Last week Adobe issued an out-of-band Flash patch, and once again Brian Krebs urged people to ditch Flash, noting that he’s done so and hasn’t missed it.
We decided to try ditching Flash at work a few months ago, but it didn’t go quite so smoothly for us. I thought I’d share my experience.
Continue reading The problem with ditching Flash and Java
I found a mention of a tool called Unchecky as a minor point in a story about something else entirely. Unchecky helps to solve the problem with downloaded programs including a bunch of extra junk you don’t want.
I won’t be running it myself, but the next time I fix a computer, I’ll probably install it on that one.
Continue reading Unchecky is another tool to help with staying out of trouble with malware
Bad things happen when security pros like me start asking our infrastructure brethren to patch Flash. We get better security, but the Flash upgrade fails enough of the time to cause extra workload, and it can be confusing.
Consequently, I see more Flash-related helpdesk tickets than I ever saw, even when I was doing desktop support long ago. Adobe doesn’t make it any easier by calling the plugin “Shockwave Flash.”
Continue reading Flash isn’t Shockwave and Shockwave isn’t Flash
Adobe has patched Flash twice in two weeks now. The reason for this was due to Hacking Team, an Italian company that sells hacking tools to government agencies, getting hacked. Hacking Team, it turns out, knew of at least three unpatched vulnerabilities (also known as “zero-days” or “0days”) in Flash, and exploits for these vulnerabilities were among the things that got breached.
That’s why Adobe is having a bad month.
Continue reading Expect a rough road ahead for Flash
Monthly patches and upgrades don’t always go well, but getting them down is increasingly critical, especially for applications like Flash, Reader, and the major web browsers. This week I called it “the new firewall.”
Twenty years ago, home users almost never bothered with firewalls. My first employer didn’t bother with them either. That changed in the late 1990s, when worms exploiting weaknesses in Microsoft software devastated the nascent Internet. Firewalls soon became commonplace, along with some unfortunate hyperbole that led some people to believe firewalls make you invisible and invincible, a myth that persists in some circles even today.
For this reason I’m a bit hesitant to declare anything a new firewall, but firewalls are necessary. So is protecting key software.
Continue reading The new firewall
I was talking breaches last week when a very high-up joined the conversation in mid-stream.
“Start over, Dave.”
“OK. I’m talking about breaches.”
“I know what you’re talking about,” he said, knowingly and very clearly interested.
Continue reading You’re telling me someone gave a stranger his password?
I’ve grown used to being asked what unpatched vulnerability was used in the most recent breach, in an effort to make sure some other company is protected.
I appreciate the desire to learn from other companies’ mistakes and not repeat them. But there are several reasons why the answer to that question is complicated, and not necessarily helpful.
Continue reading Why every breach is different
I’ve been seeing a lot of news this week about web browser plugins getting exploited to plant malware on computer systems. A lot of people know to keep Flash up to date, and to keep Java up to date or uninstall it–at least I hope so by now–but there are two targets that people generally forget about: Shockwave and Silverlight.
Because so many people have them installed and don’t know it, and therefore never update them, they are ripe targets for attack. Continue reading Web browser plugins you need to uninstall now–even if you have a Mac
“Oh, so you think you’re Mr. Genius Man,” the crackly voice said, drowned out by static caused by his cheap VOIP connection. “Enjoy your broken computer, Mr. Genius Man. Goodbye, Mr. Genius Man.”
So ended 23 minutes of my life that I’ll never get back, but I figure it’s 23 minutes he wasn’t spending scamming someone else. I don’t do it often, but my kids were playing nicely and we were all in the same room, so I guess I don’t regret it too much. Continue reading Windows Technical Support calls me again
I was listening to an interview between Paul Asadorian (of Pauldotcom fame) and Cigital CTO and software security expert Gary McGraw. They discussed how the target of attacks moved from Microsoft to Adobe and now that Adobe is showing signs of getting its act together, it’s going somewhere else.
“If I were Nvidia,” McGraw said, “I’d be thinking a lot about software security. Fortunately they are.”
Nvidia does sound like a juicy target. Continue reading The time bomb in your older computer