New Flash vulnerability discovered

According to a security bulletin published yesterday by Adobe, all versions of Flash older than 21.0.0.182 running on Windows are vulnerable. The vulnerability, designated CVE-2016-1019, is rated Critical: successful exploitation could crash Flash or allow an attacker to take control of the affected Windows system.

Adobe says that Flash 21.0.0.182 contains a mitigation that prevents exploitation of this vulnerability, so if you use Flash and you're not already running 21.0.0.182 or newer, you should install it as soon as possible.
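The "older than 21.0.0.182" test sounds trivial, but scripts that compare version strings as text get it wrong: "21.0.0.9" sorts after "21.0.0.182" because "9" is greater than "1". The following is an added example, not code from the post or from Adobe; it compares dotted versions numerically and applies the same check to the other fixed builds mentioned on this page (Chrome 49.0.2623.108). The FIXED_VERSIONS table is a constructed, hand-maintained assumption; nothing is fetched from a vendor.

```python
"""Dotted-version comparison for 'is my installed build older than the fixed build?'

Added example, not from the original post.  Tuple comparison avoids the
string-compare mistake where '21.0.0.9' > '21.0.0.182' because '9' > '1'.
"""
import re
from typing import Tuple

# Constructed table of the fixed builds named on this page.  Assumption: the
# reader keeps it current by hand; nothing is downloaded from Adobe or Google.
FIXED_VERSIONS = {
    "flash": "21.0.0.182",
    "chrome": "49.0.2623.108",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '21.0.0.182' into (21, 0, 0, 182).

    Anything that is not dot-separated digits is rejected, so a garbage string
    (an empty registry value, 'unknown') can never compare as 'up to date'.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a dotted version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1 if a < b, 0 if equal, 1 if a > b.

    Missing trailing components count as zero, so '21.0' == '21.0.0.0'.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed build is strictly older than the fixed build."""
    return compare_versions(installed, fixed) < 0


def check_product(product: str, installed: str) -> str:
    """One-line verdict for a product from FIXED_VERSIONS."""
    fixed = FIXED_VERSIONS[product]
    if is_vulnerable(installed, fixed):
        return f"{product} {installed}: UPDATE (fixed in {fixed})"
    return f"{product} {installed}: ok"


if __name__ == "__main__":
    # Constructed sample of builds a fleet might report.
    for v in ("20.0.0.306", "21.0.0.9", "21.0.0.182", "21.0.0.197"):
        print(check_product("flash", v))
```

Feed it whatever your inventory tool reports (on Windows the Flash ActiveX and NPAPI/PPAPI plugins can be at different versions, so check each one rather than assuming they match).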

Adobe is working on a more comprehensive fix for this vulnerability and plans to release another new version of Flash in the next day or so.

Malicious Firefox add-ons can co-opt other, vulnerable add-ons

Security researchers recently showed that, because Firefox's current add-on model does not isolate add-ons from one another, an add-on can call functions and read data belonging to any other installed add-on. This allows an attacker to publish a seemingly-innocuous add-on that looks for vulnerable versions of popular add-ons like NoScript and Firebug and abuses their capabilities.

For this type of exploit to work, a user would need to a) leave a vulnerable add-on unpatched; and b) install the malicious add-on. That is yet another reason to make sure that Firefox add-ons are kept up to date. Thankfully, the extremely useful NoScript add-on receives updates automatically and frequently.

This also serves as a reminder to be careful when installing any add-on, no matter how innocuous it seems.

Mozilla is currently revamping the add-on framework in Firefox. The new system will improve security by preventing add-ons from accessing each other's functions and data.

Password managers

“If you’re not using a password manager, you should be.” You’ve heard the refrain, and you’re probably tired of hearing it. But we won’t stop saying it until people get the message.

Rule #1 in online security is "Don't re-use passwords across web sites and services." Rule #2 is "Use long, complex passwords." Following both rules means remembering many long, complex passwords, which is not something humans are particularly good at. That is why we need password management software.
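Rule #2 is usually met by letting the password manager generate the password. The following is an added example, not code from the post or from any password manager named on this page; it shows what a rule-based generator has to get right: draw from a cryptographic random source (Python's `secrets`, never `random`), enforce the "at least one of each class" rule without biasing the result, and report how much entropy the chosen rules actually give. The character classes and the symbol set are constructed assumptions.

```python
"""Rule-based password generator with an entropy estimate.

Added example, not part of the original post or of any password manager.
Uses the `secrets` module (a CSPRNG); `random` is seeded predictably and
must not be used for secrets.
"""
import math
import secrets
import string

# Character classes a generator lets the user toggle.  The symbol set is a
# constructed, deliberately small one; many sites reject other symbols.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*-_=+",
}
DEFAULT_CLASSES = ("lower", "upper", "digit", "symbol")


def satisfies_rules(password: str, classes=DEFAULT_CLASSES) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def generate_password(length: int = 20, classes=DEFAULT_CLASSES) -> str:
    """Return `length` characters drawn uniformly from the selected classes,
    with every class represented at least once.

    Rejection sampling (draw, discard if a class is missing, repeat) keeps the
    distribution uniform over all passwords that satisfy the rule.  The common
    shortcut of picking one character per class, filling the rest and
    shuffling does not: it over-represents passwords with exactly one symbol.
    """
    if length < len(classes):
        raise ValueError("length must allow at least one character per class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies_rules(candidate, classes):
            return candidate


def entropy_bits(length: int, classes=DEFAULT_CLASSES) -> float:
    """Upper bound on entropy: log2(alphabet size) per character.

    The 'one of each class' rule excludes a few candidates, so the true value
    is marginally lower; for length >= 12 the difference is negligible.
    """
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for rules in (DEFAULT_CLASSES, ("lower", "digit")):
        pw = generate_password(20, rules)
        print(f"{pw}  ({entropy_bits(20, rules):.1f} bits, classes={rules})")
```

The entropy figure is the number that matters when a site's rules force a shorter or simpler password: twenty lowercase-and-digit characters give about 103 bits, twenty characters from all four classes about 124, and eight characters from all four only about 50.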

I use Password Corral, free Windows software from Cygnus Productions. It’s not limited to storing passwords, so you can use it for bank accounts, license information, and so on. It can generate strong passwords according to customizable rules. It won’t fill in web forms for you, and it can’t be accessed on the cloud, but I don’t actually want either of those features.

I also recommend Bruce Schneier’s Password Safe.

When deciding on a password management solution, there are several factors to consider. There’s a useful comparison of password management tools (PDF) over at the SANS InfoSec Reading Room. It doesn’t include Password Corral or Password Safe, preferring to concentrate on the more mainstream and popular services, but it’s worth reading.

Security roundup for March 2016

Ransomware made news frequently in March. Two more healthcare networks in the USA were hit with ransomware. A new variety of ransomware called Petya took things to a new level, encrypting the hard drive's core data structures (the master file table) rather than individual files, which leaves the machine unable to boot. TeslaCrypt continued its destructive march across Europe and into the USA. A surge in malware-laden advertising (aka malvertising) on several popular web sites, including the Certified Ethical Hacker site, led to numerous ransomware infections.

Smartphones and tablets running Google's Android operating system remain a popular target for malware. A newly-discovered vulnerability can allow malware to permanently take over a device at the root level. Malware that exploits the still largely unpatched Stagefright vulnerabilities was identified.

Security researchers discovered malware that can infect computers that are not connected to networks, using external USB devices like thumb drives. The malware, dubbed USB Thief, steals large quantities of data and leaves very little evidence of its presence.

A hacking group known as Suckfly is using stolen code-signing certificates to sign its malware, so that it passes the code-signing checks meant to keep untrusted software out and can be distributed more effectively.

The folks at Duo Security published an interesting post that aims to demystify malware attacks, describing malware infrastructure and explaining how malware spreads.

Ars Technica reported on the surprising resurgence of Office macro malware. Macros embedded in Office (Word, Excel) documents were a major problem in the 1990s, but Microsoft's later changes, notably disabling macros by default so that a document's code can't run until the user explicitly enables it, reduced their prevalence until recently. Getting around that protection only requires tricking the document's recipient into clicking "Enable Content", and it turns out that this is surprisingly easy.
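Because the attack depends on the recipient enabling macros, the useful control is to spot documents that carry a VBA project before they reach a person. The following is an added example, not code from the Ars Technica article or from this post: a modern Office document (.docx, .docm, .xlsm and so on) is a ZIP archive, and one that contains macros ships the code as a `vbaProject.bin` part and declares its content type in `[Content_Types].xml`, regardless of what the file has been renamed to. The sample documents the script builds are constructed placeholders, not real Word files.

```python
"""Detect a VBA project inside an Office Open XML document.

Added example, not from the Ars Technica article or the original post.  An
OOXML file is a ZIP archive; macros live in a vbaProject.bin part and the
content-type manifest names it, so the check looks at content, not at the
file extension a mail filter might be fooled by.  Legacy binary .doc/.xls
(OLE2) files need a different parser and are refused, not reported clean.
"""
import io
import zipfile

VBA_PART_NAMES = (
    "word/vbaProject.bin",
    "xl/vbaProject.bin",
    "ppt/vbaProject.bin",
)
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
ZIP_MAGIC = b"PK\x03\x04"


def is_ooxml(data: bytes) -> bool:
    """True if the bytes look like a ZIP container (the OOXML outer format)."""
    return data.startswith(ZIP_MAGIC)


def find_macro_parts(data: bytes) -> list:
    """Return the evidence of macros found in the document, [] if none.

    Raises ValueError for non-ZIP input so that an OLE2 .doc, or a truncated
    attachment, is never silently classified as macro-free.
    """
    if not is_ooxml(data):
        raise ValueError("not an OOXML (ZIP-based) document")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        found = [n for n in VBA_PART_NAMES if n in names]
        # Also trust the manifest: a renamed part still has to be declared
        # there for Office to load it.
        if "[Content_Types].xml" in names:
            if VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                found.append("[Content_Types].xml declares a vbaProject part")
        return found


def has_macros(data: bytes) -> bool:
    """Convenience wrapper: does this OOXML document carry VBA?"""
    return bool(find_macro_parts(data))


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal document for demonstration; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ctypes = (
            b'<?xml version="1.0"?>'
            b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            b'<Override PartName="/word/document.xml" '
            b'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        )
        if with_macro:
            ctypes += (
                b'<Override PartName="/word/vbaProject.bin" '
                b'ContentType="application/vnd.ms-office.vbaProject"/>'
            )
        ctypes += b"</Types>"
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("macro-enabled", True)):
        print(label, "->", find_macro_parts(build_sample(flag)))
```

Presence of a VBA project is not proof of malice (plenty of legitimate spreadsheets have macros), but it is the cheap first gate: a document arriving from outside the organisation with a VBA part deserves a closer look, or at least a warning to the recipient that is more specific than Office's own yellow bar.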

Millions of customer records were exposed in the wake of yet another major security breach, this time at Verizon.

Google continued to improve the security of its products, with more encryption, better user notifications and other enhancements to Gmail.

Brian Krebs reported on spammers taking advantage of the trust users have in ‘.gov’ domains to redirect unsuspecting users to their spammy offerings.

Opera announced that their web browser will now include ad-blocking features that are enabled by default.

Windows 10 Insider Preview Build 14295

Late last week, preview build 14295 started making its way to computers enrolled in the 'Fast ring' of the Windows 10 Insider Preview program. Yesterday, the build was made available to computers on the 'Slow ring'.

This latest build actually includes some interesting features. Or it will when the accompanying developer tools become available. With this build, Microsoft is expanding support for Linux tools on Windows 10, including the Bash shell.

While not of much interest to regular users, adding Linux tools to Windows 10 shows that Microsoft is actually listening to developers and other power users.

Build 14295 also fixes some minor problems affecting Xbox compatibility, the Edge browser, and Kaspersky security software.

Chrome 49.0.2623.110

At what point does an update qualify as pointless? The full change log for Chrome 49.0.2623.110 contains six items, two of which involve merely changing the version number. Another publishes a small change in dependencies. One is literally about compatibility with Windows NT 4. There's nothing here that justifies all the data movement associated with mass-updating a popular piece of software like Chrome.

But hey, I guess I shouldn’t complain. I’d rather be at the “too many updates” end of that particular spectrum.

What you really need to know about the new Chrome version is that none of the issues addressed relate to security.

Chrome 49.0.2623.108

Earlier this week, Google announced another new version of Chrome.

Version 49.0.2623.108 addresses five security issues, so if you use Chrome, you should make sure it's up to date. Click the browser's 'hamburger' menu (the three horizontal lines) at the top right, then select Help > About Google Chrome. If you're not running the latest version, Chrome will start the update process automatically.

The full log lists about sixty changes in the new version, but nothing particularly interesting.

Java 8 Update 77

A single major security bug fix appears to be the reason for the newest version of Java 8: Update 77.

The release notes don’t provide much useful information, and neither does the security alert for the bug addressed in the new version.

If you're still using a web browser with Java enabled, you should consider disabling it. At the very least, configure it as 'click to play', so that Java content doesn't load and run automatically on every web page you visit. If you're not sure whether Java is enabled in your browser, find out by visiting Check-and-Secure.

Flash 21.0.0.197

According to the announcement, the latest version of Flash – released on March 23 – fixes a specific bug that was causing problems for some Flash games.

A review of the release notes seems to show that Flash 21.0.0.197 doesn’t contain any security fixes, so this isn’t an urgent update. Unless of course you’re having trouble running Flash games in your browser.

The announcement for 21.0.0.197 contains at least one error: it shows the new PPAPI version of Flash, used in Chrome, Opera, and other Chromium-based browsers, as 21.0.0.286. My own tests, as well as the official release notes, show that the new PPAPI version is actually 21.0.0.197. I reported the discrepancy to the author.

There is no new version of Flash for Internet Explorer and Edge on Windows 8.x and 10; the latest is Flash 21.0.0.182.

As usual, Chrome will update itself with the new version of Flash.
