
jdh
September 7th, 2007, 08:51 AM
Secunia Personal Software Inspector

The Secunia PSI detects installed software and categorises your software as either Insecure, End-of-Life, or Up-To-Date.

https://psi.secunia.com/

I think this deserves a serious look by many Windows PC users. I'd run it myself, but my Windows is obsolete (98).

I forgot: the online scan is here: http://secunia.com/software_inspector/ The online version probably uses Java or ActiveX, I assume, to implement its scan.

DH

earler
September 7th, 2007, 09:26 AM
Yes, Secunia is very good and worth using by everyone running Windows.

jdh
September 18th, 2007, 09:21 PM
I tried the online scan on a Win XP PC.

It told me that I had an insecure version of Adobe Acrobat Reader, version 5.??, installed. So I downloaded the latest version, 8. I did not really watch what I was doing. Ver. 8 was already installed. Blithely I went ahead and DL'd ver. 8 and installed it. The DL exe did a REPAIR when run. So I don't really know if there was any vulnerability at all.

When I realized that ver. 8 had already been installed, I thought that maybe there were two versions of Reader on the PC. Went to Control Panel Add/Remove programs. No trace of ver. 5.

Tentative conclusion: there were some traces of ver. 5 somewhere and the Secunia PSI online scan assumed that version was actually in place. Who knows, maybe there was/is a vulnerable Reader exe/dll somewhere on the PC.

Anyway, from now on I'll do the updates through the particular individual plug-in / app. itself instead of innocently clicking on the DL URLs provided by Secunia. I.e. let Secunia raise the suspicion flag on an app. but let the app. itself decide if it's out of date or not.

Anyway, no harm done yet, AFAIK.

David H

davidh
January 19th, 2008, 12:04 PM
I finally tried downloading and installing Secunia's PSI (instead of the online scan). It's much faster than the online scan, but you still need to be connected to the web site to get the database of app signatures.

I configured it not to load when Windows starts, so therefore I only do scans "on demand" instead of "regularly"/automatically.

It, like the online scan, does still alert on "harmless junk". In any case, figuring out which junk is harmless, which is potentially harmful, and how to remove it when standard uninstall methods still leave junk is still more or less a PITA. This is especially true for Sun Java JREs and for Adobe (Macromedia) Flash Player. I suppose this difficulty is somewhat understandable since, like MS IE, both the JRE and Flash might be considered to be either part of the OS and/or an 'alternate' OS.

FWIW,

David H

davidh
February 14th, 2008, 07:24 PM
Updating third-party software: The Good, the Bad and the Ugly
Published: 2008-02-14,
Last Updated: 2008-02-14 23:34:51 UTC
by Raul Siles (Version: 1)

http://isc.sans.org/diary.html?storyid=3988&rss

David H

davidh
February 14th, 2008, 08:01 PM
Tools for updating third-party software
Published: 2008-02-14,
Last Updated: 2008-02-15 00:39:10 UTC
by Raul Siles (Version: 1)

Last week we pointed out multiple vulnerabilities in commonly used client software. Several readers replied to my request asking for tools used to update third-party software, and the most recommended tool for Windows is Secunia PSI (Personal Software Inspector), still in Release Candidate (RC-1) state, for personal use only (they also have a commercial version).

Other options are UpdateStar (Windows), SUMo - Software Update Monitor (Windows), VersionTracker [Pro] (Mac and Windows), RadarSync (Windows), UDC - UpdateChecker (Windows), Belarc Advisor (Windows), and App Update Widget (Mac). For Linux you are pretty much tied to the software package manager of the distribution you like to use. I strongly encourage you to evaluate the best tool that meets your needs.

http://isc.sans.org/diary.html?storyid=3982&rss

David H

davidh
April 25th, 2008, 04:57 PM
Hundreds of thousands of SQL injections
Published: 2008-04-24,
Last Updated: 2008-04-25 13:47:50 UTC
by donald smith (Version: 2)

Hundreds of thousands of SQL injections UPDATE.
It is recommended that you [IT admin person, sys admin, etc.] block access to hxxp:/www.nihaorr1.com and the IP it resolves to, 219DOT153DOT46DOT28, at the edge or border of your network.

1.js is the file they are currently injecting. That could change, and it has been [SQL] injected into thousands of legitimate websites. Visitors to this website are “treated” to 8 different exploits for many Windows-based applications including AIM, RealPlayer, and iTunes. DO NOT visit sites that link to this site, as you are very likely to get infected. Trend Micro named the malware troj_agent.KAQ; it watches for passwords and passes them back to the controller’s IP.
http://isc.sans.org/diary.html?storyid=4331&rss


The infection on the legitimate sites is a short string of Javascript that redirects to the bad guys' web site containing the exploit payloads. Therefore it is likely that some users with good AV, a good FW, plus Firefox AND NoScript could be infected, i.e. such a user would have whitelisted (JScript enabled) the legitimate site. Oops, on the second stage of the attack NoScript probably would block the payloads, since Javascript would be blocked from the bad guys' web site by the default setting of NoScript in the user's Firefox. Of course, if the bad guys' web site had an attractive appearance it probably could succeed with social engineering to tempt a few NoScript users to enable Javascript to fully view the bad guys' web site.

This is probably a good strategy for the hackers since the Microsoft Windows Update default state is AUTOMATIC UPDATE, so 3rd party apps are probably a juicier target for exploits. So it's probably worth checking to make sure that as many of your third party plugins as possible do check automatically for updates. Don't forget too that Microsoft Office and OpenOffice are also among the possible plugins that could be attacked; it's not just multimedia and instant messaging plugins that your browsers could fire up.

DH
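The first and second stages described in the post (a legitimate site whose pages now carry a short script reference to a third-party host) are something a site owner can look for in their own rendered pages. The script below is an added example, not code from the ISC diary or from this thread: it parses page HTML, collects every <script src> and flags those whose host is neither the site's own host nor an allowlisted CDN. The sample pages are constructed, and attacker.invalid is a placeholder standing in for the redirect host named in the diary.

```python
"""Flag <script src=...> references that point off-site.

Added example, not code from the ISC diary or this thread. Page contents
below are constructed; attacker.invalid stands in for the redirect host
named in the post. Assumes the site's own scripts are served from its own
host or from a known CDN listed in the allowlist.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag (case-insensitive)."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def external_scripts(html, site_host, allowlist=()):
    """Return script URLs whose host is neither site_host nor allowlisted.

    Relative URLs ("/js/app.js") resolve to the site itself and are not
    flagged; scheme-relative ("//host/1.js") and absolute URLs are checked.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    trusted = {site_host.lower(), *(h.lower() for h in allowlist)}
    flagged = []
    for src in parser.srcs:
        host = urlparse(src).hostname  # None for relative paths
        if host and host.lower() not in trusted:
            flagged.append(src)
    return flagged


def scan_site(pages, site_host, allowlist=()):
    """Map page name -> flagged script URLs, omitting clean pages."""
    report = {}
    for name, html in pages.items():
        hits = external_scripts(html, site_host, allowlist)
        if hits:
            report[name] = hits
    return report


# Constructed sample pages (not real captures). The second page mimics the
# pattern described in the diary: a legitimate page with an appended
# <script src> pointing at a third-party host that serves the exploit JS.
CLEAN_PAGE = """<html><head><title>Catalog</title>
<script src="/js/menu.js"></script>
<script src="https://cdn.example.net/jquery.js"></script>
</head><body><p>Welcome</p></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "<p>Welcome</p>",
    '<p>Welcome</p><SCRIPT SRC="http://attacker.invalid/1.js"></SCRIPT>',
)

if __name__ == "__main__":
    pages = {"index.html": CLEAN_PAGE, "catalog.html": INJECTED_PAGE}
    print(scan_site(pages, "www.example.com", allowlist=["cdn.example.net"]))
```

Running this over a crawl of your own site (or over the HTML your database-backed pages produce) gives a quick list of pages to inspect; the allowlist keeps legitimate third-party script hosts from drowning out the one that does not belong.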

davidh
April 25th, 2008, 05:10 PM
The infection on the legitimate sites is a short string of Javascript that redirects to the bad guys' web site containing the exploit payloads.

Department of Homeland Security website hacked!
Infected by massive attack sweeping the net
By Dan Goodin
Published Friday 25th April 2008 18:57 GMT

The sophisticated mass infection that's injecting attack code into hundreds of thousands of reputable web pages is growing and even infiltrated the website of the Department of Homeland Security.

While so-called SQL injections are nothing new, this latest attack, which we reported earlier, is notable for its ability to infect huge numbers of pages using only a single string of text.
http://www.theregister.co.uk/2008/04/25/mass_web_attack_grows/

DH

Dan in Saint Louis
April 25th, 2008, 05:55 PM
hxxp:/www.nihaorr1.com
Would it help or hurt to put an entry in the HOSTS file directing that address (with T's, of course) to 127.0.0.1?

davidh
April 25th, 2008, 07:34 PM
Would it help or hurt to put an entry in the HOSTS file directing that address (with T's, of course) to 127.0.0.1?

Some anti-malware programs do this. I think that the discussion of this in the article probably referred to IT staff doing it on a server or router at the office gateway.

I think putting a lot of entries in hosts file (as some anti-malware might do) could cause a network performance hit.

I personally don't bother with it.

Currently I am mainly relying on the extra levels of protection provided by the Firefox extensions:

NoScript
Finjan Safe Browsing
FireKeeper intrusion detection
McAfee SiteAdvisor

and on occasional scans of my 3rd party apps by Secunia PSI.

PSI does scan a pretty decent list of apps.

I haven't tried OpenDNS yet. Perhaps its default configuration (i.e. no software installed, just networking DNS configuration) might even protect you since I think they block malware sites via DNS. It's a free service. Their parental control (small download, I think, free) software uses domain evaluation criteria already "built in" to their DNS database.

DH

davidh
April 26th, 2008, 05:24 AM
I haven't tried OpenDNS yet. Perhaps its default configuration (i.e. no software installed, just networking DNS configuration) might even protect you since I think they block malware sites via DNS. It's a free service. Their parental control (small download, I think, free) software uses domain evaluation criteria already "built in" to their DNS database.

I found it rather hard to navigate the OpenDNS site to set up the optional/advanced features. It also seemed like the server went down while I was using it for DNS resolution. So I'm holding off on switching over to it.

However, I did find it useful in the past to have an alternate DNS while diagnosing a network (router configuration) problem.

It does block phishing sites blocked by PhishTank. PhishTank also has a Firefox add-on that does the same thing, I think. Perhaps the add-on might not perform as fast as OpenDNS; don't know.

DH

davidh
April 29th, 2008, 02:19 AM
The infection on the legitimate sites is a short string of Javascript that redirects to the bad guys' web site containing the exploit payloads. Therefore it is likely that some users with good AV, a good FW, plus Firefox AND NoScript could be infected, i.e. such a user would have whitelisted (JScript enabled) the legitimate site. Oops, on the second stage of the attack NoScript probably would block the payloads, since Javascript would be blocked from the bad guys' web site by the default setting of NoScript in the user's Firefox. Of course, if the bad guys' web site had an attractive appearance it probably could succeed with social engineering to tempt a few NoScript users to enable Javascript to fully view the bad guys' web site.

This is probably a good strategy for the hackers since the Microsoft Windows Update default state is AUTOMATIC UPDATE, so 3rd party apps are probably a juicier target for exploits. So it's probably worth checking to make sure that as many of your third party plugins as possible do check automatically for updates. Don't forget too that Microsoft Office and OpenOffice are also among the possible plugins that could be attacked; it's not just multimedia and instant messaging plugins that your browsers could fire up.

DH

Microsoft Blames Poor Coding Practices For Massive SQL Injection Attack

By Thomas Claburn
InformationWeek Mon Apr 28, 4:20 PM ET

Microsoft on Friday found itself trying to clarify that it has nothing to do with the poor coding practices that have enabled a massive SQL injection attack to affect Web sites using Microsoft IIS Web Server and Microsoft SQL Server.

"The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net, or Microsoft SQL technologies," said Bill Sisk, a communications manager at Microsoft, in a blog post. "SQL injection attacks enable malicious users to execute commands in an application's database."

Sisk said that to defend against SQL injection attacks, developers should follow secure coding practices.

SQL injection attacks involve insufficiently filtered code submitted to SQL databases through user input mechanisms.

On Friday, U.S. CERT issued a warning about SQL injection attacks that have compromised a large number of legitimate Web sites. Affected Web sites contain injected JavaScript that attempts to exploit several known vulnerabilities. U.S. CERT recommends disabling JavaScript and ActiveX.

Because otherwise legitimate Web sites deliver this attack, SANS Internet Storm Center handler Donald Smith observes that the concept of a "trusted" or "legitimate" site is no longer meaningful. The attack has reportedly affected the Web sites of the United Nations and the U.S. Department of Homeland Security, to name a few.

As I understand it, it's the concept of "garbage in, garbage out", i.e. the hacker puts garbage into the SQL database (because the database programmers do insufficient error checking on user input) and you and I then retrieve the garbage. In this case the garbage is a statement of Javascript code which redirects you and me to the bad guys' web site, where additional Javascript causes multiple exploits to be run/played on your and my computer.

So actually it's a three stage attack, but apparently it works pretty well. The first stage of the attack only needs to happen one time on each database (SQL) to be infected. The second stage would happen on the web page front end of the database server (which would normally be whitelisted as a trusted site, either in Internet Explorer "trusted sites" or in the Firefox NoScript "allowed" sites list). So normally the only place to block the attack is at the 3rd or 4th stage. Namely, block scripting at the 3rd stage coming from the bad guys' web site, or have all plugins patched on the user's PC at the 4th stage.

Hopefully some of the exploits at the 3rd stage might be caught by anti-virus scanning of files in the browser cache, but since anti-virus misses a significant percent of exploits these days, anti-virus should NOT be relied on. The last line of defense would be having a firewall that ought to block the payload in the exploit from "phoning home" to divulge private data. However, if the payload is smart enough to use another program already marked as safe by the firewall to "phone home", then it may be that having scripting blocked by the browser on non-whitelisted sites would be the most effective defense.

NoScript makes such blocking and whitelisting less of a PITA, more likely to be used, and therefore at least somewhat effective, as compared to a powerful but perhaps never used, inconvenient other tool, whatever it might be.

DH
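The "garbage in, garbage out" point above, and Sisk's remark that the fix is secure coding rather than a product patch, come down to one thing: whether user input becomes part of the SQL text. The following is an added example, not code from the thread or the articles it quotes. It uses an in-memory SQLite table as a stand-in for a site's content database, a constructed attacker string, and attacker.invalid as a placeholder for the redirect host named earlier; the vulnerable and parameterized versions of the same update are run side by side, and a render function shows why output encoding at the page is the second half of the defense.

```python
"""Stored-payload SQL injection: vulnerable and parameterized, side by side.

Added example, not code from the thread or the articles it quotes. Uses an
in-memory SQLite table standing in for a site's database; the attacker
string and note data are constructed. attacker.invalid is a placeholder for
the redirect host named in the thread.
"""
import html
import sqlite3

# The kind of fragment the attack stored in site content: once it sits in a
# text column, every page that renders that column carries it to visitors.
INJECTED_TAG = '<script src="http://attacker.invalid/1.js"></script>'

# Closes the string literal, widens the WHERE clause to every row, and
# comments out the remainder of the original statement.
PAYLOAD = INJECTED_TAG + "' WHERE 1=1 -- "


def make_db():
    """Three rows of constructed site content."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)",
                     [(1, "About us"), (2, "Contact"), (3, "News")])
    return conn


def update_note_vulnerable(conn, note_id, body):
    """User input concatenated into the statement: what the attack needs."""
    sql = "UPDATE notes SET body = '%s' WHERE id = %d" % (body, note_id)
    conn.execute(sql)
    conn.commit()


def update_note_safe(conn, note_id, body):
    """Bound parameters: the body is data and never part of the SQL text."""
    conn.execute("UPDATE notes SET body = ? WHERE id = ?", (body, note_id))
    conn.commit()


def bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM notes ORDER BY id")]


def after_attack(update_fn):
    """Apply the payload to note 3 through update_fn and return all bodies."""
    conn = make_db()
    update_fn(conn, 3, PAYLOAD)
    return bodies(conn)


def count_with_script(body_list):
    return sum(1 for b in body_list if "<script" in b.lower())


def render(body):
    """Output encoding at the page: even a stored tag comes out inert."""
    return "<p>%s</p>" % html.escape(body, quote=True)


if __name__ == "__main__":
    vuln = after_attack(update_note_vulnerable)
    print("vulnerable: %d of 3 rows now carry the tag" % count_with_script(vuln))
    safe = after_attack(update_note_safe)
    print("parameterized: %d row stores it, as text" % count_with_script(safe))
    print(render(safe[2]))
```

With the concatenated statement a single crafted input rewrites every row, which is the "single string of text" behaviour the Register piece describes; with bound parameters the same input lands in one row as an inert string, and html.escape keeps it inert when the page is built.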

davidh
April 30th, 2008, 10:23 AM
The Battle for Your Browser
By Larry Seltzer
2008-04-30

Attackers are doing a drive-by on your browser, but the defenses against such attacks are good and getting better.

Windows users have to look at the Internet as a source of unending attacks. You can defend yourself with some software and some common sense, and the defenses are set to get even better.

There are two basic popular types of malware infection these days: the Trojan horse program marketed through links in an e-mail and drive-by browser hijackings. I have a hard time getting my hands around how effective one or the other is.

The drive-by method uses a bag of JavaScript that throws a stream of attacks at the browser, one after another, hoping one will compromise it. At almost all times these attacks are patched vulnerabilities, meaning that you're basically safe from them if you keep your browser and other software up to date. Some of that software, like Flash, Acrobat and RealPlayer, are more likely to linger in old, unpatched versions, so you need to be assiduous.

A big part of the consideration for vulnerability exploits is, if they happen to execute, how much damage can they do? Microsoft has done a lot of work in this area over the last few years, aiming to restrict the ability of exploits to do much damage if they get through initial defenses.

One of my favorite Microsoft bloggers, Robert Hensing, who works in the Security Vulnerability Research and Defense group, argues that these second-level defenses are good and getting better.

The active defenses on by default in Vista are pretty good: IE Protected Mode, ASLR (Address Space Layout Randomization) and DEP (Data Execution Protection) are all examples of this. But applications have to be set up to use ASLR and DEP, and both Microsoft and ISVs have been slow to do so. These techniques are so good at rooting out bugs as well as exploits that they would be too disruptive to turn on in a blanket fashion.

Basically one might even summarize that last sentence by saying that almost all software is crap.

DH
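Seltzer's point that applications "have to be set up to use ASLR and DEP" is visible in the executable itself: a Windows image opts in by setting the DYNAMIC_BASE (0x0040) and NX_COMPAT (0x0100) bits of the optional header's DllCharacteristics field, and a DYNAMIC_BASE image can only actually be rebased if its relocations were not stripped. The following is an added example, not code from the article or the thread: a small PE header reader that reports those opt-ins, plus a builder for synthetic headers so it runs offline. The byte layouts are the documented PE32/PE32+ offsets; the sample images are constructed.

```python
"""Report DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE) opt-in bits in a PE image.

Added example, not code from the article or this thread. build_pe() makes a
synthetic header so the check can be exercised offline; pass a real .exe or
.dll path on the command line to inspect an actual file.
"""
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001         # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70              # same in PE32 and PE32+


def parse_pe(data):
    """Return (magic, coff_characteristics, dll_characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, _nsect, _ts, _symtab, _nsyms, opt_size, coff_chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short")
    dll_chars = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)[0]
    return magic, coff_chars, dll_chars


def mitigation_report(data):
    """DEP needs NX_COMPAT; ASLR needs DYNAMIC_BASE and intact relocations."""
    magic, coff_chars, dll_chars = parse_pe(data)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
                and not (coff_chars & IMAGE_FILE_RELOCS_STRIPPED),
    }


def build_pe(dll_characteristics, pe32plus=False, relocs_stripped=False):
    """Constructed minimal header (not a runnable image) for testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew
    coff_chars = 0x0002 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       1, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], mitigation_report(f.read()))
    else:
        both = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        print("opted in:", mitigation_report(build_pe(both)))
        print("opted out:", mitigation_report(build_pe(0)))
```

Run it against the plugins and players the article singles out (Flash, Acrobat, RealPlayer) to see which ones had actually been linked with /NXCOMPAT and /DYNAMICBASE; an image with neither bit set gets no benefit from Vista's DEP and ASLR on a default "opt-in" system, which is the gap Seltzer is describing.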