Adobe fixes Reader and Acrobat

October 15, 2009 Leave a comment

Not only Microsoft released a bunch of patches to close security holes in their products, but also Adobe now ships updated software to fix several vulnerabilities in Adobe Reader and Acrobat which already get attacked with specially prepared PDF documents to take over control of vulnerable computers.

Users of Adobe Reader and Acrobat with earlier versions than the new 9.2 are advised to install the updated software immediately to protect themselves from the attacks; Adobe rates the vulnerabilities as critical. New versions of Reader are available for Windows, Mac and Unix. Further links for updates for different Acrobat versions are listed in Adobes security advisory.

Categories: freeware, malware, news, software, windows Tags: , , , , ,

13 Security Bulletins announced in Patch Tuesday

October 15, 2009 1 comment

Microsoft on tuesday announced 13 Security Bulletins for the October Patchday. 8 of them are concerning critical rated security vulnerabilities. The total count of security holes which the company plans to close is 34, according to the Microsoft Security Response Center.

The affected software includes Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server. Among the fixes that are gonna be provided is one for the SMBv2 vulnerability and one for the vulnerable FTP service IIS.

Administrators should prepare for those updates – most of them require a restart – and install them as soon as possible.

Categories: microsoft, news, security Tags: , , ,

Are your Firefox plug-ins up-to-date?

October 15, 2009 Leave a comment

The Mozilla Foundation has published a check for web browser plug-ins. Just by visiting the web site you can immediately see if your plug-ins are up-to-date (green), outdated but without known vulnerabilities (yellow) or if they are known to have security holes and are outdated (red).

The check is supposed to work for Java, Adobe Reader, Flash, Shockwave, QuickTime, Windows Media Player and DivX. Supported operating systems are Windows, Mac OS X and Linux. If a plug-in is outdated, you can click on the button next to it to be sent to the manufacturer’s homepage and fetch the update.

Firefox 3 did warn of an invalid certificate. As the check isn’t final yet, this may be tolerable – but if the service gets official, Mozilla should definatly fix the certificate.

Categories: firefox, internet, news, security, websites Tags: , , , ,

Exploit for SMBv2 hole in Vista publicly available

September 30, 2009 1 comment

10 days ago first exploit code for the security vulnerability in the SMBv2 protocol appeared in the underground. Today working exploit code for the open source penetration testing framework Metasploit was released. Therewith it is possible for the cybercriminals to produce malware which infects vulnerable systems – Windows Vista, Windows Server 2008 and Windows 7 up to Release Candidate 1.

Now administrators should take countermeasures if they haven’t done so yet. Microsoft doesn’t provide a patch to solve the issue, but offers a “1-click-tool” which disables SMBv2 services on the affected systems. This can have a small performance impact. Another suggested solution by Microsoft is to block traffic to the TCP Ports 139 and 445 – which would disable Windows Network Sharing altogether.

I’am constantly monitoring the malware scene – if malware using this attack vector appears we can protect our customers very fast. Anyhow it is a good idea to implement the workaround with the Fix-it-for-me-tool.

Categories: microsoft, security, windows Tags: , , ,

Proper Passwords

September 16, 2009 Leave a comment

Every now and then security researchers stumble over a database which holds user data like account names and passwords. Amazingly, each and every time the passwords seem to be the same when analysed.

This time Tõnu Samuel found such a database and counted the passwords. While he tried to spot differences between male and female password choosing habits, for me the most interesting part is the overall view. The top ten passwords are:

Password Gender Occurrences
123456 M 17601
password M 4545
12345 M 3480
1234 M 2911
123 M 2492
123456789 M 2225
123456 F 1885
qwerty M 1883
12345678 M 1791
<NAME-OF-PORTAL-WAS-HERE> M 1489

So the best guess for a user password is still 123456. This isn’t coincidence – just take a look at the ‘Top 500 worst passwords of all time’.

When it comes to choose a password, you should always have such statistics in mind. Also dictionary attacks are quite usual – with all permutations like word combination, backwards spelling, capital letters in all positions, ‘leet substitution’ (31337) and also adding numbers.

A good password doesn’t contain words that you can find in a dictionary. Try to take the first letters of the words of a sentence that you can remember. Make some of them capital and add special signs and numbers. An example: ‘My two Children are getting up at 7 a.m. in the morning.’ could result in ‘M2Cagua7amitm’. There are still special signs missing, but you get the point. This password is also long enough to make brute force or rainbow table attacks less likely to be successful.

Categories: internet, news, passwords, security Tags: , ,