Another Day, Another Adobe Flash Exploit

Flash used to be what I would call “Update of the Day Club”.  Start your computer and get into doing what you need, and surprise of surprises, there would be an update window popping up for Flash.

We seem to be back to that.

It’s a nuisance because, with Firefox at least, it forces you to close your browser and go through the nonsense necessary to restart it.  Since Firefox isn’t exactly 100% accurate in reopening pages and tabs, I hold my breath each time.

In this case, there’s no reason to trash Firefox.  An exploit was found in “Shockwave Flash”, as it is listed on the addons page, and the page tells you it wants to be updated.

Except.

There is no update as of this writing.

So? What do you do?  Tread lightly, my friend.  What you need to do is put yourself through a bit of annoyance or uninstall the blighted software completely.

Since the annoyance is less of a problem than uninstalling Flash at this time, I’ll show you how to do that.

What I am doing is telling the browser to ask me before it runs Flash.  I was going to uninstall it completely.  YouTube no longer uses Flash as a default to play videos, favoring the newer HTML5.  Facebook does use Flash and at this point it apparently does not use HTML5.

Here is how to go in and tell Flash to run only when you want it.  It will leave an ugly placeholder in Facebook with a grey Lego brick or the international symbol for no, and some warning messages, but you can always turn it back on to watch that particular video of a dog doing something cute if you really want to.

In Firefox:

In the address bar enter:   about:addons and hit enter to load the page.

On your Addons page:

  • Find Shockwave Flash
  • Click the button that most likely says “Always Activate” and select “Ask to Activate”
  • Click the link to “Check to see if your plugins are up to date” to open another tab.

On your “Check Your Plugins” page:

  • Click the big red button that says “Update Now” under “Potentially Vulnerable Plugins” and follow the prompts to update your Flash.
  • This space intentionally left blank.
  • Flash will update through multiple steps that are documented on Flash’s site.  
  • They include downloading a program.  
  • Make certain that you clear the box that asks if you want to download any “Optional Offer” like McAfee or any other “helpful” programs, since they are not helpful and will simply clutter up your computer or could even lock it up.
  • Flash’s install will require you to close your Firefox, so save your work.
  • Note:  As Of This Writing, there is no update to Flash that will fix this problem.  That is why I told you to set Flash to “Ask To Activate”.
  • Flash will not be updated on Android, Apple’s iOS, or Linux.
  • Flash will eventually be updated on Windows 7 or newer, or Mac OSX… just not as of this writing.

Windows 7 – You Have Five Years Left

Start the drum beating.

Microsoft reminded us yesterday, January 13, 2015, that they will stop all support for Windows 7 on January 14, 2020.

Now, most people will yawn and move on.  After all, they will wear out the cheap $250 laptop they are using now and move on to another cheap $250 laptop by then, sliding the old one under the bed or into the closet and forgetting about it until cleaning day.

“Hey!  I need to do something about that old computer!”.

Large businesses that haven’t even migrated to Windows 8 will look at the notices and hopefully begin to plan.  It is five years in the future, and while you can still get Windows 7 today, the machines they buy today will still be in use in three years, and possibly five.

Most people just shrug and accept the operating system that comes with the computer anyway.  It’s easier and you don’t have to worry about it until it gets too many viruses and you start looking for an answer.  At $200 per “In Store” virus removal at a big box store’s “Squad”, it is probably cheaper to just “move on” and get new at the low end.

It’s not one of those doom and gloom things, after all.  You have five years.  The machine you are using to read this blather will most likely be “recycled” but it is something to consider.

If you are one of those poor folks who have soldiered on with Windows Vista, you have until April 11, 2017 – a mere two years and a bit.  Then the most hated operating system since Windows 8.0 will be completely unsupported, just like the dearly departed Windows XP.

To be fair, once you get all the Service Packs, Bug Fixes, and Additional Changes installed in Windows Vista, it works fairly well.  It’s just bloated, slow, and you’ll be better off on Windows 8.1 as well.

But for Windows 7, this means that you will still get patches, just no new features.  Virus updates, bug fixes, and any other patches will get sent along as usual, but nothing really new.

Oh, and about that old computer?  If it runs Windows 7, it probably can run Windows 8.  If it runs Windows 7, I am certain it can run some variation of Linux, and if you really are nervous about support, some of those server versions of Linux are supported for another 15 years while others get another 5 with easy upgrade paths.

After all, that is what this blog is written on – Linux on a hand me down computer.  But Linux isn’t for everyone, even if I did train a 69 year old lady and her 35 year old son how to use it. 

Great story for an interview, though!

How Do You Protect Your iPhone From Wirelurker When They Don’t Know What It Does?

I’m reading the tech news.  In reality I read it about every day and far too much of it is out there.  Your mind may haze up from time to time, and that’s normal.

There’s a new virus out there that they’re calling “Wirelurker”.  The big problem with this one is that they are still figuring out how it works and what it does.

The group that discovered the virus, Palo Alto Networks, let out a rather gloomy press release.  Basically, it said that you’re probably already infected and even if you didn’t get infected it will get you anyway through use of chargers or your Mac.

Huh?

Apparently it started as a rather fringe infection vector.  People who jailbroke their iPhones and connected to a third party app store in China called Maiyadi got it first.

Chinese third party software.  Probably not the safest out there.

What it did was to rewrite the apps that ran on the iPhone and add code to it that caused the virus to replicate and move onto the next victim.

So someone stepped out of the Walled Garden that Apple made and they got caught, end of problem, right?

Nope.

It infected their Macs, and moved on.  It also infected any other iOS devices plugged into the machines such as iPads and iPod Touch.

The recommendations for avoiding this virus are some of the broadest that I have ever seen.

This is the first time I saw a third party app store used as an illustration of a safer app store.  They recommend that if you do use third party apps, make sure it is the Cydia app store and only go to trustworthy sources.  Problem there is that you never really know since those third party app stores aren’t really looking into the source code like Apple does.

They say don’t even plug it into a charger that you don’t know about and don’t use any non-approved sources.  Since the virus is so stealthy you won’t know that your charger is infected until later – but basically that lets the rest of the Windows world in.

There’s a vulnerability with the USB devices that you have in your house.  More accurately, the USB devices you will buy to replace the ones you have now.  Plugs, cables, and chargers.  They can be rigged to push a virus into whatever they are connected to.  While this particular threat hasn’t been seen in the wild yet, give it time.  Yes, it’s doom and gloom and fear mongering, but give it time.

Thinking about a new charger?  Better make sure that you spend the extra money and get it from a recognized source. 

If the whole charger thing is questionable, their stated concern is that if you have an infected iPhone on your network, the virus will walk back to the next phone that is connected to the network via email servers and the like. 

Once it is in your phone, it can theoretically grab your address book and spam your contacts thereby sharing the fun.  This is one of the first “traditional” viruses to hit the iPhone platform.

The Apple Myth of No Viruses Here was built because they have the reputation of “vetting”, or looking over and analyzing, the software that sits on their own app stores.  If you remain in the Walled Garden, all will be well.  That is the theory and for the most part, up until now, it has worked.  However, since the infection vector is from outside of the walled garden and you have to go outside the garden to update or charge the phone, you will have a vulnerability.

The solution will be that Macs and iOS devices will need to run a virus scanner.  Once the virus definitions are kept up to date, this will clean out the problem. 

If it sounds familiar, welcome to the Windows world. 

Once the signature to the virus is found, it will get out to the Windows based virus scanners and that should clear it up as well.

But it isn’t there yet, so stay tuned.

Bottom line is that if you have an iOS device, make sure you stick with Apple’s App Store and stay tuned.

Security? Poodles? Sandworms? Here we go again.

If you have any passing interest in computer security, you have noticed a few announcements go by.

If you don’t, you may think it is overwhelming.

Yes, and Yes.

If you are worried, there’s a simple solution.  No matter what the computer, no matter what the operating system – make sure you are up to date.

Most home users are set up “from the factory” to automatically get updates.  This is true on Windows and on Mac OSX.  My Linux computers pop up a friendly sunburst to say it’s got updates too.

In both cases this will solve these two problems.

Poodle – Make sure your browser is up to date.  Windows update will fix this.  It is a low level problem that is more of a headache for systems administrators. So it’s not a major headache for most people.

The long description that 99 percent of us can skip is that it’s a bug that Google has found in Secure Sockets Layer (SSL) version 3, which is seriously out of date.  It shouldn’t be used at this point anyway, but some folks haven’t updated that.

Sandworm – It’s a worm that goes after PowerPoint files.  Since Windows machines are set up to ask you if you want to open the file, don’t.  If your computer asks you to open anything with a “.INF” extension, don’t.  That is how the worm will propagate.

How to fix it?  Home users, make sure you go through your Windows Update.  It’s a Windows problem.  But everyone else should be running the most up to date version of their operating system that they can.  If your operating system is no longer supported, it’s best that you upgrade as best you can.  No more XP for you.

While you are at it, make sure your virus protection is up to date and you may want to just force a run of a full scan.  You never know what is running around on your computers these days and it is just good practice to do this once in a while.

Got Windows? Hit Windows Update – Even Windows XP

So that bug I have been banging on about?

The one that is a bug of doom, that affects every version of Internet Explorer from Version 6 through present?

Windows XP
Windows Vista
Windows 7
Windows 8
and
Windows 8.1?

Yeah, the fix is in.

Microsoft has relented since 1/4 of the entire PC Market is still running Windows XP.  Not to patch this one would cause havoc on the Internet and crash web servers, and make little babies cry.

This morning, I started finding messages in the security blogs that mentioned it.  This bug, the 1776 bug, with a rather nasty hole has been exploited.

As far as XP is concerned, Microsoft has said in the past that while support has ceased for it, they may at their own choice make patches to it in the future.   Since this was a big one, and it is the future, take advantage of it.

Even if you don’t use Internet Explorer, you will want to get this fix.

The steps are simple.  You may have already downloaded the fix and there could be a message waiting for you to either shut down or restart your computer to apply the fix.

If not, just:

Click Start
Click Control Panel
Click Windows Update
Click Install Updates

and you’re on your way!

Now, if you will excuse me, my computer wants to be restarted.  I guess I really do need to take a break anyway!

Now Homeland Security Suggests You Stop Using Internet Explorer Especially With Windows XP

You know things are getting dicey when the Department of Homeland Security gets involved.

Personally I never liked Internet Explorer.   It’s the browser that is baked into every version of Microsoft Windows out there since Windows 95.   The problem is that it’s a single point of failure.   If there’s a deep problem with the browser, your whole computer is at risk.   Slowdowns caused by Internet Explorer are common, and in my own experience it runs like a “Lead Sled”.

I try to use another browser wherever possible.

Now a little more tech jargon.  You may have read about some shadowy problems.  A “Zero Day” or “0-Day” attack.   Simply put, it is an attack at that low level of your software.  You won’t even know that you “got hit” and will be added to a hacker’s portfolio.

Every version of Internet Explorer that is in use since version 2 is involved in this mess.   No matter what version of Windows you are using, you are at risk.  Since they aren’t updating that old software, you really should have upgraded that old copy of Windows 95 well before now.

There is a fix from Microsoft, and you can now get it in Windows Update, and it didn’t even whine at me to restart Windows 8.1.  Until you do, there are a few things to consider.

First, get a second browser.   I prefer Firefox, others choose Chrome, still more choose Safari, and there is always Opera.   Pick one and use it.  It is your choice!

Second, if you are on Windows XP, you need to upgrade, Now.  Windows XP will not be fixed at this point.  Microsoft may go back on its word, but you are at this point vulnerable.

Third, there is another wrinkle to this mess – Flash.  It’s the most common way most people look at those cute cat videos and the video that I embedded below about this bug.  It has its own Zero Day exploit and needs to be upgraded to version 13.  This Flash Bug is also a problem for Mac OSX and Linux, so I will have a busy day upgrading things around the house.  Basically everyone gets hit by this one no matter what computer you have!

With Windows 7 and Firefox, you can check by following these steps:

  1. Start Firefox.
  2. Follow this link to the Plug In Checker.  It will open in a new page or browser window.
  3. Any plugins that you run that are out of date will show up with a red button on the right that says “Update Now” – click that button.
  4. It will open another page for Flash.  
  5. Click the check box to refuse the offer of McAfee Security Scan Plus since you just do NOT need that software.
  6. Click the Yellow Install Now Button.
  7. It will open another page, wait a bit, then ask you to save a program.
  8. When your download is complete, run the installer to update.  Flash does not do this behind the scenes.  You will find it in your downloads directory and you will have to run it separately.  The program it downloaded was called “install_flashplayer13x32_mssd_aaa_aih.exe” but it will change through time and versions.
  9. It will ask you if you want to install it, and personally I tell it to tell me to upgrade instead of doing it automatically.   Personal preference.
  10. When you get the green check and the “Installation Complete” message, you can click Finish.
  11. It will then bring up a message saying that you’re done and ask you if you want to get this fantastic deal from someone who I can’t see because my ad blocker has blocked it.   Shoo, Adobe, I don’t want your deals!

Yeah, 11 steps but it goes quickly.

Microsoft has a fix out now for Internet Explorer, but you really do need to get a different browser.   One that supports ad blocking since they’re also a vector for spyware and viruses.

The video from USA Today is at this link if you want to see if your Flash has been updated.

Now It Looks Like Windows XP Will Get Virus Updates After All

Microsoft blinked.

After saying that as of April 8, 2014 XP users will get nothing from Microsoft, they changed their minds a little.  It is a reprieve, and a temporary one at that.

Microsoft will provide Virus Warnings until July 14, 2015.

Bastille Day?  Interesting choice.  All the virus writers will have to wait to storm the defenses until that day.

Of course, if you are using some other virus scanner like McAfee or Norton, they will continue to support you like they have been.

This doesn’t mean that they promised to provide fixes in Windows Updates; the holes that scare the IT Guy at your office will still be there.   It only means that they will be providing updates to their anti virus program, Microsoft Security Essentials for Windows XP, until that date.  You will still be targeted by virus writers for those holes in the system.

Microsoft Security Essentials is the same program that runs on Windows Vista and Windows 7 and is included or “baked in” to Windows 8 and 8.1.   It seems like the virus signature file downloads are most likely the same in both products but there’s a switch somewhere that will be thrown to stop it from working with Windows XP.

Planned Obsolescence.  Pay more and upgrade or else.

Their response is straightforward – upgrade to a newer operating system.

This might be why I have so many Linux based computers around these days… But for people who don’t want to learn a new operating system, don’t stick with XP – the holes will still let the viruses get in, and if the antivirus doesn’t catch them, you won’t get a fix from Microsoft.  If you really are against learning a new Operating System, Windows 7 is the closest thing that you can get for that old beater of a computer that looks “normal”… you know – looks like XP.  Even Windows 7 may not save you if you have a really old machine with less than 2GB of memory, but Linux would run comfortably on most machines in that class.

Most.  Don’t get silly, that old Pentium 4 needs to be recycled.  I could get something to run on that, but it would be limited and I’m not really interested in doing free support.

Also, if you really are going to keep your old machine and upgrade to Windows 7, remember that Windows 7 is an install not an upgrade.

About 30% of all desktop computers run some form of Windows XP.  I’ve read statistics that “Some Form Of Windows XP runs on 95% of all ATM Machines in the US”, although I really doubt that statistic.   That “Some Form” is probably Windows XP Embedded which is a very different monster than what you know and love on your desktop computer.   The networking component has been made more secure, although you have to wonder just how secure it really is.

I’ll stick with my earlier comments, time to upgrade folks.  XP is about to XPire.