90 Second Security Roundup (Video)

 

 

Perform a security scan by Symantec Security Check

Is your computer safe from online threats? The Security Scan performs the following tests and offers recommendations based on the results:

Hacker Exposure Check
Checks whether your computer allows unknown or unauthorized Internet communications.

Windows Vulnerability Check
Checks whether basic information about your computer, including your PC’s network identity, is exposed to hackers.

Trojan Horse Check
Checks whether your computer is safe from Trojan horses.

 

 

Embarrassing privacy flaw found on Facebook

A researcher has found a critical security flaw on Facebook that could be exploited by hackers to expose sensitive information about users.

 

M J Keith, a senior security analyst with security firm Alert Logic, discovered the vulnerability which could lead to private information being exposed, or users’ Facebook pages being maliciously defaced.

 

IDG security reporter Robert McMillan has explained the problem well:

The bug has to do with the way that Facebook checked to make sure that browsers connecting with the site were the ones they claimed to be. Facebook's servers use code called a "post_form_id" token to check that the browser trying to do something -- liking a group, for example -- was actually the browser that had logged into the account. Facebook's servers check this token before making any changes to the user's page, but Keith discovered that when he simply deleted the token from messages, he could change many settings on any Facebook account.

 

This is called a CSRF (Cross-site request forgery attack), which – if left unpatched – would allow hackers to set up malicious webpages that could submit instructions to the victim’s Facebook account without validation.

 

The consequence? Well, a hacker could make your hitherto private information public, or force your profile to “like” a Facebook group that you may find embarrassing.

 

M J Keith reports on AlertLogic’s website that he informed Facebook of the problem on the 11th of May, and that the problem has now been fixed.

 

However, IDG has reported that the security hole is still present.

 

Hopefully, if it’s not already patched, this privacy flaw – which comes at an embarrassing time for Facebook – will be removed soon.

 

If you’re a regular user of Facebook, you could do a lot worse than join the Sophos page on the site to ensure you are kept up-to-date with the latest security news. Oh, and remember to be careful about clicking on suspicious links..

 

By Graham Cluley, Sophos

 

Transport website leaking private information of 168,000 passengers

A hacker called “ins3ct3d” has demonstrated that he can access the personal information of 168,000 users of public transport in The Netherlands via an insecure website.

 

A campaign to encourage residents living in the provinces of Gelderland, Overijssel and Flevoland to use public transport has been promoting a website called “Experience the OV” at www.ervaarhetov.nl, which allows people to request a card allowing them to try out public transport travel for free.

 

However, as magazine Webwereld reports, a simple SQL injection attack allowed “ins3ct3d” to access how to access the personal information of subscribers – including names, addresses, birth dates, email addresses and phone numbers.

 

The hacker, who has chosen to remain anonymous, demonstrated the attack to the magazine by accessing the personal data of one of Webwereld’s reporters.

 

Explaining his reason for exposing the security vulnerability, “ins3ct3d” explained that he felt compelled to warn his fellow citizens as long as the government continues to use unsafe systems. “This time it’s sensitive personal data, next time your fingerprints or EPD,” he said.

 

(EPD is the Electronische Patientdossier.. I guess I don’t need to give a translation of that for you to realise why that’s not data you want falling into the wrong hands).

 

There’s no confirmation that banking data was exposed, but there were fields in the databases for ID card numbers, payment agreements and so forth. At the request of Webwereld, the hacker did not retrieve more data, so there’s no telling if any of these fields had been filled.

 

Webwereld contacted the authorities, and the website is currently “temporarily unavailable”:

I guess we should all breath a sigh of relief that, in this instance, the hack appears to have orchestrated with the interests of exposing poor security, rather than stealing users’ data and identities. Hopefully this incident might play some smart part in raising awareness around the world of the need to ensure your website is coded securely, and not at risk of leaking sensitive information.

 

By Graham Cluley, Sophos

 

Critical security updates from Microsoft and Adobe

It was “Patch Tuesday” yesterday, which means another parcel of security updates for computer users to unwrap, and this time the fixes aren’t just from Microsoft, but from Adobe too.

 

First on the menu is Microsoft, which has served up two security bulletins detailing vulnerabilities that could be exploited by hackers to execute malicious code (such as a worm) on your computer.

 

The first of these security holes exists in Outlook Express, Windows Mail, and Windows Live Mail. Microsoft’s Security Research & Defense blog goes into some detail about the vulnerability, explaining that although the security hole is given a “critical rating” on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008, it is considered less serious for Windows 7 users as Windows Live Mail is not installed by default on that platform.

 

The other patch from Microsoft addresses a vulnerability in Visual Basic for Applications, a component used by Microsoft Office and other third-party products. Microsoft has given this security update its highest possible rating – “Critical” – for all supported versions of Microsoft Visual Basic for Applications SDK and third-party applications that use Microsoft Visual Basic for Applications. It is also rated “Important” for all supported editions of Microsoft Office XP, Microsoft Office 2003, and the 2007 Microsoft Office System.

 

Next up is Adobe, who have released patches to squash over 20 security vulnerabilities in its Shockwave and ColdFusion products.

 

The critical vulnerabilities identified in Adobe Shockwave Player 11.5.6.606 and earlier versions impact both Windows and Macintosh users, and could allow attackers to run malicious code on your computer.

 

Adobe recommends that users update their version of Adobe Shockwave Player to version 11.5.7.609.

 

Details of the ColdFusion vulnerabilities, classed as “important”, are provided in Adobe Security Bulletin APSB10-11.

 

Enough of waffle. Download and install the patches if your computer is affected.

 

By Graham Cluley, Sophos

 

Apple Safari zero-day exploit revealed

 

 

Apple’s Safari browser contains a critical, unpatched bug that attackers can use to infect Windows PCs with malicious code, researchers at US-CERT and other security firms said today.

 

Hackers could compromise PCs with simple “drive-by” attack tactics, researchers added.

 

The vulnerability, first reported by Danish vulnerability tracker Secunia and confirmed by the United States Computer Emergency Readiness Team (US-CERT), was disclosed by Polish researcher Krystian Kloskowski on Friday. The bug is caused by an error in the handling of the browser’s parent windows.

 

Apple Safari gets security fix in update | Apple Safari 4 browser | How to use Greasemonkey scripts with IE, Chrome and Safari

 

“This can be exploited to execute arbitrary code when a user visits a specially-crafted web page and closes opened pop-up windows,” said Secunia’s alert.

 

The vulnerability can also be exploited by attackers who dupe users into opening rigged HTML-based e-mail within Safari, added US-CERT in its advisory. That scenario likely would involve tricking users into opening malicious messages in a Web mail service, such as Gmail or Windows Live Hotmail.

 

Both Secunia and US-CERT confirmed today that the proof-of-concept attack code published by Kloskowski successfully compromises the Windows version of Safari 4.0.5, the most up-to-date edition. Secunia rated the vulnerability as “highly critical,” the second-most-dangerous ranking in its five-step threat scoring system.

 

It’s not known whether the vulnerability also exists in the much more widely used Mac OS X version of Apple’s software. “Other versions may also be affected,” cautioned US-CERT.

 

Charlie Miller, the noted vulnerability researcher who won $10,000 by hacking a Mac in March at the Pwn2Own contest, was out of his office and not able to verify that the bug also exists in Safari on Mac OS X.

 

US-CERT urged users of the Windows version of Safari to disable JavaScript as a temporary defense.

 

Apple last patched Safari in mid-March when it fixed 16 flaws, including six that applied only to the Windows version of the browser. It’s not unusual for Apple to patch Windows-only vulnerabilities when it updates Safari.

 

Apple patched Miller’s $10,000 vulnerability in mid-April by plugging a hole in ATS (Apple Type Services), a font renderer included with Mac OS X. Miller accessed the ATS bug via Safari during Pwn2Own.

 

 

By Gregg Keizer, techworld.com

KHOBE ‘vulnerability’: is this game over for security software?

The last couple of days there have been a lot of headlines in the security press about a report by a firm called Matousec, which claimed that “today’s most popular security solutions simply do not work.”

 

The attack method, dubbed KHOBE and described by Matousec researchers as an “8.0 earthquake for desktop security software”, describes a potential bypass in the way some parts of some anti-malware products operate on some versions of Microsoft Windows.

 

The dramatic headlines might make you think that this is TEOTWAWKI*, but the truth is somewhat different.

 

Because KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec describes is a way of “doing something extra” if the bad guys’ malicious code manages to get past your anti-virus software in the first place.

 

In other words, KHOBE is only an issue if anti-virus products such as Sophos (and many others) miss the malware. And that’s one of the reasons, of course, why we – and to their credit other vendors – offer a layered approach using a variety of protection technologies.

 

So, before you hide yourself in the basement and prepare for nuclear winter, make sure you read this excellent piece by Paul Ducklin, which examines and discusses the KHOBE claims in greater detail.

TEOTWAWKI: The End Of The World As We Know It

 

By Graham Cluley, Sophos

 

 

Microsoft to release emergency Internet Explorer patch on Tuesday

Microsoft has announced that it will be issuing an emergency out-of-band patch for a critical security hole in some versions of Internet Explorer on Tuesday 30 March.

 

According to a Microsoft advisory, the emergency fix is designed to protect users of Internet Explorer 6 and Internet Explorer 7.

 

Microsoft normally bundles its security updates into a monthly package, known in the industry as “Patch Tuesday” (the second Tuesday of each month), and it is relatively unusual for the company to issue a fix for a security vulnerability outside of this cycle. Clearly Microsoft considers the bug particularly important to patch as soon as possible.

 

And in my opinion they’re right not to leave this vulnerability unpatched until April 13th. Earlier this month I described how hackers are actively exploiting the vulnerability, in their attempt to infect computers.

 

The researchers in SophosLabs reported some of the malicious spam messages we have seen being distributed which attempt to trick users into visiting websites that will exploit the zero day vulnerability and infect Windows PCs.

 

More information about the security flaw can be found in Sophos’s analysis of the problem.

 

So, if you are still using Internet Explorer versions 6 or 7, please be sure to update your systems as soon as Microsoft releases the fix. But, in all honesty, what are you doing running such old versions of IE anyway? Shouldn’t you have upgraded to Internet Explorer 8 by now?

 

By Graham Cluley, Sophos

 

 

Related Blogs

Critical Firefox security hole fixed – have you updated?

Mozilla has responded to concern about a critical security vulnerability in Firefox 3.6, by releasing version 3.6.2 of its popular browser ahead of schedule.

 

Firefox 3.6.2 fixes a vulnerability first discovered by security researcher Evgeny Legerov last month, which could allow hackers to launch malicious code on users’ computers.

 

As I blogged yesterday, concern about the bug was so high that the likes of the German government had advised internet users to switch to an alternative browser until a fix from Mozilla was available (at the time that fix was not scheduled until March 30th).

 

However, concern about the severity of the security flaw encouraged Mozilla to accelerate its timetable for release and speed up the schedule.

 

If you are a Firefox 3.6 user, go to the Help menu and choose “Check for Updates” to update your installation of Firefox to the latest version. You can also visit www.getfirefox.com if you wish to download the full version.

 

I would also strongly recommend that all Firefox users consider using NoScript, the Firefox addon that provides a higher level of protection by allowing you to choose which websites are allowed to run active content (such as JavaScript).

 

By Graham Cluley, Sophos

 

 

German Government: Don’t use Firefox

The German government has advised computer users not to run Firefox and run an alternative browser instead, because of a critical security flaw.

 

The advice, which comes from BürgerCERT, part of the German Federal Office for Security in Information Technology (known as the Bundesamt für Sicherheit in der Informationstechnik or BSI), recommends that computer users stop using Firefox until Mozilla releases a fix.

 

The reason why Germany is suggesting such seemingly drastic action is that there is a critical vulnerability in currently available versions of Firefox that could be exploited by hackers to launch malicious code on users’ computers.

For its part, Mozilla has acknowledged the security vulnerability, and advises that a patched version 3.6.2 of Firefox is scheduled to be available on March 30th.

 

Here is a rough translation (courtesy of Google Translate):

Recommendation
Because of the Mozilla Foundation, a privately disclosed vulnerability Bürger-CERT recommends the use of alternative browser until Mozilla has released Firefox version 3.6.2. The current release of Firefox 3.6.2 Plan provides for delivery on Tuesday 30 Before March 2010.

 

Description
There is an as yet unspecified vulnerability in Mozilla Firefox version 3.6. A remote attacker to execute using rigged websites the opportunity to inject malicious code in the context of the logged on user.

 

Security researcher Evgeny Legerov discovered the vulnerability last month, controversially making code which exploited it available to those who were prepared to pay. That’s not an approach which is likely to have won him many friends at Mozilla, who would much prefer that vulnerability researchers worked with them on responsible disclosure.

 

It must be an uncomfortable time for German web users too. After all, in January they were advised not to use Internet Explorer, and now they’re being told to keep a wide berth from Firefox until it’s fixed.

 

It’s certainly a lot easier for computer-savvy home users to leapfrog from browser to browser than companies.

 

Switching your web browser willy-nilly as each new unpatched security hole is revealed could cause more problems than it’s worth. For instance, imagine how much training some users will require to switch from one browser to another.

 

And it’s worth bearing in mind – what are you going to do when your replacement browser itself turns out to contain a vulnerability? Are you going to switch yet again?

 

My advice is to only switch from Firefox if you really know what you are doing with the browser you’re swapping to. If you stick with Firefox, apply the security update as soon as its available.

 

If you can’t wait – Mozilla says it has produced a release candidate build of Firefox 3.6.2 which already contains the fix (obviously it hasn’t been through their complete quality assurance process yet). You can download it from their website at https:/ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/

 

By Graham Cluley, Sophos

 

 

« Previous Page — Next Page »