Security Quest #17: Microsoft Edition

Another second Tuesday of the month and another set of Microsoft patches. I realize it’s important to patch vulnerabilities as soon as possible and this monthly release schedule tends to go against that, but I like the consistency and ability to plan.

Anyway, this week brought two patches. The first is MS08-001, titled “Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution”. This affects all supported desktop OSes. It’s rated Important for Windows 2000 and Critical for all flavors of Windows XP and Windows Vista. I didn’t have any problems applying this update to my two Windows XP SP2 installations. There wasn’t any update through Windows Update for my Vista SP1 RC1 install so I don’t have any experience with that one.

MS08-002 is titled “Vulnerability in LSASS Could Allow Local Elevation of Privilege” and applies to Windows 2000 and Windows XP on the desktop. It’s rated Important. It’s a local bug: someone who can already log on to the machine can use it to elevate their privileges, so on its own it doesn’t give a remote attacker a way in.

There’s no cumulative IE update or any Office updates this month.

Microsoft Security Resources

Additional security resources from Microsoft:

Microsoft Security Newsletter is a monthly e-mail covering security topics from Microsoft. To subscribe you’ll need a Windows Live ID (formerly Passport), although the newsletter can go to any email address. You’ll also be required to provide a name. By default the box to also receive other Microsoft emails is checked, so be sure to uncheck it (unless you want the emails). You can also view the latest newsletter without subscribing.

Microsoft provides several levels of security notification via several methods: basic or comprehensive alerts, additional non-vulnerability advisories and a blog. Delivery methods include e-mail, RSS, Windows Live Alerts and the website.

A security bulletin search is provided that allows searching by date, product and severity rating.

They also have a new (at least to me) Malware Protection Center that lists information about malware and provides links to Microsoft tools.

Spam Counts

This week’s spam counts:

Primary Mailbox 30-day spam count: 2

This is down one from last week and none of it is new.

Public Mailbox 30-day spam count: 156

Down 20 from last week with new spam this week at 21 pieces.

Website comment and trackback spam: 7,573

This is up 73 from last week.

Security Quest #16: WordPress Edition

WordPress has released version 2.3.2, which it calls an “urgent security release”. WordPress 2.3.2 contains a total of 7 bug fixes. The security vulnerability allowed draft posts to be exposed to people who shouldn’t see them, which means seeing posts before they’re published. Sixteen WordPress files were changed in this update.

This version also suppresses some database error messages to avoid giving out too much information (an error message that echoes the failing query or table names tells an attacker about your schema). The error messages will still be displayed if debug mode is enabled. Details on all the changes can be found at Westi on WordPress.

The update was released on the 29th and I got around to installing it this past weekend, along with updating numerous plug-ins. The update wasn’t too tough but mainly because I assumed things would work OK and didn’t do too much testing. I had seven plug-ins to update, although only five were actually in use. Against common sense I updated all the plug-ins and WordPress itself on my test site without doing a backup first. I replaced all the WordPress files rather than picking out the 16 that changed. There weren’t any DB changes but I ran upgrade.php on my test site just to be sure and was told there weren’t any DB changes.

Updating the regular site was just a matter of copying the new WordPress and plug-in files up to the new site. But in this case I did do backups first.

WordPress Update Notifications

With WordPress 2.3, notification about updates began to be included in the admin panel. If WordPress itself needs to be upgraded there’s a message along the top of the admin panel and another down in the footer. It’s nice not to have to go looking for updates on a regular basis, even if it doesn’t alleviate the annoyance of the moment when an unexpected update notification pops up. The plug-in page also displays info on plug-ins that are out of date, although this requires the plug-in to be hosted in WordPress.org’s plug-in library.

Some plug-ins don’t provide very much information about the update so it’s hard to know if it’s worth the update. I’ve avoided updating just because it says there’s a plug-in update. Instead I tend to group them together for when I have time or when I need to install a security related update (like this time). Some plug-ins can update frequently, like the one that was updated twice (at least) this month. I found that out when the update I had downloaded two days previously was out of date when I applied it.

There have also been other little things that make doing updates easier, like a link to deactivate all plug-ins at once.

WordPress Anti-Spam

The Akismet anti-spam plug-in is included with WordPress and it’s probably what most people use. It’s free (for non-commercial use on blogs that make less than $500/mth) so that’s a plus. The actual spam detection happens on Akismet’s servers: each comment is sent there and scored. This means your server doesn’t have to handle the processing, which could be a benefit, but it also means that if the Akismet servers are busy your comments may not be processed and spam may get through. Paid Akismet users do get priority. Another benefit, at least in theory, is that Akismet can take the knowledge learned from processing everyone’s comments and use it to help everyone. I used it at first and have to say it worked well but did let some stuff through, especially trackback spam.

I started using Spam Karma 2 back in October and it’s worked almost flawlessly. I seem to recall a comment/trackback or two getting through but can’t remember anything specific. I also can’t recall it eating any legit comments. While the ability to tweak the settings is nearly endless I pretty much stuck to the defaults. The plug-in was just updated in May and the author recently announced another update is pending. But then he says:

This will also likely be the last update to Spam Karma (which should still give us all quite a few months respite from spam). Barring any unforeseeable circumstances, there will be no more compatibility update to try and keep up with WordPress’ habit of breaking compatibility with each of their [numerous] releases. Furthermore, there is increasingly little point in “competing” against Akismet, when it is bundled and marketed as the principal WordPress antispam tool (even if I personally do not like its approach).

It’s probably an unfair comment, but the bundling of Akismet reminds me of the bundling of IE with Windows. (But Akismet is a plugin so easily avoided, unlike IE) Still, Spam Karma 2 will work for the foreseeable future, hopefully through the next couple of WordPress upgrade cycles.

Dozens of other spam tools are available through the WordPress codex.

EMail Address Harvesting

There are several plug-ins available to protect email addresses from being harvested from WordPress pages. For a while I used the Email Immunizer plug-in and this seemed to work well. Addresses are written normally in posts; the plug-in rewrites them in the page output as HTML character entities, so a browser still renders them for human readers while a harvester that simply pattern-matches the raw HTML doesn’t find them. Two caveats: a harvester that decodes entities before matching (which is trivial to do) still gets the address, and if the plug-in breaks or stops working the addresses appear in plain text for the bots. I stopped using this simply to reduce the number of plug-ins I used. There are several similar plug-ins at the previous spam tools link.
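As an added example (not the plug-in’s code), here is the entity-encoding idea in Python, run over a constructed page fragment with two kinds of harvester: one that only regexes the raw HTML, and one that unescapes entities first. The sample address and the regex are my own assumptions; the point is to see exactly which harvesters the technique stops.

```python
import html
import re

# Constructed sample: a fragment of page output with a mailto link (not a real page).
SAMPLE_HTML = (
    '<p>Contact: <a href="mailto:editor@example.com">editor@example.com</a></p>'
)

# The naive pattern a simple harvester runs over raw HTML source.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def entity_encode(text):
    """Rewrite every character as a decimal HTML character reference.

    A browser renders '&#101;' as 'e', so a human sees the address
    unchanged, but the literal string 'editor@example.com' no longer
    appears in the page source.
    """
    return "".join(f"&#{ord(ch)};" for ch in text)


def obfuscate_emails(page):
    """Replace every address (text and mailto: href) with its entity-encoded
    form, the way an immunizer-style plug-in rewrites the page output."""
    return EMAIL_RE.sub(lambda m: entity_encode(m.group(0)), page)


def render_for_human(page):
    """What a browser displays: entities decoded back to characters."""
    return html.unescape(page)


def naive_harvest(page):
    """Addresses a harvester finds when it only regexes the raw source."""
    return EMAIL_RE.findall(page)


def decoding_harvest(page):
    """Addresses a harvester finds when it decodes entities before matching."""
    return EMAIL_RE.findall(html.unescape(page))


if __name__ == "__main__":
    protected = obfuscate_emails(SAMPLE_HTML)
    print("raw source after plug-in :", protected)
    print("naive harvester sees     :", naive_harvest(protected))
    print("decoding harvester sees  :", decoding_harvest(protected))
```

The naive harvester comes up empty against the encoded page while the human-readable rendering is unchanged; a harvester that spends one `html.unescape` call gets the address back, which is the limit of this kind of obfuscation.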

Backups

As with any set of security measures, backups of the data have to be part of the plan.

The WordPress Database Backup plugin can be used to backup the WP database. I only use this occasionally as I’ve had some problems with it. If I try to back up all the tables I inevitably exceed the cpu quota with my web host and get locked out for a minute or two. I still use it to back up the basic tables before an upgrade. I also had problems when trying to schedule backups through the plugin, again my web host didn’t seem to like it. The plugin has been updated since I tried scheduling backups but I’m not entirely comfortable sending a copy of my SQL database through email.

These days I’m more likely to use the built-in WordPress export feature to save all my posts, comments and categories to a local file than use the WPBackup plugin although the next two items are my primary backup methods.

I also use my web hosts own backup facility to back up my SQL databases and download the backup to my local computer.

To back up all the files on the site I schedule a nightly backup with Transmit.

WordPress Security Resources & Links

Some additional WordPress security resources:

BlogSecurity.Net – A site with information and tools related to blog security. Most of their content is related to WordPress.

The WordPress Development Blog will bring news of the latest releases.

Help Net Security is a general network security site that contains a lot of WordPress information. Their latest WordPress article is a list of WordPress security plug-ins.

Bad Neighborhood and the Bad Neighborhood blog are primarily SEO related sites, but they’re also home to the WordPress Login Lockdown plug-in, which records failed login attempts by IP address and disables logins from that address for a while after too many failures, slowing down brute-force guessing of your WordPress admin password.
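An added example, not the plug-in’s code: the lockout logic in Python. The threshold, window and lockout length are my assumptions rather than Login Lockdown’s defaults, and the timestamps are passed in explicitly so the behaviour can be checked without waiting.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed attempts allowed inside the window (assumed value)
WINDOW_SECONDS = 300    # 5-minute sliding window (assumed value)
LOCKOUT_SECONDS = 900   # how long an address stays locked (assumed value)


class LoginLockdown:
    """Track failed logins per source address and lock out brute-forcers."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lock expires

    def is_locked(self, ip, now=None):
        """True while a lockout for this address is still in force."""
        now = time.time() if now is None else now
        expiry = self.locked_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.locked_until[ip]        # lock has expired, forget it
            return False
        return True

    def attempt(self, ip, password_ok, now=None):
        """Record one login attempt. Returns True only if the login is allowed."""
        now = time.time() if now is None else now
        if self.is_locked(ip, now):
            return False                     # rejected before the password is even checked
        if password_ok:
            self.failures.pop(ip, None)      # a success clears the failure history
            return True
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
        return False


if __name__ == "__main__":
    guard = LoginLockdown()
    attacker = "203.0.113.5"                 # documentation-range address, constructed
    for t in range(5):
        guard.attempt(attacker, False, now=1000 + t)
    print("locked after 5 failures:", guard.is_locked(attacker, now=1005))
    print("correct password during lockout allowed:",
          guard.attempt(attacker, True, now=1005))
```

Two design points are worth noticing. The lock is checked before the password, so a locked-out client costs you no password hashing. And keying the lock on the source address is a compromise: it locks out a whole NAT or proxy along with the attacker and barely slows an attacker with many addresses, but keying it on the account instead would let anyone lock your admin user out on purpose.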

This article at Quick Online Tips has 3 suggestions for securing a WordPress blog, such as removing the version info from the HTML header (so an attacker can’t match your install against the list of known-vulnerable versions) and preventing the display of what’s in your plug-ins directory (a directory listing tells an attacker exactly which plug-ins, and often which versions, to go after).
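An added example, not from the article: a small Python check that inspects two page responses for those two leaks, the WordPress generator meta tag in the page head and an Apache-style “Index of” listing for the plug-ins directory. The sample responses are constructed here rather than fetched from any site; in practice you’d feed it the body of a request to your home page and to /wp-content/plugins/.

```python
import re

# The version tag WordPress 2.x prints in the <head> of every page.
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s*([0-9][0-9.]*)"', re.IGNORECASE
)
# The title Apache puts on an auto-generated directory index.
DIR_INDEX_RE = re.compile(r"<title>\s*Index of\s+(/[^<\s]*)", re.IGNORECASE)

# Constructed sample responses (not fetched from any real site).
UNHARDENED_HOME = (
    '<html><head><title>Blog</title>'
    '<meta name="generator" content="WordPress 2.3.2" />'
    '</head><body></body></html>'
)
HARDENED_HOME = '<html><head><title>Blog</title></head><body></body></html>'
UNHARDENED_PLUGINS = (
    '<html><head><title>Index of /wp-content/plugins</title></head>'
    '<body><a href="akismet/">akismet/</a>'
    '<a href="spam-karma-2/">spam-karma-2/</a></body></html>'
)
HARDENED_PLUGINS = '<html><body></body></html>'   # an empty index page answers instead


def leaked_version(home_html):
    """Return the WordPress version advertised in the page head, or None."""
    m = GENERATOR_RE.search(home_html)
    return m.group(1) if m else None


def listable_directory(dir_html):
    """Return the directory path if the response is an auto-index page, else None."""
    m = DIR_INDEX_RE.search(dir_html)
    return m.group(1) if m else None


def listed_entries(dir_html):
    """Subdirectory names shown on an auto-index page (what an attacker reads off it)."""
    return re.findall(r'href="([^"/]+)/"', dir_html)


def audit(home_html, plugins_html):
    """Run both checks and return a list of findings; an empty list means nothing leaked."""
    findings = []
    version = leaked_version(home_html)
    if version:
        findings.append(f"version disclosure: WordPress {version}")
    path = listable_directory(plugins_html)
    if path:
        names = ", ".join(listed_entries(plugins_html)) or "no entries shown"
        findings.append(f"directory listing enabled on {path}: {names}")
    return findings


if __name__ == "__main__":
    for finding in audit(UNHARDENED_HOME, UNHARDENED_PLUGINS):
        print("FOUND:", finding)
    print("hardened site findings:", audit(HARDENED_HOME, HARDENED_PLUGINS))
```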

 

Spam Counts

This week’s spam counts:

Primary Mailbox 30-day spam count: 3

This is down one from last week and none of the spam is new, the last one arriving on the 13th.

Public Mailbox 30-day spam count: 176

The total is unchanged from last week but there was plenty of new spam.

Website comment and trackback spam: 7,500

This means there were 96 new ones from last week.

Other News & Links

Some non-WordPress news & links that caught my attention this week.

ArsTechnica.com: Adobe, Omniture in hot water for snooping on CS3 users – A little more info about the snooping being done in Adobe CS3. But no info from Omniture about the curiously crafted URL that the info is sent to.

CNet.com: Problems updating the Flash player in Firefox? Here’s help – The article provides the reasons I hate Flash player. What the rather long article explains is the steps necessary to remove the old, vulnerable versions of Flash Player.

Davidairey.co.uk: WARNING: Google’s GMail security failure leaves my business sabotaged – David has his GMail account hacked due to a vulnerability (since fixed) which led to him having his domain name stolen from him.

Dynamoo.com: Js/snz.a – likely false positive in eTrust / Vet Anti-Virus – Another probable false positive which will hopefully be fixed by the time you read this.

Lifehacker.com: How to Selectively Share Google Reader Feeds – There’s been a bit of a dust up over Google automatically sharing the Google Reader shared items with all contacts. Here’s a way to selectively share feeds.

Washingtonpost.com: Security Fix – Brian Krebs on Computer and Internet Security – The Storm worm is now spreading via Google’s Blogspot blogs.

Techdirt.com: Will Patent Battles Make Your Computer Less Secure? – TechDirt is concerned that patents could be used to hold back progress and make PCs less secure.

UneasySilence.com: Lies, Lies and Adobe Spies – No specifics as to what’s going on here, but Adobe CS3 seems to be calling home and trying to obscure exactly what it’s doing by using a website name designed to look like a local IP address.

Security Quest #15: Links & Numbers

Not much happening this holiday week so just some spam numbers and links.

Spam Counts

My primary mailbox (which manages multiple addresses) didn’t get any new spam messages and the 30-day count is down to four from last week’s seven.

My more public GMail address received a bunch of spam messages this past week, all of which was filtered by GMail. The thirty day count jumped to 176, up from 154 messages last week.

This site’s spam comment count jumped to 7,414, up 73 from last week. All were caught by the Spam Karma plugin.

News & Links

ArsTechnica.com: Malware construction kit authors arrested, to be tried – Russian authorities have arrested two malware toolkit authors.

CNet.com: Problems updating the Flash player in Firefox? Here’s help – The article provides the reasons I hate Flash player. What the rather long article explains is the steps necessary to remove the old, vulnerable versions of Flash Player.

Davidairey.co.uk: WARNING: Google’s GMail security failure leaves my business sabotaged – David has his GMail account hacked due to a vulnerability (since fixed) which led to him having his domain name stolen from him.

Engadget.com: Security exploit bricks HP and Compaq laptops – Engadget reports on a Polish security researcher finding yet more exploits in HP/Compaq products.

Heise-Security.co.uk: Antivirus protection worse than a year ago – Heise Security points to a study that shows antivirus effectiveness has fallen from a year ago. One reason given is the “professionalization of the malware scene”.

Kaspersky.com: False positive detection – system file explorer.exe – Here’s the Kaspersky fix if you got bit by the false virus detection on explorer.exe.

News.com: Kaspersky inadvertently quarantines Windows Explorer – Kaspersky had a problem with their virus definitions and quarantined explorer.exe as the Huhk-C virus.

Techdirt.com: Sears.com – Join Our Community… So We Can Spy On Your Every Online Move – Techdirt brings news of a report from CA that Sears.com’s “community” is really a ploy to get you to install the Comscore toolbar and watch your online moves.

Security Quest #14: Apple Releases Security Patches

Apple released Security Update 2007-009 for OS X 10.4.11 Tiger and OS X 10.5.1 Leopard on Monday. The Apple support article lists 41 vulnerabilities that were patched. Patched components include Core Foundation, CUPS, Flash Player Plug-in, Launch Services, perl, python, Quick Look, ruby, Safari, Samba, Shockwave Plug-in, and Spin Tracer. The update requires a reboot.

The Leopard update was a 35.4MB download on my Intel Macs through Apple Automatic Update. It’s also available as a 35.6MB standalone download. There are two versions for Tiger. The PPC version is a 15.9MB standalone download and the Universal version is a 27.4MB standalone download.

I applied the update to my iMac, MacBook and Mac Mini. All are running OS X 10.5.1 Leopard on Intel CPUs. I’ve been running the update for a little over a day without a specific problem but have had some new instability. Not necessarily due to the updates, but they are new problems.

On my iMac Parallels is a bit unstable. Windows XP SP2 is having some network connectivity issues and some keyboard issues. On the network side of things some connections time out through Windows while connecting fine in OS X. There are so many potential failure points for Internet sites it’s hard to point the finger at the update and be sure. The keyboard issue within Parallels is more annoying. Sometimes the VM starts up in caps mode (while staying lower case in OS X) until I restart the VM. It also buffers keystrokes and falls behind my two-finger typing. But I haven’t seen any info that others are experiencing the problem.

My MacBook has gotten the gray screen of death once since the update. It was soon after startup and Safari was the only app running. I think that was the first OS crash for the MacBook. It’s been OK since and I’m using it now.

The problems can’t be tied to the update and they aren’t persistent, but my Macs have been stable and the updates were the last change before the problems occurred. That’s usually the place to start.

Spam Counts

Time to start keeping track of my spam again, at least for awhile.

Spam to my primary GMail mailbox (which manages multiple email addresses) has had seven spam messages in the last 30 days. What’s interesting is which e-mail addresses were used. Back in October when I redesigned the web site I decided to stop using two addresses which appeared on the site. I removed one at that time. I missed the second one and it still appears on the web site in clear text/HTML since I removed the obfuscation plug-in. The one in clear text since October picked up three email messages that are clearly spam. The address that I removed was picked up by a software company and I received three “promotional” emails from them. You could say they’re on topic for the blog but there’s no unsubscribe link and GMail sees them as spam. The seventh spam email was sent to my Yahoo email which I’ve never given out. I canceled AT&T/Yahoo as my ISP but the email account remains.

A GMail address I use extensively picked up 2 spam messages in the last 30 days, both blocked by GMail. I don’t use this account with places that are high spam risks but I’m actually surprised there’s not more yet.

A third GMail address that gets used almost exclusively where there’s a high risk of spam received 154 spam emails in the last thirty days. This is less than 50% of what the count was in June. On June 24th there were 343 spam messages in the previous 30 days.

Much to GMail’s credit their spam filter works well for me, as they didn’t let anything through and didn’t flag anything I wanted.

I use the Spam Karma plugin for WordPress on this website. So far it’s caught 7,341 spam comments.

News & Links

Apple.com: About the security content of Java Release 6 for Mac OS X 10.4 – Apple released a Java security update for Mac OS X 10.4 Tiger. I don’t have any Macs running Tiger so don’t have any first hand experience.

Apple.com: Safari 3 Beta Updated – Safari 3.0.4 beta for Windows XP/Vista.

Security Quest #1a: Introduction and Catching Up

I’ve been running another site called the Spam Chronicles which was last updated after Patch Tuesday in August. I’ve accepted that I don’t have time to keep both sites up to date. So, long story short – I’ll stop even thinking about updating the Spam Chronicles and will instead incorporate the new content here when it’s appropriate. The current Spam Chronicles will stay up, no reason to pull it down. (The site has been shut down.) When winter sets in I may find time to do a redesign.

A new feature here will be the Security Quest postings. I plan to do these every Wednesday (or so) since that gives me one easy topic each month – Microsoft Patch Tuesday. Today’s patch Tuesday information is in Security Quest #1b which will follow shortly. This one will serve as a round-up for news and information.

Software Updates

WordPress 2.2.3 is a security and bug fix release.

iTunes 7.4 (now 7.4.1) contained a security update which wasn’t mentioned in the download notification. If you get music files from unknown sources you should apply the update. If you only rip commercial CDs or download from iTunes you can hold off.

Lavasoft recently updated Ad-Aware to work with Windows Vista. This includes the free version.

BitDefender recently updated the free version of their anti-virus software to version 10.

Security Information, News and Discussion

Skype is reporting that a worm is being spread through Skype for Windows. The worm spreads through the chat feature. via Wired Compiler Blog

Ars Technica has the story of a Swedish security researcher who used Tor (The Onion Router) to collect passwords belonging to embassy employees. Tor is used for anonymous Internet communication, but it only encrypts traffic between the user and the exit node; whatever leaves the exit node is exactly what the user sent, so an exit operator can read any login that isn’t protected end-to-end (by SSL/TLS, for example). He ran a sniffer on some Tor exit nodes operated by his company. Unfortunately Tor users probably didn’t realize their traffic was exposed to exit node operators. A little encryption would help.

Ars Technica is also reporting an increase in botnet attacks on eBay users with the goal of stealing their eBay identity.

Mac OSX Hints tells us how to secure our Wireless connection at Starbucks. (Haven’t tried this myself, not being a T-Mobile user) via Lifehacker.

Tech.Blorg.com has the story of the Quechup social network using questionable techniques to get users. They want to make YOU the spammer. They ask for your email address and password (for common email systems like GMail), then send invites to every member of your address book under your name. First, never give anyone your password. Second, avoid Quechup. Hopefully the company will fail.

It’s legal to call spyware “spyware”. Techdirt has an article about a lawsuit against anti-spyware vendors being dismissed.

Slashdot has a discussion of Ophcrack, the open-source Windows password cracker that recovers passwords from LM and NTLM hashes using precomputed rainbow tables.

Microsoft Patch Tuesday news will be in the next post.