Microsoft and Adobe issued their rounds of updates today (as of 1 PM EST). Below is a summary of what was fixed.
First, Microsoft. Five of the 12 bulletins Microsoft released today are rated "critical". That is Microsoft's highest severity rating: a critical flaw can typically be exploited for remote code execution without any action by the user, so these are the ones to install first.
The critical bulletins cover the Windows implementation of Vector Markup Language (VML), Microsoft Exchange, and flaws in the way Windows handles certain media files. The remaining critical bulletin fixes a flaw that affects only Windows XP systems.
Today's update may also include a patch for the .NET Framework. For best results, install it separately: apply all the other updates first, then install the .NET patch on its own.
Adobe fixes Flash and Shockwave Players:
APSB13-05 covers the fixes for CVE-2013-1372, CVE-2013-0645, CVE-2013-1373, CVE-2013-1369, CVE-2013-1370, CVE-2013-1366, CVE-2013-0649, CVE-2013-1365, CVE-2013-1374, CVE-2013-1368, CVE-2013-0642, CVE-2013-0644, CVE-2013-0647, CVE-2013-1367, CVE-2013-0639, CVE-2013-0638 and CVE-2013-0637. The fixes apply to Flash Player, AIR and the AIR SDK.
Here are the products with new versions (the exact build numbers did not survive in this copy of the post; confirm them against APSB13-05 before deploying):
- Flash Player for Android 2.x-3.x
- Flash Player for Windows, Mac, and Android
- Adobe AIR SDK for Windows, Mac, and Android
Google also pushed out its Chrome channel update today with the matching Flash Player fix, since Chrome bundles its own copy of Flash.
The question on many people's minds is whether mobile devices will become a source of DDoS attacks. Whether phones will be used as zombies is still speculation, but several researchers say it may be imminent.
The concern is grounded in the number of trojans found on Android devices, the attacks that have hit iOS devices, and the vulnerabilities found in Windows Phone. A trojan is a program that looks legitimate but carries hidden functionality. Most of the time it either steals data to turn into cash, or turns the device into a zombie, using its CPU, RAM and network connection to take part in a DDoS attack.
A distributed denial of service (DDoS) attack floods a server with more requests than it can handle, so that legitimate users can no longer reach it. It is usually carried out by blackhat hackers or cybercriminals, either to protest a particular cause or just for fun.
"Low Orbit Ion Cannon" (LOIC), a DDoS tool heavily used by Anonymous, was recently ported to the Android platform. Porting it over from the desktop application reportedly required little or no programming; in general, it is easy to take old tools and port them to Android.
Device manufacturers are slow to release updates to the operating system, firmware and so on, which leaves holes open for exploitation. Android is particularly exposed because users can enable "unknown sources" and install apps from outside the Google Play store.
Thinking it through, it would take thousands of infected devices to generate enough traffic for an effective DDoS attack. But once a botnet of that size exists, launching a pre-built attack becomes much simpler, and because the traffic comes from many countries the origin is hard to trace.
As carriers and app developers roll out e-wallet apps, the opportunity to steal personal data, credit card numbers and the like will only increase. Heads up!
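The LOIC-style flood described above looks the same on the server whether it comes from desktops or phones: one address repeating the same request far faster than any human. The following is an added example (not code from the original post or from any DDoS tool) of the detection side: a sliding-window request counter over Apache/nginx combined-format access-log lines. The log lines, addresses and thresholds are constructed for the example; tune the window and threshold to your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format line as written by Apache or nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one access-log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
    }


def find_floods(lines, window_seconds=10, threshold=50):
    """Sliding-window request counter per client address.

    Returns {ip: peak_requests_in_window} for every address that exceeded
    `threshold` requests inside any `window_seconds` window. Lines must be
    in time order, as a live log is.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip malformed lines rather than crash
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()             # drop requests that have aged out
        if len(q) > threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


def build_sample_log():
    """Constructed sample traffic (not a real capture): one normal visitor and
    one LOIC-style client hammering the front page."""
    base = datetime(2013, 2, 12, 13, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(30):             # normal client: a request every 2 seconds
        events.append((base + timedelta(seconds=2 * i), "198.51.100.20", "/index.html"))
    for i in range(80):             # flood: 80 requests squeezed into 5 seconds
        events.append((base + timedelta(seconds=10 + i // 16), "203.0.113.7", "/"))
    events.sort(key=lambda e: e[0])
    return [
        '%s - - [%s] "GET %s HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
        % (ip, t.strftime(TS_FMT), path)
        for t, ip, path in events
    ]


if __name__ == "__main__":
    for ip, count in find_floods(build_sample_log()).items():
        print("flood suspect %s: %d requests within 10 s" % (ip, count))
```

The per-address deque keeps only the timestamps inside the window, so memory stays proportional to the number of active clients, not the log size. Against a botnet made of many phones the per-address count will be lower, so the next step in practice is to aggregate by request path and User-Agent as well, which the same loop can do by changing the key.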
Security never takes a holiday, unlike most other industries: spam, vulnerability reports and updates keep arriving in the same week as the holidays. Thankfully, most of us will still get some time with our families. The point here is that Firefox 17.0 has been officially released, right on schedule!
On the technical side, the biggest change in this version is HTTPS enforcement:
Mozilla has added "rules" to enforce HTTPS for certain websites. The mechanism is HTTP Strict Transport Security (HSTS): a site that sends the Strict-Transport-Security header over a valid HTTPS connection tells the browser to use HTTPS only for that host, for as long as the header's max-age says. Firefox 17 goes a step further and ships with a built-in (preloaded) list of hosts that are treated as HSTS hosts even before the user has ever visited them.
In other words, once Firefox knows a host's HSTS policy, it rewrites any http:// request for that host to https:// before the request is sent, and if the HTTPS connection then fails certificate validation it refuses to continue rather than offering a click-through. The header itself is only honoured when it arrives over HTTPS; one received over plain HTTP is ignored, since an attacker on the network could have inserted it.
“When a user connects to one of these hosts for the first time, the browser will know that it must use a secure connection. If a network attacker prevents secure connections to the server, the browser will not attempt to connect over an insecure protocol, thus maintaining the user’s security,” Mozilla claims.
There are also a lot of bug fixes in this release. Mozilla lists 2,365 bugs fixed in this version, and 16 security advisories covering the usual memory-corruption and buffer-overflow issues, a CSS-to-HTML injection in the Style Inspector, and several security-relevant image-rendering issues.
Firefox should prompt you automatically, either before or after installing the update in the background, or you can check manually via the Firefox menu > Help > About Firefox > Check for Updates. If a manual download and install is needed, simply go to http://www.getfirefox.com
After installing, Firefox will ask to restart. Let it do so, so the update can finish and you are secure and ready for the dangers of the Internet. That matters especially as we head into the big holiday shopping day, Cyber Monday, next week. Get updated now!
Image courtesy of Mozilla, shown in About Firefox.
As we reported yesterday, users were advised to downgrade from Firefox 16 to version 15.0.1 because of a vulnerability. That vulnerability has now been fixed, and Firefox 16.0.1 is available.
To get the newest version of Firefox now (if it hasn't already prompted you), click the orange Firefox button, select Help > About Firefox > Check for Updates.
In the same blog post we pointed to yesterday, the Mozilla developers posted an update:
- An update to Firefox for Windows, Mac and Linux was released at 12pm PT on Oct 11. Users will be automatically updated and new downloads via http://www.mozilla.org/firefox/new/ will receive the updated version (16.0.1).
- A fix for the Android version of Firefox was released at 9pm PT on Oct 10.
Issue: Mozilla is aware of a security vulnerability in the current release version of Firefox (version 16). We are actively working on a fix and plan to ship updates tomorrow. Firefox version 15 is unaffected.
Impact: The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters. At this time we have no indication that this vulnerability is currently being exploited in the wild.
Status:
Firefox 16 has been temporarily removed from the current installer page and users will automatically be upgraded to the new version as soon as it becomes available.
Reference: Mozilla Blog
How to downgrade the easy way?
If you're still on version 16 and the 16.0.1 update has not reached you yet, downgrading is the easy option: go to http://getfirefox.com and download the installer for 15.0.1.
Once the installer is downloaded, run it and allow it to "upgrade" the existing install; the installer does not actually recognise that it is downgrading Firefox.
Once that's done, start Firefox again and it will be back on 15.0.1, which is not affected by this vulnerability.
Single sign-on (SSO) is a user-authentication process in which the user signs in once, with one identity, and is then logged in to multiple applications or websites. Usually the system also knows what each user is allowed to access (roles, permissions and so on) and passes that on to the services. The question is: what are the advantages and disadvantages of single sign-on?
Advantages
- In healthcare, single sign-on could be a big win. A doctor who signs in to one database to read a patient's file will typically also need x-rays and other data held in different applications. A single sign-on across all of them saves hours, and in an emergency those minutes can save a life.
- Services such as OneLogin provide easy access to many accounts, including social media; their site describes the product as "identity & access management for the cloud".
- It can work wonders for people with disabilities. A disability may make typing many characters, or typing quickly, difficult; with single sign-on, one login replaces many.
- Reduces the chance of forgetting passwords: one master password instead of dozens.
- Reduces IT help-desk costs by cutting the number of password-reset calls.
Disadvantages
- Newer technologies are being developed to detect an attack on one system and lock the attacker out of the remaining systems, but how well this works still needs study.
- Vulnerabilities in the SSO implementation itself, such as flaws in the authentication logic or in the handling of private keys and tokens.
- Lack of a stronger second factor as backup, such as smart cards or one-time-password tokens.
- The SSO service is a single point of failure that must be kept up at all times: if it goes down, the user loses access to every site behind it.
- A strong, hard-to-crack password is critical. Because one account now unlocks everything, that account becomes a far more valuable target, and once it is compromised every application behind it is compromised too.
- SSO is bad news on a shared computer, especially if the user stays logged in all the time. This is most common in plant operations, business floors and similar settings where other people can reach the computer while the original user is away from their desk.
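The trade-offs above come down to one token standing in for many logins. The following is an added example (a toy model written for this post, not OneLogin's or any product's protocol; real deployments use SAML or OpenID Connect) showing the mechanics: the identity provider signs one token that names which applications may accept it and when it expires, each application verifies the signature and its own audience, and the provider can revoke the session centrally, which is the "lock the attacker out of the remaining systems" idea from the list. The secret, user and application names are made up.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Toy SSO identity provider: one login yields one signed token that several
    relying applications accept."""

    def __init__(self, secret):
        self.secret = secret          # shared with the relying applications
        self.revoked = set()          # session ids killed by the provider

    def login(self, user, audiences, ttl=900, now=None):
        now = int(time.time() if now is None else now)
        claims = {
            "sub": user,
            "aud": sorted(audiences),   # which applications may accept it
            "iat": now,
            "exp": now + ttl,           # short life limits the blast radius
            "sid": secrets.token_hex(8),
        }
        body = b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
        sig = b64(hmac.new(self.secret, body.encode(), hashlib.sha256).digest())
        return body + "." + sig

    def revoke(self, token):
        """Kill the session behind a token, e.g. after a detected break-in attempt,
        so every application stops accepting it at once."""
        self.revoked.add(json.loads(unb64(token.split(".")[0]))["sid"])


def verify(token, secret, audience, revoked, now=None):
    """Relying-application check. Returns the user name, or None if rejected."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None                                 # forged or tampered
    claims = json.loads(unb64(body))
    if now >= claims["exp"]:
        return None                                 # expired
    if audience not in claims["aud"]:
        return None                                 # token for a different app
    if claims["sid"] in revoked:
        return None                                 # session revoked centrally
    return claims["sub"]


if __name__ == "__main__":
    idp = IdentityProvider(b"constructed-demo-secret")
    token = idp.login("dr_smith", ["records", "xray"])
    print("xray accepts:", verify(token, idp.secret, "xray", idp.revoked))
    idp.revoke(token)
    print("after revoke:", verify(token, idp.secret, "xray", idp.revoked))
```

Note what the single point of failure looks like in code: every application trusts the same secret and the same revocation set, so the provider's secret and the store behind `revoked` need stronger protection than any one application's own password database.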
Examples of current implementations
- Log-in with Facebook
- Log-in with Twitter
- Log-in with LinkedIn or Apply with LinkedIn
- ANGEL Learning Systems
And many more.
Worth reading: Building and implementing a SSO solution
Overall, SSO systems have both good and bad sides. Whether to use one is a choice for your organization, or for you personally. Given the potential problems you will have to stay on your toes, but the time saved not recovering and remembering passwords can be spent keeping guard over the SSO system itself.
When I talked with several other IT professionals, they all knew who Anonymous was. Through hacking, activism and other protests, mostly online, Anonymous has become very well known in the IT world. The question today is what all of us in the IT and business world can learn from how Anonymous operates.
Here are some principles that apply to all of us in the IT world:
- Anonymous will never cease to function, because the principle behind it is a powerful one: the hacker stays anonymous and never admits an identity. Plenty of people worldwide will not put their picture and full name online; ask a "private" person to do so and they will refuse. That is why Anonymous gets away with activities carried out in secret.
- Trying to bring Anonymous down by getting them to stop hacking and stop protesting in the streets is getting nowhere. The collective believes it is working toward a perfect world, which, sadly, will not happen.
- Membership in Anonymous is a free-for-all: even if your handle gets banned, you can come back under a different handle or IP address and keep contributing to hacking, software projects and so on.
- There is probably no grand master or leader, just people keeping the same mission going year after year. It began with a few voices on 4chan years ago and keeps on going (eight years now?).
- Time is of the essence. These people spend countless hours hacking, which means you have to spend countless hours on defense and prevention.
What Businesses can learn
- Anyone who joins your organization with anonymous-identity ideas, or asks to stay anonymous by preference, probably has bad motives.
- It’s about time to implement better password security policies.
- It’s also time to implement better database encryption.
- Maintain a good reputation across the whole business. Why? It attracts great workers, raises income, and makes running the company a far better experience.
- Ensure the servers have solid firewall and antivirus protection; not even the smallest piece of malware should be allowed onto a client-facing server.
What Developers can learn
- "There may be developers smarter than me in Anonymous, so I need to step up my coding skills and use better encryption."
- Encrypting files and databases has never been more important than now. Don't think it can't happen to you: Philips thought that, and so did AMD. You'd expect AMD, a company that engineers microprocessors down to the root level, to have properly protected its WordPress database. What gives?
- If the network runs even one or two servers to operate a website, those servers DO need antivirus and firewall software. Don't assume that strong database-administration or server-management skills mean malware can't beat your server; you'd be wrong. Some of the best administrators struggle to keep their servers free of malware.
- If you must fetch an unknown application from the web, or download it from an "anonymous source", run it in a sandbox or a virtual machine first. Executing malware can be the end of a server. Don't be tricked; stay protected.
- Excellent programming skills don't guarantee anything. Plenty of others think their skills are excellent too, and the first time you let your guard down or get prideful, expect trouble.
What IT Security can learn
- Hackers can get into nearly anything. Keep up with current IT security standards; staying one step ahead of the attackers is the goal.
- Keep defense in depth in mind. If you can make it work, it pays off for miles and miles (or kilometers and kilometers).
- Don't expect security to be a piece of cake anymore. It is now the top challenge in IT, people are being recruited from every corner of the field to work in security, and there still aren't enough defenders. Step it up in every aspect of your work: don't procrastinate, don't be pessimistic, and expect your work to show improvement before your eyes.
- As stated above for businesses: password security is extremely important. Push it hard; it is one of the best chances of keeping information secure in personal, business and enterprise settings.
- Push internet security software like there's no tomorrow, because for some computers, personal or business, there won't be one. And not just computers: smartphones, tablets and PDAs too.
There may be no way to stop Anonymous, but we can at least stay 5-10 steps ahead of them. That shows them they have no future, makes life harder for attackers, and drives better technology across the whole IT spectrum. Try these principles in your own area; you won't be sorry.
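"Better password security" and "encrypt the database" are the two points above that developers can act on directly, and the WordPress-style breaches mentioned are usually bad because passwords were stored as unsalted fast hashes. The following is an added example (written for this post, not taken from WordPress, Philips, AMD or any product) that puts the weak pattern next to the fix: unsalted MD5, where every user with the same password shares one hash, versus salted, iterated PBKDF2-HMAC-SHA256 with constant-time verification, plus a minimal policy check. The common-password list is a constructed stand-in for a real breached-password list.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000                          # raise as hardware gets faster

# A few entries standing in for a breached-password list (constructed for the example).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2012"}


def weak_hash(password):
    """The pattern seen in many leaked databases: unsalted MD5. Same password,
    same hash, so one lookup table cracks every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256; the stored string is self-describing
    so the iteration count can be raised later without breaking old records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except (ValueError, TypeError):
        return False                       # malformed record: never accept
    return hmac.compare_digest(dk, expected)


def check_policy(password, min_length=12):
    """Return the list of policy failures (empty means acceptable)."""
    failures = []
    if len(password) < min_length:
        failures.append("shorter than %d characters" % min_length)
    if password.lower() in COMMON_PASSWORDS:
        failures.append("appears in the common-password list")
    return failures


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery", record))
    print("policy failures for Summer2012:", check_policy("Summer2012"))
```

The iteration count is the knob that makes offline cracking of a stolen table expensive; MD5 has no such knob, which is why a leaked WordPress-era table falls in minutes. Length plus a breached-password check beats complexity rules that only produce "Summer2012!".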
In this frequently asked questions post, I will publish some of the questions people ask me about Sirefef, also known as ZeroAccess, along with answers from my experience.
Q: How to protect from this atrocity?
Q: Are Sirefef and ZeroAccess the same thing?
A: Yes. They are the same malware family; different antivirus companies use different names, partly because of language translation and partly for competitive reasons.
Q: Can the ZeroAccess virus infect my flash drive?
A: The malware is unlikely to activate from the flash drive itself, unless you plugged the drive in while logged on to an infected Windows machine, in which case it may be carrying a copy. If you're worried about something on the drive running accidentally, BitDefender's USB Immunizer blocks the autorun route (it does not remove an infection that is already there), so scan the drive with an up-to-date antivirus as well.
Q: Should my passwords be changed after the ZeroAccess infection? Is it only active ones to change?
A: All passwords need to be changed, both the ones you use actively and the ones you rarely use. If you're unsure about the rarely used ones, don't base new passwords on old ones: start fresh with entirely new passwords. See more on passwords.
Q: What is Sirefef, how did it infect my computer, or when are new variants released?
A: Sirefef, or ZeroAccess, is a rootkit that also behaves as a virus and/or backdoor trojan, and it keeps changing. It is still being watched and studied constantly, with two to three new variants appearing every two weeks. We stay abreast of all changes.
Q: How did Sirefef infect me?
A: Malware commonly gets onto a machine through hidden-iframe injections in web pages, or through exploitation of vulnerable browser plugins. In the iframe case, the attacker injects a tiny (1x1 pixel) iframe into a compromised page; it loads a script that exploits the visitor's browser and silently downloads and installs the malware (a drive-by download). The vulnerable-plugin problem arises when people fail to update Adobe Reader, Adobe Flash Player, the Java Runtime Environment, Apple QuickTime, Mozilla Firefox and so on; malware authors target those old versions with exploits that let them take control of the computer.
Other malware spreads through bugs in the operating system or in applications. Programs, and very often Windows itself, become vulnerable to attack because of flaws in their code.
Those without proper Internet security protection are the ones who fall victim to these exploits.
Many people are being hit with Sirefef through these exploits. I'd say three quarters of the people I've seen here on the forums had out-of-date plugins, which inevitably led to infection. Sirefef is one of the most prevalent and most actively developed pieces of malware of the past year.
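Since the injected iframe is the part of this chain a site owner can see in their own pages, here is an added example (written for this post, not taken from any scanner or antivirus product) that audits HTML for iframes with the drive-by signature described above: tiny dimensions, hiding styles, off-screen positioning, and a source on a different host. The sample page and the domain names in it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TINY = re.compile(r"^\s*(\d+)")
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OFFSCREEN = re.compile(r"(left|top)\s*:\s*-\d{3,}", re.I)


def is_tiny(value, limit=2):
    """'1', '1px' and '0' count as tiny; percentages and missing values do not."""
    value = value or ""
    m = TINY.match(value)
    return m is not None and "%" not in value and int(m.group(1)) <= limit


class IframeAuditor(HTMLParser):
    """Flags iframes that look like injected drive-by loaders rather than content."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if is_tiny(a.get("width")) and is_tiny(a.get("height")):
            reasons.append("tiny dimensions")
        style = a.get("style", "")
        if HIDDEN.search(style):
            reasons.append("hidden by style")
        if OFFSCREEN.search(style):
            reasons.append("positioned off-screen")
        if not reasons:
            return                      # a visible iframe (e.g. a video embed) is normal
        # An off-site source is only an aggravating factor once the frame is hidden.
        src_host = urlsplit(a.get("src", "")).hostname
        if src_host and src_host.lower() != self.page_host:
            reasons.append("off-site src")
        line, _ = self.getpos()
        self.findings.append({"line": line, "src": a.get("src", ""), "reasons": reasons})


def audit_html(html, page_host):
    """Return a list of suspicious iframes found in `html` served from `page_host`."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed page: a legitimate video embed plus an injected 1x1 loader.
SAMPLE_PAGE = """<html><body>
<h1>Company news</h1>
<iframe width="560" height="315" src="https://video.example.com/embed/42"></iframe>
<p>Thanks for visiting.</p>
<iframe src="http://bad.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE, "www.example.com"):
        print("line %d: %s (%s)" % (f["line"], f["src"], ", ".join(f["reasons"])))
```

Run it over the HTML as served (after PHP or WordPress has rendered it), because the injection is usually in the database or a theme file rather than in any static file; a clean static tree with a dirty served page is itself the tell. Obfuscated JavaScript that writes the iframe at load time will not be caught by a static parse, so pair this with a headless browser or a plugin-version check when the finding list is empty but users still report infections.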