Adobe Flash Zero Day Bug Emergency Patch

Adobe patches new Flash zero-day bug with emergency update – Computerworld

Adobe today warned that hackers are exploiting a critical vulnerability in its popular Flash Player program, and issued an emergency update to patch the bug.

“There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message,” the Friday advisory said.

All editions of the Flash player are affected, but those abusing this vulnerability are targeting Internet Explorer with this current exploit and Adobe is giving it their Priority 1 status:

The update was pegged with Adobe’s priority rating of “1,” used to label patches for actively-exploited vulnerabilities or bugs that will likely be exploited. For such updates, Adobe recommends that customers install the new version within 72 hours.

In this case of course it’s already actively being exploited. So don’t wait! Don’t be a target, get your Adobe Flash Player update today!

Advertisements

Mac Malware Targeting Unpatched Office Running on OS X – Not the same as before

Mac Malware Targeting Unpatched Office Running on OS X – eWeek

This is a different issue than reported earlier on this blog here on April 16th.

Microsoft is reporting that malware is exploiting unpatched versions of its Microsoft Office Word 2000 suite to compromise Apple Macintoshes running Snow Leopard or earlier versions of Mac OS X.

Microsoft has discovered malware that’s preying on Apple computers running unpatched versions of its Office application suite.

The two vulnerabilities in question were patched in the Microsoft Office Word 2000 suite in June 2009, almost three years ago.

At that time, Microsoft put out a critical security bulletin—MS09-027—to close the holes, which can allow an attacker to get control of a system if a user opens a maliciously crafted Word file.

Much more in the article.

These Office Word 2000 installs on Mac OS X should have been patched by users for 3 years now.

Another troubling situation is that the malware seems to be targeting Snow Leopard and earlier versions of Mac OS X; not Lion.

With Lion the particular memory address being abused to run shellcode isn’t vulnerable like in earlier versions of Mac OS X.

So, if you have ANY version of Microsoft Office software running on your Mac, make sure it is up to date.

Better yet, if you have any software running on your Mac make sure it is updated including MS Office, Java, and other Internet facing programs, as well as Mac OS X itself. This should be obvious to must Mac users by now, but certainly bears repeating.

This is not just a Mac problem, but it has been exacerbated on Macs because getting MS updates for MS Office on the Mac apparently hasn’t been done as religiously as it often is on MS Windows systems, which are also vulnerable by the way.

Microsoft Security Bulletin MS09-027 – Critical
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514).

For Mac OS X, MS Office 2011/Office 14, Microsoft has a page showing how to check for software updates automatically.

Microsoft has a page to download MS Office Updates (at least back to Office 2004)

Religious websites riskier than porn for online viruses: study

Religious websites riskier than porn for online viruses: study – Raw Story

Web wanderers are more likely to get a computer virus by visiting a religious website than by peering at porn, according to a study released on Tuesday.

“Drive-by attacks” in which hackers booby-trap legitimate websites with malicious code continue to be a bane, the US-based anti-virus vendor Symantec said in its Internet Security Threat Report.

The same article, or variations on the theme have been have been run by many news/technology venues such as InformationWeek, NYDailyNews, WallStreetJournal Blogs, CSO Online, PCWorld, etc. Many created their own stories from the report, so well worth a read.

Where did all this information come from:
Symantec Internet Security Threat Report – 2011
Symantec Logo - Confidence in a Connected World - Click to view Malicious Code Threat Report 2011

Malware in 2011
By analyzing malicious code we can determine which threats types and attack vectors are being employed. The endpoint is often the last line of defense, but it can often be the first-line of defense against attacks that spread using USB storage devices, insecure network connections and compromised, infected websites. Symantec’s cloud-based technology and reputation systems can also help to identify and block new and emerging attacks that haven’t been seen before, such as new targeted attacks employing previously unknown zero-day exploits. Analysis of malware activity trends both in the cloud and at the endpoint can help to shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers.

Corresponding to their large internet populations, the United States, China and India remained the top sources for overall malicious activity. …

The reference about religious sites?

Moreover, religious and ideological sites were found to have triple the average number of threats per infected site than adult/pornographic sites. We hypothesize that this is because pornographic website owners already make money from the internet and, as a result, have a vested interest in keeping their sites malware-free – it’s not good for repeat business.

And here’s just one more small area of the report:

Exploiting the Web: Attack toolkits, rootkits and social networking threats

Attack toolkits, which allow criminals to create new malware and assemble an entire attack without having to write the software from scratch, account for nearly two-thirds (61%) of all threat activity on malicious websites. As these kits become more widespread, robust and easier to use, this number is expected to climb. New exploits are quickly incorporated into attack kits. Each new toolkit version released during the year is accompanied with increased malicious Web attack activity. As a new version emerges that incorporates new exploit functionality, we see an increased use of it in the wild, making as much use of the new exploits until potential victims have patched their systems. For example, the number of attacks using the Blackhole toolkit, which was very active in 2010, dropped to a few hundred attacks per day in the middle of 2011, but re-emerged with newer versions generating hundreds of thousands of infection attempts per day towards the end of the year.
On average, attack toolkits contain around 10 different exploits, mostly focusing on browser independent plug-in vulnerabilities like Adobe Flash Player, Adobe Reader and Java. Popular kits can be updated every few days and each update may trigger a wave of new attacks.
They are relatively easy to find and sold on the underground black market and web forums. Prices range from $40 to $4,000. …

The whole report is well worth a read! There is only so much you can put into an article.

Much more in the report!

Oracle Java SE Update – Critical Update

Oracle Java SE Update – Security Garden

Oracle Java released an update to Java SE 6 and Java SE 7.

Edited to clarify:  Included in the Oracle updates are eighty-eight (88) new critical security fixes across numerous Oracle products, listed in the Oracle Critical Patch Update Advisory.  It is strongly advised that the update be installed for those products as soon as possible due to the thread posed by a successful attack.

More in the article.

Time to start checking Java.com for updates from Oracle that fix the latest Bugfixes for Java for your Windows, Solaris, and Linux operating systems. Linux users can also check their distros for these updates, and Mac users should start checking rigorously for updates to Java SE 6 from Apple.

NOTE: As of 10:37 AM EDT today, April 28, 2012, the Java website still shows Java SE 6, Update 31.

You will want to check the download links on Security Garden’s posting for the most recent updates. Or here on Oracle’s download page for Java SE Runtime Environment 6 Update 32 for Linux, Solaris, Windows (mainstream version that works with most applications). Mac OS X users still need to get their Java SE 6, Update 32 from Apple, so please keep checking!

Thanks for keeping us updated on Oracle’s Java status, Security Garden!

The ‘ole Conficker worm still infecting PCs years later

‘Obstinate’ Conficker worm infests millions of PCs years later
By Gregg Keizer, Computerworld

Suppressed botnet has 7M Windows machines in its grip three years after it first appeared

And Mac users thought they had it bad with their Flashback, which is not good, so don’t get me wrong here. But Apple should be watching closely situations like Conficker worm/botnet. What’s that old saying? But by the grace of God go I? or something like that.

Of course this is one of the most widespread botnets to hit Windows PCs, but still, it’s only one of many that are out there for PCs. And although Microsoft made similar mistakes as Apple in regard to malware/viruses/botnets initially, they made up for it in time. They even put out their own antivirus/antimalware program – Microsoft Security Essentials for free to home users to help protect their users. But even with their experience with these things for many years and learning from their mistakes, there is this…

Concern about Conficker reached a crescendo when the mainstream media, including major television networks, reported that the worm would update itself on April 1, 2009. Because of the size of the Conficker botnet — estimates ran as high as 12 million at that point — and other mysteries, hype ran at fever pitch.

It also urged all Windows users to ensure they have applied the pertinent patch — MS08-067 — and for Windows XP and Vista machines, the March update that disables AutoRun.

Much more in the 2 page article.

Java update for OS X patches Flashback malware exploit

Java update for OS X patches Flashback malware exploit – CNET:

Following the recent Flashback malware developments for OS X where unpatched vulnerabilities in the latest Java runtime for OS X were being exploited, Apple has issued an update that brings Java up-to-date and patches these vulnerabilities.

The patch is available via Software Update for systems that have Java installed, but can also be downloaded from the following Apple support Web pages. The update is available only for OS X 10.6 and 10.7, since Apple has stopped supporting prior versions of OS X.

Java for Mac OS X 10.6 Update 7
Java for OS X Lion 2012-001

EDIT:

Mac Botnet Infects More Than 600,000 Apple Computers – eWeek

Apple’s security code of silence: A big problem – CNET
:

Security industry insiders have long known the Mac platform has its holes. The Flashback Trojan is the first in-the-wild issue that’s confirmed this, and big-time. More will follow unless Apple steps up its game.


Secure your Mac from Flashback infection – USAToday
:

Flashback is technically not a trojan-horse application at all, but a “drive-by download” that infects computers by exploiting a vulnerability in Web software.

That makes it much worse than a trojan: You just need to visit a malicious site, without downloading the wrong app or entering an admin password, to have this program silently take command of your Mac and begin altering the content of Web pages.

Find Out if Your Mac Has the Flashback Trojan — the Fast and Easy Way – Mashable – Two quick Applescript scripts if you are squeemish about running commands in a commandline terminal. I have not used them as I checked in commandline. Use at your own risk.

..

It is tragic that for all the online virus/malware scanners that are out there for Windows users, there do not appear to be any for Mac OS X. Now that is tragic.

A wave out to all my Google+ friends

[tweetmeme source=”franscomputerservices” only_single=false]And other Google+ users who might soon be wondering where I went…

EDIT 9/6/2011: In the comments, I continue to add articles. I hope to have this be a pretty inclusive list of articles on this issue. If you know of one I have missed please feel free to leave a comment with the link. Thanks!

I have found that as much as I absolutely love Google+ the ‘social network’ — now known to be an ‘identity service’, I am leaving on 9/9 along with some others that have identified 9/9 as the day to leave. Hopefully it will have some impact even if it’s only a small overall number of users. But more than anything, I hope it will have a lasting impression regardless on how dangerous ‘identity services’ appearing to be ‘social networks’ can be.

Google has determined that Google+ aka Google Plus or G+ is to be an ‘identity service’ and that Google/Google+ require your real/common name not a pseudonym, pen name, stage name but only western style two name real/common names apparently.

Some may say so what. But others will know that this is a major issue and has been since Facebook started this trend. Here‘s my Google+ posting on this and this one reshared from Tom Anderson both which will be gone after 9/9.

Not to mention the fact that Google+ is linked to things like your GMail account, Google Search, Picasa, Youtube, Google maps/location data, Android apps purchases, and so much more — and even more of Google’s offerings as time goes on (and boy do they have a lot of social types of offerings or apps). And if you don’t like that and decide to leave G+, you are prompted to remove all, what they call connections to their ‘social apps’ linked to your G+ GMail account.

“Just go somewhere else” is a fallacy. The name policy stretches far beyond Google+, and here’s why. (Todd Vierling on Google+)

Here’s just a couple early articles the weekend when Google started arbitrarily disabling accounts:

Google+ and the loss of online anonymity by Matthew Ingram (GigaOm)

Update: Complaints mount over Google+ account deletions by Juan Carlos Perez (Computerworld)

Dutch researcher downloads 35 million Google Profiles (State of Search)

So what’s the big deal? First, it’s a great security risk for users. Especially normal/average users since many business users already have their ‘real’ name out there and it’s part of their branding. I actually am one who has done just that. Fran Parker is Fran’s Computer Services and this posting is on my Fran’s Computer Services blog. And technically Fran Parker is a common variation on my real name, but that is ‘allowable’ on G+ because it is how I am commonly known. Also, there is some arbitrariness about it all too. If disabled users can ‘prove’ who they are, or can ‘prove’ that they have a ‘valid’ reason for allowing the ‘pseudonym’ to those at Google/G+ who handle complaints or vetting of those who want to try to get reinstated, you can be back in their good graces.

However I am leaving Google+ — and don’t get me wrong — it would certainly benefit me to stay on G+ and let their new service benefit my business networking online. Instead, I am leaving Google+.

My name is Clo | My Name Is Me

My name is Albatross | My Name Is Me

Why? I am leaving because Google has decided to build G+ as an identity service — in some ways like Facebook, but not really since G+ is a public profile server — yes, you can hide nearly everything but your public posts or responses to public posts, your +1 (think: Facebook Like), AND you can’t hide your real/common name because they make that public — and Google has changed the rules on their services so they can now link you, by name, and even by what you put in the field for ‘also known as’, or ‘nicknames’ field, on every one of their services and boy do they have a lot of services. And if you don’t believe me, try this. Especially if you are a member of Google+, search on your name, particularly your Google+ profile name.

Will cyberthugs exploit Google Plus ‘identity service’ for spear phishing attacks? by Darlene Storm (Computerworld)

What’s the big deal, you say? Oh, nothing much accept that by doing this, they have made each and every one of us a bigger phishing, actually more like spear phishing, and/or unethical hacking/cracking target by linking everything we do or say online. For business users whose names are linked to their branding, they live with that day in and day out and it’s a major pain, but they made that decision to deal with that consciously at some point. But the average user? I don’t think the average or normal user needs or wants those types of hassles. OK, so maybe you say, So what? It’s a greater security risk for users. You can be targeted so much easier by linking so much about yourself online. And there is this to think about:

Google fined in Brazil for refusing to reveal bloggers’ identities (TheNextWeb)

OK, and if that wasn’t bad enough. By limiting the ability to use pseudonyms, stage names, pen names, non-English Western civilization name standards, etc., Google is cutting of their nose to spite their face. And some folks have been known by nothing else but a pseudonym, pen name or stage name online for as much as 20+ years, by the way. But that’s OK, they don’t really want to be everyone’s Google+ friend, they obviously just want to make more money.

Why do I say that? Because all of this linking is data they can market with, sell to others in corporations, governments, highest bidder, whatever — in aggregate form of course, like Facebook does. Facebook makes a bundle on this already and Google apparently wants a piece of that action…well a bigger piece. Besides they already know you. Now they are getting your permission to basically track you further, and use more of your data that you share with them….errr, enter on their services, like Google+.

Also, but many of us have been working against abuse of marketing crap since Steve Gibson created OptOut when he became aware of the crap that was going on in the early days of computing online on the Internet. Marketing which was more like spyware than benign advertising in the newspapers or magazines where they can’t track you!

OK, enough about that side of things. Now on to the other side. The discrimination, the arbitrary decisions to disable accounts and require proof of who they are or the changing of their ‘name’ to something more western or 1st world or whatever you want to call it … two name (first and last name) like western countries do. Which is not at all like real/common names in other parts of the world.

Also, some folks really do need to use a pseudonym, or alternative name, stage name, pen name …whatever you want to call it. And many people in this type of situation would rightfully feel this is a discrimination against women. Many women have been stalked, have had abusive spouses or coworkers/bosses or have spouses or jobs where it would be ‘inconvenient’ (like they could lose their job or their spouses job for them or their position), if they were not able to speak out anonymously through a pseudonym.

There are so many angles on this issue. It was wrong when Facebook did it and it’s even more wrong (if there is such a thing) for Google to do it. Why is it more wrong for Google? Because we have higher expectations of Google. They have always tried to ‘do no evil’ in the past and now they will be right in the middle of it. Was ‘do no evil’ only to get people to trust them? Like Apple with their ‘think different’ and revolution anti-big brother stance in their 1984 commercial? But all the time they had other plans?

If you are not familiar, and it would likely be easy not to be familiar if you are not on G+ aka Google Plus service or have friends that are. Since it is an invite only ‘field test’ at the moment anyway, many would be not involved. But many geeks, technicians, artists, artisans, journalists, etc. are on it to help improve it and try it out as the new kid on the block in social networking. I have been one of these folks for some time now. First with a pseudonym which was quickly squashed through either someone turning me in for having a pseudonym or their algorithm bot got me because the name was obviously not a real name, and after that was disabled, I decided to come back as my business name.

Here are some, and just a few really of the articles that address the issues better than I could ever do:

Understanding the Nym Wars (BoingBoing) with several links and some great commentary


A Case for Pseudonyms (EFF.org)


Google+ Identity Crisis: What’s at Stake With Real Names and Privacy (Wired.com)

Violet Blue: just one of her many postings about Pseudonyms on G+ and she has a legitimate gripe and one of her articles on ZDNet


“Real Names” Policies Are an Abuse of Power (danah boyd blog)


Tracking the Nym Wars (G+ Insider’s Guide)

On Pseudonymity, Privacy and Responsibility on Google+ – Kee Hinkley

Why It’s Important To Turn the Tide on Google’s Real Name Policy (Botgirl’s Second Life Diary blog)

Who is harmed by a “Real Names” policy? (GeekFeminism – Wikia.com) (and related Pseudonymity article).

Who is harmed by a “Real Names” policy?

This page lists groups of people who are disadvantaged by any policy which bans Pseudonymity and requires so-called “Real names” (more properly, legal names).

This is an attempt to create a comprehensive list of groups of people who are affected by such policies.

The cost to these people can be vast, including:

  • harassment, both online and offline
  • discrimination in employment, provision of services, etc.
  • actual physical danger of bullying, hate crime, etc.
  • arrest, imprisonment, or execution in some jurisdictions
  • economic harm such as job loss, loss of professional reputation, reduction of job opportunity, etc.
  • social costs of not being able to interact with friends and colleagues
  • possible (temporary) loss of access to their data if their account is suspended or terminated

The groups of people who use pseudonyms, or want to use pseudonyms, are not a small minority (some of the classes of people who can benefit from pseudonyms constitute up to 50% of the total population, and many of the others are classes of people that almost everyone knows). However, their needs are often ignored by the relatively privileged designers and policy-makers who want people to use their real/legal names.


Nymwars – Wikipedia

The icing on the cake was Eric Schmidt the recent but former CEO of Google stating this (guess he can say anything now, eh?):

Eric Schmidt: Google+ Is An Identity Service; User Your Real Name Or Don’t Sign On (Huffington Post)

Schmidt: G+ ‘Identity Service,’ Not Social Network by David Gerard (slash dot or /.):

David Gerard writes
“Eric Schmidt has revealed that Google+ is an identity service, and the ‘social network’ bit is just bait. Schmidt says ‘G+ is completely optional,’ not mentioning that Google has admitted that deleting a G+ account will seriously downgrade your other Google services. As others have noted, Somewhere, there are two kids in a garage building a company whose motto will be ‘Don’t be Google.‘”

And here’s one I missed that I just saw over at Google+ on Nom DeB‘s profile posts:

Google+ Can Be A Social Network Or The Name Police – Not Both by Bob Blakley at Gartner Blogs

Really all you need to do to find out more about this is to search on Google or any other search engine for any number of combinations of words in this article.

Now we even have a place for Google Refuges to be able to link up after they leave Google+.

EDIT: grammer/clarity and to add Bob Blakley’s Gartner blog article. Also almost forgot my TWEETMEME link, and Added Todd Vierling’s “Just go somewhere else” is a fallacy. The name policy stretches far beyond Google+, and here’s why.”