Data breaches and security

One depressing aspect of modern technology is its failure to tackle security in a serious way. Almost on a weekly basis we hear of data breaches, lost passwords and patches.

In the last few days, manufacturers have rushed out updates to their products to fix newly discovered exploits.
Internet Explorer is a frequent culprit and even US service personnel were affected by it. So, if you wish to remain secure, stop using IE!

However, it is not just early versions of IE that are the problem. ZDNet reports:

“Microsoft has issued a security advisory for a vulnerability in Internet Explorer 9 and 10 being exploited in the wild.

We wrote last week on the initial reports of exploits in the wild, as reported by security firm Fireeye. Fireeye and Symantec are both credited in the Microsoft advisory as having worked with Microsoft on the issue.

The vulnerability is a “use after free” remote code execution vulnerability. As in the case found by Fireeye, it can lead to a system being taken over if the user is lured to visit a web site in a vulnerable browser. The vulnerability does not, on its own, elevate privilege, so if the user is running unprivileged, the exploit will also be unprivileged.

Internet Explorer 9 is vulnerable according to Microsoft, although the actual exploits in the wild are only targeting Internet Explorer 10. Microsoft says that IE versions 6, 7, 8 and 11 are not vulnerable, so if you are on a platform which supports it, upgrading to IE 11 will address the issue.”

The Microsoft Security Research and Defense blog details it, but upgrading to IE11 is not a viable option for many people.

My advice: best patch regularly and then avoid IE.

Adobe Flash is problematic too, as IT News describes:

“Adobe planned to release an emergency update for Flash Player on Thursday, after security vendor FireEye pointed to a zero-day exploit used by attackers to target visitors to websites of three nonprofits, two of which focus on national security and public policy.

The Flash exploit allowed attackers to target users of the websites of the Peterson Institute for International Economics at PIIE.com, the American Research Center in Egypt at ARCE.org and the Smith Richardson Foundation at SFR.org. The exploit can compromise Flash users on Windows XP or those with Windows 7 who have Java 1.6 or an outdated version of Microsoft Office 2007 or 2010 installed, FireEye said.”

The Malwarebytes blog is more direct:

“The following versions and operating systems are affected:

Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.336 and earlier versions for Linux
Adobe AIR 4.0.0.1390 and earlier versions for Android

In order to bypass Address Space Layout Randomization (ASLR) protection in Windows, this attack relied on either one of the following configurations:

Windows XP
Windows 7 and Java 1.6
Windows 7 and outdated Microsoft Office 2007/2010”

Finally, even Windows Update gets patched:

“Microsoft has released a non-critical, non-security update to fix a bug in the Windows Update system in certain versions of Windows.”
