Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

Patch Tuesday: Microsoft raises alert for dangerous IE, Windows flaws
ZDnet ^ | 12 Jun 2012 | Ryan Naraine

Posted on 06/13/2012 9:39:00 PM PDT by OldEarlGray

Summary: Microsoft expects to see exploit code targeting at least one of the vulnerabilities within the next 30 days.

Microsoft today warned that cyber-criminals could soon aim exploits at critical security flaws in Internet Explorer browser and Windows to hijack and take complete control of vulnerable machines.

The warning comes as part of this month’s Patch Tuesday where Microsoft released 7 bulletins with fixes for at least 26 documented vulnerabilities affecting the Windows ecosystem.

The company is urging users to pay special attention to MS12-037 and MS12-036, which provides cover for “remote code execution” vulnerabilities that could be used in worm attacks and drive-by downloads without any user interaction.

MS12-037, which affects all supported versions of the IE browser, fixes 13 vulnerabilities that expose users to computer hijack attacks if a user simply surfed to a rigged web site. Microsoft expects to see exploit code targeting at least one of the vulnerabilities within the next 30 days.follow Ryan Naraine on twitter

The company warned that information on one of the browser flaw is already publicly available which means that hackers have already gotten a head start on preparing attacks. [ Exploit code published for RDP worm hole; Does Microsoft have a leak? ]

The second high-priority bulletin is MS12-036, which covers a dangerous flaw in the way Microsoft implements the Remote Desktop Protocol (RDP) in Windows. “Attack vectors for this issue include maliciously crafted websites and e-mail,” the company warned.

This is the second major RPD flaw haunting Windows in the space of a few months.

According to Marc Maiffret, CTO at BeyondTrust, the Internet Explorer and RDP issues present the “more immediate exploitable threats.”

“Given the value of Remote Code Execution on RDP there will surely be a lot of folks trying to weaponize that vulnerability. Only time will tell if people are successful with this RDP flaw where they were not with the one in March,” Maiffret added.

Windows users and administrators will also want to treat the MS12-038 bulletin with the highest possible priority. From the bulletin:

This security update resolves one privately reported vulnerability in the Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also be used by Windows .NET Framework applications to bypass Code Access Security (CAS) restrictions.

Microsoft also expects to see exploit code for this vulnerability within the next 30 days.

In addition to the security bulletins, Redmond’s security response team is also releasing an automatic updater feature for Windows Vista and Windows 7 untrusted certificates.

The new automatic updater feature provides a mechanism that allows Windows to specifically flag certificates as untrusted.

With this new feature, Windows will check daily for updated information about certificates that are no longer trustworthy. In the past, movement of certificates to the untrusted store required a manual update. This new automatic update mechanism, which relies on a list of untrusted certificates known as a Disallowed Certificate Trust List (CTL), is detailed on the PKI blog. We encourage all customers to install this new feature immediately.

In August, Microsoft is also planning to release a change to how Windows manages certificates that have RSA keys of less than 1024 bits in length. “Once this key length update is released, we will treat all of these certificates as invalid, even if they are currently valid and signed by a trusted certificate authority,” Microsoft explained.

These changes follow the incredible discovery that attackers with nation-state backing hacked the Windows Update utility to spoof certificates and spread the Flame malware within Windows networks


TOPICS:
KEYWORDS: cyberwarfare; internetexplorer; microsoft; msie; patch; patchtuesday; windows; zeroday
Navigation: use the links below to view more comments.
first 1-5051-78 next last
"These changes follow the incredible discovery that attackers with nation-state backing hacked the Windows Update utility to spoof certificates and spread the Flame malware within Windows networks"

Hmm. Let us ask the good Lutheran question: "What does this mean?"

Anybody? Anybody? Buuuuhler?
1 posted on 06/13/2012 9:39:07 PM PDT by OldEarlGray
[ Post Reply | Private Reply | View Replies]

To: Travis McGee; CodeToad

“All your base classes are belong to us, hahaha” ping.


2 posted on 06/13/2012 9:41:20 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sterilized with Tea)
[ Post Reply | Private Reply | To 1 | View Replies]

To: OldEarlGray

That means that your next automatic “Windows Update” could come all the way from North Korea.


3 posted on 06/13/2012 9:44:13 PM PDT by Revolting cat! (Let us prey!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: OldEarlGray

It means you should be using Firefox.


4 posted on 06/13/2012 9:44:51 PM PDT by bossmechanic (If all else fails, hit it with a hammer)
[ Post Reply | Private Reply | To 1 | View Replies]

To: OldEarlGray
to hijack and take complete control of vulnerable machines.

Wouldn't you notice if your computer was hijacked?
And wouldn't you then just unplug it?

5 posted on 06/13/2012 9:45:43 PM PDT by Lancey Howard
[ Post Reply | Private Reply | To 1 | View Replies]

To: bossmechanic

>>it means you should be using firefox.

The compromise of(or the ability to spoof/fake) Microsoft’s signing certificates is much more than just a browser issue.


6 posted on 06/13/2012 9:50:21 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sterilized with Tea)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Lancey Howard

>>Wouldn’t you notice if your computer was hijacked?

Not if the attacker is operating “low and slow”.

This has been a topic of discussion here at Microsoft’s TechEd all week.


7 posted on 06/13/2012 9:56:06 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sterilized with Tea)
[ Post Reply | Private Reply | To 5 | View Replies]

To: OldEarlGray

I never do auto updates, I want to see what it is


8 posted on 06/13/2012 9:56:16 PM PDT by markman46 (engage brain before using keyboard!!!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: OldEarlGray
HUH? How could anybody be caught out with a cert key less than 1024 bits??

I haven't allowed anything shorter than 2048 bits to be generated in our shop in a couple of years. It's not hard -- just specify the number when making the key.

How tough is that? WTF?

9 posted on 06/13/2012 9:57:37 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Revolting cat!

Say hello to the WU Man in the Middle.


10 posted on 06/13/2012 9:58:37 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sterilized with Tea)
[ Post Reply | Private Reply | To 3 | View Replies]

To: OldEarlGray

Queue the apple evangelics 1...2...3...


11 posted on 06/13/2012 10:01:05 PM PDT by Carolina_Thor (It's always better to be thought a fool, than to open your mouth and remove all doubt.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Carolina_Thor

Naw, it’s the EUNUCHS boys we’re expecting!


12 posted on 06/13/2012 10:02:12 PM PDT by Revolting cat! (Let us prey!)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Revolting cat!

And Lie-Nooks!


13 posted on 06/13/2012 10:04:13 PM PDT by Revolting cat! (Let us prey!)
[ Post Reply | Private Reply | To 12 | View Replies]

To: dayglored

Some shops have development tools that are more than just a couple of years old.

Dunno how many bits those dlls were signed with, but I’d expect good FR SA folks might want to inventory their legacy software artifacts post haste.


14 posted on 06/13/2012 10:06:20 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sterilized with Tea)
[ Post Reply | Private Reply | To 9 | View Replies]

To: OldEarlGray
Malware can be a thing of the past of you familiarize yourself with and use a program called "Sandboxie".

It's cheap and it works. I started using it after I got sick and tired of having to clean up malware. A lot of times, you sit around wondering if you are infected and don't even know it. Are you? anyway, I got sick of it and I won't use a web browser anymore unless it runs in a sandbox. I highly encourage people to investigate and use this. There is a 30 day free trial... just google the program name.

This is no substitute for keeping your PC patched up to date, but it takes all the worry out of using email or web browsers.

15 posted on 06/13/2012 10:32:51 PM PDT by FunkyZero (... I've got a Grand Piano to prop up my mortal remains)
[ Post Reply | Private Reply | To 1 | View Replies]

To: bossmechanic
Are the "Microsoft" assemblies listed here real...



...or are they, something else?

Personally, I don't find it disturbing at all that centrifuges under the control of insane religious tyrant thugs had an "accident"; and if that's what it takes to keep our wives and daughters from being forced to wear a burkha, then by all means - CHARLIE MIKE and blow up some more shyte.

But, folks should know that at least one of the [foreign born] security presenters here at MS TechED was quacking all indignantly about that incident -- whilst lamenting the demise of the Anonymice.
16 posted on 06/13/2012 10:35:51 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 4 | View Replies]

To: FunkyZero

You don’t have to use a web browser to be infected with malware.


17 posted on 06/13/2012 10:39:09 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 15 | View Replies]

To: OldEarlGray
Web browsing is how 90% of PC's get infected. The other 10% come from email (normally running in a web browser as well).

Also, if you actually looked at the program, you would see that ANY executable program can be ran sandboxed, not just web browsers.

18 posted on 06/13/2012 10:46:34 PM PDT by FunkyZero (... I've got a Grand Piano to prop up my mortal remains)
[ Post Reply | Private Reply | To 17 | View Replies]

To: FunkyZero

>>This is no substitute for keeping your PC patched up to date

Keeping your PC patched up to date is important but that’s not enough.

How many folks are reading this whilst [needlessly] logged in using a UserID that has Administrative privileges [by default] assigned to it?

Or without a firewall and up to date virus protection?

Or without the most recent OS security patches applied by the Automated Updated Utility, that’s signed by Microsoft... or not?


19 posted on 06/13/2012 11:00:38 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 15 | View Replies]

To: FunkyZero

Baloney.

SQL injection uses neither “Web Browsing” nor “Email”.

If I want a sandbox, I’ll use a VM.


20 posted on 06/13/2012 11:08:43 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 18 | View Replies]

To: markman46

>>I never do auto updates, I want to see what it is

Ok.

“Microsoft” Update notifies you that security patches need to be applied. What will you do?


21 posted on 06/13/2012 11:18:46 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 8 | View Replies]

To: OldEarlGray
What exactly is your argument? I didn't tell anyone that patches were all they need to do. That's why I suggest Sandboxie, it's an affordable solution for the home user and it's very easy to get familiar with while providing near unequaled methods of protection.

I offered the home user a very useful program that can prevent infection of their PC when used properly.

Home users read the news, email and download music. Some, but fewer, use the PC for creating and managing files of various form. for those who meddle with pirated software.. well, they get what they deserve.the use of a sandbox program can prevent malicious software from escaping and altering system files, registry keys or anything else for that matter. When a sandbox is used properly, your PC stays clean. Period. You can launch a virus on PURPOSE in a sandbox and then laugh at it because it cannot do any damage unless you release it manually.

I am currently logged in with an administrator account while reading this... and I have no worries because this browser runs in a sandbox. It cannot call external programs without my interaction. The point is, your everyday user has no interest in a deep understanding of what is happening, they simply don't want to deal with an infection. A sandbox will all but prevent that when used properly. This is good, sound advice for the everyday user.

I've been in this business for over 20 years and this is one of the most useful applications of it's kid that I have ever seen. Nothing else even compares in value and performance. It does what it says and it does it well. Only on one occasion did a MS patch break the program, and they released a fix for that rather quickly on the sandboxie website.

I'm having a hard time understanding why you would baulk at someone recommending a simple and effective solution to preventing machine infections.

22 posted on 06/13/2012 11:20:29 PM PDT by FunkyZero (... I've got a Grand Piano to prop up my mortal remains)
[ Post Reply | Private Reply | To 19 | View Replies]

To: FunkyZero

What I’m balking at, Wiley, is your laughably pretentious assertion that 100% of cyber attacks exploit either a web browser or an email.

Oh and, were the assemblies in your Sandie Box built with a tool like, say, Microsoft Visual Studio - and signed with a certificate?

Did you read the article between downloading “Music” into your sandboxie?

I’ve got a couple thousand files on my iPod. Never needed a SandBoxie for that. NO SALE.


23 posted on 06/13/2012 11:40:19 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 22 | View Replies]

To: OldEarlGray
Keeping your PC patched up to date is important but that’s not enough.

I agree with and appreciate your point. But..

The time when most all computer users had a minimal level of technical knowledge is long gone. It seems to me a bit like requiring all motorists to be quasi-mechanics in order to be safe drivers.

Something is out-of-whack in this scenario.

24 posted on 06/14/2012 1:35:11 AM PDT by D-fendr (Deus non alligatur sacramentis sed nos alligamur.)
[ Post Reply | Private Reply | To 19 | View Replies]

To: bossmechanic

It means you should be using Firefox.


Amen Brother!

I HATE Microsoft Internet Explorer and never use it....ever!

However, we are a UPS shipper and have been so for many, many years. We use the online UPS system only.

A month ago I tried using the UPS World Ship program and quickly found out that their system was based upon all Microsoft programs and SQL databases....including Internet Explorer.

We have switched back to the internet system needless to say.


25 posted on 06/14/2012 4:00:34 AM PDT by DH (Once the tainted finger of government touches anything the rot begins)
[ Post Reply | Private Reply | To 4 | View Replies]

To: rdb3; Calvinist_Dark_Lord; Salo; JosephW; Only1choice____Freedom; amigatec; stylin_geek; ...

26 posted on 06/14/2012 4:25:49 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: rdb3; Calvinist_Dark_Lord; Salo; JosephW; Only1choice____Freedom; amigatec; stylin_geek; ...

27 posted on 06/14/2012 4:26:41 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: FunkyZero
I have been using Sandboxie for several years. It is a great program, especially for ‘exploring’ the web.

I did find it conflicted with AVG and a couple of other anti-virus programs. Those programs started incorporating a variant sandboxing capability that messed up Sandboxie. Solution: MS Essentials, it works compatibly with Sandboxie.

http://www.sandboxie.com

==

I also recently added another program that my bank website recommends. It is Rapport. It basically creates a ‘tunnel’ between your computer and any specified website (banking or other password websites).

http://www.trusteer.com/product/trusteer-rapport

==

I also use an add-on/extension that works with Firefox and IE. The pay versions work with additional browsers. It is Keyscrambler. It encrypts most of what you type into your browser.

http://www.keyscrambler.com

==

I also recently installed DoNotTrack Plus. It blocks many of the tracking cookies various websites put on one’s computer. It works with both Firefox and IE.

http://donottrackplus.com/howitworks.php

28 posted on 06/14/2012 5:01:17 AM PDT by TomGuy
[ Post Reply | Private Reply | To 15 | View Replies]

To: OldEarlGray
No sale, eh?

Besides "code Red" (10+ years ago), what percentage of virus/trojan/exploits in total have been problematic that were NOT user invoked?

Well, I'll tell ya, ELMER... next to nothing. With very few and isolated exceptions, exploits are EXECUTED by the user either on purpose inadvertently... be it from opening files that are infected or by viewing "specifically crafted" web content. I never said exploits were carried via music files, I told you that's what many home users are doing with their computers and MANY of them acquire said music through unscrupulous means (websites run and built by people of questionable character). Personally, I don't download music. I have no use for it.

I can't give you an exact number, but I can tell you from experience that if home users did nothing more than run their browser in a sandbox and use it properly, nearly all exploits to date would be rendered ineffective.

Personally, I just think you're full of yourself and like to argue. You laugh off a very effective application because theoretically, there is a POTENTIAL that it is not 100% effective or that it could possibly have bugs in the code. That's not very sound thinking and I've got some news for you sparky; ALL code has bugs in it. I've had to fire people in the past with such a mindset and attitude. Now goodbye to you, go nitpick somewhere else.

29 posted on 06/14/2012 5:11:48 AM PDT by FunkyZero (... I've got a Grand Piano to prop up my mortal remains)
[ Post Reply | Private Reply | To 23 | View Replies]

To: TomGuy

Have you switched completely away from avg to ms essentials entirely?
After being an avg user for many years, I am considering doing that.
Any issues in the transition?
Thanks.


30 posted on 06/14/2012 5:16:58 AM PDT by Repeal The 17th (We have met the enemy and he is us.)
[ Post Reply | Private Reply | To 28 | View Replies]

To: Repeal The 17th

When I bought a new Win7 laptop and later a Win7 desktop, I went with Essentials, due to a recommendation from

http://windowssecrets.com/

AVG and AVAST! conflicted with Sandboxie on my old XP, so I went with Essentials the last year before the XP died.

Sadly, both AVG and AVAST! grew into bloatware. AVG made the XP so sluggish. AVAST! 6 (IIRC) added its own sandbox that was rather clumsy and interfered with Sandboxie.

==

In addition to MS Essentials, I frequently do scans with SuperAntiSpyware to clean out tracking elements.

http://www.superantispyware.com/


31 posted on 06/14/2012 5:29:06 AM PDT by TomGuy
[ Post Reply | Private Reply | To 30 | View Replies]

To: TomGuy

Thanks, I might also make that transition.

AVG started out great and grew to unnessesary size.

My latest beef w/ avg is that it installs a firefox add-on with out asking me if I want to or not;
and the add-on is uninstallable without making fairly extensive registry edits.

Those are both two big no-nos from my perspective as a user.


32 posted on 06/14/2012 6:25:09 AM PDT by Repeal The 17th (We have met the enemy and he is us.)
[ Post Reply | Private Reply | To 31 | View Replies]

To: bossmechanic
It means you should be using Firefox.
Really?

Mozilla Firefox/Thunderbird/SeaMonkey Use-After-Free Remote Code Execution Vulnerability
2012-06-08
http://www.securityfocus.com/bid/53792

Mozilla Firefox, SeaMonkey, and Thunderbird CVE-2012-1947 Heap Buffer Overflow Vulnerability
2012-06-07
http://www.securityfocus.com/bid/53791

Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-1939 Memory Corruption Vulnerability
2012-06-07
http://www.securityfocus.com/bid/53797

Mozilla Firefox, SeaMonkey, and Thunderbird CVE-2012-1941 Heap Buffer Overflow Vulnerability
2012-06-07
http://www.securityfocus.com/bid/53793

Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-1937 Memory Corruption Vulnerability
2012-06-07
http://www.securityfocus.com/bid/53800

Mozilla Firefox/Thunderbird/SeaMonkey CSP's Inline-Script Blocking Feature Security Bypass Weakness
2012-06-07
http://www.securityfocus.com/bid/53801

Mozilla Firefox/Thunderbird/SeaMonkey '.lnk' Files Information Disclosure Vulnerability
2012-06-07
http://www.securityfocus.com/bid/53799

Mozilla Firefox, SeaMonkey, and Thunderbird CVE-2012-1940 Use After Free Vulnerability
2012-06-07
http://www.securityfocus.com/bid/53794

Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-1938 Memory Corruption Vulnerability
2012-06-07
http://www.securityfocus.com/bid/53796

Mozilla Firefox/SeaMonkey/Thunderbird NSS Parsing Multiple Denial of Service Vulnerabilities
2012-06-06
http://www.securityfocus.com/bid/53798

Multiple Browsers WebGL Implementation Linux NVIDIA Driver 'glBufferData()' Security Vulnerability
2012-06-06
http://www.securityfocus.com/bid/53808

Mozilla Firefox SeaMonkey and Thunderbird CVE-2012-1943 Local Privilege Escalation Vulnerability
2012-06-05
http://www.securityfocus.com/bid/53807

Mozilla Firefox SeaMonkey and Thunderbird CVE-2012-1942 Local Privilege Escalation Vulnerability
2012-06-05
http://www.securityfocus.com/bid/53803

Mozilla Firefox/Thunderbird/Seamonkey CVE-2012-0477 Cross Site Scripting Vulnerability
2012-06-04
http://www.securityfocus.com/bid/53229

Google Chrome prior to 10.0.648.127 Multiple Security Vulnerabilities
2012-06-04
http://www.securityfocus.com/bid/46785

OpenType Sanitizer Off By One Remote Code Execution Vulnerability
2012-06-04
http://www.securityfocus.com/bid/53222

Mozilla Firefox/Thunderbird/Seamonkey CVE-2012-0474 Cross Site Scripting Vulnerability
2012-06-04
http://www.securityfocus.com/bid/53228

Mozilla Firefox/SeaMonkey/Thunderbird Site Identity Spoofing Vulnerability
2012-06-04
http://www.securityfocus.com/bid/53224

Mozilla Firefox/Thunderbird/Seamonkey CVE-2012-0475 Security Bypass Vulnerability
2012-06-04
http://www.securityfocus.com/bid/53230

Mozilla Firefox/SeaMonkey/Thunderbird CVE-2012-0478 Denial of Service Vulnerability
2012-06-04
http://www.securityfocus.com/bid/53227

Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-0467 Memory Corruption Vulnerability
2012-06-04
http://www.securityfocus.com/bid/53223

Mozilla Firefox/Thunderbird/SeaMonkey IDBKeyRange Use-After-Free Vulnerability
2012-06-04
http://www.securityfocus.com/bid/53220

Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-0473 Out of Bounds Memory Corruption Vulnerability
2012-06-04
http://www.securityfocus.com/bid/53231

Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-0468 Memory Corruption Vulnerability
2012-06-04
http://www.securityfocus.com/bid/53221

Mozilla Firefox, SeaMonkey, and Thunderbird CVE-2012-0470 Heap Buffer Overflow Vulnerability
2012-06-04
http://www.securityfocus.com/bid/53225

Mozilla Firefox/Thunderbird/Seamonkey CVE-2012-0471 Cross Site Scripting Vulnerability
2012-06-04
http://www.securityfocus.com/bid/53219

Mozilla Firefox/Thunderbird/SeaMonkey 'cairo-dwrite' CVE-2012-0472 Memory Corruption Vulnerability
2012-06-04
http://www.securityfocus.com/bid/53218

SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability
2012-05-30
http://www.securityfocus.com/bid/49778

Mozilla Firefox/SeaMonkey/Thunderbird CVE-2012-0458 Security Bypass Vulnerability
2012-05-22
http://www.securityfocus.com/bid/52460

Mozilla Firefox/Thunderbird/SeaMonkey nsDOMAttribute Use After Free Memory Corruption Vulnerability
2012-05-14
http://www.securityfocus.com/bid/51755


33 posted on 06/14/2012 6:26:08 AM PDT by cartan
[ Post Reply | Private Reply | To 4 | View Replies]

To: dayglored
HUH? How could anybody be caught out with a cert key less than 1024 bits??

I remember when people who used 1024-bit keys were considered hopelessly paranoid. In real life it really wasn't all that long ago. In internet time, it was ages of course. I wouldn't be suprised at all by legacy installations that still had smaller keys. It still takes quite a bit of computational power to crack 768-bit keys. I don't believe even 512-bit keys can be cracked in anything approaching real-time, though they are within easy reach of someone with a bit of spare change, time, and a high-value target. Marking 768-bit keys as completely invalid is a bit excessive IMO. A warning for small keys would be sufficient for most of the few remaining organizations using them to have incentive to update to more secure keys.

34 posted on 06/14/2012 6:28:47 AM PDT by zeugma (Those of us who work for a living are outnumbered by those who vote for a living.)
[ Post Reply | Private Reply | To 9 | View Replies]

To: OldEarlGray

Ping


35 posted on 06/14/2012 6:55:42 AM PDT by PoloSec ( Believe the Gospel: how that Christ died for our sins, was buried and rose again)
[ Post Reply | Private Reply | To 1 | View Replies]

To: TomGuy

I’m getting ready to try Keyscrambler on my Win 7 PC. Any words of wisdom/experience before I install?


36 posted on 06/14/2012 7:23:50 AM PDT by Clara Lou
[ Post Reply | Private Reply | To 28 | View Replies]

To: markman46

How do you determine what is and is not a valid update from the list?


37 posted on 06/14/2012 7:47:13 AM PDT by Excellence (9/11 was an act of faith.)
[ Post Reply | Private Reply | To 8 | View Replies]

To: OldEarlGray

I don’t always apply them.as I have time I check what is being asked to be applied,take my time. but then this is a home computer not a work computer.


38 posted on 06/14/2012 9:06:42 AM PDT by markman46 (engage brain before using keyboard!!!)
[ Post Reply | Private Reply | To 21 | View Replies]

To: OldEarlGray

OK I have a windows 7 vm, windows 7 on a laptop and windows 7 on a netbook. i used firefox on all of them and don’t read email on them, email is all done on either and OS/2 computer or a linux box. am I save enough?


39 posted on 06/14/2012 9:22:54 AM PDT by markman46 (engage brain before using keyboard!!!)
[ Post Reply | Private Reply | To 21 | View Replies]

To: FunkyZero

Evidently you still haven’t read the article.

Tell the class Wiley, how will your freeware sandboxie deal with certificates of trust, that appear to be signed by MicroSoft - whose signing can no longer be trusted?

Oops.

Oh and - how do we know your freeware “solution” isn’t itself a vector for malware?

The game Wiley, is Trust.

Do we Trust that the folks who compromised the trustability of MS’ certificate are operating under the direction of a calibrated moral compass which directs their behavior in alignment with the purpose for American governance that is specified in our Declaration of Independence — “TO SECURE THESE RIGHTS” — or not?


40 posted on 06/14/2012 9:47:44 AM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 29 | View Replies]

To: markman46

Do you want to be totally safe for free with minimal skill and little fuss? Boot your Windows PC from a Linux demo CD to browse the web or check your webmail. Yeah, it will be kind of slow. Just don’t mount your hard drive while running Linux. If you must download a file, use a memory stick to save it.


41 posted on 06/14/2012 11:36:03 AM PDT by TexasRepublic (Socialism is the gospel of envy and the religion of thieves)
[ Post Reply | Private Reply | To 39 | View Replies]

To: Excellence

how does anyone determine which update are vaild or not??? I guess I wonder just how invaild updates would get into the microsoft update server in the first place


42 posted on 06/14/2012 11:38:23 AM PDT by markman46 (engage brain before using keyboard!!!)
[ Post Reply | Private Reply | To 37 | View Replies]

To: markman46

[OK I have a windows 7 vm, windows 7 on a laptop and windows 7 on a netbook... am I save enough?]

If you/we were, would MS have re-engineered the process between bios-boot and OS load for Windoze 8?

Horses out. Check.
Barndoor closed. Check.
Same Ol’ MS, the geniuses who thought enabling Email with VB Script was a good idea. Check.


43 posted on 06/14/2012 12:00:11 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 39 | View Replies]

To: D-fendr

>>Something is out-of-whack in this scenario.

You mean like how the McSheeple may not be able to change the pads on their Hundai’s disc brake, or identify a suspicious process in a task list on the PC they use to surf por err “download music” with, but at least they can tell us who’s winning American Idol and Dancing with the Starz in between commercials for Viagra and sleeping pills -— that kind of out-of-whack?


44 posted on 06/14/2012 12:10:46 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 24 | View Replies]

To: markman46
[I guess I wonder just how invaild updates would get into the microsoft update server in the first place]

en.wikipedia.org/wiki/Flame_(malware)



45 posted on 06/14/2012 12:28:32 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 42 | View Replies]

To: FunkyZero

What percentage of Stuxnet was installed via neither WebBrowser nor Email?

Does your freeware prevent Sand from getting in the Boxies of folks who play with their funky “musical” thumbdrives whilst doing their chores at the local nuclear facility?

I’ve never needed a VM to download music files. But then, all of the music on my devices was obtained via legitimate methods and sources. Why are your experience and prophylactic requirements so different?


46 posted on 06/14/2012 12:46:39 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 29 | View Replies]

To: PoloSec

Reply


47 posted on 06/14/2012 12:50:39 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 35 | View Replies]

To: FunkyZero
[Web browsing is how 90% of PC's get infected. The other 10% come from email (normally running in a web browser as well). ]

Meanwhile, in USB-enabled, non-mathimaticaly impaired reality land:

Flame can also move the target information–along with a copy of itself–onto a USB memory stick plugged into an infected machine, wait for an unwitting user to plug that storage device into an Internet-connected PC, infect the networked machine, copy the target data from the USB drive to the networked computer and finally siphon it to a faraway server.

http://www.forbes.com/sites/andygreenberg/2012/06/12/to-spy-on-offline-computers-flame-malware-was-designed-to-turn-humans-into-data-mules/

 

 


48 posted on 06/14/2012 1:05:19 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 18 | View Replies]

To: OldEarlGray
that kind of out-of-whack?

Yeah, that is an accurate description. Internet devices have become like more appliances, but still require a fair level of technical knowledge to operate securely. And the security risk affects others. Or to paraphrase you: a lot of idiots are out there oblivious to risk.

So it's out-of-wack in my opinion. Two obvious possible solutions are to either make them not require the skill level or not allow their use by those without the skill level.

The second I think is impractical and the first still doesn't seem to be happening.

A third option would be to secure them on a different level not involving the user. Government would love to do that, with a high price and low effectiveness. Some have suggested ISPs. Or maybe some type of secure internet neighborhood, the equivalent of a gated community.

I dunno the answer.

Thanks for your reply.

49 posted on 06/14/2012 1:20:08 PM PDT by D-fendr (Deus non alligatur sacramentis sed nos alligamur.)
[ Post Reply | Private Reply | To 44 | View Replies]

To: D-fendr

>>Some have suggested ISPs.

Aye, isn’t that the emperor strolling down the internet in his clouded (fancy ISP) underwear?


50 posted on 06/14/2012 1:35:13 PM PDT by OldEarlGray (The POTUS is FUBAR until the White Hut is sanitized with American Tea)
[ Post Reply | Private Reply | To 49 | View Replies]


Navigation: use the links below to view more comments.
first 1-5051-78 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson