspector

Java applications that install their own JRE

When an application requires a JRE to run, it can use a shared JRE that is typically installed in a standard location where it can be found by any Java application on the PC. It can also install its own JRE in a location where it is only used by that application. This avoids potential compatibility issues, but it can make things more confusing for anyone trying to understand how Java is being used on their PC.

Examples:

  • Vigiliti nLive – network management software
  • ManageEngine OpManager – system management software
  • MindRaider – notebook and outlining application

How is Java related to Javascript?

It isn’t. Java is to Javascript what ham is to hamster. Like Java, Javascript is a programming language, and it’s often used on web sites to provide enhanced functionality. Also like Java, Javascript is often used for malware. Unlike Java, Javascript is something that, for ordinary users, runs only within a web browser; it needs no separate runtime or plugin. Both represent significant security threats, and both can be disabled within web browsers, but doing so may cause some web sites to stop working properly.

Why are there so many security problems with Java?

Java’s success – its prevalence on PCs – has made it a useful target for malware developers. The success of Windows made that operating system the primary target of malware developers for years, but Microsoft has improved the security of Windows, and malware writers are looking for other targets.

All programs contain bugs, and if enough time is spent examining a program, eventually someone will find a way to break it in a way that allows security to be bypassed. Java is a program like any other, and the new focus on Java is revealing more and more security issues.

Why do developers still use Java?

Given all the recent problems with Java, one might expect software and web site developers to steer clear of it. Some developers are probably already looking elsewhere, and the longer it takes for Oracle/Sun to fix Java’s security problems, the more developers will bail. Most developers are probably concerned, but biding their time; switching away from Java is likely to be a massive undertaking.

Why do I need Java? Can I stop using it?

There’s no way to escape Java completely. You probably have several devices in your home that have Java embedded into them. But apart from the Java embedded in devices, you may not need Java at all.

In the PC world, some applications and web sites need Java to work properly. If you don’t have Java on your PC, you won’t be able to use those applications and web sites. If you’re a system or network administrator, you probably need Java to run system management tools. Your employer may use or require custom Java software in your workplace. You may need Java to use your bank’s web site. And so on.

The only way to know for sure whether you can do without Java on your PC is to disable or uninstall it, then make note of any web site or application that stops working. Of course, this may be more difficult than it sounds, since functionality may only be affected in subtle ways.

More problems with Java

  • Version confusion: traditionally, the JRE installer left old versions intact when installing new versions. This was apparently done to get around version incompatibilities, but in practice it created more problems than it solved. More recent JRE installers seem to be better at cleaning up older versions.
  • Java Development Kits (JDKs) add to the confusion, since they typically include their own, separate, embedded JRE.
  • There are apparently no tools for finding and diagnosing Java installations on a PC. JavaRa is useful to a point, but it doesn’t seem to find embedded JREs installed with certain Java applications.
  • When you install Java, it sets itself up to perform auto-updates. This feature can be disabled, but it has to be done every time you install or update Java. Worse, the auto-updater may delay updating your Java for days or even weeks after an update becomes available.
  • Recently, Oracle started including crapware (aka foistware) with Java JREs. Performing a default install of a recent JRE will add a worthless toolbar to your browser and may hijack your browser search settings.
  • Removing Java from Internet Explorer is almost impossible. Web browsers like Firefox and Google Chrome include simple settings for disabling Java, but for some reason this is not the case with IE.
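Since there is no ready-made tool for finding every JRE on a PC (the point made above), and since the recommendations for Java 7u13 earlier on this page come down to “find out what you have and update it yourself,” here is an inventory script. It is an added example, not from the original post or from Oracle: it reads the registry keys the Oracle installer writes (HKLM\SOFTWARE\JavaSoft\Java Runtime Environment and its Wow6432Node twin, an assumption to check against your own machine), then searches the usual program directories for java.exe to catch embedded or private JREs that never touched the registry, asks each one for its version, and flags anything older than 7u13.

```powershell
# Added example (not from the original post): inventory every JRE on a Windows PC,
# registered or embedded, and flag any older than the Java 7 Update 13 baseline.
# Registry paths are the ones the Oracle installer writes (assumption: verify locally);
# embedded JREs are found by searching for java.exe under the usual install roots.
$Baseline = [version]'1.7.0.13'   # 7u13 expressed as a comparable [version]

function Convert-JavaVersion {
    # Turns Oracle's '1.7.0_13' into [version]1.7.0.13 so versions can be compared.
    param([string]$Text)
    if ($Text -match '(\d+)\.(\d+)\.(\d+)(?:_(\d+))?') {
        $update = if ($Matches[4]) { $Matches[4] } else { 0 }
        return [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $update)
    }
}

function Get-JavaExeVersion {
    # 'java -version' prints to stderr, hence 2>&1.
    param([string]$JavaExe)
    $out = & $JavaExe -version 2>&1 | Out-String
    if ($out -match 'version "([^"]+)"') { Convert-JavaVersion $Matches[1] }
}

$found = @{}   # java.exe path -> how it was discovered

# 1. JREs the Oracle installer registered (64-bit and 32-bit registry views).
foreach ($root in 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
                  'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment') {
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $javaHome = (Get-ItemProperty $_.PSPath).JavaHome
        if ($javaHome) { $found[(Join-Path $javaHome 'bin\java.exe')] = 'registry' }
    }
}

# 2. Embedded or private JREs (JDKs, applications that ship their own runtime).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) | Where-Object { $_ }
Get-ChildItem -Path $roots -Filter java.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { if (-not $found.ContainsKey($_.FullName)) { $found[$_.FullName] = 'filesystem' } }

# 3. Ask each runtime what it is and compare against the baseline.
'{0,-9} {1,-10} {2,-12} {3}' -f 'STATUS', 'SOURCE', 'VERSION', 'PATH'
foreach ($exe in ($found.Keys | Sort-Object)) {
    if (-not (Test-Path $exe)) { continue }
    $v = Get-JavaExeVersion $exe
    $status = if (-not $v) { 'UNKNOWN' } elseif ($v -lt $Baseline) { 'OUTDATED' } else { 'ok' }
    '{0,-9} {1,-10} {2,-12} {3}' -f $status, $found[$exe], $v, $exe
}
```

Anything marked OUTDATED is a runtime the auto-updater did not take care of; a FILESYSTEM entry with no matching registry entry is an embedded JRE that only the application shipping it will ever update. Raise the baseline as new Java releases come out.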

Further reading

If you’ve gotten this far and want more, the folks over at Windows Secrets recently posted some more useful information about Java.
