February 6, 2012

Hackers launch millions of Java exploits, says Microsoft

By Gregg Keizer, Computerworld
November 29, 2011 03:05 PM ET

Cryin' shame: 60% of Windows PCs lack 18-month-old Java update, adds expert

Hackers continue to launch attacks exploiting vulnerabilities in Oracle's Java software in record numbers, Microsoft said Monday.

Citing research from a recent report, Tim Rains, a director in the company's Trustworthy Computing group, said that up to half of all attacks detected and blocked by Microsoft's security software over a 12-month period were Java exploits.

Altogether, Microsoft stopped more than 27 million Java exploits from mid-2010 through mid-2011.

Most of those exploits targeted long-ago-patched vulnerabilities, said Rains.

The most commonly-blocked Java attacks — to the tune of over 2.5 million of them — in the first half of 2011 exploited a bug disclosed in March 2010 and patched by Oracle the same month. Second on the popularity chart for the full 12-month stretch was an exploit of a bug patched in early December 2008, nearly three years ago.

Other bugs that made the actively-exploited list were quashed in November 2009 and March 2010.

Rains' comments followed a similar message from Microsoft in October 2010, when the company said an "unprecedented wave" of attacks was exploiting Java flaws.

Microsoft's findings were no surprise to outside security researchers.

"Most [Windows] machines are just not up-to-date with Java," said Wolfgang Kandek, chief technology officer at Qualys, a California developer of security risk and compliance management software and services.

Qualys regularly mines data from the customers' machines it protects to get a feel for updating practices. And for Java, those practices are pathetic.

"Java updates lag behind seriously," said Kandek, like Rains reiterating a 2010 take. "Eighty-four percent of the machines we see don't have the June 2011 Java update installed, 81% don't have the February 2011 update and 60% don't have the March 2010 update."

Qualys doesn't have enough scanning data yet to measure the patch rate for the October 2011 update, Oracle's latest, but Kandek estimated that as many as 90% of Windows PCs hadn't deployed those fixes.

Enterprises typically patch vulnerabilities in Microsoft's Windows much faster, Kandek continued, citing a "half-life" — meaning that half of all machines are patched — of 29 days for run-of-the-mill Windows bugs. Critical patches are deployed even quicker: Their half-life is about 15 days.

The pervasiveness of Java is one explanation for the high volume of attacks exploiting its bugs, said Andrew Storms, director of security operations for nCircle Security, in an interview conducted via instant message.

But its virtual invisibility to users is another.

"Java is not something [most users] interact with … similar to how Adobe Flash or Reader became the big, but silent, target," said Storms. "It's on everyone's computer, but rarely do you interact with it. [So] from the attackers' perspective, using Java as the silent killer is a smart move. If people don't know what it is or know what it does, they are less likely to update it. As such, you have to imagine there are tons and tons of old vulnerable installs out there."

Some of Qualys' enterprise customers are among those running out-of-date editions, said Kandek. "One issue is internal applications that require older versions of Java," he said.

Qualys' recommendation to companies in that boat: Block Java's use outside the network perimeter.

Criminal developers who craft exploit kits are constantly adding new Java exploits to their wares, Kandek continued, to supplement the older-but-still-effective exploits of older bugs. Those kits already have been equipped with exploits of the bugs Oracle patched in October.

Qualys provides its clients with an exploit mapper that shows which vulnerabilities are being leveraged in such kits. "If they cannot patch every vulnerability, this gives them a list of those that we know are being used in the wild right now," Kandek said.

Others have taken a much more aggressive line on Java.

Noted security blogger Brian Krebs, a former Washington Post reporter, has repeatedly urged consumers to uninstall Java from their Windows machines.

On Monday, echoing Kandek's claim that exploit kits are now armed with attack code that targets Java vulnerabilities Oracle patched in October, Krebs again advised users to scrub the Java plug-in from their browsers.

Microsoft's Rains didn't go that far, instead telling users that they should update Java, and keep it up to date.

"There is just too little focus, even now, on Java and its updates," said Kandek. "It's being exploited … right now."

The P4ssw0rd Myth?

by AVG Blogs

It’s nothing new that there are bad people out there on the internet who, if they should get the chance, would steal your personal details and your banking ones too.

The news is full of hacking these days, with companies, multinational organisations, governments and individuals on the receiving end of some pretty serious privacy breaches.

Obviously, most of us don’t have a say in government or company security policy, so it’s up to us to keep our own digital lives safe. While this can involve a number of steps, including both software and hardware, it often comes down to passwords.

Your password is your basic online defence, the key to much of your information. We at AVG, like other security experts, recommend that you use a different password for each site (or at least a few variations), limiting any damage were your password to be compromised. However, we understand that most people aren’t overly worried by hacking and that multiple passwords can be difficult to remember.

Interestingly, randomly generated passwords have become all the rage over the last few years and we at AVG have recommended passwords with a mix of characters and symbols. Sometimes these come in the form of passwords that are generated completely at random such as PhuR7Tr$.

Of course, the difficulty comes in remembering these random passwords, and that’s not even taking into account if you were a good citizen and have a dozen or so of them for the various websites you use.

Maybe there is another way. Below is an episode of the famous webcomic xkcd which touches on this very subject.

This comic is saying that the password in the top frames, “Tr0ub4dor&3”, is easier for password-cracking software to guess than “correcthorsebatterystaple”. And it is absolutely true that people make passwords hard to remember because they believe that makes them “safer”.

The important thing to take away from this comic is that longer passwords are better because each additional character adds much more time to the breaking of the password.

Steve Gibson from the Security Now podcast did a lot of work in this arena and found that the password “D0g.....................” is harder to break than the password “PrXyc.N(n4k77#L!eVdAfp9”. Steve Gibson makes this very clear in his password haystack reference guide and tester:

“Once an exhaustive password search begins, the most important factor is password length!”

That’s what xkcd is trying to get across here. Complexity does not matter unless the password also has length. Complexity is difficult for humans to remember; length is not.
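The length-versus-complexity argument above can be checked with a short script. What follows is an added example, not code from the AVG post and not Gibson's haystack tester: it estimates the worst-case exhaustive-search space for each password the post mentions, in the haystack style (alphabet = the union of character classes the password uses, candidates = every string up to that length). The character-class sizes (26/26/10/33), the expansion of the elided dots after "D0g" into 21 periods, and the guess rate of one hundred billion per second are all assumptions made for the example.

```python
import math
import string

# Character-class sizes in the style of the "haystack" estimate the post cites.
# Assumption: symbols are the 32 printable ASCII punctuation marks plus the space (33).
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SYMBOLS = set(string.punctuation) | {" "}
CLASSES = ((LOWER, 26), (UPPER, 26), (DIGITS, 10), (SYMBOLS, 33))

# Passwords discussed in the post. Assumption: the elided dots after "D0g" are
# 21 periods, giving a 24-character string.
XKCD_COMPLEX = "Tr0ub4dor&3"
XKCD_LONG = "correcthorsebatterystaple"
GIBSON_RANDOM = "PrXyc.N(n4k77#L!eVdAfp9"
GIBSON_PADDED = "D0g" + "." * 21

# Assumed attacker speed for the time estimate: one hundred billion guesses per second.
GUESSES_PER_SECOND = 1e11


def alphabet_size(password: str) -> int:
    """Smallest alphabet an exhaustive search must use to be sure of reaching
    this password: the union of every character class the password draws on."""
    size = 0
    for members, count in CLASSES:
        if any(c in members for c in password):
            size += count
    if size == 0:
        raise ValueError("password uses no recognised character class")
    return size


def search_space(password: str) -> int:
    """Worst-case number of candidates for a blind exhaustive search that tries
    every string of length 1 .. len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def strength_bits(password: str) -> float:
    """Search space expressed in bits, so a difference of 1 means twice the work."""
    return math.log2(search_space(password))


def seconds_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Time for the assumed attacker to run through the whole search space."""
    return search_space(password) / rate


def describe(password: str) -> str:
    """One report line: length, alphabet, bits and years to exhaust."""
    years = seconds_to_exhaust(password) / (365.25 * 24 * 3600)
    return (f"{password!r:30} len={len(password):2d} alphabet={alphabet_size(password):3d} "
            f"bits={strength_bits(password):6.1f} years={years:.3g}")


if __name__ == "__main__":
    for pw in (XKCD_COMPLEX, XKCD_LONG, GIBSON_RANDOM, GIBSON_PADDED):
        print(describe(pw))
```

Running it shows the 25-letter lowercase phrase far ahead of the 11-character "Tr0ub4dor&3" despite its smaller alphabet, and the padded "D0g" string ahead of the 23-character random one, which is Gibson's point. The figure is a worst case for blind enumeration only: a guesser that tries dictionary words and repeated padding first does not enumerate blindly, so a single padded word can fall sooner than the number suggests, which is why the comic's phrase is several unrelated words rather than one.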

Apple to support reps: “Do not attempt to remove malware”

By Ed Bott | May 19, 2011, 5:00am PDT

Apple is actively conducting an internal investigation into the Mac Defender malware attack I wrote about yesterday (here and here). An internal document with a Last Modified date of Monday, May 16, 2011 notes that this is an “Issue/Investigation In Progress.”

The document (shown below) provides specific instructions for support personnel to follow when dealing with a customer who has called AppleCare to request help with this specific attack.

There are two different resolution paths, depending on whether the customer says Mac Defender / Mac Security has or has not been installed.

According to this document, if the caller says he or she has not installed the software, the support rep should “suggest they quit the installer and delete the software immediately.” That is followed by this disclaimer:

AppleCare does not provide support for removal of the malware. You should not confirm or deny whether the customer’s Mac is infected or not.

If the software is already installed, support personnel are instructed to make sure all security updates have been installed using Software Update. They are then to direct the customer to the “What is Malware?” Help document using Finder. The final step is clear:

Explain that Apple does not make recommendations for specific software to assist in removing malware. The customer can be directed to the Apple Online Store and the Mac App Store for antivirus software options.

Finally, that is followed by these four bullet points.

Important:

  • Do not confirm or deny that any such software has been installed.
  • Do not attempt to remove or uninstall any malware software.
  • Do not send any escalations or contact Tier 2 for support about removing the software, or provide impact data.
  • Do not refer customers to the Apple Retail Store. The ARS does not provide any additional support for malware.

Apple has not responded to a request for comment on the ongoing Mac Defender attack or this policy.

http://www.zdnet.com/blog/bott/apple-to-support-reps-do-not-attempt-to-remove-malware/3362?tag=nl.e539

Modern Mac owners need to ignore the dinosaurs and get protection

By Adrian Kingsley-Hughes | May 19, 2011, 6:12am PDT

I can’t believe that we’re still having a discussion over whether or not the bad guys have begun targeting Mac users. I really can’t. I’m truly staggered by the fact that people who have been around computers for decades and who are supposedly keeping their finger on the tech pulse are still clinging on for dear life to the notion that the Mac is somehow immune or invulnerable to modern malware.

John Gruber, the guy behind the Mac site Daring Fireball says that those who dare to suggest that there’s a problem are crying wolf. To back up his ‘claim’ (and I can’t put enough quotes around that word so I won’t bother trying) he pulls quotes from the internet going all the way back to 2005. His point seems to be that because someone made a prediction in 2005 that a wave of Mac malware was coming, and it didn’t materialize, then it can’t possibly happen in 2011 either because of some ancient lore that says that things never change and the past always equals the future.

It’s a shame the world isn’t that simple.

I’ve one word to describe these people who choose to ignore the real problems facing the modern Mac user and instead choose to live in the past – Dinosaurs.

The Mac dinosaur, in its natural habitat!

Look around you, do you see any dinosaurs? No. Here’s why …

I bet the dinosaurs didn’t see that coming either!

Times have changed. The old-guard, fervor-filled dinosaurs of the past who for some reason (ego, self esteem, ignorance …) want to frantically and fanatically cheer lead have been replaced by the modern Mac user who sees the Mac as a tool rather than an idol. What is a modern Mac user? Well, for starters I see them as someone who started using a Mac since its transition from the PowerPC architecture to Intel architecture, a move which began in mid-2006. Much of the zealotry and nonsense spouted today dates back to the PowerPC years when owning a Mac was seen by many as a deviant pastime. Times have changed.

The modern Mac user also uses their machine in a very different way to the dinosaurs of old. People nowadays surf a lot more, social media has in many ways replaced email as the preferred method of communication. Multimedia on the web has exploded. More people doing more things in ways that we couldn’t really have dreamed possible a decade ago.

The modern Mac user is also very likely to be someone who, prior to owning a Mac, owned a PC (this is based on data from Apple which says that around 50% of those buying a new Mac are first-time buyers). This is important to bear in mind since these users are likely to have brought their bad Windows habits (bad habits that perhaps caused them to switch to Mac in the first place?) with them to the new platform.

The threats posed by the bad guys are also different. Very different. Rather than rely on viruses which spread by using system vulnerabilities, the bad guys have turned to the Trojan. This is malware disguised as something desirable – a game, a software utility, a porn video – and it relies on the user choosing to install it onto their system. It’s hard to protect against this kind of stuff because the user chooses to override the operating system’s desire to be cautious when it comes to installing stuff. Getting people to install their own malware has been a popular trick used against Windows users for some time now, and there’s no reason to think that the same trick wouldn’t work against the modern Mac users, especially given how many of them were Windows users not long ago.

The piece of malware that’s currently making the rounds is called Mac Defender (there are other variants called Mac Protector and Mac Security). It’s not particularly sophisticated. Infection goes something like this:

  • A user does a Google image search.
  • Among the listings are poisoned listings.
  • Clicking on these listings will take the Mac user to a web page that looks a lot like the Mac OS X Finder (the website uses browser and OS detect scripts to deliver different views and malware for different operating systems).
  • The fake Finder displays a ‘Scanning for viruses’ message followed by the inevitable ‘Your computer is at risk!’ message and offers a ‘Fix your problem’ link.
  • Link goes to the page where the user can download the Trojan.
  • Users install the Trojan.
  • Trojan nags users for money to remove malware.

This scheme will be familiar to most Windows users. While the trick might not be older than dirt, it sure has been around for a while. And against novices who are scared of malware, it’s a pretty efficient way to get them to install the very malware they’re afraid of onto their systems.

How big a problem is Mac Defender? It’s hard to get an accurate picture. Personally, I’ve heard from nearly a dozen people affected by it and a few dozen more who have been redirected to the fake Finder screen. My colleague Ed Bott has uncovered 42 separate discussion threads on Apple’s support forum, and a confidential internal Apple document has seen some 20,000 page views since it was created (I’m assuming Apple support folks were accessing the document because of calls received and not for fun).

Fortunately, it’s pretty easy to remove … here’s a simple guide for removing Mac Defender. Unfortunately, Mac malware is likely to become more sophisticated and harder to remove.

Regular readers of this blog will know that I don’t feel the need to be a fanboy or cheerleader for one multibillion dollar corporation over another, and that instead I offer up what is my honest opinion as to what’s best for the user (usually the advice I give mirrors closely what I do myself). My advice for the modern Mac owner is simple – ignore the dinosaurs and protect yourself from malware. Personally I use Sophos Free Antivirus for Mac but there’s plenty to choose from.

It’s that simple.

Ignore the dinosaurs. Download protection. Install it. Get on with life.

http://www.zdnet.com/blog/hardware/modern-mac-owners-need-to-ignore-the-dinosaurs-and-get-protection/12857?tag=nl.e539