If you use a Linksys router, you need to drop everything now and upgrade it

If you own a Linksys WRT54GL or EA2700 router, both devices have serious security vulnerabilities. Serious enough that the only way to continue using them safely is to load an alternative firmware such as DD-WRT on them. That’s not entirely a bad thing; DD-WRT is more capable, and unlike most consumer-oriented firmware, allows you to disable WPS.

The EA2700, in particular, is so trivially easy to hack it’s laughable–all it takes is entering a predictable URL into a web browser. That’s it.

And the most security-riddled program of 2012 was….

Secunia released its annual vulnerability review, a study of the 50 most vulnerable pieces of software in 2012. It was a fairly tight three-way race at the top, and the distance between #3 and #4 was huge.

I was actually surprised at who the top three were. They weren’t the three usual suspects. But in the case of the top two, they did, to their credit, roll out fixes within 30 days of disclosure.

So now that I’m killing you with suspense….

And this is why I’ve been saying to uninstall Java, rather than disable it

Apple just uncovered and fixed a vulnerability that allowed an exploit to re-enable Java in a browser when it’s been disabled, which then of course allows a litany of exploits.

There are two lessons here. Macintoshes are hackable just like any other device, and latent software can be re-enabled. If you don’t think someone’s trying to do the same thing in Windows and Linux, you’re not paying attention.

Use Secunia PSI to keep all your programs up to date with minimal effort

Did you know Adobe released three Flash updates this month? And that every last one of them was absolutely, positively necessary? (At the time. They’re cumulative.) Seriously, you need a computer to keep track of all this stuff.

Secunia PSI is a free program to keep track of these updates and pull them down and install them for you. I’ve written about it before, but not in any depth. I downloaded it to a machine that didn’t have it, and it scanned my system, found four out-of-date programs–it knows about 3,000 pieces of software–and updated three of the four without me doing anything at all. It’s dead simple. Download it, install it, accept the defaults, and let it run. If you can’t get by without the four horsemen of the security apocalypse (Quicktime, Flash, Acrobat, and Java), at least Secunia PSI will ensure you’re running the least insecure–I’m not calling any of those security nightmares any word that would suggest they’re good–version of each.

If you’re running Windows, go download it and install it, please. It’s not a substitute for antivirus software, but it’s a tool that can close the security holes that antivirus software can’t protect you against. Really, you probably need both.

Java is patched now, but still not very safe

Rapid7’s Chief Security Officer, HD Moore, estimated it will take two years for Oracle to fix all of the current issues with Java, not counting anything new that happens in that timeframe.

Furthermore, Kaspersky states that 50% of cyberattacks in 2012 utilized a Java exploit. Among those is the newly discovered Red October.

Think for a minute. Antivirus software is anywhere from 75 to 90% effective. Assuming the worst, that means the simple process of removing Java from your computer does 2/3 as much good as running antivirus software. Of course, you shouldn’t do one or the other; you should do both.

If you have a legitimate need for Java in your web browser, such as commercial intranet applications built with Java, enable Java in one and only one browser, then use that browser solely for accessing those Java-powered web sites.

But the best thing to do is just get rid of Java. And if you have something that uses Java, find something else to use.

It took Microsoft about two weeks to fix a critical vulnerability in Internet Explorer. It took Oracle five months. I never thought I’d say this, but Oracle needs to be more like Microsoft.

Yeah, you can quote me on that if you want.

But until Oracle gets religion on security like Microsoft did around 2002, we really have two choices: Avoid Oracle products whenever practical, or keep getting hacked. I’d rather you not choose the latter option.

Oracle (and Java) delenda est

In case you haven’t seen, there’s a terrible unpatched vulnerability in Java right now that baddies are using to install ransomware on PCs. Then, this morning, I saw that Oracle has known about this vulnerability since August, and hasn’t bothered to fix it properly yet. That should be criminal negligence, but the rules are different for billionaires.

Of course, I’ve been saying for ages that we’d all be better off if we just uninstalled Java completely, but I know very few people who’ve done it, out of fear they’ll break something. (Those same people often refuse to patch Java, out of the same fear.) I was trying to figure out why anyone would want to run Java these days anyway, and then I saw this quote, via David Huff:

“Given a choice between dancing pigs and security, users will pick dancing pigs every time.” –Edward Felten and Gary McGraw

That explains everything. Java is exceptionally good at making animated dancing pigs.

All of the major sites are recommending that you disable Java in your web browser. I continue to recommend just uninstalling it entirely, since Oracle is more interested in dancing pigs than in security.

Apply this fix if you aren’t running IE9

Windows XP users, and those running something older than IE9 on newer versions of Windows need to apply this fix immediately.

Macintosh malware continues to evolve

Security experts have long warned that [Apple’s] delay in delivering Java patches on Mac OS could be used by malware writers to their advantage, and the new Flashback.K malware confirms that they were right. — PC World magazine

Last week I argued that a Macintosh-based botnet currently being distributed via Word document would likely change distribution methods, perhaps to a PDF document, in order to spread itself more effectively.

That, to my knowledge, hasn’t happened, but today I learned of the above example of Mac malware doing exactly that, jumping from Java vulnerability to Java vulnerability.

End of the innocence for Mac security

Antivirus vendor Kaspersky has identified a new trojan horse targeting Macintoshes. It spreads a botnet based somewhere in China via an infected Microsoft Word document, typically sent as an e-mail attachment.

The spin is that if you don’t use Word on your Mac, you’re safe. That’s true–this week. But going forward, it’s going to take more than that.

Apply your monthly patches just as soon as you can

There are only six patches in this month’s edition of Patch Tuesday, and only one of them is critical, but it’s a big one.

The critical patch fixes a flaw in Remote Desktop Protocol, something typically only present in the business-oriented flavors of Windows. But if you don’t know whether you’re affected, it behooves you to let Windows update whatever it wants to update.