Security and privacy roundup for November 2015

PCs from Dell were found to include support software and related security certificates that potentially expose users to various threats. Dell moved quickly to provide fixes, but many systems remain vulnerable. As if we needed more convincing, this is yet another reason to remove manufacturer-installed software from new PCs as soon as possible after purchase.

A hacking tool called KeeFarce looks for KeePass password databases, attempts to decrypt the stored passwords, and makes the decrypted passwords available to intruders. For this to work, the target computer must already be compromised, and the KeePass database left unlocked. According to researchers, the technique could be used on any password management software. Please, if you use password management software, remember to leave it locked, even if you’re the only user. Why make things any easier for intruders?

Anti-adblocking service provider PageFair was hacked on Halloween, and for a couple of hours, visitors to about 500 web sites were shown fake Flash update warnings that actually installed malware. PageFair fixed the problem relatively quickly and apologized for the breach.

The web site for the popular vBulletin forum software was hacked and user account information was stolen. Site admins reset all user passwords and warned users, but have yet to address claims that the attackers used a long-standing vulnerability in the vBulletin software itself to achieve the intrusion. If true, anyone who manages a vBulletin site should immediately install the patch, which was made available after the vBulletin site hack.

With all the furor over Windows 10’s privacy issues, it’s important to recognize that modern phones have all the same issues. Anyone who uses a smartphone has observed that most apps ask for access to private information when they are installed. Generally, user choices are limited to agreeing or cancelling installation. A new study looks at popular iOS and Android apps, the user information they collect, and where they send it. The results are about as expected, and the authors conclude, “The results of this study point out that the current permissions systems on iOS and Android are limited in how comprehensively they inform users about the degree of data sharing that occurs.” No kidding.

A nasty new type of Android malware has been discovered. Researchers say that the perpetrators download legitimate Android apps, repackage them with malware, then make the apps available on third-party sites. Once installed, the infected apps allow the malware to install itself with root access. So far, the malware only seems to be used to display ads, but with root access, there’s no limit to the potential damage. Worse still, it’s extremely difficult to remove the malware, and in many cases it’s easier to simply buy a new phone.

Ransomware was in the news a lot in November. SANS reported seeing a malware spam campaign that impersonates domain registrars, tricking recipients into clicking email links that install the ransomware Cryptowall. Ars Technica reports on changes in the latest version of Cryptowall, and a new ransomware player called Chimera. Brian Krebs reports on new ransomware that targets and encrypts web sites. Luckily, the encryption applied by that particular ransomware is relatively easy to reverse.

Several web sites and services were hit with Distributed Denial of Service (DDoS) attacks in November. In some cases, the attackers demanded ransom money to stop the attack. ProtonMail, provider of end-to-end encrypted email services (and used by yours truly) was hit, and the attacks didn’t stop even when the ransom was paid.

Security certificates signed using the SHA1 hash algorithm are nearing the end of their usefulness. Plans are already underway to stop issuing them and to stop accepting them in web browsers and other software. SHA1 is being phased out in favour of the much more secure SHA2 family of algorithms.
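As an added example (not from the original post), here is a small POSIX shell helper that reports which certificates in a directory are still signed with SHA1 (or MD5) so they can be replaced before browsers stop accepting them. It assumes the openssl command-line tool is installed; the directory path in the usage line is hypothetical.

```shell
#!/bin/sh
# Flag certificates whose signature algorithm is SHA1 or MD5.
# Added example; requires the openssl CLI.

# Print "OK <alg>", "WEAK <alg>" or "UNREADABLE" for one PEM certificate.
# Exit status: 0 = modern signature, 1 = weak signature, 2 = cannot parse.
check_cert_sig() {
  # "Signature Algorithm" appears twice in the text dump; the first line
  # (inside tbsCertificate) is the one we want.
  alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  case "$alg" in
    "")                       echo "UNREADABLE"; return 2 ;;
    sha1*|*SHA1*|md5*|*MD5*)  echo "WEAK $alg";  return 1 ;;
    *)                        echo "OK $alg";    return 0 ;;
  esac
}

# Walk every *.pem and *.crt file under a directory, print one line per
# file, and return the number of weak certificates found.
scan_cert_dir() {
  weak=0
  for f in "$1"/*.pem "$1"/*.crt; do
    [ -f "$f" ] || continue
    if result=$(check_cert_sig "$f"); then
      :
    elif [ $? -eq 1 ]; then
      weak=$((weak + 1))
    fi
    echo "$f: $result"
  done
  return $weak
}

# Usage: sh check_sha1_certs.sh /etc/ssl/mycerts   (hypothetical path)
[ -n "$1" ] && scan_cert_dir "$1"
```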

A rash of vulnerabilities in popular WordPress plugins, including the excellent BPS Security plugin, came to light in November. WordPress site operators are strongly encouraged to either enable auto-updates or configure their sites to send alerts when new plugin versions are detected.

An app called InstaAgent was pulled from the Apple and Google app stores when it was discovered that the app was transmitting Instagram user IDs and passwords to a server controlled by the app’s developer. It’s not clear how the app managed to get past the quality controls in place for both stores.

Security researchers discovered a bizarre new form of privacy invasion that uses inaudible sound – generated by advertisements on TV and in browsers – to track user behaviour. As weird as it seems, this technology is allowing true Cross Device Tracking (CDT).

On a brighter note, Google is now detecting web sites that appear to use social engineering techniques to trick users. Chrome’s Safe Browsing feature will now show a warning when you are about to visit a page Google thinks is using these devious methods.

The whole-disk encryption technology TrueCrypt was previously reported as vulnerable, and a new study has confirmed those vulnerabilities. The study also found that if TrueCrypt is used on unmounted drives, it is perfectly secure, but what use is a hard disk if it isn’t connected to anything? TrueCrypt users are still anxiously awaiting new encryption technologies like VeraCrypt.

Security researchers discovered a critical flaw in many Virtual Private Network (VPN) services. VPN software and services are used by many torrent users to protect their identity. The flaw allows a malicious person to obtain the true IP address of a VPN user.

The Reader’s Digest web site was infected with a variant of the Angler malware and proceeded to infect unpatched visitor computers for about a week before site operators took action. Thousands of Windows computers may have been infected before the site was finally cleaned up.

Chrome 47 released

Google just announced another new version of Chrome. Version 47.0.2526.73 includes fixes for at least 41 security vulnerabilities.

Alas, the only complete list of changes is the change log (warning: clicking may crash your browser), which as usual includes so much detail that it’s a headache to parse. It’s thousands of lines long. I started reading it, and ten minutes later, my browser scrollbar still hadn’t moved. Presumably if this version included any noteworthy changes, Google would mention them in the release announcement.

Meanwhile, if you use Chrome, you should install the new version, because of the security fixes it contains.

Windows 10 miscellany

Ed Bott noticed that the latest release of Windows 10 (1511) was mysteriously removed from availability via the Media Creation Tool. The new version can still be obtained through Windows Update. Microsoft’s explanation isn’t very helpful, and it’s rather annoying to system builders who missed the brief window during which release 1511 was available via MCT. Update #1: Ars Technica reports on the situation, noting that there are reports of serious problems with release 1511 when installed via the MCT. Update #2: Ars Technica confirms that upgrading via MCT was causing privacy settings to be reset to defaults. The problem has been fixed, and build 1511 is once again available via MCT.

Meanwhile, Microsoft apparently updated its privacy policy in response to concerns about information gathered and transmitted by Windows 10. Changes to the policy make it clear that Microsoft will only provide law enforcement access to your data on their servers, not data stored locally on your computer. Encryption keys are backed up to Microsoft servers, but Microsoft will not use them to decrypt disks or files on your computer. The collection of telemetry data cannot be disabled, but it can be limited so that only very basic data is collected, and none of it personal.

And finally, Microsoft has relented somewhat on its Windows 10 activation policy, allowing for legitimate installs using old, unused activation keys from Windows 7 or 8.

Java 8 Update 66

We previously wondered about the status of Java 8 Update 66, released almost simultaneously with Update 65 around October 20, since it wasn’t being installed by Java’s auto-updater and seemed to cover a lot of the same ground as Update 65.

Well, wonder no longer, since Update 66 is now officially the latest Java version. Java 8 Update 66 is the version you’ll get if you look for the latest version on the Oracle Java site, and Java’s own auto-update mechanisms will also install Update 66. According to Oracle, Java 8 Update 66 was released on November 16. The release notes provide additional details.

Microsoft to start pushing Windows 10 on business customers

Microsoft is turning its sights on businesses and other large customers, making changes to Windows 10 that it hopes will entice IT departments to try the new O/S.

With the arrival of build 10586, Windows Update for Business is now ready for use in Windows 10. This is bound to be helpful for business users, since it allows updates to be delayed, but there’s still no way to avoid updates indefinitely. Microsoft is still promising to provide better information about updates, but as yet that hasn’t actually happened.

There’s also now a business-oriented version of the Windows Store. Most importantly, there are options for disabling telemetry and other data sent to Microsoft from Windows 10 computers. Hopefully that change will find its way to regular Windows 10 versions as well.

It’s far too early to decide whether these changes will have any influence over business and corporate decision makers. I certainly wouldn’t recommend Windows 10 for use in business or educational environments; there are simply too many unresolved issues related to privacy, updates, and the user interface.

Ars Technica has additional details.

Google to discontinue support for Chrome on Windows XP

Google recently announced that they will no longer support Chrome running on Windows XP after April 2016. Chrome will still run on Windows XP, but Google won’t address any new security issues in Chrome that don’t affect newer versions of Windows.

Standard advice to anyone still running Windows XP has included avoiding Internet Explorer in favour of a browser that’s still being updated, like Chrome. After next April, Chrome will be potentially as risky to use on XP as Internet Explorer.

Update MS15-115 re-released to fix crashing issues

One of the updates released by Microsoft on Tuesday apparently caused serious crashing problems on Windows 7 and Windows Server 2008 computers. Microsoft has re-issued the update to resolve these problems. Anyone who already installed MS15-115 on affected Windows systems should run Windows Update again to get the new version.

The MS15-115 bulletin has been updated to show the change.

From the associated knowledge base article:

This security update was rereleased on November 11, 2015, for Windows 7 and Windows Server 2008 R2 to resolve the following issues:

* Resolves crashing that occurred in all supported versions of Microsoft Outlook when users were reading certain email messages.
* Resolves problems that occurred while users were logging on to the system. For example, after a user restarted the computer and then pressed Ctrl+Alt+Delete at the logon screen, the screen flashed and then went black. The user was then unable to continue. There may be other, similar logon issues that are related to this issue.

Latest Ouch! newsletters from SANS

It’s been a while since I posted a link to the SANS Ouch! Security Awareness (“Securing The Human”) Newsletter. It’s a monthly PDF publication that’s aimed at ordinary users, and each issue covers a topic that is – or should be – of interest to everyone.

The most recent issues are Two Step Verification, Password Managers, and Shopping Online Securely. Note: these are all PDF documents.

Note: because they are written for ordinary users, more knowledgeable users may not learn anything new from Ouch! newsletters. Still, they’re worth reading and passing on to anyone who may benefit.

Patch Tuesday for November 2015

It’s that time again. This month’s crop of updates from Microsoft addresses security problems in the usual suspects, namely Windows, Office, .NET and Internet Explorer. Adobe joins the fun with yet another batch of fixes for Flash, and Google releases another version of Chrome with the latest Flash.

The Microsoft security summary bulletin for November 2015 gets into all the technical details. There are twelve separate bulletins with associated updates. Four of the updates are flagged as Critical. One of the updates affects the Windows 10 web browser Edge. A total of 53 vulnerabilities are addressed.

Flash 19.0.0.245 includes fixes for at least seventeen vulnerabilities. As usual, Internet Explorer in recent versions of Windows will be updated via Windows Update. Chrome gets the new Flash via its internal updater. Anyone still using a web browser with Flash enabled should install the new Flash as soon as possible.

Chrome 46.0.2490.86 includes the latest Flash (see above) and fixes a security issue in its embedded PDF viewer.
