Windows vulnerable to document-based attack

According to Microsoft, all versions of Windows except Windows Server 2003 are vulnerable to attacks based on a bug in OLE (Object Linking and Embedding).

Attacks exploiting this vulnerability would take the form of a specially-crafted PowerPoint document.

Microsoft has released a Fix It solution that can be used to close this hole until a proper patch is released. If you commonly receive PowerPoint documents from unknown sources, you are strongly encouraged to apply this fix or refrain from opening those documents.

References:

  1. MSRC post about Security Advisory 3010060
  2. Security Advisory 3010060
  3. Fix It solution for Advisory 3010060

SSL3 protocol compromised

SSL3 is one of the ways web sites encrypt data. It has theoretically been superseded by TLS, but in fact is still widely used.

Now researchers at Google have demonstrated that SSL3 encryption can be made to reveal supposedly secure information. The name they’ve given to the new attack is POODLE, an acronym for Padding Oracle On Downgraded Legacy Encryption. In any case, this technique has been verified, and now the race is on to mitigate the vulnerability of browsers and web servers worldwide. If you run a web server, and it supports SSL3, you should disable SSL3 as soon as possible.

A post on Microsoft’s MSRC security blog provides a brief overview of the problem from their perspective and points to security advisory 3009008. The advisory provides instructions for disabling SSL3 in Internet Explorer.

Anyone still using Internet Explorer 6 (why?) is going to have difficulty accessing secure web sites from this point forward, because IE6 requires SSL3 for secure web browsing, and web servers are now busily having SSL3 disabled.

More information:

Update 2014Dec11: A new variant of the POODLE attack targets TLS and apparently affects up to 10% of the world’s servers. Brian Krebs has more.

Update 2015Jan12: One of the SANS handlers posted a followup that looks in detail at assessing the actual risk of a POODLE attack. It turns out that the risk is actually fairly low.

Firefox 33 released

The release of Firefox 33 snuck past my radar on October 13. In my conversations with Mozilla workers, it was explained to me that only major releases would be announced. But there was no announcement for Firefox 33. Clearly I need to keep bugging them about this. At least the release notes have improved.

The version number would seem to indicate that there are a lot of changes in this new version, and the release notes do list several new features. But none of those features are likely to be of much interest to regular users, aside from some improvements to searching.

Firefox 33 does include at least nine security fixes, as outlined on the Known Vulnerabilities (aka Security Advisories) page.

Patch Tuesday for October 2014

Yesterday saw eight security bulletins and associated patches from Microsoft, as well as two new versions of Java from Oracle, and a new version of Adobe Flash.

The Microsoft updates include three flagged Critical. The updates address twenty-four CVEs in Windows, Office, .NET Framework, .ASP.NET, and Internet Explorer. A post on the MSRC blog provides a good overview.

Two new versions of Java from Oracle address as many as 25 security vulnerabilities in Java 7 and 8. If you’re using a web browser with Java enabled, you should install Java SE 8 Update 25 and/or Java SE 7 Update 72 as soon as possible. Unfortunately, Oracle has made things a bit confusing by saying that you should install SE 7 Update 72 only if you are being affected by the issues fixed in that version, and otherwise to install Update 71. Our recommendation is to install Update 72.

The new version of Flash is 15.0.0.189, and it includes fixes for at least three security vulnerabilities. If you’re like most people and use a browser with Flash enabled, you should update to the new version as soon as possible.

Microsoft once again realizes that there are different kinds of users

A lot of the criticism of Windows 8 focused on its lack of support for enterprise users. Most notably, the new user interface was spectacularly unsuited to business use. Enterprises stayed away from Windows 8, preferring to upgrade to – or stay with – Windows 7.

Microsoft seems to have given up on Windows 8. Although the Start menu was scheduled to reappear in Windows 8, plans for that change were later scrapped. Microsoft’s efforts are now firmly centered on Windows 10, where the Start menu will once again appear.

There’s more good news for enterprise users in Windows 10. According to a recent report from Ars Technica, the update process will have some new options that allow system administrators to control which updates are distributed to enterprise computers. This is already possible with Windows Server Update Services, but the new options promise to simplify things greatly.

USB firmware hacks published

We recently reported a new potential security threat in the form of hacked USB device firmware.

The details of the original hack were not reported by its discoverers, since it seemed likely that the vulnerability was widespread and difficult to fix.

Now a second team of researchers has published working code for a similar hack. Reactions have been mixed, with some categorizing this move as irresponsible.

This is probably going to get a lot worse before it gets better. There’s currently no way to detect whether a USB device has been hacked. Traditional anti-malware software is useless for this purpose.

Hopefully you were already exercising caution when using thumb drives, viewing drives from unknown sources with suspicion. With this new vulnerability, there’s probably no way to be perfectly safe unless you stop using thumb drives completely. Since that’s not practical for many users, you can stay relatively safe by making sure that your thumb drives are always on your person or stored in a secure location when not in use. So much for convenience.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.