Category Archives: Computer Security

Virus, malware in general and all evil programs, begone!

New PDF Exploit – “Scary, Clever, Impressive”

The newest zero-day exploit for Adobe Reader and Adobe Acrobat, recently observed in the wild for the first time, sidesteps two memory-protection measures Microsoft built into Windows (DEP, data execution prevention, and ASLR, address space layout randomization). I won’t go into the technical details, but both measures restrict how a program may use memory. Whether or not you fully understand this paragraph, this is what needs to be understood: the techniques used in this new exploit have been described as “scary”, “clever” and “impressive”. Not the kind of modifiers you want to hear when the subject at hand is exploits.

This exploit has been observed circulating in the wild, attached to e-mails that invoke renowned golf coach and author David Leadbetter, with the subject “David Leadbetter’s One Point Lesson”. On top of that it carries a “valid” digital signature (meant to vouch for authenticity and legitimacy), stolen, of course. So heads up.

Mitigating Actions and Patches

Adobe warned Reader and Acrobat users of the vulnerability last week, but it has not said when it will patch the bug, nor has it offered any advice on how to stymie attacks.
Disabling JavaScript in Reader and Acrobat blocks the current exploit but may not protect against future variants. To disable JavaScript in Adobe Reader or Acrobat on Windows, select Preferences from the Edit menu, choose “JavaScript” in the Categories list, and uncheck the “Enable Acrobat JavaScript” option.
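
The same preference can be set from the registry, which is handy when you have to do it on several machines or without opening Reader. The following PowerShell is an added example, not code from the original post: it assumes Adobe Reader or Acrobat 9.x, and the key paths and the bEnableJS value name are taken from Adobe’s per-user preference layout, so check them against your installed version. It only affects the user it runs as.

```powershell
# Added example (not from the original post): set "Enable Acrobat JavaScript"
# off through the registry. Assumption: Reader/Acrobat 9.x per-user preference
# keys below; verify them against your installed version.
$jsPrefsKeys = @(
    'HKCU:\Software\Adobe\Acrobat Reader\9.0\JSPrefs',   # Adobe Reader 9.x
    'HKCU:\Software\Adobe\Adobe Acrobat\9.0\JSPrefs'     # Adobe Acrobat 9.x
)

foreach ($key in $jsPrefsKeys) {
    # Skip products that are not installed for this user (no 9.0 key at all).
    if (-not (Test-Path (Split-Path $key -Parent))) { continue }
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }

    $before = (Get-ItemProperty -Path $key).bEnableJS
    if ($null -eq $before) { $before = 'missing (defaults to enabled)' }

    # 0 = checkbox unchecked = JavaScript off; 1 = on.
    Set-ItemProperty -Path $key -Name bEnableJS -Value 0 -Type DWord

    $after = (Get-ItemProperty -Path $key).bEnableJS
    Write-Host "$key : bEnableJS $before -> $after"
}
Write-Host 'Restart Reader/Acrobat for the change to take effect.'
```

Run it once more after a Reader update: some installers reset the JSPrefs key, and the “before” value it prints tells you whether the setting survived.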

And of course, security awareness and good habits when handling e-mail and browsing the web always help limit the spread of these threats.

Fake Malware Alerts Are Getting Better

It is well known that malware authors often appeal directly to users, luring them into actions that help infect the target computer. In computer security this is called social engineering. The user is presented with a scenario that looks legitimate and is then asked to click on something or install something in order to continue, avoid damage, correct what’s wrong, and so on. All fake (rogue) antivirus products use this technique, pushing the user to install the rogue software or pay for the “full version”, lest an apocalypse of infections go unhandled on the user’s computer. This subject has been covered before. But over time the techniques are getting better, and that deserves its own article.

One of the newest styles involves your web browser. Internet Explorer, Firefox, Google Chrome: they are all potential targets. Here’s how it works: a specific piece of malware (detected as MSIL/Zeven) checks which browser you are using, then shows you a copy of that browser’s own “infected website” or “phishing website” warning page, offering to install an “update” to deal with the problem. The update is, of course, a fake antivirus. The trouble is that the alert looks very legitimate (except perhaps the Firefox one, which has a typo: “get me our of here”). If the user opts to install the fake antivirus, the landing page looks A LOT like the Microsoft Security Essentials website. Even a trained eye can be fooled. What is new in this social-engineering technique is that it trades on the user’s trust in the everyday web browser. The telltale sign, however, is that no browser will ever prompt you to install antivirus software.

So it behooves you to double-check and be more alert whenever a computer prompts you for action. If you have doubts, ask an expert.

A New Chapter in Malware Affecting Windows Computers

First, two definitions:

Rootkit: A program, or set of programs, designed to infect a computer and hide itself from view, making it very hard to uncover without special tools. It can also hide the presence of other malicious software on the system.

32-bit vs. 64-bit operating systems: These terms refer to how the computer’s processor handles data (the width of the values it works with natively). The two have distinctly different architectures, and 64-bit versions of Windows are also known for additional security features, such as refusing to load kernel drivers that are not digitally signed.

Now that we have those out of the way, to the point: until a few days ago, 64-bit operating systems were thought to be immune to rootkit infections. A famous rootkit, notorious for its advanced techniques and stealth features, has been on the loose for some time now, infecting 32-bit systems like there’s no tomorrow. Well, a few days ago it was found infecting 64-bit systems for the first time, shattering the idea that rootkits could not infect them. Its name is TDL3, a.k.a. Alureon, a.k.a. TDSS.

So much for 64-bit immunity. A new chapter has begun.

Newest Vulnerability in Windows Computers, an Emerging New Class

If the expression “opening a can of worms” means anything to you, you’ll start to get the idea of what is happening here. Or maybe Pandora’s box is a better metaphor. At any rate, it seems one disclosed vulnerability led to another, and another. As predicted in a recent article, these are now surfacing. One of the immediate problems is that it does not only concern the Windows operating system itself, but also the programs that run on Windows. Many of them. Details on this new class are still sketchy, since the idea is to get patches developed before revealing too much about the vulnerability.

About a week ago a Slovenia-based security company, Acros Security, published an advisory about a vulnerability in iTunes that would allow a remote attacker to take control of the victim’s computer. Acros has reportedly been analyzing this type of vulnerability since late 2008. They developed a tool to spot it in Windows programs: over 200 programs were tested and, surprisingly, about 90% were found potentially vulnerable. That testing had gone unpublished until a few days ago.

Hours after Acros published that advisory, HD Moore, Chief Security Officer of Rapid7 (a US-based security company), revealed that he had found about 40 Windows programs vulnerable to the same class of issue. Acros then let the big cat out of the bag and the next day expanded the list from 40 to over 200. Over this past weekend, Taeho Kwon, a Ph.D. candidate in computer science at the University of California, Davis, joined the party with the research paper he and Zhendong Su had published earlier this year on the subject. Then just yesterday Microsoft published a security advisory on it. That’s the timeline so far for this new vulnerability class.

What to do

Patching this vulnerability is a bit of a catch-22: its nature and reach are so wide that if Microsoft were to issue a single patch to handle it, the patch would break scores of legitimate applications. Plus, the vulnerability lies mainly in the lax way the programs themselves have been coded (in a nutshell: when such a program needs a library file, a DLL, that it cannot find next to itself or in the Windows system folders, it also searches the folder of the document being opened, so an attacker who can put a document and a malicious DLL of the right name in the same folder gets their code run as soon as the document is opened), so the programs’ creators are the ones who need to issue individual patches. For these reasons mitigating actions are all that can be done for now. One of them is to stop and disable the service that makes remote (over the Internet) exploitation possible: the WebClient service, which lets Windows treat a web (WebDAV) folder on a remote server as if it were a local one. Disabling this service has no impact on most users’ machines as far as functionality is concerned.

To stop and disable the webclient service:

1a. For Windows XP users: click Start, then Run, type “cmd” (without the quotation marks) and press Enter.

1b. For Vista and 7 users: click Start, type “cmd” in the search box, go to the top of the list, right-click cmd.exe and select Run as administrator. Click Continue if prompted.

2. Now type a couple of commands in the black window that appears.

First let’s stop the service. Type (or copy and paste):

SC stop webclient

And press enter.

Now disable it so the service doesn’t start again the next time you reboot your computer. Type (or copy and paste):

SC config webclient start= disabled

And press enter.

(Notice the space after the equal sign in the above command. That’s mandatory.)

Now you can close the command prompt window where you typed all the above.

A well-configured firewall will also help mitigate this problem: incoming and outgoing TCP ports 139 and 445 need to be blocked. (Port: in computer networking, specific numbered channels are used to send and receive data; these are called ports and are numbered from 0 to 65535.) Be aware that Windows file sharing and printing over the network depend on these ports and will stop working while they are blocked. If you block them and afterwards notice a loss of network functionality you need, revert the changes.
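
The two mitigations above, the WebClient service and the firewall ports, can be applied and undone in one go from an elevated PowerShell prompt on Vista or 7. The following is an added example, not part of the original post; the rule names are my own, and it uses netsh for the firewall because the New-NetFirewallRule cmdlets only exist on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original post). Run as Administrator on Vista/7.
function Set-DllHijackMitigation {
    param([switch]$Undo)   # -Undo reverts both changes

    # Inbound SMB/NetBIOS arrives on our local ports 139/445; an outbound
    # connection goes to the remote side's 139/445, so the rules differ in which
    # port field they match.
    $rules = @(
        @{ Name = 'Block SMB inbound - DLL hijack mitigation';  Dir = 'in';  PortField = 'localport'  },
        @{ Name = 'Block SMB outbound - DLL hijack mitigation'; Dir = 'out'; PortField = 'remoteport' }
    )

    if ($Undo) {
        Set-Service -Name WebClient -StartupType Manual   # Vista/7 default start type
        foreach ($r in $rules) {
            netsh advfirewall firewall delete rule "name=$($r.Name)" | Out-Null
        }
        Write-Host 'WebClient set back to Manual start; firewall rules removed.'
        return
    }

    # 1. Stop WebClient now and keep it from starting on the next boot
    #    (same effect as: sc stop webclient / sc config webclient start= disabled).
    #    Win32_Service is used for the start mode because PowerShell 2.0's
    #    Get-Service does not expose it.
    $svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    Write-Host "WebClient before: $($svc.State), start mode $($svc.StartMode)"
    if ($svc.State -ne 'Stopped') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    $svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    Write-Host "WebClient after:  $($svc.State), start mode $($svc.StartMode)"

    # 2. Block TCP 139 and 445 in both directions. Expect network file and
    #    printer sharing to stop working; run with -Undo if you need it back.
    foreach ($r in $rules) {
        netsh advfirewall firewall add rule "name=$($r.Name)" "dir=$($r.Dir)" `
            action=block protocol=TCP "$($r.PortField)=139,445" | Out-Null
    }
    # Show what was created so the result can be eyeballed.
    netsh advfirewall firewall show rule name=all | Select-String 'DLL hijack'
}

Set-DllHijackMitigation          # apply
# Set-DllHijackMitigation -Undo  # revert
```

Note that a block-all-ports rule on XP’s older firewall needs different commands; the steps above with sc.exe still cover the service part there.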

Another action that can be taken is to close the door on unauthorized program execution altogether, with programs like AppGuard by Blue Ridge Networks. This has been covered before in other computer security articles.

If you have any questions on how to do any the above, I’ll be happy to answer them.

Adobe Confirms New PDF Vulnerability, Patch to be Issued Shortly

In what seems to be yet another vulnerability in a string of recent ones, Adobe said a few days ago that it would issue an emergency patch the week of Aug. 16 to fix a critical flaw in its Reader and Acrobat software.
The bug was disclosed at last month’s Black Hat USA 2010 security conference (Black Hat: a series of highly technical security briefings held annually). Shortly after, Adobe announced it would release a rush security update during the week of Aug. 16-20. Adobe issues its quarterly security updates for Reader and Acrobat on Tuesdays, and has shipped emergency fixes on that same day of the week. If the company keeps to that practice, it will most likely deliver the out-of-band patch later today, Aug. 17.

Adobe hinted that the out-of-band update would also include fixes for vulnerabilities other than the one recently uncovered. The company also said it would still ship its next regularly scheduled quarterly update on Oct. 12.

Affected software versions

Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh

The vulnerability has been classified as critical. As usual, update your Adobe Acrobat and Reader as soon as possible, if not sooner 🙂

More Vulnerabilities in Windows Computers

Last week’s article was about a vulnerability affecting computers running Windows XP, Vista and, yes, 7 as well. That, however, was the tip of the iceberg: a broader and more general flaw in Windows that means more zero-day exploits will be coming from that direction in the near future. The specifics are a little above the level of the average user, so I will try to break it down to its simplest form while recommending remedies.

First, a definition. The vulnerabilities referred to above are related to Windows PowerShell. Windows WHAT? PowerShell. Shell: the simplest way to describe it is the command prompt window you may have seen. You can open one by clicking Start, Run, typing “cmd” and pressing Enter. You’ll see a black window with a prompt, probably something like C:\Windows\system32>_ or perhaps C:\Users\username>_ . That is an example of a shell. If you know how, you can enter commands the computer will understand and execute, provided you use the correct syntax.

OK, so PowerShell has been around since 2006. The important thing is that its second release (version 2.0) came out in 2009, and THAT is the version currently being exploited in the wild.

One thing you need to be aware of: PowerShell is, as its name indicates, very powerful. For that reason several security measures were put in place to limit its misuse. Unfortunately, those measures fell short, and we are now starting to experience the consequences.

What to do? The passive approach is to wait for Microsoft to release patches as the specific vulnerabilities involving PowerShell are discovered. For more proactive users, there is a remedy that addresses the issue even before patches arrive. In an article written about a year ago on the best security model for a Windows computer, I mentioned a specific program designed to prevent unauthorized execution of programs. That model is still valid, and the program is AppGuard by Blue Ridge Networks. Computers protected by AppGuard are immune to the particular family of zero-day exploits covered here, and more. No other product that I’m aware of provides such protection. To understand fully why, you’ll have to read that article.

Recently Found Vulnerability in Most Versions of Windows, and What to Do

From time to time vulnerabilities are found in Windows and are patched via Windows Update. This recent one deserves special attention because it is classified as critical for Windows XP, Vista and 7. The vulnerability allows remote code execution (meaning a remote attacker could take control of your computer) and is triggered simply by Windows displaying the icon of a specially crafted shortcut (.lnk) file, for example when you open a folder or a USB drive that contains one.

If your system does not have Windows Update configured to download and install updates automatically, your computer may be at risk. If you prefer to browse the available updates and install only the one for this vulnerability, the keyword to look for is “KB2286198”. (Remember that Windows XP must have at least Service Pack 3 installed, and Windows Vista at least Service Pack 1.)
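
To check whether the update is already on a machine, and to apply Microsoft’s interim workaround from its advisory (disabling icon display for shortcut files) where it is not, the following PowerShell can be used from an elevated prompt. It is an added example, not code from the original post or from Microsoft: the registry key comes from the advisory’s workaround description and should be verified against it for your Windows version, and the backup file name is my own.

```powershell
# Added example (not from the original post). Run as Administrator.
function Test-LnkPatched {
    # Get-HotFix reads the installed-updates list (Win32_QuickFixEngineering);
    # it returns nothing, and no terminating error, when the KB is absent.
    $fix = Get-HotFix -Id KB2286198 -ErrorAction SilentlyContinue
    return ($null -ne $fix)
}

function Disable-LnkIconHandler {
    # Workaround from Microsoft's advisory for this bug: blank the default value
    # of the lnkfile IconHandler key so Explorer stops loading the icon resource
    # a .lnk file points at. Shortcuts show a generic icon afterwards.
    $key = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
    if (-not (Test-Path $key)) { Write-Warning "$key not found"; return }

    # Export first so the change can be reverted with: reg import <backup>
    $backup = Join-Path $env:USERPROFILE 'lnk-iconhandler-backup.reg'
    reg export HKCR\lnkfile\shellex\IconHandler "$backup" /y | Out-Null

    $before = (Get-ItemProperty -Path $key).'(default)'
    Write-Host "IconHandler before: $before"
    Set-ItemProperty -Path $key -Name '(default)' -Value ''
    Write-Host "IconHandler cleared; backup at $backup."
    Write-Host 'Log off and on (or restart explorer.exe) for it to take effect.'
}

if (Test-LnkPatched) {
    Write-Host 'KB2286198 is installed; no workaround needed.'
} else {
    Write-Warning 'KB2286198 is NOT installed. Run Windows Update, or apply the workaround:'
    Disable-LnkIconHandler
}
```

Once the update is installed, import the backup file to get shortcut icons back; the workaround is not needed on a patched system.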

Contact me if you need help dealing with this.

Only One of Each Kind Please

When it comes to computer security, more is less. Having two firewalls on at the same time can cause conflicts, slowdowns and crashes.

If your operating system is Windows XP and you have an additional firewall (on its own or as part of a security suite), and both the built-in and the additional firewalls are on, my advice is to turn the XP firewall off and let the other one do its job. If your operating system is Vista or 7, it is a tougher call, since the built-in firewall has improved. Your call on what fits you better as a user.

Having two antivirus programs with real-time protection (a.k.a. resident shield, active protection, et cetera) running on one computer will likewise create conflicts, slowdowns and crashes.

Too often I find violations of the above on new clients’ computers, so I figured I’d write about it to clarify.

New Vulnerability in Adobe Flash and Acrobat Reader

The 10.0 generation of Flash Player and the 9.x versions of Adobe Reader and Acrobat are subject to a critical vulnerability that is being exploited and is, as of now, unpatched. In plain English: there is a problem with the above program versions that makes it possible for an attacker to successfully attack your machine and take control of it.

Flash Player versions 10.0.45.2 and earlier are affected. Follow this link to find out which version of Adobe Flash Player is installed on your computer:

http://kb2.adobe.com/cps/155/tn_15507.html

Until the official patch is released, you can disable Flash content display in Adobe Reader by deleting or renaming the following file (with Reader closed):

C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll

After that is done, opening a PDF with Flash multimedia content will crash Reader, but there will be nothing left for attackers to exploit. If you need assistance with this, I can help you.
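
The version check and the rename can be scripted together, which also catches the places the instructions above do not mention: the 32-bit Flash copy under SysWOW64 on 64-bit Windows, the Program Files (x86) location of Reader, and Acrobat’s own copy of authplay.dll. The following PowerShell is an added example, not code from the original post or from Adobe; the file locations are the usual installation defaults and are assumptions, so adjust them if you installed elsewhere. Run it from an elevated prompt with Reader and Acrobat closed.

```powershell
# Added example (not from the original post). Run as Administrator.
$lastVulnerable = [version]'10.0.45.2'   # last affected Flash Player build per the article

# ActiveX (IE) and plugin (Firefox etc.) Flash builds live here; SysWOW64 holds
# the 32-bit copy on 64-bit Windows. Assumed default locations.
$flashDirs = @("$env:SystemRoot\System32\Macromed\Flash",
               "$env:SystemRoot\SysWOW64\Macromed\Flash")

foreach ($dir in $flashDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Include 'Flash*.ocx', 'NPSWF32.dll' -Recurse | ForEach-Object {
        # Build the version from the numeric parts rather than parsing the
        # FileVersion string, which Flash formats with commas ("10,0,45,2").
        $vi = $_.VersionInfo
        $v  = New-Object Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        $state = if ($v -le $lastVulnerable) { 'VULNERABLE - update Flash' } else { 'ok' }
        Write-Host ("{0,-60} {1,-12} {2}" -f $_.FullName, $v, $state)
    }
}

# Reader/Acrobat 9: rename authplay.dll so Flash content in PDFs cannot load.
# Rename authplay.dll.bak back to authplay.dll to restore. Assumed default paths.
$authplay = @(
    "${env:ProgramFiles}\Adobe\Reader 9.0\Reader\authplay.dll",
    "${env:ProgramFiles(x86)}\Adobe\Reader 9.0\Reader\authplay.dll",
    "${env:ProgramFiles}\Adobe\Acrobat 9.0\Acrobat\authplay.dll",
    "${env:ProgramFiles(x86)}\Adobe\Acrobat 9.0\Acrobat\authplay.dll"
)
foreach ($path in $authplay) {
    if (Test-Path $path) {
        Rename-Item -Path $path -NewName 'authplay.dll.bak'
        Write-Host "Renamed $path (Flash content in PDFs will now fail to load)"
    }
}
```

The rename fails with an access error if Reader or Acrobat is still running, so close them first. Once Adobe ships the fixed versions, the installer replaces authplay.dll anyway, and the .bak copy can simply be deleted.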

How Browsing the Internet Affects Your Computer

Cookies: Delicious, yes. But computer cookies, not always. A cookie, in computer terms, is a small file that a website you have visited writes to your computer. Sometimes cookies serve a good purpose, like storing information that speeds up your next visit to that website. But sometimes cookies are used to keep track of which websites you visit, so in a sense they spy on you. Used that way, they are considered spying software, or spyware. Cookies are not the only type of spyware, and not all cookies are spyware.

Now, you might also have heard about temporary Internet files stored on your computer. What are they? When you visit a website, more often than not there are graphics (pictures, drawings) and other files that your web browser (Internet Explorer, Firefox and Safari are examples of web browsers) must download and open for the website to display properly. The browser keeps some of those files in a local cache folder, the temporary Internet files folder, so that it can display the website faster the next time you visit it. In other words, instead of downloading those files from the Internet again on your next visit, it simply reads them from the computer’s storage. As a concept that is good and useful, but the same mechanism means your browser fetches and processes whatever a website hands it, including files crafted to exploit a flaw in the browser or one of its plug-ins. When such a file infects your computer without you having to click on or install anything, that is known as a drive-by download infection.

The practical application of the above is immediate: if you suspect your computer may have been infected by a malicious website, a sound first step is to delete all cookies and temporary Internet files. Bear in mind that this removes the downloaded files, not whatever they may already have installed, so if you think the exploit actually ran, a full malware scan is still in order. How do you delete them? It depends on the browser you are using. You can always search your browser’s help for the specific steps, or ask an expert for instructions for your particular browser.

Some antivirus products inspect every file your browser fetches to display a website and, IF they recognize one as malicious, can stop it from infecting your computer and alert you to the fact. Of course, that is a big IF. Some products also keep lists of known malicious websites to keep you from accidentally visiting one of them and getting infected that way.

Well, now you know more about what these computer security products do and why, and what you can do about it yourself.