Feed aggregator

Tiptoe through the bugs and get Windows and Office updated

Computer World Security - 9 hours 46 min ago

The fourth Tuesday of the month has come and gone, and it now looks reasonably safe to patch Windows and Office. I was expecting two big releases yesterday — one to fix numerous bugs in Win10 Creators Update, version 1703; the other to plug the bugs introduced by June’s Office security patches — but neither trove appeared. Given Microsoft’s past patterns, it’s unlikely that we’ll see any more serious patches until next month’s Patch Tuesday, on Aug. 8.

There’s also a bit of additional impetus right now. On July 17, security researcher Haifei published a proof of concept for running malware scripts directly in Office apps. I haven’t seen any exploits in the wild as yet, but it would be a good idea to install KB 3213640 (Office 2007), KB 3213624 (Office 2010), KB 3213555 (Office 2013) and/or KB 3213545 (Office 2016) in the short term. (Thx to @LeaningTowardsLinux.) Note that none of these patches, as best as I can tell, correct the Office bugs introduced in June.

Categories: Latest Security News

Wasn't this supposed to speed things up?

Computer World Security - 16 hours 41 min ago

IT pilot fish is moving on with his career, but before he changes employers, he comes up with an easier way for users to get on the company intranet.

"I wanted to relieve the staff of the need to memorize yet another username/password combination -- or write it on a sticky note to be posted on the wall," says fish.

"So I set up an interface that used Windows Active Directory for access authorization, with appropriate fallback in case the domain controller couldn't be accessed. The whole thing worked like a dream."

Fast forward a couple of years: Fish is brought back in to add more capabilities to the intranet that's been faithfully chugging along since he left. But as fish starts on the new project, the IT director casually mentions that intranet logins have been running a lot slower. Could fish perhaps check into that too?

The big secret behind Google Play Protect on Android

Computer World Security - Tue, 07/25/2017 - 12:04

Have you heard the news? Your Android device is in the midst of being updated to include Google's comprehensive new security suite, Google Play Protect.

Play Protect, as you may recall, was one of the biggest bullet points to come out of this year's Google I/O keynote address. It's a "doubled-down" effort around Android security, as Google explains it, and it's designed to ensure every Android device is always protected from any form of harm.

The fate of Apple's Touch ID | Tech Talk Ep 1

Computer World Security - Tue, 07/25/2017 - 07:00
Is Apple about to replace Touch ID in its next iPhone?

The paranoid Android traveler’s data-protection checklist

Computer World Security - Tue, 07/25/2017 - 06:01

International border crossings are often legal gray areas where government agents can, and sometimes do, ask travelers for access to their laptops, phones and other mobile devices. Complying with the request allows them to freely search, read or copy documents, emails, passwords, contacts and social media account information.

Here's how to safeguard corporate and personal data when traveling with recent Android-based phones and tablets, using the Chrome browser. (Part 1 of this series, which focuses on the legal background of border searches, and traveling tips for Apple devices, is available here.)

Stop blaming users for security misses

Computer World Security - Tue, 07/25/2017 - 01:00
Does the message to users about security need to change? Or does IT need to rebuild infrastructure so users can worry less about security? Wendy Nather, principal security strategist at Duo Security, talks with CSO senior writer Fahmida Rashid about how organizations can learn to do security right.

Where are the fixes to the botched Outlook security patches?

Computer World Security - Fri, 07/21/2017 - 08:39

On June 13—five and a half weeks ago—Microsoft released a series of buggy patches for Outlook. We know they’re buggy because Microsoft acknowledged seven bugs (including one primarily caused by bugs in Windows patches) in those four original June 13 security patches. As of this morning, we still don’t have fixes for those seven bugs.

Here are the known buggy original security patches:

  • KB 3191898 – Security update for Outlook 2007, released June 13, 2017
  • KB 3203467 – Security update for Outlook 2010, released June 13
  • KB 3191938 – Security update for Outlook 2013, June 13
  • KB 3191932 – Security update for Outlook 2016, June 13

If you have Automatic Update turned on, you were treated not only to those patches, but to all three of these later, interim fixes for the bugs in the security patches. Don't get too excited about them. In fact, they didn't fix the bugs:

Tech Talk: The latest on Azure Stack, cyberattacks, the next iPhone and ... keyboards

Computer World Security - Thu, 07/20/2017 - 12:00
Get the details on Microsoft's new Azure Stack, why cyberattacks never seem to end, the fate of Apple's Touch ID and why QWERTY keyboards are now tech relics.

More June security patch bugs: You can patch an IE flaw, CVE-2017-8529, or print inside iFrames -- but not both

Computer World Security - Wed, 07/19/2017 - 15:00

Strap on your hip waders. This particular “scare” article should have you thinking yet again about the advisability of installing Windows updates as soon as they’re available. As you’ll see, Microsoft itself has flip-flopped on the resolution and those who subscribe to Windows Update have been taken along for the ride.

Buggy June patches to Windows, Internet Explorer and Edge left customers on the horns of a dilemma:

  • You can plug a security hole known as CVE-2017-8529, in which IE or Edge reveals the presence of a specific file on your computer when you simply surf to a compromised web site, OR
  • You can print content on web pages that are inside an HTML construct known as an iFrame, using IE 9, 10 or 11.

Microsoft’s up against a hard bug that makes this an either-or proposition: Until Microsoft figures out how to fix both problems at the same time, either you patch the security hole, or you can print inside iFrames with IE, but not both.

Verifying and testing that Firefox is restricted to TLS 1.2

Computer World Security - Sun, 07/16/2017 - 15:56

TLS is the protocol invoked under the covers when viewing secure websites (those loaded with HTTPS rather than HTTP). There are multiple versions of the TLS protocol, and the most recent version, 1.2, is the most secure. Last time, I discussed tweaking Firefox so that it only supports TLS version 1.2 and not the older versions (1.0 and 1.1) of the protocol.

But that begs the question: what happens when a security-reinforced copy of Firefox encounters a website that does not support TLS 1.2? The answer is shown below.

Microsoft yanks bad Outlook patches-of-patches KB 3191849, 3213654, 401042

Computer World Security - Sat, 07/15/2017 - 16:16

I just received word from Gunter Born that Microsoft has pulled three of its Outlook patches:

  • KB 4011042 - July 5, 2017, update for Outlook 2010
  • KB 3191849 - June 27, 2017, update for Outlook 2013
  • KB 3213654 - June 30, 2017, update for Outlook 2016

As I mentioned last week, Microsoft still hasn't fixed any of the Office 2007 bugs it introduced in the June security patches.

Restricting Firefox to TLS version 1.2 makes browsing safer

Computer World Security - Thu, 07/13/2017 - 22:43

Although it's common to think of a secure website as the opposite of an insecure one, the choice is not, in fact, binary. For a website to be truly secure, there are about a dozen or so ducks that all need to be lined up in a row.

Seeing HTTPS does not mean that the security is well done; secure websites exist in many shades of gray. Since web browsers don't offer a dozen visual indicators, many sites that are not particularly secure appear, to all but the most techie nerds, to be secure nonetheless. Browser vendors have dumbed things down for non-techies.

Last September, I took Apple to task for not having all their ducks in a row, writing that some of their security oversights allowed Apple websites to leak passwords.

Mingis on Tech: The language of malware

Computer World Security - Wed, 07/12/2017 - 06:00

Sometimes, how you say something can be as important as what you say -- especially when there's been a cyberattack and law enforcement officials are trying to figure out who you are.

That's what CSO senior writer Fahmida Rashid found when she looked into how cybersecurity firms go about tracking down the bad actors behind malware campaigns. While linguistics may not be the first thing companies worry about when trying to protect -- or retrieve access to -- their data, it can help pinpoint an attack's origin, Rashid told Computerworld Executive Editor Ken Mingis.

Mingis on Tech: How linguistics can help catch cyberattackers

Computer World Security - Wed, 07/12/2017 - 06:00
When it comes to tracking down the bad actors behind malware and ransomware, cybersecurity firms are turning to linguists.

The 15 worst data security breaches of the 21st century

Computer World Security - Wed, 07/12/2017 - 00:00
Some of the largest companies in the U.S. have been targets of hackers, including Yahoo, JP Morgan Chase and TJX. Watch as we detail the top 15 breaches and their overall impact on customers or employees.

Easy way to bypass passcode lock screens on iPhones, iPads running iOS 10

Computer World Security - Tue, 07/11/2017 - 11:05
Update for iOS 10.3.2

Apple still has not patched the hole allowing you to bypass the iPhone lock screen. As of iOS 10.3.2 (and the 10.3.3 beta), you can still trick Siri into getting into a person’s iPhone.

It works like this:

  • Press the home button using a finger not associated with your fingerprint authentication, prompting Siri to wake up.
  • Say to Siri: Cellular data.

Siri will then open the cellular data settings where you can turn off cellular data.

Anyone can do this—it doesn’t have to be the person who “trained” Siri.

By also turning off Wi-Fi, you cut off her connectivity access. You will get an error saying, “Siri not available. You are not connected to the internet.” But you don’t care about that error because you have already bypassed the iPhone lock screen.

Linux group pushes out production-ready blockchain collaboration software

Computer World Security - Tue, 07/11/2017 - 11:01

The Linux Foundation's Hyperledger project announced today the availability of Fabric 1.0, a collaboration tool for building blockchain distributed ledger business networks such as smart contract technology.

The Hyperledger project, a collaborative cross-industry effort created to advance blockchain technology, said the Hyperledger Fabric framework can be a foundation for developing blockchain applications, products or customized business solutions.

Kill it! Kill Windows XP now!

Computer World Security - Mon, 07/10/2017 - 07:20

The headline — “HMS Queen Elizabeth is ‘running outdated Windows XP’, raising cyber attack fears” — was startling, but wrong. The United Kingdom’s newest aircraft carrier wasn’t running Windows XP. But some of the contractors that built the warship were.

The U.S. Navy, meanwhile, has been purchasing Windows XP support, at least through this year, so odds are our military still has XP systems running to this very day.

With Patch Tuesday imminent, make sure you have Automatic Update turned off

Computer World Security - Mon, 07/10/2017 - 07:17

In case you hadn’t noticed, Microsoft has had a tough time with patches this year. From a total lack of patches in February (except for a late IE patch), to yanked and reissued botched patches that followed, to a jumble of problems with Windows and Office patches — including seven admitted bugs in last month’s Office patches — Microsoft has proved itself adept at Jack-in-the-box patching. You don't have to join the legions of unpaid patch beta testers.
