
Security News

Google Chrome vows to carpet bomb meddling Windows antivirus tools

Quote

Browser will block third-party software from mucking around with pages next year.

By mid-2018 Google Chrome will no longer allow outside applications – cough, cough, antivirus packages – to run code within the browser on Windows.

“In the past, this software needed to inject code in Chrome in order to function properly; unfortunately, users with software that injects code into Windows Chrome are 15 per cent more likely to experience crashes.”

In particular, the target here seems to be poorly coded AV tools that can not only crash the browser or cause slowdowns, but also introduce security vulnerabilities of their own for hackers to exploit.

Rather than accept injected code, Chrome will require applications to use either Native Messaging API calls or Chrome extensions to add functionality to the browser. Google believes both methods can be used to retain features without having to risk browser crashes. With Chrome 68, the browser will block third-party code in all cases except when the blocking itself would cause a crash. In that case, Chrome will reload, allow the code to run, and then give the user a warning that the third-party software will need to be removed for Chrome to run properly. The warning will be removed and nearly all code injection will be disabled in January of 2019.

“While most software that injects code into Chrome will be affected by these changes, there are some exceptions,” said Hamilton.

“Microsoft-signed code, accessibility software, and IME software will not be affected.”
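For anyone wondering what the "Native Messaging API" route the article mentions actually looks like from the vendor's side, here is an added illustration (my own, not code from the article or from Google). Chrome talks to a native messaging host over stdin/stdout, and each message is UTF-8 JSON preceded by a 32-bit length in native byte order; messages from the host back to the browser are capped at 1 MB. The host name, the action names and the traffic are constructed for the demo; a real host would also be registered with a manifest that pins which extension IDs may talk to it.

```python
import json
import struct
import sys
from io import BytesIO

# Chrome native messaging framing: 32-bit length (native byte order) + UTF-8 JSON.
# The host -> browser direction is limited to 1 MB; Chrome kills a host that exceeds it.
MAX_HOST_MESSAGE = 1024 * 1024


def encode_message(obj):
    """Serialise obj as one framed message, refusing oversized payloads."""
    payload = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(payload) > MAX_HOST_MESSAGE:
        raise ValueError("message exceeds Chrome's 1 MB host-to-browser limit")
    return struct.pack("@I", len(payload)) + payload


def read_message(stream):
    """Read one framed message from a binary stream; None on a clean EOF."""
    header = stream.read(4)
    if not header:
        return None
    if len(header) < 4:
        raise EOFError("truncated length prefix")
    (length,) = struct.unpack("@I", header)
    payload = stream.read(length)
    if len(payload) != length:
        raise EOFError("truncated message body")
    return json.loads(payload.decode("utf-8"))


# Allow-list of requests the host will act on (constructed); anything else is refused,
# so the browser-facing surface is a few fixed operations rather than injected code.
ALLOWED_ACTIONS = {"ping", "scan_status"}


def handle_request(request):
    action = request.get("action") if isinstance(request, dict) else None
    if action not in ALLOWED_ACTIONS:
        return {"ok": False, "error": "unsupported action"}
    if action == "ping":
        return {"ok": True, "reply": "pong"}
    return {"ok": True, "reply": {"engine": "hypothetical-av", "status": "idle"}}


def serve(instream, outstream):
    """Request/response loop until the browser closes the pipe; returns messages handled."""
    handled = 0
    while True:
        request = read_message(instream)
        if request is None:
            return handled
        outstream.write(encode_message(handle_request(request)))
        outstream.flush()
        handled += 1


def roundtrip(obj):
    """Encode then decode a single message through the framing layer."""
    return read_message(BytesIO(encode_message(obj)))


def oversized_is_rejected():
    """True if the 1 MB host-to-browser limit is enforced by encode_message."""
    try:
        encode_message({"blob": "x" * MAX_HOST_MESSAGE})
    except ValueError:
        return True
    return False


def demo():
    # Constructed traffic standing in for what an extension would send over stdin.
    inbound = BytesIO(encode_message({"action": "ping"}) + encode_message({"action": "format_disk"}))
    outbound = BytesIO()
    handled = serve(inbound, outbound)
    outbound.seek(0)
    replies = []
    while (reply := read_message(outbound)) is not None:
        replies.append(reply)
    return handled, replies


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--serve":
        serve(sys.stdin.buffer, sys.stdout.buffer)  # run as a real host
    else:
        print(demo())
```

Run it without arguments for the offline demo; with `--serve` it behaves as a host Chrome could launch. The point is the contrast with injection: the browser never loads the vendor's code into its own process, it only exchanges framed JSON with a separate process that answers a fixed set of requests.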

Big Cable’s pillow talk with FCC to forbid US states from writing own net neutrality rules

Quote

The stomach-churning love-fest between the American cable industry and FCC Ajit Pai continues apace with Big Cable now pillow talking the federal regulator into how to prevent individual US states forming their own net neutrality protections.

Pai is expecting to call for a vote on dismantling net neutrality rules on December 14 – despite widespread opposition to the idea – but cable companies are worried that state legislators will simply write their own laws to effectively reintroduce them.

And so, joining a determined campaign by cable giants Verizon and Comcast to lobby against such actions, the wireless comms trade association CTIA has joined the fray, sending a letter to the FCC informing it how it can usurp such state efforts.

The CTIA even has its own simple anecdote to explain why it makes sense for the FCC to set the rules across the entire US: a train journey.

“A passenger riding on Amtrak between Washington D.C. and New York City travels through five different jurisdictions during the course of a 3.5-hour trip,” the letter argued. “If each of these jurisdictions were permitted to enforce its own rules regarding (for example) traffic prioritization, the rider’s mobile broadband usage during the trip would be subject to five different legal regimes, even if the rider spent the entire trip watching a single movie. This would be impracticable, and only underscores the risks inherent in a patchwork quilt of broadband regulation.”

The argument is, of course, gibberish: internet users pull content from all over the world every second of every day with it passing through hundreds of jurisdictions. And yet somehow the internet continues to function. How? Because internet traffic is not road or rail traffic.

Whether Pai and the other FCC commissioners are able to see through such obvious, false manipulation or get seduced by the appeal to their own importance, we will have to see. Or perhaps the bigger question: how far is Pai willing to go to please the cable industry? And is he prepared to make a fool of himself doing so? Infatuation is a difficult thing to judge.

More Holes than Swiss Cheese

Quote

Microsoft and Adobe are getting into the holiday spirit this month by gorging users and admins with a glut of security fixes.

The November Patch Tuesday brings fixes for more than 130 bugs between the two software giants for products including IE, Edge, Office, Flash Player and Acrobat.

Microsoft’s patch dump addresses a total of 53 CVE-listed vulnerabilities, including three that already have been publicly detailed. Those include CVE-2017-11827, a memory corruption flaw in Edge and IE that lets webpages achieve remote code execution, CVE-2017-8700, a flaw in ASP.NET that lets web apps access restricted memory contents, and CVE-2017-11848, a flaw in IE that allows webpages to track users when they leave the website.

As usual, memory corruption and scripting engine flaws in IE and Edge make up the bulk of what Microsoft considers to be the highest risk flaws.

Those include a total of 17 CVE entries (CVE-2017-11837, CVE-2017-11839, CVE-2017-11841, CVE-2017-11861, CVE-2017-11862, CVE-2017-11870, CVE-2017-11836, CVE-2017-11838, CVE-2017-11840, CVE-2017-11843, CVE-2017-11846, CVE-2017-11859, CVE-2017-11871, CVE-2017-11873) described as browser scripting engine memory corruption holes that would allow attackers to execute arbitrary evil code on vulnerable PCs by crafting webpages that exploit the programming blunders.

Three other flaws, CVE-2017-11845, CVE-2017-11855, CVE-2017-11856, concern similar remote code execution holes in other components of Edge and Internet Explorer that can be exploited by malicious webpages.

….

And then there’s Adobe

Elsewhere, Adobe’s Flash Player has once again earned its moniker of The Internet’s Screen Door as the Windows, macOS and Linux versions of the browser plugin received fixes for five remote-code execution vulnerabilities.

The largest Adobe patch load, however, was reserved for Acrobat and Reader this month. The PDF readers were the subject of a whopping 62 CVE entries, most of which are remote code execution flaws triggered by opening a malformed PDF file.

Remember Shockwave Player? It got an update to fix CVE-2017-11294, a memory corruption flaw that would let a malformed Shockwave file achieve remote code execution.

Adobe also released updates for Photoshop CC, Connect, DNG Converter, InDesign, Digital Editions, and Experience Manager.

Updating Things: IETF bods suggest standard

Quote

A trio of ARM engineers have devoted some of their free time* to working up an architecture to address the problem of delivering software updates to internet-connected things.

Repeated IoT breaches – whether it’s cameras, light bulbs, toys or various kinds of sex toys – have made it painfully clear that too many Things aren’t updated, and/or can’t be.

A step in the right direction.

Equifax – the Disaster Continues

So I called Equifax this a.m. after logging into the Trust-ID site and seeing that after two weeks, the account was still stuck in Enrollment Processing. Awful. I was connected to poorly trained agents in the Philippines. They could not understand the issue. When I asked to speak to a supervisor I was simply put on hold. I called back and had the same issue. Next I tried to speak to an agent in the US. I was told to redial the number. Oh great, routed back to the Philippines. When I finally tried for a fourth time and demanded to speak to someone in the US, I was on hold for 10 minutes (after being promised 2 minutes) and I finally gave up.

Clearly, by outsourcing this they are still more concerned about making money than helping customers protect their private information.

Equifax needs to be completely wound down. It is dysfunctional from the top down.

Microsoft silently fixes security holes in Windows 10 – Leaves Win 7, 8 out in the cold

Quote

Microsoft is silently patching security bugs in Windows 10, and not immediately rolling out the same updates to Windows 7 and 8, potentially leaving hundreds of millions of computers at risk of attack.

Flaws and other programming blunders that are exploitable by hackers and malware are being quietly cleaned up and fixed in the big Windows 10 releases – such as the Anniversary Update and the Creator’s Update. But this vital repair work is only slowly, if at all, filtering back down to Windows 7 and Windows 8 in the form of monthly software updates.

Windows 8.1 is supposed to receive monthly security fixes until January 10, 2023, and Windows 7 until January 14, 2020.

Read: We want you all on the Windows 10 Spyware Platform so we can farm all your information and target you with adverts.

Downloaded CCleaner lately? Oooops... malware laden

Quote

Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users…. Cisco Talos discovered that servers distributing the program were leveraged to deliver malware to unsuspecting victims.

“For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” researchers explained. “On September 13, 2017, Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities.”

CCleaner has been downloaded over 2 billion times, with 5 million additional downloads a week.

We estimate that 2.27 million users had the v5.33.6162 software, and 5,010 users had the v1.07.3191 of CCleaner Cloud installed on 32-bit Windows machines. We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.

There is no indication or evidence that any additional malware has been delivered through the backdoor. In the case of CCleaner Cloud, the software was automatically updated. For users of the desktop version of CCleaner, we encourage them to download and install the latest version of the software.

Equifax TrustID – Only Old Insecure IE8 Works!

So this afternoon I was told by email I had an account with Equifax TrustedID when I went to check on the status of the report lock. My password did not work. I tried to use the password reset. The page worked but when you enter all the information and hit the continue button, it does not go anywhere. I called the support telephone and that rings busy. Gave up on that.

Clearly more buggy code.

I finally got it to work using an old Windows Explorer 8 Browser on an old XP machine instead of Firefox. I even tried ieExplorer 11 and that did not work. But old insecure ie8 works fine with no out of date browser warnings.

Next – Then using the same Firefox Browser, I was able to login. And guess what, despite signing up, my report was still unlocked! When I tried to lock it, no dice, lock button not working. No go on ie11, but old insecure ie8 worked just fine.

What a royal cock-up, Equifax. Totally incompetent!

(off topic: I also notice that uBlock Origin identified 147 trackers on Equifax.com. And they look out for my privacy and security. Bullshit!)

Why Equifax & others will Fail at Self Policing

The simple answer is they will not do anything to hurt their own business. They sell your information and rake in too much money doing so. A credit freeze prevents that. I finally found a good article to share on this by Bruce Schneier.

Quote

This happened because your personal information is valuable, and Equifax is in the business of selling it. The company is much more than a credit reporting agency. It’s a data broker. It collects information about all of us, analyzes it all, and then sells those insights.

Its customers are people and organizations who want to buy information: banks looking to lend you money, landlords deciding whether to rent you an apartment, employers deciding whether to hire you, companies trying to figure out whether you’d be a profitable customer — everyone who wants to sell you something, even governments.

It’s not just Equifax. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about you — almost all of them companies you’ve never heard of and have no business relationship with.

Surveillance capitalism fuels the Internet, and sometimes it seems that everyone is spying on you. You’re secretly tracked on pretty much every commercial website you visit. Facebook is the largest surveillance organization mankind has created; collecting data on you is its business model. I don’t have a Facebook account, but Facebook still keeps a surprisingly complete dossier on me and my associations — just in case I ever decide to join.

The companies that collect and sell our data don’t need to keep it secure in order to maintain their market share. They don’t have to answer to us, their products. They know it’s more profitable to save money on security and weather the occasional bout of bad press after a data loss. Yes, we are the ones who suffer when criminals get our data, or when our private information is exposed to the public, but ultimately why should Equifax care?

This market failure isn’t unique to data security. There is little improvement in safety and security in any industry until government steps in. Think of food, pharmaceuticals, cars, airplanes, restaurants, workplace conditions, and flame-retardant pajamas.

Market failures like this can only be solved through government intervention. By regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative. They can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.

If you don’t like how careless Equifax was with your data, don’t waste your breath complaining to Equifax. Complain to your government.