  1. #1
    2 Star Lounger
    Join Date
    Oct 2009
    Location
    Shoreline, Washington, USA
    Posts
    147
    Thanks
    0
    Thanked 1 Time in 1 Post



    TOP STORY

    Patch arrives for IE hole targeted by Chinese


    By Yardena Arar

    As of this writing, Microsoft is scheduled to release on Jan. 21 an update that fixes the Internet Explorer vulnerability behind the recent, highly publicized cyberattacks on Google and other major corporations.

    The sophisticated "Aurora" exploit is delivered through common file attachments or links — typically in e-mail or other messages that appear to come from trusted sources — but proven security measures and a little common sense can negate all such threats.

    The full text of this column is posted at WindowsSecrets.com/2010/01/21/01.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.
    Last edited by revia; 2011-01-20 at 14:53.

  2. #2
    New Lounger
    Join Date
    Dec 2009
    Location
    Australia
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Dear Yardena,

    Re: Protected Mode in IE 7 and 8 on Windows XP, Vista, Windows 7

    Thank you for a great article!

    I always wonder how the average PC user (guess the majority of users
    in the world) are having a hope in hell to keep their systems clean, up to
    date and secure.....

    Anyway, as to the Protected Mode settings:

    Protected Mode in IE7 and IE8 on Vista and Windows 7 appears not
    to work with UAC turned off! On all systems, I always turn the UAC
    off, as I find all the warning windows a major headache and most
    confusing and annoying for the average user. More so, users have
    grown to like Vista (and probably Win7 as well) much better with UAC
    turned off....

    Question: do you have any comments on the above and are there any
    work-arounds regarding this issue, being - can Protected Mode
    be enabled in IE without having to turn the UAC back on?

    Next, most users would not know how to open attachments in the inbox
    safely. As you suggest, contacting the sender may not be a secure
    solution at all! He or she may have unknowingly attached an infected file!
    My routine strategy is to save the/any unopened attachment to my desktop
    (or other location) and scan the file with my virus program (in my case MSE),
    before opening the file.

    Question: what are your thoughts and remarks regarding that routine?

    Many thanks for a reply or inclusion in the next newsletter,
    keep up the good work,
    Hans Bool

  3. #3
    New Lounger
    Join Date
    Dec 2009
    Location
    Raymond. WA
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Well I was one of those that got hit with it. I DID NOT have to click on any link for it to activate. I have here in front of me a six page print out of the email that was infected. It says it was from Microsoft security focus. I subscribe to the security focus newsletter so mistakenly opened the email. I noticed at once it was phony (many links available to click). After printing the email out, I deleted the message. But, it had already attached itself to the computer. It sent the same email to everyone on my email account plus every email address in my favorites bar. I got a couple of dozen returns from some of the sites that would not accept the email. I have run scans twice to see if it was still on my computer but everything was ok. I even tried to trace the IP address, but it is one that cannot be traced. I will try anything to make sure that it is off my computer and not sending out more emails in my name. By the way, I have McAfee on my computer and it passed the e-mail protection option, which was turned on. I reported this to McAfee but have not received a response yet.

  4. #4
    New Lounger
    Join Date
    Jan 2010
    Location
    Portland, OR
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Security vendor SecureWorks described 'Aurora' as a framework, or collection of techniques, not as a single vulnerability or exploit. While the individual vulnerabilities or exploits are not very novel, overall the Aurora framework exhibited two novel characteristics:
    --The Adobe 0-day exploit was first seen in targeted attacks on selected companies that are considered of interest to the People's Republic of China.
    --The command and control mechanism in the trojan horse associated with the 'Aurora' framework used a novel error correction algorithm that only appears to have been publicized on some Chinese language web sites.

  5. #5
    New Lounger
    Join Date
    Dec 2009
    Location
    MA
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    In your column you mention that disabling JavaScript in Adobe Reader can be useful, and that "Webroot's Brandt says very few people encounter legitimate PDFs that use JavaScript."

    I disabled JS in AR months ago, as it doesn't feel like a very useful feature to me, and _every_single_ .PDF file I've opened since then has complained that "JavaScript is currently disabled and this document uses it for some features. Enabling JavaScript can lead to potential security issues."

    I just ignore the "warning", but either the JS detector is broken, or there's a lot more JS out there than we think...

    BTW: McAfee has a Stinger out that'll remove just Aurora.

  6. #6
    New Lounger
    Join Date
    Dec 2009
    Location
    San Diego, CA, USA
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Regarding "To disable JavaScript in Adobe Reader, open Reader and click Edit, Preferences. Choose JavaScript in the left pane, uncheck Enable Acrobat JavaScript in the right pane, and click OK."

    But nowhere can I find the place to click OK. Am I missing something?

  7. #7
    New Lounger
    Join Date
    Jan 2010
    Location
    Boston
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    A tale of woe, glanced away by the grace of the net goddess??? .... The day after I heard of the attack, and learned it was PDF based, I noticed that I had a PDF download pending in my Firefox queue that I dismissed instinctively. (Why is there a file in my download queue, I asked myself.)

    Disclaimer: I have IE6 on a Win XP2 box, Firefox is my default browser, IE is only for banks and other dinosaurs, etc.

    I then browsed around a bit as usual (using Firefox), and the same download appeared(!), interestingly just after I refreshed Boston.com for some local news. (I block Boston.com from opening pop-ups via my Firefox preferences, yet the site still manages to do so!) Somewhat stupidly (before finishing my coffee!), I accepted the download request out of coffee-deprived curiosity. I (again, stupidly/curiously) opened the PDF and it was blank!

    The silver lining to this story is that I opened the file using an open-source PDF reader, Sumatra, which I use because Adobe Reader is so bloated. After seeing this blank PDF, I immediately shift-deleted it, and so I now don't remember even the file name. However, I also instinctively (even in my coffee-deprived stupor) ran a deep scan immediately. Nothing was found -- likely because I sent it to never-never land instead of the Recycle Bin. So, maybe this tale is nothing but a blip in the universe of the brave new world. But did anyone else get pushed a PDF from some (seemingly random) site over the past few days??

    Followup 02-Feb-2010: I found this article which indicates that "McAfee ... has found evidence that a vulnerability in Internet Explorer—but not Acrobat Reader—was exploited in the attack" suggesting that PDFs were not the vector after all??

  8. #8
    New Lounger
    Join Date
    Dec 2009
    Location
    Washington, DC, USA
    Posts
    10
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Did Adobe issue patches for the Aurora 0-day? Will Adobe change the default behavior of Reader so that JavaScript is disabled unless the PDF actually needs it? If not, is it necessary to re-disable JavaScript after each update? Does Adobe notify users that updates are ready? (If the answer to any of the last three questions is negative, then the Average Joe Internet could be in trouble.)

  9. #9
    New Lounger
    Join Date
    Jan 2010
    Location
    NYC
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Acrobat Reader also has a setting in its "Security (enhanced)" section for enabling enhanced security. Are you also recommending that?

  10. #10
    2 Star Lounger
    Join Date
    Jan 2010
    Location
    Los Angeles, California, USA
    Posts
    120
    Thanks
    0
    Thanked 4 Times in 4 Posts
    Quote Originally Posted by SanDiegan11
    Regarding "To disable JavaScript in Adobe Reader, open Reader and click Edit, Preferences. Choose JavaScript in the left pane, uncheck Enable Acrobat JavaScript in the right pane, and click OK."

    But nowhere can I find the place to click OK. Am I missing something?

    First of all, SanDiegan11, upgrade to Adobe Reader 9.3, which has the latest security fixes. Then if you want, you can do the following to turn off Acrobat JavaScript. Also, the OK button is there to click on to save changes; if you can't see it, try changing your screen resolution to a higher one or move the Preferences dialog box upward until you see the OK and Cancel buttons. I know they're there.

    Quote Originally Posted by Solo Owl
    Did Adobe issue patches for the Aurora 0-day? Will Adobe change the default behavior of Reader so that JavaScript is disabled unless the PDF actually needs it? If not, is it necessary to re-disable JavaScript after each update? Does Adobe notify users that updates are ready? (If the answer to any of the last three questions is negative, then the Average Joe Internet could be in trouble.)

    Solo Owl: Answer to first question is no. So far Adobe Reader is NOT affected by the Aurora 0day vulnerability unless Adobe themselves have published a security advisory for it and have offered an update for it. Answer to 2nd question is maybe. Answer to 3rd question is no. Answer to 4th question is yes as long as the option in the Preferences dialog box in the Updater section of Adobe Reader is set to "Automatically Download Updates But Let Me Choose When to Install Them". Otherwise, Adobe automatically downloads AND installs updates without your permission.

    Responding to Yardena Arar's article: Internet Explorer 5.01 SP4 was originally NOT affected by the IE hole, but Microsoft has released a patch for IE 5.01 SP4 / Win2000 SP4. So that means IE 5.01 SP4 is also affected.
