AskWoody

How secure is your browser?

Catalin Cimpanu (who’s rapidly become one of my favorite security writers), in BleepingComputer’s Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs

Google’s automatic fuzzer, named Comato, finds more bugs in Edge than in Internet Explorer. Chrome’s best, of course, followed by Firefox.

US government is banning, bad-mouthing Kaspersky. But why?

Some much needed common sense posted by Vess Bontchev, on Medium.

He knows whereof he speaks.

(Graham Cluley has a great response to McAfee’s advertising campaign.)

A roundup of ongoing problems with this month’s Windows and .NET patches

It’s a long, sad list.

That said, I don’t see any show-stoppers. Do you?

Computerworld Woody on Windows.

Experian will hand out your details to anybody

This is unbelievable, but it’s from Brian Krebs, so it must be real.

The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).

After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!

The final authorization check is that Experian asks you to answer four so-called “knowledge-based authentication” or KBA questions. As I have noted in countless stories published here previously, the problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

It’s mind-boggling. Read it, please.

Curious about Windows 10 S? Mary Branscombe has an in-depth report

Most of you scoff at Windows 10 S. (For good reason, in my opinion.) But many of you don’t know the main details.

Check out this article from Windows guru Mary Branscombe.

September 2017 Group B Security-only patches for Windows 7/8.1

UPDATE: The Group B Knowledge Base topic, AKB2000003, has been updated for September.

NOTE: Be aware that there have been problems reported with the IE11 Cumulative Update. Please read the discussion here and the following replies before installing.

NOTE: We are still on MS-DEFCON 2. It is advisable to WAIT until MS-DEFCON 3-5 before installing the patches.

Undocumented Surface Pro 4 updates suddenly documented

I’ve given up trying to keep track of Surface Pro 4 updates. I figure the machine – like all Surface Pro’s before – is a buggy mess. Microsoft throws fixed firmware/driver updates for it out through Windows Update like manure on mushrooms.

My last tirade about undocumented Surface Pro 4 updates appeared on Sept. 2, when Windows Central reported eight previously unknown and undocumented firmware and driver updates.

Now, thanks to a post from Paul Thurrott, I see there are four more previously undocumented Surface Pro 4 updates, supposedly released on Sept. 14, which have just been documented on the official Surface Pro 4 update site. A week late.

Part of me is galled that so many people are buying machines that are so obviously buggy. Part of me is galled that Microsoft patches those machines — the firmware and drivers for heaven’s sake — without documenting them. All of me is galled that some companies, with data protection responsibilities, allow that to happen.

Is your CCleaner safe? New evidence suggests maybe not

CCleaner is back in the headlines. After the initial report that the CCleaner installer included malware, Avast/Piriform/CCleaner claimed that installing the latest version of CCleaner — version 5.34 — would knock out the infection.

Now Cisco’s Talos Group says that isn’t the case. For machines on some domains — samsung.com, vmware.com, cisco.com, linksys.com, and a couple dozen more — there’s a secondary infection that isn’t so easy to scrub.

Martin Brinkmann at ghacks.net has a good overview.

For those of us who have railed against registry cleaners for many years (“It’s like sweeping off a spot in a Target parking lot in Anacortes”), the brouhaha comes as a welcome vindication. Yes, I know CCleaner does more than registry cleaning. Mumble mumble.

UPDATE: Catalin Cimpanu at Bleepingcomputer digs into the code. Signs point to this being the handiwork of Axiom, which has been linked to the “Chinese Intelligence Apparatus.”

UPDATE: Avast confirms the Talos Group report.

UPDATE: Kevin Beaumonth (@GossiTheDog) has a scary conclusion:

The CCleaner hack is the biggest single remote code execution attack possibly ever. They had huge amounts of access,  it is incredible.

They were directly behind firewalls at governments, banks, Fortune 500 etc and pulled it off for a month without any detection. Crazy.