Internet Explorer, Microsoft, Patches and updates, Security, Windows

Advance notification for April 2014 Patch Tuesday

Leave a comment

Next Tuesday is much more significant than the usual Patch Tuesday, because this crop of updates will be the last one for both Windows XP and Office 2003.

After April 8, most of the IT-enlightened world will be holding its collective breath, waiting for a likely deluge of hacks, attacks and malware based on vulnerabilities in Windows XP and Office 2003.

According to the official advance warning bulletin from Microsoft, this month’s updates will include patches for Office, Windows and Internet Explorer. Two of the patches are flagged as Critical.

One of the patches addresses the recently-discovered vulnerability in Word’s handling of RTF documents.

As usual, there’s a somewhat less technical overview of the upcoming updates on the MSRC blog.

The SANS InfoSec Handlers Diary blog has its own take on the upcoming updates.

Security

SANS Ouch! newsletter: Yes, you are a target

Leave a comment

This month’s Ouch! newsletter (PDF) from SANS should dispel any thoughts you may have regarding your digital safety.

In the networked world, if your device is connected, it is potentially vulnerable. Staying safe is largely a matter of vigilance: keep your software patched, use strong, unique passwords, and avoid opening suspicious email or browsing shady web sites.

The Ouch! newsletter is aimed at general users, so IT professionals may not learn much from reading it.

Adobe, Flash, Security

Flash vulnerabilities found at Pwn2Own

1 Comment

The recent Pwn2Own hacking competition revealed vulnerabilities in a variety of software products, including Chrome, Firefox, Internet Explorer, and Flash.

While patches for Firefox and Chrome were released soon after the results of the contest were published, the vulnerabilities in Flash remain unpatched. They are identified as CVE-2014-0506 and CVE-2014-0510. Severity is ranked as high for both vulnerabilities. No exploits for these vulnerabilities have yet been seen in the wild.

Update 2014Apr09: CVE-2014-0506 was fixed in Flash 13.0.0.182.

Microsoft, Patches and updates, Windows 8.x

Windows 8.1 Update 1 available starting April 8

1 Comment

Microsoft recently announced the release date for Windows 8.1 Update 1: April 8, 2014, which is also Patch Tuesday for April. Windows 8.x users will be able to download the update via the Windows Update service.

This update brings back some of the mouse/keyboard and desktop features missing from the original version. Still missing, however, is the Start menu.

Ars Technica has more, as does The Verge.

Microsoft, Security, Windows XP

Millions of computers still running Windows XP

Leave a comment

With less than a week to go before Microsoft ends support for Windows XP, over 27% of Internet-connected computers are still running the venerable O/S, according to an Ars Technica report.

Microsoft has clearly been unable to convince XP users to switch to another O/S, and the days and weeks following April 8 will likely be filled with stories about new malware and attacks on XP-based systems.

Linux, Security

Roundup of recent Linux exploits

Leave a comment

Linux proponents often say that Linux is safer than Windows, and in some respects, it’s true. Linux is inherently more secure than most versions of Windows. Actual Linux viruses are rare, since it’s very difficult for them to propagate. It’s also much more difficult to hide malicious activity on Linux systems than it is on Windows systems.

But don’t be fooled: Linux is not invulnerable. Now that it’s the basis for Mac OS X, and generally growing in popularity, Linux has become much more of a target. The Linux kernel currently sits at the top of the CVEDetails Top 50 products with distinct vulnerabilities list, with Mac OS X at number four and Windows XP at the fifth spot.

Not all vulnerabilities are exploited. Many exploits are never seen outside of research labs. Serious Linux vulnerabilities that are exploited ‘in the wild’ usually see patches within days of discovery.

A large proportion of the world’s web servers run Linux; a single compromised Linux server can affect all web visitors, so keeping them patched and clean is critical. But there seems to be a certain amount of complacency among some Linux system administrators, and Linux servers often stay unpatched and/or misconfigured for long periods of time, providing windows of opportunity for targeted attacks. Worse still, the reliability of Linux servers is such that Internet-facing servers are sometimes neglected completely.

Several recent stories highlight these issues.

A critical bug in the GnuTLS library, common to most Linux distributions, allows malicious parties to bypass security measures and eavesdrop on encrypted communication. This bug may have existed as far back as 2005. A patch for the GnuTLS vulnerability was made available in early March 2014.

The Windigo malware has been around since about 2011. It lies in wait on Linux web servers, infecting Windows visitors with malware, redirecting visitors to malicious web sites, serving ads for porn sites, and sending out spam. Typically, Windigo is installed on Linux servers by way of stolen credentials, rather than software vulnerabilities and related exploits. As many as 35,000 Linux servers have been affected, including high profile sites like kernel.org. Since the affected Linux systems are typically web servers, Windigo’s reach is potentially huge.

An extremely critical vulnerability in PHP that was discovered two years ago remains unpatched on many Linux servers. Exploits designed to take advantage of this bug can give attackers control of entire web sites. A patch for this vulnerability was made available soon after discovery of the bug.

Sites running out of date versions of Linux are susceptible to a new mass compromise that is taking over web sites and serving up fraudulent web pages and advertisements.

The lesson is that while Linux is a secure operating system, it must be kept patched to be truly secure. In particular, anyone administering a Linux-based web server has a responsibility to the Internet in general to keep their server patched.

Malware, Microsoft, Security

New Microsoft Word vulnerability already being exploited

2 Comments

Earlier today, Microsoft announced in a security advisory that it was seeing evidence of attacks targeted against certain versions of its flagship word processing software.

The vulnerability can be exploited using a specially-crafted RTF file. Opening such a file can give the attacker full access to the user’s computer.

According to Microsoft, Word 2003, 2007, 2010, and 2013 are all affected. Since Word is the default editor in Outlook, simply opening an affected email can lead to a successful attack.

Microsoft is working on a patch, but until it’s ready, their advice is to install and configure EMET. They are also providing the usual ‘Fix It‘ stopgap, which in this case just disables the ability to open RTF files in Word.

There’s a less technical overview of this issue over at the MSRC blog.

This vulnerability is identified as CVE-2014-1761.

Java, Patches and updates

Java 8 released

1 Comment

Oracle recently announced the availability of Java version 8.

The new Java includes a range of new features, most of which are only of interest to developers. There are some security improvements, but again, these will not be visible to the user and are mostly of use for developers of new Java software.

You can see the list of changes on the What’s New in JDK 8 page (warning: technical). The release notes may also be of interest.

Oddly, the main Java download page still points to older versions (Version 7 Update 51). You can get Java 8 from the Java SE downloads page.

Update 2014Apr15: Oracle clarified their position on the availability of Java 8 in a special FAQ. Basically, Java 8 is for developers, and Java 7 is for regular users. At some point, Oracle will decide Java 8 is ready for general use.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.

Close

Ad-blocker not detected

Consider installing a browser extension that blocks ads and other malicious scripts in your browser to protect your privacy and security. Learn more.