Sign up for our Technology Newsletter 
Can Malwarebytes Protect XP?
Malwarebytes has launched anti-exploit services to protect Windows users from hacking attacks on vulnerabilities in popular targets including Microsoft Office, Adobe software products and Java, a service which even offers protection for Windows XP users.
Consumer, Premium and Corporate versions of the service are available, and are designed to pre-emptively stop hackers from infecting Windows machines with malware.
“An exploit will typically first corrupt the memory of an application process, take control, then execute code,” said Malwarebytes director of special projects Pedro Bustamante.
“From the shell code it executes a payload that tells the exploit what to do and that in turn usually downloads malware from the internet and executes it. The final stage is usually where antivirus kicks in, when it’s being downloaded from the internet, and starts doing things like behavioural analysis to see if it’s malicious.
“We don’t care about that, what we do comes before then. We just look for exploit-like behaviour and block anything that looks like it at the shellcode or payload stages. We come into play before the malware even appears on the scene.”
The Consumer version of the anti-exploit service is free and offers basic browser and Java protection.
The Premium version costs $37.00 per user and adds Office and Adobe protection services as well as the ability to add custom shields to other internet-facing applications, like Messenger or Netflix.
The Corporate version costs$40.00 person user and offers complete anti-exploit protection and comes with Malwarebytes’ Anti-malware service and a toolkit for IT managers.
Bustamante explained that the technology is designed to help businesses and general web users defend against the new wave of exploit-based cyber attacks.
“Traditional security can’t deal with exploits. Every day we see people getting infected, even if they have the latest up-to-date antivirus readers, because of exploits,” he said. “This is why we care about the applications you run – Firefox, Chrome, Internet Explorer, Java, Acrobat [and Microsoft] Word, Excel [and] Powerpoint.”
Bustamante added that the service is doubly important for Windows XP users since Microsoft officially ceased support for the OS in April.
“We’re still seeing over 25 percent of our users running XP. For them this product is even more important,” he said.
“We see new zero-days if not every week, every month, and for XP users who are not getting any more patches from Microsoft this product will be essential.
“Every month Microsoft will be releasing security patches for newer versions of Windows. Every time Microsoft does this it’ll be a treasure map for hackers to find exploits on Windows XP.
“It’ll show them exactly where the vulnerabilities are, so every month will see an influx of new exploits targeting Windows XP.”
Javascript Security Flaws Discovered
Polish researchers have released technical details and attack code for 30 security issues affecting Oracle’s Java Cloud Service. Some of the flaws make it possible for attackers to read or modify users’ sensitive data or to execute malicious code.
Security Explorations said it would normally withhold public airings until after any vulnerability has been fixed. But apparently Oracle representatives failed to resolve some of the more crucial issues including bypasses of the Java security sandbox, bypasses of Java whitelisting rules, the use of shared WebLogic server administrator passwords, and the availability of plain-text use passwords stored in some systems.
Oracle apparently has admitted to the researchers that it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centres in the future.
Adam Gowdiak, CEO of Security Explorations said Oracle unveiled the Java Cloud Service in 2011 and held it up as a way to better compete against Salesforce.com.
Will Chrome’s API Work?
March 25, 2014 by admin
Filed under Around The Net
Comments Off on Will Chrome’s API Work?
Google has targeted web browser settings hijacking in its latest update to Chrome for Windows.
On the Chromium blog, Google engineering director Erik Kay announced an extension settings API designed to ensure that users have notice and control over any settings changes made to their web browsers.
As a result, the only way extensions will be able to make changes to browser settings such as the default search engine and start page will be through this API.
Bargain hungry consumers are often unaware that freeware programs often bundle add-on programs for which developers receive payment but can create irritating, rather than malicious, changes to user settings.
Although there is usually consent sought at installation, quite often it is ignored or not understood, and the people who miss the warnings are generally the same ones who find it hard to change the settings back.
Kay said that the API is available in the Chromium developer channel, with a rollout to the stable channel set for May.
The Chromium stable channel has been updated to version 33.0.1750.149. The main change is an update to the embedded Flash Player for Windows, which is now version 12.0.0.77.
There are seven new security fixes, most of which were user submitted via the open source Fast Memory Detector Address Sanitizer.
Although the user community and Chrome team continue to proactively protect the Chromium project, third party extensions can still cause problems, with several already having been removed from the Chrome Store this year.
Software Glitch Hits Prius
February 25, 2014 by admin
Filed under Around The Net
Comments Off on Software Glitch Hits Prius
Toyota is recalling nearly 1.9 million Prius hybrid automobiles globally in order to fix a software glitch that could damage transistors and cause a loss of power.
Some 700,000 of the Priuses are in the U.S., according to a statement. Another 997,000 are in Japan, 130,000 in Europe and the remainder in other places around the world, according to media reports. Toyota didn’t immediately respond to a request for confirmation of those details on.
Toyota plans to tweak software in the Priuses for the motor/generator ECU (engine control unit) and the hybrid control ECU. The current settings “could result in higher thermal stress in certain transistors, potentially causing them to become damaged,” Toyota said. “If this happens, various warning lights will illuminate and the vehicle can enter a failsafe mode. In rare circumstances, the hybrid system might shut down while the vehicle is being driven, resulting in the loss of power and the vehicle coming to a stop.”
Toyota is also recalling about 260,000 2012 RAV4 compact sport utility vehicles, 2012-2013 Tacoma trucks and 2012-2013 Lexus RX 350 SUVs in the U.S., the company said Wednesday.
Toyota will apply an update to skid control ECU software on cars in this recall to fix an “electronic circuit condition” that could cause the vehicles stability control, anti-lock braking systems and traction control function to shut down intermittently, Toyota said. However, in the event of such a failure the standard brakes will still work, according to the company.
No accidents or injuries have been reported in connection with the software problems, Toyota said. The software update will be applied free of charge at local dealers.
IBM’s Watson Goes To Africa
IBM has detailed plans to apply its Watson supercomputer the critical development issues facing Africa.
The machine is capable of holding more intelligent conversations than most Big Brother contestants, and in 2011 it beat human contestants on the US TV game show Jeopardy.
However, in Africa it will be used to help solve the pressing problems facing the continent such as agricultural patterns and famine relief.
The initiative, named Project Lucy after the earliest human remains discovered on the continent, will take 10 years and is expected to cost $100m.
“I believe it will spur a whole era of innovation for entrepreneurs here,” IBM CEO Ginni Rometty told delegates at a conference on Wednesday.
“Data… needs to be refined. It will determine undisputed winners and losers across every industry.”
The technology will be used to find ways to enable the developing world to leapfrog over stages of development that have hitherto been too expensive.
One example cited was Nigeria, where two companies have already committed to use Project Lucy to analyse the poorly maintained road system and determine project priorities for repair.
IBM recently announced that it will invest $1bn to spin off Watson into a separate business unit, however this could be quite a gamble as Reuters reported that although Watson has proved to be a quantum leap, it has yet to make any significant money for the company, netting less than $100m in the past three years.
Twitter Tightens Security
Twitter Inc said it has put in place a security technology that makes it harder to spy on its users and called on other Internet firms to do the same, as Web providers look to thwart spying by government intelligence agencies.
The online messaging service, which began scrambling communications in 2011 using traditional HTTPS encryption, said on Friday it has added an advanced layer of protection for HTTPS known as “forward secrecy.”
“A year and a half ago, Twitter was first served completely over HTTPS,” the company said in a blog posting. “Since then, it has become clearer and clearer how important that step was to protecting our users’ privacy.”
Twitter’s move is the latest response from U.S. Internet firms following disclosures by former spy agency contractor Edward Snowden about widespread, classified U.S. government surveillance programs.
Facebook Inc, Google Inc, Microsoft Corp and Yahoo Inc have publicly complained that the government does not let them disclose data collection efforts. Some have adopted new privacy technologies to better secure user data.
Forward secrecy prevents attackers from exploiting one potential weakness in HTTPS, which is that large quantities of data can be unscrambled if spies are able to steal a single private “key” that is then used to encrypt all the data, said Dan Kaminsky, a well-known Internet security expert.
The more advanced technique repeatedly creates individual keys as new communications sessions are opened, making it impossible to use a master key to decrypt them, Kaminsky said.
“It is a good thing to do,” he said. “I’m glad this is the direction the industry is taking.”
Java 6 Security Hole Found
Security firms are urging users of Oracle’s Java 6 software to upgrade to Java 7 as soon as possible to avoid becoming the victims of active cyber attacks.
F-secure senior analyst Timo Hirvonen warned about the exploit this weekend over Twitter, advising that he had found an exploit in the wild actively targeting an unpatched vulnerability in Java 6, named CVE-2013-2463.
PoC for CVE-2013-2463 was released last week, now it’s exploited in the wild. No patch for JRE6… Uninstall or upgrade to JRE7 update 25.
— Timo Hirvonen (@TimoHirvonen) August 26, 2013
CVE-2013-2463 was addressed by Oracle in the June 2013 Critical Patch Update for Java 7. Java 6 has the same vulnerability, as Oracle acknowledged in the update, but since Java 6 became unsupported in April 2013, there is no patch for the Java 6 vulnerability.
Cloud security provider Qualys described the bug as an “implicit zero-day vulnerability”. The firm’s CTO Wolfgang Kandek said he had seen it included in the spreading Neutrino exploit kit threat, which “guarantees that it will find widespread adoption”.
“We know about its existence, but do not have a patch at hand,” Kandek said in a blog post. “This happens each time a software package loses support and we track these instances in Qualysguard with our ‘EOL/Obsolete’ detections, in this case.
“In addition, we still see very high rates of Java 6 installed, a bit over 50 percent, which means many organisations are vulnerable.”
Like F-secure, Kandek recommended that any users with Java 6 upgrade to Java 7 as soon as they can.
“Without doubt, organisations should update to Java 7 where possible, meaning that IT administrators need to verify with their vendors if an upgrade path exists,” he added.
PayPal Extend Bug Bounty
PayPal is expanding its bug bounty program to individuals aged 14 and older, a move intended to reward younger researchers who are technically ineligible to hold full-fledged PayPal accounts.
PayPal’s program, which is a year old this month, only applied to those 18 years and older. Under the old rule, participants in the program were required to hold valid accounts, which excluded minors, said Gus Anagnos, PayPal’s director of information security.
In May, 17-year-old Robert Kugler, a student in Germany, said he’d been denied a reward for finding a vulnerability. PayPal said the bug had already been found by two other researchers, which would have made Kugler ineligible for bounty.
In an apparent miscommunication, Kugler said he was initially told he was too young rather than the bug had already been discovered. Nonetheless, PayPal said it would look to bring younger people into its program, which pays upwards of $10,000 for remote code execution bugs on its websites.
Those who are under 18 years old can receive a bug bounty payment through a PayPal student account, an arrangement where a minor can receive payments via their parent’s account, Anagnos said.
Anagnos said other terms and conditions have been modified to make its program more transparent, such as clarifying which PayPal subsidiaries and partner sites qualify for the program.
PayPal pays much less for vulnerabilities on partner websites, which have a URL form of “www.paypal-__.com.” A remote execution bug found on that kind of site garners only $1,500 rather than up to $10,000 on the company’s main sites.
Like other bug bounty programs run by companies such as Microsoft and Google, PayPal will publicly recognize researchers on its website with a “Wall of Fame” for the top 10 researchers in a quarter. Another “honorable mention” page lists anyone who submitted a valid bug for the quarter.
Eusebiu Blindu, a testing consultant from Romania, was one of the researchers listed on the Wall of Fame for the first quarter of this year.
“I think Paypal is the best bug bounty program, and I am glad I participated in it from the first days of its launching,” he wrote on his blog.
Adobe Gives Up On Windows XP
Adobe said today that the current CS6 version of Photoshop will be the last one to support the operating system.
Adobe Product Manager Tom Hogarty said in a blog post that the Photoshop team would like to provide advanced notice that Photoshop CS6 (13.0) will be the last major version of Photoshop to support Windows XP. He said that modern performance-sensitive software requires modern hardware graphics interfaces that Windows XP lacks, in particular a way to tap into the power of GPUs. By only working on newer operating systems and hardware Adobe can bring in significantly better performance.
Photoshop CS6 already demonstrates that relying on a modern operating system, graphics cards/GPUs and graphics drivers can lead to substantial improvements in 3D, Blur Gallery and Lighting Effect features not available to Windows XP customers, he said.
Adobe hopes that by providing this information early it will help you understand our current decisions around operating system support and where we we’re headed with future releases of Photoshop. It is hard to see how any serious user of Adobe products could be using an XP machine anyway. The move away from XP started with CS 5 which only ran on Vista.
Huawei Investigating Security Flaws
August 14, 2012 by admin
Filed under Network Services
Comments Off on Huawei Investigating Security Flaws
Huawei Technologies said on Thursday it was investigating claims that its routers contained critical vulnerabilities, after security researchers disclosed alleged problems last.
“We are aware of the media reports on security vulnerabilities in some small Huawei routers and are verifying these claims,” Huawei said in an email. The company added it uses “rigorous security strategies and policies” to protect the networks of its customers, while following industry standards and best practices concerning security.
“Huawei has established a robust response system to address product security gaps and vulnerabilities,” the company said. The company is also calling on industry to promptly report all product security risks so that the problems can be addressed and fixed, it said in its email.
The alleged security vulnerabilities were disclosed at the Defcon hackers conference this past Sunday by two security researchers. The vulnerabilities were found in the firmware of Huawei AR18 and AR29 series routers, which once exploited through the flaws, could be taken over via the Internet.
One of the researchers, Felix Lindner the head of security firm Recurity Labs, described the security of the Huawei devices he analyzed as “the worst ever”, and said there were bound to be more security flaws with the products.