
Hacking

Wednesday, December 12, 2007

Permanent Link For ipfw Rules

By Rich

Looks like the ipfw rules project that Chris is leading is pretty popular. We’ve set up a permanent link that we’ll redirect to the latest version as we keep refining this thing.

You can find it here.

Thanks again to everyone who has helped on this project.

–Rich

Tuesday, December 11, 2007

ipfw Rules, v2007/12/12

By reppep

Based on extensive feedback, these rules are now much improved over the initial draft. Thanks, all!

All the versions of this post are getting out of hand, so Rich has provided a permanent URL for the current Leopard ipfw post for future reference. Please use that link, so future visitors get the latest and greatest.

Chris


# DO NOT USE THESE RULES without customizing them first!
# Version: 2007/12/12

# For more information, see http://securosis.com/2007/11/15/ipfw-rules/
# & http://securosis.com/2007/11/16/ipfw-rules-20071116-revision/#comments

# These rules *MUST* be customized to your requirements.
# In particular, if you have a private home network (behind an AirPort
# Base Station, Linksys WRT54G, etc.), change "10.42.24.0/24" below to
# your private network range; duplicate rules with different ranges if
# you use this computer on multiple networks.
# Additionally, allow only ports you actually use; block unused ports.

# Thanks to:
# Rich Mogull http://securosis.com
# windexh8er: http://www.slash32.com/
# Rob
# Lee: http://thnetos.wordpress.com/
# Josh
# Chris Pepper http://www.extrapepperoni.com/
# Apple (Server Admin is a good way to create an ipfw ruleset)
# http://www.apple.com/server/macosx/
# FreeBSD (where Apple got ipfw) http://www.freebsd.org/

# We don't really want this, but it's unavoidable on Mac OS X Server, so
# document it here (serialnumberd).
# 100 allow udp from any 626 to any dst-port 626

# Let me talk to myself over the loopback.
add 200 allow ip from any to any via lo0

# Loopback traffic on a 'real' interface is bogus.
add 300 deny log logamount 1000 ip from any to 127.0.0.0/8

# Block multicast unless you need it.
add 400 deny log logamount 1000 ip from 224.0.0.0/4 to any in

# If we let a conversation begin, let it continue.
# Let my clients go! (keep-state creates a dynamic rule for each outbound
# flow and implicitly check-states inbound packets against it, so replies
# are accepted here without a separate check-state rule.)
add 500 allow tcp from any to any out keep-state
add 510 allow udp from any to any out keep-state

# Block replies, if we don't recall initiating the conversation.
# (Stragglers from sessions whose dynamic rule has already expired also
# land here, so expect some noise in the log.)
add 520 deny log tcp from any to any established in

# Allow DHCP responses (keep-state can't handle DHCP broadcasts).
add 600 allow udp from any to any src-port 67 dst-port 68 in

# Fragments: denied here; change to allow if you actually need them.
# Non-first fragments carry no UDP header, so they can't be matched on
# ports, which is why they get their own rule.
add 700 deny udp from any to any in frag

# Let yourself ping.
add 1000 allow icmp from 10.42.24.0/24 to any icmptypes 8

# Server Admin provides these by default.
add 1100 allow icmp from any to any icmptypes 0
add 1110 allow igmp from any to any

# mDNS (Bonjour) from trusted local networks (fill in your own,
# preferably non-standard, networks after 'from').
# For Back to My Mac, you might need this from 'any'.
add 5000 allow udp from 10.42.24.0/24 to any dst-port 5353
add 5010 allow udp from 10.42.24.0/24 5353 to any dst-port 1024-65535 in

# ssh: should be restricted to trusted networks if at all possible; if
# open to the Internet, make sure you don't have "PermitRootLogin yes"
# in sshd_config (at least use "PermitRootLogin without-password", please!)
add 5200 allow tcp from any to any dst-port 22

# iTunes music sharing
add 5300 allow tcp from 10.42.24.0/24 to any dst-port 3689

# AFP
add 5400 allow tcp from 10.42.24.0/24 to any dst-port 548

# HTTP (Apache); HTTPS
add 5500 allow tcp from any to any dst-port 80
add 5510 allow tcp from any to any dst-port 443

# L2TP VPN: is this complete?
add 5600 allow udp from any to any dst-port 1701
add 5610 allow esp from any to any
add 5620 allow udp from any to any dst-port 500
add 5630 allow udp from any to any dst-port 4500

# iChat: local
add 5700 allow tcp from 10.42.24.0/24 to any dst-port 5298
add 5710 allow udp from 10.42.24.0/24 to any dst-port 5298
add 5720 allow udp from 10.42.24.0/24 to any dst-port 5297,5678

# Server Admin SSL (Mac OS X Server only)
add 5800 allow tcp from 10.42.24.0/24 to any dst-port 311
add 5810 allow tcp from 10.42.24.0/24 to any dst-port 427
add 5820 allow udp from 10.42.24.0/24 to any dst-port 427

# syslog (uncommon)
add 5900 allow udp from 10.42.24.0/24 to any dst-port 514

# ipp (CUPS printing)
add 6000 allow tcp from 10.42.24.0/24 to any dst-port 631

# MTU discovery
add 10000 allow icmp from any to any icmptypes 3

# Source quench
add 10100 allow icmp from any to any icmptypes 4

# Ping out; accept ping answers.
add 10200 allow icmp from any to any icmptypes 8 out
add 10210 allow icmp from any to any icmptypes 0 in

# Allow outbound traceroute.
add 10300 allow icmp from any to any icmptypes 11 in

# My default policy: log and drop anything that hasn't matched an allow
# rule above
add 65534 deny log logamount 1000 ip from any to any

# Hard-coded default allow rule (compiled into Darwin kernel). Shown for
# reference only: rule 65535 is built in and can't be added or deleted,
# which is why 65534 above does the real default deny.
# add 65535 allow ip from any to any

–reppep

Thursday, November 15, 2007

ipfw Rules, 2007/11/15 revision

By reppep

Rules revised.

As suggested by windexh8er, here’s a set of ipfw rules to customize for your own Macs or FreeBSD systems. Note that your private home network should use a non-standard IP range, both so that a VPN still works when the network you are connecting from uses one of the common default ranges, and for improved security, so your personal allow rules don’t match other networks you may find yourself wandering through.

The rules are below, but you’ll probably have an easier time if you download the rule file from http://securosis.com/wp-content/uploads/2007/11/ipfw-securosis.txt.

In WaterRoof, you can import these rules with “Tools > Rules Configuration > Import rules from file...”. To check your ipfw rules, use “sudo ipfw list”. When you’re satisfied with your rules, install them for future reboots with “Tools > Rules Configuration > Save to startup configuration” and “Tools > Startup Script > Install Startup Script”.
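Before importing, it is worth checking mechanically for the two things the post keeps warning about: rules that still carry the placeholder network 10.42.24.0/24 (the file has not been customized), and allow rules that expose a TCP/UDP service to any source rather than to your trusted network. The POSIX shell script below is an added example written for this page; it is not part of the Securosis ruleset or of WaterRoof. It reads a rule file in the format shown on this page, ignores commented-out rules, and reports both conditions. The sample rule file it writes is constructed here for illustration and is much shorter than the real ruleset.

```shell
#!/bin/sh
# Pre-flight audit for an ipfw rule file (added example, not part of the
# Securosis ruleset). Implements two of the post's own warnings as checks:
#   1. rules that still carry the placeholder network 10.42.24.0/24
#   2. 'allow' rules for TCP/UDP services whose source is 'any' and that
#      are not restricted to 'out', i.e. ports reachable from the Internet
# Commented-out rules ('#') are stripped first, so disabled rules do not
# show up. Protocol-level allows without a port (esp, icmp, igmp) are not
# covered by check 2 and still need a manual look.

PLACEHOLDER_NET="10.42.24.0/24"

# Drop everything after '#' on each line.
strip_comments() {
    sed -e 's/#.*$//' "$1"
}

# Print the numbers of active rules that still reference the placeholder.
uncustomized_rules() {
    strip_comments "$1" | awk -v net="$PLACEHOLDER_NET" '
        $1 == "add" && index($0, net) { print $2 }'
}

# Print "rulenum proto dst-port" for allow rules that accept traffic from
# any source and are not limited to outbound packets.
exposed_services() {
    strip_comments "$1" | awk '
        $1 == "add" && $3 == "allow" {
            from = 0; out = 0; port = ""
            for (i = 4; i <= NF; i++) {
                if ($i == "from")     from = i
                if ($i == "out")      out  = 1
                if ($i == "dst-port") port = $(i + 1)
            }
            # in ipfw syntax the protocol keyword sits right before "from"
            if (from && $(from + 1) == "any" && !out && port != "")
                print $2, $(from - 1), port
        }'
}

# Constructed sample rule file, modelled on (but much shorter than) the
# ruleset in the post.
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample, not the full Securosis ruleset
add 200 allow ip from any to any via lo0
add 500 allow tcp from any to any out keep-state
add 510 allow udp from any to any out keep-state
add 5010 allow udp from 10.42.24.0/24 5353 to any dst-port 1024-65535 in
add 5200 allow tcp from any to any dst-port 22
# add 5300 allow tcp from 10.42.24.0/24 to any dst-port 3689
add 5400 allow tcp from 10.42.24.0/24 to any dst-port 548
add 5500 allow tcp from any to any dst-port 80
# add 5510 allow tcp from any to any dst-port 443
add 65534 deny log logamount 1000 ip from any to any
EOF
}

# Usage: audit_rules /path/to/ipfw.rules
audit_rules() {
    echo "Rules still using placeholder $PLACEHOLDER_NET:"
    uncustomized_rules "$1" | sed 's/^/  rule /'
    echo "Services open to any source (rule proto port):"
    exposed_services "$1" | sed 's/^/  /'
}

# Run directly against a rule file given on the command line.
if [ $# -gt 0 ]; then
    audit_rules "$1"
fi
```

Run it as `sh ipfw-audit.sh ipfw-securosis.txt` before importing; on the sample file it lists rules 5010 and 5400 as uncustomized and flags 22/tcp and 80/tcp as open to any source, while the commented-out 3689 and 443 rules are correctly ignored. Anything in the second list should either be a service you deliberately run for the whole Internet or get a trusted-network source like the AFP and iTunes rules have.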

# DO NOT USE THESE RULES without customizing them first!
# Version: 2007/11/15

# For more information, see http://securosis.com/2007/11/15/ipfw-rules/

# These rules *MUST* be customized to your requirements.
# In particular, if you have a private home network (behind an AirPort
# Base Station, Linksys WRT54G, etc.), change "10.42.24.0/24" below to
# your private network range.
# Additionally, allow only ports you actually use; other ports should be
# blocked by the ipfw firewall.

# Thanks to:
# Rich Mogull http://securosis.com
# windexh8er: http://www.slash32.com/
# Lee: http://thnetos.wordpress.com/
# Chris Pepper http://www.extrapepperoni.com/
# Apple (Server Admin is a good way to create an ipfw ruleset)
# http://www.apple.com/server/macosx/
# FreeBSD (where Apple got ipfw) http://www.freebsd.org/

# We don't really want this, but it's unavoidable on Mac OS X Server, so
# document it here (serialnumberd)
# 100 allow udp from any 626 to any dst-port 626

# Let me talk to myself over the loopback
add 200 allow ip from any to any via lo0

# Loopback addresses on non-loopback interfaces are bogus
add 300 deny log logamount 1000 ip from any to 127.0.0.0/8
add 310 deny log logamount 1000 ip from 224.0.0.0/4 to any in

# Block multicast if you don't use it
# add 400 deny log ip from 224.0.0.0/4 to any in

# Accept responses to my client programs
add 500 check-state

# If we let the conversation begin, let it continue
add 600 allow tcp from any to any established

# Let my programs get out.
add 700 allow tcp from any to any out keep-state
add 710 allow udp from any to any out keep-state

# Change this to DENY fragments if you don't need them.
add 800 allow udp from any to any in frag

# Block bogus inbounds that claim they were established
# add 900 deny log tcp from any to any established in

# add 1000 allow icmp from 10.9.7.0/24 to any icmptypes 8

# Server Admin provides these by default
add 1100 allow icmp from any to any icmptypes 0
add 1110 allow igmp from any to any

# mDNS (Bonjour) from trusted local networks (fill in your own,
# preferably non-standard, networks after 'from')
# For Back to My Mac, you might need this from 'any'
# add 5000 allow udp from 10.42.24.0/24 to any dst-port 5353
# add 5010 allow udp from 10.42.24.0/24 5353 to any dst-port 1024-65535 in

# DNS (note TCP is required, but this one should scare you -- much
# better to only allow packets from your trusted nameservers, if you
# always use the same ones)
add 5100 allow tcp from any to any dst-port 53
add 5110 allow udp from any to any dst-port 53
add 5120 allow tcp from any to any dst-port 53 out keep-state
add 5130 allow udp from any to any dst-port 53 out keep-state

# ssh
add 5200 allow tcp from any to any dst-port 22

# iTunes music sharing
#add 5300 allow tcp from 10.42.24.0/24 to any dst-port 3689

# AFP
#add 5400 allow tcp from 10.42.24.0/24 to any dst-port 548

# HTTP (Apache); HTTPS
# add 5500 allow tcp from any to any dst-port 80
# add 5510 allow tcp from any to any dst-port 443

# L2TP VPN
# add 5600 allow udp from any to any dst-port 1701
# add 5610 allow esp from any to any
# add 5620 allow udp from any to any dst-port 500
# add 5630 allow udp from any to any dst-port 4500

# iChat: local
#add 5700 allow tcp from 10.42.24.0/24 to any dst-port 5298
#add 5710 allow udp from 10.42.24.0/24 to any dst-port 5298
#add 5720 allow udp from 10.42.24.0/24 to any dst-port 5297,5678

# Server Admin SSL (Mac OS X Server only)
# add 5800 allow tcp from 10.42.24.0/24 to any dst-port 311
# add 5810 allow tcp from 10.42.24.0/24 to any dst-port 427
# add 5820 allow udp from 10.42.24.0/24 to any dst-port 427

# syslog
# add 5900 allow udp from 10.42.24.0/24 to any dst-port 514

# ipp (CUPS printing)
# add 6000 allow tcp from 10.42.24.0/24 to any dst-port 631

# MTU discovery
add 10000 allow icmp from any to any icmptypes 3

# Source quench
add 10100 allow icmp from any to any icmptypes 4

# Ping out; accept ping answers
add 10200 allow icmp from any to any icmptypes 8 out
add 10210 allow icmp from any to any icmptypes 0 in

# Allow me to traceroute
add 10300 allow icmp from any to any icmptypes 11 in

# My default policy: log and drop anything that hasn't matched an allow
# rule above
add 65534 deny log logamount 1000 ip from any to any

# Hard-coded default allow rule (compiled into Darwin kernel)
add 65535 allow ip from any to any

–reppep

Wednesday, August 29, 2007

Sorry Cutaway, Hacking is Still For Fun

By Rich

In a recent post at Security Ripcord, Cutaway says:

Let me elaborate on the second topic a little more. The days of hacking for fun are over. I think it is safe to say that nearly everybody has come to that realization (there may be a few holdouts in upper management but they will not last long). This means that the stakes are higher for the good guys and the bad guys.

Sure, the stakes might be higher, but don’t always equate hacking with security research. Hacking is fun. Research is work. Sometimes they overlap. Let’s not take the sense of wonder out of hacking, which is an exercise in exploration, just because the term also applies to the occasional transgressions of bad guys.

Of course I know Cutaway knows this (Mystery Challenge and all), but like any good blogger I’m taking something out of context to have a little fun and make a point.

–Rich

Friday, January 12, 2007

How Full Disclosure is Like Torture

By Rich

No, I’m not calling all security researchers torturers. Before you flame me, read the post…

Not that I have any personal experience (beyond sitting through Black Dog the day my girlfriend dumped me), but torture is one of those things that rarely seems to give you the results you want, and even when it seems to work it comes at an incredibly high cost.

As I mentioned in the Three Dirty Secrets of Disclosure post, full disclosure, especially “no-knock” full disclosure (releasing everything before even reporting it to the vendor) helps the bad guys more than the good guys. End users don’t have the time or skill, in most cases, to protect themselves. They’re still beholden to their vendor to provide a solution, but now even the lesser-skilled bad guys have a new way to attack.

So how is full disclosure like torture?

It’s more valuable as a threat. Once used, you can’t take it back, it rarely gives you the results you want, and everyone involved is hurt. Actually, unlike torture, full disclosure hurts innocent bystanders in the process too.

Some researchers think full disclosure forces vendors to respond and patch. Maybe; but in my experience vendors resist torture like James Bond and end up escaping and just getting really vengeful in the process.

I think we need full disclosure as a tool in our arsenal, and that most of the researchers dropping these vulnerabilities think they’re doing good, but full disclosure needs to be a last resort, not a first strike. It’s more powerful as an ever-present threat hanging over the heads of the most unresponsive of vendors. Dropping vulnerabilities and proof of concept code on a daily basis just hardens the vendors and lets them paint you as an out-of-control rogue.

You might think you’re saving the free world, but you’re no Jack Bauer.

–Rich

Friday, November 17, 2006

More Wireless Kernel Bugs With Exploits: This Time It’s Netgear

By Rich

The Month of Kernel Bugs has released their latest vulnerability.

There’s also a Metasploit exploit module.

I’m not going to post every time one of these pops up, but hopefully this puts some of the wireless flaw debates to bed.

–Rich

Saturday, November 11, 2006

New Wireless Exploit- Very Nasty, Patch or Shutoff Now!

By Rich

A new wireless exploit was released today over at the Month of Kernel Bugs affecting the Broadcom wireless chip set (one of the most widely used in the industry).

Just because you didn’t purchase anything with “Broadcom” in the name doesn’t mean you aren’t using it, since they provide the chips to a lot of manufacturers including HP, Dell, Gateway, eMachines, and Linksys.

There is already a Metasploit module, which means anyone with a modicum of technical skills, a wireless card, and a web browser can take over any vulnerable computer in wireless range.

If you use wireless, at all, it’s just a good time to go update your wireless drivers.

Although Broadcom released patched drivers, not every PC manufacturer has updated their versions. George Ou has instructions on using the Linksys drivers to update any Windows system, but I suggest most of you just be careful with your wireless in public places and wait for official patches from your hardware provider. Keep an eye out over at SANS, which is the best place to track these sorts of incidents.

Oh. Before I forget.

We told you so.

–Rich

Monday, November 06, 2006

Stop Using IE… Umm… Again… For Now. Anyone on Lynx?

By Rich

An unpatched vulnerability being exploited in the wild.

When I’m on a Windows system (I run it virtualized on my Mac for work) I tend to use multiple browsers since even Firefox has issues at times.

I even do this on my Mac- running Firefox and Safari, switching between the two depending on where I’m going.

But at this rate I’m going back to Lynx.

(And if you go to “those” sites do yourself a favor and only browse from a virtual machine you reset after every use).

–Rich

Saturday, November 04, 2006

Update: No Bluetooth 0day Vulnerability, but a New Exploit

By Rich

After reviewing the materials I could find online I directly contacted Thierry Zoller and he was kind enough to respond with more details. In his words (with permission). Short version is the flaw is well patched, but the exploit is a new technique of getting a remote shell. No kernel bugs this time:

Dear Rich Mogull,

RM> Saw the ISC entry on your BT attacks. I’ve been writing a bit on this
RM> issue and am wondering if you have any time for a couple quick
RM> questions?
RM> 1. Are currently patched Macs safe (OS X 10.4.8, 10.3.9)?

Yes! The underlying flaw has been patched for more than a year! I also mentioned and stressed this during my talk; that was the reason to release the source code. HOWEVER, and I also stressed this, the reason WHY this is marked as 0-day is that having a REMOTE SHELL over Bluetooth is something nobody knew and noticed, and yet it was feasible for over a year.

RM> 2. Where’s the flaw- is this a device driver exploit that drops you
RM> into kernel space?

No, it’s a plain dumb directory traversal bug in the OBEX FTP server; Kevin used it to upload binaries/a local root exploit to special directories. He then planted an Autostart using the INPUTMANAGER (a feature of Mac OS). Then, after getting root through the local exploit (automated), he bound an RFCOMM shell to /etc/tty, replacing the existing RFCOMM port 3 with a shell. And that’s it. No kernel space bugs demonstrated.

– http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7

–Rich

Wednesday, November 01, 2006

Month of Kernel Bugs Starts With Apple: November Should be Fun

By Rich

The first flaw isn’t all that interesting (affecting older PowerBooks, and only under certain conditions) but methinks November will be pretty darn interesting:

http://blogs.zdnet.com/Ou/?p=359

http://kernelfun.blogspot.com/

http://www.securityfocus.com/brief/344

http://blog.washingtonpost.com/securityfix/2006/11/exploit_released_for_unpatched_1.html

http://www.mckeay.net/secure/2006/11/a_month_of_kernel_bugs.html

More later, but the nasty ones to watch out for will, I expect, generally be either wireless drivers (like this one) or file systems (think malicious USB keys).

Remember, these all run in ring 0 and can do pretty much whatever they want.

For the record, I really don’t like full disclosure of 0 days like this, but I suppose it will draw needed attention to a nasty issue. I’d prefer to see it handled more responsibly than dumping code on the Internet.

(Updated 9/2: I was reminded that deauthenticating a Mac using something like Void11 or KisMac can cause the vulnerable condition).

–Rich

Saturday, October 21, 2006

It’s Time to Turn Off WiFi and Bluetooth When Not In Use (Mac or PC)

By Rich

A little birdie pointed me to the latest post over at the Metasploit blog.

For those of you that don’t know, Metasploit is the best thing to hit penetration testing since sliced bread. To oversimplify, it’s a framework for connecting vulnerability exploits to payloads. Before Metasploit it was a real pain to convert a new vulnerability into an actual exploit. You had to figure out how to trigger the vulnerability, figure out what you could actually do once you took advantage of the vulnerability, and inject the right code into the remote system to actually do something. It was all custom programming, so script kiddies had to sit idly by until someone who actually knew how to program made a tool for them.

The Metasploit framework solves most of that by creating a standard architecture where you can plug the exploit in one end, then choose your attack payload on the other. Assuming you can script (or find) the exploit, Metasploit takes care of all the difficult programming needed to convert that exploit into something that can actually do anything. New exploits and payloads appear on a regular basis, and the tool is so easy even an analyst like me can use it (web interfaces are just so friendly).

Commercial equivalents used by penetration testers are Core Impact and Immunity Canvas. I tend to think the commercial versions are more powerful, but the open source nature of Metasploit means exploits usually appear faster, and it’s plenty powerful. Besides, any script kiddie (or analyst) can download it for free and be up and running in no time (full disclosure- I use Core Impact and Metasploit in live demos, and am on the Daily Dave email list run by Immunity).

So what the heck does this have to do with turning off wireless?

Metasploit is working on a module to transition kernel mode exploits into user mode. This is, say, exactly what you’d need to plug in a wireless driver hack on one side, and use that to create a reverse shell under root on the other. Sound familiar? This was one of the tricks Maynor demonstrated in the Black Hat wireless video (and why he didn’t need root).

The kernel runs in ring 0; this is below any concept of a user account. Think of it as the world before root even exists. When you exploit something in the kernel you’ve bypassed nearly every security control and can do whatever you want, but since you’re running at such a low level, without any user accounts, the kinds of commands we’re used to are a lot more limited. You can’t list a directory because “ls” or “dir” don’t exist yet. If you want a reverse shell, to execute user commands, or whatever, you need to convert that kernel mode access into userland access, where concepts like user accounts and shells exist. In Maynor’s case he dropped code in the kernel to create a reverse shell to his second system over a second wireless connection. Tricky stuff (so I hear, it’s not like I can do any of this myself).

The Metasploit team specifically cites wireless driver hacks as one of their reasons for adding this to the framework. With confirmed vulnerabilities on multiple platforms and devices this could foretell a new wave in remote exploits- attacks where you just need to be in wireless (including Bluetooth) range, not even on the same network. I’ve heard underground rumors of even more vulnerabilities on the way in all sorts of wireless devices. The module isn’t complete, but everything in Metasploit tends to move fast.

Based on this advancement I no longer feel confident in leaving my wireless devices running when they aren’t in use. I’m not about to shut them off completely, but my recommendation to the world at large is it’s time to turn them off when you aren’t using them.

More device driver hacks are coming in 2007, and wireless will be the big focus.

–Rich

Friday, October 13, 2006

Those Kooky Kids

By Rich

While I was out running around the country, turns out there was an interesting security article in my own backyard.

Seems the local school system can’t keep up with those innovative students exploring their network. A student was caught after hacking a teacher’s computer to steal a copy of an upcoming test.

“As a parent, I think it’s kind of scary all the technology, because the kids know more than we do,” she said. “They have different lines of communication compared to when we were growing up.” Haug added that it’s unfortunate that a student smart enough to hack into a computer did not put his intelligence to better use. But she said she is pleased that another student reported the hacker. “That’s pretty remarkable,” Haug said. “That says a lot about their morals and that they’re ethical enough to do that.”

I suspect it was another kid hitting on the same girl, but I suppose even high school kids have their ethical moments.

My brother in law works on the tech education side of a high school and has relayed some interesting stories about the problems of intelligent students on public education networks. At Symposium I met with a group from a school system struggling to limit access to MySpace and porn. The kids were avoiding URL filters by tunneling through their home computers. I used to work in higher ed, but that was in the days where we didn’t really care (well, I did, but not the higher admins).

I really feel for those of you working in public schools. School boards and activist parents (the ones not very involved with their kids’ lives, who scream and rant at the school system for fun) hold witch trials, complete with the public burning at the end, if any student so much as glances at a stray boob. Not that these kinds of parents actually monitor their kids’ Internet and TV usage at home, using it as an educational tool. When it comes to censorship, China has nothing on an inflamed school board.

Here’s the problem. Smart teenage boys + technical skills + the Internet = boobs. You can take your best precautions, but you’ll never stop them. Every high school probably has one kid who can tunnel HTTP over SSH over DNS to their proxy at home and bounce out to MyBoobs.com.

I made some suggestions to the clients that should reduce their exposure significantly, but also told them that if they’d face disciplinary action should that smart kid go public, they might as well polish up their resumes now.

What’s a school district to do? Start by accepting you can’t control the Internet. Then install whatever reasonable security controls you can afford, especially a good URL filter and endpoint protection for teachers’ computers. Be smart about it- high school students will need to research breast cancer and read National Geographic; don’t low-ball and buy some tool that won’t even let them research Essex County.

Most important? Educate teachers and parents. Parents should actively participate online with their kids.

Nothing else will work. And there’s no humanly possible way to keep a teenage boy from his boobs. Trust me.

–Rich

Thursday, September 21, 2006

Sore Apples- Apple Updates Mac Wireless Drivers (With Prejudice)

By Rich

So Apple issued an update for the Mac wireless drivers to prevent a buffer overflow, but denies SecureWorks provided them anything useful.

Right. We believe you. Got it. You “just happened” to discover exactly the kind of vulnerability that Maynor and Ellch demoed, but they were evil, uncooperative bad guys for hinting they might be there. Considering SecureWorks works responsibly with all sorts of other vendors in the market I suspect the anger may be a tad misplaced.

Come on Apple; all software has vulnerabilities. It’s time to stop putting PR in charge of vulnerability management.

To quote the Macworld article linked above:

The internal audit came as a result of claims by a senior researcher at SecureWorks that said he had revealed a vulnerability in Apple’s MacBook wireless software driver that would allow him to take control of the machine. SecureWorks later clarified its position and said it had used a third-party driver and not Apple’s driver. Apple has maintained that SecureWorks has provided no proof that Mac drivers are vulnerable in any way. “They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit,” Apple spokesman, Anuj Nayar, told Macworld. “Today’s update preemptively strengthens our drivers against potential vulnerabilities, and while it addresses issues found internally by Apple, we are open to hearing from security researchers on how to improve security on the Mac.” According to the update issued by Apple, two separate stack buffer overflows exist in the AirPort wireless driver’s handling of malformed frames. An attacker in local proximity may be able to trigger an overflow by injecting a maliciously crafted frame into a wireless network. When the AirPort is on, this could lead to arbitrary code execution with system privileges.

It seems Apple also found some flaws in PowerPC systems, not just Intel Macs. At least the research spurred by Maynor and Ellch’s Black Hat/Defcon disclosures is improving security across the entire Mac product line.

But seriously- stop the security PR game or you’ll end up like Microsoft a few years ago…

edited 11pm : just want to state that based on additional information I believe it’s quite probable specific vulnerability details, especially on PPC, were discovered independently via Apple’s internal audit. My criticism is of the vitriolic handling of the situation when I believe this could have been resolved more quickly and responsibly had Apple played less with PR, and more with the researchers who obviously found something.

–Rich

Wednesday, September 20, 2006

We Did Warn You, Didn’t We…

By Rich

New IE Flaw Exploited on Porn Sites

Now we did warn you, and I quote:

Especially if you go to “those” sites. Yes, you. Stop pretending you don’t know what I’m talking about.

For the record “those sites” are porn and gambling. So you poker addicts are next. And you file sharers- don’t start thinking you’re all safe or something. Those torrent trackers are web pages you know.

Of course Disney World fingerprints everyone these days, so maybe they’ll pick this up.

–Rich

Saturday, September 16, 2006

Stop Using Internet Explorer (for now)! Today! Seriously!

By Rich

Symantec has just reported a new 0day security vulnerability in Internet Explorer that could allow someone to take over your computer.

For you non-geeks a 0day (or zero-day, or 0-day) is a vulnerability without a patch. In other words, you can’t fix the flaw on your computer so you either have to block the attacks before they hit you or disable the vulnerable software.

While details are sketchy it looks like this particular vulnerability could allow an attacker to take over your computer when you visit a website with the attack code on it. This isn’t the first time we’ve seen this in Internet Explorer (and a few other browsers) but if you’ve ever found some nasty spyware or a bot on your computer it’s quite possible this is how you got it.

Especially if you go to “those” sites. Yes, you. Stop pretending you don’t know what I’m talking about.

While you can turn off ActiveX in your browser at this point I recommend using an alternate browser until this flaw is patched. If you’re reading this site odds are you already use Firefox, but if not go and install it right now by clicking here.

You can also download the beta of Internet Explorer 7, which seems to be safe.

You Mac users are safe. Personally I use Safari and Firefox on my Mac, but I still use Internet Explorer for some sites on my PCs. Rumor is IE7 is pretty good, and much more secure than current versions, for those of you that want to keep using IE.

Don’t forget to tell grandma…

–Rich