
Microsoft lines up 8 bulletins for its November edition of patch Tuesday


November 8, 2013

Microsoft said earlier this morning that it is lining up no fewer than eight security bulletins for its November edition of Patch Tuesday on November 12, three of them rated critical.

However, there is still no relief in sight for a zero-day security vulnerability in how Office 365 handles .TIFF graphics files, which has hounded Windows and Office users for the past several months.

Hackers are currently exploiting a zero-day security vulnerability in a graphics library that is used by Microsoft Office and older versions of Windows in a targeted attack.

There is no patch available for this, and nothing is scheduled to arrive next Tuesday, or even for December's edition of Patch Tuesday at the time of this writing.

For now, though, Microsoft's security team has issued a temporary workaround that defends against attacks by disabling TIFF rendering in the affected graphics library.

TIFF is a format used frequently when scanning large documents and is generally used in the publishing industry.

A comprehensive security patch against the vulnerability, which only surfaced last week, will probably have to wait until later, and Microsoft is still quiet as to when that might be.

In the meantime, there is next week's release of eight bulletins to consider, which covers security flaws in both Windows and Microsoft Office.

The three critical security bulletins affect both Internet Explorer and Windows, with the remaining five important bulletins affecting Office and Windows.

"All of these critical security bulletins and one of the important bulletins result in a remote code execution and should be prioritized higher," explains Wolfgang Kandek, CTO of cloud security firm Qualys.

"The rest of the important bulletins result in the elevation of privileges or a denial of service condition," he said.

Microsoft's pre-release advisory, which leaves out details of the security vulnerabilities to be addressed pending their release next Tuesday, is available on its website.

Ross Barrett, senior manager of security engineering at Rapid7, said November's mid-sized Patch Tuesday is likely to provoke mixed feelings among system administrators around the globe.

"The November Patch Tuesday Advance Bulletin is out and I think everyone is breathing a sigh of both relief and frustration at the same time," Barrett commented. "Relief because for the first time in a few months, this is a relatively straightforward security patch, with fixes for most Windows versions, the ever-present IE roll up patch, and some Office components, but nothing esoteric or difficult to patch. No SharePoint plugins, no complicated .NET patching, no esoteric office extensions."

"There is some frustration because according to the MSRC blog, this round of security patches doesn't include a fix for the recently published, exploited-in-the-wild Office vulnerability described in Microsoft Security Advisory 2896666."

In other internet security news

The IETF (Internet Engineering Task Force) has vowed that the U.S. NSA won't be allowed to get away with its questionable surveillance of the internet any more, as soon as about 1,100 engineers of its group can agree on a PRISM-proofing scenario.

The IETF met this week in Canada and the communiqué that it issued makes it very clear that the internet standards body is very angry about the way that the NSA carries out its online surveillance and won't allow it anymore.

"Several discussions over the past few months, including many in the more than 100 working group sessions this week, are carefully and systematically reviewing internet security and exploring several ways to improve privacy and other aspects of web security for different applications," IETF chair Jari Arkko said in the communiqué.

Stephen Farrell, an IETF security area director, added: "There are many challenges isolating the specific areas of attack that IETF protocols can mitigate," but noted that "all of the working groups that considered the topic have started planning to address the threat using IETF tools that can efficiently address several aspects of the issue."

Notes taken from the Vancouver meetings considered a few ways to harden the internet, including transport layer security (TLS) and "possibilities to get the TLS-secured versions more widely and consistently deployed."

"Plans for upgrading the handling of mail, instant messaging and voice-over-IP protocols, in each case with a view to improving the resistance of the deployed base to pervasive monitoring," also received some consideration, as did opportunistic encryption for the Multipath TCP protocol.

So exactly what will emerge, and when, if ever, isn't known at this time. But the NSA can consider itself warned: the internet standards body has decided to make its life very difficult for the next ten to fifteen years. The very popular (or unpopular, depending on which side you're on) NSA leaker Edward Snowden must be pleased.

In other internet security news

Whatever you may have heard or read about Bitcoin, whether good or bad, some observers still view it as a high-quality intellectual achievement.

So much so that a group of researchers from Johns Hopkins University is now suggesting that its cryptographic design could help solve the certificate problem for ordinary users.

Setting aside whether they could be compromised wholesale, a problem with Public Key Infrastructure (PKI) certificates is that they depend on users trusting the certification authority (CA) that sits at the top of the trust hierarchy.

But as incidents such as the DigiNotar hack have shown, any loss of trust is fatal to a CA, and Bitcoin is no different.

Bitcoin did away with its centralized trust system in favor of its own cryptographic model, relying instead on a distributed transaction ledger.

In a paper published through the International Association for Cryptologic Research, researchers Christina Garman, Matthew Green and Ian Miers of Johns Hopkins University's Department of Computer Science propose a similar model, in which anonymous credentials could exist without a centralized CA acting as a trusted issuer.

Their concept is that the distributed, public, append-only ledger model used by Bitcoin could be used "by individual nodes, to make assertions about identity in a fully anonymous fashion" while doing away with CAs as a single point of failure.

"Using this decentralized ledger and standard cryptographic primitives, we propose and provide a proof of security for a basic anonymous credential system that allows users to make flexible identity assertions with strong privacy guarantees," they write.

Key components of the system are:

  • A Decentralized Direct Anonymous Attestation
  • Anonymous resource management in ad hoc networks
  • Credential auditability

And while the researchers present an implementation, they note that this work (still very much pre-Alpha) needs further development in the security of the transaction ledger, and in the efficiency of the algorithms.

In other internet security news

Do you remember the Adobe security breach in early October that leaked the account records of some 3 million customers? Well, that number is badly wrong: the real figure is at least 38.3 million and still counting, news that has emerged in the last few days.

Three weeks ago, Adobe warned of sophisticated attacks on its network in which hackers gained access to data for what was then believed to be about 2.9 million customers. That data included names, encrypted credit or debit card numbers, expiration dates, and other sensitive personal information relating to customer orders.

Additionally, Adobe said that the hackers managed to abscond with source code for numerous Adobe products. But in a blog post yesterday, investigative journalist Brian Krebs said that those early estimates were far too low, and that the actual list of compromised accounts numbered in the tens of millions.

How does Krebs know? Because he's seen the list. Over the weekend, he says, a 3.8 GB file called "users.tar.gz" was posted that contained more than 150 million username and password pairs, apparently lifted from Adobe's systems.

Adobe spokeswoman Heather Edell has since confirmed the breach to Krebs, adding that the company has contacted the owners of the affected accounts and has reset the passwords for all of the Adobe IDs it believes were involved in the security breach.

"But so far, our own investigation has confirmed that the attackers obtained access to Adobe IDs and (that were at the time valid) encrypted passwords for approximately 38 million active users," Edell said. "We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident."

Edell also said that the attackers were able to gain full access to at least some of the source code for Adobe Photoshop. Krebs was able to confirm that as well, since a second 2.56 GB file that was posted contained what appeared to be new Photoshop code.

Source code for Adobe Acrobat, Adobe Reader and the ColdFusion web application server is also believed to have leaked during the incident, but at least some of this data appears to be password protected and may not be readily accessible, or so Adobe hopes.

Adobe has offered one year of free credit monitoring by Experian to any customer whose account was compromised in the attack.

But as Krebs points out, this kind of service isn't guaranteed to spot every form of identity theft that might arise from such an incident, so Adobe customers are advised to place fraud alerts on their accounts and monitor their credit reports closely. In all honesty, that sounds like good advice.

In other internet security news

Internet security researchers said today that they have discovered a hidden backdoor in all wireless routers made by Chinese hardware maker Tenda.

Craig Heffner, the same security researcher who uncovered a backdoor in routers from D-Link, discovered the latest issue. He found the functionality, which ships with Tenda's products, after unpacking firmware updates and locating what he described as suspicious code at the outset.

Hackers can take over the router and execute commands by sending a UDP packet containing a special string, The Hacker News reports.

"The backdoor only listens on the LAN, thus it is not exploitable from the WAN. But it is exploitable over the wireless network, which has WPS enabled by default with no brute force rate limiting," Heffner explains in a detailed advisory.

"My new ReaverPro box made relatively short work of cracking WPS," he claimed, "providing access to the WLAN and a subsequent root shell on the router, and that's very bad."

Heffner also says that the backdoor exists on Tenda's W302-R and W330-R router models as well as re-branded models, such as the Medialink MWN-WAPR150N.

"They all use the same 'w302r_mfg' magic packet string," he notes. Follow-up work by other internet security researchers has also produced a more comprehensive list of potentially backdoored products.

Source code for the GoAhead web server used in Tenda products has been made available on GitHub. We've asked Tenda for its reaction but have yet to hear back from the company. We'll update this story as and when we hear more.
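Because the backdoor is triggered by a UDP datagram carrying a known magic string on the LAN, a LAN sensor can flag such datagrams. The following is an added example, not Heffner's advisory code or Tenda's firmware: a minimal IPv4/UDP parser plus a check for the 'w302r_mfg' string quoted above. The addresses, ports and sample datagrams are constructed placeholders.

```python
import struct

MAGIC = b"w302r_mfg"  # the magic packet string quoted in the article


def parse_ipv4_udp(packet: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, payload), or None when the
    bytes are not a well-formed IPv4 datagram carrying UDP."""
    if len(packet) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options included)
    if ver_ihl >> 4 != 4 or proto != 17 or ihl < 20 or len(packet) < ihl + 8:
        return None
    sport, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + udp_len]
    return (".".join(map(str, src)), ".".join(map(str, dst)), sport, dport, payload)


def is_magic_probe(packet: bytes) -> bool:
    """True when a UDP payload carries the backdoor's magic string."""
    parsed = parse_ipv4_udp(packet)
    return parsed is not None and MAGIC in parsed[4]


def scan(packets):
    """Run the check over captured datagrams; return one alert line per hit,
    in the form a LAN sensor would log for follow-up."""
    alerts = []
    for pkt in packets:
        parsed = parse_ipv4_udp(pkt)
        if parsed and MAGIC in parsed[4]:
            src, dst, sport, dport, _ = parsed
            alerts.append(f"ALERT tenda-magic-string {src}:{sport} -> {dst}:{dport}")
    return alerts


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a test IPv4/UDP datagram (checksums zeroed; test data only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + udp


# Constructed samples: addresses and ports are arbitrary placeholders, not the
# real ones used by the affected routers. The second sample is an ordinary DNS query.
SAMPLES = [
    build_udp("192.168.0.10", "192.168.0.1", 40000, 9999, MAGIC + b"\x00" * 4),
    build_udp("192.168.0.11", "192.168.0.1", 40001, 53, b"\x12\x34\x01\x00"),
]
```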

In other internet security news

For more than 10 years now, PayPal has enabled internet users and ecommerce sites to send and receive payments with a level of security that is usually very good. Now there is a new service from someone else, and some internet security experts suggest it doesn't offer the same level of security.

Not content with traditional internet shopping as we know it, a startup called Square has launched a peer-to-peer payment system. But it's secured only by an SMTP password...

Square, the payment firm developed by Twitter founder Jack Dorsey, has debuted the new service, Square Cash, which authorizes transactions with an email.

You simply email the payment recipient, with Square copied in, and specify the amount of cash to be moved in the subject line.

The money is then deducted from your debit or credit card (which must be registered with the service, either in advance or by following the instructions Square sends you) and credited to the recipient, who will in turn be asked to provide a debit card if he or she is not already registered with the service.

The catch, however, is that the security of Square Cash transactions depends entirely on email messages being impossible to forge.

Square apparently wanted to simplify the process of sending and receiving money, and thinks that email is sufficiently secure to authorize payments totalling up to $2,500 a week.

As an SMS is sent to the payee every time money is deducted, they have plenty of time to dispute a payment during the 1-2 business days it takes to process.

Forging emails isn't as trivial as it was some years ago, when one could telnet into an SMTP server and spit out an email purporting to be from anyone.

These days, SMTP servers commonly require a username and password and use Transport Layer Security, but you might not wish to bet your bank account on that. They are somewhat more secure, yes, but email communications are still largely viewed as insecure unless they are encrypted with strong SSL technology and backed by a valid certificate from a trusted entity.

A while back, Square implemented an iPhone-based magnetic-stripe card reader without any obvious security features; if the company can get away with that in most cases, then perhaps the security is good enough. Or is it?

Square Cash transactions cost 2.75 percent per transaction, but the dealbreaker may be the two business days it takes for transactions to be credited to the recipient's account, while similar services offered by some banks can do the same thing in less than one business day.

In other internet security news

An internet security researcher based in Germany is asking why Google is still using the unsafe RC4-MD5 cipher suite as its first default for SSL connections.

The change has gone unnoticed since December 2010, when the Android 2.3 release swapped from a default preference for the AES256-SHA1 cipher suite, followed by 3DES and AES128, to RC4-MD5 and RC4-SHA1 as its first and second preferences.

For those unfamiliar with encryption implementations, there is a long list of cipher suites available to encryption applications.

To ensure that both ends can negotiate an encrypted connection, each end needs to know which cipher suites the other can support, which means stepping through a list of suites during the handshake.

As the researcher, Georg Lukas, notes, internet security exploits based on MD5 collisions have been known for several years and continue to be found.

The guilty party, he asserts, isn't the Android development team but rather the Java developers, since the ordering follows an implementation recommendation first made in 2002.

As Lukas notes: "So what the Google engineers did to reduce our security was merely to copy what was in the Reference Implementation, defined by the inventors of Java!"
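To see why the client's preference order matters, the following added example (not Android's, Java's or Lukas's code) models the cipher selection step of the handshake described above with the suite names the article quotes, applies a hardening filter that drops RC4 and MD5 suites, and audits the local Python TLS stack for the same weak suites. The full preference lists and the server's supported list are constructed for the example.

```python
import ssl

# Preference orders as the article describes them (suite names as quoted there;
# the complete lists are constructed for this example, not copied from Android).
ANDROID_BEFORE_2_3 = ["AES256-SHA1", "3DES-SHA1", "AES128-SHA1", "RC4-SHA1", "RC4-MD5"]
ANDROID_2_3 = ["RC4-MD5", "RC4-SHA1", "AES128-SHA1", "AES256-SHA1", "3DES-SHA1"]
# A constructed server that still offers RC4 for legacy clients but prefers AES.
SERVER_SUPPORTED = ["AES256-SHA1", "AES128-SHA1", "RC4-SHA1", "RC4-MD5"]

WEAK_MARKERS = ("RC4", "MD5")


def negotiate(client_prefs, server_supported, honour_client_order=True):
    """Model the handshake's cipher selection: the client offers its list in order,
    and the server picks either the first client suite it supports (the common
    default) or the first of its own preferences that the client offered.
    Returns None when the two sides share no suite."""
    if honour_client_order:
        return next((s for s in client_prefs if s in server_supported), None)
    return next((s for s in server_supported if s in client_prefs), None)


def harden(prefs):
    """Drop every suite that uses RC4 or MD5 but keep the remaining order intact."""
    return [s for s in prefs if not any(w in s for w in WEAK_MARKERS)]


def weak_suites_in_default_context():
    """Audit the local TLS stack: names of RC4 or MD5 suites that Python's default
    client context would still offer (expected to be empty on a current build)."""
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers() if any(w in c["name"] for w in WEAK_MARKERS)]


if __name__ == "__main__":
    print("before 2.3 client:", negotiate(ANDROID_BEFORE_2_3, SERVER_SUPPORTED))
    print("2.3 client       :", negotiate(ANDROID_2_3, SERVER_SUPPORTED))
    print("hardened client  :", negotiate(harden(ANDROID_2_3), SERVER_SUPPORTED))
    print("weak suites here :", weak_suites_in_default_context())
```

The same server hands the pre-2.3 ordering AES256-SHA1 and the 2.3 ordering RC4-MD5, which is the whole of the problem Lukas describes; the server only rescues the client if it ignores client order.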

Source: Microsoft.
