As I prepare my notes for one or two GSD posts on recent rogue-security-product malware purges from heavily infected systems, I'm going to offer a brief public service announcement.
In both cases, a review of the logs generated and collected during the incident responses strongly suggests to me that both infections occurred during innocent web-surfing when the users unknowingly landed on maliciously seeded pages that took advantage of exploitable code in their older versions of Java.
While probably not the specific exploit they encountered, these YouTube videos do illustrate how the process can work.
- Java CVE-2010-4452 - YouTube
- CVE-2010-4452 : Oracle Java Applet2ClassLoader Remote Code Execution Exploit - YouTube
For more in-depth illustration and analysis of the problem, take a look at these security posts.
- Not Just Another Analysis of Scareware - Security Braindump
- Vulnerabilities in a Flash - WhiteHat Security Blog
Patch it like a hobo
Trying to guide Dad through all the hoops on how to check his Windows (Vista) system for the latest versions of these most popular browser plugins has been quite challenging. Not only do you have to go confirm the current version you are running (either through the Control Panel or from the providers' websites), but then you have to navigate through the download and install process, often trying to avoid an offered "bonus" software product installation along the way.
So, although at work I download such update packages directly from the provider’s source for security reasons, at home and in recommendations to family and friends, I usually just point them to the specific updated package as found on the FileHippo.com Plugins Downloads site. It’s just easier that way.
- Adobe Air -- FileHippo mirror site.
- Flash Player -- FileHippo mirror site. (Be sure to get both the IE "ActiveX" and the "Non-IE" plugin versions; each browser family uses its own copy.)
- Shockwave Player -- FileHippo mirror site.
- Java Runtime Environment -- FileHippo mirror site. (If you run 64-bit Windows, grab and install both the 32-bit and 64-bit versions, since 32-bit browsers load the 32-bit JRE.)
If you do want to go the “official source only” path, then here you go.
Adobe - Flash Player - This page will tell you what version of Flash you are running and what the latest versions are.
Troubleshoot Flash Player installation | Windows - Links to both the update page as well as the direct manual download links for the most current level of both versions: Flash Player 10 ActiveX (for IE) and Flash Player 10 Plugin (for Firefox and other non-IE browsers).
Adobe - Test Adobe Shockwave Player - this page will play and display a Shockwave file which then tells you your currently installed version of Shockwave. Write it down then…
…go to this page Adobe - Adobe Shockwave Player to see what the latest version actually is. If this one is newer, download and install (just watch out for the offered "bonus" software install and uncheck the box if you don't want it).
To confirm you have the freshest Java beans, pop over to this Verify Java Version page and see what fortune you get. Need an update? Well then my bedraggled friend, stop in at All Java Downloads to pick from the buffet. You likely will be focusing on the Windows 32-bit and 64-bit versions.
I haven't mentioned it, but Adobe Reader/Acrobat is also almost ubiquitously found on Windows systems, and it also must be kept updated to avoid the worst of the PDF-related exploit issues out there.
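The manual "check the Control Panel, then check the vendor page" routine above is tedious to repeat on every family PC. The script below is an added example, not something from the original post or from Adobe/Oracle; it reads the registered versions of Java, Flash, Shockwave and Reader from the Windows Uninstall registry keys (both the native and the WOW6432Node hive, so 32-bit plugins on x64 are found) and flags anything below a minimum version you fill in. The minimum versions and the product-name patterns are assumptions: replace the floors with the current numbers from the vendor pages linked above, using the same numbering scheme the entry's DisplayVersion reports.

```powershell
# Added example (not from the original post): inventory the browser plugins
# the post covers and compare them against a patch floor.
# ASSUMPTION: the floor values below are placeholders, not today's patch
# level; fill them in from the Adobe/Oracle pages, in the same numbering the
# product's DisplayVersion uses (it differs per vendor).
$Minimums = @{
    'Java'      = [version]'1.6.0.0'   # placeholder
    'Flash'     = [version]'10.3.0.0'  # placeholder
    'Shockwave' = [version]'11.6.0.0'  # placeholder
    'Reader'    = [version]'9.4.0.0'   # placeholder
}

# Uninstall keys for native and 32-bit (WOW6432Node) applications. On a
# 32-bit Windows install the second path does not exist and is skipped.
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# ASSUMPTION: DisplayName patterns as the vendors' installers write them.
$Products = @(
    @{ Name = 'Java';      Match = '^Java\(TM\)|^Java \d' },
    @{ Name = 'Flash';     Match = '^Adobe Flash Player' },
    @{ Name = 'Shockwave'; Match = '^Adobe Shockwave Player' },
    @{ Name = 'Reader';    Match = '^Adobe Reader' }
)

# Normalise a vendor version string into a [version] so it can be compared:
# Java writes "1.6.0_26" (underscore before the update number), Flash may
# use commas; strip anything else, pad to at least two fields, cap at four.
function ConvertTo-ComparableVersion([string]$raw) {
    $clean = ($raw -replace '[_,]', '.') -replace '[^0-9.]', ''
    $parts = @($clean -split '\.' | Where-Object { $_ -ne '' })
    while ($parts.Count -lt 2) { $parts += '0' }
    if ($parts.Count -gt 4) { $parts = $parts[0..3] }
    return [version]($parts -join '.')
}

$installed = Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayVersion }

foreach ($p in $Products) {
    $hits = @($installed | Where-Object { $_.DisplayName -match $p.Match })
    if ($hits.Count -eq 0) {
        Write-Output ("{0,-10} not installed" -f $p.Name)
        continue
    }
    # A product can legitimately appear twice (32-bit and 64-bit Java,
    # ActiveX and plugin Flash); report every copy, each one needs patching.
    foreach ($h in $hits) {
        $v = ConvertTo-ComparableVersion $h.DisplayVersion
        $status = if ($v -lt $Minimums[$p.Name]) { 'OUT OF DATE' } else { 'ok' }
        Write-Output ("{0,-10} {1,-45} {2,-14} {3}" -f $p.Name, $h.DisplayName, $h.DisplayVersion, $status)
    }
}
```

Run it from an elevated PowerShell prompt (Vista ships without PowerShell; install Windows Management Framework first). The output lists each installed copy with its raw DisplayVersion alongside the OK/OUT OF DATE verdict, so even if a floor is wrong you can still compare the number by eye against the vendor's "latest version" page. Note that an "ok" here only means the registered version is at or above the floor you typed in; it does not prove the browser is actually loading that copy rather than a stale one left behind by an earlier install.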
Updates galore
This past month saw a banner crop of security patches and updates, both to the Windows operating system and to many popular Windows browser plugins. Hopefully everyone who needs them has applied them to their systems. Adobe in particular has become more of a responsible citizen by changing its products to "auto-check" for updates. Oracle has included a Java update-check service in its product for some time now.
It's my personal experience that while these auto-update features do work, sometimes they don't offer an available update for some time. And in the case of Java, when the notice sits quietly in the system tray as an indicator icon, it is easy to overlook. Adobe at least throws the notice in your face.
I understand and acknowledge the challenges for many home-users in keeping informed and notified of these updates. Heck, it’s hard enough to get some home users to even care about patching third-party systems.
That said, as anyone who has either been the victim of a browser drive-by malware infection, or been the guy or gal who had to spend many, many hours cleaning Uncle Bob's unpatched PC to save their own system and Uncle Bob's sanity yet again, can attest, it's too serious not to keep an eye out and patch these browser plugins as soon as updates are released.
- Adobe Ships Security Patches, Auto-Update Feature -- Krebs on Security
- Flash Player Patch Fixes Zero-Day Flaw -- Krebs on Security
- Patch Tuesday part two – Adobe patches Reader, Flash and more -- Naked Security
- Adobe releases patches -- ISC Diary post
- Java Patch Plugs 17 Security Holes -- Krebs on Security
- Microsoft Patches Fix 34 Security Flaws -- Krebs on Security
- IE 9.0.1 Available via Windows Update -- IEBlog
- ISC Diary | Microsoft June 2011 Black Tuesday Overview -- ISC Diary
- Patch Tuesday – June 2011 – 16 bulletins, 9 critical -- Naked Security
- Microsoft Security Bulletin Summary for June 2011 - Microsoft TechNet
Patch on Mr. Adams!
--Claus V.
1 comment:
Claus,
Thanks for bringing up this important issue.
Unpatched third-party apps (esp. outdated Java and Flash) are probably the primary infection vector by which malware gets onto systems these days.
Considering how difficult it is to keep up with the constant patching and maintenance of all the third-party applications installed on a computer, you might want to give a shout out again (as you have in the past) to some of the various software packages that are available to help deal with this problem.
In my case, I simply advise all of my technically challenged relatives to just run Secunia PSI on their systems, and make sure they're at 100% before they start each web browsing session.