Sophos

by

New, sneakier Flashback malware infects Macs

New, sneakier Flashback malware infects Macs – Computerworld

A new, sneakier variant of the Flashback malware was uncovered yesterday by the French security firm Intego.

Flashback.S, which Intego described Monday, uses the same Java vulnerability as an earlier version that has infected an estimated 820,000 Macs since its appearance and still plagues over 600,000 machines.

But unlike Flashback.K, the variant that first surfaced last month and has caused consternation among Mac users, Flashback.S never asks the victim to enter an administrative password for installation, but instead relies only on the silent exploit of the Java bug to sneak onto the system.

“The differences are very subtle,” Peter James, a spokesman for Intego, said in an interview Tuesday. “There’s no password request [by Flashback.S].”

Much more in the two page article.

Apple will likely need to update their seek and destroy tool very quickly to help users stay free of this new variant.

If you think you are beginning to need an antivirus/antimalware solution, there are quite a few out there. Below are just a few:


Sophos Anti-Virus for Mac Home Edition – Sophos has a worthy product out there and it is nice that they make their money on corporate/business computers and offer the home version for free.

ClamXav The Free Anti-Virus Solution for Mac OS X It uses the popular open source ClamAV engine as it’s back end and has the ability to detect both Windows and Mac threats.

There are other options as well for the Pay to Play crowd.

ESET Cybersecurity for Mac

And others from Intego Virus Barrier for Mac free and Pro versions available in the Mac App Store. Intego as noted above found this newest FlashBack in the wild). Other Mac antivirus firms Symantec/Norton, and many more.

Many of these come with a heavy CPU usage hit that is very annoying considering the small number of actual threats out there for the Mac. Of course some users may feel that the ones that provide real time protection are the way to go, some may feel it is worth it if their Macs are speedy enough and they have enough RAM.

For those who don’t think they need a Mac antivirus just yet, if you don’t use Java or none of your programs use Java, you could go to the ~/Applications/Utilities/Java Preferences.app and disable Java until you actually need it and then re-enable it as needed. It’s a very easy thing to do really.

Or you could set up AppleScript to monitor areas where malware might inject itself so it will alert you.

Monitor OS X LaunchAgents folders to help prevent malware attacks – CNET

Some additional locations to add can be found at MrAnderson.info here.

Also installing Piriform CCleaner for Mac is a great idea and can be run as needed very quickly every day even.

Certainly less of a system resource hit and one could still have a non-resident antivirus and scan at your convenience and respond if the Applescript tells you something is going on that you didn’t instigate by installing a program, etc.

The Applescript monitoring locations that you can set up is built with Mac OS X which is light on resources and free. The Applescript monitoring does a similar thing as WinPatrol does in Windows – but of course in a very small area comparatively. WinPatrol does so much more but the key similarity is the monitoring for changes to areas that malware can hit a Windows PC.

What we need for people who are not very savvy about these things is a MacPatrol app like WinPatrol.

Call Starkist

by

Certificate Authoritities, DigiNotar, GlobalSign, OSes, Browsers, Adobe, more

[tweetmeme source=”franscomputerservices” only_single=false]DigiNotar Breach Affected 531 Certificates (Tom’s Hardware):

The break-in in Certificate Authority (CA) DigiNotar back in July was much worse than previously thought.

A preliminary analysis of the incident now claims that there have been 531 fraudulent certificates. The hackers may have explored DigiNotar’s servers for the first time in early June and gained control on June 17. The company detected the hack on June 19, but failed to prevent the creation of the first rogue certificate on July 2. The hacker activity apparently ended on July 22.

As a Aryeh Goretsky stated at Scot’s Newsletter Forums noted so succinctly:

DigiNotar, a company which issues digital certificates used to establish cryptographically-secure connections to web sites, was hacked, and over 500 certificates were acquired for high-profile web sites. Amongst other things, this would allow someone* to monitor what would otherwise be secure, private connections to those sites. Passwords, emails, personally-identifiable information and other sensitive data could be viewed by someone* who would otherwise not be able to see that information.

*Such as a government, ISP, or government-owned ISP.

Aryeh, I couldn’t have said it better myself.

And highlighting the fact that it could be a government, ISP, or government-owned ISP is spot on to the concerns.

There was recently an article that suggested that this has already happened in Iran.

Hackers steal SSL certificates for CIA, MI6, Mossad (Computerworld):

Criminals acquired over 500 DigiNotar digital certificates; Mozilla and Google issue ‘death sentence’

Among the affected domains, said Markham, are those for the CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft’s Windows Update service.

Google has pointed fingers at Iran, saying that attacks using an ill-gotten certificate for google.com had targeted Iranian users.

Much more in this two page article where a link to Markham’s blog details more about this:

On Monday August 29th at 6.30pm BST Mozilla was informed by Google about a misissued certificate for *.google.com which was being used in active attacks on users in Iran. This certificate was chained to the root of the Dutch CA “DigiNotar”. Since that notification, I have been part of the Mozilla team working on our response.

The CNs concerned were as follows:

*.10million.org
*.balatarin.com
*.google.com
*.logmein.com
*.microsoft.com
*.mossad.gov.il
*.skype.com
*.torproject.org
*.walla.co.il
*.wordpress.com
addons.mozilla.org
azadegi.com
DigiCert Root CA
Equifax Root CA
friends.walla.co.il
login.yahoo.com
Thawte Root CA
twitter.com
VeriSign Root CA
wordpress.com
http://www.cia.gov
http://www.facebook.com
http://www.sis.gov.uk

So much more in Markham’s blog posting.

Delay in disclosing SSL theft put Iranian activists at risk, says researcher (Computerworld)

The delay in disclosing a theft of the digital certificates for some of the Web’s biggest sites, including Google, Skype, Microsoft and Yahoo, put Iranian activists’ lives at risk, a researcher argued Wednesday.

But I think EFF explains the issues best.

Iranian Man-in-the-Middle Attack Against Google Demonstrates Dangerous Weakness of Certificate Authorities (EFF)

What’s worse than finding a worm in your apple? Finding half a worm.

What’s worse than discovering that someone has launched a man-in-the-middle attack against Iranian Google users, silently intercepting everything from email to search results and possibly putting Iranian activists in danger? Discovering that this attack has been active for two months.

People all over the world use Google services for sensitive or private communications every day. Google enables encrypted connections to these services in order to protect users from spying by those who control the network, such as ISPs and governments. Today, the security of this encryption relies entirely on certificates issued by certificate authorities (CAs), which continue to prove vulnerable to attack. When an attacker obtains a fraudulent certificate, he can use it to eavesdrop on the traffic between a user and a website even while the user believes that the connection is secure.

The certificate authority system was created decades ago in an era when the biggest on-line security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals. Today Internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden.

This latest attack was reportedly caught by a user running the Google Chrome browser in Iran who noticed a warning produced by the “public key pinning” feature which Google introduced in May of this year. Basically, Google hard-coded the fingerprints for its own sites’ encryption keys into Chrome, and told the browser to simply ignore contrary information from certificate authorities. That meant that even if an attacker got a hold of a fake certificate for a Google site—as this attacker did—newer versions of the Chrome browser would not be fooled.

Certificate authorities have been caught issuing fraudulent certificates in at least half a dozen high-profile cases in the past two years and EFF has voiced concerns that the problem may be even more widespread. But this is the first time that a fake certificate is known to have been successfully used in the wild. Even worse, the certificate in this attack was issued on July 10th 2011, almost two months ago, and may well have been used to spy on an unknown number of Internet users in Iran from the moment of its issuance until it was revoked earlier today. To be effective, fraudulent certificates do not need to have been issued by the same authority that issued the legitimate certificates. For example, the certificate in question here was issued by a Dutch certificate authority with which Google had no business relationship at all; that didn’t make it any less acceptable to web browsers.

Much more in the article…

This problem is not only related to issues of privacy related to people who’s lives would be in danger, but also, victims of malware purveyors as well.

Cryptographic keys for SSL sites are only as good as the honesty of the holder and issuer of those keys, as well as the honesty and security diligence of the issuer, in this case DigiNotar.

They would like us to think that SSL is extremely safe, but it’s not as safe as those who issue them would like us to believe either. Anyone with money can purchase a SSL certificate, and there have been malware purveyors that have also bought them so folks would ‘feel’ secure. If you see the lock, you think, “Safe”. That’s what they want you to think.

However, just like anyone can purchase what is considered a ‘legitimate’ SSL certificate, good, bad or indifferent, there are worse things.

‘Legitimate’ SSL certificates can be created by site owners as well, good, bad, or indifferent.

The companies that sell SSL certificates and browser makers put out root certificates for their browers and show green or gold with the lock for those obtained by big name sellers of these certificates. So if you are legitimate site owner who creates their own to save money, you are automatically assumed to be ‘not legitimate’ by browsers and it shows as red/dangerous to users.

I don’t see what the solution is, but it really doesn’t matter whether you make your own, or if you buy one, you are still playing craps with SSL certificates in many ways these days.

As Corrine noted in the same topic at Scot’s Newsletter Forums:

Microsoft Security Advisory 2607712 has been updated to revoke the trust of the DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store.

The update is available via Automatic Update and applies to all supported releases of Microsoft Windows, including Windows XP, Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.

Within short order, Mozilla sent out updates to their products including Firefox, Thunderbird, et. revoking the certificates.

Opera has done the same thing yesterday, disabling the root store for DigiNotar.

Because Apple was slow to act, one researcher (thanks Corrine) rapped Apple for not blocking the stolen SSL certificates, and various places on the Internet were trying to help Mac users to take care of disabling and removing the DigiNotar certificates from the KeyChain so Safari and other browsers would be safer online on the Mac. Since then, Apple released an update to revoke DigiNotar from their trusted list:

If you are running an older Mac you can still protect yourself, but you will need to do it manually. You can follow the excellent instructions posted over at the ps | Enable blog.

And most recently, Adobe has posted instructions on how to remove DigiNotar from the Adobe Approved Trust List (AATL) for Adobe Reader.

And here we go again (thanks zlim)…

GlobalSign Stops Issuing Digital Certificates After Hack (PCWorld)

Second firms stops issuing digital certificates (CNET)

How many more will have fallen before it’s all said and done? I am beginning to wonder if we wouldn’t be better off just generating our own SSL certificates, it would likely be as safe as this fiasco has become…

by

We love you Facebook but privacy and security are important

[tweetmeme source=”franscomputerservices” only_single=false]UPDATED 5/22/2010*, 5/23/2010**: EDIT: Added additional links

Yes, most of us do love our Facebook, or at least we enjoy the feature set and keeping in easy contact with our friends and family, but some of us feel that it is not worth the expense of our privacy and security and potential malware infections due to rogue apps on our own or others’ accounts. But Facebook privacy concerns are heating up. Or the risks from other sites getting at our data:

New security hole in Facebook through Yelp (here on our blog last week, apparently fixed now), or having our chats exposed to people other than those we are talking to, even if they are our friends.

So, you think Facebook is safe? Hmmm. Really?

* Hackers can delete Facebook friends, thanks to flaw (By Robert McMillan at ITWorld May 21, 2010):

A bug in Facebook’s Web site lets hackers delete Facebook friends without permission.

The flaw was reported Wednesday by Steven Abbagnaro, a student at Marist College in Poughkeepsie, New York. But as of Friday morning, Pacific time, it had still not been patched, based on tests conducted by the IDG News Service on a reporter’s Facebook friends list.

* Fake joke worm wriggles through Facebook (By John Leydon at The Register May 21, 2010)

Shifty sorts have created a new worm which spread rapidly on Facebook on Friday.

The malware, for now at least, does nothing more malicious than posting a message on an infected user’s Facebook wall that point to a site called fbhole.com. Nonetheless, the speed of its spread on the social networking site has net security experts worried.

* Facebook Fixing Embarrassing Privacy Bug (by Robert McMillan at NYTimes on May 19, 2010):

Facebook is fixing a Web programming bug that could have allowed hackers to alter profile pages or make restricted information public.

Facebook Violates Privacy Promises, Leaks User Info to Advertisers (by Tim Jones at Electronic Frontier Foundation May 21, 2010):

A Wall Street Journal article today draws attention to yet another unexpected way in which Facebook’s privacy practices have not complied with its public statements and have disregarded users’ privacy rights. Just last week, when asked about Facebook’s privacy practices with advertisers, Facebook executive Elliot Schrage wrote:

We don’t share your information with advertisers. Our targeting is anonymous. We don’t identify or share names. Period.

As the Wall Street Journal report shows, this was not true. In fact, Facebook’s architecture at the time allowed advertisers to see detailed personal information about some Facebook users.

Much more in the article! Must read.

** Facebook privacy: Zuckerberg overruled? (By Richi Jennings at Computerworld IT Blogwatch May 19, 2010)

** Facebook Leaks Usernames, User IDs, and Personal Details to Advertisers (By privacy advocate Ben Edelman at BenEdelman.org on May 20, 2010):

Browse Facebook, and you wouldn’t expect Facebook’s advertisers to learn who you are. After all, Facebook’s privacy policy and blog posts promise not to share user data with advertisers except when users grant specific permission. For example, on April 6, 2010 Facebook’s Barry Schnitt promised: “We don’t share your information with advertisers unless you tell us to (e.g. to get a sample, hear more, or enter a contest). Any assertion to the contrary is false. Period.”

My findings are exactly the contrary: Merely clicking an advertiser’s ad reveals to the advertiser the user’s Facebook username or user ID. With default privacy settings, the advertiser can then see almost all of a user’s activity on Facebook, including name, photos, friends, and more.

In this article, I show examples of Facebook’s data leaks. I compare these leaks to Facebook’s privacy promises, and I point out that Facebook has been on notice of this problem for at least eight months. I conclude with specific suggestions for Facebook to fix this problem and prevent its reoccurrence.

The sexiest video ever? Facebook users hit by Candid Camera Prank attack (Graham Cluley’s Sophos Blog)

MASSIVE FACEBOOK ATTACK OVER THE WEEKEND (posted May 17, 2010 by Roger Thompson, AVG Blogs)

Facebook CEO’s latest woe: accusations of securities fraud (VentureBeat posted May 19, 2010 by Owen Thomas)

I sure hope that the BBC report is correct, “Facebook looks likely to cave into pressure from users and simplify its privacy settings in the near future.” But other places are saying Facebook is just simplifying the existing privacy settings.

I don’t think there are many people who have experienced Facebook that don’t love most of the features on Facebook–at least the ones that help you keep in contact with your friends and family, and share (on the Facebook site) your photos, videos, links to articles of interest, chatting, direct messaging, posting between yours and your friends/family members walls, sharing in holidays, or fun, happy, sad conversations, and more. But, Facebook is wrong about privacy – it really is still very important. It is important and for more reasons than many may think. Even the Wall Street Journal has acknowledged that Facebook, MySpace and other social networking sites are having to confront the privacy loophole.

But, when the trust that Facebook used to get people to sign up in the first place (a trust that your privacy is important to Facebook and will be protected by default – unlike MySpace, et al) is breached by that very same service, then there is a problem.

If you don’t remember the early days of Facebook, many of us do. Facebook did made claims that they would protect our privacy by default, that our privacy was important to Facebook. Zuckerberg made these ‘claims’ when they were trying to woo millions of MySpace’s users over to Facebook in Facebook’s early days. It worked too.

Privacy by default. What is that exactly? When Facebook started out and pushing to try to gain membership, and about the time that MySpace went through a huge privacy fiasco because new users had to immediately change their privacy settings if they didn’t want the whole world to see all their information (it was all public by default on MySpace). And many users, just like many new users at Facebook, didn’t know to change their settings, or even think about it. Many users were just not that savvy to know why it was even important to share only some information with the world/public. Or even understand why that might be a prudent move. But due to the marketing used by Facebook, people started to understand that privacy was important and they wanted their friends and family to be in a ‘safer’ environment. A place where they could connect and share with each other without concern that their data would be made public. After all, Mark Zuckerberg said he did care about our privacy (unlike the other guys).

Then after Facebook gets all these users, and gets them used to the convenience and ‘hooked’ on the service, THEN Facebook just seems to keep changing the rules — little by little — chipping away at the privacy and security standards that got them all the users in the first place. Not long after I finally joined Facebook, they went through this pretty big, and I actually deactivated my account at that time too. When Facebook changed their tune, I came back. Now they are doing it again, and even though I really enjoyed the service, I felt the need to again deactivate my account.

So, tell me, why would Facebook be surprised when users get up in arms about all these changes, especially in light of other security problems and vulnerabilities within their newest ‘features’ as well as their existing features? One group has even created a Facebook Group entitled, “1,000,000 Strong to leave Facebook by July 4 unless FB respects our privacy is on Facebook” (See there can be appropriate public facing things on Facebook). And EFF’s various articles enlightening folks about the changes and affects of those changes and how you can mitigate them, at least most of the problems.

Features are a great thing except when the service starts to change your privacy settings for you, and they don’t bother to tell you about it until after they have done it. That is a real problem of trust, because, if even for a short time, your data is left to the search engine spiders to start indexing data that shouldn’t have been made ‘public’ in the first place without user permission.

So, then users start complaining, and getting no satisfaction from the service because the changes they made will make them a ton of money, so some users start deactivating their accounts — many users are upset with Facebook, and for good reason. A basic trust was broken and it wasn’t by the users.

But privacy issues are not the only issues. There are also other security issues as well; vulnerabilities and more vulnerabilities. And only God knows how many more vulnerabilities are known by the bad guys that expose users’ data that are not yet known to the good guys.

I had already checked and reset all my privacy settings multiple times since December 2009 when this fiasco starting getting into high gear, even before the now known vulnerabilities that still put users at risk made me say, ‘enough is enough’. I still struggled with the decision before I decided I could put it off no longer. Even the benefits for business, family and friends wasn’t worth security risks not only directly but indirectly by friends who might get hit with these vulnerabilities, or the potential for unwise decisions about their accounts where their data might overlap with mine.

It is not an easy thing to make a decision to deactivate, or go through the hoops (or even find a link to get information) on deleting your Facebook account. Especially when you enjoy the service. And the service really is a good service, if not for the bad decisions about security and privacy have caused, and of course there are those related vulnerabilities. Sure they fix the vulnerabilities when they are made public, but how long was your data, your information, exposed through these vulnerabilities before it was brought to light?

The Consumerist actually did an article on deleting your Facebook account since it’s not easy to find. It’s entitled, “Delete Your Facebook Account Forever” by Ben Popken (April 20, 2010).

And if you think they will figure out all the vulnerabilities and then it will be safe, think again. Facebook is 440 Million strong and growing. Just like the huge bullseye target on Microsoft’s Windows’ back, Facebook is the biggest target in Social Networking. Too big for the bad guys to let it alone. It’s a treasure trove of information (and not just aggregate information like Facebook sells, oh, no, this is the actual connections, the actual information linked to individual people that’s at risk). Between the vulnerabilities, as well as some decisions by users regarding Friends, their choices of third party Facebook apps, and their privacy settings, this could become a real nightmare, very quickly, and for some it already has.

Have you ever thought how much information about you is actually public on Facebook? Or even on the Internet in general? What about your family and friend connections, or business connections? What about your choices regarding purchases, what you like or dislike? Do you want them made public? And Facebook has much of that information in one place just ripe for the picking. And who would want to pick that information? Even in aggregate form it is very valuable data, but to bad guys, it is fodder for social engineering, phishing attempts in email, potential ways to get malware on your system by presenting it as though it is from people you are friends with, and so much more.

It’s an especially hard decision when you have gotten used to keeping in contact with friends and family through one particular service via browsers and mobile devices. And it really is great to have a place where your family pictures (your children and grandchildren, travel/trips, conversations between many friends and family, and so much more), are right at your fingertips and can be posted, responded to, and still be safe from the prying eyes of the general public. At least that’s how it was, or at least we thought it was.

Of course, Facebook makes it even more difficult to make the choice to deactivate or delete your account. When you choose to deactivate, which by the way, doesn’t actually delete your data (in case you want to come back), Facebook tries to use emotional blackmail, err, pressure to try to keep you from deactivating your account. As you are trying to deactivate, they show you some pictures of your ‘friends’ and talk about how you won’t be able to contact your friends and family anymore, or your friends and family won’t be able to contact you anymore. As if Facebook is the ONLY way to contact your friends and family?! It might make it easier, but it’s not the ONLY way to keep in contact with your friends and family.

Also, note that Facebook doesn’t allow you to delete your own account on your own — you have to actually contact them directly to ask them to delete your account — as if you were an errant child who couldn’t be trusted to do this on your own?! Even MySpace and other social networking sites let you delete your own account!

Oh, no. This is not about whether you would be able to delete your account, this is about another attempt to coerce you to stay with Facebook. Besides they don’t actually delete your data, oh, no. They still make use of that data in aggregate form, it’s just not linked by your name supposedly, after your account is deleted:

How Companies Are Using Your Social Media Data (by Leah Betancourt at Mashable)

Facebook Data Mining: Not Just for Advertisers Anymore (SCI Social Capital Inc.)

More on Facebook, Privacy & Data Mining (by Greg Sterling at ScreenWerk)

data-extraction-facebook (Google Code website)

End of Year Data: Facebook Currently Leads (Data Mining: Text Mining, Visualization and Social Media)

Facebook Data Reveal Secrets of American Culture (by Matt Safford at LiveScience)

Microsoft Inks Twitter, Facebook Data Mining Deal (by Jennifer Martinez at GIGAOM October 21, 2010)

The Man Who Looked Into Facebook’s Soul (by Marshall Kirkpatrick at ReadWriteWeb February 8, 2010)

Even though it has been stated that at least 60% of users are upset and are actually considering one of these options (deactivation or deletion of their account), with over 400 million active users worldwide and over $300USD million in annual revenue (estimated in 2008) and ranked #2 site on the Internet in May 2010 according to Alexa, does Facebook even care? Have we just become so much advertising and data mining fodder that translate to hundreds of Millions of dollars annually (Billions over time) for Mark Zuckerberg and company? Is that what it was all about from the beginning? If some articles are to be believed, Mark Zuckerberg may have played a good game when he told us he was concerned about our privacy right from the beginning.

And we even have some who think that malware and hacking haven’t caught up with it all on Facebook … yet. But I think we have determined that this is not really the case.

So, even with all that, maybe you still feel it’s safe to continue to with Facebook, what next? There are some very good places to study up on how to make yourself as safe as possible, and understand the account and privacy settings, and their implications, and how they interact with each other and with your friends and the public. Things like ReclaimPrivacy and others are cropping up to help folks deal with their Facebook privacy that is so complex. Who knows if this will be squashed by Facebook, but it could help out right now to help get your settings set.

WindowsSecret’s Complimentary portion of their Newsletter has an excellent article by Scott Mace called, “Tighten your Facebook privacy settings” with a great outline of the various areas and some great thoughts on how to keep yourself as safe as you can be on Facebook.


Facebook Security | Facebook Privacy | Best Practices at Sophos (be sure to read through all the pages listed on the right side – like WindowsSecrets, Sophos goes through all the different facets of Facebook)

Fast Company also has an article to help called, “Online Privacy: Check Yourself Before You Wreck Yourself

It’s your life, it’s your data, it’s your choice…what will you do?

UPDATED 5/22/2010*, 5/23/2010**: EDIT: Added additional links

by

Race Conditions aka TOCTOU and now KHOBE

[tweetmeme source=”franscomputerservices” only_single=false]There is a ‘supposedly new’ threat on the horizon for Windows XP users, and more so on multi-core systems called KHOBE (Kernel HOok Bypassing Engine).

Although this is a threat, it is not a new threat — in fact, this type of thing has been a threat to computing since 1998 when it was written about in PDF format: RaceConditions.pdf, and in 1996 in this PDF: racecond.pdf and many times since then in articles online about TOCTOU (noted below in this posting).

It definitely sounds pretty bad when it is reported that this ‘new’ KHOBE can bypass EVERY Windows security product in an article by the respected Adrian Kingsley-Hughes at ZDNet Blogs and as reported and tested by MATOUSEC here. And it certainly isn’t a non-issue…

However, let’s look at this objectively. First this is not the first, last or only situation that has or will arise. Race Conditions as noted above have been created by TOCTOU (Time of check to time of use) situations since the dawn of computing and yes, they are not easy to test for in all situations/hardware prior to release of software/Operating Systems, but these types of conditions have been a potential threat for a very long time in all kinds of software.

A time-of-check-to-time-of-use bug (TOCTTOU − pronounced “TOCK too”) is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition.

Before Windows was capable of true multi-tasking/multi-threading, it was possible to create these conditions on UNIX machines as noted in this 2001 article at InformationWorld.

So, why the fuss now? Windows 7 is basically claimed to be immune — by its omission in the ‘affected Windows Operating Systems’ list. Apparently only Windows XP (ONLY about 60% of Windows users –eeek! — per Adrian Kingsley-Hughes article above), or earlier Windows OSes are affected and in this particular case, and then only by security software that use the KHOBE (Kernel HOok Bypassing Engine).

Graham Cluely at his Sophos Blog notes,

Because KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec describes is a way of “doing something extra” if the bad guys’ malicious code manages to get past your anti-virus software in the first place.

In other words, KHOBE is only an issue if anti-virus products such as Sophos (and many others) miss the malware. And that’s one of the reasons, of course, why we – and to their credit other vendors – offer a layered approach using a variety of protection technologies.

In addition, Paul Ducklin’s Sophos blog notes,

The security panic of the week is the widely-reported story of a “vulnerability” called KHOBE. One news headline goes so far as to announce that this “new attack bypasses virtually all AV protection”.

I disagree.

The sample “attack”, which claims to be an 8.0 earthquake for desktop security software, describes a way in which the tamper protection implemented by some anti-malware products might potentially be bypassed. Assuming you can get your malicious code past the anti-malware product in the first place, of course.

Much more in his blog entry. All of these links are must read if you wish to understand as much as is possible what the real threat is.

So, given all this, is the game over on security software because this is now disclosed to be possible (READ: it was always possible) — at least till they figure out how to prevent Race Conditions in security software?

Hardly. But due to the release of the information, this situation may make life interesting security-wise for Windows XP users (earlier Windows OSes like Win2K, Win98, WinME, WinNT shouldn’t even be on the net at this point for many reasons, the least of which is this situation).

So, if you are a Windows user what can you do in the meantime?

  • Keep your systems up to date
  • Make sure you have a hardware NAT or SPI Firewall/Router on your local network, and a software firewall in place and working properly and updated (if it’s a third party firewall – Windows Firewall is updated with your Windows Updates)
  • Keep your browsers up to date
  • Keep your browser plugins (Adobe products, Apple products, Java, etc.) and extensions (like Firefox’s AdBlock Plus, etc.) up to date
  • Keep all Internet facing programs (Adobe, Microsoft, etc.) up to date
  • Run your CCleaner (or other Temporary Files/Temporary Internet Files cleaner program) frequently (I actually run mine several times a day) – Fully close any browsers before running your ‘cleaner’ and then re-open it as needed after you run the ‘cleaner’
  • Make sure your antivirus software is updating as it should and doing its scheduled scans
  • Update and Run any cleaner software and secondary anti-malware programs (like Malwarebytes Anti-malware) at least once a week or more often and immediately if something seems odd on your computer
  • Don’t open suspicious emails, even from known senders
  • Be careful where you go on the Internet. Even some legitimate sites have been hacked
  • Be careful about links and friends on Facebook (if you haven’t deactivated your account yet), Twitter, LinkedIn, and other Web 2.0/dynamic Social Networking sites.

In short, do what you should always be doing to keep yourself safe. Because this isn’t over. It was always a possibility whether we were aware or not, and it will likely be a possibility for a long time to come.

You might also consider installing a preventative program like BillP’s WinPatrol on your system to make you aware of potential changes to your system. *See EDIT below for a note from BillP about WinPatrol and kernel hooks.

And as I noted earlier, the focus of this issue, at this time, is apparently Windows XP, but any operating system is vulnerable to this type of attack and always has been — and that is not likely going to change any time soon.

EDIT: Added the following comment from BillP who developed WinPatrol:

* Thanks! I’m honored by the mention.
It’s a great topic and mentioning WinPatrol is appropriate since I don’t use any kernel hooking to detect changes. Thumbs Up!

Bill