Posts tagged ‘virus’

Insecurity: 2013

So the year has only just kicked off, and yet we’re already being scared shirtless by vulnerabilities, holes, and hacks in the wild.  Normally I’d have covered all of these in separate blogs, but because I’m playing catch-up after having eye problems, I get to mash them all up into one super-security warning. Let’s get down to utter chip-chilling tales of terror:

Microsoft

When it comes to security, Microsoft is always down in the dumps. This year starts off no differently. Not only has Microsoft’s Patch Tuesday nuked 12 vulns for us, which is quite a lot for a Patch Tuesday these days, but on top of that it doesn’t include one whopper of a security hole found this Holiday season in older versions of Internet Explorer that allows malware to be installed on a PC just by visiting a malicious (or hijacked) website. Microsoft released a temporary workaround for the vulnerability to IE6, IE7, and IE8, but that workaround has already been … worked around.  Oh the irony.  In the wild I might add.  So take it with a grain of useless rocks. Maybe it’ll be fixed next month, but not this one.

nVidia

While it shouldn’t really be a surprise to anyone that something as common as a graphics driver used by probably at least half of computers out there is a point of attack, it was something of a shocker to hear that you should immediately update to nVidia GeForce display driver version 310.90 right now to close the mother of all security holes, one that allows network attacks to gain super-user level access to your PC and lets lower-level accounts elevate their privileges. Why would a graphics driver have that kind of a network bug in it? And why would a graphics driver allow you to elevate your access level? Goodness only knows. But if you’ve got nVidia graphics under the hood and you don’t update your graphics drivers this second, you’re sitting on a huge security hole.

EDIT: But be prepared for other problems with this driver update!

Adobe

Of course a lot of people choose not to use Adobe’s Acrobat Reader. Plenty have switched to third-party alternatives, such as Foxit. And now, they’re suddenly wishing that they hadn’t. Why? Well, as if Adobe software wasn’t bad enough when it comes to security, it turns out that Foxit has its own buffer overflow bug worse than anything from Adobe. It can’t handle very long query strings after a filename, and that can be used to overwrite the program’s memory and execute arbitrary code. Yes, that’s right, just opening a file with a maliciously crafted filename will allow Foxit to execute whatever code a malware author wants to. Oops. This is one time when Foxit is definitely not better than Adobe.

But fear not. Firefox is coming to the rescue. Usually when the words “Adobe” and “security” are used in the same sentence, it means trouble, but here’s one time when it doesn’t: Firefox now builds a PDF reader straight into the web browser using some fancy HTML 5 footwork. No more plug-in is needed to view a PDF file in Firefox, so you can kiss your Adobe plug-in (or even more dangerous Foxit plug-in) goodbye and say hello to improved speed and security. Huzzah! I guess. If you don’t actually use Firefox, well then, sucks to be you. :p Just kidding. I’m sure everyone will be doing it before too long. Except, perhaps, for Internet Explorer that is.

Java

Well, next up on the list of lowest common denominators in the security world is … Oracle. Who doesn’t want some Java lovin’. Or perhaps in this case hatin’. A new Java zero-day exploit can compromise PCs, allowing a hacker to, you guessed it, execute arbitrary code, escalate privileges, etc. Basically any hacker can own your PC just by you visiting any malicious (or hijacked) website. At least assuming that you have Java enabled. It affects the latest and greatest Java 7 update 10 and prior versions and is being exploited widely in the wild. Hopefully Oracle will fix that up for us some day. In the meantime, time to turn off Java. How many times have you heard that? Why does anyone even have it enabled?

Ruby on Rails

And surprisingly, our last security warning of the New Year isn’t for Adobe Flash. Nope. It’s far worse than that. Ruby on Rails has been derailed! With two critical security vulnerabilities, anyone can perform remote code execution against any Ruby on Rails application that has the XML parser enabled. (Which just so happens to be the default setting, and for good reason as it is heavily used.) Which is bad enough. But these holes also allow hackers to run system commands on the server with the same privilege level as the application. So if you were wondering about how a hacker can hijack someone’s website to serve up all of those malicious web pages that can use those security holes in Java, Internet Explorer, etc. to infect anyone’s PC just by visiting the website, there you go.

Fortunately Ruby on Rails has been patched already and if you update to the latest version, you’re safe once more. But the key there is “if”.

Conclusion

So all in all, this 2013 year has sure started out with a bang! Insecurity: 2013 reminds us once again that security is far from a given. Take it seriously and get updating!

Android Virus Alert – Tis The Season … To Spambot

SMS text message spam has greatly increased in the US thanks to an Android Trojan horse that infects your phone and turns it into a spam-bot. The Trojan in this case is SpamSoldier, and it’s allegedly the first such spambot for Android phones and tablets. Whilst other spam bots have infected PCs to send text messages, this is the first SMS-happy spammer to infect Android phones. Thus reiterating my previous warnings that the more a smartphone becomes like a computer, the more viruses will be problematic for smartphones. It’s just the nature of the beast.

In this particular case, SpamSoldier likes to send out SMS messages enticing people to visit web links where they can snag games like Need for Speed: Most Wanted and Angry Birds Space. But, of course, that’s not all that you’re getting, even if the installer app does oftentimes actually give you a free version of the game. That installer also gives you a virus, turning your Android device into an SMS-spewing monster. Which, of course, includes sending other people those same SMS messages that tricked you into downloading it in the first place. And thus it spreads.

It also provides the virus writer with a means to send out other SMS spam for free, which has been used for phishing attacks and other nefarious “fun” and profit. But not profit for you, because you’re the one paying for the SMS text messages that are annoying everyone else. Hope you have an unlimited account.

Antivirus packages, such useless things as they tend to be on phones so far, have yet to catch a darned instance of SpamSoldier. Sometimes I wonder why anyone even tries. What good is an antivirus package that doesn’t catch viruses after all?

Admittedly, so far SpamSoldier isn’t exactly spreading like wildfire. It’s not exactly “out of control” as good viruses tend to get. Though perhaps that’s part of the problem: it’s staying under the radar enough that people aren’t taking it seriously.

In any event, consider yourself warned. If you want an app, get it from the proper marketplace, not from an unrequested SMS message. (Seriously people. It’s just like email. If you weren’t expecting it and the source is sketchy, don’t go all click-happy! Just delete it.) And if you own a smartphone, or plan to in the future, remember: the more it’s like a PC, the more it’ll get nasty viruses. So far security downright sucks on smartphones. Keep that in mind as you happily enter personal information into them. The more connected a gizmo is, the less secure it is. And you don’t get much more connected than a smartphone. So the next time you get a message for a deal that’s too good to be true, please, practice safe text.

Did Your Favorite Fonts Suddenly Disappear? Must’ve Been Patch Tuesday!

Windows users found themselves unable to express themselves appropriately after the latest Patch Tuesday thanks to security update KB2753842. This botched security update was supposed to close a vulnerability in the OpenType Compact Font Format (CFF) driver. It was marked “high priority”, ensuring that all the good little girls and boys downloaded and installed it right away, especially everyone hooked into automatic updates. But to many, it was actually a poison pill.

If by closing the vulnerability described in Microsoft Security Bulletin MS12-078 they meant to take away a great many of your completely safe, tried and true TrueType and OpenType fonts, then sure, Microsoft has protected you from the evils of the universe. Of course if your profession happens to actually depend upon using any of the multitude of affected fonts that weren’t a virus in disguise, well, sucks to be you then, doesn’t it? Thank you for being a valued Microsoft customer and all that.

Fortunately, uninstalling Microsoft’s misguided patch from a restore point allows all of your fonts to work again.

Unfortunately, should one of those fonts happen to actually be the type of Trojan horse that Microsoft was trying to protect you from, well, back to being vulnerable then.

Why didn’t Microsoft fully test this patch before pushing it upon the unwashed masses? Well, because they’re Microsoft. And they did test it. Didn’t you know that as Windows users you’re automatically enrolled in their beta testing program? Microsoft calls that being a “customer”. Enjoy!

And if by some miracle you haven’t had this patch applied to your computer yet and you actually use fonts for doing work, then don’t apply this patch!  At least not until Microsoft has fixed it.

Security Crisis – Have Phone, Have Target For Hackers

I’ve said it before, and I’ll say it again: The more your smartphone becomes a PC, the more viruses and malware will be a problem to phones.

And I don’t just mean this in my vain hope that at some point an x86 SoC will turn the phone into the next shrink in portable computing, able to run every same program that your PC can as if the phone really were a PC … because it finally is.

I mean it literally, the more your phone can do, and the larger the target “market” becomes, the more likely someone is going to write a virus for it.

And now I have McAfee backing me up. (Warning! Sadly, with a PDF file, almost as though McAfee doesn’t even understand security at all…)

So for those of you disinclined to trust opening any PDF file (and I certainly wouldn’t blame you), or for those too lazy to read through all of that gobbledy-gook, what does McAfee have to say then?

Basically it’s simple: Now that smartphones are so easily capable of mass-emailing on networks with decent speed and lots of data, they make great spam zombies. Android, simply by merit of having the largest market share, is the biggest smartphone/tablet target. But don’t by any means declare your Apple iOS device safe just because it isn’t as likely to be targeted for having a smaller market share. Being in a smaller market share isn’t a replacement for real security. Just ask Apple Macintosh owners who have to put up with real security threats, even if Macs aren’t nearly so common as Windows PCs.

Basically, no matter what your device is, be it phone, tablet, laptop, or desktop computer, if the bugger connects to Ye Olde Interwebs in any way, you need security software. Antivirus and firewall at the very least, but thorough anti-malware packages if you please.

According to Vincent Weafer, Senior Vice President of McAfee Labs, “Attacks that we’ve traditionally seen on PCs are now making their way to other devices.”

No s___, Sherlock! You heard it there last. McAfee VP of Obviousness has made the connection.

Granted, one could possibly try to argue that this being McAfee writing up that report, of course they’re going to say be afraid and buy more software. Especially from McAfee.

But frankly, regardless of the mouthpiece for better security, only an idiot can think that their internet-enabled device is safe without any security software to protect it.

I mean seriously. If you surf, you’re at risk. Period. The internet may have many great things about it, but it is also a cesspool of viruses. Anything that can access the internet is at risk of infection. There’s no such thing as inherently “safe”.

Besides the common trend of spam botnets to make a little cash, since any internet-enabled device can be taken over to send out loads of spam to people, there’s also an increase in the trend of data-jacking, AKA “ransomware”. Hackers are all too happy to use software to hold your pictures, songs, movies, documents and files hostage until you pay them. (If they even bother to release your data at all after you pay them. And if they don’t use your payment as the beginnings to the means to try to drain your bank account dry.) And that’s just the hackers trying to make a buck. There are also always those that just want to hurt the world.

I know that you don’t think of your phone as a computer. It doesn’t sit on a desk. You don’t have a keyboard and mouse. (Okay, maybe you might have a keyboard of some kind.) You don’t sit down to use it. There’s no big Microsoft Windows logo. It’s not a computer.

Except that it is.

Inside of your phone is a processor and memory. Your phone runs an operating system. Your phone can install software. Your phone connects to the internet. Think about it. It IS a computer. It’s just a very tiny computer. Just like desktop computers became laptops and laptops became netbooks, just keep following that shrinking train, netbooks became tablets and tablets became phones. (Figuratively. A literal technical path would be a lot more confusing.)

So these days, have phone, have target for hackers.

It’s that simple.

And as a side note, so far, phone security software sucks. Yes, I said it. It’s like any nascent software. The first few versions just don’t have what it takes. There’s a learning curve: what’s needed, what can be done, how to do it, etc. So far security on phones and tablets is just plain crap. Anything is better than nothing, but let’s face it, computers aren’t even 100% safe and we’ve had all this time to get that right. This whole security on phones idea is new, and so phones just aren’t even close to as secure. And we keep adding more entry points. There’s your phone/data network. There’s Wi-Fi. There’s Bluetooth. And now there’s even NFC. No one is safe. There’s no platform that is inherently secure. (In fact, Apple iOS and Google Android both have alarmingly poor security concepts.) At absolute best you’re just not in someone’s sights … yet.

But as even McAfee now admits, the proof is now real infections, not just theoretical “coulds” and “shoulds”. Hackers are out there, doing what they’ve always done since the dawn of computers. And your phone is now a computer. Whether you knew it or not doesn’t make it any less a target for hackers. So don’t hide your head in the sand and hope for the best. Be proactive. Secure your phone. Secure your tablet. And tell your friends and family to do so too. They’re not just people you love, they’re also potential sources of infections that you interact with frequently. Do it for them. Do it for you.

A Friendly Reminder – Back Up Your Hard Drive

Here’s a helpful reminder for the new year: Back up your hard drives!

No, I don’t just mean a file copy. Not some lame internet service that backs up My Documents. I mean a full out hardcore backup of each and every hard drive in your PC. Including the master boot record.

Why?

Well, a bit before Christmas, my wife’s computer got hit with a nasty virus. Actually … multiple viruses. (Virii? I know, not technically. I once had a friend go into a long explanation why that wasn’t proper Latin because it couldn’t be pronounced, even if I did prove it could be.) Anywhen, my wife’s computer was a security mess. Because whatever the originating virus was, it was propagating countless other virus installs into her computer at the drop of a hat. It was adding new malware every time it felt like it. Even when disconnected from the network.

And for the record, yes, my wife had antivirus software running. A couple layers of malware protection actually. And a firewall up. And the latest updates to all of her software, including Windows itself.

They didn’t help.

Nor, for that matter, did any of the free antivirus and antispyware scanners. Or any of the pay ones that I tried. (And I tried all the big names.) Oh, don’t get me wrong, they all detected plenty and cleaned her computer as best they could. They just didn’t get that original back door that kept adding malware back onto her PC. So as soon as her computer was “clean” it was already being infected once more.

And some of these viruses were nasty buggers that tried to disable antivirus updating. It was fascinating, in a sick and annoying way.

And took a lot of time to deal with.

I’m pretty sure in the end it was some new kind of rootkit. (Or maybe not so new, but none that anyone could actually deal with.)

In the end I stopped trying to find the “easy” answer. Because, frankly, I should have just done the “long” process of cleaning her computer from the beginning: restore her hard drives (and their MBRs) from a backup point. It’s painful because you have to copy over things in a safe non-Windows way. And you have to reinstall anything that may have changed. But it gets you what you need: a clean PC.

If I hadn’t ever backed up her hard drives with a full image, including MBR, I don’t know that I’d ever have gotten her system clean without reformatting the hard drive and reinstalling Windows from scratch.

I know it’s a bad bad world where nasty people do bad bad things. But it’s a pretty sorry state when you can’t find a single antivirus program that can clean an infection. Fortunately, I plan ahead. And in case you ever find yourself in a similar situation one day, you’ll be glad that you listened to me and bought yourself an external hard drive and imaged your whole PC onto it before your security was breached, your computer hacked, your system infected with malware that couldn’t be found (let alone removed) by your antivirus software.

Rootkits are real, and they have the potential to be pretty much undetectable (let alone cleanable) to today’s security software.

System backups: just one of many tools in the fight against All Things Evil.