Archive for the Security Category

Microsoft Issues Emergency Patch For IE Flaw [UPDATED]

Posted in Security on December 17, 2008 by itnerd

That was fast!

Microsoft is releasing a patch sometime today to fix the Internet Explorer flaw that I discussed yesterday. It’s unusual for Microsoft to release patches outside of its normal release schedule of the second Tuesday of the month. But given how serious this flaw is, they really didn’t have a choice. Frequent readers of this blog will note that this is the second time this year that Microsoft has had to come out with an emergency patch.

When I have a download link to the patch, I’ll post it here (or you can always pull it via Windows Update).

UPDATE: The security bulletin with the updates can be found here. Or you can use Windows Update to install the proper patch.

Microsoft Warns Users Of IE Related Security Flaw…. Glad I Use Firefox [UPDATED]

Posted in Security on December 16, 2008 by itnerd

Here’s a shock. Microsoft’s Internet Explorer has a security hole that is serious enough that Microsoft has put out a security advisory on the subject:

“Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in Internet Explorer. Our investigation so far has shown that these attacks are only against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008. Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows are potentially vulnerable.”

Well that’s not good.

The flaw lets criminals take over computers merely by tricking them into visiting web sites with malicious code installed on them. As many as 10,000 sites might have been taken over according to this AP report.

For the time being, the advice that I would have for you would be to switch to Chrome, Firefox, Safari, or Opera until the dust settles. But if that’s not possible, here’s Microsoft’s advice for those who are sticking with IE:

  • Change IE security settings to high (Look under Tools/Internet Options)
  • Switch to a Windows user account with limited rights to change a PC’s settings
  • With IE7 or 8 on Vista turn on Protected Mode
  • Ensure your PC is updated
  • Keep anti-virus and anti-spyware software up to date

The hole will be fixed likely with an emergency out of cycle patch. Given the scope of this issue, Microsoft really has no other choice but to get this out the door ASAP.

Meanwhile, the Mac Fanbois and LINUX geeks are likely dancing in the streets over this latest Microsoft screw up.

UPDATE: As if on cue, Firefox 3.0.5 has hit the streets. You can view the changelog here, or just download it from here.

The iPhone Trojan That Isn’t A iPhone Trojan…Confused? Read On…

Posted in Security on September 18, 2008 by itnerd

Now that the iPhone has become so widely popular, it was only a matter of time before somebody tried writing some sort of malware targeted towards iPhone users. According to Sophos, there’s now an iPhone trojan in the wild. Here’s the catch: it doesn’t actually run on the iPhone. Instead it promises to be a free iPhone game that you download to a Windows PC. From there it does nefarious things to your PC like take control of it. Mac users are (currently) unaffected by this trojan.

Removal instructions can be found here.

New Web Exploit Hijacks Your Clipboard… And Macs Are NOT Immune! [UPDATED]

Posted in Security on August 18, 2008 by itnerd

Another day, another exploit.

Reports on a variety of sites (click here, here, here, here for examples) have detailed a new type of web attack that goes something like this:

  • You surf to a seemingly legitimate site (MSNBC.com and Newsweek come up more than once)
  • A malicious link is copied to the clipboard.
  • The link remains even after the user copies a new batch of text to the clipboard. The only way to remove it is to reboot the computer.

The attack has been reported by Firefox users running both OS X and Windows (Sorry Apple Fanbois) as well as IE users, but I wouldn’t be surprised to hear that other browsers and operating systems are also vulnerable. At this point, there isn’t enough info for me to say for sure. The link (which I will not repost here) sends you to a site that claims your PC is infected with malware and you need to use a fraudulent anti-malware program to get rid of it. The only reason why I would think that the link is being shoved into the clipboard is that I guess they’re hoping that you’ll do a copy/paste into an e-mail and propagate it that way.

This attack appears to be coming from a carefully crafted .swf file, so the best way to protect yourself if you run Firefox is to run the NoScript extension in your Firefox browser. IE users might want to try the following:

  • Open up Internet Explorer and select Tools > Manage Add-ons.
  • Depending on your Internet Explorer version, the options might vary a bit. Either look under Add-ons currently loaded in Internet Explorer or under Add-ons that have been used by Internet Explorer. IE7 has an additional option too.
  • Select the Shockwave Flash Object and set its status to disabled. Ok the boxes and restart Internet Explorer as required.

The web won’t look nearly as pretty, but at least you won’t get infected. That buys you time until a fix comes out.

UPDATE: Ubuntu machines are exploitable too.

Consumer Reports Tells Mac Users To Ditch Safari

Posted in Security on August 5, 2008 by itnerd

I just spotted this link over at Consumer Reports that lists “7 online blunders” which can lead to identity theft or could trash your computer. Most of these blunders are things that have been around for a while, but blunder #5 caught my eye because it directly addresses Mac users and their false sense of security:

“According to this year’s State of the Net survey, Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar. To make matters worse, the browser of choice for most Mac users, Apple’s Safari, has no phishing protection. We think it should.

What you can do: Until Apple beefs up Safari, use a browser with phishing protection, such as the latest version of Firefox (shown at right) or Opera. Also try a free anti-phishing toolbar such as McAfee Site Advisor or FirePhish.”

Consumer Reports is the latest in a growing string of organizations to take Apple to task over its handling of security issues. Not to mention that unpatched security holes have occasionally prompted security watchers such as US CERT to advise against using IE. Safari could easily end up in the same boat if Apple doesn’t get serious about security.

But Apple is only half the problem. Apple users have been force fed the story that Macs are more secure than Windows boxes. Up until recently that’s been largely true. But no computer platform is truly secure. Anything can be hacked, cracked, pwned, or exploited. So it is up to users to practice the same safer computing methods that have been drilled into Windows users for years.

Speaking of security. Apple was supposed to take part in the Black Hat security conference this week. However, Apple’s marketing team got in the way and vetoed the talk at the last minute. That’s unfortunate because Apple’s lack of clarity on security isn’t giving people the “warm fuzzies” at the moment.

Apple Patches DNS Flaw…. What Took Them So Long? [UPDATED x2]

Posted in Security on August 1, 2008 by itnerd

The much talked about DNS flaw in OS X is now patched. Apple released Security update 2008-005 late last night and recommends it for the following systems:

Alternately, you can grab this via Software Update.

It should be noted that this fixes a bunch of other security issues. You can read this for the 411. One key thing it does address is the ARDAgent.app exploit that I’ve talked about previously. My question is, why did it take so long given the severity of the DNS issue? Not to mention the ARDAgent.app issue, which is serious as well?

Given Apple’s level of secrecy, we’ll likely never know for sure. But at least the patch is finally out.

UPDATE: Reports have surfaced in multiple places that this patch for the DNS issue doesn’t implement one key feature. That is port randomization on requests. Mac OS X machines doggedly issue DNS requests on sequential ports, making them far more vulnerable to spoofing. No word from Apple on this, and you won’t likely hear anything as they don’t respond to requests for comment on security issues. In any case, Apple might have dropped the ball this time and needs to fix this NOW if this is true.

UPDATE #2: This might be a non-issue. Here’s why from Apple’s security advisory (I’ve bolded the key point):

“The Berkeley Internet Name Domain (BIND) server is distributed with Mac OS X, and is not enabled by default. When enabled, the BIND server provides translation between host names and IP addresses. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1. Credit to Dan Kaminsky of IOActive for reporting this issue.”

So, since BIND is not enabled on OS X clients, OS X might be secure with this patch. Can anybody confirm this?
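The weakness the two updates above turn on is whether a resolver picks its UDP source port predictably (sequential ports) or at random. The following is an added example, not code from the post or from Apple, that checks this from the defender's side: it pulls the source ports of outgoing queries to port 53 out of tcpdump-style capture lines and reports whether they step up by one. The capture lines and the port lists are constructed sample data; the tcpdump line layout is assumed to match the standard `IP src.port > dst.port:` form.

```python
"""Check whether a host's DNS query source ports look randomized or sequential.

Added example (not from the original post). Feed it the source ports of
outgoing DNS queries, e.g. parsed from a tcpdump capture of UDP port 53
traffic, and it reports whether the resolver is walking through ports one
at a time, which is the weakness discussed in the post.
"""
import re

# Matches tcpdump-style lines such as
#   12:00:01.000100 IP 10.0.0.5.49152 > 10.0.0.1.53: 1001+ A? example.test. (31)
# and captures the client-side source port. Responses (port 53 as the
# source) do not match because the destination is not port 53.
TCPDUMP_DNS_QUERY = re.compile(r"IP \S+\.(\d{1,5}) > \S+\.53: ")


def source_ports_from_capture(lines):
    """Return the UDP source ports of all queries sent to port 53, in capture order."""
    ports = []
    for line in lines:
        m = TCPDUMP_DNS_QUERY.search(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def sequential_fraction(ports):
    """Fraction of consecutive queries whose source port rises by exactly 1.

    A resolver that allocates ports sequentially scores close to 1.0; a
    randomized one scores close to 0.0.
    """
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def assess_port_randomization(ports, min_samples=8, seq_threshold=0.5):
    """Classify a port sample as 'sequential', 'randomized' or 'insufficient'."""
    if len(ports) < min_samples:
        return "insufficient"
    if sequential_fraction(ports) >= seq_threshold:
        return "sequential"
    return "randomized"


# Constructed capture: a client whose stub resolver uses sequential ports.
# One response line is interleaved to show that replies are ignored.
SAMPLE_CAPTURE = [
    "12:00:01.000100 IP 10.0.0.5.49152 > 10.0.0.1.53: 1001+ A? example.test. (31)",
    "12:00:01.000900 IP 10.0.0.1.53 > 10.0.0.5.49152: 1001 1/0/0 A 192.0.2.10 (47)",
    "12:00:02.000100 IP 10.0.0.5.49153 > 10.0.0.1.53: 1002+ A? mail.example.test. (36)",
    "12:00:03.000100 IP 10.0.0.5.49154 > 10.0.0.1.53: 1003+ A? www.example.test. (35)",
    "12:00:04.000100 IP 10.0.0.5.49155 > 10.0.0.1.53: 1004+ AAAA? example.test. (31)",
    "12:00:05.000100 IP 10.0.0.5.49156 > 10.0.0.1.53: 1005+ A? ntp.example.test. (35)",
    "12:00:06.000100 IP 10.0.0.5.49157 > 10.0.0.1.53: 1006+ A? cdn.example.test. (35)",
    "12:00:07.000100 IP 10.0.0.5.49158 > 10.0.0.1.53: 1007+ MX? example.test. (31)",
    "12:00:08.000100 IP 10.0.0.5.49159 > 10.0.0.1.53: 1008+ A? img.example.test. (35)",
]

# Constructed sample of ports from a resolver that randomizes its source port
# (fixed values rather than random.randint so the example is reproducible).
RANDOMIZED_PORTS = [52311, 61027, 49980, 58144, 50327, 63901, 55012, 60488,
                    51230, 57769, 64102, 49533, 56640, 62215, 53874, 59001,
                    50916, 61755, 54290, 57303]

if __name__ == "__main__":
    captured = source_ports_from_capture(SAMPLE_CAPTURE)
    print("capture:", captured, "->", assess_port_randomization(captured))
    print("randomized sample ->", assess_port_randomization(RANDOMIZED_PORTS))
```

In practice you would capture a few dozen queries with something like `tcpdump -n udp port 53` and pipe the lines in; a verdict of `sequential` on the client's own queries is the condition the first UPDATE worries about, while a stub resolver that only forwards to a randomizing upstream (the situation UPDATE #2 describes) still shows sequential client ports without that being the cache-poisoning exposure.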

75% Of Bank Websites Insecure…. Time To Put Your Money In Your Mattress

Posted in Security on July 28, 2008 by itnerd

Seeing as most of planet earth uses on-line banking to some degree, I was shocked to see this story that more than 75% of bank websites are insecure by design according to a recently published study:

“To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country,” [University of Michigan computer science professor Atul] Prakash said in a statement. “Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking.”

The report was based on the examination of websites for 214 financial institutions. The study was conducted in 2006, so it’s possible the design flaws have been cleaned up. But somehow I doubt it as the website from my bank hasn’t changed in at least that long and from what I can tell it still behaves the same way it did when I started using it.

Perhaps it’s time to ask some hard questions of those who safeguard our money?

Yet Another Apple Trojan In The Wild!

Posted in Security on June 23, 2008 by itnerd

It seems that everyone and their dog is writing a Trojan to take advantage of the Apple Remote Desktop vulnerability that I posted about last week. This one is called OSX/Hovdy and does the following:

“When run the Trojan will attempt to install itself to the /Library/Caches folder and perform the following tasks:

– disable system logging and delete system log files
– start PHPShell and web server
– start ARD, VNC and SSH services
– disable system updates
– open ports in the firewall
– disable third party security software
– steal various password hashes and keys which may be used to compromise other systems

OSX/Hovdy-A will also attempt to use the ARDAgent vulnerability to obtain root access.”

Since it is a Trojan, it needs you to run it so it can do its evil work. So I will say it again… Never download and install software from untrusted sources or questionable web sites. Also, if something suddenly appears on your Mac asking you for your password, and you are NOT installing software or changing system settings, don’t type your password in.

“Carpet Bomb” Still A Problem Despite Patch…. Oh Noes!

Posted in Security on June 22, 2008 by itnerd

Apple patched Safari last week, but according to this ZD article, security researcher Billy Rios notes that when Safari is used on a computer with Firefox 2 or 3, there is a risk of an attack that allows a remote attacker to steal files using the “carpet bomb” method. He’s not going into other details at this time so that Apple can fix the issue, but it’s not good optics for Apple. To be fair, it’s a problem due to an interaction with another product, so Safari in isolation should be fine (in theory).

Oh yeah, if you look at Billy’s blog, he also has this quote:

“UNRELATED NOTE TO MOZILLA: Firefox 3 shouldn’t FORCE itself to be my default browser after I install it (YES, I unchecked the default browser checkbox during install)”

Hmmm…. That sounds vaguely familiar. I saw that coming a mile away, just not from him.

Nasty MacOS X Trojans In The Wild….. Oh Noes!

Posted in Security on June 20, 2008 by itnerd

The word on the street is that a trojan now exists for MacOS X that exploits a “root” vulnerability in Apple Remote Desktop Agent in Mac OS X 10.4 and 10.5:

“The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.”

The Apple Remote Desktop Agent that this article speaks of is the piece of software built into MacOS X that allows you to control your computer from another computer. The details of the vulnerability in question have been discussed at length at Slashdot. If you’re a home user, you’d likely never have to use this aspect of Mac OS X, so I would follow these directions to protect yourself.

A second trojan disguises itself as a poker game to get onto your system. Once there, it does the following:

“The Trojan horse, when run, activates ssh on the Mac on which it is running, then sends the user name and password hash, along with the IP address of the Mac, to a server. It asks for an administrator’s password after displaying a dialog saying, “A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of them, delete files, damage the operating system, or much more.”

This sounds nasty, but it requires your interaction to do any sort of damage. Therefore you need to practice safe computing and never download and install software from untrusted sources or questionable web sites. Also, if something suddenly appears on your Mac asking you for your password, and you are NOT installing software or changing system settings, don’t type your password in.

Now that Apple has raised the profile of the Mac, you can fully expect to see more of this as hackers and script kiddies target the Mac. Hopefully Apple steps up its game to keep its user base safe. Given that it has been criticized in the past for not doing that, I hope this forces them to improve their response to issues like these.