MS08-038 addresses a vulnerability in Windows Explorer and is for Windows Vista and carries an “important” rating. The update includes the original Vista, Vista SP1 and Vista x64.

MS08-037 addresses a vulnerability in DNS and is for Windows 2000 SP4, Windows XP SP2 & SP3, and Windows XP x64 original release & SP2. it’s rated as “important”. [Updated: This patch is part of a coordinated, multi-vendor DNS patch.]

These patches, and the others, also affect server OS’s. There’s no Internet Explorer update this month.

Also, Microsoft will begin rolling out an update to Windows Update later this month. Last time they did this they catch grief for updating PCs that were set to “do not update”. This time around they’ll be doing things differently and won’t update PCs set to not update.

ShareThis

This month’s updates included:

KB945553 (MS08-020) - Vulnerability in DNS client could allow spoofing. This is rated as "Important" for all supported desktop OS’s except Windows Vista SP1, which doesn’t need the update.

KB948590 (MS08-021) - Vulnerability in GDI could allow remote code execution. This is rated as "Critical" for all supported desktop OS’s.

KB944338 (MS08-022) - Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution. This is rated as "Critical" for all desktop OS’s except Windows Vista, which doesn’t need the update.

KB948881 (MS08-023) - Critical security update for ActiveX killbits. This is required for all supported desktop OS’s, although the severity ranges from "Important" to "Critical".

KB947864 (MS08-024) - Cumulative security update for Internet Explorer. As expected, all supported versions of IE get the update and all are rated "Critical".

KB941693 (MS08-025) - Vulnerability in Windows Kernel could allow elevation of privileges. This one has an "Important" rating for all supported desktop OS’s.

There were also some security patched for applications. MS08-018 patches a Project vulnerability while MS08-019 patches a vulnerability in Visio. I don’t run either Project or Visio so I didn’t install the updates.

The Malicious Software Removal Tool, Junk Email Filter update (Vista only, in my case at least) and Windows Defender definition updates were also included.

I also received KB938371 (on my Vista SP1 vm) which is an updated needed to add or remove Vista SP1. Since I received Vista SP1 successfully I already had some of the components. According to the bulletin Vista SP1 install "will only install the new components in this rereleased update."

Non-security related patches included an update to Live Writer and a optional Group Policy patch. For some reason my Windows XP Home installation also received .NET 2.0 SP1 although it appears that it was released back in December and I installed the base .NET 2.0 in early January, two patch Tuesday’s ago.

As expected, a reboot was required. So far I haven’t encountered an differences or problems since applying the updates. A subset of these updates also installed on my Windows Home Server and I covered the WHS March Updates here.

ShareThis

MS08-014 is a security update that patches several vulnerabilities in Microsoft Excel. Microsoft Excel 2003 Service Pack 3 and Microsoft Excel 2007 Service Pack 1 are not affected but other versions of Excel are vulnerable. Vulnerable versions include Office 2004 and Office 2008 for the Mac. The Office 2007 Compatibility pack is also vulnerable as is the Excel 2003 viewer.

MS08-015 is a critical update for Microsoft Outlook. Microsoft Outlook 2007 Service Pack 1 is not vulnerable but all other versions are vulnerable.

MS08-016 is a security update for Microsoft Office. Vulnerable versions include Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 2, Microsoft Office Excel 2003 Viewer (base version & Service pack 3), and Microsoft Office 2004 for Mac.

MS08-017 is a critical update for Microsoft Office Web Components. Client vulnerabilities include Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Visual Studio .NET 2002 Service Pack 1, and Visual Studio .NET 2003 Service Pack 1.

While none of these patches apply to me, my Windows Vista Home Premium and Windows Vista Ultimate installations did have three updates waiting in Windows Update. The Windows Malicious Software Removal Tools, the March Update for the Windows Mail Junk E-Mail filter, and a generic "Update fir Windows Vista" described as:

Update for Windows Vista (KB946041)

Download size: 581 KB

You may need to restart your computer for this update to take effect.

Update type: Recommended

This is a reliability update. This update resolves some performance and reliability issues in Windows Vista. By applying this update, you can achieve better performance and responsiveness in various scenarios. After you install this item, you may have to restart your computer.

More information:
http://support.microsoft.com/kb/946041

Windows Update also includes Microsoft Silverlight 1.0 as an optional installation. I decide to go ahead and install it. The updates installed without any issues, a restart was required. The first time I went to a Microsoft website I had to except the Silverlight license agreement and enable Silverlight itself.

ShareThis

MS08-010 - Cumulative Update for Internet Explorer (critical)

MS08-007 - Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution (critical)

MS08-008 -  Vulnerability in OLE Automation Could Allow Remote Code Execution (critical)

A reboot was required.

I’m running the Windows Vista SP1 Release Candidate so I didn’t get any updates on that machine. I don’t run MS Office apps so I avoided those updates too. I’m all updated out so I’m not going to cover the other updates. Suffice it to say that any copies of Windows or Office you have will get updated. For more information you can read CNet’s article which has the Cliff Notes version of the MS Bulletins.

ShareThis

Quicktime required a reboot on my Macs, as do all Quicktime updates. On Windows I have the iTunes+Quicktime combo installed and that also required a reboot.

The update is available through Apple software update or as individual downloads from Apple’s download page. There are versions for Leopard, Tiger, Panther and Windows.

ShareThis

Anyway, this week brought two patches. The first is MS08-001 titled “Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution”. This affects all supported desktop OS’s. It’s rated as Important for Windows 2000 and Critical for all flavors of Windows XP and Windows Vista. I didn’t have any problems applying this update to my two Windows XP SP2 installations. There wasn’t any update through Windows Update for my Vista SP1 RC1 install so I don’t have any experience with that one.

MS08-002 is titled “Vulnerability in LSASS Could Allow Local Elevation of Privilege” and is for Windows 2000 and Windows XP on the desktop. It rated as important. If someone already has logon credentials they can use this vulnerability to elevate their privileges.

There’s no cumulative IE update or any Office updates this month.

Microsoft Security Resources

Additional security resources from Microsoft:

Microsoft Security Newsletter is a monthly e-mail covering security topics from Microsoft. To subscribe you’ll need a Microsoft Live ID (formerly passport) although the newsletter can go to any email address.  You’ll also be required to provide a name. By default the box to also receive other Microsoft emails is checked so be sure to uncheck it (unless you want the emails). You can also view the latest newsletter‘ without subscribing.

Microsoft provides several levels of security notifications via several methods. They provide either basic or comprehensive alerts along with additional non-vulnerability advisories and a blog. Delivery system include email, rss, Windows Live Alerts and the website.

A security bulletin search is provided that allows searching by date, product and severity rating.

They also have a new (at least to me) Malware Protection Center that lists information about malware and provides links to Microsoft tools.

Spam Counts

This weeks spam counts:

Primary Mailbox 30-day spam count: 2

This is down one from last week and none of it is new.

Public Mailbox 30-day spam count: 156

Down 20 from last week with new spam this week at 21 pieces.

Website comment and trackback spam: 7,573

This is up 73 from last week.

ShareThis

This version will also suppress some DB error messages to avoid giving out to much information. The error messages will still be displayed if debug mode is enabled. Details on all the changes can be found at Westi on WordPress.

The update was released on the 29th and I got around to installing it this past weekend, along with updating numerous plug-ins. The update wasn’t too tough but mainly because I assumed things would work OK and didn’t do too much testing. I had seven plug-ins to update, although only five were actually in use. Against common sense I updated all the plug-ins and WordPress itself on my test site without doing a backup first. I replaced all the WordPress files rather than picking out the 16 that changed. There weren’t any DB changes but I ran upgrade.php on my test site just to be sure and was told there weren’t any DB changes.

Updating the regular site was just a matter of copying the new WordPress and plug-in files up to the new site. But in this case I did do backups first.

WordPress Update Notifications

With WordPress 2.3 notification about updates began to be included in the admin panel. If WordPress itself needs to be upgraded there a message along the top of the admin panel and down on the footer too. This makes it nice to not have to go looking for updates on a regular basis even if it doesn’t alleviate the annoyance of the moment when an unexpected update notification pops up. The plug-in page also displays info on plug-ins that are out of date, although this requires the plug-in to be hosted in WordPress.org’s plug-in library.

Some plug-ins don’t provide very much information about the update so it’s hard to know if it’s worth the update. I’ve avoided updating just because it says there’s a plug-in update. Instead I tend to group them together for when I have time or when I need to install a security related update (like this time). Some plug-ins can update frequently like the one that was updated twice (at least) this month. I found that out when the update I had download two days previously was out of date when I applied it.

There’s also been other little things that make doing update easier, like a link to deactivate all plug-ins at once.

WordPress Anti-Spam

The Akismet anti-spam plug-in is included with WordPress and it’s probably what most people use. It’s free (for non-commercial use on blogs that make less than $500/mth) so that’s a plus. The actual spam detection process occurs on Akismet’s. This means your server doesn’t have to handle the processing which could be a benefit. But it does mean that it the Akismet servers are busy your comments may not be processed and spam may get through. Paid Akismet users do get priority. Another benefit, at least in theory, is that Akismet can take the knowledge learned as it processed comments for spam and help everyone. I used it at first and have to say it worked well but did let some stuff through, especially trackback spam.

I started using Spam Karma 2 back in October and it’s worked almost flawlessly. I seem to recall a comment/trackback or two getting through but can’t remember anything specific. I also can’t recall it eating any legit comments. While the ability to tweak the settings is nearly endless I pretty much stuck to the defaults. The plug-in was just updated in May and the author recently announced another update is pending. But then he says:

This will also likely be the last update to Spam Karma (which should still give us all quite a few months respite from spam). Barring any unforeseeable circumstances, there will be no more compatibility update to try and keep up with Wordpress’ habit of breaking compatibility with each of their [numerous] releases. Furthermore, there is increasingly little point in “competing” against Akismet, when it is bundled and marketed as the principal Wordpress antispam tool (even if I personally do not like its approach).

It’s probably an unfair comment, but the bundling of Akismet reminds me of the bundling of IE with Windows. (But Akismet is a plugin so easily avoided, unlike IE) Still, Spam Karma 2 will work for the foreseeable future, hopefully through the next couple of WordPress upgrade cycles.

Dozens of other spam tools are available through the WordPress codex.

EMail Address Harvesting

There are several plug-ins available to protect email addresses from being harvested from WordPress. For awhile I used the email immunizer plug-in and this seemed to work well. This allows email addresses to be specified normally and they can be read by humans but put in their HTML equivalents for spam bots. But if the plug-in breaks or stops working the addresses will also appear in plain text for the bots. I stopped using this simply to reduce the number of plug-ins I used. There are several similar plug-ins at the previous spam tools link.

Backups

As with any security measures backups of data have to be included.

The WordPress Database Backup plugin can be used to backup the WP database. I only use this occasionally as I’ve had some problems with it. If I try to back up all the tables I inevitably exceed the cpu quota with my web host and get locked out for a minute or two. I still use it to back up the basic tables before an upgrade. I also had problems when trying to schedule backups through the plugin, again my web host didn’t seem to like it. The plugin has been updated since I tried scheduling backups but I’m not entirely comfortable sending a copy of my SQL database through email.

These days I’m more likely to use the built-in WordPress export feature to save all my posts, comments and categories to a local file than use the WPBackup plugin although the next two items are my primary backup methods.

I also use my web hosts own backup facility to back up my SQL databases and download the backup to my local computer.

To back up all the files on the site I schedule a nightly backup with Transmit.

WordPress Security Resources & Links

Some additional WordPress security resources:

BlogSecurity.Net - A site with information and tools related to blog security. Most of their content is related to WordPress.

The WordPress Development Blog will bring news of the latest releases.

Help Net Security is a general network security site that contains a lot of WordPress information. Their latest WordPress article is a list of WordPress security plug-ins.

Bad Neighborhood and the Bad Neighborhood blog are primarily SEO related sites but it includes the WordPress Login Lockdown plug-in which can be used to prevent brute force attacks to guess your WordPress admin password.

This article at Quick Online Tips has 3 suggestions for securing a WordPress blog such as removing the version info from the header and preventing the display of what’s in your plug-ins directory.

Spam Counts

This weeks spam counts:

Primary Mailbox 30-day spam count: 3

This is down one from last week and none of the spam is new, the last one arriving in the 13th.

Public Mailbox 30-day spam count: 176

The total is unchanged from last week but there was plenty of new spam.

Website comment and trackback spam: 7,500

This means there were 96 new ones from last week.

Other News & Links

Some non-WordPress news & links that caught my attention this week.

ArsTechnica.com: Adobe, Omniture in hot water for snooping on CS3 users - A little more info about the snooping being done in Adobe CS3. But no info from Omniture about the curiously crafted URL that the info is sent to.

CNet.com: Problems updating the Flash player in Firefox? Here’s help - The article provides the reasons I hate Flash player. What the rather long article explains is the steps necessary to remove the old, vulnerable versions of Flash Player.

Davidairey.co.uk: WARNING: Google’s GMail security failure leaves my business sabotaged - David has his GMail account hacked due to a vulnerability (since fixed) which led to him having his domain name stolen from him.

Dynamoo.com: Js/snz.a - likely false positive in eTrust / Vet Anti-Virus - Another probable false positive which will hopefully be fixed by the time you read this.

Lifehacker.com: How to Selectively Share Google Reader Feeds - There’s been a bit of a dust up over Google automatically sharing the Google Reader shared items with all contacts. Here’s a way to selectively share feeds.

Security Fix - Brian Krebs on Computer and Internet Security - (washingtonpost.com)- The storm work is now spreading via Google’s blogspot blogs.

Techdirt.com: Will Patent Battles Make Your Computer Less Secure? - TechDirt is concerned that patents could be used to hold back progress and make PCs less secure.

UneasySilence.com: Lies, Lies and Adobe Spies - No specifics as to what’s going on here, but Adobe CS3 seems to be calling home and trying to obscure exactly what it’s doing by using a website name designed to look like a local IP address.

ShareThis

Not much happening this holiday week so just some spam numbers and links.

Spam Counts

My primary mailbox (which manages multiple addresses) didn’t get any new spam messages and the 30-day count is down to four from last week’s seven.

My more public GMail address received a bunch of spam messages this past week, all of which was filtered by GMail. The thirty day count jumped to 176, up from 154 messages last week.

This site’s spam comment count jumped to 7,414, up 73 from last week. All were caught by the Spam Karma plugin.

News & Links

ArsTechnica.com: Malware construction kit authors arrested, to be tried - The Russians have arrested two malware toolkit authors.

CNet.com: Problems updating the Flash player in Firefox? Here’s help - The article provides the reasons I hate Flash player. What the rather long article explains is the steps necessary to remove the old, vulnerable versions of Flash Player.

Davidairey.co.uk: WARNING: Google’s GMail security failure leaves my business sabotaged - David has his GMail account hacked due to a vulnerability (since fixed) which led to him having his domain name stolen from him.

Engadget.com: Security exploit bricks HP and Compaq laptops - Engadget reports on a Polish security researching finding yet more exploits in HP/Compaq products.

Heise-Security.co.uk: Antivirus protection worse than a year ago - Heise Security points to a study that shows antivirus effectiveness has fallen from a year ago. One reason given is the "professionalization of the malware scene".

Kaspersky.com: False positive detection - system file explorer.exe - Here’s the Kaspersky fix if you got bit by the false virus detection on explorer.exe

News.com: Kaspersky inadvertently quarantines Windows Explorer - Kaspersky had a problem with their virus definitions and quarantined explorer.exe as the Huhk-C virus.

Techdirt.com: Sears.com - Join Our Community… So We Can Spy On Your Every Online Move - Techdirt brings news of a report from CA that Sears.com’s "community" is really a ploy to get you to install the Comscore toolbar and watch your online moves.

ShareThis

The Leopard update was a 35.4MB download on my Intel Macs through Apple Automatic Update. It’s also available as a 35.6MB standalone download. There are two versions for Tiger. The PPC version is a 15.9MB standalone download and the Universal version is a 27.4MB standalone download.

I applied the update to my iMac, MacBook and Mac Mini. All are running OS X 10.5.1 Leopard on Intel cpu’s. I’ve been running the update for a little over a day without a specific problem but have had some new instability. Not necessarily due to the updates, but they are new problems.

On my iMac Parallels is a bit unstable. Windows XP SP2 is having some network connectivity issues and some keyboard issues. On the network side of things some connections time out through Windows while connecting fine in OS X. There’s so many potential failure points for Internet sites it’s hard to point the finger at the update and be sure. The keyboard issue within Parallels is more annoying. Sometimes the VM starts up in caps mode (while staying lower case in OS X) until I restart the VM. It also buffers keystrokes and falls behind my two-finger typing. But, I haven’t seen any info that others are experiencing the problem.

My MacBook has gotten the gray screen of death once since the update. It was soon after startup and Safari was the only app running. I think that was the first OS crash for the MacBook. It’s been OK since and I’m using it now.

The problems can’t be tied to the update and they aren’t persistent, but my Macs have been stable and the updates were the last change before the problems occurred. That’s usually the place to start.

Spam Counts

Time to start keeping track of my spam again, at least for awhile.

Spam to my primary GMail mailbox (which manages multiple email addresses) has had seven spam messages in the last 30 days. What’s interesting is which e-mail addresses were used. Back in October when I redesigned the web site I decided to stop using two addresses which appeared on the site. I removed one at that time. I missed the second one and it still appears on the web site in clear text/html since I removed the obfuscation plug-in. The one in clear text since October picked up three email messages that are clearly spam. The address that I removed was picked up by a software company and I received three "promotional" emails from them. You could say they’re on topic for the blog but there’s no unsubscribe link and GMail sees them as spam.  The seventh spam email was sent to my Yahoo email which I’ve never given out. I canceled AT&T/Yahoo as my ISP but the email account remains.

A GMail address I use extensively picked up 2 spam messages in the last 30 days, both blocked by GMail. I don’t use this account with places that are high spam risks but I’m actually surprised there’s not more yet.

A third GMail address that gets used almost exclusively where there’s a high risk of spam received 154 spam emails in the last thirty days. This is less than 50% of what the count was in June. On June 24th there were 343 spam messages in the previous 30 days.

Much to GMail’s credit their spam filter works well for me a they didn’t let anything through and didn’t flag anything I wanted.

I use the Spam Karma plugin for Wordpress on this website. So far its caught 7,341 spam comments.

News & Links

Apple.com: About the security content of Java Release 6 for Mac OS X 10.4 - Apple released a java security update for mac OS X 10.4 Tiger. I don’t have any Macs running Tiger so don’t have any first hand experience.

Apple.com: Safari 3 Beta Updated - Safari 3.0.4 beta for Windows XP/Vista.

ShareThis

MS07-063 is for Windows Vista, including the 64-bit version, and is rated as Important. The vulnerability could allow remote code execution but it’s mitigated by the fact that SMB2 is off by default and not used when connecting to previous OS’s (like Windows XP).

MS07-064 is for DirectX 7 and 8 on Windows 2000; DirectX 9 on Windows 2000, Windows XP and Windows Vista; DirectX 10 on Windows Vista. The patch is rated Critical on all systems.

MS07-065 is for Windows 2000 Pro and Windows XP. It’s rated as Important on Windows 2000 and Moderate on Windows XP. An attacker that already has valid logon credentials could elevate their privileges.

MS07-066 is for Windows Vista, including 64-bit, and is rated as Important. The vulnerability could allow the elevation of privileges.

MS07-067 is for Windows XP and it’s rated as Important. It also allows privilege elevation.

MS07-068 is for Windows 2000, Windows XP and Windows Vista and it’s rated as Critical. The patch varies based of the version of the Windows Media Format Runtime that is installed and isn’t OS specific. The vulnerability can allow remote code execution.

MS07-069 is the always expected Internet Explorer Cumulative update and is for Internet Explorer 6 and Internet Explorer 7 on Windows 2000, Windows XP and Windows Vista. And also for Internet Explorer 5.01 on Windows 2000. It’s rated as Critical on all desktop OS’s.

I run a basic (no additional software) Windows Vista Ultimate VM and it updated without a problem. The same for a basic Windows XP SP2 VM I also run. The updates were installed through Automatic Update.

News & Links

ArsTechnica.com: Rating antivirus software: vendors to agree on standard testing guidelines - Software vendors are working to come up with a standard way of evaluating and comparing AV software.

ArsTechnica.com: SAFE Act won’t turn mom-and-pop shops into WiFi cops - There was a lot of hysteria about this bill in various articles. Mainly saying that it required free Wi-Fi providers to monitor users. Ars Technica has a more reasoned article (as they usually do).

Avast.com: Avast AntiVirus Home Edition - Free virus protection for your home PC - Avast has updated their free (or personal use) Anti-Virus software.

F-Secure.com: Data Security Summary - July to December 2007 - F-Secure has published their year-end data security summary in both written and video form.

Google Privacy: Emails, Off-the-record Chats - Continuing the privacy theme, information on GMail and Google chat.

News.Com: Free online service cuts back on catalog clutter - Reduce the snail-mail spam.

News.com: Grisoft acquires Exploit Prevention Labs - Grisoft adds web page scanning to its tools.

OpenOffice.org: OpenOffice.org 2.3.1 Released - OOo released version 2.3.1 which patches one vulnerability and includes a few other bug fixes.

Techdirt.com: Verizon’s Idea Of Security: We Block Spyware… Unless It’s From Our Partners - TechDirt says Verizon’s security service has some deficiencies.

WashingtonPost.com: Top 10 Best & Worst Anti-Phishing Web Registrars - Security Fix - Some registrars are better than others when taking down phishing sites. Plus, there’s an effort to standardize the take down process.

WinSuperSite.com: Windows Live OneCare 2.0 Review - Good review of the latest Windows OneCare version

Wired.com: AIM Hack Shows AOL Hasn’t Patched Critical Security Hole - AOL often plugs vulnerabilities in AIM by doing server-side filtering.

Yahoo.com: Google Disables Some Gmail Accounts by Mistake - Seems like Google disabled some GMail accounts for spamming or other TOS violations. It’s all better now, but some mail may have been bounded.

ShareThis

I find it interesting that Google most definitely has as much info about users but tries to keep a low profile. When there’s a uproar about Google it’s what they might do with the data. With Facebook it’s what they were actually doing with the data. Google pulls us in slowly, Facebook wanted it to overwhelm us.

Also in the privacy arena, the November 22nd Security Now Podcast talked about third -party cookies, specifically PayPal’s routing of links through Doubleclick to avoid the issue of browsers rejecting third-party cookies. As the podcast mentions, this could give the Doubleclick advertising access to information about you. I don’t use PayPal a lot, and while I don’t like what they do I won’t use it any less. I use PayPal when a credit card isn’t accepted or I don’t want to give a website my credit card number so it would remain my preferred, if reluctant, choice. It may get me go through the hassle of using a one-time credit card number my bank offers.

Software Vulnerabilities

Symantec is reporting than an active exploit is in the wild for a QuickTime vulnerability that was first reported last week. From the article:

Hamada said the exploit code was found on a compromised porn site that redirects users to a site hosting malicious software called “Downloader.” Downloader is a Trojan that causes compromised machines to download other malicious software from the Internet. Symantec rates Downloader as “very low” risk.

A second QuickTime flaw has also just been reported.

News & Links

Blogger in Draft: New feature: OpenID commenting - Google has begun testing OpenID with their “Blogger in Draft” program.

CNet.com: McAfee Internet Security Suite 2008 - complete package Internet security and firewall reviews - CNet review McAfee Internet Security Suite 2008 and rated it 7.3 out of 10 and said “McAfee Internet Security 2008 trounces Norton Internet Security 2008, offering a better designed product with more security tools.”

Google Online Security Blog: Help us fill in the gaps! - Google is asking users to report malicious websites they come across by filling out a online form.

MSNBC.com: Virus experts warn of ‘Google poisoning’ - The Red Tape Chronicles - Info about malware distribution via websites is making it’s way in to the general news.

News.com: Inviting the hackers inside - News.com article about how Microsoft has taken a more inclusive approach to security.

News.com: Yahoo, Adobe team on PDF ads - Advertising can now infect PDF files.

WinSuperSite.com: Windows Live OneCare 2.0 Reviewc- Good review of the latest Windows OneCare version

Wired.com: Spammers Giving Up? Google Thinks So - Google says that spam is down (as a percentage of all mail) through their GMail system.

theage.com.au: Flaw leaves Microsoft looking like a turkey - Vulnerability in Windows that was thought patched 5 years ago still exists under some conditions. Vista is affected too. via tech.blorge.com

ShareThis

MS07-061 is a critical update for Windows XP on the desktop. It’s for both the regular and 64-bit editions. It supersedes MS06-045 and patches a vulnerability that allowed remote code execution when a specially crafted URI was passed. Windows 2000 Professional & Windows Vista are not affected. Several server versions also require the patch. I needed to reboot after installing this patch through automatic update.

MS07-062 was also released but it is only for servers.

Old Business

I’d previously written about the Paypal security fob and VeriSign’s Personal Identity Protection program (PIP). Verisign has since added a credit card sized “security card” that can be carried in a wallet. It’s not available at the subsidized PayPal price and it’ll set you back $48. At least it appears these are gaining traction which is good. It appears that now multiple fobs can be registered with the same ID so you can have one for the home and one for the office if you don’t want to carry them.

News & Links

News.com: Microsoft exec calls XP hack ‘frightening’ - Not really news, but points out that patching is needed. A Windows XP SP1 PC without a firewall or other security software was easily hacked, is this really news? SP2 enables a firewall by default.

News.com: ‘Botmaster’ admits infecting 250,000 computers - Security consultant by day, botmaster by night. John Schiefer could get a 60 year jail sentence after pleading guilty.

News.com: Infamous Russian malware gang vanishes - The Russian Business Network has vanished. No one thinks they packed their toys away.

Wired.com: Encrypted E-Mail Company Hushmail Spills to Feds - HushMail’s easiest to use service not so private. Hushmail provides encrypted e-mail. They offer a service that provides encryption on their server. While easier to use it does mean they see your passphrase, unlike their client-side encrypt products.

arstechnica.com: Malware-pushing web sites on the rise, say researchers: 66,000 and counting - Malware hosting websites on the rise according to researchers.

crunchgear.com: Drive Erazer erazes your drivez - If you have a lot of hard drives that you really want to erase.

engadget.com: Some Maxtor Personal Storage 3200s shipped with virus - Oops.

ShareThis

The only real news here was that OS X was specifically targeted by a malware writer. It didn’t exploit any deficiency in OS X security. The only way to get the malware to install was to convince the user that they wanted to install the software. Intego and other security software vendors are promoting the fact that they can detect the trojan.

Let’s look at what’s involved to infect a Mac with this bug. You had to:

• Visit a website, in this case a porn site, and be enticed into downloading a file. In this case it was said to be a codec needed to view some videos.
• After downloading the DMG file you had to open it and run the installer.
• When the installer ran you’d be prompted for your password which you’d have to enter.
• Then the software would install.

So the only security hole was between the keyboard and the chair, not in the software.

MacWorld has a good article on how to detect the trojan.

The first rule of PC (personal computer, including Macs) should always be only install software from trusted sources. This wasn’t a drive-by install where the user visited a website and it automatically installed. On the other hand, there are people who say they visit websites in bad neighborhoods with Macs since it’s safe and secure. This does show that Macs are beginning to be targeted so that is probably not a good attitude. As much care needs to be taken on Macs as on Windows machines.

One of the things that make Macs a less than perfect choice for visiting bad neighborhoods is that Safari has “Open Safe Files after downloading” enabled by default. It’s a poorly named option and should be turned off. Safari doesn’t determine safety. What it really means is that it will open files which don’t automatically execute anything when all system are working. This includes DMG and PDF files which have recently carried malware. If a vulnerability was found that enabled auto execution this default setting could be deadly. If nothing else, the name gives a false sense of security since it sounds like OS X can determine if the file is safe or not. This is set under Safari preferences, on the general tab. Click the thumbnail at the beginning of this paragraph to see the setting. The screen shot shows the Safari defaults.

If you want to visit bad neighborhoods or want an extra level of protection there is software available to help protect your Mac.

ClamXAV is an free (donationware) virus checker for OS X that’s built on the open source ClamAV anti-virus engine. The software allows certain directories to be watched and all file changes in those directories will be scanned. Scans can also be scheduled. There isn’t any real-time scanning, other than the watch directories feature. I used ClamXAV under Tiger but there are currently Leopard issues so I haven’t re-installed it since upgrading. These issues appear related to scheduling an other non-detection related features.

Intego has a full menu of security products. They are clearly the market leader in OS X security software. When I switched from Windows I naturally wanted anti-virus software so I purchased an earlier version of their anti-virus software. While I never came across any viruses for it to detect the software seemed fine. My main complaint is I feel they’re expensive. Be aware that their products that include definition updates may have just a one year subscription. I stopped using them when my subscription ran out and I didn’t feel the upgrade cost was justified for me. They also promoted paid upgrades through the same update engine that pulled down virus definition updates but didn’t identify them as paid until the update was selected, which was annoying. Intego has stated all their products are Leopard compatible. Trial versions are available.
MacScan by SecureMac is AntiSpyware program for OS X that is currently Leopard compatible. This is a traditional anti-spyware program that scans the Mac on demand or on a schedule. Detection ranges from tracking cookies to key loggers. A thirty day demo is available. I downloaded and ran the demo today. I’ll have more info when I’ve run it awhile but it’s a fairly simple interface as is shown by the thumbnail at the beginning of this paragraph (click to see full screen). The 41 pieces of spyware detected in the scan where all tracking cookies from websites and web ads. When spyware is detected you have the option of picking and choosing which you want “isolated” in MacScan terms. Despite the term, tracking cookies are just deleted.

Both McAfee and Symantec have security software for the Mac. Neither seems to have particularly good reviews available. The Symantec software can be viewed here (select Macintosh Products from the drop down list). McAfee information is here. Neither Symantec or McAfee products appear Leopard ready.

ClamXav and MacScan appeal to me because they are non-intrusive on the system. They are also the lowest cost solutions. I’ll probably stick with ClamXav.

The Intego, McAfee and Symantec products all cause me the same concern - that they’re too intrusive on the system and aren’t worth the performance cost. But if I knew I’d be going into bad neighborhoods I’d give Intego a try. At least they’re dedicated to the Mac platform. Just beware of feature bloat intended to justify their existence and upgrades.

I’m a believer that computer habits are better prevention than software. If your switching from Windows and used anti-virus, or have been using a paid virus scanner on the Mac ask yourself how many viruses were detected by the software you used.

Software News

CCleaner - Home - CCleaner is a freeware privacy tool and has recently been updated to version 2.02.525.

TUAW.com: Free download of 1Password 2.5.3, courtesy Macworld - 1Passwd is free for a limited time and with limitations (no upgrades, no access to online version). Mac software used by many.

News & Links

Apple.com: Mac OS X 10.5: About the PubSub Agent - Apple let’s us know that it’s OK for PubSub to access our keychain.

BlogSecurity.net: ModSecurity and Wordpress: Defense in Depth - Paper about securing Wordpress

Bogus FTC e-mail has virus | CNET News.com - FTC’s name is being used by spammers to spread malware

Intego reporting new OS X trojan horse in the wild - The Unofficial Apple Weblog (TUAW) - New Mac trojan. Like the article says, it doesn’t install itself. It requires the user to install and provide admin permission.

Macworld.com: Secrets: How to: Discover malware before installing - MacWorld provides some tips with how to avoid and detect Malware without having to buy software

WashingtonPost.comDeconstructing the Fake FTC E-mail Virus Attack - Security Fix - interesting Security Fix blog post about a successful email phishing attack. The vulnerability exploited was the user. Note the update at the end which links to a report showing only 1/2 of AV software detected the malware.

WashingtonPost.com: Hiding In Plain Sight - Security Fix - I’ve told windows to show file extensions for so long I forgot about this. A good reminder to set windows to tell all it knows.

WashingtonPost.com: Salesforce.com Acknowledges Data Loss - Security Fix - looks like salesforce.com fell for a phishing scam and lost control of some customer data, resulting in a wave of phishing emails targeting their customers.

ShareThis

Under security preferences I enable requiring a logon when returning from sleep or screen saver and disable automatic logon.

It’s a minor inconvenience but if my Mac is ever stolen it will prevent them from logging on and using the Mac as me. It also makes it harder to get to the files on disk as they need some technical knowledge and another computer.

On a related note: I enable the Master Password in Firefox. I have to enter the password when I start Firefox but it would prevent someone from easily accessing website using my passwords by simply firing up Firefox.

Because my MacBook travels and is more likely to get stolen I usually enable FileVault, but I haven’t enabled it yet. I’ll enable it once I’ve used the laptop a few days and know it’s stable.

I was surprised to see that the firewall defaulted to “Allow all incoming connections”. This seems like a step back. The biggest single improvement Microsoft made to Windows security was the enable the firewall by default starting with Windows XP SP2. If your behind a home router there’s probably little cause for concern, but a direct Internet connection or a laptop that uses public networks would be at risk.

I set the firewall to block all incoming connections. Leopard will automatically open ports for the OS X services I enable. (This itself sounds like a problem in that it seems there’s not way to block some traffic on the firewall if Apple decides it’s needed.) If I find needed apps are being blocked I’ll change to “Set Access for Specific Servers and Applications” and add the apps to the list.

I also went into the Advance button and enabled logging (for curiosity) and Stealth mode.

When behind a home router (assuming it’s NAT enabled, almost all are) stealth mode is unnecessary and logging will (hopefully) confirm the Internet doesn’t see your Mac.

Then I went into my .Mac configuration and turned off Back to My Mac. I have nothing against it, but I won’t be using it for awhile and leaving it running seems to be inviting trouble. Some feel that back to My Mac has a security hole. But what it comes down to is how secure is your .Mac account? If it’s got a secure and secret password that’s not used by anyone you don’t want accessing your Mac then it seems fine.

I’ll have no problem turning it one once I’m ready to try it out.

The OS X firewall only blocks incoming connections. In the past I’ve used Little Snitch to manage outgoing connections but version 1 is not Leopard compatible and version 2 is still in beta. I’m not installing the beta , I’ll wait for the full release.

Security Vulnerabilities

There was a vulnerability announced in Wordpress 2.3. It’s resolved in 2.3.1 and doesn’t appear to exist in earlier versions.

News & Links

BBC.co.uk | Technology | PC stripper helps spam to spread - Spammers use strippers and malware to circumvent captchas and spread spam.

Techdirt.com: Remember How TJX Was The Worst Data Breach In History? Well, It Was Actually Worse
- TJX even worse than reported with data being used in frauds. From the article: “t doesn’t seem like anything is really done to stop companies from being so careless…”

arstechnica.com: Microsoft security report: Our newer software is more secure - Microsoft has released the third installment of their MS Security Intelligence Report. Newer stuff is more secure.

news.com: McAfee to acquire ScanAlert - McAfee is acquiring ScanAlert. ScanAlert is the keeper of the “Hacker Safe” website security seal.

news.com: Report: U.S. tops list of spam-offending countries - Another report where the U.S. leads the world as the biggest spammer. It’s attributed to the large zombie population.

news.com:: Report: PDF files used to attack computers - PDF file attachments not being used to spread malware.

thereigster.co.uk: World’s most gullible supermarket chain falls victim to online scam - Email scam nets supermarket chain when they switch bank accounts based on an email. They claim due to our internal controls and processes, we were able to quickly discover…”. Perhaps they need better controls on email?

ShareThis

Apple has 11 new security features listed on their “300+ New Features” page. Some of the non-security features seem to be padding for the list, such as an “empty trash button”. How lame are the security features and which ones are padding?

The 11 from Apple’s list are:

1. Tagging Downloaded Applications:It all depends upon implementation but this sounds like a really good feature that contributes to security. When an application is downloaded to the Mac it is tagged as a downloaded app. Before it runs for the first time your prompted for your consent and are told it was downloaded, what application downloaded it and if possible what URL it came from. This one is definitely a useful feature.

2. Signed Applications: All apps shipped with Leopard are digitally signed and third-party developers can sign their applications. This one is probably more beneficial to sysadmins and all small segment of users, but most users probably won’t care. I’d still put this in the useful feature category.

3. Application-Based Firewall: In addition to port blocking you can also configure individual applications to allow or block incoming connections. OK, this is new for Leopard, but an evolutionary improvement that’s already in the Windows XP firewall and most third-party firewalls.

4. Stronger Encryption for Disk Images:OK, stronger is better, but this is borderline “new button” territory. It’s 256-bit AES instead of 128-bit AES. 128 bit is still an option. It’s an improvement, not a new feature and I suspect one most Mac users don’t care about. Governments and enterprises will probably welcome it.

5. Enhanced VPN Connection Compatibility: Like encryption, this is an improvement. A welcome improvement for people who need VPN. This could include people forced to use a public Wi-Fi network and wanting VPN for extra security.

6. Sharing and Collaboration Configuration: You can now share any folder on your Mac the same as Windows. I can see sysadmins cringe now. I’m not sure I’d call this a security improvement since users are often the weak link in security. It all depends upon implementation but it’s easier to share a directory to everyone rather than have to manage access and it’s easier to share an entire drive than folders. (I speak from experience.) I guess I’d agree this is new to OS X but I don’t think I’d put it in the security category unless it’s really well implemented.

7. Sandboxing: This one really depends upon the implementation but it’s a new feature and has the potential to significantly improve security. Applications can have their file access, network access, and ability to launch other apps limited. Apple has sandboxed Bonjour, Quick Look and the Spotlight indexer. A good security improvement but it depends upon the application and developers. This does deserve the “new feature” designation.

8. Multipe User Certificates: Allows you to maintain different digital certificates for different email addresses. Keychain can be used to associate certificates with email addresses. Signing email is becoming more common and anything that helps implement it is welcome. Another one that deserves the new feature monicur.

9. Enhanced Smart Card Capabilities: This is a welcome improvement targeted towards government and business.

10. Library Randomization: This loads system libraries to randomly assigned addresses which makes it harder for hackers. Vista has this too but it’s new to OS X and welcome.

11. Windows SMB packet Signing: Even the description makes this sound like something thrown in to pump up the numbers: “Enjoy improved compatibility and security with Windows-based servers.” So improved security is a good thing but it should hardly be on a new features list.

There’s one they put under the Network category that could help with security: New Airport Menu, now we’ll be able to identify secure WiFi networks. Sounds like they took it from Windows, but no shame in taking something that works.

Leopard Security Enhancement Summary

It’s actually not too bad. Only two shouldn’t be on the new feature list (6 and 11) and three are more along the lines of small enhancements (3, 4, 5) but the other six are worth identifying as new.

It’s nice to see Apple continue to address and improve security despite their reputation as a secure OS. I’d have to agree they aren’t paying lip service to security and made significant improvements.

Security Vulnerabilities

Real has released updates to several Windows versions of RealPlayer to address a security vulnerability. Mac and Linux versions are not affected.

Firefox 2.0.0.8 was released to address eight security vulnerabilities and add Leopard support.

Wordpress 2.3 has a vulnerability that allows a blogroll to be spammed. This thread describes the vulnerability and has a link to download an updated link.php file to plug it.

Security Software

AVG Anti-Virus Free Edition has been update to version 7.5.503 has been released.

Links & News

ArsTechnica.com: Comcast’s law enforcement handbook leaked, could teach telecoms a thing or two - Comcast document leaked. Makes them look good compared to telcos.

Macworld.com: I will behave cautiously online - Some tips for safe browsing. Even Mac users are vulnerable in this area since the operating system is irrelevant.

Macworld.com: I will keep my Mac safe from other users - Some tips on securing a Mac. Can’t say I do all these things

Macworld.com: I will use good passwords - Some tips for using passwords

ShareThis