Security Alerts

Windows 7/8.1 Users: Microsoft is Watching You!

Okay, maybe not ‘watching you’, but they are spying on you. Seems that Microsoft was not content with just spying on Windows 10 users. They have pushed through some ‘Telemetry’ updates on Windows 7 and 8.1 which allow Windows to collect and send data back to Microsoft. Keep in mind if you have opted-out of previous ‘feedback/telemetry’ programs with Microsoft, these updates undo all that (including user privacy settings in the Windows hosts file). …(the updates) all add “customer experience and diagnostic telemetry” to Windows 7 and Windows 8. This is shorthand for monitoring how you use Windows…


Firefox 38.1.1 ESR/39.0.3 Security Update Released

On August 6, 2015 Mozilla released an emergency security update for Firefox 38 ESR and Firefox 39 with the Firefox 38.1.1 ESR and Firefox 39.0.3 releases. These releases were a result of MFSA 2015-78: Same origin violation and local file stealing via PDF reader. From The Mozilla Security Blog: The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able…


WARNING: Fake Windows 10 Upgrade Email

Something I have learned over the years: Microsoft is never going to offer you something via email, and if it looks fishy it is! So, now there is a ransomware email going around originating from Thailand (with the address update@microsoft.com) claiming to be from Microsoft with a Windows 10 installer already attached (how handy!). First red flag should be getting an unsolicited email from Microsoft, much less one WITH an attachment. Windows Insider Program participants will get emails from Microsoft, but those will not have attachments. Next, there is an encoding issue with the email (likely since it originated from Thailand) though overall…


Beware of Amazon Appstore Update

I was checking Amazon.com this morning on my Samsung Galaxy S4 with the Amazon Shopping App. Today is Prime Day so was seeing what they had to offer. I was presented with a pop-up notification to update what I thought was for the Amazon Shopping App. I started the update and the first red flag that came up was it wanted me to Enable Unknown Sources on my device’s security settings. Basically, this is to allow you to be able to install apps outside the Google Play Store. I was somewhat confused why I needed to do this, but went ahead and…


Third Hacking Team Flash Zero-Day Revealed

On Monday (July 13th), Trend Micro reported the now third bug (CVE-2015-5123) to Adobe’s Security Team. This comes just as Adobe was getting ready to push out the update 18.0.0.209 which had addressed two Zero Day vulnerabilities discovered with version 18.0.0.203 earlier. No word yet when Adobe is going to push out a patch for this vulnerability. via: Krebs on Security


Facebook CSO wants ‘End of Life Date’ for Flash

Adobe is dealing with a lot of problems in the past week with Flash. Things got a whole lot worse for them this week. On Monday night, Mozilla Blacklisted (disabled) in Firefox, Flash Player version 18.0.0.203 for all Firefox users. On Sunday, Facebook’s new Chief Security Officer took to Twitter and called for Adobe to “announce an end-of-life date for Flash,” so that we can finally “disentangle the dependencies and upgrade the whole ecosystem.” Adobe did release Flash Player version 18.0.0.209 earlier on Tuesday morning. Source: Ars Technica


Mozilla Blacklists Flash 18.0.0.203

If you updated your Flash Player Plugin last week to version 18.0.0.203, you will need to update again today in order to use Flash in Firefox. Mozilla has blocked the 18.0.0.203 version of Shockwave Flash which contained security fixes for 0-day vulnerabilities, but was found to contain vulnerabilities itself. Adobe released version 18.0.0.209 earlier this morning which patched two vulnerabilities. To upgrade from within Firefox go to Tools > Add-ons then select Plugins on the left side. Above the list of plugins click the Check to see if your plugins are up to date link. A new tab will open with…


The Perils of Flash

Adobe Flash is one of those browser plugins that a lot of people cannot live without, with Java being a close second. Problem with Flash (and Java) is there are major security exploits that are being discovered daily. Adobe just released an update for Flash last week and already has plans on releasing another update this week to patch an exploit just discovered in the last fix. Some people such as Grand Stream Dreams blogger Claus have opted to do away with Flash (and other Adobe products) on some of their systems: Taking Flash Player out to the Bins. Unfortunately,…


Firefox 37.0.2 Released

Mozilla released an update to the Firefox 37 branch on Monday, April 20th with the Firefox 37.0.2 release. This update addressed these issues: Google Maps may render incorrectly in some cases; stability fixes for select graphics hardware and feature sets; and Mozilla Foundation Security Advisory (MFSA) 2015-45: Memory corruption during failed plugin initialization. Depending on their update settings, users will be prompted to update within the next 24-48 hours. Users can also manually update by going to the Firefox Help Menu and selecting About Firefox and following the prompts to update. Alternatively users can also download and manually install the update…


Getting Superfish out of Firefox

From the Mozilla Security Blog: First things first: If you are reading this post on a recent Lenovo laptop, please click the lock icon in the URL bar, then click “More Information…”.  If you see “Verified by: Superfish, Inc.”, you are infected with Superfish, and you should follow these instructions to remove it. The Superfish adware distributed by Lenovo has brought the issue of SSL interception back to the headlines.  SSL interception is a technique that allows other software on a user’s computer to monitor and control their visits to secure Web sites — however, it also enables attackers to…
