Protecting my Mom – Part 3 – How Easy is it to Get Hacked?

Keeping our moms safe can be a daunting task.

In our first installment of “Protecting my Mom” we discussed a phone phishing attack that I was targeted by. This was followed by our second part, where I found myself being attacked over a Wi-Fi network that was set up for the express purpose of compromising machines that roamed onto it. In this final installment, we take on the role of an attacker and are reminded of how easy it is to be hacked.

My challenge to myself was simple: how fast could I target a machine and compromise it using off-the-shelf tools? My goal: 5 minutes from start to finish. How much time did I need? The stopwatch showed a mere 2 minutes and 13 seconds. Scared yet? After doing that, I was. After being the target of a hack twice in the span of less than a week, I decided to go from being the “prey” to being the “hunter.” How hard is it to be hacked? And if I was hacked, how long does it take me to start grabbing data that I could use? Don’t worry: I’m doing this as a bit of a test and I’m using my own virtual machines, so I’m not turning my abilities on any other person; it’s more of a challenge to see how hard it is.

Replace Dell Patch Authority Ultimate with Shavlik Protect

Dell offered Patch Authority Ultimate to its customers looking for a complete patch solution but not wanting the burden of a full client life cycle solution. Dell announced the end of life of the product last year and will discontinue support for the product on May 31, 2014.

RIP PAU

Having a good patch solution and process in place is critical to managing all the software updates in an organization, including both the OS and third-party applications. Dell Patch Authority did a good job keeping your systems up-to-date, but with the end-of-life announcement, you are now faced with a choice of either patching manually (unacceptable), using multiple tools to patch your enterprise, or choosing a more full-featured systems management product, which tends to be much more expensive.

Now that you’ve heard the bad news, let’s hear the good news. Shavlik Protect offers many of the same features of Dell’s Patch Authority and can even use the same patching database you have already built for your enterprise with Patch Authority.  For customers who are currently using Patch Authority, now is a good time to take a closer look at Shavlik Protect.

Stay tuned for my next blog where I go into details around product strategy for a large organization such as Dell.

This Week in Patching – 1/25/2013

After an eventful past couple of weeks in patch management, this week was relatively quiet. Here is a quick recap of the happenings in patch management this week.

On Monday, a new version of Audacity was released.  Audacity 2.0.3 is a non-security update fixing numerous issues.

On Tuesday, Google released new security updates for their Chrome and Chrome Frame browsers. Google Chrome / Chrome Frame version 24.0.1312.56 fixes three high and two medium vulnerabilities.

On Wednesday, Core FTP released a new version with version 2.2.  This version was originally released on January 17th, but the details were provided on Wednesday.  This new version is a non-security update.

Last up for this week are new versions of MozyHome and MozyPro released today.  MozyHome and MozyPro version 2.18.3.247 are both non-security updates.

Happy Patching!

– Jason Miller

This Week in Patching – 1/11/2013

Happy New Year. I hope IT administrators got some much-needed patching rest over the past couple of weeks. 2013 has started out quite heavy in the world of patching.

This week was highlighted by a busy Patch Tuesday.  You can read my write up on the January 2013 edition of Patch Tuesday here.

There were also other vendors releasing critical security bulletins on Patch Tuesday. Adobe released two security bulletins. APSB13-02 was pre-announced last Thursday as a part of their quarterly update for Adobe Acrobat and Adobe Reader. Adobe Acrobat / Reader versions 9.5.3 / 10.1.5 / 11.0.1 address 27 vulnerabilities and are rated Critical. Adobe security bulletin APSB13-01 was not pre-announced by Adobe, but I expected this bulletin to be released after Microsoft announced last Thursday that an update for Adobe Flash Player in Microsoft Internet Explorer 10 was set to be released on Patch Tuesday. APSB13-01 addresses 1 vulnerability in Adobe Flash Player versions 10 and 11 (as well as Adobe Air 3.5).

Mozilla also released security updates to coincide with Microsoft’s Patch Tuesday.  The most notable of the releases by Mozilla was the major update for Firefox.  Mozilla Firefox 18 contains new features as well as security updates.  For those organizations that do not want to roll out new features in their Mozilla products due to concerns of the new features breaking functionality, Mozilla is continuing their effort with the Mozilla ESR products.  These product updates contain new security fixes but do not contain new features.

Here is the detailed list of Mozilla updates released on Patch Tuesday:

  • Mozilla Firefox 18
    • Security update addressing 12 Critical, 8 High and 1 Moderate Mozilla Security Advisories (30 vulnerabilities)
  • Mozilla Firefox ESR 17.0.2
    • Security update addressing 12 Critical and 7 High Mozilla Security Advisories (19 vulnerabilities)
  • Mozilla Firefox ESR 10.0.12
    • Security update addressing 8 Critical and 4 High Mozilla Security Advisories (14 vulnerabilities)
  • Mozilla Thunderbird 17.0.2
    • Security update addressing 12 Critical and 7 High Mozilla Security Advisories (26 vulnerabilities)
  • Mozilla Thunderbird ESR 10.0.12
    • Security update addressing 8 Critical and 3 High Mozilla Security Advisories (18 vulnerabilities)
  • Mozilla Thunderbird ESR 17.0.2
    • Security update addressing 12 Critical and 7 High Mozilla Security Advisories (26 vulnerabilities)
  • Mozilla SeaMonkey 2.15
    • Security update addressing 12 Critical, 7 High and 1 Moderate Mozilla Security Advisories (26 vulnerabilities)

 

The other notable updates this week were released on Thursday.  Google updated their Chrome and Chrome Frame browser with version 24.0.1312.52.  This new version fixes 24 vulnerabilities and includes an updated version of Adobe Flash Player that was released by Adobe on Patch Tuesday.  In the past year, Google has been in sync with Adobe on Adobe Flash Player releases.  Interestingly, Google’s release came two days after the Adobe Flash Player release.

There were also some non-security updates released on Thursday.  MozyHome and MozyPro updated their programs with version 2.18.2.244.  Microsoft released a new version of Skype with 6.1.0.129.  This version now integrates with Microsoft Office Outlook contact.

Happy Patching!

– Jason Miller

January 2013 Patch Tuesday Overview

To ring in the New Year, today Microsoft has released seven new security bulletins addressing 12 vulnerabilities.

However, the most notable headline from this Patch Tuesday is a security bulletin that was not released. On December 29, 2012, Microsoft released a security advisory (2794220) informing administrators that a vulnerability in Internet Explorer was currently being exploited. Microsoft provided a non-security update to prevent exploitation of that vulnerability. Recently, security researchers have found a way to bypass this temporary fix to carry out an attack on the vulnerability. As we continue to wait for a security bulletin for Internet Explorer, it is critical that administrators keep their antivirus definitions up to date and upgrade their Internet Explorer browsers to version 9 if possible. Only Internet Explorer browser versions 6, 7 and 8 are affected by this vulnerability.

Of the seven Microsoft security bulletins released for the January 2013 edition of Patch Tuesday, administrators should look at patching MS13-002 first. Microsoft has identified a vulnerability in Microsoft XML Core Services. If an unpatched system browses to a malicious website, an attacker can gain remote code execution.

The other browsing threat this month that needs attention from administrators is MS13-004. In this security bulletin, Microsoft is addressing a vulnerability in their .NET software application. If an unpatched machine browses to a malicious website, an attacker can gain elevation of privilege on that machine.

The other critical update this month (MS13-001) addresses a vulnerability in the Windows Print Spooler. If a machine is set up as a print server, an attacker can send a malicious print job to the machine and gain remote code execution. Security best practices call for print servers to reside behind a firewall that only allows internal users to print to the print server. The most likely attack scenario is for an attacker to already be on the internal network.

And as is becoming a recurring theme, this Patch Tuesday is not just a Microsoft-focused security day.  Several non-Microsoft software vendors have also joined in with releases of their own.

Adobe has released security bulletin APSB13-02 affecting all supported versions of Adobe Acrobat and Reader. This security bulletin is part of their quarterly update for Adobe Acrobat and Reader and was expected.

Adobe also released updates for their Air and Flash Player products. These updates are security updates that were not previously announced (APSB13-01). With any Adobe Flash Player update, Microsoft and Google update their latest browsers to include the new release of Adobe Flash Player.

Mozilla also released new versions of their products. Mozilla Firefox 18 is a new version of their product that only contains new features. Previous versions of the Mozilla products also received updates that contain security fixes.

 

Given that the January 2013 Patch Tuesday does not include a security update for the zero-day Microsoft Internet Explorer vulnerability, there is a good chance we will see an out-of-band update from Microsoft before the February 2013 Patch Tuesday. Microsoft will continue to monitor the threat landscape and decide if this zero-day vulnerability warrants an out-of-band release.

I will be going over the January Patch Tuesday patches in detail along with reviewing other non-Microsoft releases since the December Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, January 9th at 11:00 a.m. CT.  You can register for this webcast here.

– Jason Miller

This Week in Patching – 1/4/2013

Patching quietly came to an end for 2012, and 2013 is starting off with a bang.  Here is a quick recap of the happenings in patch management this first week of the New Year:

On Wednesday, a new version of CDBurnerXP was released with version 4.5.0.3717.  This new version is a non-security update.  On Friday, Google released a non-security update for their Picasa program with version 3.9.136.120.

Microsoft announced their January 2013 Patch Tuesday Advance Notification.  You can read my write up here on the upcoming Patch Tuesday notification details.  In addition to the seven Microsoft security bulletins being released next Tuesday, there are quite a few non-Microsoft patches expected to be released as well.

Adobe announced they will be releasing updates for their Adobe Reader and Adobe Acrobat programs (versions 9/10/11).  These updates are rated as critical and are part of their quarterly update for Adobe Acrobat and Reader, which falls on this January Patch Tuesday.

In addition, Mozilla is lining up to release updates as well for their products.  You can expect updates for their Mozilla Firefox, Firefox ESR, Thunderbird, Thunderbird ESR and SeaMonkey products.

On Microsoft’s preannouncement page for upcoming non-security updates, they have listed Adobe Flash Player for Internet Explorer 10.  With this in mind, expect updates from Adobe for Adobe Flash Player and Google Chrome on Patch Tuesday.  With every Adobe Flash Player release, Microsoft and Google update their browsers to supply the latest version of the Flash Player program.

On the Microsoft Security Advisory front, Microsoft released a new security advisory on Thursday. Microsoft Security Advisory 2798897 addresses issues with fraudulent digital certificates. This security advisory places the offending certificates in the untrusted certificate store on systems. In June 2012, Microsoft released a tool that will run on systems and quickly move revoked certificates to the untrusted certificate stores. This tool aids administrators that want an easy and quick way to update certificate issues Microsoft finds. This tool can be downloaded here. For those that do not want to use the tool, Microsoft has provided patches for this certificate issue that can be applied to systems.

I will be going over the January Patch Tuesday patches in detail along with reviewing other non-Microsoft releases since the December Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, January 9th at 11:00 a.m. CT.  You can register for this webcast here.

Until Patch Tuesday, Happy Patching!

– Jason Miller

January 2013 Patch Tuesday Advanced Notification

To ring in the New Year, Microsoft has announced their January 2013 advanced notification for Patch Tuesday.  The January 2013 edition of Patch Tuesday will be bringing seven security bulletins addressing 12 vulnerabilities.

Security Bulletin Breakdown:

  • 2 bulletins are rated as Critical
  • 5 bulletins are rated as Important
  • 2 bulletins addressing vulnerabilities that could lead to Remote Code Execution
  • 3 bulletins addressing vulnerabilities that could lead to Elevation of Privilege
  • 1 bulletin addressing a vulnerability that could lead to Security Feature Bypass
  • 1 bulletin addressing a vulnerability that could lead to Denial of Service

Affected Products:

  • All supported Microsoft operating systems
  • Microsoft Office 2003, 2007
  • Microsoft Word Viewer
  • Microsoft Office Compatibility Pack
  • Microsoft Expression Web, Web 2
  • Microsoft SharePoint Server 2007
  • Microsoft System Center Operations Manager 2007, 2007 R2

If Adobe sticks to their previous release schedule, this Patch Tuesday will also include security updates for Adobe Acrobat and Reader during their quarterly update.  Adobe stated earlier this year that they were moving to a more standard cadence on Patch Tuesdays when necessary.  We could very well be seeing Adobe updates as the last time Adobe Acrobat and Adobe Reader were patched was during the October 2012 Patch Tuesday.

Mozilla is also on track to release an update for their Firefox browser during the week of Patch Tuesday with version 18.  Typically, Mozilla releases on the same day as Microsoft’s Patch Tuesday when their release cycle is during that week.

I will be going over the January Patch Tuesday patches in detail along with reviewing other non-Microsoft releases since the December Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, January 9th at 11:00 a.m. CT.  You can register for this webcast here.

– Jason Miller

This Week in Patching – 12/14/2012

This week in patching was highlighted by Microsoft’s December 2012 Patch Tuesday.  Microsoft released seven security bulletins addressing 12 vulnerabilities.  You can read my full write up on Patch Tuesday here.

On the non-Microsoft front, Adobe released an update for their Adobe Flash Player and Air products. Adobe Security Bulletin APSB12-27 addresses three vulnerabilities and is rated as Critical. Adobe has started the trend of releasing security updates for Flash Player on Microsoft’s Patch Tuesday. This trend will probably continue as Microsoft and Google both bundle Adobe Flash Player in their latest browsers.

On that note, Microsoft released an update for their security advisory (KB2755801) to include the latest version of Adobe Flash for Internet Explorer 10.  Google released an update on Patch Tuesday for their Chrome browser.  Google Chrome 23.0.1271.97 contains the latest version of Adobe Flash Player as well as addressing six Google Chrome vulnerabilities.

To wrap up Patch Tuesday, Apache released a new version of Tomcat for Windows with version 7.0.34.  This latest version of Tomcat is a non-security update.

On Thursday, Oracle provided updates for Java version 6 and 7.  Java 6 update 38 and Java 7 update 10 are non-security releases.  The next scheduled security update for Oracle Java is planned for February 19, 2013.  It is important to note that the next scheduled security update will be the last time Java version 6 will receive a security update.  At that time, Oracle will continue to provide security updates for Java version 7.  In the next few months, administrators should look at testing the upgrade for Java version 6 to version 7.  Java can be quite tricky to upgrade.  There are occasions where older software programs that rely on Java simply will not work with the latest version.  By June 18, 2013, administrators should be upgraded to Java 7.  That date will be the next scheduled security update after Java 6 has reached end of life for support.

On Friday, Apple provided updates for their iTunes product with version 11.01.  This update addresses non-security issues with their recent major upgrade in version 11.

Typically, the last two weeks of the year are very quiet for vendors releasing patches for their software.  If any vendor does release updates, I will be back next Friday with an update on the happenings in patch management.  If not, I will be getting a head start on ringing in the New Year.

Happy Patching and Happy Holidays!

 

– Jason Miller

December 2012 Patch Tuesday Overview

For December 2012 Patch Tuesday, Microsoft has released seven new security bulletins addressing 12 vulnerabilities. This month’s Patch Tuesday affects every Microsoft operating system and every supported version of Microsoft Internet Explorer. All machines on an administrator’s network will need to be patched this month.

There are two security bulletins that will need to be addressed right away.  First, Microsoft security bulletin MS12-077 addresses three vulnerabilities in all supported versions of Microsoft Internet Explorer.  Navigating to a malicious website in an unpatched browser can result in Remote Code Execution.  With any Internet browser, it is important to patch immediately as browsers are one of the most targeted software programs by attackers.

The second bulletin administrators should look at patching right away is MS12-079.  This security bulletin addresses one vulnerability in Microsoft Word.  Opening a malicious RTF document can result in Remote Code Execution.  By default, Microsoft Outlook 2007 uses Word 2007 as the default email reader.  Organizations that use Microsoft Outlook 2007 will want to raise the priority of patching this bulletin as simply previewing a malicious document can exploit the vulnerability.

Back in October 2012, Microsoft released Security Advisory 2749655.  Microsoft identified an issue where patch packages and patch files were incorrectly signed.  With the digital certificate issue, Microsoft has been identifying these patches and re-releasing them with a correctly signed digital signature.  Today, Microsoft is re-releasing four bulletins with new patches.

MS12-043
MS12-057
MS12-059
MS12-060

This brings the Microsoft security bulletins up to 11 this month.  These re-released patches are not as critical to deploy to the network as the original seven December 2012 Patch Tuesday patches.  If you have already deployed these re-released patches when they were released, administrators are protected from the vulnerabilities.  Although, administrators will want to ensure they have patched the 10 re-released patches before early 2013.

On the non-Microsoft front, there are a few vendors releasing updates for their products.  Adobe has released two security bulletins.  Adobe security bulletin APSB12-026 addresses one vulnerability in Adobe ColdFusion and is rated as Important.  Adobe security bulletin APSB12-027 addresses three vulnerabilities in Adobe Flash Player 10/11 and Adobe Air 3.  Adobe has rated the security bulletin for Flash Player and Air as Critical.

With every Adobe Flash Player security update, Google and Microsoft are also involved with the security patch release.  Google has updated their Chrome browser with version 23.0.1271.97.  This new version includes the Adobe Flash Player security update as well as addressing six vulnerabilities in Google Chrome.  Microsoft updated their Security Advisory (2755801) to include the latest version of Adobe Flash Player for Microsoft Internet Explorer 10.  Microsoft’s Internet Explorer 10 on Windows 8 / Server 2012 embeds Adobe Flash Player in the browser as well.

The last vendor providing updates to their software so far on this Patch Tuesday is Apache.  Apache has released Apache Tomcat for Windows version 7.0.34.  This update is a non-security update.

The 2012 Patch Tuesday releases are not going out with a whimper this year. With the seven new Microsoft security bulletins, the four Microsoft security bulletin re-releases and the Adobe Flash Player security update, administrators will have a significant amount of patching to complete before they can start focusing on the holidays.

I will be going over the December Patch Tuesday patches in detail in addition to any other non-Microsoft releases since the last Patch Tuesday in our monthly Patch Tuesday webcast.   This webcast is scheduled for next Wednesday, December 12th at 11:00 a.m. CT.  You can register for this webcast here.

– Jason Miller

This Week in Patching – 12/7/2012

This week in patching was a very light week with very few releases.  This is not unusual for this time of the year.  In the past few years, I typically see a lighter number of releases from software vendors during the month of December.  Here is a quick recap on the happenings in patching this week:

On Monday, Foxit released a new version of Foxit Reader with version 5.4.4.11281.  This update is a non-security update.

On Wednesday, The Document Foundation released an update for their 3.6.x LibreOffice program with LibreOffice 3.6.4.  This release is also a non-security update.

Next Tuesday marks the December 2012 edition of Patch Tuesday.  I will be going into detail on all of the happenings here next Tuesday.

Happy Patching!

 

– Jason Miller