Internet Exploder Strikes Again

I have often groused about the lack of security in Microsoft products. While looking to get a Raspberry Pi, I wandered down a set of links that ended up on Yet Another Microsoft Security Hole…

Seems that the Internet Explorer Browser has a hole in it allowing folks to take over your computer. Why am I not surprised?

I regularly rotate between machines, browsers, etc. partly to assure that no given platform has “much of interest” on it if it gets hacked. Partly just as I like to play on different platforms. Partly because some platforms have particular bits of software that I need. In general, I’ve preferred Linux or Macintosh. The first for what it lets me do, the second for being about as secure and easy to use as you can get. For about the last year, I’ve been on an HP Laptop with Windoz… it’s “pretty good” but “has issues”. I won’t go into all of them here (the only HP one is that the keyboard had letters ‘wear off’ inside 6 months. Now I’ve got maybe 1/3 of the keys blank. Good thing I touch type…)

One of the first things I did was to install “other browsers”. Generally I use Firefox or Opera. I avoid Chrome due to the tendency for Google to suck up all possible information about you and what you do, and sell it to folks or use it against your privacy. Internet Explorer gets used when some web site writes bad code that depends on I.E.isms to work. Other than that, I avoid it. At this point, I’m not even going to use it for that…

Oh, and in related news, Java has a critical hole in it, too… so folks are being advised to turn off Java ‘for a while’…

The links:

http://news.techeye.net/security/microsoft-warns-of-big-problems-with-internet-explorer-9

Microsoft has told us about a fresh bug in its Internet Explorer web browser which is being exploited in a zero day attack.

A spokesVole said attackers can exploit the bug to infect the PC of somebody who visits a malicious website and then take control of the victim’s computer.

The software maker advised customers on its website late on Monday to install the security software as an interim measure, buying it time to fix the bug.
Security researchers think that Vole will have an update for its browser in about a week.

The tool that Microsoft is suggesting, known as the Enhanced Mitigation Experience Toolkit, or EMET, is available through an advisory on Microsoft’s website: blogs.technet.com/b/msrc/

The software needs to be downloaded, installed and then manually configured to protect computers from the newly discovered threat.

This makes it pretty useless to the great unwashed who still have not worked out how to program their video recorders.

A “zero day” attack is one that is done when a bug is found, but not yet known to the public and fixed by the vendor. The first day it shows up is in an attack on ‘day zero’…

So if you use I.E. you are running wide open, and will be for a while… Oh, and the “fix” is something suited for the Tech Savvy to do… but they won’t be running I.E. anyway, IMHO.

Germany has told its folks to just bail on I.E. and move on. I agree.

http://news.techeye.net/security/germany-urges-users-to-ditch-internet-explorer

Germany urges users to ditch Internet Explorer
Exploit perils too risky

19 Sep 2012 09:58 | by Nick Farrell in Rome

History has repeated itself as the German government, famous for giving Firefox a leg up a few years ago, has told users to abandon Internet Explorer for something safer.

According to NDTV, the German government has told the Great Unwashed that they should temporarily stop using Microsoft’s Internet Explorer following the discovery of a yet-to-be repaired bug in the web browser that the software maker said makes PCs vulnerable to attack by hackers.

The flaw, which allows a zero day attack to be carried out on machines using IE9, surfaced over the weekend.

Yeah, I’m finding this about 10 days late. Somehow I think most folks are still just finding out…

The German Federal Office for Information Security, or BSI, said that it was aware of targeted attacks and all that was needed was to lure web surfers to a website where hackers had planted malicious software that exploited the IE bug to infect their PCs.

It announced that a fast spreading of the code has to be feared and has called on all users of Internet Explorer to use an alternative browser until the manufacturer has released a security update.

Microsoft has not said a word yet.

So 2 days ago, a Java “issue” popped up:

http://news.techeye.net/security/another-critical-java-bug-arrives

Another critical Java bug arrives
Just in time for JavaOne conference

26 Sep 2012 11:47 | by Nick Farrell in Rome

Oracle is setting up the bunting for its JavaOne 2012 conference in San Francisco, just as researchers from the Polish insecurity outfit Security Explorations found another critical hole in the company’s Java software.

According to Security Explorations’ researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects “one billion users of Oracle Java SE software”.

Gowdiak told Computerworld that the hole will have a bigger impact on Java users than any previous problem.

It affects Java 5, 6 and 7 while most of the previous problems with Java have affected its latest version 7.
[…]
This one is allegedly so bad that users were advised to disable Java on their browsers if they wanted to avoid it.

In this case all the latest web browsers with the latest Java SE software will have to do the same thing.

Gowdiak said his company found 50 problems in various Java SE implementations including 17 different complete sandbox bypass exploits.

That “sandbox bypass” means they can escape from the Virtual Machine in Java and get into the real world of your computer and operating system and files and networking and…

He said that all you can do is disable Java Plugin in the web browser and wait for the patches from Oracle.

There are still three weeks until the scheduled Java Oct Critical Patch Update, so it might be possible that the bug will be addressed by the company on 16 Oct 2012, he said.

I’ve been telling Java that I did NOT want an update for a while now (not liking the idea of going into brave new worlds of recently released bugs and holes; liking to stay with known good levels); so maybe in a few weeks I can let it go ahead and update…

So “Dancing Java Craplets”? Just say no…

For anyone needing a download of a new browser:

http://www.opera.com/download/

https://www.mozilla.org/en-US/firefox/new/

Both install very easily on Windows… Both work very well. I like both, but for different reasons. Opera has a nice ‘buffer’ feature that’s a great help on slow links (“turbo” Opera). Firefox “just feels right”… Though for some of them you may need to find and turn on some particular menu bars.

Folks wanting to do even more can set up a Virtual Machine and play with it (not too hard, but needs decent real hardware or it’s slow):

http://www.oracle.com/technetwork/server-storage/virtualbox/downloads/index.html

I also keep the bulk of all my stuff either on “offline” computers / disks or encrypted (or both). So WHEN a machine gets compromised, the “bad guys” get an encrypted bag of bits. I only decrypt the “bag of bits” on rare occasions, and then will often press the ‘disconnect from the network’ button during the process… so while it’s possible for some information to leak, it’s much harder. (The ‘few hundred GB’ of data in the “block” would have to be duplicated somewhere outside of it for transmission later when networking came back… I think I’d notice. So the malware has a couple of race conditions to deal with. It has to do “bad things” during the decrypted window, which can be short, and not leave them behind in that space as it goes back to encrypted before the network connection returns…)

Folks wanting a copy of Truecrypt will find it here:

http://www.truecrypt.org/downloads

I’ve been using it for a while and it looks both reliable and secure. Do NOT forget your password or you are hosed. If just using it for malware thwarts, you can use something trivial for the password (like your name, or name the file with the password “Decrypt with Forgleware” for example). Likely to prevent mechanical attacks, but a poor idea if a person gets on the box. I like using things like, for example, StarWars characters, but that’s just me ;-) It means I have a limited set to search if I forget.

So having an archive named “Archive Chewy” and a working set named “Working Droid” lets you only decrypt the active part of your files and leave the more stable set even less likely to be accessible. Keep a backup copy on a removable drive so if the malware tries to re-write and / or append and screws up the bits so the decrypt fails, you don’t lose it all…
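One way to check the backup idea above before mounting anything, as an added example that is not part of the original post: record a SHA-256 digest of each closed container, then compare the working copy and the removable-drive copy against it to see which one is still intact. The manifest file, the function names and the stand-in file contents are assumptions made for illustration; the manifest belongs on the removable drive, not on the machine that might get compromised.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def digest(path: Path) -> dict:
    """SHA-256 and size of a closed (unmounted) container, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return {"sha256": h.hexdigest(), "size": path.stat().st_size}


def record(manifest: Path, container: Path) -> None:
    """Store the digest after a session you trust. A working container changes
    every time it is mounted and written, so re-run this after each such session."""
    known = json.loads(manifest.read_text()) if manifest.exists() else {}
    known[container.name] = digest(container)
    manifest.write_text(json.dumps(known, indent=2))


def state(known: dict, path: Path) -> str:
    """Classify one copy against the recorded digest."""
    if not path.exists():
        return "missing"
    now = digest(path)
    if now["sha256"] == known["sha256"]:
        return "ok"
    # Data appended to the file shows up as growth, an in-place rewrite does not.
    return "grown" if now["size"] > known["size"] else "changed"


def check(manifest: Path, primary: Path, backup: Path) -> tuple:
    """Return (primary state, backup state, what to do next)."""
    known = json.loads(manifest.read_text()).get(primary.name)
    if known is None:
        return ("unrecorded", "unrecorded", "record a digest first")
    p, b = state(known, primary), state(known, backup)
    if p == "ok":
        action = "mount primary" if b == "ok" else "mount primary, refresh backup"
    elif b == "ok":
        action = "restore from backup"
    else:
        action = "no copy matches the manifest"
    return (p, b, action)


def demo() -> list:
    """Constructed walk-through using small stand-in files, not real containers."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        disk, usb = Path(tmp, "disk"), Path(tmp, "usb")
        disk.mkdir()
        usb.mkdir()
        primary, backup = disk / "Archive Chewy", usb / "Archive Chewy"
        blob = bytes(range(256)) * 16          # constructed stand-in content
        primary.write_bytes(blob)
        backup.write_bytes(blob)
        manifest = usb / "manifest.json"       # kept with the offline copy
        record(manifest, primary)
        results.append(check(manifest, primary, backup))   # both intact
        with open(primary, "ab") as f:                     # something appends
            f.write(b"appended junk")
        results.append(check(manifest, primary, backup))
        with open(backup, "r+b") as f:                     # backup rewritten too
            f.seek(100)
            f.write(b"\x00" * 16)
        results.append(check(manifest, primary, backup))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A digest mismatch only says the file is no longer the one you recorded; it cannot tell malware from a legitimate session you forgot to re-record.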

And you were wondering what you would do with the weekend ;-)


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons" are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

19 Responses to Internet Exploder Strikes Again

  1. BobN says:

    I just downloaded and tried Opera, it seems very fast and looks and feels like Firefox. It even gets the bookmarks that I have stored in Firefox, are these two browsers linked? If I look at Chrome, its bookmarks are separate.

  2. E.M.Smith says:

    @BobN:

    Opera and Firefox are very different browsers, but they know how to find each other in a crowd and see what’s in the bookmarks pocket… ;-)

  3. Eric Fithian says:

    So here I am, running AtlasX Linux almost exclusively (the alternative is eLive Linux– about 4 years old).
    And doing 90% of my browsing with Links2, which doesn’t do Java, JavaScript, video, audio, or any other modern Bells & Whistles….
    I prefer Opera for the other 10%, getting into that browser back when one had to actually *pay* for it…!
    I would run MicroSoft only in an emulator, and only for extremely specific apps! TeleChart, for example. Otherwise, the whole Experience is much too fraught with risk to be enjoyable…

    I keep threatening to have a shirt made, “The Internet is a Fun and Safe Place– when you run Linux!” (Picture of Tux the penguin below that statement)

  4. Steve C says:

    I like Firefox too, mostly for the stack of assorted blocker add-ons that are available for the paranoid (or just security-conscious!). Opera is nice and quick, but after years on FF I find it lets a disconcerting amount of stuff “just happen”.

    Probably the best security scheme I know is one used by a friend who occasionally surfs in places where you probably shouldn’t. (Think dodgy Russian hacking emporia and the like.)
    Instructions:
    1: Get Bart PE, and make yourself a Windows “live CD” (his is XP, no word on later versions) with your preferred options. Note: Be safe, do this offline! You’ll probably need a bit of time to learn Bart’s PE, but it’s worth it.
    2: Take a spare PC and remove the hard drive(s). Make sure it has a decent amount of memory (1GB is fine, 2GB ample).
    3: Connect the driveless PC direct to the modem (to keep everything else safe on your home net in case of anything happening). Apologise to the family for the temporary interruption.
    4: Boot the driveless PC on the Bart CD, and download stuff onto a memory stick.
    5: Mutter, “OK, you b######s, infect a CD, then!” and get surfing.
    In the event of anything unexpected happening, just hit the Reset button and you’re straight back in business. There’s no hard drive or boot sector for invaders to infect, and (assuming Plug’n’Pray is working today) you can pull the memory stick out when you’re not actually using it.

    (Sigh) But one of these days I really must learn how to drive Linux. A friend has already had his sound card settings, carefully worked out over a whole afternoon, “renormalised” by Microsoft during a regular patch to his Win 7 – a complaint to Microsoft resulted in them assuring him that they do it “to protect owners’ copyright” – and Win 8 has rapidly gained a reputation for being virtually unusable. Time to move on … I want an OS that does my bidding, not Sony’s.

  5. Pascvaks says:

    Please remember the line about cats and curiosity, and that old one too about no such thing as a stupid question; here goes –
    regarding old versions of software and new bugs, is there any advantage whatsoever to having an old, superseded version of Windoz or iExplorer with new bugs or is it that the code makes no difference at all and the old stuff is all the more vulnerable to new bugs because it is missing the newer programming that at least is a little more protective?

    PS: I know I’ve thought this before, if I’ve asked this before, please forgive;-)

  6. adolfogiurfa says:

    @Pascvaks: the newer programming that at least is a little more protective?
    The latest must include, for sure, some type of Cyber-Drones, only detectable by someone with a lot of experience in this field as our dear @E.M., who could explain us more about them.

  7. tckev says:

    On the Opera browser you could alter just about any preference you want from the menu. However as Opera site says ( http://www.opera.com/support/usingopera/operaini/ ) there are many others that are not normally touched.
    There is however one user preference worth a tweak which is to enable hardware acceleration – this is off by default. Turning it on speeds up page loading, and I (on Linux) have found it makes the playing of video more stable.
    Below is a method of getting to this screen. Needless to say I take no responsibility for any outcome on your machine! All of these settings are in a plain text file called operaprefs.ini so before altering the settings make and save a copy of this file. You can edit operaprefs.ini straight from its home folder when Opera is not running.

    *****WARNING – Adjusting some of these parameters can have unforeseen outcomes****

    Turning on Hardware acceleration –

    This is very simple –
    Open a new tab in the Opera browser, type –
    opera:config#UserPrefs
    You should now be in the User Preferences of Opera’s configuration.
    The items are listed alphabetically.

    Scroll down to ‘Enable Hardware Acceleration’ and change the default 0 to 1.
    Now scroll down to the end of the User Preferences section and press the ‘Save’ button.
    Close the tab, close Opera, reopen Opera and the new settings now apply.

    All of these settings are in a plain text file called operaprefs.ini. This is an initialization file for Opera, essentially a settings file that specifies most of the user preferences. When you alter your preferences within the Opera user interface, this file is automatically modified and saved.

  8. Ian W says:

    I have been using ‘Pale Moon’ which is a stripped down version of Firefox explicitly for Windows and without developer add-ons. It is a LOT faster than standard Firefox but the look and feel are much the same. Currently, it is also faster than Chrome and IE9.

  9. A moment of truth arrived for me on the day I accidentally fired up MS Outlook. The Netsky W32 virus (worm?) pounced. I guess it was already on my computer. When the dust settled over 5,000 photographs had been converted into copies of the virus.

    That experience propelled me into Linux and there is no going back. One of the best things about Linux is that software I paid for ten years ago such as Dreamweaver (Studio MX suite) and Photoshop work perfectly with Ubuntu 12.04 and Mint Maya. The same disks won’t install on any version of Windoze after XP.

  10. philjourdan says:

    If you have Windows and like Firefox, try Palemoon. It is a variant of Firefox optimized for Windows. All the plugins for Firefox work for Palemoon, and it is a bit faster.

    I have Opera, Firefox, Chrome, Safari, Palemoon and IE. My first choice is Palemoon, but I like Opera as well since many of the Trojan websites now target both IE and Firefox (the fake AV ad sites).

  11. During my early years using Linux, I could not get Quickbooks and Turbo Tax to work properly. Eventually I gave up and transferred my accounting to “GNU Cash”. Not as slick as Quickbooks but it gets the job done. I use “Tax Act” for both personal and “S” corporation taxes.

    One of the things that drove me crazy with Windoze was the strange things that happened when I attached a projector to my laptop. I still teach at half a dozen universities and technical colleges. I much prefer to use my own laptop to run the projector and sound system. Since switching to Linux, Sony, Sharp, Canon and all the other projectors install automatically with none of those lame “New Hardware Detected” messages.

  12. E.M.Smith says:

    @GallopingCamel:

    Sorry to hear about the photos getting hit. (One of the features of keeping things in an encrypted container is that the virus doesn’t know to hit it – provided you use an obscure file type; but the risk is that if you use, say, jpg, a virus can whack the whole container….)

    I had “something” try to take over the laptop about 6 months back (despite my cautions). One nice feature of the HP was that I just told it to ‘roll back’ to the last system save restore point and all was well again. Nice touch…

    Oh, and Windoze never was my friend, but I’ve noticed that it has become ever harder to buy it and have it just keep working for a long time. More ‘auto-updating’ and more planned obsolescence. (I usually shut off all auto-updating I can find). While I bought this laptop with the idea in mind of being “dual boot” (and later found out that the HP disk format was primitive and painful and it needed a new and special video driver so didn’t get around to installing Linux – yet…) I’ve been “living on MS Windows” for about a year. “Mildly annoying” is the best description of the experience.

    On the plus side, it does generally work. Not as much as the old Mac “Just Works”, but reasonably well. (Don’t expect to run any old software on Windoze, though.) Oddly, the Mac is stellar at running old software. I have a Mac with OS 9 or 10 on it, that runs software from a decade+ old in an emulator of the old 68k based machines.

    What annoyed me most was the way the U.I. keeps mutating. Step away from MS Windoze for a release or two and you become functionally impoverished. Had to re-learn a whole bunch of things. (AND, they have hidden even more of the things a tech guy wants most, like command windows and direct inspection of routing tables and interface settings). Having the drop down menu contents constantly change and move is at best frustrating and at worst incredibly stupid.

    On both the Mac and Linux I’ve generally not had those problems. Step away from one of them for a few releases and when you come back it’s still mostly the same. (On Linux, the biggest heartburn is someone deciding to swap the whole U.I. for a distribution, say from KDE to GNOME, so you need to swap it back…) Things tend to work “after a while”, but once working keep on working. Frankly, if this laptop config had not been a pain, I’d have it running dual boot right now and be spending 95% of my time on Linux. As it takes a full disk reformat to make it dual boot, I’ve been unwilling to ‘make that leap’ when it was my dominant ‘world interface’. Then the desktop Windoze box had a hissy and now the laptop is my only Windoz box. Once I fix the NT release on the desktop and recover it, I’ll likely make it dual boot and migrate on to it. At that point, this laptop gets a ‘disk do-over’ and becomes dual boot.

    On a parallel track, I’ve been playing with virtual machines and looking at SBC Single Board Computer approaches. At present, the “plan” is to get a small SBC or two and then the OS goes on a chip, the data goes on a dongle, and the computer is just a fat spot in the middle of the wires… At that point, a corrupted OS becomes “swap the chip” and a corrupted set of data becomes “restore the encrypted container” from the external store. Basically, all the parts are disposable and replaceable.

    Which reminds me… I ought to go try and get that desktop MS box to run again…

    @PhilJourdan and Ian W:

    Pale Moon. Got it. Gonna get it…

  13. My OTDR (Optical Time Domain Reflectometer) program kept giving a “COM Port Error” in Linux. It turned out that the serial port chip set driver was “closed source”, so no Linux driver version is available! So I gave up and re-installed Windoze. It was like a blind bull in a china shop, trampling all over the incumbent Linux operating system.

    Those of us who are not rich enough to own “VMWare” or smart enough to create a “Virtual Machine Environment” need to make a clean Windoze install in a dedicated partition and then install Linux into what remains of the hard disk. Linux treats Windoze with undeserved respect and creates a simple but functional dual boot (grub2).

    I dislike the “Unity” GUI on recent versions of Ubuntu but the fix is simple. Just install “Gnome Shell” and then log in again. While I am still loyal to Ubuntu with its superb “Cloud Backup” features of “Ubuntu One”, the simplicity of Mint Maya is quite appealing. This may mean that I am a software dummy.

  14. E.M.Smith says:

    @GallopingCamel:

    While the performance slows, I found VirtualBox easy to install and run on Windoz… no idea how easy to go the other way and put something like it on Linux. Maybe I ought to look into that…

    At any rate, it’s free and works. Frankly, what I’ve found to work best is to just keep an old box – or get one for nearly free when a neighbor on the Microsoft Treadmill ‘upgrades’ – and put Linux on it, dedicated. If I need Windows, I buy one already configured and just use it. If it breaks, it usually becomes my next Linux box and I look for a replacement Windows… (often one release old and nearly free during the ‘upgrade cycle’ ;-) so Vista becoming very cheap very soon ;-)

    Oddly, that means I slowly accumulate Linux machines (often dedicated to particular things, like my GIStemp box with matching compiler / OS level) that “just work” forever; while Windows is a slow river of semi-broken change that just flows by… and I ‘dip in’ from time to time when forced into it…

    About once a decade I buy a new Mac. Then about 8 years into it, it’s ‘too slow and old’ or the battery and wireless have failed or I’ve worn out my second keyboard … and move onto “something else” for a couple of years… Then just have to buy another Mac… Come to think of it, I retired the old Mac iBook about a year ago… One More Year and I get a new Mac ;-!

  15. E.M.Smith says:

    Well, an interesting experience…. In the “junk pile” was a Toshiba Satellite 2535 CDS laptop. The screen had died some years ago, but plugged into an outboard monitor it works. It was the “last MS” computer I’d had prior to the round of a “new” desktop (to do the dT/dt graphs) and the laptop (for the job in Florida). OK, I dig it out of the pile.

    I’ve made a backup before archiving it, but think “Maybe I ought to just check, scrub, and chuck it”. So this is being posted from that box… running Win 98. Talk about slow and painful. It’s pretty clear that web pages today expect LOTS of memory and CPU or slow way down. It’s not the network, as it’s the same as my other machines get.

    At any rate, it looks like the best thing to do with it is a ‘scrub and chuck’. I’d toyed with the idea of using it as a Linux disposable browser testbed, but I suspect it’s too slow even for that… The keyboard isn’t bad, but the “eraser mouse” is hard to use and the mouse buttons stick (so I’m using an external mouse). At any rate, it is “working”, after a sort… but I’m not seeing the value in it…

    Oddly, it has some GHCN stuff on it, so I was using it for some of that stuff just a few years back. Possibly just as a place to download / save copies. At any rate, the rest of the day will likely go into assuring the backup copy of data ‘from the toyshiba’ on my newer laptop matches the folders here and that there isn’t any particular software release of (whatever) on this machine. As it stands, as a Windoze box it is just too painful to use. As a Linux, I’m not seeing any value over my desktop boxes. As a testbed for ‘slow hardware’ it’s likely slower than the SBCs and has the wrong CPU type to directly map software and experience. I guess all hardware has to reach an end sometime…

  16. BobN says:

    Going cave man is interesting. I have noticed over the years that you can take a quiet seemingly well adjusted worker and promote them. Immediately, most of them become little Hitlers making demands about everything. To not cause chaos, these people always needed to be reined in and beat back to being normal people again. It seemed to always take about 6 months of training, control whatever to not get people to overstep their boundary. Don’t mean to sound sexist, but newly promoted women were always the worst. I’ve seen what a little power does to a first line manager, just think what real power does. Do people change or is the true personality emerging because it can.

    Another aspect that is most curious is the late bloomer. Some people hit the floor running in life and have everything figured out at 20, others like myself don’t wake up until much later in life. I’m a different person now than I was at 20, just woke up one day.

  17. E.M.Smith says:

    For unknown reasons, the MS NT CD I have is not happy with the Desktop Box. I thought it had NT on it, but maybe it was something newer. Seems the NT CD doesn’t like the hardware. Won’t even get past a basic “check what hardware you have” so I can’t get to the “repair the OS” state. God only knows what CD I need to find to fix the box… What came along between Windows NT and Vista? Windows 7? Whatever… So the Compaq Evo will stay “a brick” for a while until I get motivated enough to try again (or just give up and make it a dedicated Linux box)

    All the data is saved on that Seagate USB drive (that I didn’t like because it wouldn’t play well with anything but Windoze…) so I can restore it to the laptop. I lose the MS Software that was on the desktop box, but I didn’t use it anymore anyway (having moved to Open Office). I’ve found the disk for Storm Predator and put it on the laptop (and it was the one thing I really liked). Probably ought to do some kind of ‘software audit’ of what I’m losing if I wipe it… (Boot Linux from CD to inspect the disk read-only). Somehow it’s easier to just let it sit and be a brick…

    I’d been looking to make it ‘dual boot’ so I could use Linux more anyway. So I’m having difficulty thinking of what I give up if / when I wipe it. A Windoz licence that’s relatively worthless. Some software I didn’t use much (but was convenient for opening things folks sent to me – though OO looks to do as well). I’ve got my files archived. Hmmm…. I’ll likely just ask a Tech Buddy if he has a Win 7 or so (Evo friendly) CD and try the recovery again… in a few weeks ;-)

    @BobN:

    I think you were looking to post that comment on the Koran 2 thread?

    Yes, folks taking their first shot at real positional authority are interesting to train… I’m glad I had a decade or so as a consultant without positional authority before having real line authority. Left me with a good tool kit of ‘indirect influence’… and not much ego need / threat / worry… Even now, I’ll be in a group and if “something needs doing” just start making it happen. Position or not. Odd in that it’s now ‘habit’ and I don’t even think about it much…

  18. BobN says:

    @EM – Yes, posted on the wrong thread. Too many tabs open, that’s my excuse anyway.

  19. E.M.Smith says:

    @BobN:

    No problem. Not really an ‘on topic’ nazi anyway ;-)

Comments are closed.