Archive for the “Technology” Category

Adobe Corrects At Least Seven Vulnerabilities in Flash Player and Air

Adobe also warns of a zero-day flaw in Illustrator CS3 and CS4

Severity: High

9 December, 2009

Summary:

§ This vulnerability affects: Adobe Flash Player 10.0.32.18 and earlier, running on all platforms. Some flaws also affect Adobe AIR 1.5.2

§ How an attacker exploits it: By enticing your users to visit a website containing malicious Flash content

§ Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it

§ What to do: Download and install the latest version of Adobe Flash Player and Air

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash, usually delivered as a .SWF (Shockwave Flash) file. Flash Player ships by default with many web browsers, including Internet Explorer (IE), and runs on many operating systems.

In a security bulletin released on the same day as Microsoft Patch Day, Adobe warned of at least seven critical vulnerabilities that affect Adobe Flash Player 10.0.32.18 for Windows and Macintosh (and all earlier versions). Some of the flaws also affect Adobe AIR 1.5.2. Adobe’s bulletin lists seven CVE numbers, which suggests that the update fixes seven distinct security vulnerabilities. The bulletin doesn’t describe the flaws in much technical detail. However, it does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Flash content, he could exploit many of these unspecified vulnerabilities to execute code on that user’s computer with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit such a flaw to gain full control of their PC. Note that the malicious content does not have to come from a site the user chose to visit: a crafted .SWF served through an advertisement or an iframe on an otherwise legitimate page is enough. If you use Adobe Flash Player in your network, we recommend you download and deploy the latest version throughout your network as soon as possible.
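A cheap way to triage a suspect .SWF before it reaches a user is to validate its header rather than trusting the file extension or MIME type. The block below is an added example, not code from the original post or from Adobe: it parses the SWF header (signature, version, declared length, stage RECT, frame rate, frame count) as laid out in the published SWF file format, handles both uncompressed FWS and zlib-compressed CWS containers, and flags a declared length that disagrees with the real size, one common sign of a hand-crafted file. The sample files it builds are constructed here for the demonstration.

```python
"""Parse and sanity-check the header of an SWF (Flash) file.

Added example for this post; not code from Adobe or from the original page.
Header layout follows the published SWF file format specification.
"""
import struct
import zlib


class SwfHeaderError(ValueError):
    """Raised when the bytes are not a plausible SWF file."""


def _parse_rect(body: bytes, pos: int = 0):
    """Decode the bit-packed RECT at `pos`: a 5-bit field width, then four
    signed fields (xmin, xmax, ymin, ymax) of that width, in twips."""
    if pos >= len(body):
        raise SwfHeaderError("truncated before frame RECT")
    nbits = body[pos] >> 3
    total_bits = 5 + 4 * nbits
    nbytes = (total_bits + 7) // 8
    if pos + nbytes > len(body):
        raise SwfHeaderError("truncated inside frame RECT")
    chunk = int.from_bytes(body[pos:pos + nbytes], "big") >> (nbytes * 8 - total_bits)
    fields = []
    for i in range(4):
        v = (chunk >> ((3 - i) * nbits)) & ((1 << nbits) - 1)
        if nbits and v >> (nbits - 1):      # sign bit set: two's complement
            v -= 1 << nbits
        fields.append(v)
    return fields, pos + nbytes


def parse_swf_header(data: bytes) -> dict:
    """Return the header fields plus a list of warnings worth a closer look."""
    if len(data) < 8:
        raise SwfHeaderError("too short to hold an SWF header")
    sig, version = data[:3], data[3]
    declared = struct.unpack_from("<I", data, 4)[0]   # UI32, little-endian
    if sig == b"FWS":
        compression, body = "uncompressed", data[8:]
    elif sig == b"CWS":
        try:
            body = zlib.decompress(data[8:])
        except zlib.error as exc:
            raise SwfHeaderError(f"CWS body does not inflate: {exc}") from exc
        compression = "zlib"
    else:
        raise SwfHeaderError(f"not an SWF signature: {sig!r}")
    warnings = []
    actual = 8 + len(body)                    # spec: length of the uncompressed file
    if declared != actual:
        warnings.append(f"declared length {declared} != actual length {actual}")
    (xmin, xmax, ymin, ymax), pos = _parse_rect(body)
    if pos + 4 > len(body):
        raise SwfHeaderError("truncated before frame rate / frame count")
    rate_fixed, frame_count = struct.unpack_from("<HH", body, pos)
    width_px, height_px = (xmax - xmin) / 20, (ymax - ymin) / 20   # 20 twips per pixel
    if width_px <= 0 or height_px <= 0:
        warnings.append(f"implausible stage size {width_px}x{height_px} px")
    return {
        "compression": compression,
        "version": version,
        "declared_length": declared,
        "actual_length": actual,
        "frame_width_px": width_px,
        "frame_height_px": height_px,
        "frame_rate": rate_fixed / 256,       # UI16 fixed-point 8.8
        "frame_count": frame_count,
        "warnings": warnings,
    }


# --- constructed sample data for the demonstration --------------------------

def _encode_rect(xmin, xmax, ymin, ymax, nbits=15) -> bytes:
    bits = nbits << (4 * nbits)
    for i, v in enumerate((xmin, xmax, ymin, ymax)):
        bits |= (v & ((1 << nbits) - 1)) << ((3 - i) * nbits)
    total_bits = 5 + 4 * nbits
    nbytes = (total_bits + 7) // 8
    return (bits << (nbytes * 8 - total_bits)).to_bytes(nbytes, "big")


def build_sample_swf(compressed=False, lie_about_length=False) -> bytes:
    """A minimal Flash 10 movie: 550x400 px stage, 24 fps, one frame, End tag."""
    body = _encode_rect(0, 11000, 0, 8000) + struct.pack("<HH", 24 * 256, 1) + b"\x00\x00"
    total = 8 + len(body) + (4096 if lie_about_length else 0)
    header = (b"CWS" if compressed else b"FWS") + bytes([10]) + struct.pack("<I", total)
    return header + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    for name, blob in [("clean", build_sample_swf()),
                       ("cws", build_sample_swf(compressed=True)),
                       ("lying", build_sample_swf(lie_about_length=True))]:
        print(name, parse_swf_header(blob))
```

This checks structure only: a well-formed header says nothing about the tags that follow it, and a length mismatch is a reason to look closer, not proof of an exploit. It belongs next to blocking Flash attachments at the mail gateway and, above all, deploying the updated player, which is the actual fix.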
On a related note, the day before releasing the Flash update, Adobe also published an advisory about a critical buffer overflow vulnerability in Illustrator CS3 and CS4. The flaw stems from Illustrator’s failure to properly parse specially crafted .EPS files. If an attacker can entice one of your Illustrator users into opening a malicious .EPS file, he can exploit this flaw to execute code on that user’s computer with the user’s privileges. There is no patch for this flaw yet; Adobe plans to release one in January. Until then, treat .EPS files arriving by unsolicited email or from untrusted downloads as hostile and do not open them in Illustrator.

Solution Path

Adobe has released a new version of Flash Player and Air. Specifically:

§ Flash Player 10.0.42.34

§ Air 1.5.3

If you use these products in your network, we recommend you download and deploy their updates as soon as possible.


I am seeing around two dozen or more virus-laden emails a day right now, all with the same general subject lines, such as:

“payment request from "Qualcomm"”, “payment request from "Google"”, or “Your Credit Balance is over its limit”

These all contain a backdoor Trojan in the attachment, so again and again I remind everyone not to click the attachments you get in email. I like that “transaction inspector module”; they are always looking for something that will just make people click away. Well, DON’T!



If you leave messages on your e-mail server, you can choose from several options for when to delete them. To make your choice, consider how long you want the messages to remain accessible from multiple computers and the storage limits imposed by your e-mail server administrator. If you exceed your storage limit, you might be unable to receive new messages or might be charged additional fees.

  • On the Tools menu, click E-mail Accounts.
  • Click View or change existing e-mail accounts, and then click Next.
  • Select your ISP account, and then click Change.
  • Click More Settings.
  • Click the Advanced tab, and under Delivery, select the Leave a copy of messages on the server check box.

    (screenshot: Internet E-mail Settings dialog box)


    Here’s an early Christmas present for all those going in and out of Greensboro’s Piedmont Triad Airport: free WiFi, courtesy of Google. Unlike the typical $10 or more per day for that twenty minutes of browsing before your flight, you will be able to check that last email at no charge, all thanks to Google. On top of this, if you’re flying Virgin America (probably not most of us), you will also be able to browse the Internet on any flight.


    A word of warning, as I’ve posted here before, on using public WiFi:

    • Always run a software firewall; Windows XP’s built-in firewall will suffice, provided it is actually turned on for the connection you are using
    • Do not enter private data on any site unless it is served over SSL (https), and even then do not click through a certificate warning: a man in the middle on the hotspot can present a forged certificate, and the browser’s warning is your only signal
    • NEVER send private data via email, on public WiFi or not
    • Always assume your browsing is monitored when on public WiFi; an open hotspot does not encrypt the air link, so anyone in range can read unencrypted traffic


    New Ways to Try and Buy Microsoft Office 2010

    Through our retail partners, Microsoft is introducing an all-new Product Key Card to help consumers more easily access and experience Office 2010 on new PCs that have been pre-loaded with Office 2010. The Product Key Card is a single license card (with no DVD media) that will be sold at major electronic retail outlets.

    The key number contained on the card will unlock Office 2010 software that has been pre-loaded by the PC manufacturers on their PCs, and enables a simpler and faster path for consumers to begin using any one of three full versions of Microsoft Office – Office Home & Student 2010, Office Home & Business 2010, or Office Professional 2010.

    As part of Office 2010 software that will be pre-loaded by the PC manufacturers on their PCs, we’re introducing Microsoft Office Starter 2010.

    Office Starter 2010 will include Office Word Starter 2010 and Office Excel Starter 2010, with the basic functionality for creating, viewing and editing documents. Office Starter 2010 will replace Microsoft Works.


    Severity: High

    5 November, 2009

    Summary:

    § This vulnerability affects: Adobe Shockwave Player 11.5.1.601 and earlier, running on Windows and Macintosh computers

    § How an attacker exploits it: By enticing your users to visit a website containing a malicious Shockwave file

    § Impact: An attacker can execute code on your computer, potentially gaining control of it

    § What to do: Download and install the latest version of Adobe Shockwave Player

    Exposure:

    Adobe Shockwave Player displays interactive, animated web content built with Adobe Director (Shockwave movies, usually .DCR files). It is a separate product from Flash Player, although the two are often confused. According to Adobe, Shockwave Player is installed on some 450 million PCs.

    In a security bulletin released late Tuesday, Adobe warned of critical vulnerabilities that affect Adobe Shockwave Player 11.5.1.601 for Windows and Macintosh (and all earlier versions). Adobe’s bulletin lists five CVE numbers, which suggests that the update fixes five distinct security vulnerabilities. The bulletin doesn’t describe the flaws in much technical detail. However, it does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Shockwave content, he could exploit these unspecified vulnerabilities to execute code on that user’s computer with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit such a flaw to gain full control of their PC.

    If you deploy Adobe Shockwave throughout your network, we recommend you download and install the latest version as soon as you can.

    Solution Path

    Adobe has released a new version of Shockwave Player, version 11.5.2.602. If you use Adobe Shockwave Player in your network, we recommend you download and deploy this updated player as soon as possible.

    Status:

    Adobe has released a Shockwave Player update to fix these vulnerabilities.

    References:

    § Adobe Security Bulletin

    This alert was researched and written by Corey Nachreiner, CISSP.



    T-Mobile has a message on their website saying customers may be experiencing trouble with both voice and data services.



    As we all know, Carbonite is dirt cheap, and although I have issues with it and would not recommend it, there are clearly a large number of people who do. Recently, however, there has been a growing voice of concern over statements in Carbonite’s Terms of Service and Privacy Policy, which has reached the general masses.

    “Carbonite may disclose your Personal Information to third parties if we believe that such action is necessary to (1) comply with a law, regulation, or governmental or judicial warrant, rule, or order; (2) protect and defend the rights or property of Carbonite; (3) enforce the Carbonite Terms and Conditions of Use and/or this Privacy Policy. Carbonite may also provide access to your Backup Data to government authorities if Carbonite suspects or believes that the data contain child pornography or other prohibited data, or that the data or the Carbonite Products or Services are being used for illegal purposes. Carbonite will provide access to your Backup Data to your surviving spouse and/or your executor upon presentation of a death certificate and identification which Carbonite reasonably believes to be valid and sufficient, or in response to a court order, warrant, subpoena or other judicial or administrative legal process.”

    http://www.carbonite.com/privacy/

    The above statement that Carbonite can and will provide access to stored, encrypted data is an obvious concern, but it could also violate Federal regulations on data security. For example, the only way I can see for a medical office to store data with an online service is if it can show there is no possible path to that data becoming compromised. With eSecureBackups we are secure in the belief that all data is encrypted locally with a key that only the local computer (keyfile) or user knows.

    Your pass phrase is encrypted twice before it is stored on the server, to prevent anyone but you from recovering it. The system is designed so that recovering a pass phrase requires action from two people: the person who created the key and a senior-level server technician. Neither can recover the pass phrase without the cooperation of the other, and only the creator of the pass phrase can view it once it is recovered. Data blocks are compressed, encrypted with AES-256 using your private pass phrase, digitally signed for integrity verification upon restore, and tagged with multiple strong checksums to provide data integrity assurance. The encrypted data is then encrypted a second time in transit across the Internet, until it reaches one of the secure data centers.

    Per the quoted paragraph, Carbonite is saying it can provide access to your backup data, which only means something if Carbonite can decrypt it; in other words, the provider, not only you, holds the means to bypass the encryption. If a third party can get at the data, whether through a legal warrant or a nefarious act, the requirements of HIPAA or PCI would prevent most regulated businesses from using such a service. With eSecureBackups the pass phrase is wrapped twice, using data known only to the end user as one of those protections. Without the answers to specific questions known only to the end user, the pass phrase cannot be recovered, and without the pass phrase the data cannot be decrypted.
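As an added example of the design described above (not eSecureBackups’ or Carbonite’s code, which the post does not show), the block below models it in Python: data blocks are compressed, encrypted under a key derived from the user’s pass phrase, and tagged with an HMAC plus a plaintext checksum verified at restore time; the pass phrase itself is wrapped twice, once under a key derived from answers only the user knows and once under a key held by a senior technician, so that neither party can recover it alone. Everything here is an assumption about how such a system could be built: AES-256 is replaced by an HMAC-SHA256 counter-mode keystream so the example runs on the standard library alone, PBKDF2 stands in for whatever key derivation the real product uses, and the second encryption layer in transit (TLS) is not modelled.

```python
"""Client-side backup encryption with a two-person pass-phrase escrow.

Added example; not eSecureBackups' or Carbonite's code. It models the design
the post describes. AES-256 is stood in for by an HMAC-SHA256 counter-mode
keystream so that it runs on the Python standard library alone.
"""
import hashlib
import hmac
import secrets
import zlib

KDF_ROUNDS = 100_000   # assumption; the real product's KDF is not described


def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ROUNDS, 32)


def _subkey(master: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256-CTR: keystream block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(master: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC; the tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(_subkey(master, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_sealed(master: bytes, box: dict) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    expected = hmac.new(_subkey(master, b"mac"), box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, box["tag"]):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return _keystream_xor(_subkey(master, b"enc"), box["nonce"], box["ct"])


def encrypt_block(data: bytes, passphrase: str) -> dict:
    """Compress, encrypt, tag, and keep a plaintext checksum to verify at restore."""
    salt = secrets.token_bytes(16)
    box = seal(_kdf(passphrase.encode(), salt), zlib.compress(data))
    box["salt"] = salt
    box["sha256"] = hashlib.sha256(data).hexdigest()
    return box


def decrypt_block(box: dict, passphrase: str) -> bytes:
    data = zlib.decompress(open_sealed(_kdf(passphrase.encode(), box["salt"]), box))
    if hashlib.sha256(data).hexdigest() != box["sha256"]:
        raise ValueError("checksum mismatch after decrypt")
    return data


def _answers_key(answers, salt: bytes) -> bytes:
    """Normalise the user's recovery answers (case, whitespace) before hashing."""
    joined = "\x1f".join(a.strip().lower() for a in answers).encode()
    return _kdf(joined, salt)


def escrow_passphrase(passphrase: str, answers, technician_key: bytes) -> dict:
    """Wrap twice: the inner layer needs the user's answers, the outer the technician's key."""
    salt = secrets.token_bytes(16)
    inner = seal(_answers_key(answers, salt), passphrase.encode())
    outer = seal(technician_key, inner["nonce"] + inner["tag"] + inner["ct"])
    outer["salt"] = salt
    return outer


def recover_passphrase(escrow: dict, answers, technician_key: bytes) -> str:
    """Both parties must contribute; either wrong input fails a MAC check."""
    blob = open_sealed(technician_key, escrow)
    inner = {"nonce": blob[:16], "tag": blob[16:48], "ct": blob[48:]}
    return open_sealed(_answers_key(answers, escrow["salt"]), inner).decode()
```

The point of the escrow is that the provider’s technician holds only the outer wrapping key and never sees the inner one, so a subpoena served on the provider alone yields nothing decryptable. That guarantee is only as strong as the entropy of the user’s recovery answers: a technician who can guess or phish them holds both halves, so the answers deserve the same care as the pass phrase itself.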

    Bottom line: just because a service says your data is secure or encrypted, it is still up to the end user to do some basic checking of how the process is designed to work, whether it does work, and how any regulatory requirements may apply. The question to ask is who, besides you, can ever obtain the decryption key. Also, for the true security geek or the totally paranoid, nothing prevents you from encrypting your data yourself with a third-party application such as TrueCrypt before handing it to an online service; the provider then only ever stores ciphertext it cannot read.

