IE Zero-Day Vulnerability

Microsoft Security Advisory 2963983 – Vulnerability in Internet Explorer Could Allow Remote Code Execution – TechNet

General Information

Executive Summary

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. For information about protections released by MAPP partners, see MAPP Partners with Updated Protections.

Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates, and installing antimalware software.

Mitigating Factors:

• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.

More information in the full article. There is no patch. But Microsoft has given some recommendations which are easier to understand at Security Garden’s posting:

Recommendations

As illustrated in the “Security Research and Defense Blog” reference below, users of IE 10 and 11 should ensure they haven’t disabled Enhanced Protection Mode.

Another option is to install the Enhanced Mitigation Experience Toolkit (EMET). The recommended setting for EMET 4.1, available from KB Article 2458544, is automatically configured to help protect Internet Explorer. No additional steps are required.

See the Tech Net Advisory for instructions on changing the following settings to help protect against exploitation of this vulnerability:

• Change your settings for the Internet security zone to high to block ActiveX controls and Active Scripting

• Change your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

 

Those still using Windows XP on the Internet, please be aware:

VERY IMPORTANT FOR ANY HOLD OUT WINDOWS XP USERS

This is the first of the security vulnerabilities that DOES NOT include workarounds  for Windows XP. The oldest Windows noted as being affected are: Windows Server 2003 SP2 and Vista SP2.

IMPORTANT NOTE: Once a Microsoft product’s support has expired — as is true now about Windows XP SP3 since April 8, 2014 — Microsoft no longer lists it as affected by the vulnerabilities being patched. Microsoft only list Windows versions which are still under Mainstream Support or Extended Support. This has always been the case.

If anyone is still using Windows XP on the Internet (UNWISE!!), it would be strongly recommended to disallow IE (Internet Explorer) access to the Internet through your software firewall*, and use another browser like Firefox and Google Chrome which will still be getting updates for a time.

* Any Windows XP users still on the Internet should at least have:

• a hardware router with Stateful Packet Firewall
• should be using a ‘real’ software firewall as well as a good AV program. Just one good choice that will continue to support Windows XP is ESET’s Smart Security which is a very good antivirus and firewall. It is the one I use. It is not free. There are several free antivirus programs but not many free security suites.
• block Internet Explorer through the ESET or other software firewall.
• should be using a 3rd party browser like Mozilla Firefox with NoScript, Adblock Plus and WOT to help sort out safer search results on search engines, or Google Chrome with ScriptSafe, Adblock Plus and WOT Extension.
• uninstall Java entirely, keep Adobe Flash religiously updated for Firefox as long as Adobe continues to provide them. Google Chrome updates Flash within itself. Might want to switch from Adobe Reader to Sumatra PDF reader which is a simple PDF viewer.
• need to be even more careful than ever before about where you go. The bad guys will be looking with great anticipation for computers with expired Windows XP.
• no risky behavior
• no banking … note very soon banks will be disallowing expired Windows XP entirely anyway.

IMPORTANT: You can not block a program from getting out to the Internet with the Windows XP Firewall. It is only a one way firewall. It only monitors incoming Internet requests, instead of both ways as any real firewall including Windows 7 and Windows 8 built-in software firewalls do.

Here’s a quote from a ZDNet article:

To those planning to stick resolutely with the aged Windows XP operating system even after Microsoft ends support next year, the advice from experts is simple: Don’t do it.

Again: I would strongly suggest you get a new computer, upgrade your computer if it can be upgraded to a modern/still supported Windows such as Windows 7 or Windows 8, or get a Mac, or you could  convert/upgrade the computer to Linux or use a Linux LiveCD to visit the Internet and still use Windows XP as a standalone NOT CONNECTED TO THE INTERNET computer.

If you need help with any of this, please contact your computer guru, join a forums like Scot’s Newsletter Forums – BATL (Bruno’s All Things Linux) to ask questions, or you can use the contact info on my website  to contact me for some help.

Support Ends today for Windows XP and Office 2003

RIP Windows XP and Office 2003!

Well, like it or not, Windows XP Home and Professional, as well as Microsoft Office 2003 support ends today, April 8, 2014.

Windows XP Home and Professional Support Ends today, April 8, 2014!

 

Windows XP support end: 10 steps to cut security risks – ZDNet

“While doing nothing is an option, we do not believe that most organisations — or their auditors — will find this level of risk acceptable,” vice president and Gartner fellow Neil MacDonald said in a report, Best practices for secure use of XP after support ends.

Between 20 percent and 25 percent of enterprise systems are still running XP, and one-third of organisations continue to use it on more than 10 percent of their machines, Gartner estimates.

For those still using the venerable OS after the end of routine Microsoft updates and security patches, MacDonald has come up with 10 best practices to minimise the risks.

Rest in Peace, Windows XP – PCMag SecurityWatch

Rest in Peace Windows XP 2001-2014 You will be missed! Image links to PCMag article.

This is the end. Your Windows XP computer will get its last update today. Oh, it’s not going to roll over and kick the bucket, but continuing to use it will be more and more dangerous, since any new vulnerabilities that arise won’t be patched. We checked in with a number of security experts to discuss just how risky life will be for those who continue to run XP.

It’s the end of the line for Windows XP – USAToday

The software — introduced in an era before texting, Facebook, Snapchat, the iPhone and iPad — has lingered thanks to the reluctance of many consumers and small businesses to change. Despite its age, XP is the No. 2 computer operating system, and many folks are in store for a rude wake-up call.

Microsoft on Tuesday ceases official support for XP. The company will no longer issue patches or system updates to protect against viruses and other malware. If you run into any snags at all, you won’t be able to call Microsoft for technical assistance.

Microsoft Ends Support for Windows XP – Mashable

“Microsoft has provided support for Windows XP for the past 12 years. But now the time has come for us, along with our hardware and software partners, to invest our resources toward supporting more recent technologies so that we can continue to deliver great new experiences,” wrote Microsoft in an announcement.

…

Launched on October 25, 2001, Windows XP is one of the most successful Microsoft products ever; its successor, Windows Vista, was quickly replaced with Windows 7, and it took as long as September 2012 for Windows 7 to overtake XP as the most popular desktop operating system.

Microsoft ends support for Windows XP and Office 2003 – TheNextWeb

If you’re wondering why April 8, 2014 is the date support for both of these products ends, it’s really quite simple. Microsoft releases regular patches on Patch Tuesday, the second Tuesday of every month.

Microsoft supports its products for many years, and depending on when service packs as well as successors are released, the company eventually announces, in advance, when it will cut off support. April 8 happens to be the last Patch Tuesday for both products, meaning if security holes are found after today’s date, they won’t be plugged.

Excellent point!

Netmarketshare.com for Operating Systems pulled today showed March 2014 tallies:

Networkmarketshare, as of March 2014, pulled today, still shows Windows XP as 27.69% of the MarketShare. Link goes to metmarketshare.com

I personally still find it unbelievable that Microsoft, or any company really, would retire/pull support an OS that still garners nearly 30% of Windows users around the world.

Of course if you are an Enterprise company that can afford $200 PER PC for the first year, and increasing amounts each year THEREAFTER for Windows XP updates (security updates only by the way)…

Windows XP support will be available after April 8—just not for you – PCMag

Meet Microsoft’s Custom Support for Windows XP, described as a last-ditch effort for big businesses to quite literally buy some more time to migrate from Windows XP to a more modern operating system. The U.K. paid 5.548 million pounds to Microsoft for an additional year of support to maintain critical and important security updates for Windows XP, Office 2003, and Exchange 2003. Otherwise, Microsoft plans to end support for Windows XP by April 8.

Microsoft has been warning about the demise of Windows XP support since September, 2007, and Custom Support will extract a heavy toll from businesses that were too slow to act: up to $5 million per year (according to a report from Gartner), negotiated on a custom, per-company basis. Last year, Gartner issued a report claiming that the prices could go as high as $200 per PC, per year. The firm called such prices “punitive”.

…

Should consumers get the same break?

To date, Microsoft has given no indication that it will extend consumer support for Windows XP after the April 8 deadline, even though it has extended anti-malware support through July, 2015. After that date, any and all vulnerabilities found for Windows XP will live on forever, even though there are some avenues to keep your PC safe and protected after the deadline expires.

BTW: Apple‘s Mac OS X Mavericks holds 3.75% of the market (putting it between Windows 8.1 and Vista), however, if you include all Mac OS X operating systems listed: Mac OS X 10.6 1.29% (support ended), Mac OS X 10.8 1.18%, Mac OS X 10.7 1.05% Mac OS X 10.5 .24% (support ended), Mac OX X 10.4 0.06% (supported ended), and Mac OS X no version reported 0.01%, then the total is 7.58% of the operating system total market share (which puts it on the low end between Windows XP and Windows 8).

But, that does mean that only 1.59% of all Mac OS X users are running expired versions with no support.

Compare that with 27.69% of Windows users running  Windows XP.

NOTE: That doesn’t count the expired/no support users running Windows NT at 0.15%, Windows 2000 at 0.03%. Apparently Windows 98 users have finally fallen off at 0.00%.

Windows XP end of support: why it concerns you – OnWindows.com

Reto Haeni explores the risks of running Windows XP after its end of service and the benefits of migrating to newer operating systems

This article was first published in the Spring 2014 issue of Touch

…

Designed in a different era

Computers running Windows XP routinely experience a significantly higher malware infection rate than computers running any other supported version of Windows. Much of the elevated infection rate on Windows XP can be attributed to the fact that some of the key built-in security features included with more recent versions of Windows are not present in Windows XP. Windows XP, designed in a different era, simply can’t mitigate threats as effectively as newer operating systems, like Windows 7 and Windows 8. As the threat landscape has evolved over the past twelve years since the release of Windows XP, so has software security.

It’s time folks! If you haven’t done it yet, and if you are still running Windows XP on the Internet, it is high time to correct this by upgrading to a modern OS that is still supported, or disconnect from the Internet.

Please, unless you are a technical person who truly understands the risks and has taken steps to mitigate the overwhelming risks, then please be responsible and disconnect your Windows XP computer now!

Or move to new computer running a current version of Windows, or a Mac from Apple, or the Open Source ‘UNIX like’ Linux operating system and run Windows XP programs with Crossover as suggested here, or you could use Windows XP offline, and use a Linux LiveCD for Internet surfing and email, etc as suggested here and not mess up your offline Windows XP system. No matter how you do it, PULL THE PLUG on Windows XP – Disconnect the Ethernet or Wireless connection to the Internet! Just as soon as you get any April 8th Windows Updates on Patch Tuesday.

Unless you know what you are doing, you will be playing Russian Roulette with your Windows XP computer if you allow it to be online once Microsoft ends support after April 8, 2014. And that has been only Life Line extended support since 2009.

 

Microsoft Office 2003 support ends today, April 8, 2014!

We also mentioned Microsoft Office 2003. Oh, yes, Microsoft Office 2003 has also expired today. No more security updates will be provided for Office 2003 either, just like Windows XP.

If you are still using Office 2003, it’s high time to remove it and move to a current version of Microsoft Office, or move to one of the Open Source alternatives such as;  Apache Foundation‘s OpenOffice.org or Document Foundation‘s LibreOffice, or move to using online versions of MS Office software like MS Office Web Apps or move over to Google’s online document handling programs; Google Docs.

 

XP SP3 and Office 2003 Support Ends April 8, 2014

Windows XP has been around since August 24, 2001 – 12 years ago now. It is getting VERY long in the tooth.

Windows XP SP3 and Office 2003 Support Ends April 8th, 2014

Like many Operating System versions, Windows XP was not such a great OS in the beginning. BUT, like many Microsoft products, it got better after Service Pack 1 (SP1), but wasn’t the best it could be till after Service Pack 2 (SP2) and mildly better after Service Pack 3 (SP3). SP3 is the current version of Windows XP.

I loved Windows XP for a long time, even though it was getting long in the tooth. But I have come to love Windows 7 even more. Windows 8 … the jury is still out. For me I use several different operating systems. I also love and use Mac OS X or just OS X (as it is called now) and Debian Linux.

Windows XP has been on life support or Extended Support since April 8, 2009 when Mainstream Support ended. That was after two says of execution as it were since it was supposed to be ended earlier than 2009.

Windows XP has been the main stay for many folks for a long time in the Windows world — the last 12 years. That’s a long time for an Operating System version.

Windows XP still holds the #2 spot at 31.24% of computer users as shown below in the graph from NetMarketShare.com:

NetMarketShare.com Operating System Breakout – November 1, 2013

Windows 7 holds the #1 spot for a very good reason. It is still the best of the newer Operating Systems from Microsoft to date — in my opinion and nearly half of all Windows users to date. And Windows 7 is still good to go until January 14, 2020 (end of Extended Support – it is still in Mainstream Support until January 15, 2015). Here’s the break out of the Windows lifecycle fact sheet info:

Windows Life Cycles from the Windows Life Cycle Fact Sheet

I have said all this because we need to see where were are, and where we need to be as computer users, particularly as Windows users with April 8, 2014 looming over those of us still using Windows XP.

Especially in the light of the pervasive malware purveyors out there today.

We need to make sure we are all no longer using Windows XP of any kind before or at least by April 8, 2014 when Microsoft will no longer be providing ANY security updates for Windows XP.

A few years back they did the same thing with Windows 2000. It’s now Windows XP’s turn.

Please read the following articles to see why this will be very important:

Windows XP infection rate may jump 66% after patches end in April – Computerworld

Microsoft yesterday again put the scare into Windows XP users, telling them that after April 8, 2014, the chance that malware will infect their PCs could jump by two-thirds.

Windows lifecycle fact sheet – Microsoft.com (image above)

New stats show Windows 8 usage up sharply as XP usage plummets – ZDNet (for curiosity though, look at the difference between the table on ZDNet’s article and the one today).

NetMarketShare (choose Operating Systems from the dropdown to see the chart above in real time)

Gartner Says Worldwide PC, Tablet and Mobile Phone Shipments to Grow 4.5 Percent in 2013 as Lower-Priced Devices Drive Growth – Gartner.com

Source: Gartner Oct 2013 – Worldwide Device Shipments by Segment

It would appear, that, as predicted, many around the world are moving to other types of computers, in particular mobile devices. This was forecast and it would seem to be coming to pass rather dramatically now.

It is amazing to see the number of people who rarely if ever use their desktop computers these days, relying on their mobile devices for almost all, if not all, their computing and Internet needs. Some folks no longer even have a computer other than a tablet, like the iPad or Nexus Tablet, or Surface, etc., or just use their smartphones for their email, browsing, messaging, gaming, etc. which is the bulk of what people seem to do on the Internet these days. Unless of course if their work or business, or gaming bents, are important to them. Having said that, even gaming has very much gone mobile for many people.

I am hoping that folks will take a look at the overall picture and determine which direction they wish to go now that there are only a few months left before Windows XP will no longer be a viable Internet connected computer.

Will a Desktop or Laptop be the way to go, or will a Mobile device like a Tablet or maybe even just a smartphone be enough for many folks? Staying with Windows or moving to a Mac may also be a consideration.

No matter which way folks ultimately go, deciding will be important and thinking about this is really needed with Windows XP going away in just a short few months.

Over 31% of computer users will need to make this decision before April 8, 2014, if they wish to remain as safe as they can be on the Internet.

Even with Google Chrome continuing to support Windows XP SP3 a year after Microsoft (till 2015), if the Operating System itself has no updates, that will certainly not be enough.

Lots to think about and only a few months to decide … Windows XP SP3 and Office 2003 Support Ends April 8th, 2014

Critical Java SE update due Tuesday fixes 40 flaws

Critical Java SE update due Tuesday fixes 40 flaws – The Reg

And yes, most are remotely exploitable

According to Oracle’s security announcement, the patch pack addresses 40 different vulnerabilities. All update levels of Java SE 5, 6, and 7 are affected by the flaws, as are all versions of JavaFX.

Of the 40 bugs, all but three are remotely exploitable over a network without the need for a username or password.

Oracle plans to release its latest Java SE Critical Patch Update on June 18, 2013.

Watch for it and install it if you have Java installed on your system. If you are sure you don’t need Java for anything, it would be best to uninstall it or disable it until the update, or at least disable Java in your browsers.

Disable Java – Windows, Mac, Linux

US Department of Homeland Security advises disabling Java following fresh zero-day vulnerability – The Verge

A new Trojan horse has been discovered that exploits a flaw found in Java, leaving computers running Windows, Mac OS, and Linux vulnerable to attack. Mal/JavaJar-B allows attackers to remotely trigger code once it infects a system, potentially leading to the installation of malware, or even ransomware. Oracle hasn’t yet patched the vulnerability, which targets even the latest version of Java.

US-CERT RECOMMENDS THAT USERS DISABLE JAVA IN WEB BROWSERS

Apple has already taken care of this on the Mac by updating to disallow all Java except including the new one that hasn’t even been released yet. Excellent move from Apple.

Firefox and Google Chrome has had you click to even use Java for awhile now. From my experience, I believe that includes the current version of Java as well. As noted above, Firefox now includes the current version of Java in their blacklist. You have to personally choose to actually use Java using their Click to Play feature. Thank you Mozilla!

Google Chrome has instituted on December 21, 2012, noted in their blog posting, a feature that disallows silent extension addon installations. I believe this is something that Mozilla did some time ago when they experienced problems with it. Or maybe not.

So you will definitely want to disable Java in all browsers in Windows, Linux and on the Mac just to be safe for now.

Internet Explorer now allows you to disallow plugins by default and only allow those you specifically allow. But if you have allowed Java in the past, you will want to disable it:

How to Disable Java – PCMag

The PCMag article gives instructions for all the main browsers. Check it out and please for your sake don’t use a browser for general use that allows Java at least for now.

Disable it in at least one browser that you can use for general purpose use.

Whichever method you choose, visit the Java test page at http://java.com/en/download/testjava.jsp to confirm that Java is disabled. Yes, you’ll occasionally run across a website that relies on Java. If necessary, you can temporarily enable Java for those sites. But you may be surprised at how little you miss it.

More here at Security Garden, Dottech.org (How to/tutorial with images) and Venture Beat as well.

I have Java totally disallowed in my main browser, and enabled in one of my other browsers so I can still go to Secunia.com to use their OSI (Online Security Inspector) to check plugins and Internet facing programs. I also compare that with Firefox’s plugin checker. This in Windows. On my Mac, I have Java disabled in all but one browser and turn Java on and off as needed overall. In Linux Java is also disabled in my main browser.

This is very important until Oracle gets this updated and is quick to fix these vulnerabilities.

Oracle really needs to get on the stick before they and all the programs that make use of them are made obsolete! And there are millions of them!!!

EDIT: As of 1/11/2013 – Added Mozilla’s and Apple’s change to include blacklisting of the current version of Java due to the Trojan affecting even the current version of Java. See the info earlier in the posting.

Oracle to stop patching Java 6 in February 2013

Oracle to stop patching Java 6 in February 2013 – Computerworld

The article notes that of course this will be a hardship for Mac OS X Snow Leopard users and for users of earlier versions of OS X, but that is not as far as this rabbit hole goes. Very good article. Well worth a read.

That will leave a significant portion of Mac users without the means to run an up-to-date Java next year. According to Web metrics company Net Applications, approximately 41% of all Macs still run versions of OS X older than Lion.

Apple will presumably issue the final OS X patches for Java 6 in February alongside Oracle’s update.

It will also be hard on businesses, and even government agencies and departments, that will now be forced to work over their Java based programs to make sure they will still work with the current versions of Java 7.

That also means that Oracle themselves will have to update their Forms and Reports (or maybe these are things built by the companies using them too), to work with Java 7 so companies and some government agencies and departments can allow vendors that provide service and products to them. Currently, many of them must make use of Oracle Forms and Reports built on Java 6 from a special site like the MyInvoice subdomain that the government military still uses. That site requires a later version of Java 6 even now. This puts them and their vendors at risk by requiring an old Java on their systems in order to even work with them.

And what about the medical community. I have seen them falling down on the job as well on keeping up with the version of Java that physicians must use on their computers in order to read X-Rays remotely from home or on the road.

The article further is concerned about even upgrading to Java 7:

On Tuesday, Polish researcher Adam Gowdiak, who reported scores of Java vulnerabilities to Oracle this year, told the IDG News Service, “Our research proved that Java 7 was far more insecure than its predecessor version. We are not surprised that corporations are resistant when it comes to the upgrade to Java 7.”

Now that is sad news indeed. There are many sites that make use of Java and with good reason! Even Android is based on Linux — C,C++ and Java. As are many embedded systems, phones, and many electronic devices around the home.

Oracle needs to fix this problem and their Java. If they are going to be the owner of Java, they need to do better with the Java programming language that companies are not concerned about moving to their Java 7! So many programming eco systems out there depend on Java.

They inherited Java and the huge eco systems that depend on them, and base of users when they bought out Sun Microsystems. They can’t make swiss cheese with a door and think people will be be fine with this. Even things like OpenOffice.org and LibreOffice depend on Java — thankfully the current Java, but even that is according to this article, problematic. And what about all the embedded devices that depend on Java? When you install Java and are waiting for it to install, Oracle proudly talks about the billions of devices, that run Java. Oracle’s Java.com About page proudly states:

To date, the Java platform has attracted more than 9 million software developers. It’s used in every major industry segment and has a presence in a wide range of devices, computers, and networks.

Java technology’s versatility, efficiency, platform portability, and security make it the ideal technology for network computing. From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!

• 1.1 billion desktops run Java
• 930 million Java Runtime Environment downloads each year
• 3 billion mobile phones run Java
• 31 times more Java phones ship every year than Apple and Android combined
• 100% of all Blu-ray players run Java
• 1.4 billion Java Cards are manufactured each year
• Java powers set-top boxes, printers, Web cams, games, car navigation systems, lottery terminals, medical devices, parking payment stations, and more.

To see places of Java in Action in your daily life, explore java.com.

The bold on the bullet list above is mine.

Oracle really needs to wake up now before they totally destroy the great reputation that Sun Microsystems had when they conceived and built so much with Java. And all for nothing!

Trust is a terrible thing to waste.

 

 

Java flaws already included in Blackhole exploit kit within 12 hours

Java flaws already included in Blackhole exploit kit, Oracle was informed of vulnerabilities in April – Sophos Naked Security

It took less than 12 hours from the time the proof of concept for the latest Java zero-day vulnerabilities went public for exploits of those vulnerabilities to be included in a commercial crimeware kit.

Brian Krebs was first to mention having heard that CVE 2012-4681 was being added to the Blackhole exploit kit, and SophosLabs confirmed seeing it in the wild a few hours later.

And this about Macs in particular:

Some have asked if Mac users are at risk from the CVE 2012-4681 exploit and the answer is “Maybe.” The version officially distributed by Apple is Java 6, which is not vulnerable.

Interesting that an older version is not vulnerable to this particular zero day exploit. But if users of Lion and Mountain Lion have installed Java 7 directly from  Oracle’s Java.com site (which is the only way to even get Java on Lion and Mountain Lion), then they are vulnerable.

And of course, Windows and Linux/UNIX/BSD are all vulnerable as well if Java 7 has been installed.

Soon Twitter users were tweeting that Mac users were being attacked, but that the malware apparently on the blackhole server is serving Windows malware. Gives Mac users a reprieve to get their Java updated … if they installed it at all.

What is really sad is that Oracle was made aware of this vulnerability back in April and didn’t fix it in a timely manner.

Thankfully Firefox and Google Chrome will disable or at least not automatically run Java if it’s outdated. Other browsers (Internet Explorer, Opera, etc.) should be doing the same thing.

Java 7 ‘super dangerous’ vulnerability

There is a recently discovered ‘super dangerous’ vulnerability in Java 7.

This vulnerability affects all Java 7 users; whether they run a version of Windows, or using a Mac, or an Opensource Linux operating system:

Macs at risk from ‘super dangerous’ Java zero-day – Computerworld:

Hackers are exploiting a zero-day vulnerability in Java 7, security experts said today.

The unpatched bug can be exploited through any browser running on any operating system, from Windows and Linux to OS X, that has Java installed, said Tod Beardsley, the engineering manager for Metasploit, the open-source penetration testing framework used by both legitimate researchers and criminal hackers.

I think the reason they have singled out Mac users in the article is that most Windows users if they have a recent version of Java installed will get upgrade notifications from Oracle’s Java. Where many Mac users until Lion had Java being updated (albeit late) by Apple. Now they are responsible to keep it updated on Lion IF they decide to install Java manually themselves. Lion and Mountain Lion do not come with Java installed by default. But if you do have it installed on your Mac:

Maynor said he was able to trigger the vulnerability with the Metasploit code in both Firefox 14 and Safari 6 on OS X 10.8, better known as Mountain Lion.

These exploits are mainly aimed at Windows users, but Macs are becoming more and more popular because overall they have less issues than Windows for viruses, etc.

But browser exploits are a bain for all computer users. And we have to keep our plugins updated to stay one step ahead.

If you are using Firefox, there is a page you can go to where you can check to see if your plugins can be checked to make sure you are up to date:

Firefox Check Plugins page

Interestingly that Check Plugins page also seems to work pretty well on Google Chrome’s browser as well. Just remember that if it tells you Flash is outdated, Google Chrome will be updating that for you on their next update.

Looks like I am off for a new Flash update… see ya next time.

Don’t lose your Internet on Monday – Use the DNSChanger check tool

Internet will vanish Monday for 300,000 infected computers – Computerworld

It’s not just consumer PCs and Macs — DNSChanger was equal-opportunity malware — that remain infected, but also corporate computers and systems at government agencies, said Tacoma, Wash.-based Internet Identity (IID), which has been monitoring cleanup efforts.

Last week, IID said that its scans showed 12% of Fortune 500 firms, or about one out of every eight, harbored DNSChanger-compromised computers or routers. And two out of 55 scanned U.S. government departments or agencies — or 3.6% — also had failed to scrub all their PCs and Macs.

According to the article, the numbers are down though, back in January, the numbers were still 50%!

Without the server substitutions, DNS Changer-infected systems would have been immediately severed from the Internet.

Yesterday, U.S. District Court Judge Denis Cote extended the deadline for shutting down the replacement servers by four months, from March 8 — this Thursday — to July 9, 2012.

Well, now the deadline is coming up again. Monday, July 9, 2012 they will be turning off the safe substitute go-between servers and anyone who still has DNS Changer-infected systems at that time, will be severed from the Internet on Monday.

Checking is pretty easy and generally will determine if you have a DNSChanger infected system. The DNSChanger Working Group (DCWG), a volunteer organization of security professionals and companies has provided a great way to do just that.

You can go directly to their site Detect Help Guide page with the DNSChanger Detect Tool pages:

http://www.dcwg.org/detect/

You will find lists of servers in various languages there and some information about their checker and what it does. One of the English servers available to provide the DNS Changer Check-Up are:

http://www.dns-ok.us/

You should get the following response if your computer does NOT have DNSChanger or other malware that changes your DNS Servers on your computer:

DNS Changer Check – DCWG – Source: Computerworld

In case it is too small to read, at the bottom of the DNS Resolution – GREEN image, it says the following:

Had your computer been infected with DNS changer malware you would have seen a red background. Please note, however, that if your ISP is redirecting DNS traffic for its customers you would have reached this site even though you are infected. For additional information regarding the DNS changer malware, please visit the FBI’s website at:
http://www.fbi.gov/news/stories/2011/november/malware_110911

BOLD emphasis mine.

DNSChanger check tool: Malware infection could cause internet loss Monday, FBI responds – WPTV.com

The WPTV.com article goes a step further and also lists some additional help locations for malware removers, etc.

If your computer is infected, click here to learn how to get rid of the infection: http://www.dcwg.org/fix

The following sites can also help you with free or low-cost products to check and fix your computer if it’s infected:

· Microsoft Safety Scanner – http://www.microsoft.com/security/scanner/en-us/default.aspx

· Kaspersky Labs TDSSKiller – http://support.kaspersky.com/faq/?qid=208283363

· McAfee Stinger – http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

· Hitman Pro (32bit & 64bit versions) – http://www.surfright.nl/en/products/

· Norton Power Eraser – http://security.symantec.com/nbrt/npe.aspx

· Trend Micro Housecall – http://housecall.trendmicro.com

· MacScan – http://macscan.securemac.com/

· Avira – http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199

If you are still concerned that you might lose Internet come Monday, you can use one of the above products to determine if you are infected with the DNSChanger or other malware.

Or just wait till Monday and see, and if you lose Internet, you can use one or more of the products, at that time, or call your computer specialist to help you remove it. With only a few hundred thousand computers still being infected, you could be infected, but chances are, you are not.

Also, without actually running one or more of the programs listed to determine if you are infected, and because the government’s substitute DNS Changer servers are currently in place until Monday, you may not be able to even tell if you are infected from the detect tool alone.

EDIT NOTE: It couldn’t hurt to have a copy of the downloadable antimalware programs and update/run them before Monday: such as McAfee Stinger or Kaspersky’s TDDSKiller just in case — BEFORE they turn off the substitute safe DNS servers. What’s the logic in that? If it turns out you are infected (albeit unlikely), you may not be able to get to the sites to get these antimalware tools later. Of course come Monday, any online tools listed, like Trend Micro’s Housecall and any other online tools would not be available if your computer turns out to be infected and loses Internet.

Adobe Flash Zero Day Bug Emergency Patch

Adobe patches new Flash zero-day bug with emergency update – Computerworld

Adobe today warned that hackers are exploiting a critical vulnerability in its popular Flash Player program, and issued an emergency update to patch the bug.

“There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message,” the Friday advisory said.

All editions of the Flash player are affected, but those abusing this vulnerability are targeting Internet Explorer with this current exploit and Adobe is giving it their Priority 1 status:

The update was pegged with Adobe’s priority rating of “1,” used to label patches for actively-exploited vulnerabilities or bugs that will likely be exploited. For such updates, Adobe recommends that customers install the new version within 72 hours.

In this case of course it’s already actively being exploited. So don’t wait! Don’t be a target, get your Adobe Flash Player update today!