More from: Security Fixes

STOP USING NORTON!

In fact sop using all AV, it’s best to just stick with Windows built in free security. You are just as secure, it doesn’t hog resources, and at least you are not paying for the privilege of software that makes you totally vulnerable to comically easy to perform attacks that can take over your computer. This is just the latest and worst example of incredibly sever security holes found in security software.

http://arstechnica.com/security/2016/06/25-symantec-products-open-to-wormable-attack-by-unopened-e-mail-or-links

Much of the product line from security firm Symantec contains a raft of vulnerabilities that expose millions of consumers, small businesses, and large organizations to self-replicating attacks that take complete control of their computers, a researcher warned Tuesday.

“These vulnerabilities are as bad as it gets,” Tavis Ormandy, a researcher with Google’s Project Zero,wrote in a blog post. “They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”

The post was published shortly after Symantec issued its own advisory, which listed 17 Symantec enterprise products and eight Norton consumer and small business products being affected. Ormandy warned that the vulnerability is unusually easy to exploit, allowing the exploits to spread virally from machine to machine over a targeted network, or potentially over the Internet at large. Ormandy continued:

Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in anyway. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.

An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.

The flaws reside in the engine the products use to reverse the compression tools malware developers use to conceal their malicious payloads. The unpackers work by parsing code contained in files before they’re allowed to be downloaded or executed. Because Symantec runs the unpackers directly in the operating system kernel, errors can allow attackers to gain complete control over the vulnerable machine. Ormandy said a better design would be for unpackers to run in a security “sandbox,” which isolates untrusted code from sensitive parts of an operating system.

The researcher said one of the proof-of-concept exploits he devised works by exposing the unpacker to odd-sized records that cause inputs to be incorrectly rounded-up, resulting in a buffer overflow. A separate “decomposer library” included in the vulnerable software contained open-source code that in some cases hadn’t been updated in at least seven years. The lack of updates came even though vulnerabilities had been found in some of the aging code and in some cases the disclosures were accompanied by publicly available exploits. A list of additional vulnerabilities is here.

Tuesday’s advisory is only the latest to underscore game-over vulnerabilities found in widely available antivirus packages. Although the software is often considered a mandatory part of a good security regimen—on Windows systems, at least—their installation often has the paradoxical consequence of opening a computer to attacks that otherwise wouldn’t be possible. Over the past five years, Ormandy in particular has exposed a disturbingly high number of such flaws in security software from companies including Comodo, Eset, Kaspersky, FireEye, McAfee, Trend Micro, andothers.

In most cases, the updates disclosed Tuesday will be automatically installed, in much the way virus definitions are received. In other cases, end users or administrators will have to manually install the fixes. People running Symantec software should check the advisory to make sure they’re covered.


Yet Another Reason To Not Buy That Cheap Computer From A Box Store

Ever notice those annoying update centers that come preinstalled on every name brand PC.  They just sit there I’ve never actually seen them update anything, sometimes they give you annoying pop ups for no reason.  Just sitting there in the tray for no reason.

Well one thing they are doing is opening all sorts of security holes.

http://arstechnica.com/security/2016/06/how-pc-makers-make-you-vulnerable-to-man-in-the-middle-attacks-out-of-the-box/

The next time you’re in the market for a new Windows computer, consider this: if it comes from one of the top five manufacturers, it’s vulnerable to man-in-the-middle attacks that allow hackers to install malware.

That’s the take-away from a report published Tuesday by researchers from two-factor authentication service Duo Security. It found third-party updating tools installed by default threatened customers of Dell, HP, Lenovo, Acer, and Asus. The updaters frequently expose their programming interfaces, making them easy to reverse engineer. Even worse, the updaters frequently fail to usetransport layer security encryption properly, if at all. As a result, PCs from all five makers are vulnerable to exploits that allow attackers to install malware.

“Hacking in practice means taking the path of least resistance, and OEM software is often a weak link in the chain,” the Duo Security report stated. “All of the sexy exploit mitigations, desktop firewalls, and safe browsing enhancements can’t protect you when an OEM vendor cripples them with pre-installed software.”

In short, every single manufacturer was found to use pre-installed updaters that allowed someone with the ability to monitor a PC’s network traffic—say someone on the same unsecured Wi-Fi network or a rogue employee at an ISP or VPN provider—to execute code of their choice that runs with System-level privileges. The updaters are mostly used to deliver new versions of software and bloatware that come pre-installed on new PCs and are separate from Microsoft’s Windows Update, which is widely believed to be secure. The report provides a strong reason why it’s a good idea to wipe newly purchased machines and reinstall Windows minus all the custom crapware. At a minimum, third-party software should be uninstalled or blocked using a firewall.

Update: Lenovo has issued an advisory recommending customers uninstall the Lenovo Accelerator Application, which comes preinstalled on many notebooks and desktop systems running Windows 10. As the image at the top of this post illustrates, the Duo Security report uncovered several major shortcomings in the app’s update mechanism, including its failure to use any sort of encryption when checking for or downloading updates and the failure to validate digital signatures before installing them.


It’s Time to Uninstall Java

It’s Time to Uninstall Java

Java is the number #1 culprit behind computer infections. It’s ubiquitous and full of holes. Upgrades to HTML the code that is used to display webpages has gotten us to the point where many users will no longer need Java, and if you find a website that requires Java it’s might be a good idea to just stop using that site instead having Java installed on your system.
My Recommendation removes Java and only reinstall it if absolutely needed, for example a work related application uses it. Also if your job requires Java installed on PCs it might be time to bring up in your next meeting.

Instructions for removing Java can be found here.

From Krebs:

Oracle has shipped an update for its Java software that fixes at least eight critical security holes. If you have an affirmative use for Java, please update to the latest version; if you’re not sure why you have Java installed, it’s high time to remove the program once and for all.

According to Oracle’s release notes, seven of the eight vulnerabilities may be remotely exploitable without authentication — meaning they could be exploited over a network by malware or miscreants without the need for a username and password. The version with the latest security fixes is Java 8, Update 71. Updates also should be available via the Java Control Panel or from Java.com.

Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Otherwise, seriously consider removing Java altogether. I have long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an specific use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.

Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with  JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.


Another Patch Tuesday

As usual if you have any trouble installing updates on your system it could be a sign of a major problem and security rick on your computer.

From Krebs:
Adobe and Microsoft each issued updates today to fix critical security problems with their software. Adobe’s patch tackles 17 flaws in its Acrobat and PDF Reader products. Microsoft released nine update bundles to plug at least 22 security holes in Windows and associated software.

Six of the nine patches Microsoft is pushing out today address flaws the software giant considers “critical,” meaning the vulnerabilities could be exploited by malware or miscreants to break into vulnerable computers remotely without any help from users. The critical updates tackle problems with Internet Explorer, Microsoft Edge, Office and Silverlight, among other components. Links to all of the updates are available here.

As noted by security firm Qualys, several versions of Internet Explorer will get their last security updates this month, including IE 11 on Windows 7 and 10; IE 8, 9 and 10; IE 10 on Server 2012; IE 9 on Vista Service Pack 2 and Server 2008; and IE7 and IE8. If you’re using one of these older versions of IE, consider switching — either to a newer, supported version of IE, or to something less tightly bound to the Windows operating system, such as Google Chrome.

It appears that Microsoft pulled one of the updates (MS16-009) at the last minute, probably due to issues in testing the fix to make sure it won’t interfere with other programs. In any case, if you use Microsoft’s products, take a moment this week to make sure that you’re up to date with these and other available security patches from Redmond.

Separately, Adobe has released critical updates for Adobe Acrobat and Reader. Adobe said it was not aware of any active attacks against the vulnerabilities fixed in this month’s release. Adobe also is phasing out older versions of Acrobat and Reader: As the company notes in this blog post, Adobe Acrobat X and Adobe Reader X are no longer supported.

Adobe Reader comes bundled with a number of third-party software products, but many Windows users may not realize there are alternatives, including some good free ones. For a time I used Foxit Reader, but that program seems to have grown more bloated with each release. My current preference is Sumatra PDF; it is lightweight (about 40 times smaller than Adobe Reader) and quite fast.


A Busy Month For Security Patches

First we had a series of emergency patches from Adobe now this months patch Tuesday from Microsoft fixes several critical flaws.

 

From Krebs

Microsoft today released nine update bundles to plug at least 55 distinct security vulnerabilities in its Windows operating system and other software. Three of the patches fix bugs in Windows that Microsoft considers “critical,” meaning they can be exploited remotely to compromise vulnerable systems with little or no help from users, save for perhaps clicking a link or visiting a hostile Web site.

brokenwindowsThe bulk of the flaws (41) addressed in this update apply to Internet Explorer, the default browser on Windows. This patch should obviously be a priority for any organizations that rely on IE. Other patches fix bugs in the Windows OS itself and in various versions of Microsoft Office. A full breakdown of the patches is available here.

Among the more interesting critical patches is a fix for a vulnerability in Microsoft Group Policy that could present unique threats for enterprises that rely on Active Directory, the default authentication mechanism on corporate Windows networks.  The vulnerability is remotely exploitable and can be used to grant attackers administrator-level privileges on the targeted machine or device –  that means 10s of millions of PCS, kiosks and other devices, if left untreated.

Several readers who’ve already applied these updates report that doing so may require multiple restarts of Windows. Patches are available via Windows Update, the patching mechanism built into all recent and supported versions of Windows. For more granular information about these patches, check out this blog post by Qualys as well as the always-useful roundup at the SANS Internet Storm Center.

As always, if you experience any issues applying these patches or after applying them, please leave a note in the comments section below describing your experience.