Adobe .pdf Reader Critical Flaw

Adobe has warned of yet another critical flaw that effects most Windows users. If your version is 10.1.1 or earlier expect an update almost immediately. Plan B would have you using an alternative application such as Sumatra.

Update Your Java Now

Go to http://java.com/en/ and click on the Do I have Java? link. If you do not have Java installed you have no worries. If you have Java installed then update it by clicking the large red Free Java Download link.

Critical Security Fix it Released for Windows

If you run Windows Xp, Vista or Windows 7 you need to immediately install a patch. Go to http://support.microsoft.com/kb/2639658 and download and right-click install the Enable Fix it link. If the fix does not install correctly you should re-visit the link and click on the Disable Fix it link.

This threat is serious so don"t fail to install the patch - This “Duqu” Trojan is really nasty.

You're all a bunch of thieving crooks.

A report from the Business Software Alliance (BSA) appears to show that most people have illegal or pirated software on their PC's. A Google news search gives you a good overview.

Tsk-tsk-tsk - you people should be ashamed.

Be aware that you will eventually be plagued with a piece of software containing a virus, spyware, malware, trojan or some other evil bit.

Try using open source software or look into searching for well written applications whose cost is rarely above $50.00 and generally provide years of free updates. Sweet.

What's on Your PC?

Do you know what software is on your PC? A woman in Vancouver now knows. A software application meant to allow a PC to be tracked via its IP address was also taking pics via its built-in webcam. This at the same time she was ingaging in, ahem, risque conduct with a 'special friend' if-you-get-my-drift. The Mothercorps has the story here.

iPhone Tracker Revealed

A story from the Guardian reveals Apple keeps a file on the iPhone and iPad that contains the latitude and longitude of the phone's recorded positions coupled with a time stamp. When synchronised with the owners computer this file is copied over resulting in two copies. The file data can be accessed with mimimal effort by anyone with possession of the device(s). You can access this file with this handy application called IphoneTracker. The only saving grace is that the file is apparently not uploaded to Apple. Stay tuned for the fallout from this.

Critical Windows Flaw Targets IE

A security flaw in Windows MHTML (MIME Encapsulation of Aggregate HTML) protocol handler that is used by Windows applications to render ceertain document types can allow evil-doers to take control of a users Internet Explorer sessions.

Bill has a fix here: http://support.microsoft.com/kb/2501696 . Click the icon located about halfway down the page under Enable To lock down MHTML and follow the instructions.

IE Exploit for Xmas!

Microsoft's Internet Explorer is the target of a new zero day attack.
Best Practice? If you're using IE, stop.
If you must use IE then perhaps Sandbox it with Sandboxie.
Why not try Firefox (with the awesome No-Script Add-on) or Opera instead?
Safer, Better and hip . . . like the kids say.

Adobe Software Patches

Adobe has released a critical update that patches at least two security holes in its PDF Reader and Acrobat software. Hopefully these patches will be the last before the new 'Sandboxed' version appears. The newest version is 9.4.1. - update to this version by clicking 'Help', then 'Check for Updates'.

Firefox BlackSheep: Anti-Networking Sniffing Tool

Not too long ago a Firefox extension called Firesheep designed to (according to the writeup at Lifehacker.com) ". . . sniff out weak security and/or hijack web site credentials on open Wi-Fi networks." was released. While useful for legitimate tasks it also gave crackers a tool that could allow them obvious access to PC's at your local coffee shop.

Now BlackSheep, an anti-Firesheep tool has been released. It is designed to alert you whenever Firesheep is active on your local network.

If you frequent establishments where you use Wi-Fi you might consider using this Firefox extension. The download page is here: http://www.zscaler.com/blacksheep.html

You should also look into grabbing the HTTPS Everywhere Firefox extension which encrypts your entire session not just the login portion.

Adobe Flash, Reader and Acrobat Security Advisory

Adobe products are again opening up exploitable holes in Operating Systems of all types.
The news is here: http://www.adobe.com/support/security/advisories/apsa10-05.html

Instead of Adobe Reader try the alternative application, FoxitReader.

Facebook coughing up UID's

The online platform for farming, organized crime and poker . . . known in these here parts as Facebook, again finds itself on the wrong end of user privacy. It appears certain online apps (Farmville, etc) have been providing info that could allow evil-doers to reveal names, phone numbers, email addresses, photos and other personal bits.

I use Facebook but never play any games and check the privacy settings religiously to try and stay ahead of the inevitable security breach.

An excellent write up is here: http://mashable.com/2010/10/18/facebook-apps-leak-user-info/

Java Security Hole

Microsoft's Malware Protection Center Blog is reporting a huge surge in Java exploits. From the end of 2009 until now the number of exploits has gone from roughly 100,000 to 6,000,000!

So, if you have Java on your machine (Mac, Linux or Windows) then make damn sure it's patched.*

Remember, the default patching schedule only checks the Mothership for updates on the 14th of every month and this is way too long to wait. Change it to daily. Have it occur immediately after you back up your data.

If you use Windows you should install as a service Secunia PSI which will automagically check for a wide range of patches.

*If possible, remove Java if it is not required by another application. Java is, for most users, in the background and you may never know it's running unless you have seen the splash screen. If you remove Java and some application breaks it will probably very politely suggest you need to install Java. In this case, well, you need Java so simply make sure it's patched as you do any other application.

Critical Microsoft Fixit

Bill has announced that an unpatched critical security hole in Windows XP operating systems is a genuine threat. A temporary patch using Microsoft Fix it is available here - after the .msi file downloads double-click it and the install is self-explanatory. Users who apply this patch will not need to uninstall it before applying the official patch when it becomes available towards the middle of July.

Critical Opera flaw - patch NOW!

If you use Opera and do not automagically update your installation you a) should ;) and b) need to manually update NOW to fix a gigantic security hole. After the update you better be running version 10.53 to be safe.

 

 

 

 

WiFi network finder - now with password cracker!

If you use a router and are still using WEP encryption then please read this.

I'll wait.

Ok.

Connect to your router and ensure you are using WPA or better yet, WPA2.

Palm Pre Security Hole

The recent Palm Pre OS has been found to have a major, glaring security gap because, since the browser is embedded into the OS, it's naturally vulnerable to various exploits (Javascript being the obvious one) making it a large target for evil-doers. A fix better come sooner rather than later to save the brand for the forseeable future. What were they thinking?

Adobe is the Winner!

Microsoft Word has been dethroned as the most likely point-of-entry for rogue software.

Files based on Reader were exploited in almost 49 per cent of the targeted attacks of 2009, compared with about 39 per cent that took aim at Microsoft Word. By comparison, in 2008, Acrobat was targeted in almost 29 per cent of attacks and Word was exploited by almost 35 per cent.

So, either use an alternative such as Foxit Reader or for a quick 'n dirty fix: Open Adobe Reader, click onEdit, Preferences, JavaScript, and uncheck the enable JavaScript box.

Internet Explorer F1 Key Flaw

If you use any of the last several versions of Internet Explorer you are advised to not press the F1 key if prompted by any web site. A flaw has been discovered that could open up your Windows machine (except Vista, way to go Bill!) to evil-doers. The Microsoft Security Advisory (981169) is here: http://www.microsoft.com/technet/security/advisory/981169.mspx

The quote from Microsoft below:

Successful exploitation of this vulnerability requires that users assist the exploit by pressing the F1 key on their keyboard. Our analysis shows that if users do not press the F1 key on their keyboard, the vulnerability cannot be exploited.

Consequently, malicious Web sites may attempt to persuade users into pressing the F1 key. Such a Web site could invoke an endless loop of dialog boxes that tell the user to press the F1 key to end the loop, or offer information such as pricing information or help to be revealed through the F1 key.

Users are advised to avoid pressing F1 presented by Web pages or other Internet content. If a dialog box appears repeatedly in an attempt to convince the user to press F1, users may log off the system or use Task Manager to terminate the Internet Explorer process.

Adobe .PDF Reader Critical Fix

Adobe has announced a patch for its Reader that is a must have as always.

It appears Adobe's software is highly unsafe and worse, breaks quickly giving the evil-doers more time to exploit the openings. Oops.

Details at Krebs on Security. And, Aviv Raff On .NET has apparently found the horrible Adobe Download Manager will re-install the evil

bits so make sure you un-install it as well. Firefox users should disable or un-install the Adobe Download Manager Extension/Add-on.

Adobe Flash Security Upgrade

Adobe has released an out-of-sequence update of its Flash Player that fixes two critical security holes in its Web browser plugin.

The latest version is now version 10.0.45.2. Visit here to check your version.

Also, remember that you will have to install the upgrade seperately for each browser you use so if you're like me well, Internet Explorer, Firefox, Opera and Chrome all need patching!

Firefox Update

Y'all better check yer Firefox to see that you are running version 3.5.5 - if you aren't then run a manual upgrade (Help - Check for Upgrades). You might also set Firefox to automagically download and install upgrades:

Shockwave Player Update

Your Adobe Shockwave Player should be upgraded to version to 11.5.2.602 which is available here. Don't know if you actually have this POS installed? Go here - if you see an empty box at the top that says "Click here to download plugin," then you don't have Shockwave installed. If you use Firefox you should see a yellow box at the top of the page saying, "Additional plugins are required to display all the media on this page". The security inplications of NOT upgrading can be mitigated by using the Firefox Add-on Adblock Plus.

Michael Duarf

Read this fine description of what bad guys are doing with your not-quite locked down Facebook account. If this sillyness keeps up I predict a large exodus from Facebook (starting with me). The fear of security breaches may be overblown but it is real. Don't be a victim. Remember, security is a process, not a product.

Facebook Hacking

A new applications on Facebook, "City Fire Department," has been compromised by hackers. The application had been modified to deliver an iframe which can bring content from one Web site to another. This iframe tries to exploit vulnerabilities to download a fake antivirus program called Antivirus Pro 2010.

A few of the other hacked or bogus applications are:

• MyGirlySpace
• Ferrarifone
• Mashpro
• Mynameis
• Pass-it-on
• Fillinthe
• Aquariumlif

Ok, here is the deal - When you find a wonderful new application on Facebook do a quick search on Google or bing to determine if anyone has had any problem with it. You can also wait, yes wait, for a day or two until enough newbies have started using it to provoke any disasters - if all is well after this then you might . . . might try it. Just make sure your Facebook preferences are locked down for maximum security. Or just don't use any of these silly applications until Facebook gets a grip and uses some mechanism to confirm these applications aren't a giant security hole!

Firefox Plugs Microsoft Security Hole

If you use Firefox (and you should, imho) you have probably already seen a pop-up alert informing you that it is blocking Microsoft`s .NET Framework Assistant and Windows Presentation Foundation add-ons that were stealthily installed by Microsoft earlier this year.

This hole was supposed to have been fixed earlier by having users edit the Windows registry - but this idea stunk because editing the registry is potentially dangerous. Microsoft later released a simple point and click removal tool - except this left behind the Windows Presentation Foundation plug-in which is what was just killed by Mozilla.

So, the confusion up to now has been addressed by both Mozilla and Microsoft to remove both nasty bits. Whew!

Adobe Reader Critical Vulnerability

It appears the ever popular Adobe Reader (version 9.1.3 and earlier) has a gaping hole that could allow bad people to take over Windows installs. This problem as popped up before. One way to mitigate (but not eliminate) the threat is to disable Javascript in Adobe reader and/or change your browsers behavior to download .pdf files as opposed to view them. You also might want to try the free alternative called Foxit Reader which has a better record when it comes to security issues. Just sayin' . . .

Third-party apps create insecure Facebook

Popular social networking site Facebook has exposed users to phishing attacks that use already hacked accounts to contact friends. Links presented to users lead to look-alike pages not associated with Facebook that may hold any one of 11 rogue scripts (and counting) that do bad things. Trendmicro has details here.

Until facebook tightens up the ship now heading for the shoals be very careful about using third-party apps. Yes, that means a large chunk of facebook, sorry. Do this . . . no, seriously . . . and facebook will adapt or die. Now if Leafs fans would just do the same.

Critical Firefox 3.5 Security Flaw

The newest Firefox, version 3.5, includes Tracemonkey, a new feature designed to speed up Javascript scripts. A flaw within Tracemonkey could allow attackers to remotely install evil software when users visit compromised Web sites.

A simple fix is available until the next patch fixes the vulnerability:

1. Open up a new Firefox window and type ‘’about:config‘’ (without the quotes) in your browser's address bar
2. In the ‘’filter‘’ box, type ‘’jit‘’ and a setting called ‘’javascript.options.jit.content‘’ will appear.
3. If the setting is set to ‘‘true’’ it means the option is enabled.
4. If it is, double-click on the setting. This should change the option to ‘’false‘’ disabling it.

Another Insecure ActiveX? You Betcha!

ActiveX flaws pop up on a regular basis so forget the explanation. Go to Microsoft and click the ‘’Fix It‘’ icon under ‘’Enable Workaround‘’ and following the instructions.