Smokey's Security Weblog

veritas odium parit

Iron: Google Chrome without privacy worries

For the Google Chrome Browser lovers worrying about their privacy I found an interesting “heise Security” article, describing Iron, a private version of Google Chrome without the privacy issues.

Let’s quote a part of the article:

SRWare, a German company, has released Iron, based on Google’s Chromium code. The big difference, according to the authors on their German language-only web site, is that the features which have caused people to question the privacy of Google’s browser are all disabled.These features include Chrome’s generation of a unique ID for the installation and recording the exact time of installation, Google Suggest functions in the address bar, alternate error pages, bug reporting, updating and tracking, all of which are completely removed from Iron.Despite the installer only using the German language, that installed browser functioned in English.SRWare has made a Windows executable and the source code available to download.

Iron and Security

The current Beta of Google Chrome use conform Browserstring a dated Version (525.13) of the Rendering-Engine WebKit. Iron use the most recent WebKit-Version (525.19)

At the moment I am testing Iron, till yet no problems encountered.

How to install

Because the installer is in German language, here instruction how to install Iron:

– execute srware_iron.exe
– click “Weiter”
– activate “Ich akzeptiere die Vereinbarung” and click “Weiter”
– click “Weiter”
– click “Weiter”
– click “Weiter”
– click “Installieren”
– click “Fertigstellen”

Have fun with the program!

Article source: heise Security
Iron homepage: SRWare
Iron download: here

News/updates from Iron website

11.10.2008: Adblocker integrated in Iron

The wish of many users comes true: We integrated an Adblocker in Iron!
With a filterlist so nearly all online-advertising can be blocked. A working list can bedownloaded here and just has to be copied to the Iron folder (e.g: C:\Program Files\SRWare Iron\). Note: You must first get the latest version of Iron you can find under “Downloads”.
So Iron is the first Chromium based webbrowser worldwide which has an adblocker included.

03.10.2008: New Iron Translations: Italian, Polish and Hungarian

Included these three new languages additional to German and English in Iron,
they are available in the setup and in the portable version.

01.10.2008: “Official” Iron Portable

In the Download-Section you can find a portable Iron-package officially created by SRWare.
It can run e.g. on an USB-Stick without admin-rights.

26.09.2008: English page online

We can provide an english page for our customers outside of Germany.

Source/more/english Iron page: SRWare

 

Background info/tips from The Chromium Blog: Google Chrome, Chromium, and Google

A number of people have asked about the relationship between Google Chrome, Chromium, and Google, specifically in regards to what data is sent to Google or other providers. This is meant to provide a complete answer to that question, and as you will see below, almost all such communication can be disabled within the options of the product itself. Before getting too deep into the question though, it is helpful to have a common set of terminology.Chromium is the name we have given to the open source project and the browser source code that we released and maintain at http://www.chromium.org. One can compile this source code to get a fully working browser. Google takes this source code, and adds on the Google name and logo, an auto-updater system called GoogleUpdate, and RLZ (described later in this post), and calls this Google Chrome. As such, everything which applies to Chromium below also applies to Google Chrome, while there are some things that apply to Google Chrome (such as the auto-updater) that do not apply to Chromium.
 

 

Source/more/how-to disable (privacy related) issues and settings: The Chromium Blog

Advertisements

September 26, 2008 Posted by | Advisories, Downloads, Friends, News, Recommended External Security Related Links, Uncategorized | , , , , , , , , , , , | 1 Comment

Disclosure of Major New Web ‘Clickjacking’ 0-Day Threat Gets Defer

Details of a new major Web attack that could potentially affect millions of users won’t see the light of day next week as planned after the researchers who discovered it agreed to hold off on disclosing their find until Adobe comes up with a patch for its product.

Renowned Web security researchers Robert “RSnake” Hansen and Jeremiah Grossman late yesterday pulled their presentation “New 0-Day Browser Exploits: Clickjacking – yea, this is bad” from the upcoming OWASP USA security conference in New York, after Adobe requested that the researchers give them time to come up with a patch for one of its applications before they release their proof-of-concept code.

The pair planned to disclose flaws in the architecture of all of today’s web browsers that allow malicious websites to control the links visitors click on. Once lured to a fraudulent address, a user may think he’s clicking on a link that leads to Google – when in fact it takes him to a money transfer page, a banner add that’s part of a click-fraud scheme, or any other destination the attacker chooses.

Hansen and Grossman just days ago found that a vulnerability that can be used for so-called “clickjacking” attacks wasn’t in Adobe’s application, but in various browsers, including Microsoft’s and Mozilla’s, and affects Adobe’s application. It can even evade browser security features. While they can’t give details of the specific vulnerabilities at this time, they say this new clickjacking attack — where a bad guy lures a victim to click onto a link — could leverage other Web attacks like cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF), to attack a wider range of users.

The technique can also forge the address that appears on a status bar at the bottom of a web browser, so even those who are careful to check referring address before clicking can be tricked, Grossman says.

In the meantime, those who want to protect themselves against this vulnerability will have to disable scripting and all browser plugins. That’s not exactly a viable solution for most of us, which may give you one reason why Adobe thinks this is such a big deal.

Sources:

Dark Reading
The Register

September 20, 2008 Posted by | Advisories, Alerts, Friends, Malware, News, Recommended External Security Related Links, Uncategorized, Vulnerabilities | , , , , , , , , , , , | Leave a comment

Warning Kaspersky Internet Security 2009: BSODs under Vista x64 after update

Reported by several sources: Kaspersky Internet Security 2009 cause BSODs under Vista x64 after update AV databases (SYSTEM_SERVICE_EXCEPTION).

To all experiencing this issue:

– Boot into safe mode with network support by tapping F8 key at bootscreen

– Open Kaspersky by going to Start > Programs > Context menu of Kaspersky Internet Security/Kaspersky Anti Virus > Right click on the KAV/KIS icon and select “run as administrator”

– Update AV databases.

– Now restart and attempt to boot into normal mode.

More info: Kaspersky Lab Forum

September 19, 2008 Posted by | Advisories, Alerts, Downloads, Recommended External Security Related Links, Uncategorized | , , , , , , , | 6 Comments

Caution about Twitter pages referencing an Orkut photo album

Next case of social engineering on Twitter, reported by Christopher Boydon/FaceTime Security Labs Blogs:

Orkut users are being targeted via Twitter pages carrying infection links.

The pages linked try and get you to download an infection file straight away, or pretend you’re installing a Flash update.

Once the files are run on the end-users PC, a variety of malicious files will be installed and various types of data theft may be attempted. For example, one of the EXEs will pop open the Orkut website in what is obviously an attempt to get you to fill in your user details.

Particularly interesting is the use of Twitter to push these Orkut attacks, and also the fact that the attackers have seemingly created the majority of the profiles 17 followers – presumably to make the infection link carrying profile seem more legitimate and part of a small group or community of friends.

In some ways, then, this is a refinement of the attack noted by Kaspersky because they’re targeting a specific group of users instead of taking the “Come and get it, everybody” approach. Obviously, just because you don’t use Orkut doesn’t mean you’re safe from this – the URLs are entirely indescriminate with regards who clicks them and becomes infected, so if you see any profiles on Twitter that mention Orkut with hyperlinks that reference “Photo albums” or “galleries” (the oldest Orkut-targeted infection tactic in the book), steer well clear.

Source/full alert: FaceTime Security Labs Blogs

September 14, 2008 Posted by | Advisories, Alerts, Downloads, Malware, Recommended External Security Related Links, Uncategorized, Vulnerabilities | , , , , , , , | Leave a comment

Vision: The Great Firewall will be taken down as the Berlin Wall

Vision of GIFC – Global Internet Freedom Consortium

“Just as the Berlin Wall once fell when the East Germans came together and demanded their freedom, we, too, will give those living in closed societies the technology to take down the Great Firewall that separates them from the rest of the world.

Today, the Internet is what connects all of us around the world. We can chat with someone thousands of miles away in an instant. We can send pictures and share ideas in a heartbeat. The Internet links us all together. It gives us a chance to talk and work together and understand each other better.

But that is only true for those of us in the free world. There are certain governments around the world – such as in Mainland China, Iran, Burma and Vietnam — that actively block millions of their citizens from accessing information on the web and also stop bits and bytes from being sent out. They are creating the Dark Ages in cyberspace.

It is no coincidence that the countries that tightly censor information flow are also linked with human rights abuses, lack of democracy, corruption, and unstable business environments. As a result, these societies remain closed off from the rest of the world. And their governments continue to oppress the populace behind closed doors.

We believe the key to open up these closed societies is information freedom, and in the current age, that means Internet freedom. Only when the people have access to different sources of information can they think critically and choose wisely. Only when information is allowed to flow will there truly be human rights, freedom of expression and press, and freedom of religion and thought.

More and more people in closed societies are becoming aware of the power of our technologies and the power of information. As more and more of them are empowered by information freedom, no Firewall, no Berlin Wall, and no Iron Curtain will be able to hold them back–it’s simply a matter of time.

Now THIS is how history is made.

Our Solutions

GIFC partners have developed many anti-jamming (anti-censorship) products. Among them, the following five anti-censorship client software packages are most popular:

– UltraSurf
– FreeGate
– GTunnel
– FirePhoenix
– GPass

Download the up-to-date GIFC Anti-Censorship Tools Bundle which includes above popular client software packages.In addition, we also have the Anti-Censorship Popular Sites Ranking Service (http://ranking.edoors.com). You can visit the Ranking service site and view histograms of website rankings, based on the amount of traffic, number of pages viewed, or number of server hits through GIFC network. One can also learn of the most popular websites visited, as well as the popular sites by categories and languages.”

Source of above declaration/downloads: internetfreedom.org

September 14, 2008 Posted by | Advisories, Friends, News, Recommended External Security Related Links, Uncategorized | , , , , , , , , , , , , , , , , , , , , , , , , | Leave a comment

Google Chrome at risk from ‘carpet bomb’ bug

Google Inc.’s brand-new Chrome browser is just launched, and the first blended threat (so-named because it relies on multiple vulnerabilities) is already reported. This critical threat can take down your PC. Great news, isn’t?

ComputerWorld Security wrote:

Attackers can combine a months-old “carpet bomb” bug with another flaw disclosed last month to trick people running Google’s Chrome browser into downloading and launching malicious code.The attacks are possible because Google used an older version of WebKit, an open-source rendering engine that also powers Apple Inc.’s Safari, as the foundation of Chrome.”

This is different from the Safari/IE blended threat,” said Israeli researcher Raff in an interview conducted via instant messaging. “It’s a different blend with one similar component. It uses the auto-download vulnerability (aka ‘Carpet Bomb’) in combination with a [user interface] design flaw and an issue with Java that doesn’t display a warning on execution of JAR files downloaded from the Internet.”

The carpet-bomb bug — revealed by researcher Nitesh Dhanjani in early May and named for the way it could be used to dump files onto the Windows desktop — stemmed from the fact that Safari did not require a user’s permission to download a file. Attackers, Dhanjani said, could populate a malicious site with rogue code that Safari would automatically download to the desktop, where it might tempt a curious user into opening the file.

Google used a prepatch version of WebKit to build Chrome, and so the bug, which was also patched in later editions of WebKit, slipped through. According to Raff, the Chrome beta uses the older WebKit 525.13, the engine used by Safari 3.1.Chrome also contributes to the problem, said Raff, by making downloaded files appear as buttons at the bottom of the browser’s frame. “One click on this button will execute the file,” Raff said. Attackers could place malware on a malicious site, then wait for — or better yet, draw in — users running Chrome. The browser would not warn the user of the JAR file automatically downloaded from the site, and the button-style indicator in Chrome could be easily mistaken for part of the application.

Workaround

There is no vendor patch available, however, ComputerWorld advised to use following workaround:

Users can set an option in Chrome that will thwart the exploit by popping up a warning asking for a file name and location for any downloaded file. To change Chrome, select Options under the “Customize and control Google Chrome” menu; the menu is at the far right, near the top. Although not named, it looks like a small wrench. Next, click the “Minor Tweaks” tab in the Options window, then check the box that reads “Ask where to save each file before downloading.”

Additional: Google’s Chrome Browser – Security & Privacy Issues

Posted by SUMware on DSLReports:

Chrome is a security nightmare, indexes your bank accounts September 04, 2008
After playing around with Google’s brand new Chrome browser, we’ve discovered that its history search box will fetch all types of data – even text from HTTPS-protected financial sites like Washington Mutual and Capital One. With a few utterly simple keywords like balance, account and Sept., everything from balance information, account numbers and even how much you spent at Costco can be pulled up.

Chrome: Google’s biggest threat to your privacy September 4, 2008
The danger comes from one of Chrome’s niftiest features, what it calls the Omnibox. The Omnibox is, in fact, the browser’s Address Bar, but it has a feature that looks at what you type, and then auto-suggests sites that it thinks you’re about to enter. As you type, the suggestions appear.

As you type, your text is sent back to Google, which analyzes it and makes the auto-suggestions. That’s why you don’t even need to press Enter for the text to head to Google.

Sources/authors:

Full ComputerWorld article: ComputerWorld
Additional threat info: SecurityFocus
Original SUMware DSLReports thread: DSLR

September 6, 2008 Posted by | Advisories, Alerts, Malware, News, Recommended External Security Related Links, Uncategorized, Vulnerabilities | , , , , , , , , , , , , , | 1 Comment

Microsoft Security Bulletin Advance Notification for September 2008

Microsoft Security Bulletin Advance Notification issued: September 4, 2008
Microsoft Security Bulletins to be issued: September 9, 2008

This is an advance notification of security bulletins that Microsoft is intending to release on September 9, 2008.

This bulletin advance notification will be replaced with the September bulletin summary on September 9, 2008. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

The security bulletins for this month are as follows:

Bulletin Identifier: Windows Media Player Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Windows. For more information, see the Bulletin Affected Software section.

Bulletin Identifier: Windows Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Windows, Internet Explorer, .NET Framework, Office, SQL Server, Visual Studio. For more information, see the Bulletin Affected Software section.

Bulletin Identifier: Windows Media Encoder Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Windows. For more information, see the Bulletin Affected Software section.

Bulletin Identifier: Office Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Office. For more information, see the Bulletin Affected Software section.

Non-Security, High-Priority Updates on MU, WU, and WSUS

For information about non-security releases on Windows Update and Microsoft update, please see:

Microsoft Knowledge Base Article 894199: Description of Software Update Services and Windows Server Update Services changes in content for 2008. Includes all Windows content.

New, Revised, and Released Updates for Microsoft Products Other Than Microsoft Windows.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Full bulletin: Microsoft TechNet

September 5, 2008 Posted by | Advisories, Alerts, Friends, Malware, Recommended External Security Related Links, Vulnerabilities | , , , , , , | Leave a comment