Non-admin accounts, Software Restriction Policies, etc etc etc etc
McRAT ensures its persistence by writing a copy of itself as a DLL and making registry modifications
Lather, rinse, repeat.
A new Java zero-day vulnerability is being exploited by attackers, and until it is patched everyone should disable Java in their browser. The vulnerability targets browsers that have the latest version of the Java plugin installed – Java v1.6 Update 41 and Java v1.7 Update 15 – malware researchers FireEye reported on Thursday …
Non-admin accounts are a good start, but can still be an issue if the 'virus' is persistent and updates from a server. The next local privilege exploit can then be used to fully own the machine.
Software restriction has worked great for me in larger businesses with AD and well defined use policies, but outside of that in the small business arena and standalone computer market it doesn't really exist in an easy to manage fashion.
Erm, so that you can install something with over 900 vulnerabilities in the kernel alone, that has to have bolt-ons like 'SEL' to even approach the inbuilt security in Windows, and that you have to run an 'experimental' file system on to even get proper ACLs? No thanks...
The number of known exploits is irrelevant as Linux is developed publicly and openly admits its faults; NTKRNL is developed in secret and no one knows how many exploits it has.
GNU/Linux also does not usually have too many services enabled by default, so is harder to exploit. Windows however sacrifices security and needs to be heavily locked down, often requiring third party software at extra cost.
As for experimental file systems, ext4 is no experiment. There are others, we give you choice, unlike other OSs.
Disagree with the AC, and agree with most of your post but
"Windows however sacrifices security and needs to be heavily locked down, often requiring third party software at extra cost"
Microsoft changed to an 'everything off by default' stance a few years ago. In 2012 you can even disable the GUI if/when you don't need it, and back on for occasional admin that's a shit in the CLI.
As Linux improves in accessibility and compatibility MS improves on security it seems. Best of both worlds on both platforms if you ask me.
If you need 3rd party tools to lock down Windows you don't - you need to fire your admin.
ext4 doesn't give you full ACLs like Windows. You need NFS4.1 for that....
The number of vulnerabilities is relevant. It's much easier to attack something with 900 known attack methods than something with, say, 100 known attack methods. The chances of a known exploit being exposed are much higher.
This can be seen in the fact that Linux based servers are far more likely to be hacked than Windows ones (even allowing for market share): http://www.zone-h.org/news/id/4737
People I know working for Microsoft tend to say that while there is more Linux on the internet, there is more Windows on the intranet.
And the mostly used webserver is of course Apache.
From your link about 2010 stats.
"But we should not speak only about the Linux servers, the Windows Servers are also in the stats, (not) surprisingly still hacked by the same flaws like in year 2000 and early. Every year we also recorded a high number of the webdav and shares misconfiguration attacks. For webdav there are tons of the updates, for shares too, administrators just need to put their hands on it and update and/or change the configuration."
I do not know why I even bother.
ACLs have been possible just installing the required tools for years.
And yes, Windows since the days of NT 4 has had much more security ACLs and granular controls than any other operating system in the world. It did not stop things like Blaster, and certainly does not stop people using Java to exploit bugs in the underlying OS, and will not prevent the millions of holes IE still has.
I do not like Windows, and I do not like Java, they have in common that they are designed to make your life easier, and do not seem to be succeeding much at it.
Windows since the days of NT 4 has had much more security ACLs and granular controls than any other operating system in the world
Complete nonsense. While Windows of the NT heritage does offer decently granular security controls, they are by no means "much more [granular] than [in] any other operating system in the world". Many "big iron" OSes, for minicomputers and mainframes, offer security subsystems that can be configured in far more exacting ways, with a stunning array of eclectic rules, than anything available in Windows. Then there are OSes which were written to meet much tighter security criteria, such as Orange Book A-level security.
Perhaps more importantly, "more granular" isn't even a valid metric, except in the most general sense. If, say, ACF2 lets you restrict signon for a particular group of users to specific days of the week, is that "more granular" than Windows restricting it to particular times of day? (ACF2 can do the latter as well - this is just an example of why "granular" isn't one-dimensional.)
In Chrome at least, Java has a pernicious habit of re-enabling itself after every bloody update, something I only find out after some site requests permission to run an applet. It's bloody annoying to have to poll the settings to make sure all the plugins I want disabled are disabled. Fix it, Google.
"There's quite a difference between running an application on Java to having a Java applet plugin enabled in your browser. Over time as OSes get more and more secure the hackers turn to something less secure. PDFs, Flash and now Java."
Of course there's a difference. That's not lost on me. Hackers /now/ turning to Flash, PDFs and Java? They turned to all of these in the 90s and have been there ever since.
No problem with the person or 50% of his posts, but if he insists on posting absurd commentary as fact then no doubt he will be reminded about it - hardly 'Eadon abuse'. Yeah, he gets a hard time, but I would expect that too if I was posting his comments. Anyway, getting publicly blasted by Trevor Pott is far closer to 'abuse' than the comments Eadon gets.
@AC22:16
OK. Have thought on your comment about he who I shall not mention, and I concede your point - there is quite a bit of that hereabouts. Therefore I have deleted my original post and posted an edited version below:
Edited version "Another one? This is like Java all through the nineties and noughties. Never ending."
Never let it be said that I do not listen to criticism. I am even big enough to say 'Sorry if it offended' to you know who.
I think that advice is wrong, just because an applet is signed it doesn't mean it's not malware. 'Very High' should be the minimum (prompt before running both signed and unsigned applets), but I don't trust Java enough now to not screw up somewhere there.
"and until it is patched everyone should disable Java in their browser."
The vast majority of users have no need to enable Java in their browser, ever. Any installer or update that re-enables the browser support without getting the user's permission first is IMHO performing an unauthorised modification and is therefore probably in breach of the law in several countries.
"A nice series of switches on the status or toolbar with enable/disable switches for Java, Javascript, Flash and other "inline" plugins which you may have installed (Office)."
Yes, more useless cruft encumbering the screen is exactly what we need, because obviously 2 clicks to access the list of enabled plugins is FAR too much effort. I mean, you need it almost once a month, come on, we seriously can't be expected to add these 2 clicks a month to our all-too-busy schedule of refreshing El Reg's comment pages!
"Not possible in Denmark. Most government/public service, bank etc... websites require it for authentication"
I did not know this. So how does the Danish government handle exploit issues, since they are forcing people to use it?
Personally I have found 1 website that requires it that I use semi-regularly.
I run disabled by default at all other times.
thumbs up for the information.
Much as I hate to rain on your parade, my reading of the blog concurs with the AC above. The attack vector and payload are two discrete objects. In theory the attack could, if it was sophisticated enough to pick up the OS flavour, download a custom package and execute that.
With Linux there are greater obstacles to overcome, for example a Linux user is unlikely to be running as root whereas in Windows that is much more likely.
Don't let that stop you hating Microsoft though... They do deserve stick for some of the crap they have pulled, just not this....
...is that Java is installed on umpty-thousand million computers and appliances worldwide.
I can live with Java not being on my computer, but when I hear about Java being used in my car to program the brakes or that it's running my washing machine; do I have to now worry about people hacking into my laundry to put a red sock into my whites and Mossad hacking into my car's braking system?
And all I want are whiter whites and my car to make a significant difference to road traffic safety.
> What sort of internet connectivity does your washing machine have?
I reckon it's only a matter of years (few of them, too) before your washing machine has its own IPv6 address. A better question would be "what kind of Java-enabled web browser does your washing machine have?". Apart from designer prototypes I can't imagine anyone browsing the web from their washing machine in the foreseeable future. Laundry rooms have a distinct tendency of being a tad less cosy than bedrooms, living rooms, or even offices (the last one may be debatable...). Maybe that will change and laundry-room web-browsing will be all the rage, but every time I ask my crystal ball about laundry-room web-browsing I feel like the abyss is gazing into me. Brrrrr
Java has extensive exceptions handling. Just because some programmers are shit and do:
try
{
// do something here
}
catch (Exception e)
{
e.printStackTrace();
System.err.println("Something went wrong");
}
Doesn't make Java bad. It's better than some sort of C++ address violation error and the details of a memory address.
> Doesn't make Java bad.
It very much does make Java an internal-use only, hack-prone, quick-and-dirty piece of (somewhat useful) shit.
In the case of Java there was too much emphasis put on the "whatever you type will work" angle and not enough on the "whatever you type won't cause an exploit" angle. In my book, that makes it a useful in-house dirty-hack-that just works language, but verily makes it a VERY bad language to be included as a browser plugin on a machine allowed to reach (and be reached) by the Wild Wild Net.
Yes, Java has extensive exceptions handling.
The language designers were so proud of it they made you put it in there twice, or three times, or four times. Each with its own finally. In every method.
If for some reason you tire of this unreadable unmaintainable mess you make every exception throwable up back to the main class where you do System.err.println("Something went wrong");
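The thread above contrasts the blanket `catch (Exception e)` with what it should be. This added example (not posted by any commenter) puts the two side by side on a constructed two-line input: the catch-all swallows every failure, including a `SecurityException` from a sandbox, and hands back a sentinel the caller will not check, while the narrow form names the one expected failure, closes the resource with try-with-resources and lets everything else propagate. The class, method and sample names are invented for illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.Optional;

public final class ExceptionStyles {
    // Constructed sample input standing in for a file or socket stream.
    static final String SAMPLE = "42\nnot-a-number\n";

    // The pattern criticised in the thread: any Exception, whether a parse
    // error, a NullPointerException or a SecurityException raised by the
    // sandbox, is logged and swallowed, and execution carries on with a
    // sentinel value the caller has no reason to check.
    static int swallowAll(String text) {
        try {
            BufferedReader r = new BufferedReader(new StringReader(text));
            r.readLine();                              // skip the first line
            return Integer.parseInt(r.readLine());     // second line is not numeric
        } catch (Exception e) {
            e.printStackTrace();
            System.err.println("Something went wrong");
            return -1;
        }
    }

    // Narrow handling: the reader is closed by try-with-resources, the one
    // anticipated bad-input case is named and mapped to an explicit "absent"
    // result, and anything unexpected (IOException, SecurityException, ...)
    // propagates to a caller that can decide what to do about it.
    static Optional<Integer> parseSecondLine(String text) throws IOException {
        try (BufferedReader r = new BufferedReader(new StringReader(text))) {
            r.readLine();
            String second = r.readLine();
            if (second == null) {
                return Optional.empty();               // input shorter than expected
            }
            return Optional.of(Integer.parseInt(second.trim()));
        } catch (NumberFormatException e) {
            return Optional.empty();                   // known bad input, no stack trace
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(swallowAll(SAMPLE));
        System.out.println(parseSecondLine(SAMPLE));
        System.out.println(parseSecondLine("1\n7\n"));
    }
}
```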
This is why no single piece of software should be installed on 90% of machines...
When IE was the dominant browser, it made a great target for hackers. Now that there is diversity in browsers, they simply move to something else where there is no diversity.
The sooner there are 3 or more implementations of something each with a decent level of market share, it becomes a far less attractive target for hackers. And if there is an unpatched 0day vulnerability it's much easier for users to switch to another implementation, even if only temporarily.
All these Oracle Sievemaster Java fans like to make noise by pointing out that Android phones supposedly run Java applications.
Android uses the Java programming language and the Android API. Java source code is compiled to run on Dalvik. They had the good sense to boot the Java API and Java Virtual Machine to the curb.
So, there is/was something wrong with Java. Developers aren't really blind fans of google/Android too. That excuse works with Apple but not Android.
Does oracle do anything to fix the problem? No. They just broke sun.com domain by buying it and nothing else.
That is what I talk about.
I am no expert on security at all. But would it, perhaps, be an interesting topic to discuss how those vulnerabilities are found? Adobe, Windows and I suppose Java are closed source (not sure about Java now). So how are those vulnerabilities found? Just trial and error, or are those attackers so damned educated that they read the binary code (like we did a long time ago)?