Microsoft Releases Critical IE Security Update on Patch Tuesday

Microsoft released seven security bulletins today to address 24 vulnerabilities, including critical updates for Internet Explorer, Windows and Microsoft Office.

The Internet Explorer bulletin, MS14-080, has the broadest scope, and contains 14 CVEs – none of which are known to be under attack, said Ross Barrett, senior manager of security engineering at Rapid7. The IE bulletin also shares a CVE with MS14-084, the critical Windows update.

“The shared CVE with MS14-084 presents a patching and detection challenge because exactly which patch you get will depend on the configuration of your system and the version of IE,” he said. “Systems without IE will only be offered the MS14-084 patch. Systems with IE 8 and older will be offered the MS14-080 AND the MS14-084 patch. Systems with IE 9 or later will not be offered the MS14-084 patch because the issue is addressed by the MS14-080 patch. Clear as mud, right?”
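Barrett's three cases turned into a check an admin can run on a host, added here as an example (it is not from the article or from Rapid7): read the IE version from the registry, derive which of the two bulletins the host should have received, and compare that with what Get-HotFix reports. The package KB that Get-HotFix shows for a bulletin depends on the OS and IE version, so the bulletin-to-KB map is an assumed parameter you fill in from each bulletin's affected-software table rather than a value baked into the script.

```powershell
# Added example (not from the article or from Rapid7): apply Barrett's rule on a host,
# then compare what the host should have received with what Get-HotFix reports.
# Assumption: the KB number Get-HotFix shows for each bulletin depends on the OS and
# IE version, so the bulletin-to-KB map is a parameter you fill in from the
# bulletin's affected-software table rather than a value baked in here.

function Get-IEMajorVersion {
    # IE 10 and later keep the real version in svcVersion; older builds only set Version.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if (-not $ie) { return $null }                     # no IE registry key: treat as no IE
    $version = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    if (-not $version) { return $null }
    return [int]($version.Split('.')[0])
}

function Get-ExpectedBulletins {
    param([AllowNull()][Nullable[int]]$IEMajor)
    # Barrett: no IE -> MS14-084 only; IE 8 or older -> both; IE 9 or later -> MS14-080 only.
    if ($null -eq $IEMajor) { return @('MS14-084') }
    if ($IEMajor -le 8)     { return @('MS14-080', 'MS14-084') }
    return @('MS14-080')
}

function Test-BulletinCoverage {
    param(
        [string[]]$Expected,
        [hashtable]$BulletinToKB,      # bulletin -> package KB for this OS/IE combination
        [string[]]$InstalledKBs = (Get-HotFix | ForEach-Object { $_.HotFixID })
    )
    foreach ($bulletin in $Expected) {
        $kb = $BulletinToKB[$bulletin]
        [pscustomobject]@{
            Bulletin  = $bulletin
            KB        = $kb
            Installed = [bool]($kb -and ($InstalledKBs -contains $kb))
        }
    }
}

$major    = Get-IEMajorVersion
$expected = Get-ExpectedBulletins -IEMajor $major
"IE major version: $(if ($null -eq $major) { 'none' } else { $major }); should have: $($expected -join ', ')"

# Fill in the package KB for this host's OS/IE version from each bulletin before running.
$map = @{ 'MS14-080' = ''; 'MS14-084' = '' }
Test-BulletinCoverage -Expected $expected -BulletinToKB $map | Format-Table -AutoSize
```

Leaving the KB map empty makes every row report Installed = False, which is the safe default: the script never claims coverage it has not been told how to verify. The same three-way rule is what a scanner has to encode to avoid flagging an IE 9+ host as missing MS14-084 when MS14-080 already carries the fix.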

MS14-084 resolves a vulnerability in the VBScript scripting engine that could enable an attacker to remotely execute code if a user visits a specially-crafted website. MS14-081 is the final critical bulletin, and is aimed at vulnerabilities in Microsoft Word and Microsoft Office Web Apps. The vulnerabilities could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Word file in an affected version of Microsoft Office software.

“In most cases this type of issue would only be important, because typically a document format use-after-free issue requires user interaction to exploit, but in this case because of the potential for exploitation through SharePoint Web Apps the risk is greater,” Barrett said, adding that MS14-080 and MS14-084 should be the top patching priorities.

Next on the list, he added, should be MS14-081 and MS14-075, the latter of which addresses four vulnerabilities in Microsoft Exchange Server and is ranked as ‘important’. MS14-075 was deferred last month. The remaining bulletins are also classified as ‘important’, and impact Microsoft Office, Excel and Windows.

In addition to the Microsoft fixes, Adobe released patches for Flash, Shockwave, Reader, Acrobat and ColdFusion. The Flash update fixes six vulnerabilities, one of which is currently being exploited in the wild (CVE-2014-9163), noted Chris Goettl, product manager with Shavlik Technologies.

“Along with Flash, admins will need to deploy the Internet Explorer Advisory and a new release for Google Chrome, both of which will allow the plug-in to be updated in the browsers,” he said. “Adobe also had another release since last Patch Tuesday, so if you haven’t patched your system in a month, you will have two pending updates.”

“The Adobe Acrobat and Reader updates include resolution to 20 vulnerabilities,” Goettl added. “Adobe also rates this as a Priority 1 update. Some of the vulnerabilities being resolved could allow an attacker to take control of the system.”

From the DMG

Sage advice from the inside cover of the new Dungeon Master’s Guide

Disclaimer: Wizards of the Coast does not officially endorse the following tactics, which are guaranteed to maximize your enjoyment as a Dungeon Master. First, always keep a straight face and say OK no matter how ludicrous or doomed the players’ plan of action is. Second, no matter what happens, pretend that you intended all along for everything to unfold the way it did. Third, if you’re not sure what to do next, feign illness, end the session early, and plot your next move. When all else fails, roll a bunch of dice behind your screen, study them for a moment with a look of deep concern mixed with regret, let loose a heavy sigh, and announce that Tiamat swoops from the sky and attacks.

Geek Christmas Gifts Under $20

It’s that time of year, when many spouses, parents, friends and family members cannot figure out what to get for that special geek in their life.

Well, have no fear – here are a few suggestions, all under $20.

I found these items while perusing the most excellent site ThinkGeek.com. If you have never visited, I highly recommend it, but you’d better have some spare time and your wallet.

Kicking off, I feel it’s only fitting that we start with something featured on this very blog almost a year ago: the 8-Bit Holiday Wreath for only $15.99.

Next up, for the gamer in all of us, how about a couple of D20-related items?

Imagine the joy on your DM’s face when you present him with some cupcakes from your D20 Critical Hit Cake Pan ($7.79).

Even better? What DM wouldn’t want to sit down to contemplate world domination with a cocktail containing D20 Ice ($7.99)?

And finally at ThinkGeek, what do you get when you cross a coffee mug with Legos?  Something so incredible that it almost defies words…the Build-On Brick Mug for ONLY $9.99!

What geeky item is on your Christmas list this year?

e-Cigs….Health Risk for Security?

There used to be a story going around the hacking world, where one technique was to load spyware onto a USB drive and leave it in the parking lot of the business you intended to hack. The theory was that someone would find it, and they WILL plug it into their computer, because users cannot resist the temptation.

Now we have e-cigs, something I personally find ridiculous.  While deemed a “Safer” alternative, I personally doubt pumping those chemicals into your body is any different – just give me a great cigar.

Meanwhile, the story below notes the potential security risk for IT, when users want to charge their “cigs” at work.

Maybe NSA had it right way back in the day, by sealing up the USB Ports?

Now e-cigarettes can give you malware

E-cigarettes may be better for your health than normal ones, but spare a thought for your poor computer – electronic cigarettes have become the latest vector for malicious software, according to online reports.

Many e-cigarettes can be charged over USB, either with a special cable, or by plugging the cigarette itself directly into a USB port. That might be a USB port plugged into a wall socket or the port on a computer – but, if so, that means that a cheap e-cigarette from an untrustworthy supplier gains physical access to a device.

A report on social news site Reddit suggests that at least one “vaper” has suffered the downside of trusting their cigarette manufacturer. “One particular executive had a malware infection on his computer from which the source could not be determined,” the user writes. “After all traditional means of infection were covered, IT started looking into other possibilities.

“The made in China e-cigarette had malware hardcoded into the charger, and when plugged into a computer’s USB port the malware phoned home and infected the system.”

Rik Ferguson, a security consultant for Trend Micro, says the story is entirely plausible. “Production line malware has been around for a few years, infecting photo frames, MP3 players and more,” he says. In 2008, for instance, a photo frame produced by Samsung shipped with malware on the product’s install disc.

Even more concerning is a recent proof-of-concept attack called “BadUSB”, which involves reprogramming USB devices at the hardware level. “Very widely spread USB controller chips, including those in thumb drives, have no protection from such reprogramming,” says Berlin-based firm SRLabs, which released the code.

Combine the two, says Ferguson, “and a very strong case can be made for enterprises disabling USB ports, or at least using device management to allow only authorized devices.

“For consumers it’s a case of running up-to-date anti-malware for the production line stuff and only using trusted devices to counter the threat.”

Dave Goss, of London’s Vape Emporium, says that vapers can remain safe by buying from respected manufacturers such as Aspire, KangerTech and Innokin, and by checking for “scratch checkers” on the box, which mark out authentic goods from counterfeits.

“Any electrical device that uses a USB charger could be targeted in this way, and just about every one of these electrical devices will come from China,” he adds.

In early November, figures obtained by the Press Association revealed that e-cigarettes and related equipment, such as chargers, were involved in more than 100 fires in less than two years.

http://www.theguardian.com/technology/2014/nov/21/e-cigarettes-malware-computers
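Ferguson’s recommendation above, “using device management to allow only authorized devices”, as an added example that is not part of the Guardian article or of Trend Micro’s advice: on Windows, the Device Installation Restrictions policy can be driven to allow-list USB devices by hardware ID and refuse to install anything else, which is what stops a charger or thumb drive from installing as a new keyboard or storage device. The script below writes the same registry values Group Policy writes for that policy; it assumes it is run elevated, that you harvest the hardware IDs from known-good devices while only those are attached, and the `USB\VID_1234&PID_5678` value in the usage comment is a hypothetical ID, not a real device.

```powershell
# Added example (not from the Guardian article or from Trend Micro): allow-list USB
# devices by hardware ID through the Device Installation Restrictions policy keys, the
# values Group Policy writes under Computer Configuration > Administrative Templates >
# System > Device Installation > Device Installation Restrictions.
# Assumptions: run as Administrator; hardware IDs passed in were collected from
# known-good devices (Get-PresentUsbHardwareIds helps) while only those were plugged in.

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Setup-class GUIDs for keyboard, mouse and HID. Allowing these keeps any input device
# working, but it also re-admits a BadUSB device that presents itself as a keyboard,
# so prefer listing your real keyboard/mouse hardware IDs and leave this switched off.
$InputClasses = @(
    '{4d36e96b-e325-11ce-bfc1-08002be10318}',  # Keyboard
    '{4d36e96f-e325-11ce-bfc1-08002be10318}',  # Mouse
    '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}'   # HIDClass
)

function Get-PresentUsbHardwareIds {
    # Hardware IDs of USB devices currently attached, in the USB\VID_xxxx&PID_xxxx form
    # the policy matches on. Run this with only trusted devices connected.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\*' } |
        ForEach-Object { $_.HardwareID } |
        Where-Object { $_ -match '^USB\\VID_[0-9A-Fa-f]{4}&PID_[0-9A-Fa-f]{4}$' } |
        Sort-Object -Unique
}

function Set-UsbDeviceAllowList {
    param(
        [Parameter(Mandatory)][string[]]$HardwareIds,
        [switch]$AllowInputClasses
    )
    $allowKey = "$Restrictions\AllowDeviceIDs"
    New-Item -Path $allowKey -Force | Out-Null
    # Start from a clean list so entries from an earlier run do not linger.
    (Get-Item $allowKey).GetValueNames() |
        ForEach-Object { Remove-ItemProperty -Path $allowKey -Name $_ }
    $n = 1
    foreach ($id in $HardwareIds) {
        New-ItemProperty -Path $allowKey -Name $n -PropertyType String -Value $id -Force | Out-Null
        $n++
    }
    New-ItemProperty -Path $Restrictions -Name AllowDeviceIDs -PropertyType DWord -Value 1 -Force | Out-Null

    if ($AllowInputClasses) {
        $classKey = "$Restrictions\AllowDeviceClasses"
        New-Item -Path $classKey -Force | Out-Null
        $i = 1
        foreach ($guid in $InputClasses) {
            New-ItemProperty -Path $classKey -Name $i -PropertyType String -Value $guid -Force | Out-Null
            $i++
        }
        New-ItemProperty -Path $Restrictions -Name AllowDeviceClasses -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # "Prevent installation of devices not described by other policy settings":
    # anything not matched by an allow entry above is refused at install time.
    New-ItemProperty -Path $Restrictions -Name DenyUnspecified -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-UsbDeviceAllowed {
    # True if the given hardware ID is on the allow list written above.
    param([Parameter(Mandatory)][string]$HardwareId)
    $allowKey = "$Restrictions\AllowDeviceIDs"
    if (-not (Test-Path $allowKey)) { return $false }
    $key = Get-Item $allowKey
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValue($name) -eq $HardwareId) { return $true }
    }
    return $false
}

# Usage (with only trusted devices attached):
#   $ids = Get-PresentUsbHardwareIds
#   Set-UsbDeviceAllowList -HardwareIds $ids
#   Test-UsbDeviceAllowed 'USB\VID_1234&PID_5678'   # hypothetical charger ID, expected: False
```

Two caveats a practitioner will want before rolling this out. First, the deny applies to new installations only; a device that was already installed keeps working unless the policy’s separate “apply to already installed devices” option is also set, so the executive’s already-plugged-in charger is not evicted by this alone. Second, in a domain the Group Policy values overwrite the local ones on refresh, so put the list in a GPO rather than on each host, and test it first on a machine with console access, since an allow list that omits your own keyboard locks you out.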