Sunday, July 3, 2011

New site design - www.DesignsByPat.com

We've been hard at work designing a new look for Pat Dahnke and her sites.

This site is built using an Interchange store. Pat will be able to upload her pictures for each of the items and create the descriptions to go with them.

We enjoyed working with Pat on this new design at her ranch in Hempstead, Texas. Many nights over the camp fire rounded out the rough edges of the final design.

Tuesday, April 12, 2011

Firefox 4 Improves Speed and Security

from WatchGuard Security Center by Corey Nachreiner


For any Firefox fans out there, Mozilla has released version 4, which you can download now. Firefox 4 contains a number of improvements, but the most relevant to this blog are its security updates.

One of Firefox 4's new features is called Content Security Policy (CSP). This feature helps to prevent Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) attacks. In the past, extensions like NoScript could try to prevent XSS attacks by simply blocking one site (or domain) from injecting script into another site (or domain). However, this basic XSS detection often results in false positives, because some developers deliberately design sites to work that way. Mozilla’s new CSP feature takes a more active approach: the web server sends special response headers telling the browser what sort of content or scripts to expect, and Firefox won’t process any content the server didn’t specify, thus potentially blocking injected scripts. That said, for all this to work, the web sites we visit need to start sending CSP headers.

Another new feature is Firefox’s support for the Strict-Transport-Security header. When you go to sites like gmail.com, you really want to visit the HTTPS version of the site. However, if you don’t bother typing the full URL into your browser, you may accidentally visit the plain HTTP site first, before being redirected to the HTTPS version. This brief unencrypted transition could give attackers what they need to mount a Man-in-the-Middle (MitM) attack. The Strict-Transport-Security header — which Firefox 4 supports — allows a web site to specify that it will only accept HTTPS connections, so the browser goes straight to HTTPS on later visits, thus preventing the scenario mentioned above.
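The two headers described above are the kind of thing a site owner should audit before relying on them. The following Python check is an added example, not code from the original post or from Mozilla; the header sets it runs over are constructed. Firefox 4 read the prefixed X-Content-Security-Policy header, while the unprefixed Content-Security-Policy name became the later standard, so both spellings are accepted.

```python
# Added example: audit the CSP and HSTS response headers a site sends.
# Both the Firefox 4 "X-Content-Security-Policy" name and the later standard name are accepted.
import re

CSP_NAMES = ("content-security-policy", "x-content-security-policy")
SIX_MONTHS = 180 * 24 * 3600  # a common floor for a useful HSTS max-age


def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings for a dict of response headers; empty means both look sound."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    csp_value = next((h[n] for n in CSP_NAMES if n in h), None)
    if csp_value is None:
        findings.append("no CSP header: injected scripts run unrestricted")
    else:
        policy = parse_csp(csp_value)
        # script-src falls back to default-src when it is absent.
        scripts = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("CSP allows inline scripts, which is what XSS injects")
        if "*" in scripts:
            findings.append("CSP allows scripts from any origin")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS header: first visit over plain HTTP is unprotected")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(m.group(1)) if m else 0
        if max_age < SIX_MONTHS:
            findings.append("HSTS max-age %d is short; the policy expires quickly" % max_age)
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS omits includeSubDomains, so subdomains stay unprotected")
    return findings


# Constructed samples (not real sites): a weak header set and a stronger one.
WEAK = {"X-Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=300"}
STRONG = {"Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.example.com",
          "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
```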

Firefox 4 contains many other old and new security features which you can read about on Mozilla’s site, or in this SANS ISC handlers diary post.

Besides the security improvements I mentioned above, Firefox 4 is also a lot faster. Browsers like Chrome and Safari have done a lot to make the browsing experience much faster, mostly by improving JavaScript performance. Firefox 4 includes similar improvements, making it three times faster than Firefox 3.x, and on par with the fastest browsers on the market.

If you use Firefox, I highly recommend you download version 4 for its security and performance improvements. Don’t forget to also grab the latest version of NoScript, which I never browse without. – Corey Nachreiner, CISSP (@SecAdept on Twitter)

Prepare for a Record Breaking Microsoft Patch Day Tomorrow

from WatchGuard Security Center by Corey Nachreiner

I don’t know about you, but I really don’t like hearing “record breaking” and “Microsoft Patch Day” in the same sentence. Unfortunately, April’s Black Tuesday will be just that — a record breaking patch day.

According to their Advance Notification page, Microsoft plans to release an unprecedented 17 Security Bulletins tomorrow. The bulletins will fix security flaws in Windows, Office, and Internet Explorer (IE), as well as issues in some of Microsoft’s Server and Developer software. Microsoft rates more than half the bulletins (nine) as Critical, which typically means attackers can leverage them to execute code on your computer and gain control of it.


The quicker you can apply Microsoft’s patches, the better. Attackers take advantage of the “vulnerability window,” the period between when an attacker learns about a vulnerability and when you patch it. Often, attackers and security researchers reverse engineer Microsoft’s patches to learn more about the underlying vulnerabilities they fix, so it’s not uncommon for exploit code to surface shortly after patch day. For this reason, I recommend you prepare your staff for a deluge of patches tomorrow, and try your best to test and apply them quickly, despite their great number.

I’ll know more about these bulletins tomorrow, and will publish alerts about them here. — Corey Nachreiner, CISSP

Monday, January 17, 2011

Windows zero day and small Snow Leopard update start off the new year

from WatchGuard Security Center by Corey Nachreiner

A fresh new year has begun and we already have security vulnerabilities in two of the most popular operating systems: Windows and OS X. Let’s start with the more worrisome one – Windows.

According to a recent Microsoft Security Advisory, the Graphics Rendering Engine that ships with most versions of Windows (one of the components that helps display graphics on your screen) suffers from a zero day vulnerability. Specifically, a flaw in how the Graphics Rendering Engine parses specially crafted thumbnail images could result in a buffer overflow. By enticing you to preview a thumbnail image, perhaps hosted on a website or sent within an email, an attacker could exploit this flaw to execute code on your computer with your privileges. If you’re a local administrator, the attacker gets the keys to your castle.

Microsoft doesn’t have a patch for this vulnerability, but they do describe a workaround that will mitigate some attacks. See the “Mitigating Factors and Suggested Actions” section of their advisory for more details. Unfortunately, they don’t say whether or not attackers are exploiting this zero day in the wild. Though Patch Day is coming up next week, I doubt Microsoft will get this fix out by then, so be sure to be careful handling thumbnail images.

Next up is Apple. Late yesterday, Apple released a security update for OS X 10.6.x (Snow Leopard). The update only seems to fix one marginally severe vulnerability, and Apple’s alert doesn’t describe the flaw in much technical detail. They only say that a format string flaw in PackageKit could allow an attacker to execute code on your Mac. To exploit this flaw, the attacker would need to deliver a malicious package via Apple’s Software Update, which means he would need to complete a Man-in-the-Middle attack to control where Software Update fetches its packages from. In short, attackers will have a hard time leveraging this flaw without local access to your network. Nonetheless, Snow Leopard users should download the 10.6.6 update or let Software Update do it for them.

In summary, if you’re a Windows user, be careful with thumbnails, and look for updates next Tuesday, and if you’re a Snow Leopard user, upgrade as soon as you can.

– Corey Nachreiner, CISSP

Raven Audio - Logo

Thursday, November 11, 2010

HIGH: Two MS Office Security Bulletins Fix Seven Vulnerabilities

TWO OFFICE SECURITY BULLETINS FIX SEVEN VULNERABILITIES

SEVERITY: HIGH

9 November, 2010

SUMMARY:

* These vulnerabilities affect: Most current versions of
Microsoft Office, and the components that ship with it

* How an attacker exploits it: Typically by enticing one of your
users to open a malicious Office document

* Impact: In the worst case, an attacker executes code on your
user's computer, gaining complete control of it

* What to do: Install Microsoft Office updates as soon as
possible, or let Microsoft's automatic update do it for you

---------------------------------------------------------------
This is a summary; for the complete alert, see WatchGuard's web page:
https://www.watchguard.com/archive/showhtml.asp?pack=120268
---------------------------------------------------------------

STATUS:

Microsoft has released Office updates to fix these vulnerabilities.


REFERENCES:

* MS Security Bulletin MS10-087
http://www.microsoft.com/technet/security/bulletin/MS10-087.mspx

* MS Security Bulletin MS10-088
http://www.microsoft.com/technet/security/bulletin/MS10-088.mspx

This alert was researched and written by Corey Nachreiner, CISSP.