Monthly Archives: April 2014

Microsoft Internet Explorer Use-After-Free Vulnerability Being Actively Exploited

In case you’re wondering what the hell “use-after-free” means, it’s when a program frees a piece of memory it was using but then keeps using it anyway; whatever gets placed into that freed memory next can be controlled for malicious purposes. Thus, use-after-free.
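To make the bug class concrete, here is a small C example added to this post (it is not the author’s code and has nothing to do with Internet Explorer’s actual internals): a buggy function that keeps a stale pointer to a freed object, next to a hardened version that clears the pointer on free and refuses to read through it afterwards. The session object and all function names are made up for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Toy "session" object, constructed for this example only. */
typedef struct {
    char name[16];
    int privileged;                /* 0 = ordinary user, 1 = trusted */
} session_t;

/* BUGGY PATTERN: another part of the program remembers a pointer to the
   object, the object is freed, and the stale pointer is read anyway. The
   program now trusts whatever the allocator puts in that memory next.
   Shown for contrast only; never called, because that read is undefined. */
static session_t *cached;          /* stale reference kept somewhere else */

int buggy_is_privileged(void) {
    session_t *s = calloc(1, sizeof *s);
    if (s == NULL) return -1;
    cached = s;                    /* someone else remembers the object   */
    free(s);                       /* memory released ...                 */
    return cached->privileged;     /* ... but still used: use-after-free  */
}

/* HARDENED PATTERN: one owning handle, cleared on free, checked on use. */
typedef struct { session_t *s; } session_handle_t;   /* s == NULL once closed */

void session_open(session_handle_t *h, const char *name) {
    h->s = calloc(1, sizeof *h->s);                  /* zeroed: privileged = 0 */
    if (h->s) strncpy(h->s->name, name, sizeof h->s->name - 1);
}

void session_close(session_handle_t *h) {
    free(h->s);
    h->s = NULL;                   /* no dangling reference survives the free */
}

/* 1 = privileged, 0 = not, -1 = session already released (refuse to read). */
int session_is_privileged(const session_handle_t *h) {
    return h->s ? h->s->privileged : -1;
}

/* Small drivers so the behaviour can be checked without any undefined read. */
int check_while_open(void) {
    session_handle_t h;
    session_open(&h, "guest");
    int r = session_is_privileged(&h);               /* 0 */
    session_close(&h);
    return r;
}
int check_after_close(void) {
    session_handle_t h;
    session_open(&h, "guest");
    session_close(&h);
    return session_is_privileged(&h);                /* -1 */
}
```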

So, a vulnerability exploiting this type of scenario has been uncovered for all versions of Internet Explorer, and is currently being exploited in the wild by hackers. There is no current patch or remedy for it, other than, as I’ve advised before, stopping the use of Internet Explorer altogether by installing an alternate web browser such as Mozilla Firefox, Google Chrome, Apple’s Safari, Opera, etc.

Interestingly, every now and then somebody will ask me if it’s possible to infect a computer simply by opening (displaying) the wrong email. This is one of the cases where, given the right circumstances and with a properly crafted email, the vulnerability could be exploited by just opening that email, especially if you’re using an older version of Microsoft Outlook (2003 or older).

Similarly, this can be exploited by luring a user to the wrong page of a website and having it displayed in Internet Explorer.

I’ll advise once a patch is available for this vulnerability.

HeartBleed, All You Need To Know

I have seen so many people write about this that I was purposely not writing about it… I should know better – every time there’s a major issue in the field of computer security, if I don’t write about it I get a ton of emails asking me for my viewpoint on the issue or my viewpoint on what others write about the issue… It’s all good though. It’s my fault for being lazy and not writing about it in the first place. So here it is. I’m staying away from any technobabble and keeping it simple.

The first thing you need to know is that HeartBleed is a vulnerability that, when exploited, can be used to steal information from websites. This is accomplished by accessing the memory of the computers where the websites’ data is stored (ALL websites are stored in computers, “servers”, although not all websites are vulnerable to this “bug”). What does that mean to you? If you deal with a particular website that is vulnerable, let’s say your bank’s website, or your email’s website, and so forth, the information you provide to that website on a regular basis, such as your username and password and potentially more, could be compromised (stolen).

I read somebody writing about the fact that the vulnerability was discovered by “good guys” and therefore has not been exploited by hackers. I laugh at that statement. The people credited with discovering the vulnerability might be good guys, but I bet anything the bad guys know about it too.

And because of where the vulnerability is being exploited, i.e. not in your computer, it doesn’t matter what kind of security measures you have in place in your computer(s), the vulnerability is still a threat because it’s been exploited “server side”, meaning at the computers where the websites are stored.

So what do you do? The first thing that comes to mind to most users will be, since we’re talking about a potential leak of your data, to change your passwords for all the websites that you use (that require a username and password). And that’s not a bad idea, but let’s not rush into that. The reason for not doing that as a first immediate step is that there is an ongoing global effort to fix the cause of the vulnerability, so you want to make sure a particular website has been fixed before you change your password for it; otherwise your information could be stolen again and you’d be in the same spot.

Therefore the thing to do is to check every particular website you plan to change your password for, and make sure it has been fixed before proceeding to change your password for it, and so forth. How do you do that?

Several websites have been set up where you can enter a particular website address and they will tell you whether or not that website is vulnerable, has been patched, or was not affected to begin with. https://lastpass.com/heartbleed/ is one that comes to mind that you can use. Also, here’s a list of the top 100 websites people normally use, and their status as to whether they have been fixed or not (scroll down when you click on this link to see the list): http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

It is always a good idea to change your passwords periodically anyways, so go ahead and change them once you know a particular website you deal with has been fixed. And, don’t forget. If you’re the typical user that only has 1, 2 or 3 passwords for everything, change your passwords for the websites that are labeled as “were never affected” if you have used the same password in a website that was vulnerable.

Hope this helps. Feel free to ask any questions on the subject.


It Can Happen to Anyone

A cautionary tale. Yesterday a client forwarded me an email that he considered fishy, and asked for my opinion. The email contained an attachment, and so I set out to find out what opening the attachment did.

Now normally I take extra precautions when doing something like that, so that any bad “jujus” contained in suspicious files are not allowed to damage my computer. But I guess I had gotten overconfident with time and so I opened the attachment, with just the normal defenses I have in place, as per my own security model. Nothing seemed to happen, which made me suspicious. Anyways, I analyzed the attachment with a service that scans it against 49 different antivirus programs, and it did turn out to be a malicious file. I got rid of it but missed the fact that it had already delivered its payload and that in turn was now waiting to hack my computer. Ha.

Long story short, when I came to the computer this morning I found evidence that a hack attempt had been performed on my computer, emphasis on attempt. AppGuard had blocked the execution of a password stealer that was going to be used to attempt to steal the passwords stored in Internet Explorer, Firefox, Chrome, etc. (not that there are any, I have a standalone password manager and never use the browser’s capability to store passwords for that very reason).

With a chuckle at the clever attempt to hack my computer, I proceeded to scan and clean up any infected files. This was no doubt the closest I had come in years to an actual computer security breach. Mind you, the attempt failed, but only because the last layer in my security model, AppGuard, had stopped the unauthorized run of the password stealer that had been placed in an obscure location in my computer. Which brings me to the point of the story.

If it can happen to me, it can happen to anyone. Except that the classic, usual outcome in most cases, if you open the wrong attachment or click on the wrong link, is an infected computer, passwords or other information stolen, and so forth. So when it comes to online-related activities, always be alert, always be careful, never let your guard down. Oh, and implement my security model 🙂