So the year has only just kicked off, and yet we’re already being scared shirtless by vulnerabilities, holes, and hacks in the wild. Normally I’d have covered all of these in separate blogs, but because I’m playing catch-up after having eye problems, I get to mash them all up into one super-security warning. Let’s get down to utter chip-chilling tales of terror:
When it comes to security, Microsoft is always down in the dumps. This year starts off no differently. Not only has Microsoft’s Patch Tuesday nuked 12 vulns for us, which is quite a lot for a Patch Tuesday these days, but on top of that it doesn’t include a fix for one whopper of a security hole found this holiday season in older versions of Internet Explorer that allows malware to be installed on a PC just by visiting a malicious (or hijacked) website. Microsoft released a temporary workaround for the vulnerability in IE6, IE7, and IE8, but that workaround has already been … worked around. Oh the irony. In the wild, I might add. So take it with a grain of useless rocks. Maybe it’ll be fixed next month, but not this one.
While it shouldn’t really be a surprise to anyone that something as common as a graphics driver used by probably at least half of computers out there is a point of attack, it was something of a shocker to hear that you should update to nVidia GeForce display driver version 310.90 right now to close the mother of all security holes allowing network attacks to gain super-user level access to your PC and to elevate privileges to lower-level access. Why would a graphics driver have that kind of a network bug in it? And why would a graphics driver allow you to elevate your access level? Goodness only knows. But if you’ve got nVidia graphics under the hood and you don’t update your graphics drivers this second, you’re sitting on a huge security hole.
Of course a lot of people choose not to use Adobe’s Acrobat Reader. Plenty have switched to third-party alternatives, such as Foxit. And now, they’re suddenly wishing that they hadn’t. Why? Well, as if Adobe software wasn’t bad enough when it comes to security, it turns out that Foxit has its own buffer overflow bug worse than anything from Adobe. It can’t handle very long query strings after a filename and can be used to overwrite the program’s memory to execute arbitrary code. Yes, that’s right, just opening a file with a maliciously crafted filename will allow Foxit to execute whatever code a malware author wants to. Oops. This is one time when Foxit is definitely not “better than Adobe.”
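The failure mode described above, sketched as an added example that is not Foxit’s code or code from the original post: a fixed-size buffer that receives whatever follows the `?` after a filename, next to a version that checks the length first. The function names, the 256-byte buffer size, and the sample filename are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define QUERY_MAX 256  /* assumed buffer size, chosen for illustration */

/* Unsafe pattern: copies whatever follows '?' into a fixed buffer with no
 * length check, so a long enough query string writes past the end of `out`. */
void split_query_unsafe(const char *url, char out[QUERY_MAX]) {
    const char *q = strchr(url, '?');
    strcpy(out, q ? q + 1 : "");   /* overflows when the query is >= QUERY_MAX bytes */
}

/* Hardened form: measure first and refuse oversized input.
 * Returns 0 on success, -1 if the query would not fit. */
int split_query_safe(const char *url, char *out, size_t out_size) {
    const char *q = strchr(url, '?');
    const char *query = q ? q + 1 : "";
    size_t len = strlen(query);
    if (out_size == 0 || len >= out_size)
        return -1;
    memcpy(out, query, len + 1);   /* len + 1 includes the terminating NUL */
    return 0;
}

/* Constructed sample input: "report.pdf?" followed by n filler bytes,
 * passed to the hardened parser only. */
int check_query_of_length(size_t n) {
    static char url[4096];
    char out[QUERY_MAX];
    const char *prefix = "report.pdf?";
    size_t plen = strlen(prefix);
    if (plen + n >= sizeof url)
        return -1;
    memcpy(url, prefix, plen);
    memset(url + plen, 'A', n);
    url[plen + n] = '\0';
    return split_query_safe(url, out, sizeof out);
}

int main(void) {
    printf("255-byte query:  %d\n", check_query_of_length(255));
    printf("256-byte query:  %d\n", check_query_of_length(256));
    printf("2000-byte query: %d\n", check_query_of_length(2000));
    return 0;
}
```

The hardened version rejects the oversized request outright rather than truncating it, so a caller never works with a silently shortened query.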
But fear not. Firefox is coming to the rescue. Usually when the words “Adobe” and “security” are used in the same sentence, it means trouble, but here’s one time when it doesn’t: Firefox is now building a PDF reader straight into the web browser using some fancy HTML 5 footwork. A plug-in is no longer needed to view a PDF file in Firefox, so you can kiss your Adobe plug-in (or even more dangerous Foxit plug-in) goodbye and say hello to improved speed and security. Huzzah! I guess. If you don’t actually use Firefox, well then, sucks to be you. :p Just kidding. I’m sure everyone will be doing it before too long. Except, perhaps, for Internet Explorer that is.
Well, next up on the list of lowest common denominators in the security world is … Oracle. Who doesn’t want some Java lovin’? Or perhaps in this case hatin’. A new Java zero-day exploit can compromise PCs, allowing a hacker to, you guessed it, execute arbitrary code, escalate privileges, etc. Basically any hacker can own your PC just by you visiting any malicious (or hijacked) website. At least assuming that you have Java enabled. It affects the latest and greatest Java 7 update 10 and prior versions and is being widely used in the wild. Hopefully Oracle will fix that up for us some day. In the meantime, time to turn off Java. How many times have you heard that? Why does anyone even have it enabled?
Ruby on Rails
And surprisingly, our last security warning of the New Year isn’t for Adobe Flash. Nope. It’s far worse than that. Ruby on Rails has been derailed! With two critical security vulnerabilities, anyone can perform remote code execution against any Ruby on Rails application that has the XML parser enabled. (Which just so happens to be the default setting, and for good reason as it is heavily used.) Which is bad enough. But these holes also allow hackers to run system commands on the server with the same privilege level as the application. So if you were wondering about how a hacker can hijack someone’s website to serve up all of those malicious web pages that can use those security holes in Java, Internet Explorer, etc. to infect anyone’s PC just by visiting the website, there you go.
Fortunately Ruby on Rails has been patched already and if you update to the latest version, you’re safe once more. But the key there is “if”.
So all in all, 2013 has sure started out with a bang! Insecurity: 2013 reminds us once again that security is far from a given. Take it seriously and get updating!