In general terms, plug-ins are small additions to a larger program that enable certain additional functions. Synonym: Add-on.
10,000 viruses came through a vulnerability in the Flash plug-in for Internet Explorer.
A client recently complained of extreme slowness on his computer, especially when browsing the Internet. Now, as many of you know, that is a possible sign of a malware infection, and the client correctly suspected so. And so did I at first. A thorough check with specialized detection tools and a detailed analysis of running programs revealed… nothing. So with that possibility out of the way, I just went down the list of other possible reasons for the problem. The computer itself was not very fast, but even so the browsing was excruciatingly slow.
I checked the internet connection speed, which at some point had been a problem in the past. But not anymore: the speed was very decent. The default browser was Mozilla Firefox, and although that’s not the fastest browser, it is at least faster than Internet Explorer (in case you’re wondering, as of this writing Chrome and Opera are the fastest). So I decided to look into the browser’s installed plug-ins (in general terms, plug-ins are small additions to a larger program that enable certain additional functions). I directed the client to run Firefox without ANY plug-ins, and the change in speed was instantaneous and considerable. So we had the general area to address.
Rather than trying to find out which individual plug-ins were slowing the browser down and then disabling those, I tried a different approach: I disabled ALL the plug-ins and re-enabled only the couple that were absolutely needed for the browser to function properly. At the end of that the browser was still quite a bit faster than before.
Therefore, if your browser is slow as hell and pages take forever to load, provided your computer is not from the year 2000 (or running Internet Explorer 🙂 ), has no malware infection and is not on a really slow internet connection (read this on how to test your internet connection speed), this is something you might want to look into, for this is one of the cases where less is more.
Microsoft’s batch of monthly updates released today (October 12) is a record one: sixteen in total. Windows updates can serve three purposes: stability, performance and security. In this case the whole batch is classified as security updates. Products affected include both the operating system and the Office products (all versions currently supported, on both sides); for Office that includes the Mac versions.
Four of the updates are rated critical (the top severity rating, as far as urgency is concerned). Ten are rated important, the next level down, and two moderate, one level below important. Nine of the sixteen updates address remote code execution vulnerabilities (i.e. an attacker running code of their choice on your computer, over the network, by exploiting a flaw in software installed on it).
If you have Windows Update set to download and install updates automatically, no action is required (other than a restart once the updates have been installed). If Windows Update is set to notify you but not download, to download but not install automatically, or is turned off, installing these updates will require your intervention. (Of course, if Windows Update is set to anything but automatic, you may have more than these 16 updates pending.)
You may have read about it in the news. Stuxnet is the name of this piece of malware. Before you get the impulse to turn off your computer after reading what it can do, let me say that this one targets specific Windows-based computers that manage industrial control systems (ICS), so the ordinary user’s computer is not a target, although that doesn’t mean your computer cannot get infected by it. It’s just not going to make your computer the target of its payload (what the virus does when it becomes active or executes). But even that is one of the remarkable things about this piece of malware; we’ll circle back to it.
The first unprecedented fact is the number of zero-day exploits this malware uses: four, including the vulnerability I wrote about a little while ago. The second is the set of techniques it uses to infect and spread, including rootkit technology. The third is its size, unusually large for a virus. The fourth is that it uses two different stolen digital certificates to pass as legitimate software, which adds to its stealth. So it wasn’t long before it became evident that the resources that went into producing such a piece of malware, dubbed “the first cyber super-weapon” and “best malware ever”, were probably state-backed. Speculation has been flying around as to its country of origin. It has apparently been seen infecting industrial computer systems in Iran. It is very cleverly programmed: although its main attack vector (entry point) is USB flash drives, it is programmed to infect no more than 3 computers per infected flash drive, so it doesn’t spread too fast, which again adds to its stealth.
One last thing about Stuxnet, and this is the icing on the cake: the subject is so trendy that if you search for “stuxnet” on Google and other search engines, some of the results land users on malicious websites that will infect your computer (not with Stuxnet) via the usual drive-by download technique I’ve covered before. For the common user, that is ironically the most dangerous aspect of Stuxnet.
To balance the recent avalanche of vulnerabilities I’ve been writing about lately, here’s some good news on the subject of computer security. I’ve written about it in the past, but new security measures have been added to the Windows Live Hotmail web mail service to help users regain control of hijacked accounts.
Citing a trend of spammers seizing legitimate accounts, Microsoft said it was rolling out new techniques to sniff out compromised Hotmail accounts, as well as giving users more ways to reclaim inboxes snatched by criminals.
Rather than relying on an alternate e-mail address and a single secret question-answer pair for resetting an account password, Hotmail now lets a user register one or more “trusted PCs” or a mobile phone as proof that he/she is the real owner of the account.
In one of the most famous abuses of a password reset feature, University of Tennessee student David C. Kernell got control of the Yahoo Mail account of former Gov. Sarah Palin during the 2008 presidential election by answering a single security question.
Kernell was later convicted on a federal felony charge and a federal misdemeanor charge.
Hotmail users can thus now tag multiple PCs as proof. Users locked out of their account by a hijacker can regain control simply by logging in from one of the previously registered trusted machines.
To use a PC as proof, users must have Windows Live Essentials installed, a suite of free applications Microsoft offers for download.
Users can also enter a mobile number as another proof. That phone will then receive an unlocking code via a text message when the user asks for a password reset.
With those proofs in place, more users will be able to reset their passwords without help from Microsoft support.
To add additional proofs, such as a trusted PC or cell phone, to a Hotmail account, users must click “Options” in the upper right of the Hotmail screen, select “More options…” from the drop-down menu, then click “View and edit personal information” under the subheading of “Manage your account.” The proofs can be added under “Password reset information.”
Microsoft isn’t the only web mail provider beefing up security. Last week, Google announced two-factor authentication that lets businesses protect Gmail log-ins by delivering a one-time code to a cell phone via text message.
Less than a week after warning users that hackers were exploiting an unpatched bug in its Reader PDF viewer, Adobe said 8 days ago that Flash, its other prominent program, was also under fire. Adobe said that the current version of Flash contains a critical flaw already being used in the wild by criminals to attack Windows PCs. “This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system,” the advisory read. All editions of Flash, including those for Windows, Mac, Linux, Solaris and Google’s Android mobile operating system, contain the flaw.
The company said then it would patch Flash in two weeks. However, I just got word that they moved it up to today. Go to the download center at http://get.adobe.com/flashplayer/ to get the latest version.
Check which version of Flash you have installed (Adobe provides a version-check page on its website). If it’s lower than 10.1.85.3, you need to update.
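The version check above, scripted. This is an added example and not code from the original post or from Adobe; it reports the Flash Player builds found on a Windows machine and compares each one numerically against 10.1.85.3. The file locations (Flash*.ocx and NPSWF32.dll under %SystemRoot%\System32\Macromed\Flash, or SysWOW64 on 64-bit Windows) and the registry value HKLM\SOFTWARE\Macromedia\FlashPlayer\CurrentVersion are my assumptions about where the installer puts things; the function names are my own.

```powershell
# Added example, not from the original post or from Adobe: report the Flash Player
# builds installed on this machine and compare them numerically against the fixed build.
# Assumptions (mine): the browser plug-ins live in %SystemRoot%\System32\Macromed\Flash
# (and SysWOW64 on 64-bit Windows) as Flash*.ocx (Internet Explorer) and NPSWF32.dll
# (Firefox/Opera), and the installer records the version under
# HKLM\SOFTWARE\Macromedia\FlashPlayer in CurrentVersion in the form "10,1,85,3".

$FixedFlashVersion = [version]'10.1.85.3'

function ConvertTo-FlashVersion([string]$Text) {
    # Flash writes its version with commas ("10,1,85,3") in the registry and in the
    # binaries' file metadata; the [version] type wants dots.
    return [version]($Text.Trim() -replace ',', '.')
}

function Test-FlashOutdated([string]$InstalledVersion, [version]$Minimum = $FixedFlashVersion) {
    # Compare field by field as numbers. A plain string comparison would rank the
    # later build "10.1.102.64" below "10.1.85.3" because '1' sorts before '8'.
    if ([string]::IsNullOrEmpty($InstalledVersion)) { return $null }   # unknown
    return (ConvertTo-FlashVersion $InstalledVersion) -lt $Minimum
}

function Get-InstalledFlash {
    $dirs = @("$env:SystemRoot\System32\Macromed\Flash", "$env:SystemRoot\SysWOW64\Macromed\Flash")
    foreach ($dir in $dirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem $dir | Where-Object { $_.Name -match '^(Flash.*\.ocx|NPSWF32\.dll)$' } |
            ForEach-Object {
                $v = $_.VersionInfo.FileVersion
                New-Object PSObject -Property @{ Source = $_.FullName; Version = $v; Outdated = (Test-FlashOutdated $v) }
            }
    }
    # The installer's own record of the version, if present.
    $regKey = 'HKLM:\SOFTWARE\Macromedia\FlashPlayer'
    if (Test-Path $regKey) {
        $v = (Get-ItemProperty -Path $regKey).CurrentVersion
        if ($v) { New-Object PSObject -Property @{ Source = $regKey; Version = $v; Outdated = (Test-FlashOutdated $v) } }
    }
}

Get-InstalledFlash | Format-Table Source, Version, Outdated -AutoSize
```

Any row with Outdated set to True is a copy of Flash that still needs the update; note that Internet Explorer (the .ocx) and Firefox (NPSWF32.dll) carry separate copies, so both have to be current.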
Noteworthy is the fact that Google Chrome users got the patch four days ago, one of the benefits of an April Google-Adobe deal under which Chrome bundles Flash and updates it along with the browser. That’s one of the factors that has made Chrome my current official choice of web browser.
The newest zero-day exploit of the Adobe Reader and Adobe Acrobat programs, recently observed for the first time, sidesteps two land mines that Microsoft built into the Windows operating system. I won’t go into the technical details, but both of these security measures concern how programs use memory. Whether or not you fully understand this paragraph, this is what needs to be understood: the techniques used in this new exploit have been labeled “scary”, “clever” and “impressive”. Not the kind of modifiers you want to hear when the subject at hand is exploits.
This exploit has been observed circulating in the wild, attached to e-mails invoking renowned golf coach and author David Leadbetter, with the subject “David Leadbetter’s One Point Lesson”. In addition, it comes with a “valid” digital signature (meant to attest authenticity and legitimacy), stolen, of course. So heads up.
Mitigating Actions and Patches
Adobe warned Reader and Acrobat users last week of the vulnerability, but it has not said when it would patch the bug. Nor has it offered any advice about how to stymie attacks.
Disabling JavaScript in Reader and Acrobat blocks the current exploit but may not protect against future attacks. To disable JavaScript in Adobe Reader or Acrobat on Windows, select Preferences from the Edit menu, choose “JavaScript” in the category list, then uncheck the “Enable Acrobat JavaScript” option.
And of course security awareness and good habits when handling e-mail and browsing the web always help contain the spread of these threats.
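The same setting applied from a script, which is handier than clicking through the Preferences dialog on every machine. This is an added example, not code from the original post or from Adobe. It assumes (my assumption, not something the post states) that the “Enable Acrobat JavaScript” checkbox is stored as the DWORD value bEnableJS under HKCU\Software\Adobe\Acrobat Reader\<version>\JSPrefs for Reader and HKCU\Software\Adobe\Adobe Acrobat\<version>\JSPrefs for Acrobat, with 1 meaning enabled and 0 disabled; the function names are my own.

```powershell
# Added example, not from the original post or from Adobe: turn Acrobat JavaScript off
# (or back on) for the current user across every installed Reader/Acrobat version.
# Assumption (mine): the preference is the DWORD value bEnableJS under
# HKCU\Software\Adobe\Acrobat Reader\<version>\JSPrefs (Reader) and
# HKCU\Software\Adobe\Adobe Acrobat\<version>\JSPrefs (Acrobat); 1 = enabled, 0 = disabled.

$AcrobatProductKeys = @('HKCU:\Software\Adobe\Acrobat Reader', 'HKCU:\Software\Adobe\Adobe Acrobat')

function Get-AcrobatJSPrefKeys {
    foreach ($base in $AcrobatProductKeys) {
        if (-not (Test-Path $base)) { continue }
        # One subkey per installed major version, e.g. "9.0" or "10.0".
        Get-ChildItem $base | Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
            ForEach-Object { "$base\$($_.PSChildName)\JSPrefs" }
    }
}

function Set-AcrobatJavaScript {
    param([switch]$Enabled)
    $value = if ($Enabled) { 1 } else { 0 }
    $keys = @(Get-AcrobatJSPrefKeys)
    if ($keys.Count -eq 0) { Write-Warning 'No Adobe Reader/Acrobat preferences found for this user.' }
    foreach ($key in $keys) {
        # The JSPrefs key only exists once the user has opened that preference page.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'bEnableJS' -Value $value -Type DWord
        # Read it back so the caller can see what was written where.
        New-Object PSObject -Property @{
            Key       = $key
            bEnableJS = (Get-ItemProperty -Path $key -Name 'bEnableJS').bEnableJS
        }
    }
}

# Disable now; re-enable later with: Set-AcrobatJavaScript -Enabled
Set-AcrobatJavaScript
```

Close Reader and Acrobat before running this: they write their preferences back to the registry on exit and would overwrite the change.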
It is a known fact that malware creators often appeal to users, trying to lure them into an action that aids the infection of the target computer. In computer security this is called social engineering. The user is presented with a scenario that looks legitimate and is then asked to click on something or install something in order to continue, avoid damage, correct what’s wrong, etc. All fake/rogue antivirus programs use this technique, trying to get the user to install the rogue software or pay for the full version, lest an apocalypse of infections go unhandled on the user’s computer. This subject has been covered before. But over time the techniques are getting better, and that deserves its own article.
One of the newest styles involves your web browser. Internet Explorer, Firefox, Google Chrome: they’re all potentially affected. Here’s how it works: a specific piece of malware (called MSIL/Zeven) detects which browser you’re using, then presents you with that browser’s “infected website” or “phishing website” alert, offering to install an update to deal with it. The update is of course a fake antivirus. The problem is that the alert looks very legitimate (except maybe the Firefox one, which has a typo, “get me our of here”). The landing page, if the user opts to install the fake antivirus, looks A LOT like the Microsoft Security Essentials website. Even a trained eye can be fooled. This new social engineering technique relies on the user’s trust in the day-to-day web browser. The telltale sign, however: no browser will ever prompt you to install antivirus software.
So it behooves you to double check and be more alert when your computer prompts you for action. If in doubt, ask an expert.
First, two definitions:
Rootkit: A computer program or set of programs designed to infect a computer and hide itself from view, making it very hard to uncover without special tools. It can also hide the presence of other malicious software on the system.
32-bit vs. 64-bit operating systems: These two terms refer to how the processor handles information (the width of the data and memory addresses it works with natively). They have distinctly different architectures. 64-bit editions of Windows also add security features that the 32-bit editions lack, notably mandatory signing of kernel-mode drivers, which is what made them so hard for rootkits to get into.
Now that we have those out of the way, to the point: up until a few days ago, 64-bit operating systems were thought to be immune to rootkit infections. A famous rootkit, notorious for its advanced techniques and stealth features, has been on the loose for some time now, infecting 32-bit operating systems like there’s no tomorrow. Well, a few days ago it was observed for the first time infecting 64-bit operating systems, shattering the idea that rootkits could not infect such systems. Its name is TDL3, AKA Alureon, AKA TDSS.
So much for 64-bit immunity. A new chapter has begun.
If the expression “opening a can of worms” means anything to you, you’ll start to get the idea of what’s happening with this subject. Or maybe Pandora’s box is a better metaphor. At any rate, it seems that one disclosed vulnerability led to another, and another. As predicted in a recent article, these are now surfacing. And one of the immediate problems is that it concerns not only the Windows operating system per se, but programs that run on Windows. Many of them. Details on this new class are still sketchy, since the idea is to get patches developed before revealing too much about the vulnerability.
About a week ago a Slovenia-based security company called Acros published an advisory regarding a vulnerability in iTunes that would allow a remote attacker to take control of the attacked computer. Acros has reportedly been analyzing this type of vulnerability since late 2008. A tool was developed to spot it in Windows programs: over 200 programs were tested and, surprisingly, about 90% were found potentially vulnerable. This testing had gone unpublished until a few days ago.
Hours after Acros published the above-mentioned advisory, HD Moore, Chief Security Officer of Rapid7, a US-based security company, announced that he had found about 40 Windows programs vulnerable to this new type of attack. Then Acros decided to let the big cat out of the bag, and the next day expanded the list from 40 to over 200. Over this past weekend, academic researcher Taeho Kwon, a Ph.D. candidate in computer science at the University of California, Davis, also joined the party with the research paper he and Zhendong Su had published earlier this year on the subject. Then just yesterday Microsoft published a security advisory on the subject. That’s the timeline so far for this new vulnerability class.
Patching this vulnerability is a bit of a Catch-22: its nature and reach are so wide that if Microsoft were to issue a single patch to handle it, the patch would break scores of legitimate applications. Plus, the vulnerability lies mainly in the lax way the programs have been coded, so each program’s creators need to issue their own fixes. For these reasons, mitigating actions are all that can be done for now. One such action is stopping and disabling the service that allows this vulnerability to be exploited remotely (over the internet): the WebClient service. Disabling it will have no impact on the functionality of most users’ machines.
To stop and disable the webclient service:
1a. For Windows XP users: click Start, then Run, type “cmd” (without the quotation marks) and press Enter.
1b. For Vista and 7 users: click Start, type “cmd” in the search box, go to the top of the list, right-click cmd.exe and select Run as Administrator. Click Continue if prompted.
2. Now type a couple of commands in the black window that appeared.
First, stop the service. Type (or copy and paste):
SC stop webclient
And press enter.
Now disable it so the service doesn’t start again the next time you reboot your computer. Type (or copy and paste):
SC config webclient start= disabled
And press enter.
(Notice the space after the equal sign in the above command. That’s mandatory.)
Now you can close the command prompt window where you typed all the above.
A well-configured firewall will also help mitigate this problem. TCP ports 139 and 445 need to be blocked, incoming and outgoing. (Port: in computer networking, specific channels are used to send and receive data. These are called ports and are numbered from 0 to 65535.) Be aware that some functions like network file sharing and printing over a network may be affected by blocking these ports. If you block these ports and afterwards notice a loss of network connectivity, revert the changes.
Another action that can be taken is to close the door to the execution of unauthorized programs, with tools like AppGuard by Blue Ridge Networks. This has been covered before in other computer security articles.
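Both mitigations above, the WebClient service steps and the port 139/445 firewall block, as one PowerShell script with a check and a way to revert. This is an added example and not code from the original post or from Microsoft. It assumes Windows Vista or 7 (or later) with the built-in Windows Firewall, since the “netsh advfirewall” context it uses does not exist on XP, PowerShell 2.0 or later, and an elevated prompt; the rule names and function names are my own.

```powershell
# Added example, not from the original post: the WebClient and firewall mitigations
# described above as a script, plus a state check and a revert.
# Assumptions (mine): Windows Vista/7 or later ("netsh advfirewall" is absent on XP),
# PowerShell 2.0 or later, run from an elevated prompt. Rule names are my own labels.

$SmbRuleNames = @('Block SMB 139/445 in', 'Block SMB 139/445 out')

function Assert-Administrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Start PowerShell with "Run as Administrator" and try again.'
    }
}

function Disable-WebClientService {
    # Same effect as "sc stop webclient" followed by "sc config webclient start= disabled".
    if ((Get-Service -Name WebClient).Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
}

function Add-SmbBlockRules {
    # Outbound covers the remote case (this PC being lured to an attacker's share);
    # inbound covers this PC's own shares. Both are TCP.
    netsh advfirewall firewall add rule name="$($SmbRuleNames[0])" dir=in  action=block protocol=TCP localport=139,445  | Out-Null
    netsh advfirewall firewall add rule name="$($SmbRuleNames[1])" dir=out action=block protocol=TCP remoteport=139,445 | Out-Null
}

function Remove-SmbBlockRules {
    # Revert if file or printer sharing on your own network stops working.
    foreach ($name in $SmbRuleNames) { netsh advfirewall firewall delete rule name="$name" | Out-Null }
}

function Get-MitigationState {
    # WMI exposes the start mode, which Get-Service does not on PowerShell 2.0.
    $svc   = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    $rules = @(netsh advfirewall firewall show rule name=all | Select-String -SimpleMatch 'Block SMB 139/445')
    New-Object PSObject -Property @{
        WebClientState     = $svc.State
        WebClientStartMode = $svc.StartMode
        SmbRulesPresent    = $rules.Count
    }
}

Assert-Administrator
Disable-WebClientService
Add-SmbBlockRules
Get-MitigationState
```

After it runs, Get-MitigationState should show the service Stopped and Disabled and two rules present. To undo the firewall part alone, run Remove-SmbBlockRules; to bring the service back, run Set-Service -Name WebClient -StartupType Manual.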
If you have any questions on how to do any the above, I’ll be happy to answer them.