Adobe fixes Reader and Acrobat

October 15, 2009

Microsoft is not the only vendor releasing a bunch of patches to close security holes in its products: Adobe now also ships updated software to fix several vulnerabilities in Adobe Reader and Acrobat, which are already being attacked with specially prepared PDF documents to take control of vulnerable computers.

Users of Adobe Reader and Acrobat with versions earlier than the new 9.2 are advised to install the updated software immediately to protect themselves from the attacks; Adobe rates the vulnerabilities as critical. New versions of Reader are available for Windows, Mac and Unix. Further links to updates for the different Acrobat versions are listed in Adobe's security advisory.


13 Security Bulletins announced in Patch Tuesday

October 15, 2009

On Tuesday, Microsoft announced 13 Security Bulletins for the October Patchday. 8 of them concern security vulnerabilities rated critical. The total count of security holes which the company plans to close is 34, according to the Microsoft Security Response Center.

The affected software includes Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server. Among the fixes that are going to be provided is one for the SMBv2 vulnerability and one for the vulnerable FTP service in IIS.

Administrators should prepare for those updates – most of them require a restart – and install them as soon as possible.

Are your Firefox plug-ins up-to-date?

October 15, 2009

The Mozilla Foundation has published a check for web browser plug-ins. Just by visiting the web site you can immediately see if your plug-ins are up-to-date (green), outdated but without known vulnerabilities (yellow) or if they are known to have security holes and are outdated (red).

The check is supposed to work for Java, Adobe Reader, Flash, Shockwave, QuickTime, Windows Media Player and DivX. Supported operating systems are Windows, Mac OS X and Linux. If a plug-in is outdated, you can click on the button next to it to be sent to the manufacturer’s homepage and fetch the update.

Firefox 3 did warn of an invalid certificate. As the check isn’t final yet, this may be tolerable – but if the service becomes official, Mozilla should definitely fix the certificate.

Exploit for SMBv2 hole in Vista publicly available

September 30, 2009

10 days ago, the first exploit code for the security vulnerability in the SMBv2 protocol appeared in the underground. Today, working exploit code for the open source penetration testing framework Metasploit was released. This makes it possible for cybercriminals to produce malware which infects vulnerable systems – Windows Vista, Windows Server 2008 and Windows 7 up to Release Candidate 1.

Administrators should now take countermeasures if they haven’t done so yet. Microsoft doesn’t provide a patch to solve the issue, but offers a “1-click-tool” which disables SMBv2 services on the affected systems. This can have a small performance impact. Another solution suggested by Microsoft is to block traffic to TCP ports 139 and 445 – which would disable Windows Network Sharing altogether.

I am constantly monitoring the malware scene – if malware using this attack vector appears we can protect our customers very fast. Anyhow it is a good idea to implement the workaround with the Fix-it-for-me-tool.

Proper Passwords

September 16, 2009

Every now and then security researchers stumble over a database which holds user data like account names and passwords. Amazingly, each and every time the passwords seem to be the same when analysed.

This time Tõnu Samuel found such a database and counted the passwords. While he tried to spot differences between male and female password choosing habits, for me the most interesting part is the overall view. The top ten passwords are:

Password    Gender  Occurrences
123456      M       17601
password    M       4545
12345       M       3480
1234        M       2911
123         M       2492
123456789   M       2225
123456      F       1885
qwerty      M       1883
12345678    M       1791

So the best guess for a user password is still 123456. This isn’t a coincidence – just take a look at the ‘Top 500 worst passwords of all time’.

When it comes to choosing a password, you should always have such statistics in mind. Dictionary attacks are also quite common – with all permutations like word combinations, backwards spelling, capital letters in all positions, ‘leet substitution’ (31337) and appended numbers.

A good password doesn’t contain words that you can find in a dictionary. Try taking the first letters of the words of a sentence that you can remember. Make some of them capital and add special characters and numbers. An example: ‘My two Children are getting up at 7 a.m. in the morning.’ could result in ‘M2Cagua7amitm’. There are still special characters missing, but you get the point. This password is also long enough to make brute force or rainbow table attacks less likely to be successful.
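The checks described in this post can be applied when a password is set. The following Python check is an added example, not part of the original post: it rejects a candidate that appears in the table above or that reduces to a dictionary word once capitals, leet substitution, appended numbers and backwards spelling are undone. The WORDS list, the leet map and the 10-character minimum are constructed assumptions; a real deployment would load a full dictionary.

```python
import re

# Passwords taken from the table in this post.
COMMON = {"123456", "password", "12345", "1234", "123",
          "123456789", "qwerty", "12345678"}
# Constructed stand-in for a real dictionary (assumption).
WORDS = {"password", "dragon", "monkey", "summer", "children"}
# Undo common leet substitutions (assumed mapping): 0->o, 1->l, 3->e, ...
LEET = str.maketrans("013457@$", "oleastas")


def candidates(password):
    """Return the normalised forms that typical mangling rules also cover."""
    lowered = password.lower()
    # Drop numbers/symbols added in front of or behind a word.
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms = set()
    for base in (lowered, stripped):
        for form in (base, base.translate(LEET)):
            forms.add(form)
            forms.add(form[::-1])  # backwards spelling
    return forms


def weakness(password, min_length=10):
    """Return a reason string if the password is weak, otherwise None."""
    forms = candidates(password)
    if any(f in COMMON or f in WORDS for f in forms):
        return "common password or dictionary word"
    for f in forms:
        # Word combination: two dictionary words glued together.
        if any(f[:i] in WORDS and f[i:] in WORDS for i in range(1, len(f))):
            return "combination of dictionary words"
    if len(password) < min_length:  # assumed minimum length
        return "too short"
    return None


if __name__ == "__main__":
    for pw in ("123456", "P4ssw0rd2009", "drowssap",
               "SummerDragon1", "M2Cagua7amitm"):
        print(pw, "->", weakness(pw) or "ok")
```
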

Microsoft Patchday Reloaded

September 16, 2009

Now that hasn’t happened for a while: Microsoft updated one of the security bulletins from Tuesday. It deals with a security flaw in TCP/IP networking. The first version of the bulletin mentioned Windows 2000, Vista, Server 2003 and Server 2008 as affected. The updated version also mentions Windows XP as affected.

Consequently, all Windows XP users should run Windows Update again (as soon as the patch is available for XP, it currently isn’t) – though the impact of the error isn’t as critical as in Vista or Server 2008, where it allows for remote code execution. In Windows XP it is possible to cause a Denial of Service (DoS) condition by sending manipulated network packets to the unpatched computer.

Update: Microsoft updated the bulletin once more. Now it states “By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability.” So an update won’t be available any time soon – if at all, because in the default installation no service is listening on the network interface.

Firefox Update closes Drive-by-Download-Flaws

September 16, 2009

The Mozilla developers released Firefox 3.5.3, which fixes a total of 4 security holes in the web browser. Three of them are considered critical and allow an attacker to execute code within the browser with the highest privileges and to compromise the computer. Attackers could abuse these vulnerabilities to inject, for example, Trojans and other malware onto the victim’s computer – just with manipulated web pages.

With Firefox 3.5.3, the developers also added a nice new feature to the software: It’ll warn users if their Adobe Flash Player plug-in is outdated and must be updated. They’ll extend this feature for other plug-ins, according to the Mozilla Security Blog.

Please install the update as soon as possible. The easiest way is to go to the Help menu and click on “Check for Updates”. You can also download the whole installation package on the Firefox web site.