10
Mar

Not a good week for these two browsers - IE has a pretty big issue that is actively being exploited.

Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are vulnerable.

Also there's this issue with Opera - that admittedly Opera itself is trying to downplay.

The vulnerability is confirmed in version 10.50 for Windows. Other versions may also be affected.

Right now the only thing you can do is to NOT use the affected browsers - go and get Firefox or Chrome until patches are available.

- by Rob

2
Mar

Link: http://www.h-online.com/security/news/item/Thunderbird-3-0-2-released-941372.html

If you use Thunderbird - you've got a small update... go to Help / Check for Updates if it hasn't arrived yet.

- by Rob

1
Mar
Categories Vulnerability / Flaw.

Link: http://www.fuzzywindows.com/index.php?option=com_content&view=article&id=93:internet-explorer-9-ie9-confirmed-for-march-2010&catid=58:internet-explorer&Itemid=112

You know - it was just getting a little better in Web Development... Now IE 9? You can bet they will NOT support HTML 5 (even though all other browsers do) - and forget standards/Acid 3 compliance - some, sure... but IE has never tried to be compliant.

I can only sit back and wonder how many troubles the bastard child of Bill Gates will cause all us Web people.

Mark out some time to fix everything IE9 breaks.

Yeah, I'm tagging this as "Flaw"

- by Rob

1 comment

Comment from: Blaze [Visitor]
Funny. Doesn't your boss think IE and Microsoft (all versions) are the next best thing to sliced bread?
03/01/10 @ 19:36

Link: http://www.norcalis.com/

I can't believe ANYONE would hire these people.... Yes, I've checked it out and there's no evil - well, in the form of viruses etc. The evil is the entire website.

Btw - Norcalis - if you read your webstats and see me - you need help. Not to mention I can upload a malicious file right off the bat... I could Own that webserver in 3...2...1...

- by Rob

22
Feb

Link: http://blogs.zdnet.com/hardware/?p=7413

Not a lot of details on this one yet - but apparently something's up...

A vulnerability has been reported in Mozilla Firefox, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an unspecified error and can be exploited to execute arbitrary code.

The vulnerability is reported in version 3.6. Other versions may also be affected.

The solution is of course kinda stupid...

Solution
Do not visit untrusted websites or follow untrusted links.

Well, you know this at least - all GeeG links are tested ... you'll get no trouble here.

- by Rob

17
Feb
Categories Vulnerability / Flaw.

Link: http://blogs.zdnet.com/security/?p=5473

Taking the torch from Quicktime, Adobe is leading the way in infecting your systems. Don't get me wrong - there's still the users that are clicking on the damn things...


A newly released report shows that based on more than a trillion Web requests processed in 2009, the use of malicious PDF files exploiting flaws in Adobe Reader/Adobe Acrobat not only outpaced the use of Flash exploits, but also, grew to 80% of all exploits the company encountered throughout the year.

Another bright side, today is the first day I saw a PC boot into Win XP and immediately prompt the user to update Flash (and it worked)... however this crap won't end until Adobe builds a silent updater and gets on top of its patches.

- by Rob

17
Feb

You have at least 2 of these - and yes, again....  sorry, it's not my fault.

For the Flash Air Bulletin go HERE

For the Reader and Acrobat Bulletin go HERE

Update now or be pwned - you have been warned.

- by Rob

9
Feb

Link: http://www.ghacks.net/2010/02/05/mozilla-promises-better-virus-scanning-after-virus-faux-pas/#more-22831

Yeah, Mozilla caught it but if you've ever installed Sothink Web Video Downloader 4.0 and Master Filer - You have some system cleaning to do.

Two experimental add-ons, Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer were found to contain Trojan code aimed at Windows users. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose Trojan. Both add-ons have been disabled on AMO.

- by Rob

5
Feb
Categories Vulnerability / Flaw.

Link: http://blogs.zdnet.com/security/?p=5390

Oh they knew about it for years... someone (from Google) just had to make some noise for them to move on it. Also in the general patch bucket - a whole bus load of other patches - (26 vulnerabilities)

So don't miss next Tuesday's updates eh?

- by Rob

1
Feb

Link: http://www.theregister.co.uk/2010/01/27/ie_file_disclosure_attack/

Seems like there's one a week this year - and if that ain't enough to make you switch browsers, well, I probably can't help you.

If you use any version of Internet Explorer to surf Twitter or other Web 2.0 sites, Jorge Luis Alvarez Medina can probably read the entire contents of your primary hard drive.

The security consultant at Core Security said his attack works by clicking on a single link that exploits a chain of weaknesses in IE and Windows. Once an IE user visits the booby-trapped site, the webmaster has complete access to the machine's C drive, including files, authentication cookies - even empty hashes of passwords.

- by Rob

25
Jan

Link: http://www.reuters.com/article/idUSTRE60L5O820100122?type=technologyNews

For Christmas sake - why is anyone still using IE?

Research firm Core Security Technologies said on Friday that it discovered another set of vulnerabilities in Internet Explorer that hackers can link together and exploit, to remotely access all of the data on a personal computer.

"There are three or four ways to conduct this type of attack," said Jorge Luis Alvarez Medina, a security consultant with Boston-based Core, who will demonstrate the vulnerability at the Black Hat security conference in Washington, which begins February 2.

No patch or mitigation - and even a patch might not fix things permanently - Go and get either Firefox, Chrome, or Opera - (in that order) and be safe.

- by Rob

23
Jan

Link: http://tech.slashdot.org/story/10/01/23/1429207/Widespread-Attacks-Exploit-Newly-Patched-IE-Bug?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29&utm_content=Google+Feedfetcher

First off, if you're using IE6 - then you probably are a company that thinks you have to for compatibility - you don't have to, so update that buggy out of date piece of....

Secondly if you use IE AT ALL - you'd better patch right the heck now.

The first widespread attack to leverage the Internet Explorer flaw that Microsoft patched in an emergency update Thursday morning has surfaced. By midday Thursday Symantec had spotted hundreds of Web sites that hosted the attack code. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system.

Seriously - go to Windows Update and patch - this applies to IE7 and IE8 as well....

- by Rob

13
Jan

Link: http://blogs.zdnet.com/security/?p=5225

It could cause you quite a bit of harm:

Microsoft is aware of reports of vulnerabilities in Adobe Flash Player 6 provided in Windows XP. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time but recommend that users install the latest version of Flash Player provided by Adobe.

The Adobe Flash Player 6 was provided with Windows XP and contains multiple vulnerabilities that could allow remote code execution if a user views a specially crafted Web page. Adobe has addressed these vulnerabilities in newer versions of Adobe Flash Player. Microsoft recommends that users of Windows XP with Adobe Flash Player 6 installed update to the most current version of Flash Player available from Adobe.

Nother words the bad boy has more holes than Swiss Cheese - either uninstall it completely or update it.

- by Rob

13
Jan

Link: http://www.v3.co.uk/v3/news/2256040/adobe-issues-fresh-round

If you don't wanna get owned go and update Reader (you most likely have it) and Acrobat - usually you'll know if you bought that.

The updates include fixes for six vulnerabilities which, if exploited, could allow an attacker to remotely execute code on a targeted system. Such flaws are commonly used by malware writers to infect systems.

Adobe has classified the update as 'critical' owing to the severity of the flaws, and recommends that users of all Acrobat and Reader versions update their systems immediately.

- by Rob

8
Jan

Link: http://blogs.zdnet.com/security/?p=5178

How long did this take ? How many times have I ranted about it? If they make one as good as Firefox's updater I'll jump for joy...

Small caveat to that: being Adobe, the silent updater will probably install the Ask toolbar at every update [grr]

According to Adobe security chief Brad Arkin, the tool will be configurable for end users that want more control of the patching process.

“They can download and then give them the choice to install it, or it can just notify – or you can turn it off completely. And so, by giving users these options, you know, people who have a well managed environment and they’ve got good reason for why they don’t want to install an update.

- by Rob

30
Dec

Link: http://www.pcworld.com/businesscenter/article/185601/adobe_to_be_prime_target_for_malware_in_2010.html

Yup, this should come as no surprise - The worst threat of the next decade is Flash and Acrobat.

We should all install Silverlight then as that's as safe as mother's milk.

/sarcasm

- by Rob

28
Dec

Link: http://www.theregister.co.uk/2009/12/25/microsoft_iis_semicolon_bug/

Couldn't have come at a worse time - the holidays when sysadmins are out.

A researcher has identified a vulnerability in the most recent version of Microsoft's Internet Information Services that allows attackers to execute malicious code on machines running the popular webserver.

The bug stems from the way IIS parses file names with colons or semicolons in them, according to researcher Soroush Dalili. Many web applications are configured to reject uploads that contain executable files, such as active server pages, which often carry the extension ".asp." By appending ";.jpg" or other benign file extensions to a malicious file, attackers can bypass such filters and potentially trick a server into running the malware.

If you have websites where the users can upload a file manually, then take off execute rights for the Anon user and IWAM accounts. Let's hope this gets addressed in the January Patch Tuesday eh?

- by Rob
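The bypass described in this post, seen from the upload filter's side, as an added example that is not from the original post or from any vendor. The allowlist, the character rules and the function names are assumptions made for the illustration, and the sample file names are constructed.

```python
import os
import re
import uuid

# Assumption for this example: the site accepts image uploads only.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# ";" and ":" are the characters the article says IIS mis-parses; path
# separators and NUL are rejected as well.
FORBIDDEN_CHARS = set(";:/\\\x00")
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_filter(filename):
    """Extension-only check of the kind the article says gets bypassed."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def strict_filter(filename):
    """Return (accepted, reason) for a client-supplied upload name."""
    if any(ch in FORBIDDEN_CHARS for ch in filename):
        return False, "forbidden character"
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    # No dots in the stem, so "x.asp.jpg"-style double extensions fail too.
    if not SAFE_STEM.fullmatch(stem):
        return False, "unsafe characters in name"
    return True, "ok"


def stored_name(filename):
    """Server-generated name; the client's name never reaches the disk."""
    ok, reason = strict_filter(filename)
    if not ok:
        raise ValueError(reason)
    return uuid.uuid4().hex + os.path.splitext(filename)[1].lower()


# Constructed sample names, not taken from any real incident.
SAMPLES = ["holiday.jpg", "page.asp;.jpg", "page.asp:.jpg",
           "page.asp", "photo.final.png"]


def compare(names=SAMPLES):
    """Map each name to (naive verdict, strict verdict)."""
    return {n: (naive_filter(n), strict_filter(n)[0]) for n in names}


if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        print(f"{name!r:20} naive={naive!s:5} strict={strict}")
```

A name filter like this sits alongside the permission change recommended in the post; it does not replace removing execute rights from the upload directory.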

17
Dec

Link: http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.6

3.5.6 is out and if you haven't gotten the update go to

Help / Check for Updates

Fixed in Firefox 3.5.6
MFSA 2009-71 GeckoActiveXObject exception messages can be used to enumerate installed COM objects
MFSA 2009-70 Privilege escalation via chrome window.opener
MFSA 2009-69 Location bar spoofing vulnerabilities
MFSA 2009-68 NTLM reflection vulnerability
MFSA 2009-67 Integer overflow, crash in libtheora video library
MFSA 2009-66 Memory safety fixes in liboggplay media library
MFSA 2009-65 Crashes with evidence of memory corruption (rv:1.9.1.6/ 1.9.0.16)

- by Rob

17
Dec

What's this, the 14th time in 2 years? Why the heck does anyone need JavaScript in PDFs anyway?!?! [grr]

The critical vulnerability exists in Adobe Reader and Acrobat 9.2 and earlier versions. It is being exploited in the wild. As in you can get owned right now by opening a malicious PDF.

The fix isn't coming for a month, so if you're in the habit of opening a lot of PDFs then disable JavaScript.

Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript and un-check Enable Acrobat JavaScript).

For more information and enterprise recommendations check out the CERT document here

- by Rob

9
Dec

Link: http://blogs.zdnet.com/security/?p=5104

Time to do the Flash Shuffle again, one thing to note is that they changed the crapware that comes with it - so when you go to the Download Page - make sure to uncheck the free crap box first.

Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.32.18 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Flash Player 10.0.32.18 and earlier versions update to Adobe Flash Player 10.0.42.34. Adobe recommends users of Adobe AIR version 1.5.2 and earlier versions update to Adobe AIR 1.5.3.

- by Rob

9
Dec

Link: http://blogs.zdnet.com/security/?p=5064

If you haven't gotten the auto update yet go and do it manually.

Just two weeks after the release of exploit code for a critical (remotely exploitable) security hole in its Internet Explorer browser, Microsoft says a fix will be included in this month’s batch of Patch Tuesday updates.

Microsoft has already issued an advisory to confirm the severity of the issue, which affects users of Internet Explorer 6 and Internet Explorer 7 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

- by Rob

7
Dec

This is for all platforms - Windows - Mac and Linux. The actual vulnerability has not been officially disclosed, however be aware that you'll be needing to update these products next week.

The update will affect Flash Player version 10.0.32.18 and earlier versions.

- by Rob

23
Nov
Categories Vulnerability / Flaw.

Ah, seems like there's never a week without some dire news on the digital front ....

First there's a new 0 day IE flaw that can Pwn your rig .... ( tip - stop using Internet Exploder)

And secondly a rootkit that goes straight to the BIOS - rendering all security measures useless - and what's more, most every BIOS is vulnerable.

Heck - might as well give up and reinstall Win 3.1 - least there's no active exploits out anymore :1:

- by Rob

13
Nov
Categories Vulnerability / Flaw.

Link: http://news.slashdot.org/story/09/11/12/2337236/Flash-Vulnerability-Found-Adobe-Says-No-Fix-Forthcoming?from=rss

Another doom and gloom scenario brought to you by the fine folks at Adobe -

Any site that allows files to be uploaded could be vulnerable to this issue (whether they serve Flash or not!). Adobe has said that no easy fix exists and no patch is forthcoming. Adobe puts the responsibility on the website administrators themselves to fix this problem, but they themselves seem to be vulnerable to these problems. Every user with Flash installed is vulnerable to this new type of attack and — until IT administrators fix their sites — will continue to be.

- by Rob

5
Nov

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.1.601 and earlier versions. The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system.

This applies to Windows and Mac - The patch requires no reboot and takes almost no time so do it now -

HOWEVER - before I give you the link - remember to uncheck the box that allows them to cram crapware of various types into the install!!!

Download the patch HERE

- by Rob

19
Oct

Link: http://blogs.zdnet.com/security/?p=4616

Read up if you use this software - either on Apache or Windows, there's a serious flaw and you'll be needing to patch .... So get Patching already... or in the meantime don't serve the MyAdmin site until you have time to patch.

According to an advisory from the maintainers of the open-source tool, one of the vulnerabilities allows remote hackers to inject arbitrary web script or HTML via a crafted MySQL table name.

The second issue is a SQL injection vulnerability that allows remote attackers to inject SQL via various interface parameters of the PDF schema generator feature.

- by Rob

16
Oct

Link: http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=220600883

Adobe released a fix for 29 vulnerabilities in its Acrobat and Acrobat Reader software, warning that the vulnerabilities could be exploited to cause crashes and to take control of the user's computer.

Adobe rates the update as "critical" and warns that one of the vulnerabilities (CVE-2009-3459) is actively being exploited.

You heard it - if you use either software package go and get patched - you know these Adobe vulnerabilities can do a good deal of damage.

- by Rob

2
Oct
Categories Vulnerability / Flaw.

Link: http://blogs.zdnet.com/security/?p=4500

Important security update for us Blackberry owners - read up and update a.s.a.p

The certificate handling vulnerability, which carries a CVSS severity score of 6.8, affects all versions of the BlackBerry device software. The flaw allows malicious hackers to trick BlackBerry device users into connecting to an attacker-controlled Web site.

- by Rob

8
Sep

Link: http://www.theregister.co.uk/2009/09/04/firefox_adobe_security_warning/

Sigh, you know a company sucks at doing security when other non competing products have to do it for them...

Upcoming versions of Mozilla's Firefox browser will automatically warn users running versions of Adobe's Flash Media Player that contain known security bugs, according to a published report.

The check will be invoked each time the popular open-source browser is updated.

Read between the lines here Adobe - a silent updater is needed in Flash... kinda like... hmmm,

Firefox?

Right now the #1 vector for new infections is through older unpatched installations of Flash.

- by Rob

2
Sep

Link: https://www.kb.cert.org/vuls/id/276653

This just in -

IIS is a web server that comes with Microsoft Windows. IIS also includes FTP server functionality. The IIS FTP server fails to properly parse specially-crafted directory names. By issuing an FTP NLST (NAME LIST) command on a specially-named directory, an attacker may cause a stack buffer overflow. The attacker can create the specially-named directory if FTP is configured to allow write access using Anonymous account or another account that is available to the attacker.

Explicit permissions darnit! - if you're giving write permissions to the Anon user you need to take up farming.

Anywho I know none of you do that :.

- by Rob

17
Aug
Categories Vulnerability / Flaw.

Link: http://blogs.zdnet.com/security/?p=4034

Apple takes way too long to fix serious security problems. You know, when you're lagging behind Microsoft you got problems.

Apple has released Safari 4.0.3 to fix at least six security vulnerabilities that put Mac and Windows users at risk of hacker attacks.

The update is considered highly-critical and should be immediately applied on both Windows and Mac systems because of the risk of information disclosure, phishing and remote code execution attacks.

Even on Mac OS - you're better off with Firefox or Chrome.

- by Rob

7
Aug
Categories Vulnerability / Flaw.

Link: http://isc.sans.org/diary.html?storyid=6916

You'll be seeing that familiar icon in your tray shortly - there's a security update for Java.

When you do install, take EXTRA CARE to un-check any boxes like "also install the Yahoo Toolbar".

I don't know why Java continues to jam crap like this down our throats but until they stop - just uncheck the box and you'll be all set.

- by Rob

31
Jul

Go get the patches now - you can expect to have your pc Owned if ya don't - oh and make sure the noobs on your list get updated too eh?

Flash download site http://get.adobe.com/flashplayer/

Shockwave site http://get.adobe.com/shockwave/

There's a patch for Acrobat coming out tomorrow too - so don't forget it.

On a closing note - Adobe blames the whole thing on Microsoft.

- by Rob

27
Jul

Link: http://news.cnet.com/8301-27080_3-10295592-245.html

Something big had to happen to get this kind of response from the same company that has had vulnerabilities open for 7 years on occasion.

Nobody has any details on the flaw - it's being kept hush-hush until release, but you can bet that right after the patch is issued the malware writers will have exploits out to whack all the folks that haven't updated.

If you don't have automatic updates on - check manually tomorrow.

- by Rob

24
Jul

Ok, this one's bad. It's currently being exploited in the wild - and it will allow full ownership of your machine.

It exploits a vulnerability in Adobe Flash player (versions 9 and 10) as well as Adobe Reader and Acrobat 9.1.2. - Vector is either by viewing a malicious PDF file or simply by viewing a webpage (so yes - it's a drive by too)

The flaw is so bad that the US Dept. of Homeland Security's CERT cybersecurity team is asking users and administrators everywhere to turn off Flash video in their Web browsers.

There is a temporary workaround (Adobe has promised a fix by next week): manually delete the file %ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll

Firefox with NoScript is a good idea - but even so I'd kill the authplay.dll file until next week's patch... better to be safe than sorry.

- by Rob
