Microsoft Security Advisory (2798897)

Microsoft Security Advisory (2798897)

This is a security advisory about fraudulent certificates that need to be revoked!

As Security Garden wrote here:

Microsoft released Security Advisory 2798897 to provide notification regarding a a fraudulent digital certificate issued by TURKTRUST Inc.

TURKTRUST Inc. incorrectly created two subsidiary Certificate Authorities: (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was used to issue a fraudulent digital certificate to *.google.com.

The Certificate Trust list update is available through Windows Updates.

Be sure to apply any Windows Updates that are waiting (showing in the lower right corner in the system tray) to be installed and/or check for Windows Updates manually to be sure you have the update!

This is an important update since fraudulent digital certificates can make spoofing attacks possible.

More information at KrebsOnSecurity here:

Google and Microsoft today began warning users about active phishing attacks against Google’s online properties. The two companies said the attacks resulted from a fraudulent digital certificate that was mistakenly issued by a Turkish domain registrar.

In a blog post published today, Google said that on Dec. 24, 2012, its Chrome Web browser detected and blocked an unauthorized digital certificate for the “*.google.com” domain.

More info from WOT and Firefox and Chrome:

Google blocked both certificates in Chrome on December 26. It now plans to no longer display “Extended Validation” status in Chrome for any certificate issued by TurkTrust. It’s debating whether to also block any connection to HTTPS sites validated by the CA.

Mozilla announced that it too was revoking trust for the two problem certificates in a Firefox update landing next Tuesday. TurkTrust’s root certificate is also being excluded from Firefox for the time being. Microsoft is doing the same, as are other browser vendors.

I would imagine that Apple will be also releasing an update to their Digital Certificate list if this is a universal issue.

Advertisements

Microsoft issues Fix It for IE vulnerability

Microsoft issues Fix It for IE vulnerability

According to this Computerworld article and Security Garden Blog:

Microsoft has released a quick fix for a vulnerability in older versions of its Internet Explorer browser that is actively being used by attackers to take over computers.

Microsoft Fix it

Microsoft Fix it

Fix it for Security Advisory 2794220 now available – Microsoft TechNet Blog

We have updated Security Advisory 2749920 to include the Fix it we discussed in Saturday’s blog post.  This easy, one-click Fix it is available to everyone and prevents the vulnerability from being used for code execution without affecting your ability to browse the Web. Additionally, applying the Fix it does not require a reboot. While we have still observed only a few attempts to exploit this issue, we encourage all customers to apply this Fix it to help protect their systems.

BOLD emphasis mine.

Even if you use another browser, this Fix it should still be applied.

Oracle to stop patching Java 6 in February 2013

Oracle to stop patching Java 6 in February 2013 – Computerworld

The article notes that of course this will be a hardship for Mac OS X Snow Leopard users and for users of earlier versions of OS X, but that is not as far as this rabbit hole goes. Very good article. Well worth a read.

That will leave a significant portion of Mac users without the means to run an up-to-date Java next year. According to Web metrics company Net Applications, approximately 41% of all Macs still run versions of OS X older than Lion.

Apple will presumably issue the final OS X patches for Java 6 in February alongside Oracle’s update.

It will also be hard on businesses, and even government agencies and departments, that will now be forced to work over their Java based programs to make sure they will still work with the current versions of Java 7.

That also means that Oracle themselves will have to update their Forms and Reports (or maybe these are things built by the companies using them too), to work with Java 7 so companies and some government agencies and departments can allow vendors that provide service and products to them. Currently, many of them must make use of Oracle Forms and Reports built on Java 6 from a special site like the MyInvoice subdomain that the government military still uses. That site requires a later version of Java 6 even now. This puts them and their vendors at risk by requiring an old Java on their systems in order to even work with them.

And what about the medical community. I have seen them falling down on the job as well on keeping up with the version of Java that physicians must use on their computers in order to read X-Rays remotely from home or on the road.

The article further is concerned about even upgrading to Java 7:

On Tuesday, Polish researcher Adam Gowdiak, who reported scores of Java vulnerabilities to Oracle this year, told the IDG News Service, “Our research proved that Java 7 was far more insecure than its predecessor version. We are not surprised that corporations are resistant when it comes to the upgrade to Java 7.”

Now that is sad news indeed. There are many sites that make use of Java and with good reason! Even Android is based on Linux — C,C++ and Java. As are many embedded systems, phones, and many electronic devices around the home.

Oracle needs to fix this problem and their Java. If they are going to be the owner of Java, they need to do better with the Java programming language that companies are not concerned about moving to their Java 7! So many programming eco systems out there depend on Java.

They inherited Java and the huge eco systems that depend on them, and base of users when they bought out Sun Microsystems. They can’t make swiss cheese with a door and think people will be be fine with this. Even things like OpenOffice.org and LibreOffice depend on Java — thankfully the current Java, but even that is according to this article, problematic. And what about all the embedded devices that depend on Java? When you install Java and are waiting for it to install, Oracle proudly talks about the billions of devices, that run Java. Oracle’s Java.com About page proudly states:

To date, the Java platform has attracted more than 9 million software developers. It’s used in every major industry segment and has a presence in a wide range of devices, computers, and networks.

Java technology’s versatility, efficiency, platform portability, and security make it the ideal technology for network computing. From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!

  • 1.1 billion desktops run Java
  • 930 million Java Runtime Environment downloads each year
  • 3 billion mobile phones run Java
  • 31 times more Java phones ship every year than Apple and Android combined
  • 100% of all Blu-ray players run Java
  • 1.4 billion Java Cards are manufactured each year
  • Java powers set-top boxes, printers, Web cams, games, car navigation systems, lottery terminals, medical devices, parking payment stations, and more.

To see places of Java in Action in your daily life, explore java.com.

The bold on the bullet list above is mine.

Oracle really needs to wake up now before they totally destroy the great reputation that Sun Microsystems had when they conceived and built so much with Java. And all for nothing!

Trust is a terrible thing to waste.

 

 

Java flaws already included in Blackhole exploit kit within 12 hours

Java flaws already included in Blackhole exploit kit, Oracle was informed of vulnerabilities in April – Sophos Naked Security

It took less than 12 hours from the time the proof of concept for the latest Java zero-day vulnerabilities went public for exploits of those vulnerabilities to be included in a commercial crimeware kit.

Brian Krebs was first to mention having heard that CVE 2012-4681 was being added to the Blackhole exploit kit, and SophosLabs confirmed seeing it in the wild a few hours later.

And this about Macs in particular:

Some have asked if Mac users are at risk from the CVE 2012-4681 exploit and the answer is “Maybe.” The version officially distributed by Apple is Java 6, which is not vulnerable.

Interesting that an older version is not vulnerable to this particular zero day exploit. But if users of Lion and Mountain Lion have installed Java 7 directly from  Oracle’s Java.com site (which is the only way to even get Java on Lion and Mountain Lion), then they are vulnerable.

And of course, Windows and Linux/UNIX/BSD are all vulnerable as well if Java 7 has been installed.

Soon Twitter users were tweeting that Mac users were being attacked, but that the malware apparently on the blackhole server is serving Windows malware. Gives Mac users a reprieve to get their Java updated … if they installed it at all.

What is really sad is that Oracle was made aware of this vulnerability back in April and didn’t fix it in a timely manner.

Thankfully Firefox and Google Chrome will disable or at least not automatically run Java if it’s outdated. Other browsers (Internet Explorer, Opera, etc.) should be doing the same thing.

Java 7 ‘super dangerous’ vulnerability

There is a recently discovered ‘super dangerous’ vulnerability in Java 7.

This vulnerability affects all Java 7 users; whether they run a version of Windows, or using a Mac, or an Opensource Linux operating system:

Macs at risk from ‘super dangerous’ Java zero-day – Computerworld:

Hackers are exploiting a zero-day vulnerability in Java 7, security experts said today.

The unpatched bug can be exploited through any browser running on any operating system, from Windows and Linux to OS X, that has Java installed, said Tod Beardsley, the engineering manager for Metasploit, the open-source penetration testing framework used by both legitimate researchers and criminal hackers.

I think the reason they have singled out Mac users in the article is that most Windows users if they have a recent version of Java installed will get upgrade notifications from Oracle’s Java. Where many Mac users until Lion had Java being updated (albeit late) by Apple. Now they are responsible to keep it updated on Lion IF they decide to install Java manually themselves. Lion and Mountain Lion do not come with Java installed by default. But if you do have it installed on your Mac:

Maynor said he was able to trigger the vulnerability with the Metasploit code in both Firefox 14 and Safari 6 on OS X 10.8, better known as Mountain Lion.

These exploits are mainly aimed at Windows users, but Macs are becoming more and more popular because overall they have less issues than Windows for viruses, etc.

But browser exploits are a bain for all computer users. And we have to keep our plugins updated to stay one step ahead.

If you are using Firefox, there is a page you can go to where you can check to see if your plugins can be checked to make sure you are up to date:

Firefox Check Plugins page

Interestingly that Check Plugins page also seems to work pretty well on Google Chrome’s browser as well. Just remember that if it tells you Flash is outdated, Google Chrome will be updating that for you on their next update.

Looks like I am off for a new Flash update… see ya next time.

Don’t lose your Internet on Monday – Use the DNSChanger check tool

Internet will vanish Monday for 300,000 infected computers – Computerworld

It’s not just consumer PCs and Macs — DNSChanger was equal-opportunity malware — that remain infected, but also corporate computers and systems at government agencies, said Tacoma, Wash.-based Internet Identity (IID), which has been monitoring cleanup efforts.

Last week, IID said that its scans showed 12% of Fortune 500 firms, or about one out of every eight, harbored DNSChanger-compromised computers or routers. And two out of 55 scanned U.S. government departments or agencies — or 3.6% — also had failed to scrub all their PCs and Macs.

According to the article, the numbers are down though, back in January, the numbers were still 50%!

Without the server substitutions, DNS Changer-infected systems would have been immediately severed from the Internet.

Yesterday, U.S. District Court Judge Denis Cote extended the deadline for shutting down the replacement servers by four months, from March 8 — this Thursday — to July 9, 2012.

Well, now the deadline is coming up again. Monday, July 9, 2012 they will be turning off the safe substitute go-between servers and anyone who still has DNS Changer-infected systems at that time, will be severed from the Internet on Monday.

Checking is pretty easy and generally will determine if you have a DNSChanger infected system. The DNSChanger Working Group (DCWG), a volunteer organization of security professionals and companies has provided a great way to do just that.

You can go directly to their site Detect Help Guide page with the DNSChanger Detect Tool pages:

http://www.dcwg.org/detect/

You will find lists of servers in various languages there and some information about their checker and what it does. One of the English servers available to provide the DNS Changer Check-Up are:

http://www.dns-ok.us/

You should get the following response if your computer does NOT have DNSChanger or other malware that changes your DNS Servers on your computer:

DNS Changer Check - DCWG - Source: Computerworld

DNS Changer Check – DCWG – Source: Computerworld

In case it is too small to read, at the bottom of the DNS Resolution – GREEN image, it says the following:

Had your computer been infected with DNS changer malware you would have seen a red background. Please note, however, that if your ISP is redirecting DNS traffic for its customers you would have reached this site even though you are infected. For additional information regarding the DNS changer malware, please visit the FBI’s website at:
http://www.fbi.gov/news/stories/2011/november/malware_110911

BOLD emphasis mine.

DNSChanger check tool: Malware infection could cause internet loss Monday, FBI responds – WPTV.com

The WPTV.com article goes a step further and also lists some additional help locations for malware removers, etc.

If your computer is infected, click here to learn how to get rid of the infection: http://www.dcwg.org/fix

The following sites can also help you with free or low-cost products to check and fix your computer if it’s infected:

· Microsoft Safety Scanner – http://www.microsoft.com/security/scanner/en-us/default.aspx

· Kaspersky Labs TDSSKiller – http://support.kaspersky.com/faq/?qid=208283363

· McAfee Stinger – http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

· Hitman Pro (32bit & 64bit versions) – http://www.surfright.nl/en/products/

· Norton Power Eraser – http://security.symantec.com/nbrt/npe.aspx

· Trend Micro Housecall – http://housecall.trendmicro.com

· MacScan – http://macscan.securemac.com/

· Avira – http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199

If you are still concerned that you might lose Internet come Monday, you can use one of the above products to determine if you are infected with the DNSChanger or other malware.

Or just wait till Monday and see, and if you lose Internet, you can use one or more of the products, at that time, or call your computer specialist to help you remove it. With only a few hundred thousand computers still being infected, you could be infected, but chances are, you are not.

Also, without actually running one or more of the programs listed to determine if you are infected, and because the government’s substitute DNS Changer servers are currently in place until Monday, you may not be able to even tell if you are infected from the detect tool alone.

EDIT NOTE: It couldn’t hurt to have a copy of the downloadable antimalware programs and update/run them before Monday: such as McAfee Stinger or Kaspersky’s TDDSKiller just in case — BEFORE they turn off the substitute safe DNS servers. What’s the logic in that? If it turns out you are infected (albeit unlikely), you may not be able to get to the sites to get these antimalware tools later. Of course come Monday, any online tools listed, like Trend Micro’s Housecall and any other online tools would not be available if your computer turns out to be infected and loses Internet.

Adobe Flash Zero Day Bug Emergency Patch

Adobe patches new Flash zero-day bug with emergency update – Computerworld

Adobe today warned that hackers are exploiting a critical vulnerability in its popular Flash Player program, and issued an emergency update to patch the bug.

“There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message,” the Friday advisory said.

All editions of the Flash player are affected, but those abusing this vulnerability are targeting Internet Explorer with this current exploit and Adobe is giving it their Priority 1 status:

The update was pegged with Adobe’s priority rating of “1,” used to label patches for actively-exploited vulnerabilities or bugs that will likely be exploited. For such updates, Adobe recommends that customers install the new version within 72 hours.

In this case of course it’s already actively being exploited. So don’t wait! Don’t be a target, get your Adobe Flash Player update today!