Wednesday, December 17, 2008

Security updates for Firefox released yesterday

Some fairly important security updates for Firefox 2.x and 3.x were released yesterday.

See http://www.mozilla.org/security/announce/ for more info on the bug fixes included.

If you still use Firefox 2.x, this release is the last planned upgrade . . .
http://en-us.www.mozilla.com/en-US/firefox/2.0.0.19/releasenotes/

For users of Firefox 3.x, see this page for news and info:
http://en-us.www.mozilla.com/en-US/firefox/3.0.5/releasenotes/

As always I highly recommend the excellent NoScript plugin for both versions to help make your online browsing experience safer. And remember to check for updates in your Tools:Add-ons menu option every time you upgrade to new builds of Firefox.

NoScript: https://addons.mozilla.org/en-US/firefox/addon/722

Get your out-of-cycle critical IE patch now

The patch just went live on Windows Update. If you run Windows or Microsoft Updates manually via the browser or Vista Update program, look for references to any one of the following (depending on your OS):

MS08-078
KB961051
KB960714

"Security Update for Internet Explorer 7" (or 8, 6, etc.)

If you need to download and install the update manually (or have a lot of machines to update, or have older versions of IE), try this search query on Microsoft's site for MS08-078:

http://search.microsoft.com/Results.aspx?mkt=en-US&q=ms08-078

If you are otherwise current on updates, and use Auto-Updates, you will get this patch sometime during the next few days. Personally I would do a forced check to be sure.

Tuesday, December 16, 2008

Ultra-Critical out of cycle fix for IE coming tomorrow from Microsoft

You might have heard about a nasty vulnerability in Internet Explorer that allows a malicious website to remotely take over one's machine. Microsoft just announced a fix for this issue that will be released tomorrow. It should be available via automatic updates, but just in case I'll follow up tomorrow with links.

The announcement:
http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx

More info about the vulnerability:
http://www.microsoft.com/technet/security/advisory/961051.mspx

If you previously applied any of the complex workarounds for this problem, you will need to reverse your changes before applying tomorrow's update.

Sunday, December 7, 2008

Get traditional -- send paper cards via snail mail for the holidays

. . . Or call your family/friends/loved ones. Better yet send them a nice gift.

Whatever you do - forget about eCards. I personally think eCards are tacky anyway, but the real problem is that too many email virus spammers use fake eCards during the holidays to propagate their infections. Lately it's become darn near impossible to tell the fakes from the "legit" eCards.

We see this every holiday season, so here's your paranoid reminder for 2008:

http://blogs.technet.com/mmpc/archive/2008/12/02/merry-malware.aspx

Every year the ne’er-do-wells trundle out the same set of tricks to distribute their malware and take advantage of people’s better nature, and the additional opportunities for sensitive data theft as shoppers flock to the Internet to purchase gifts and other festive treats. Regardless of the simplicity of this basest style of social engineering attack, it must be successful or I guess we wouldn’t see so much of it every year.

The basic holiday-themed attack has varied little, if at all, through the years and across various holidays. Generally, the attacker sends a malicious e-mail that appears to notify the target that they have received an e-card that says “Happy ”. The e-mail also contains a link that the target can use in order to ‘see’ their card. Clicking on the link downloads a malicious executable that compromises the user’s machine, often opening a backdoor that places the machine under the attacker’s control. Colourful animations and music tend to feature in these lures (and who doesn’t like dancing snowmen/candycanes/santas/Christmas trees/champagne bottles, etc?) Of course, Christmas isn’t the only popular theme for bait, the New Year also finds its share of fans in the malware distributing underground.

So, while musing about the delights of the coming festive season, spare a thought for your safety online, and don’t be fooled by the dancing Santas.

Thursday, December 4, 2008

Home firewalls and routers vulnerable to hacking . . . still

Old bug, old news, and apparently STILL not being corrected by the Internet Service Providers that distribute these things to their customers. Unknown at this time is whether some of the combo Cable-Modem and Fiber routers have the same issue. (My bet is -- yes!)

The short story: the default login to most firewall/routers' browser-based configuration panel from the LAN side is unsecured - we're talking a known admin user and no password (or a factory default that's widely known). The customer almost never logs in to change or set a new password, and the service tech that installs the router doesn't either.

This issue has also been around for a loooong time for retail Wi-Fi or Wired firewall/routers: the admin passwords for all brands and models are well-known (and it's a very short list) and if never changed by the customer they are vulnerable to this hack.

See http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212201777 for the full article. Excerpts below:

~~~snip~~~
A deadly attack typically associated with Websites can also be used on LAN/WAN devices, such as DSL routers, according to a researcher who this week demonstrated cross-site request forgery (CSRF) vulnerabilities in devices used for AT&T's DSL service.

The vulnerability isn't isolated to Motorola/Netopia DSL modems. It affects most DSL modems because they don't require authentication to access their configuration menu, he says. "I can take over Motorola/Netopia DSL modems with one request, and I can do it from MySpace and other social networks," Hamiel says. The attack uses HTTP POST and GET commands on the modems, he says.

CSRF vulnerabilities are nothing new; they are pervasive on many Websites and in many devices. "CSRF, in general, is a very old issue," says Hamiel, who blogged about the hack this week. "Most of the vulns found today are old. That's the point: Nobody seems to learn lessons anymore."

A CSRF attack on a DSL router could be launched from a social networking site, Hamiel says, using an image tag on a MySpace page, for example. "Everyone who viewed my MySpace page with AT&T DSL and the Motorola/Netopia DSL modem would be owned," he says.

~~~ snip ~~~

What can a hacker do to you once they have access to your router's configuration page?

1) They can create false DNS entries that will point you to their site instead of -- say -- your bank's.

2) They can log in to your home or small business network and snoop on your shared files.

3) If your computer has no password, or an easy password, they may directly log in to your computer behind your firewall and install backdoor Trojans and use your broadband to send out more virii, spam and malware to others.

4) They can use your system as a proxy while they go do really bad things on the Internet. Later you get served papers (or the officers kick down your door at midnight) for crimes you did not know were being done on your connection.

Etc. Etc. Etc . . .

Lesson for the day (and most of my direct readers already do this, so pass the word to your family, friends and neighbors):

When you buy or take delivery on a DSL, Cable or auxiliary Wi-Fi or Wired router, log onto it at least once and change the Administrator password.
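The three weaknesses the article describes (a configuration menu reachable without a login, configuration changes triggered by a plain GET such as an image tag, and an admin password nobody ever changed) each map onto a separate server-side check. As an added illustration that is not the article's code nor any router vendor's, here is the decision logic a router's admin page would apply before accepting a configuration change; the 192.168.1.1 address and the in-memory session table are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed LAN address of the router's admin page (constructed for this example).
ROUTER_ORIGINS = {"http://192.168.1.1", "https://192.168.1.1"}
# Issued admin sessions keyed by cookie value: a per-session anti-CSRF token plus
# whether the admin password is still the factory default.
SESSIONS: Dict[str, dict] = {}

def new_session(password_is_default: bool) -> str:
    """Create a logged-in admin session and return its cookie value."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = {"csrf_token": secrets.token_hex(16),
                        "password_is_default": password_is_default}
    return cookie

@dataclass
class Request:
    method: str
    headers: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)
    cookie: Optional[str] = None

def check_config_change(req: Request) -> Tuple[bool, str]:
    """Decide whether a config change (e.g. new DNS servers) may be applied."""
    # An <img src=...> on a web page can only issue a GET, so configuration
    # changes are accepted on POST only.
    if req.method != "POST":
        return False, "state change attempted via GET"
    # The configuration menu is never reachable without a login.
    session = SESSIONS.get(req.cookie or "")
    if session is None:
        return False, "no authenticated session"
    # The browser attaches the login cookie to cross-site requests too, so the
    # page that submitted the form must be the router itself.
    origin = req.headers.get("Origin") or req.headers.get("Referer") or ""
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" not in ROUTER_ORIGINS:
        return False, "cross-site request (Origin/Referer is not the router)"
    # A per-session secret that a page on another site cannot know.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), session["csrf_token"]):
        return False, "missing or wrong CSRF token"
    # Refuse changes while the factory-default admin password is in place.
    if session["password_is_default"]:
        return False, "change the default admin password first"
    return True, "accepted"
```

The checks are ordered so that the cheapest rejection happens first; a real device would additionally bind the session cookie to the LAN client address and expire it after a short idle time.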

Wednesday, December 3, 2008

List of reputable Anti-Malware/Virus suites that have free editions or fully functional trials

My top list of reputable Anti-Malware/Virus suites for Windows that have free editions or fully functional trials.

They're in no particular order of effectiveness at the time of this writing . . . these are all genuine and are usually listed within the top 10 AV products as tested by VB100. I am posting this as a reference because there are way too many pop-up ads for so called free scanners that are actually Trojans in and of themselves.

Remember that you should only run ONE real-time protection product at a time on your system. Don't install two or more and expect your computer to be stable.

Links provided in clear text so you can examine them for funny business.

SunBelt Software: Vipre - 15 day free trial. (Fully functional, Virus, Rootkit, Malware/Spyware protection and cleanup. Very useful for emergency cleanups.)
http://www.sunbeltsoftware.com/Home-Home-Office/VIPRE/

ESET NOD32 AV - 30 day free trial. (Mostly fully functional, Virus, Malware/Spyware protection and cleanup.)
http://www.eset.com/download/free_trial_download.php

Kaspersky Anti-Virus 2009 - 30 day free trial. (Mostly fully functional, Virus, Malware/Spyware protection and cleanup.)
http://www.kaspersky.com/trials

Sophos AntiVirus - 30 day free trial. (Fully functional, Virus, Malware/Spyware protection and cleanup. Free Rootkit analyzer also available, see below.)
http://www.sophos.com/products/small-business/eval.html

Sophos Anti-Rootkit - Free version. (Fully functional within the scope of the intended use, that is to find and delete rootkits - but it's not going to go after other malware or viruses on your system.)
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

Avira: AntiVir - Free version. (Good protection and system scans, but pops up nag screens from time to time asking you to upgrade to the pro version.)
http://www.free-av.com/

Avast!: Home Antivirus - Free version. (Good protection etc, free virus definitions seem to be about 4 days behind -- but I cannot prove that.)
http://www.avast.com/eng/avast_4_home.html

Grisoft: AVG - Free version. (Good protection etc, as with Avast the free virus definitions seem to be about a week behind -- but I cannot prove that.)
http://free.avg.com/

Since someone may ask -- I personally use the first on the list. It provides excellent scan and cleanup features including a special safe mode scanner and a boot-time rootkit scanner. Its real-time monitor has very low impact on system performance and the program has a very clean -- even simplistic -- UI.