Archive for October, 2010

Google fixes 11 Chrome flaws as it debuts stable version 7

Posted October 31, 2010 By David Kolle

Google patched 11 vulnerabilities in Chrome last week as it updated the browser to version 7.

The security update was the fourth since Sept. 2, when Google first promoted Chrome 6 to the “stable” release, the browser’s most polished version.

Only one of the bugs patched in Chrome 7.0.517.43 was rated “critical” in Google’s four-step threat scoring system, with five tagged as “high.” Three others received the “medium” label, while two were pegged as “low.”

Google paid out only $1,000 in bounties to two researchers who reported a pair of bugs, the least it’s awarded since last June.

As usual, Google locked down its bug tracking database to hide technical details of the vulnerabilities. The company usually unlocks access to a flaw several weeks after a patch ships, to give users time to update before the information goes public.

Other browser makers, including Mozilla, do the same.

The single critical vulnerability was tersely explained as a “browser crash with form autofill.” Chrome’s developers added autofill only last August. The time-saving feature automatically enters the user’s name, address, phone number, e-mail address and credit card number in various Web site forms.

One Web site developer noted problems with Chrome’s autofill last week, saying that the browser was crashing when users submitted a form on one client’s site.

Last July, Google promised to pick up Chrome’s development pace, saying then that it would bump up the browser to a new version every six weeks or so.

The company’s made good on that with Chrome 7, which moved to the stable “channel” — Google’s term for its release editions — seven weeks after Chrome 6’s debut.

Google touted other changes to Chrome that apply to developers — including full AppleScript support on the Mac and a revamped HTML5 parser — and said that version 7 also boasted fixes for “hundreds” of non-security bugs.

According to Web metrics company Net Applications, Chrome accounted for 8% of all browsers used last month. At its current pace, Chrome will pass the 10% milestone by the end of the year.

Chrome 7 can be downloaded for Windows, Mac OS X and Linux from Google’s Web site. Users already running the browser will be updated automatically.


Oracle should piggyback on Microsoft’s update service to boost users’ chances of running a patched version of Java, a security expert said today.

“The solution would be to get rid of all these different update engines, and instead for companies like Oracle to collaborate with Microsoft to use Windows Update or WSUS to distribute fixes for Java,” said Wolfgang Kandek, CTO at Qualys.

WSUS, or Windows Server Update Services, is the business-grade update mechanism that most companies rely on to distribute Windows and other Microsoft software patches.

According to data mined from Qualys’ free BrowserCheck service, eight in 10 Windows PCs run one or more copies of Java, making Oracle’s software just as popular as Adobe’s Reader but behind Flash.

Of the systems with Java, more than 40% were running an outdated version that contained at least one critical vulnerability, Kandek said. That puts Java at the top of the unpatched list. Even Adobe’s Reader and Flash, which have gained reputations as criminals’ preferred targets, are more likely to be up-to-date.

“Malware operators are always looking for new ways to allow their programs to take control over machines,” said Kandek. “But the operating system has become increasingly difficult to attack, so exploit writers have focused their attention on critical vulnerabilities in third-party applications.”

Kandek’s spotlight on Java was no surprise: Earlier this week, Microsoft’s anti-malware team said an “unprecedented wave” of attacks was exploiting long-patched Java bugs. More than 3.5 million of the more than 6 million attacks in the first nine months of 2010, for instance, tried to exploit a Java Runtime Environment flaw patched nearly two years ago.

“While the first wave of these exploits focused on Windows Office and the second wave on Adobe Reader and Flash, we’re now seeing an increased attention on Java,” Kandek said. Oracle’s software meets hackers’ requirements: It’s widely installed, it contains a number of well-known bugs and it’s largely been ignored by IT staffers responsible for patching their organisation’s PCs.

While he acknowledged that the idea that Microsoft would distribute Java updates was a long shot, he thought it was worth considering. “The benefit is so big that if they could work together, it would result in a more robust [Windows] client,” Kandek said.

Java has an update service of its own, but it’s been criticized for being slow to notify users, and for allowing multiple editions to exist on a PC, leaving users vulnerable even if they’ve recently patched.

There is a precedent for Kandek’s proposal. Apple, for example, distributes Java security patches to Mac OS X users via its own update process. The problem there, however, is that Apple has historically patched Java on the Mac months after the fixes were posted by Sun, Java’s maker and the company Oracle acquired earlier this year.

Qualys’ BrowserCheck scans Windows and Mac machines for vulnerable browsers or plug-ins, including Flash, Java, Apple’s QuickTime and Reader. Danish vulnerability tracker Secunia offers a similar tool, dubbed Personal Software Inspector, that checks a much larger number of plug-ins and programs for outdated versions.


Apple warns of the increasing threats of Mac attacks

Posted October 31, 2010 By David Kolle

Attacks on the Mac are now significant enough to warrant Apple users investing in an anti-virus product, security company Panda Security said as it launched a new product that offers such protection.


Marketing spin to harvest the Apple economy or justified caution? Panda points to the numbers. There are now 5,000 ‘strains’ of malware that target the Mac and the company says it is seeing 500 new Mac-specific samples appearing every month.

In 2009, 34 vulnerabilities were detected in Apple’s OS X, a figure that has risen to 175 so far for 2010, with a 20-year total of 170,000 macro ‘viruses’ affecting the platform.

To be clear, such security threats relate only to Apple desktop and laptop computers and not iPads or iPhones, which are only vulnerable if they have been ‘jailbroken’ or if, somehow, a rogue app breaks through the approval process.

Security companies eyeing the affluent Apple users is nothing new and every notable antivirus company now has a Mac product, driven in part by the somewhat larger user base in the US.

However, the scale of the threat is still under question.

Relative to Windows, the comparison is no contest. New Windows malware threats outnumber Apple ones by between 100-1 and 500-1 depending on who you ask, and that ignores the vastly greater sophistication they exhibit.

Many of the software vulnerabilities Panda notes were cross-platform browser flaws, and not specific to the Mac. As to the 170,000 macro viruses, while threatening in a general sense, such malware is so obsolete on the PC that vendors don’t even bother to count them.

The argument rests on the number of new malware threats now being seen and their complexity. So far, the evidence suggests that while the odd Trojan is now appearing, Mac malware is still a low-key threat.

“We have always held the theory that when Apple reaches a more significant market share, around 15 percent worldwide (which given its current rapid growth will be achieved shortly), hackers will begin to target attacks against this platform,” claimed Panda vice president, Ivan Fermon.

“We would even say that today, the Windows operating system is more secure than Mac, simply because Microsoft (MSFT) has been working proactively on security for many years,” he added.

There are few reliable figures about Apple’s market share and those that do exist tend to relate only to the US and the consumer market. With desktop computers waning in significance, the chances of Apple taking 15 percent of sales seem extremely remote. This scale matters because it is what drives criminal interest.

Given the small but plausible nature of the threat, there is an argument that Apple itself should offer a security program as part of its offering, instead of leaving it up to third parties. It’s what Microsoft ended up doing, retro-fitting a firewall to XP and more recently giving away a free antivirus program, Security Essentials.

Ironically, the reason Microsoft avoided doing such a thing in the first place was worry over anti-trust probes which would have viewed such a move as anti-competitive. This free-market ethos woefully misunderstood the nature of the threat and the world is still cleaning up the mess today.

For the record, Panda antivirus for Mac offers realtime protection, file scanning and the ability to probe iPhones and iPads to ensure they are not harbouring malware even if that malware can’t hurt those devices.

Panda also points out that antivirus products on Macs stop Windows malware being passed on (as attachments) to PC users, although it seems unlikely many people will want to buy protection for other users who probably have their own security anyway.

Mac users interested in Panda Security for Mac can buy a one-year licence for the software for £42 (approx $66). This is higher than a Windows user would pay for equivalent protection but that is the case with all Mac software. Development costs are higher for a smaller number of users.


Millions of Facebook and Twitter users risk having private accounts hacked into after the release of an insidious new software program.

Strangers can now use “Firesheep”, freely available on the internet, to access the private accounts of anyone using unsecured wireless networks like those at hotels, cafes and libraries.

The alarming development means online hacking of private information is no longer the domain of computer experts: at the click of a button, anyone with a grudge or malicious intent could do it.

The Sunday Mail tested Firesheep last week and within 20 minutes had accessed 15 Facebook accounts and a Hotmail email account.

The first they knew that their private Facebook, Twitter and Hotmail accounts had been hacked was a tap on the shoulder.

“Oh my God,” said Austrian backpacker Carina Schmeissl, when approached by The Sunday Mail in Brisbane’s Fortitude Valley mall last week.

“It’s awful. I am shocked; that is really scary.”

An insidious new computer program, freely available on the internet, is putting millions of users of social networking sites such as Facebook at risk.

At the click of a button, “Firesheep” can access the personal accounts of anyone using an unsecured wireless network like those available at hotels, cafes or libraries.

For the first time, online hacking is no longer the domain of computer experts; now anyone with a grudge or malicious intent can target account holders.

The Sunday Mail downloaded Firesheep last week and tested it in public areas where nearby computer users had no idea that their security had been breached.

Within 20 minutes at the State Library of Queensland our computer had access to the Facebook accounts of 15 people plus a Hotmail email account. Unsuspecting student Anna Westrin was stunned when shown how easy it was to access her profile.

“I think it’s really scary that it’s so easy, especially if you can just press one button,” the 23-year-old student said.

“I wouldn’t believe it if I hadn’t seen it for myself. I’ll definitely be a lot more cautious from now on.”

Ms Schmeissl and her Austrian backpacker friend Melanie Mayr were using the free wireless internet at a McDonald’s outlet in Fortitude Valley, when we showed them how easy it was to hack into their Facebook accounts.

Firesheep, available as a free add-on to the popular internet browser Firefox, can break into 26 major websites, including Facebook, Twitter, Yahoo, Hotmail (Windows Live) and Amazon.com.

More than 200,000 people downloaded it in the first three days after its release. The online program is outside the reach of legal authorities, but Detective Superintendent Brian Hay from Queensland’s Fraud and Corporate Crime Group said anyone using Firesheep could be committing an offence.

He acknowledged the program meant computer crime had entered a whole new era.

“What was once the domain of people who were highly skilled on computers is now available to anyone through the click of a button,” Supt Hay said.

“If someone has a nefarious intent, the opportunity they have to harvest vast quantities of personal information is there and the more information we put out there the more insecure we’re going to be.

“If you use unsecure wi-fi you have to go in with the mindset that someone is accessing your computer at all times.”

Firesheep will also be of great concern to the increasing number of businesses using Facebook and Twitter accounts.

Malicious messages from their sites by hackers could expose businesses to lawsuits from customers or suppliers.

A Facebook spokeswoman said the social network was “hoping” to provide protection against such attacks “in the coming months”.

“Be careful about the information you access or send from a public wireless network. To be on the safe side, you may want to assume that other people can access any information you see or send over a public wireless network,” she said.

Seattle-based software developer Eric Butler said he released Firesheep to show the dangers of using public wi-fi networks which do not have password protection.

Mr Butler said websites had ignored their responsibility to protect users for too long.

“The real story here is not the success of Firesheep but the fact that something like it is even possible. The same can be said for the recent news that Google Street View vehicles were collecting web traffic. It should not be possible for Google or anybody to collect this data,” Mr Butler wrote on his blog.

A Microsoft spokeswoman said all Hotmail accounts would soon be protected against Firesheep attacks by full-session SSL encryption.

Mozilla, which controls the Firefox browser, said it would not block the add-on from being used.

“(Firesheep) demonstrates a security weakness in a number of popular websites, but does not exploit any vulnerability in Firefox or other Web browsers,” Mike Beltzner, director of Firefox, told computerworld.com.

Backpacker Emma Lambeth, who was using the public wi-fi while on holidays, said she could have been emailing bank details or any personal information.

“You don’t know what people could have looked at. They (websites) need to do something about this.”

What you need to know

How does Firesheep work?

If you’re using an unsecured wireless network to surf the internet, anyone can use Firesheep to intercept the communication between your computer and a website and then log in to your account.

Are all websites vulnerable?

Firesheep only attacks 26 major websites, but this list includes Facebook, Twitter, Yahoo, Flickr, Windows Live and Amazon.com.

How do you stop this?

If major websites, like Facebook and Twitter, adopt end-to-end encryption, so that session cookies and not just usernames and passwords are protected, the problem would be solved.

OK, but what can I do?

Several things. Avoid public Wi-Fi networks; if you can’t do that, subscribe to a virtual private network (VPN), which will encrypt all traffic between your computer and the internet, or download the HTTPS-Everywhere add-on for Firefox. This tool encrypts communication between your computer and a number of major websites, including Facebook and Twitter.
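The fix described above (encrypting the whole session so the cookie never travels in the clear) comes down to how a site sets its session cookie. The following is an added example, not code from the article or from Firesheep’s author: a small audit that parses Set-Cookie headers and reports session cookies lacking the Secure flag (which a browser would otherwise send over plain HTTP on an open Wi-Fi network) or the HttpOnly flag. The header lines and the cookie-name pattern are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample Set-Cookie headers modelled on the pattern the article
# describes: a login over HTTPS that then hands the browser a session cookie
# with no Secure flag, so it is also sent on every plain-HTTP request.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",                        # no Secure flag
    "csrftoken=x9y8z7; Path=/; Secure; HttpOnly; SameSite=Lax",  # correctly flagged
    "prefs=dark; Path=/",                                        # not a session cookie
]

# Heuristic (an assumption for this example) for which cookie names carry a session.
SESSION_NAMES = re.compile(r"(sess|sid|auth|token|login)", re.I)


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header into name, value and lower-cased attributes.

    Boolean attributes such as Secure and HttpOnly are stored with an empty value.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit(headers: List[str]) -> List[str]:
    """Return one finding per session cookie that could be replayed from the clear."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not SESSION_NAMES.search(cookie["name"]):
            continue  # preference cookies are not worth a finding here
        if "secure" not in cookie:
            findings.append(f"{cookie['name']}: missing Secure; sent in the clear over HTTP")
        if "httponly" not in cookie:
            findings.append(f"{cookie['name']}: missing HttpOnly; readable by page script")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```

Run against real responses, the same parser can be fed the Set-Cookie headers a site returns after login; a finding on the session cookie is exactly the gap that full-session SSL plus the Secure flag closes.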

I want to learn more

Watch this video by the man who created Firesheep
