I have often groused about the lack of security in Microsoft products. While looking to get a Raspberry Pi, I wandered down a set of links that ended up on Yet Another Microsoft Security Hole…
Seems that the Internet Explorer Browser has a hole in it allowing folks to take over your computer. Why am I not surprised?
I regularly rotate between machines, browsers, etc. partly to assure that no given platform has “much of interest” on it if it gets hacked. Partly just as I like to play on different platforms. Partly because some platforms have particular bits of software that I need. In general, I’ve preferred Linux or Macintosh. The first for what it lets me do, the second for being about as secure and easy to use as you can get. For about the last year, I’ve been on an HP Laptop with Windoz… it’s “pretty good” but “has issues”. I won’t go into all of them here ( the only HP one is that the keyboard had letters ‘wear off’ inside 6 months. Now I’ve got maybe 1/3 of the keys blank. Good thing I touch type…)
One of the first things I did was to install “other browsers”. Generally I use Firefox or Opera. I avoid Chrome due to the tendency for Google to suck up all possible information about you and what you do, and sell it to folks or use it against your privacy. Internet Explorer gets used when some web site writes bad code that depends on I.E.isms to work. Other than that, I avoid it. At this point, I’m not even going to use it for that…
Oh, and in related news, Java has a critical hole in it, too… so folks are being advised to turn off Java ‘for a while’…
Microsoft has told us about a fresh bug in its Internet Explorer web browser which is being exploited in a zero day attack.
A spokesVole said attackers can exploit the bug to infect the PC of somebody who visits a malicious website and then take control of the victim’s computer.
The software maker advised customers on its website late on Monday to install the security software as an interim measure, buying it time to fix the bug.
Security researchers think that Vole will have an update for its browser in about a week.
The tool that Microsoft is suggesting, known as the Enhanced Mitigation Experience Toolkit, or EMET, is available through an advisory on Microsoft’s website: blogs.technet.com/b/msrc/
The software needs to be downloaded, installed and then manually configured to protect computers from the newly discovered threat.
This makes it pretty useless to the great unwashed who still have not worked out how to program their video recorders.
A “zero day” attack is one that is done when a bug has been found, but is not yet known to the public or fixed by the vendor. The first day it shows up is in an attack on ‘day zero’…
So if you use I.E. you are running wide open, and will be for a while… Oh, and the “fix” is something suited for the Tech Savvy to do… but they won’t be running I.E. anyway, IMHO.
Germany has told its folks to just bail on I.E. and move on. I agree.
Germany urges users to ditch Internet Explorer
Exploit perils too risky
19 Sep 2012 09:58 | by Nick Farrell in Rome
History has repeated itself as the German government, famous for giving Firefox a leg up a few years ago, has told users to abandon Internet Explorer for something safer.
According to NDTV, the German government has told the Great Unwashed that they should temporarily stop using Microsoft’s Internet Explorer following the discovery of a yet-to-be repaired bug in the web browser that the software maker said makes PCs vulnerable to attack by hackers.
The flaw, which allows a zero day attack to be carried out on machines using IE9, surfaced over the weekend.
Yeah, I’m finding this about 10 days late. Somehow I think most folks are still just finding out…
The German Federal Office for Information Security, or BSI, said that it was aware of targeted attacks and all that was needed was to lure web surfers to a website where hackers had planted malicious software that exploited the IE bug to infect their PCs.
It announced that a fast spreading of the code has to be feared and has called on all users of Internet Explorer to use an alternative browser until the manufacturer has released a security update.
Microsoft has not said a word yet.
So 2 days ago, a Java “issue” popped up:
Another critical Java bug arrives
Just in time for JavaOne conference
26 Sep 2012 11:47 | by Nick Farrell in Rome
Oracle is setting up the bunting for its JavaOne 2012 conference in San Francisco, just as researchers from the Polish insecurity outfit Security Explorations found another critical hole in the company’s Java software.
According to Security Explorations’ researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects “one billion users of Oracle Java SE software”.
Gowdiak told Computerworld that the hole will have a bigger impact on Java users than any previous problem.
It affects Java 5, 6 and 7 while most of the previous problems with Java have affected its latest version 7.
This one is allegedly so bad that users were advised to disable Java on their browsers if they wanted to avoid it.
In this case all the latest web browsers with the latest Java SE software will have to do the same thing.
Gowdiak said his company found 50 problems in various Java SE implementations including 17 different complete sandbox bypass exploits.
That “sandbox bypass” means they can escape from the Virtual Machine in Java and get into the real world of your computer and operating system and files and networking and…
He said that all you can do is disable Java Plugin in the web browser and wait for the patches from Oracle.
There are still three weeks until the scheduled Java Oct Critical Patch Update, so it might be possible that the bug will be addressed by the company on 16 Oct 2012, he said.
I’ve been telling Java that I did NOT want an update for a while now (not liking the idea of going into brave new worlds of recently released bugs and holes; liking to stay with known good levels); so maybe in a few weeks I can let it go ahead and update…
So “Dancing Java Craplets”? Just say no…
For anyone needing a download of a new browser:
Both install very easily on Windows… Both work very well. I like both, but for different reasons. Opera has a nice ‘buffer’ feature that’s a great help on slow links (“turbo” Opera). Firefox “just feels right”… Though for some of them you may need to find and turn on some particular menu bars.
Folks wanting to do even more can set up a Virtual Machine and play with it (not too hard, but needs decent real hardware or it’s slow):
I also keep the bulk of all my stuff either on “offline” computers / disks or encrypted (or both). So WHEN a machine gets compromised, the “bad guys” get an encrypted bag of bits. I only decrypt the “bag of bits” on rare occasions, and then will often press the ‘disconnect from the network’ button during the process… so while it’s possible for some information to leak, it’s much harder. (The ‘few hundred GB’ of data in the “block” would have to be duplicated somewhere outside of it for transmission later when networking came back… I think I’d notice. So the malware has a couple of race conditions to deal with. It has to do “bad things” during the decrypted window, which can be short, and not leave them behind in that space as it goes back to encrypted before the network connection returns…)
Folks wanting a copy of Truecrypt will find it here:
I’ve been using it for a while and it looks both reliable and secure. Do NOT forget your password or you are hosed. If just using it for malware thwarts, you can use something trivial for the password (like your name, or name the file with the password “Decrypt with Forgleware” for example). Likely to prevent mechanical attacks, but a poor idea if a person gets on the box. I like using things like, for example, StarWars characters, but that’s just me ;-) It means I have a limited set to search if I forget.
So having an archive named “Archive Chewy” and a working set named “Working Droid” lets you only decrypt the active part of your files and leaves the more stable set even less likely to be accessible. Keep a backup copy on a removable drive so if the malware tries to re-write and / or append and screws up the bits so the decrypt fails, you don’t lose it all…
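One way to keep that removable-drive backup from being overwritten with a damaged container, as an added example that is not part of the original post. The function names and the JSON manifest are made up for illustration; it assumes the container is a fixed-size file and that the manifest lives on the removable drive, not next to the container.

```python
import hashlib, json, os, shutil, tempfile

def fingerprint(path):
    """Size and SHA-256 of a container file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return {"size": os.path.getsize(path), "sha256": h.hexdigest()}

def seal(container, manifest):
    """Run right after dismounting: record the closed container's state."""
    with open(manifest, "w") as f:
        json.dump(fingerprint(container), f)

def check(container, manifest):
    """Return 'ok', 'resized' (bytes appended or cut off) or 'modified'."""
    with open(manifest) as f:
        sealed = json.load(f)
    now = fingerprint(container)
    if now["size"] != sealed["size"]:  # assumption: fixed-size container file
        return "resized"
    return "ok" if now["sha256"] == sealed["sha256"] else "modified"

def backup(container, manifest, backup_dir, keep=3):
    """Copy to the removable drive only if the container is unchanged since
    seal(); otherwise leave the older generations alone and say why."""
    status = check(container, manifest)
    if status != "ok":
        return status
    name = os.path.basename(container)
    # Rotate generations: name.2 -> name.3, name.1 -> name.2, oldest drops off.
    for n in range(keep - 1, 0, -1):
        src = os.path.join(backup_dir, f"{name}.{n}")
        if os.path.exists(src):
            os.replace(src, os.path.join(backup_dir, f"{name}.{n + 1}"))
    shutil.copy2(container, os.path.join(backup_dir, f"{name}.1"))
    return "ok"

if __name__ == "__main__":
    d = tempfile.mkdtemp()                    # constructed stand-in files
    box, usb = os.path.join(d, "Working Droid"), os.path.join(d, "usb")
    os.mkdir(usb)
    with open(box, "wb") as f:
        f.write(os.urandom(4096))
    seal(box, os.path.join(usb, "droid.json"))
    with open(box, "ab") as f:
        f.write(b"appended")                  # change made while dismounted
    print(backup(box, os.path.join(usb, "droid.json"), usb))
```

Call seal() each time the container is dismounted and backup() before the next mount; anything other than "ok" means the file changed while it was supposed to be closed.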
And you were wondering what you would do with the weekend ;-)