Microsoft Security Bulletins for March 2008

Microsoft has released 4 security bulletins for March. All are for Office products and all are rated critical for one or more of the affected products. There weren’t any OS or IE updates this month. Since I don’t run any Office products I didn’t install any Microsoft updates this month, but these were the updates:

MS08-014 is a security update that patches several vulnerabilities in Microsoft Excel. Microsoft Excel 2003 Service Pack 3 and Microsoft Excel 2007 Service Pack 1 are not affected but other versions of Excel are vulnerable. Vulnerable versions include Office 2004 and Office 2008 for the Mac. The Office 2007 Compatibility pack is also vulnerable as is the Excel 2003 viewer.

MS08-015 is a critical update for Microsoft Outlook. Microsoft Outlook 2007 Service Pack 1 is not vulnerable but all other versions are vulnerable.

MS08-016 is a security update for Microsoft Office. Vulnerable versions include Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 2, Microsoft Office Excel 2003 Viewer (base version & Service pack 3), and Microsoft Office 2004 for Mac.

MS08-017 is a critical update for Microsoft Office Web Components. Client vulnerabilities include Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Visual Studio .NET 2002 Service Pack 1, and Visual Studio .NET 2003 Service Pack 1.

While none of these patches apply to me, my Windows Vista Home Premium and Windows Vista Ultimate installations did have three updates waiting in Windows Update: the Windows Malicious Software Removal Tool, the March update for the Windows Mail Junk E-Mail filter, and a generic “Update for Windows Vista” described as:

Update for Windows Vista (KB946041)

Download size: 581 KB

You may need to restart your computer for this update to take effect.

Update type: Recommended

This is a reliability update. This update resolves some performance and reliability issues in Windows Vista. By applying this update, you can achieve better performance and responsiveness in various scenarios. After you install this item, you may have to restart your computer.

More information:
http://support.microsoft.com/kb/946041

Windows Update also includes Microsoft Silverlight 1.0 as an optional installation. I decided to go ahead and install it. The updates installed without any issues; a restart was required. The first time I went to a Microsoft website I had to accept the Silverlight license agreement and enable Silverlight itself.

Microsoft Security Bulletins for February 2008

Microsoft released 11 security bulletins for February 2008; six are rated critical and five are important. My Windows XP Pro SP2 installation received the following updates through Windows Update:

MS08-010 – Cumulative Update for Internet Explorer (critical)

MS08-007 – Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution (critical)

MS08-008 – Vulnerability in OLE Automation Could Allow Remote Code Execution (critical)

A reboot was required.

I’m running the Windows Vista SP1 Release Candidate so I didn’t get any updates on that machine. I don’t run MS Office apps so I avoided those updates too. I’m all updated out so I’m not going to cover the other updates. Suffice it to say that any copies of Windows or Office you have will get updated. For more information you can read CNet’s article, which has the CliffsNotes version of the MS bulletins.

Security Quest #17: Microsoft Edition

Another second Tuesday of the month and another set of Microsoft patches. I realize it’s important to patch vulnerabilities as soon as possible and this monthly release schedule tends to go against that, but I like the consistency and ability to plan.

Anyway, this week brought two patches. The first is MS08-001, titled “Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution”. This affects all supported desktop OSes. It’s rated as Important for Windows 2000 and Critical for all flavors of Windows XP and Windows Vista. I didn’t have any problems applying this update to my two Windows XP SP2 installations. There wasn’t any update through Windows Update for my Vista SP1 RC1 install so I don’t have any experience with that one.

MS08-002 is titled “Vulnerability in LSASS Could Allow Local Elevation of Privilege” and is for Windows 2000 and Windows XP on the desktop. It’s rated as Important. If someone already has logon credentials they can use this vulnerability to elevate their privileges.

There’s no cumulative IE update or any Office updates this month.


Microsoft Security Resources

Additional security resources from Microsoft:

Microsoft Security Newsletter is a monthly e-mail covering security topics from Microsoft. To subscribe you’ll need a Microsoft Live ID (formerly Passport), although the newsletter can go to any e-mail address. You’ll also be required to provide a name. By default the box to also receive other Microsoft e-mails is checked, so be sure to uncheck it (unless you want the e-mails). You can also view the latest newsletter without subscribing.

Microsoft provides several levels of security notifications via several methods. They provide either basic or comprehensive alerts along with additional non-vulnerability advisories and a blog. Delivery methods include e-mail, RSS, Windows Live Alerts and the website.

A security bulletin search is provided that allows searching by date, product and severity rating.

They also have a new (at least to me) Malware Protection Center that lists information about malware and provides links to Microsoft tools.

Spam Counts

This week’s spam counts:

Primary Mailbox 30-day spam count: 2

This is down one from last week and none of it is new.

Public Mailbox 30-day spam count: 156

Down 20 from last week with new spam this week at 21 pieces.

Website comment and trackback spam: 7,573

This is up 73 from last week.

Security Quest #15: Links & Numbers


Not much happening this holiday week so just some spam numbers and links.

Spam Counts

My primary mailbox (which manages multiple addresses) didn’t get any new spam messages and the 30-day count is down to four from last week’s seven.

My more public GMail address received a bunch of spam messages this past week, all of which was filtered by GMail. The thirty day count jumped to 176, up from 154 messages last week.

This site’s spam comment count jumped to 7,414, up 73 from last week. All were caught by the Spam Karma plugin.

News & Links

ArsTechnica.com: Malware construction kit authors arrested, to be tried – The Russians have arrested two malware toolkit authors.


CNet.com: Problems updating the Flash player in Firefox? Here’s help – The article provides the reasons I hate Flash player. What the rather long article explains is the steps necessary to remove the old, vulnerable versions of Flash Player.

Davidairey.co.uk: WARNING: Google’s GMail security failure leaves my business sabotaged – David had his GMail account hacked due to a vulnerability (since fixed), which led to his domain name being stolen from him.


Engadget.com: Security exploit bricks HP and Compaq laptops – Engadget reports on a Polish security researcher finding yet more exploits in HP/Compaq products.


Heise-Security.co.uk: Antivirus protection worse than a year ago – Heise Security points to a study that shows antivirus effectiveness has fallen from a year ago. One reason given is the “professionalization of the malware scene”.


Kaspersky.com: False positive detection – system file explorer.exe – Here’s the Kaspersky fix if you got bitten by the false virus detection on explorer.exe.


News.com: Kaspersky inadvertently quarantines Windows Explorer – Kaspersky had a problem with their virus definitions and quarantined explorer.exe as the Huhk-C virus.


Techdirt.com: Sears.com – Join Our Community… So We Can Spy On Your Every Online Move – Techdirt brings news of a report from CA that Sears.com’s “community” is really a ploy to get you to install the Comscore toolbar and watch your online moves.

Security Quest #14: Apple Releases Security Patches

Apple released Security Update 2007-009 for OS X 10.4.11 Tiger and OS X 10.5.1 Leopard on Monday. The Apple support article lists 41 vulnerabilities that were patched. Patched components include Core Foundation, CUPS, Flash Player Plug-in, Launch Services, perl, python, Quick Look, ruby, Safari, Samba, Shockwave Plug-in, and Spin Tracer. The update requires a reboot.

The Leopard update was a 35.4MB download on my Intel Macs through Apple Automatic Update. It’s also available as a 35.6MB standalone download. There are two versions for Tiger. The PPC version is a 15.9MB standalone download and the Universal version is a 27.4MB standalone download.

I applied the update to my iMac, MacBook and Mac Mini. All are running OS X 10.5.1 Leopard on Intel CPUs. I’ve been running the update for a little over a day without a specific problem but have had some new instability. Not necessarily due to the updates, but they are new problems.

On my iMac, Parallels is a bit unstable. Windows XP SP2 is having some network connectivity issues and some keyboard issues. On the network side of things some connections time out through Windows while connecting fine in OS X. There are so many potential failure points for Internet sites that it’s hard to point the finger at the update and be sure. The keyboard issue within Parallels is more annoying. Sometimes the VM starts up in caps mode (while staying lower case in OS X) until I restart the VM. It also buffers keystrokes and falls behind my two-finger typing. But I haven’t seen any info that others are experiencing the problem.

My MacBook has gotten the gray screen of death once since the update. It was soon after startup and Safari was the only app running. I think that was the first OS crash for the MacBook. It’s been OK since and I’m using it now.

The problems can’t be tied to the update and they aren’t persistent, but my Macs have been stable and the updates were the last change before the problems occurred. That’s usually the place to start.


Spam Counts

Time to start keeping track of my spam again, at least for awhile.

Spam to my primary GMail mailbox (which manages multiple e-mail addresses) amounted to seven spam messages in the last 30 days. What’s interesting is which e-mail addresses were used. Back in October when I redesigned the web site I decided to stop using two addresses which appeared on the site. I removed one at that time. I missed the second one and it still appears on the web site in clear text/HTML since I removed the obfuscation plug-in. The one in clear text since October picked up three e-mail messages that are clearly spam. The address that I removed was picked up by a software company and I received three “promotional” e-mails from them. You could say they’re on topic for the blog but there’s no unsubscribe link and GMail sees them as spam. The seventh spam e-mail was sent to my Yahoo e-mail, which I’ve never given out. I canceled AT&T/Yahoo as my ISP but the e-mail account remains.

A GMail address I use extensively picked up 2 spam messages in the last 30 days, both blocked by GMail. I don’t use this account with places that are high spam risks but I’m actually surprised there’s not more yet.

A third GMail address that gets used almost exclusively where there’s a high risk of spam received 154 spam emails in the last thirty days. This is less than 50% of what the count was in June. On June 24th there were 343 spam messages in the previous 30 days.

Much to GMail’s credit, their spam filter works well for me, as they didn’t let anything through and didn’t flag anything I wanted.

I use the Spam Karma plugin for WordPress on this website. So far it’s caught 7,341 spam comments.


News & Links

Apple.com: About the security content of Java Release 6 for Mac OS X 10.4 – Apple released a Java security update for Mac OS X 10.4 Tiger. I don’t have any Macs running Tiger so I don’t have any first-hand experience.

Apple.com: Safari 3 Beta Updated – Safari 3.0.4 beta for Windows XP/Vista.

Security Quest #13: Microsoft Patch Tuesday

Yesterday was Patch Tuesday for December and Microsoft released seven security bulletins. There weren’t any Office updates but there were updates for all supported OSes – Windows 2000 Professional SP4 to Windows XP SP2, and Windows Vista – along with updates for Internet Explorer 6 and IE 7. All the updates are available through Automatic Updates or the Microsoft web site. Microsoft has said that exploits for the IE vulnerabilities are already being used. Click the bulletin number to go directly to the MS bulletin. I do not mention server OSes when saying what OS the patch is for, only desktop OSes and apps.

MS07-063 is for Windows Vista, including the 64-bit version, and is rated as Important. The vulnerability could allow remote code execution but it’s mitigated by the fact that SMB2 is off by default and not used when connecting to previous OS’s (like Windows XP).

MS07-064 is for DirectX 7 and 8 on Windows 2000; DirectX 9 on Windows 2000, Windows XP and Windows Vista; DirectX 10 on Windows Vista. The patch is rated Critical on all systems.

MS07-065 is for Windows 2000 Pro and Windows XP. It’s rated as Important on Windows 2000 and Moderate on Windows XP. An attacker that already has valid logon credentials could elevate their privileges.

MS07-066 is for Windows Vista, including 64-bit, and is rated as Important. The vulnerability could allow the elevation of privileges.

MS07-067 is for Windows XP and it’s rated as Important. It also allows privilege elevation.

MS07-068 is for Windows 2000, Windows XP and Windows Vista and it’s rated as Critical. The patch varies based on the version of the Windows Media Format Runtime that is installed and isn’t OS specific. The vulnerability can allow remote code execution.

MS07-069 is the always expected Internet Explorer cumulative update and is for Internet Explorer 6 and Internet Explorer 7 on Windows 2000, Windows XP and Windows Vista, and also for Internet Explorer 5.01 on Windows 2000. It’s rated as Critical on all desktop OSes.

I run a basic (no additional software) Windows Vista Ultimate VM and it updated without a problem. The same for a basic Windows XP SP2 VM I also run. The updates were installed through Automatic Update.

News & Links

ArsTechnica.com: Rating antivirus software: vendors to agree on standard testing guidelines – Software vendors are working to come up with a standard way of evaluating and comparing AV software.

ArsTechnica.com: SAFE Act won’t turn mom-and-pop shops into WiFi cops – There was a lot of hysteria about this bill in various articles. Mainly saying that it required free Wi-Fi providers to monitor users. Ars Technica has a more reasoned article (as they usually do).

Avast.com: Avast AntiVirus Home Edition – Free virus protection for your home PC – Avast has updated their free (or personal use) Anti-Virus software.

F-Secure.com: Data Security Summary – July to December 2007 – F-Secure has published their year-end data security summary in both written and video form.

Google Privacy: Emails, Off-the-record Chats – Continuing the privacy theme, information on GMail and Google chat.

News.Com: Free online service cuts back on catalog clutter – Reduce the snail-mail spam.

News.com: Grisoft acquires Exploit Prevention Labs – Grisoft adds web page scanning to its tools.

OpenOffice.org: OpenOffice.org 2.3.1 Released – OOo released version 2.3.1 which patches one vulnerability and includes a few other bug fixes.

Techdirt.com: Verizon’s Idea Of Security: We Block Spyware… Unless It’s From Our Partners – TechDirt says Verizon’s security service has some deficiencies.

WashingtonPost.com: Top 10 Best & Worst Anti-Phishing Web Registrars – Security Fix – Some registrars are better than others when taking down phishing sites. Plus, there’s an effort to standardize the take down process.

WinSuperSite.com: Windows Live OneCare 2.0 Review – Good review of the latest Windows OneCare version

Wired.com: AIM Hack Shows AOL Hasn’t Patched Critical Security Hole – AOL often plugs vulnerabilities in AIM by doing server-side filtering.

Yahoo.com: Google Disables Some Gmail Accounts by Mistake – Seems like Google disabled some GMail accounts for spamming or other TOS violations. It’s all better now, but some mail may have been bounced.

Security Quest #12: Privacy

Facebook caused an uproar over the past week with their new Beacon advertising service. Being the last human not to have a Facebook account I didn’t follow the story too much at first, but then it became hard to ignore. At the very least it was a public relations disaster for Facebook, although I suspect it won’t really affect their membership numbers. Ars Technica has a pretty good summary and includes the changes Facebook made in response to the outcry. But it appears Facebook may still have a ways to go. PC World reports that Beacon tracks non-Facebook users and logged off Facebook users. It appears nobody at Facebook talked to their users and they implemented Beacon without really explaining what it meant before it kicked in for users.

I find it interesting that Google most definitely has as much info about users but tries to keep a low profile. When there’s an uproar about Google it’s about what they might do with the data. With Facebook it’s what they were actually doing with the data. Google pulls us in slowly; Facebook wanted it to overwhelm us.

Also in the privacy arena, the November 22nd Security Now podcast talked about third-party cookies, specifically PayPal’s routing of links through Doubleclick to avoid the issue of browsers rejecting third-party cookies. As the podcast mentions, this could give the Doubleclick advertising network access to information about you. I don’t use PayPal a lot, and while I don’t like what they do I won’t use it any less. I use PayPal when a credit card isn’t accepted or I don’t want to give a website my credit card number, so it would remain my preferred, if reluctant, choice. It may get me to go through the hassle of using a one-time credit card number my bank offers.

Software Vulnerabilities

Symantec is reporting that an active exploit is in the wild for a QuickTime vulnerability that was first reported last week. From the article:

Hamada said the exploit code was found on a compromised porn site that redirects users to a site hosting malicious software called “Downloader.” Downloader is a Trojan that causes compromised machines to download other malicious software from the Internet. Symantec rates Downloader as “very low” risk.

A second QuickTime flaw has also just been reported.

News & Links

Blogger in Draft: New feature: OpenID commenting – Google has begun testing OpenID with their “Blogger in Draft” program.

CNet.com: McAfee Internet Security Suite 2008 – complete package Internet security and firewall reviews – CNet reviewed McAfee Internet Security Suite 2008, rated it 7.3 out of 10 and said “McAfee Internet Security 2008 trounces Norton Internet Security 2008, offering a better designed product with more security tools.”

Google Online Security Blog: Help us fill in the gaps! – Google is asking users to report malicious websites they come across by filling out an online form.

MSNBC.com: Virus experts warn of ‘Google poisoning’ – The Red Tape Chronicles – Info about malware distribution via websites is making its way into the general news.

News.com: Inviting the hackers inside – News.com article about how Microsoft has taken a more inclusive approach to security.

News.com: Yahoo, Adobe team on PDF ads – Advertising can now infect PDF files.

WinSuperSite.com: Windows Live OneCare 2.0 Review – Good review of the latest Windows OneCare version.

Wired.com: Spammers Giving Up? Google Thinks So – Google says that spam is down (as a percentage of all mail) through their GMail system.

theage.com.au: Flaw leaves Microsoft looking like a turkey – Vulnerability in Windows that was thought patched 5 years ago still exists under some conditions. Vista is affected too. via tech.blorge.com

Security Quest #10: Microsoft Patch Tuesday

Another second Tuesday of the month and another bundle of patches from Microsoft was expected. This time around there’s only one update for Microsoft desktops. Windows Vista goes patch-less this month.

MS07-061 is a critical update for Windows XP on the desktop. It’s for both the regular and 64-bit editions. It supersedes MS06-045 and patches a vulnerability that allowed remote code execution when a specially crafted URI was passed. Windows 2000 Professional & Windows Vista are not affected. Several server versions also require the patch. I needed to reboot after installing this patch through automatic update.

MS07-062 was also released but it is only for servers.

Old Business

I’d previously written about the PayPal security fob and VeriSign’s Personal Identity Protection program (PIP). VeriSign has since added a credit card sized “security card” that can be carried in a wallet. It’s not available at the subsidized PayPal price and it’ll set you back $48. At least it appears these are gaining traction, which is good. It appears that now multiple fobs can be registered with the same ID, so you can have one for the home and one for the office if you don’t want to carry them.

News & Links

News.com: Microsoft exec calls XP hack ‘frightening’ – Not really news, but points out that patching is needed. A Windows XP SP1 PC without a firewall or other security software was easily hacked, is this really news? SP2 enables a firewall by default.

News.com: ‘Botmaster’ admits infecting 250,000 computers – Security consultant by day, botmaster by night. John Schiefer could get a 60 year jail sentence after pleading guilty.

News.com: Infamous Russian malware gang vanishes – The Russian Business Network has vanished. No one thinks they packed their toys away.

Wired.com: Encrypted E-Mail Company Hushmail Spills to Feds – Hushmail’s easiest to use service is not so private. Hushmail provides encrypted e-mail. They offer a service that performs the encryption on their server. While easier to use, it does mean they see your passphrase, unlike their client-side encryption products.

arstechnica.com: Malware-pushing web sites on the rise, say researchers: 66,000 and counting – Malware hosting websites on the rise according to researchers.

crunchgear.com: Drive Erazer erazes your drivez – If you have a lot of hard drives that you really want to erase.

engadget.com: Some Maxtor Personal Storage 3200s shipped with virus – Oops.

Security Quest #9 – OSX.RSPlug.A Brings Macs Mainstream

There was news last week of a piece of malware targeting OS X. It’s called OSX.RSPlug.A (a.k.a. DNSChanger) and it’s a trojan distributed through porn sites (no puns). A lot was made of the fact that this *could* redirect browsers to malicious websites, such as phishing sites.

The only real news here was that OS X was specifically targeted by a malware writer. It didn’t exploit any deficiency in OS X security. The only way to get the malware to install was to convince the user that they wanted to install the software. Intego and other security software vendors are promoting the fact that they can detect the trojan.

Let’s look at what’s involved to infect a Mac with this bug. You had to:

  • Visit a website, in this case a porn site, and be enticed into downloading a file. In this case it was said to be a codec needed to view some videos.
  • After downloading the DMG file you had to open it and run the installer.
  • When the installer ran you’d be prompted for your password which you’d have to enter.
  • Then the software would install.

So the only security hole was between the keyboard and the chair, not in the software.

MacWorld has a good article on how to detect the trojan.

The first rule of PC (personal computer, including Macs) should always be only install software from trusted sources. This wasn’t a drive-by install where the user visited a website and it automatically installed. On the other hand, there are people who say they visit websites in bad neighborhoods with Macs since it’s safe and secure. This does show that Macs are beginning to be targeted so that is probably not a good attitude. As much care needs to be taken on Macs as on Windows machines.

One of the things that make Macs a less than perfect choice for visiting bad neighborhoods is that Safari has “Open Safe Files after downloading” enabled by default. It’s a poorly named option and should be turned off. Safari doesn’t determine safety. What it really means is that it will open files which don’t automatically execute anything when all systems are working. This includes DMG and PDF files, which have recently carried malware. If a vulnerability was found that enabled auto execution, this default setting could be deadly. If nothing else, the name gives a false sense of security since it sounds like OS X can determine if the file is safe or not. This is set under Safari preferences, on the General tab. Click the thumbnail at the beginning of this paragraph to see the setting. The screen shot shows the Safari defaults.

If you want to visit bad neighborhoods or want an extra level of protection there is software available to help protect your Mac.

ClamXav is a free (donationware) virus checker for OS X that’s built on the open source ClamAV anti-virus engine. The software allows certain directories to be watched, and all file changes in those directories will be scanned. Scans can also be scheduled. There isn’t any real-time scanning, other than the watch directories feature. I used ClamXav under Tiger but there are currently Leopard issues so I haven’t re-installed it since upgrading. These issues appear related to scheduling and other non-detection-related features.

Intego has a full menu of security products. They are clearly the market leader in OS X security software. When I switched from Windows I naturally wanted anti-virus software so I purchased an earlier version of their anti-virus software. While I never came across any viruses for it to detect the software seemed fine. My main complaint is I feel they’re expensive. Be aware that their products that include definition updates may have just a one year subscription. I stopped using them when my subscription ran out and I didn’t feel the upgrade cost was justified for me. They also promoted paid upgrades through the same update engine that pulled down virus definition updates but didn’t identify them as paid until the update was selected, which was annoying. Intego has stated all their products are Leopard compatible. Trial versions are available.
MacScan by SecureMac is an anti-spyware program for OS X that is currently Leopard compatible. This is a traditional anti-spyware program that scans the Mac on demand or on a schedule. Detection ranges from tracking cookies to key loggers. A thirty day demo is available. I downloaded and ran the demo today. I’ll have more info when I’ve run it awhile, but it’s a fairly simple interface, as is shown by the thumbnail at the beginning of this paragraph (click to see full screen). The 41 pieces of spyware detected in the scan were all tracking cookies from websites and web ads. When spyware is detected you have the option of picking and choosing which you want “isolated” in MacScan terms. Despite the term, tracking cookies are just deleted.

Both McAfee and Symantec have security software for the Mac. Neither seems to have particularly good reviews available. The Symantec software can be viewed here (select Macintosh Products from the drop down list). McAfee information is here. Neither Symantec nor McAfee products appear Leopard ready.

ClamXav and MacScan appeal to me because they are non-intrusive on the system. They are also the lowest cost solutions. I’ll probably stick with ClamXav.

The Intego, McAfee and Symantec products all cause me the same concern – that they’re too intrusive on the system and aren’t worth the performance cost. But if I knew I’d be going into bad neighborhoods I’d give Intego a try. At least they’re dedicated to the Mac platform. Just beware of feature bloat intended to justify their existence and upgrades.

I’m a believer that computer habits are better prevention than software. If you’re switching from Windows and used anti-virus, or have been using a paid virus scanner on the Mac, ask yourself how many viruses were detected by the software you used.

Software News

CCleaner – Home – CCleaner is a freeware privacy tool and has recently been updated to version 2.02.525.

TUAW.com: Free download of 1Password 2.5.3, courtesy Macworld – 1Passwd is free for a limited time and with limitations (no upgrades, no access to online version). Mac software used by many.

News & Links


Apple.com: Mac OS X 10.5: About the PubSub Agent – Apple lets us know that it’s OK for PubSub to access our keychain.

BlogSecurity.net: ModSecurity and WordPress: Defense in Depth – Paper about securing WordPress

Bogus FTC e-mail has virus | CNET News.com – FTC’s name is being used by spammers to spread malware

Intego reporting new OS X trojan horse in the wild – The Unofficial Apple Weblog (TUAW) – New Mac trojan. Like the article says, it doesn’t install itself. It requires the user to install and provide admin permission.

Macworld.com: Secrets: How to: Discover malware before installing – MacWorld provides some tips on how to avoid and detect malware without having to buy software.

WashingtonPost.com: Deconstructing the Fake FTC E-mail Virus Attack – Security Fix – Interesting Security Fix blog post about a successful e-mail phishing attack. The vulnerability exploited was the user. Note the update at the end, which links to a report showing only half of AV software detected the malware.

WashingtonPost.com: Hiding In Plain Sight – Security Fix – I’ve told Windows to show file extensions for so long I forgot about this. A good reminder to set Windows to tell all it knows.

WashingtonPost.com: Salesforce.com Acknowledges Data Loss – Security Fix – looks like salesforce.com fell for a phishing scam and lost control of some customer data, resulting in a wave of phishing emails targeting their customers.

Security Quest #8 – Leopard Default Insecurity

This article is obsolete. Images and broken external links have been removed.

The default OS X install has always annoyed me with its security holes. Since I did a fresh install of OS X 10.5 Leopard it was necessary for me to go through and change those settings. Here’s what I changed.

Under security preferences I enable requiring a logon when returning from sleep or screen saver and disable automatic logon.


It’s a minor inconvenience, but if my Mac is ever stolen it will prevent the thief from logging on and using the Mac as me. It also makes it harder to get to the files on disk, as they need some technical knowledge and another computer.

On a related note: I enable the Master Password in Firefox. I have to enter the password when I start Firefox, but it would prevent someone from easily accessing websites using my saved passwords by simply firing up Firefox.

Because my MacBook travels and is more likely to get stolen I usually enable FileVault, but I haven’t enabled it yet. I’ll enable it once I’ve used the laptop a few days and know it’s stable.

I was surprised to see that the firewall defaulted to “Allow all incoming connections”. This seems like a step back. The biggest single improvement Microsoft made to Windows security was to enable the firewall by default starting with Windows XP SP2. If you’re behind a home router there’s probably little cause for concern, but a direct Internet connection or a laptop that uses public networks would be at risk.

I set the firewall to block all incoming connections. Leopard will automatically open ports for the OS X services I enable. (This itself sounds like a problem, in that it seems there’s no way to block some traffic on the firewall if Apple decides it’s needed.) If I find needed apps are being blocked I’ll change to “Set Access for Specific Services and Applications” and add the apps to the list.


I also went into the Advanced button and enabled logging (for curiosity) and Stealth mode.


When behind a home router (assuming it’s NAT enabled, almost all are) stealth mode is unnecessary and logging will (hopefully) confirm the Internet doesn’t see your Mac.

Then I went into my .Mac configuration and turned off Back to My Mac. I have nothing against it, but I won’t be using it for awhile and leaving it running seems to be inviting trouble. Some feel that Back to My Mac has a security hole. But what it comes down to is how secure your .Mac account is. If it’s got a secure and secret password that’s not used by anyone you don’t want accessing your Mac then it seems fine.


I’ll have no problem turning it on once I’m ready to try it out.

The OS X firewall only blocks incoming connections. In the past I’ve used Little Snitch to manage outgoing connections, but version 1 is not Leopard compatible and version 2 is still in beta. I’m not installing the beta; I’ll wait for the full release.

Security Vulnerabilities

There was a vulnerability announced in WordPress 2.3. It’s resolved in 2.3.1 and doesn’t appear to exist in earlier versions.

News & Links


BBC.co.uk | Technology | PC stripper helps spam to spread – Spammers use strippers and malware to circumvent captchas and spread spam.

Techdirt.com: Remember How TJX Was The Worst Data Breach In History? Well, It Was Actually Worse – TJX even worse than reported, with data being used in frauds. From the article: “[I]t doesn’t seem like anything is really done to stop companies from being so careless…”

arstechnica.com: Microsoft security report: Our newer software is more secure – Microsoft has released the third installment of their MS Security Intelligence Report. Newer stuff is more secure.

news.com: McAfee to acquire ScanAlert – McAfee is acquiring ScanAlert. ScanAlert is the keeper of the “Hacker Safe” website security seal.

news.com: Report: U.S. tops list of spam-offending countries – Another report where the U.S. leads the world as the biggest spammer. It’s attributed to the large zombie population.

news.com: Report: PDF files used to attack computers – PDF file attachments now being used to spread malware.

theregister.co.uk: World’s most gullible supermarket chain falls victim to online scam – E-mail scam nets a supermarket chain when they switch bank accounts based on an e-mail. They claim “due to our internal controls and processes, we were able to quickly discover…”. Perhaps they need better controls on e-mail?