Latest Security News
This month’s Windows and .NET patches hold all sorts of nasty surprises — some acknowledged, some not, some easy to skirt, some waiting to swallow the unwary whole. Here’s a quick overview of what’s going on with this month’s missives.
Most important: If you can’t keep yourself (or your clients) from clicking “Enable Editing” in Word, you must install a broad range of .NET patches (if you’re running Windows 7 or 8.1) or cumulative updates (if you’re running Windows 10), like, NOW.
Windows 10 Creators Update version 1703
Cumulative Update KB 4038788, which brings the build number up to 15063.608, has two acknowledged (but not fixed) bugs:
Keybase has unveiled a Slack-style team messaging service that promises to protect private communications with end-to-end encryption.
The company launched in 2015 with the aim of making encryption technology more accessible to consumers. Its latest service, Keybase Teams, has a look similar to Slack, with features such as chat rooms and channels. Admins can set up groups of users to work on a particular project, and encrypted files can be uploaded and shared.
An early release version of the software is now available for download for desktops and mobile devices.
The key advantage, Keybase said, involves enhanced security and privacy.
IDG Contributor Network: Microsoft Security stopped being an oxymoron with the acquisition of Hexadite
One of the most frustrating things to watch during the early years of Microsoft (Disclosure: Microsoft is a client of the author) was their lack of interest in security. It was almost as if, when anyone there heard the term, they’d cover up their ears and say “la, la, la, la, la” until you went away. And, as the century turned, Microsoft security meant anything but security; it was mostly a bad joke that hit products like Windows and Internet Explorer particularly hard. But this week’s announcement (ranked as the 3rd most important acquisition this year) that they are buying Hexadite showcases that over the last ten years Microsoft made a huge pivot. It finally understood that being insecure could not only result in massive liability for the firm, but was creating a massive drag on the brand because it reflected poorly on quality. It particularly hurt sales of their products in the enterprise.
With one month left until Outlook 2007 hits end of life, Microsoft released a fix yesterday for the September security patch’s polyglot ways. You may recall KB 4011086 as the Outlook 2007 patch that displays Swedish menus in the Hungarian language version, Portuguese in Italian, Swedish in Slovenian, Spanish in Italian, and many more. One hitch: You have to manually uninstall the old patch before you can install the new patch.
For those of you using Outlook 2010 who got hit with the same language switcheroo, I haven't seen any notice that this month’s KB 4011089 has been fixed or pulled.
When Microsoft released its Outlook security patches on Sept. 12, several readers complained that their custom form printing capabilities disappeared. It turns out the bug that broke VBScript printing isn’t a bug at all.
Microsoft announced over the weekend that it intentionally disabled scripts in custom forms, and those with printable custom forms need to make manual Registry changes to bring the feature back.
Those of you who have installed any of this month’s Outlook security patches will have to dive into the Registry if you want to enable any custom form scripts, including the VBScript printing capability. It’s complicated, and the method varies, depending on which version of Office you’re using and the bitness of Windows and Office. Diane Poremsky has detailed instructions on her Slipstick Systems site.
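As an added example (not from the article, from Microsoft or from the Slipstick instructions), the following PowerShell does the per-user version of that Registry change: it works out which Outlook is installed from the HKCU Office keys, writes the DWORD, and reads it back rather than trusting the write. The DWORD name DisableCustomFormItemScript is an assumption on my part; confirm it against the Slipstick or Microsoft instructions for your exact Outlook build before relying on it, and note that only the HKCU path is handled here, not the HKLM or Wow6432Node variants the bitness differences refer to.

```powershell
# Added example, not from the article, Microsoft or Slipstick: re-enable custom form scripts
# for whichever Outlook is installed for the current user, and read the value back to confirm.
# ASSUMPTION: the DWORD name below is assumed; verify it against the Slipstick/Microsoft
# instructions for your exact Outlook build. Only the per-user (HKCU) path is handled.
$ValueName = 'DisableCustomFormItemScript'   # assumed name, see note above

# Registry version string -> product, newest first (Outlook 2016 is 16.0).
$OutlookVersions = [ordered]@{
    '16.0' = 'Outlook 2016'
    '15.0' = 'Outlook 2013'
    '14.0' = 'Outlook 2010'
    '12.0' = 'Outlook 2007'
}

function Get-InstalledOutlookVersion {
    foreach ($v in $OutlookVersions.Keys) {
        if (Test-Path "HKCU:\Software\Microsoft\Office\$v\Outlook") { return $v }
    }
    throw 'No Outlook keys found under HKCU; run this as the affected user.'
}

function Enable-OutlookCustomFormScript {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $v   = Get-InstalledOutlookVersion
    $key = "HKCU:\Software\Microsoft\Office\$v\Outlook\Security"
    if ($PSCmdlet.ShouldProcess($key, "set $ValueName = 0")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # 0 restores the pre-patch behaviour (scripts run); 1 or absent keeps them blocked.
        New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # Read back rather than trust the write; $null here means -WhatIf or a failed write.
    $actual = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        Product = $OutlookVersions[$v]
        Key     = $key
        Name    = $ValueName
        Value   = $actual
        Enabled = ($actual -eq 0)
    }
}

# Dry run first, then the real change; restart Outlook afterwards.
Enable-OutlookCustomFormScript -WhatIf
Enable-OutlookCustomFormScript
```

Keep in mind what the value does: it turns script execution back on for every custom form, which is exactly the capability Microsoft chose to switch off. Set it only on machines that actually need printable custom forms, and record the change so it can be reversed when the forms are retired.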
If you installed the free version of CCleaner after Aug. 15, a couple of nasty programs came along for the ride. Talos Intelligence, a division of Cisco, just published a damning account of malware that it found hiding in the installer for CCleaner 5.33, the version that was released on Aug. 15 and which, according to Talos, was still the primary download on the official CCleaner page on Sept. 11.
After notifying Piriform, CCleaner was, ahem, cleaned up and version 5.34 appeared on Sept. 12.
I just checked, and the current version available from Piriform is version 5.34. (Piriform was bought by antivirus giant Avast in July.)
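The CCleaner case is the standard argument for checking an installer before running it, so here is an added PowerShell example (mine, not the article's and not from Talos or Piriform). It requires both a SHA-256 match against a hash you obtained out of band (the vendor's published value or a known-good copy) and a valid Authenticode signature, and it checks the hash against any known-bad list an advisory supplies. The trojanised 5.33 build was signed with Piriform's own valid certificate, so the signature check alone would have passed it; the hash comparison is the leg that catches a swapped binary. The file path, the demo file and the placeholder hash are assumptions for illustration.

```powershell
# Added example, not from the article or from Talos/Piriform: before running an installer,
# require BOTH a hash match against a value obtained out of band AND a valid Authenticode
# signature, and compare against any known-bad hashes from an advisory. The CCleaner 5.33
# build was signed with Piriform's own valid certificate, so a signature check on its own
# would have passed it; the hash comparison is the leg that catches a swapped binary.
function Test-Installer {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,   # vendor-published or from a known-good copy
        [string[]] $KnownBadSha256 = @()                    # IOC hashes, if an advisory lists any
    )
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $bad  = $KnownBadSha256 | ForEach-Object { $_.ToLowerInvariant() }
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    $hashOk = $hash -eq $ExpectedSha256.ToLowerInvariant()
    $isBad  = $bad -contains $hash
    $sigOk  = $sig.Status -eq 'Valid'

    # Order matters: a known-bad hash is a block regardless of what the signature says.
    $verdict = if ($isBad)            { 'BLOCK: hash is on the known-bad list' }
               elseif (-not $hashOk) { 'BLOCK: hash does not match the expected value' }
               elseif (-not $sigOk)  { "BLOCK: signature status is $($sig.Status)" }
               else                  { 'OK: hash and signature both check out' }

    [pscustomobject]@{
        File    = $Path
        Sha256  = $hash
        HashOk  = $hashOk
        SigOk   = $sigOk
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Verdict = $verdict
    }
}

# Offline demo on a constructed, unsigned file: the hash matches (we computed it ourselves),
# the signature does not, so the verdict is BLOCK.
$demo = Join-Path $env:TEMP 'constructed-not-an-installer.exe'
[IO.File]::WriteAllBytes($demo, [byte[]](0x4D, 0x5A, 0x90, 0x00))
$expected = (Get-FileHash -Path $demo -Algorithm SHA256).Hash
Test-Installer -Path $demo -ExpectedSha256 $expected

# Real use (path and hash are placeholders): supply the SHA-256 you obtained out of band.
# Test-Installer -Path "$env:USERPROFILE\Downloads\ccsetup534.exe" -ExpectedSha256 '<expected hash>'
```

The design point is that the two checks answer different questions: the signature says who signed the file, the hash says whether it is the file you expected. A supply-chain compromise inside the vendor's build pipeline defeats the first but not the second, which is why the function never returns OK on a valid signature alone.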
When Apple announced the iPhone X last week, the most sophisticated (and widely predicted) feature revealed was the facial recognition approach, called Face ID. But by choosing to go all or nothing with the iPhone X — it's only Face ID, with no support for Touch ID — the big risk for Apple was that all the companies that support Touch ID in their apps wouldn't quickly make the move to Face ID. So Apple made the decision for them.
As the recent healthcare debate in the U.S. demonstrated, it's extremely hard to take back something people have grown to like. Apple's choice of biometric authentication faced the same problem. If Amazon, Chase, Fidelity or any of the other major companies whose apps use Touch ID as a way to log in without a password had failed to make the move to Face ID, their customers would have been forced to go back to typing in long passwords. Apple, ever mindful of customer experience, chose to not permit that to happen. To make sure that companies use Face ID in their apps, Apple simply didn't give them any practical choice.
Google has finalized a schedule that, over the next 12 months, will send companies scrambling to replace the digital certificates that secure their websites or risk being viewed with suspicion by users running Chrome, the world's most popular browser.
"Companies are staring down the barrel of a boat load of work," said David Anthony Mahdi, a research director at Gartner, and the industry research firm's resident expert on digital certificates and the CAs (certificate authorities) that issue them. "This is massive."
Beginning with Chrome 66, currently set to show up the third week of April next year, Google will "remove trust in Symantec-issued certificates issued prior to June 1, 2016," wrote three members of the browser's security team, in a post to a company blog. "If you are a site operator with a certificate issued by a Symantec CA prior to June 1, 2016, then prior to the release of Chrome 66, you will need to replace the existing certificate with a new certificate from any Certificate Authority trusted by Chrome."
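The first job for a site operator is finding out which certificates are affected. The following added PowerShell example (mine, not the article's and not Google's tooling) inventories a certificate store, or a folder of exported certificate files, for certificates whose chain passes through a Symantec-operated root and reports the issue date against the June 1, 2016 cutoff the post quotes. Brand matching on the issuer name (Symantec, VeriSign, Thawte, GeoTrust, RapidSSL) is a heuristic I am assuming is good enough for triage; Chrome keys its decision on the roots' public keys and exempts the DigiCert-operated managed partner sub-CAs, so confirm hits against Google's published list. The store path default is an assumption.

```powershell
# Added example, not from the article or from Google: inventory the certificates in a store
# (or a folder of .cer/.crt/.der/.pem files) whose chain passes through a Symantec-operated
# root and report the deadline for each. Issuer-name matching is a triage heuristic; Chrome
# keys on the roots' public keys and exempts the DigiCert-operated managed partner sub-CAs.
$SymantecBrands = 'Symantec', 'VeriSign', 'Thawte', 'GeoTrust', 'RapidSSL'
$Chrome66Cutoff = [datetime]::new(2016, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)

function Get-CertificateSet {
    param([Parameter(Mandatory)] [string] $Path)
    if ($Path -like 'Cert:*') { return Get-ChildItem -Path $Path }
    Get-ChildItem -Path $Path -Recurse -Include *.cer, *.crt, *.der, *.pem |
        ForEach-Object { [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.FullName) }
}

function Get-SymantecIssuerInChain {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'       # path building only; no network lookups
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $null = $chain.Build($Cert)
    try {
        # Walk every element in the built path; the leaf comes first, the root last.
        foreach ($el in $chain.ChainElements) {
            $issuer = $el.Certificate.Issuer
            foreach ($brand in $SymantecBrands) {
                if ($issuer -match $brand) { return $issuer }
            }
        }
        return $null
    } finally { $chain.Reset() }
}

function Find-CertsToReplace {
    param([string] $Path = 'Cert:\LocalMachine\My')   # assumed default; pass a folder for exports
    foreach ($c in Get-CertificateSet -Path $Path) {
        $issuer = Get-SymantecIssuerInChain -Cert $c
        if (-not $issuer) { continue }
        $issued = $c.NotBefore.ToUniversalTime()
        [pscustomobject]@{
            Subject        = $c.Subject
            SymantecIssuer = $issuer
            IssuedUtc      = $issued
            Expires        = $c.NotAfter
            Deadline       = if ($issued -lt $Chrome66Cutoff) { 'Chrome 66 (April 2018)' } else { 'Chrome 70 (October 2018)' }
        }
    }
}

Find-CertsToReplace | Sort-Object IssuedUtc | Format-Table -AutoSize
```

Run it on each host that terminates TLS, not just the one you happen to be on; load balancers and appliances that do not expose a Windows certificate store need the folder-of-exports variant. The Chrome 70 deadline in the output is Google's later milestone for the remaining Symantec certificates, which the article's schedule covers under "over the next 12 months".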
If you’ve installed KB 4011089, this month’s Outlook 2010 security patch, and you can no longer print custom forms, you aren’t alone. I’m seeing reports from several sources that installing the patch destroys printing functionality in custom Outlook 2010 forms.
It isn’t clear at this early stage if other versions of Outlook are affected or if other Office programs may have the same kind of problem.
In the normal course of events, it takes a week (or two or three) for the bugs in each month’s Windows and Office security patches to shake out. This month’s patches are no exception. There are lots of reports of problems with IE and Edge, for example, and many more are piling up.
In the normal course of events, the fresh-off-the-press security patches present more of a threat to most people, in the short term, than do the problems the patches are supposed to fix. You have to patch sooner or later, but by waiting for the screams of pain to die down, you can save yourself some major headaches.
This IT consultant pilot fish works at a real estate company once a week, performing SAN management and doing routine updates and security patching on the Windows PCs.
"I was using my Linux-based laptop to peruse the quarantine area of the antivirus application, checking out the many X-rated and infected email attachments that had been caught and sent to the folder," says fish.
"Several employees were standing around watching and commenting on the files. One of them decided to go back to his own PC to check out the pictures for himself.
"Shortly after opening several of the quarantined items, he suddenly called out, 'Hey, why is my computer acting weird?'
September brings a relatively large patch profile for Microsoft, with 76 reported vulnerabilities, three public disclosures (thank you, Google) and, unfortunately, one zero-day exploit. You used to be worried about browsers and Flash; now we have a publicly exploited vulnerability for augmented reality (AR), with a fix for Microsoft’s HoloLens headset.
For this September Patch Tuesday, Microsoft is only shipping security updates with patches to the following product groups:
Browsers (IE and Edge)
The iPhone X replaces the Home button and Touch ID with gesture controls and Face ID, sophisticated facial recognition software that learns to recognize your face and lets you use your device only after it has confirmed it is you. It is a new technology — here’s what we know about it so far:
The hype machine
This is how Apple’s chief marketer, Phil Schiller put it: "With the iPhone X, your iPhone is locked until you look at it and it recognizes you. Nothing has ever been more simple, natural, and effortless. This is the future of how we'll unlock our smartphones and protect our sensitive information."
Microsoft on Tuesday released 259 individual security patches, covering 82 security holes (counting by CVE number). You may feel rushed to apply those patches, particularly when you hear about a really bad vulnerability involving Word, RTF, and the .NET Framework. The facts are a little less alarmist.
Authentication: the act of proving one’s identity to the satisfaction of whatever system or authority is checking. To most, this process means typing in a username and a password. It’s been this way for years and years.
When Gartner ranks a data breach as a 10 on a scale of 1-10, you know there is cause for alarm. A recent compromise at Equifax, a consumer credit reporting agency, exposed the records of 143 million people. Of those, at least 209,000 included credit card numbers, and over 182,000 were credit dispute documents containing personal identifying information.
No doubt you’ve heard about the stolen data at credit reporting agency Equifax. The company’s official disclosure appeared yesterday:
Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. … The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.
Word comes down from on high that this company will be installing video surveillance systems in dozens of its remote warehouses, reports an IT manager pilot fish on the inside.
"The director of operations decided we needed video surveillance in order to monitor the warehouses in real time," fish says. "The ability to review video at our corporate office was key to the project.
"Then he signed a contract to start installing these systems with a national vendor without first consulting with IT."
That results in a series of unexpected phone calls to fish from installers, who need him to drop everything and help them by configuring firewalls, providing them with static IP addresses and then trying to test their systems.