
Tag: Internet Explorer

Microsoft Security Updates March 2016

Microsoft releases thirteen bulletins this month, patching a total of 44 vulnerabilities. More than half of the critical vulnerabilities fixed this month affect the web browsers, Internet Explorer and Microsoft Edge.
Vulnerabilities rated critical also exist in the OpenType font parsing kernel components, Windows Media Player, and the Windows PDF library. Microsoft reports that none of these vulnerabilities have been publicly disclosed or exploited in the wild. Nearly everyone running a Windows system that installs these updates will have to reboot that system.

A variety of OS, kernel driver, web browser, and entertainment and productivity applications are affected:

Internet Explorer
Microsoft Edge
Microsoft Mail Library Loading Validation
Windows Adobe Type Manager Library OpenType Font Parsing (in the past, atmfd.dll)
Windows Media
Microsoft Office
Windows OLE supporting applications like Microsoft Office (Asycfilt.dll, Ole32.dll, Oleaut32.dll, Olepro32.dll)
Windows Security Authority (seclogon.dll)
Multiple Drivers (KMD)
.Net Framework

Microsoft is patching yet another DLL sideloading vulnerability, a fairly common problem. Microsoft has been addressing DLL pre/side-load problems since Win2k SP4! But this one appears to be a bit of a corner case, requiring the use of Microsoft Mail and a malicious OLE document being opened for editing on the target's system. We are anticipating that more than a couple of these vulnerabilities will be attacked in the wild.
In the meantime, we are prioritizing other packages, like Adobe and their updates.

ThreatTrack Vipre Antivirus 2016

By Neil J. Rubenking

Vipre has been a name to conjure with in the antivirus business for quite some time.

The product has changed over the years, bouncing from company to company and, at one point, incorporating spyware protection from the well-regarded CounterSpy. Perhaps all that moving around wasn't the best for its health.

The current incarnation, ThreatTrack Vipre Antivirus 2016, isn't your best choice for comprehensive protection.
It did improve its antiphishing and malicious URL blocking scores significantly over the tests we ran on last year's edition, but it fared poorly in tests by independent antivirus labs. You have plenty of purchase options with Vipre. You can pick one, three, five, or 10 licenses and subscribe for one, two, three, or four years.

There's a discount for more licenses and longer subscriptions, of course. Protecting a single PC for one year costs $39.99, while a 10-license four-year subscription goes for $269.99, quite a bit less than what you'd pay for 40 single licenses (almost $1,600!). Installation is simple, if not precisely quick. You fire up the installer, copy and paste your license key, and click a button labeled Agree & Continue.

That's it.

The installer checks for program updates, performs the installation, downloads the latest virus definitions, and runs a scan for active malware. You don't have to do a thing, except perhaps get some coffee or a snack.
I found the full installation process took about 10 minutes. Vipre's main window retains the look introduced with the previous edition.

Buttons let you launch or schedule a scan.

A status panel reports on the latest scans and updates.

A couple of links let you manage your account or the program's settings.
It's very slick and simple.

So-So Malware Blocking

A full system scan with Vipre took 46 minutes, just a little longer than the current average.

Clearly the program performs some kind of optimization during that first scan, as a repeat scan completed in just five minutes.

AVG AntiVirus Free (2016) took 27 minutes for an initial scan on this system and two minutes for a repeat scan.

F-Secure Anti-Virus 2016 cut the time even more, with a 15-minute first scan and just over one minute to repeat the scan. Of course, speed means little unless it's coupled with accuracy. My hands-on malware blocking test starts when I open a folder that contains a few dozen known malware samples.
Vipre immediately leapt into the fray, eliminating 79 percent of the samples on sight. When I launched the surviving samples, it detected a few, but didn't completely prevent installation of executable files.
It managed 86 percent detection and an overall score of 8.1 points in this test. Two products share the top overall score.

Avast Pro Antivirus 2016 detected 100 percent of these same samples, and Bitdefender Antivirus Plus 2016 detected 93 percent.

Because Avast didn't completely prevent installation of malware traces, it earned 9.3 points, the same as Bitdefender.
Vipre's score puts it well below the median for this test. Of necessity, my samples in that hands-on test get used for many months. However, in my malicious URL blocking test the samples (provided by MRG-Effitas) are as new as I can manage, typically no more than a day or two old.

The test is simple enough.
I take the sample URLs and launch each in a browser protected by the product under testing.
I note whether it steers the browser away from the dangerous URL, eliminates the executable payload during download, or sits idly, doing nothing to prevent the download.
I continue until I have data for 100 malware-hosting URLs. When I tested Vipre's previous edition, it blocked just 38 percent, all of them during the download process.

This time around, Vipre's Search Guard and new Edge Protection components stepped up to raise the protection level impressively.

Between the two components, Vipre blocked access to 84 percent of the malware-hosting URLs.

Edge Protection did most of the work, though Search Guard (the one place you can still see Vipre's old snake icon) lent a hand. Vipre's 84 percent protection rate is pretty darn good; only five products have done better.

At the top of the heap are McAfee AntiVirus Plus (2016) and Symantec Norton Security Premium, each of which managed 91 percent protection. See How We Test Malware Blocking

Improved Phishing Detection

Malware-hosting websites are definitely dangerous, but you can also get into serious trouble by voluntarily entering your login credentials on a fraudulent website.
Imagine if a phishing site snagged your Amazon password, or the credentials for your online banking! Last year Vipre tanked this test.

This year's results are much, much better. To start my antiphishing test, I visit a number of sites that track these frauds.
Specifically, I scrape URLs that have been reported as fraudulent but not yet classified and blacklisted.
I open each URL simultaneously in a browser protected by the product under test and by antiphishing veteran Norton.
I also try each URL against the native protection of Chrome, Firefox, and Internet Explorer.

There's a lot of variation in the types of phishing URLs, and in their cleverness, so I report the difference between the detection rate of the various products, rather than hard numbers. Vipre's detection rate was just 6 percentage points behind Norton's, the same score managed by BullGuard Antivirus (2016).
Vipre also handily beat all three browsers. Roughly two-thirds of current products failed to beat at least one of the browsers, and half of those performed worse than all three browsers. See How We Test Antiphishing

Sad Lab Results

Vipre's scores in my own tests ranged from so-so malware blocking to excellent phishing protection.
It didn't fare as well with the independent testing labs.
ICSA Labs does certify Vipre for malware detection and cleaning, and West Coast Labs certifies it for detection.
It managed VB100 certification in eight of the last 10 tests by Virus Bulletin.

But the scores go downhill from there. In the latest three-part test by AV-Test Institute, Vipre earned 3 points for protection, 3 for performance, and 6 points for usability.

This last figure means that Vipre avoided screwing up by identifying valid apps and URLs as malicious.

But with 6 points possible in the important protection category, a score of 3 points is pretty bad.

Avira Antivirus 2015, Bitdefender, and Kaspersky Anti-Virus (2016) all managed a perfect 18 points in this same test. Vipre's one success with AV-Test involved avoiding false positives, but in tests by AV-Comparatives false positives proved problematic.

This lab tags products with Standard certification as long as they meet all essential capabilities.

Better products can earn Advanced or Advanced+ certification, while those that don't make the grade just rank as Tested.

And whatever the basic rating, enough false positives can drag it down. I follow five tests out of the many performed by this lab.
In the latest instances of those tests, Vipre earned Advanced once and Standard twice, but failed the other two tests, both times due to false positives.

That looks especially bad compared with Bitdefender and Kaspersky, which took Advanced+ ratings in all five. See How We Interpret Antivirus Lab Tests

Bonus Features

The Email and Privacy settings pages demonstrate that Vipre offers a number of features above and beyond the basics of antivirus.
It checks your incoming and outgoing email for malware, quarantining any problems it finds.

And it quarantines phishing messages—but not spam; antispam is reserved for the Vipre suite.

The email protection works with desktop clients only, not Web-based email, and if your email client uses non-default ports you'll need some technical skills to make it work.

Vipre's Social Watch component scans your Facebook page for malicious links. Naturally you have to log in to Facebook in order for it to work. You can stay logged in and set it to scan every so often, or log out for privacy.

When you enable the secure file eraser feature, it adds an item to the right-click menu for files and folders.

After you confirm that you want a particular file or folder gone forever, it overwrites the file's data before deletion, to prevent forensic recovery of sensitive data.
I'm just as happy that it doesn't let you configure this feature, since most users aren't remotely qualified to select between the available algorithms. As you browse the Web and use your computer, you leave behind a trail of clues that a nosy person could use to reconstruct your activities.
If that bothers you, the history cleaner component can help.
It will wipe out browsing traces for many popular browsers, recent file lists for popular applications, and a number of Windows-based traces.

There's a checkbox to show only programs that you actually have installed, but in my testing it did not seem to work.
I definitely don't have Safari, Opera, or ICQ in the test system, yet they remained visible even when I checked the box.

Some Ups, Some Downs

ThreatTrack Vipre Antivirus 2016 performed significantly better than the 2015 edition in some areas.
It scored quite a bit better in my antiphishing and malicious URL blocking tests, probably thanks to the new Edge Protection.
Its score in my hands-on malware-blocking test was so-so, much the same as last year, but if I see top scores from the labs, I give them more weight than my own test. Unfortunately, Vipre's labs scores aren't good at all. Antivirus is a big field, and I've identified a number of Editors' Choice products.

Bitdefender Antivirus Plus and Kaspersky Anti-Virus routinely take top honors from all of the independent labs. McAfee AntiVirus Plus does well in lab tests and my own tests, and one subscription protects all of your Windows, Mac OS, and mobile devices.

And Webroot SecureAnywhere Antivirus remains the tiniest antivirus around, with an especial focus on ransomware.

Any one of these will be a better choice for your system's antivirus protection.

2016: Bad USB sticks, evil webpages, booby-trapped font files still menace...

So update your software – now!

Microsoft has published the March edition of its monthly security updates, addressing security flaws in Internet Explorer, Edge and Windows, while Adobe has issued updates for Digital Editions, Acrobat and Reader. Microsoft posted 13 bulletins this month:

MS16-023: A cumulative update for Internet Explorer addressing 13 CVE-listed vulnerabilities, including remote code execution flaws. Visiting a booby-trapped webpage using IE can trigger the execution of malicious code and malware on the system.

MS16-024: A cumulative update for Microsoft Edge that addresses 10 CVE-listed memory corruption vulnerabilities and one information disclosure flaw.

MS16-025: An update for a single remote code execution vulnerability in Windows. This flaw only affects Windows Vista, Server 2008 and Server Core. "A remote code execution vulnerability exists when Microsoft Windows fails to properly validate input before loading certain libraries," says Redmond. "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

MS16-026: Two CVE-listed vulnerabilities in Windows, one causing denial of service and another allowing remote code execution. If an attacker convinces "a user to open a specially crafted document, or to visit a webpage that contains specially crafted embedded OpenType fonts," then malicious code will execute on their system.

MS16-027: Two CVE-listed vulnerabilities in Windows Media Parsing, both potentially allowing remote code execution. Visiting a webpage with a booby-trapped video embedded in it can exploit the bug to hijack the PC.

MS16-028: Two flaws in the Windows PDF Library that allow for remote code execution if you open a maliciously crafted document.

MS16-029: An update for Office addressing two memory corruption flaws and one security feature bypass vulnerability. Opening a document laced with bad code will trigger the bugs.

MS16-030: An update for two remote code execution vulnerabilities in Windows OLE. "An attacker must convince a user to open either a specially crafted file or a program from either a webpage or an email message," noted Microsoft. After that, code execution is possible.

MS16-031: An elevation of privilege vulnerability in Windows: applications can abuse handles in memory to gain administrator-level access.

MS16-032: An elevation of privilege vulnerability in the Windows Secondary Logon Service: again, applications can abuse handles in memory to gain administrator-level access.

MS16-033: An update to address a flaw in the Windows USB Mass Storage Class Driver that could allow attackers to gain elevation of privilege with a specially crafted USB drive.

MS16-034: A collection of four elevation of privilege flaws in the Windows Kernel-Mode Drivers: applications can exploit these to execute malicious code at the kernel level.

MS16-035: A fix for one security feature bypass flaw in the .NET framework.

Adobe, meanwhile, has issued two updates for its products:

Digital Editions for Windows, OS X, iOS and Android has been updated to patch a remote code execution vulnerability.
Acrobat and Reader for Windows and OS X have been updated to address three CVE-listed remote code execution flaws.

Users should also expect an update for unspecified vulnerabilities in Flash Player "in the coming days."

It’s 2016, so why is the world still falling for Office...

In the late 1990s, Microsoft Office macros were a favorite vehicle for surreptitiously installing malware on the computers of unsuspecting targets. Microsoft eventually disabled the automated scripts by default, a setting that forced attackers to look for new infection methods. Remotely exploiting security bugs in Internet Explorer, Adobe Flash, and other widely used software soon came into favor. Over the past two years, Office macros have made a dramatic comeback that has reached almost a fevered pitch in the past few months.

Booby-trapped Excel macros, for instance, were one of the means by which Ukrainian power authorities were infected in the weeks or months leading up to December's hacker-caused outage that affected 225,000 people. "Locky," a particularly aggressive strain of crypto ransomware that appeared out of nowhere two weeks ago, also relies on Word macros.

The return of the macro-delivered malware seemed to begin in late 2014 with the advent of a then-new banking trojan called Dridex. The return of the macro may have been a reaction to security improvements that Adobe, Microsoft, and Oracle have made to their software. Not only were the companies patching dangerous bugs more quickly, but in many cases, they fortified their code with defenses that caused exploits to simply crash the application rather than force it to execute malicious code.
Streamlined update mechanisms and greater end user awareness about the importance of installing security patches right away may also have caused code-execution exploits to fall out of favor. The renewed embrace of the macro is also consistent with the modus operandi attackers have exhibited for years. What's the point of burning a highly valuable zero-day vulnerability when a run-of-the-mill social engineering ploy and an easy-to-write Visual Basic script accomplishes the same thing?

New dogs learn old tricks

The new era of macro-delivered infections poses challenges that didn't exist in the late 1990s.

Back then, getting targets to open a poisoned Office document was usually enough to compromise their computer. Now that macros are disabled by default, the attacker has to create a ruse that convinces the mark to enable macros.

A favorite ploy is to present a document with blurred, obscured, or misformed text, along with the promise that allowing a macro to run will cause that document to be displayed correctly. Judging from the success of Dridex and Locky, it appears the ruse works well. The resurgence underscores some sad truisms in the world of security.

First, old tricks work wonders and often provide attackers with a useful fallback when countermeasures and security improvements threaten the spread of malicious applications.
Second, human gullibility and error are a constant.
Sadly, that's true not only for inebriated people surfing porn in the wee hours, but also for end users who clearly should know better—such as those inside the Ukrainian power authority, who were infected with malware known as BlackEnergy. (In fairness, accountants and other types of professionals often rely on macros to do their jobs.) Readers who receive documents in e-mail should think twice about opening them at all.

They should think doubly hard before ever enabling a macro. (In the 10 or so years since Microsoft disabled macros by default, I've never once enabled one, and there has never been a bad outcome.) Unfortunately, there are no readily available patches for the kind of ineptitude that makes these types of attacks possible. Or as Ron White put it, you can't fix stupid.

Expect them to remain a core part of the malware scene for the foreseeable future.

Malvertising campaigns are becoming harder to detect

Jerome Segura, a senior security researcher with Malwarebytes, was recently stumped by a cyber attack he was studying.
It seemed to keep vanishing. Segura often studies malvertising, which involves seeding ad networks with harmful online advertisements that then appear on websites, potentially delivering malware to a person's computer. It's a particularly insidious type of attack, since a person merely has to view an advertisement to become infected if their computer has a software vulnerability. "We knew there was something different that malvertisers were doing," said Segura in a phone interview Thursday. The problem was they couldn't replicate the attack by viewing the malicious ad.
It's almost as if the attackers knew they were being watched. Cyber attackers often profile machines -- known as fingerprinting -- in order to attack ones that are being used by security researchers. Machines on certain IP addresses or VPN networks or those running virtual machines won't be attacked. Segura couldn't get another look at the attack until he went home and used his home computer rather than the ones in Malwarebytes' lab. The suspicious advertisement contained a one-by-one pixel GIF image.

That's not unusual, as pixels are used for tracking purposes, but this one actually contained JavaScript. The JavaScript exploits an information leakage vulnerability (CVE-2013-7331) in older unpatched versions of Internet Explorer, Segura said.

The vulnerability can be used to parse a computer's file system and figure out if it's running certain AV programs. If a computer checked out, its user was redirected by the advertisement to a server running the Angler exploit kit, Segura said. It is not unusual for cyber attackers to do some quick reconnaissance on potential victims.

But Segura said this time around, the attackers are also taking other steps that make it very difficult for ad networks and security researchers to detect bad behavior. The malicious ad, including the one-by-one pixel, was also delivered over SSL/TLS, which makes it harder to detect potentially malicious behavior, Segura said. The malicious ad was carried by Google's DoubleClick and dozens of other ad networks.
It appears the attackers had set up fake domains and even LinkedIn profiles months before to appear they were legitimate before supplying their malicious advertisement to the online advertising companies. "It shows you how deceptive they can be and how many fake advertisers are out there," he said. Segura said he has been in touch with DoubleClick and other online advertising companies, but the malvertising ad is still running in some places. The automated nature of online advertising and the labyrinth of relationships between companies has made filtering malicious ads difficult, he said. "What criminals have figured out is it's easier to infiltrate a third partner that works with Google but doesn't necessarily have the same security screening and tight guidelines," Segura said. Malwarebytes posted a writeup of its research on its blog.

It’s official: Older versions of IE are now at risk

Microsoft this week made good on a 2014 promise and withheld security updates from users of older versions of the company's Internet Explorer (IE) browser. All Windows users still running IE7 or IE8...

Microsoft fixes 36 flaws in IE, Edge, Office, Windows, .Net Framework

Microsoft released its second batch of security updates for this year, addressing a total of 36 flaws in Internet Explorer, Edge, Office, Windows and .Net Framework. The patches are covered in 12 se...

Fixes for Flash flaws in IE and Edge browsers in Microsoft’s...

Fixes for critical flaws in Adobe Flash running on Microsoft's Internet Explorer and Edge web browsers are among a slew of "important" security updates in Microsoft's latest Patch Tuesday. This month's package isn't as bad as the one before it, when there were a lot of serious vulnerabilities to deal with, but it will still top many a sysadmin's daily to-do list. Microsoft notes that all versions of Windows are affected, and says that users of Windows Vista and later, including Windows 10, need to get patching immediately.

Wolfgang Kandek, chief technology officer at security firm Qualys, noted that after a busy January, things had more or less returned to normal. "We are back to normal numbers on Patch Tuesday. After a light start with nine bulletins in January we are getting 12 bulletins (five critical) in February, which is in line with the average count for last year of 12.25 a month. Actually it is 13, but the last one this month, MS16-022, is more of a packaging change," he said.

He continued: "It concerns Adobe Flash, a software package where updating has already been handled by Microsoft for the last three-and-a-half years in the Internet Explorer 10 and 11 browsers. The highest priority item is MS16-022, which contains fixes for 22 vulnerabilities for Adobe Flash, all of them rated as 'critical' and capable of handing the attacker complete control over the target machine."

The Flash update was also singled out by Tyler Reguly, manager of software development at Tripwire, who said that this is "one of the best changes" that February has to offer. "In case you missed it, no one likes Flash these days," he added. "One of the best changes this month is that Adobe Flash Player, embedded in Microsoft IE and Edge, has finally received its own bulletin. Previously, Microsoft updated the same Knowledge Base on a month-by-month basis with no defining elements. This is a welcome change and hopefully bodes well for other areas where Microsoft continues to do this."

A large chunk of the Microsoft fixes provide protection against remote code execution (RCE) threats. One of these applies to Windows Journal, which has piqued the interest of Craig Young, a security researcher at Tripwire. "Today marks the 12th RCE bug Microsoft is patching in Windows Journal in just 10 months. This is particularly interesting because Windows Journal vulnerabilities were basically unheard of before 2015," he said. "While the increased scrutiny of Windows Journal may be an indication of Microsoft's successes in the tablet space, it is important to remember that the flaw is not limited to tablets. In fact, every piece of software installed on a computer adds to the potential attack surface even if that software is not frequently used."

Don’t touch that PDF or webpage until your Windows PC is...

Microsoft has patched 41 CVE-listed security vulnerabilities in its software this month. The second Patch Tuesday monthly update of the year brings with it fixes for security flaws in both Internet Explorer and Edge that could allow remote-code-execution attacks simply by visiting a webpage. Also fixed are remote-code-execution holes in the Windows PDF Viewer and Microsoft Office. The full list is as follows:

MS16-009: A cumulative update for Internet Explorer 9 through 11. The update includes fixes for 13 CVE-listed issues, including remote-code-execution flaws and information disclosure vulnerabilities. As with all IE updates, the fixes are considered a lower risk for Windows Server installations.

MS16-011: An update for the Edge browser in Windows 10 comprising six fixes for CVE-listed issues, four of which are remote-code-execution vulnerabilities.

MS16-012: A fix for two remote-code-execution vulnerabilities in Windows PDF Library and Reader for Windows 8.1, Server 2012 and Windows 10.

MS16-013: A memory-corruption vulnerability in Windows Journal potentially allowing remote code execution in Windows Vista, Server 2008, Windows 7, Windows 8.1, Server 2012 and Windows 10.

MS16-014: Five security holes in Windows, including two remote-code-execution holes and a denial-of-service condition in Windows DLL Loading. Also fixed were an elevation-of-privilege error in Windows and a Kerberos security bypass flaw.

MS16-015: Six memory-corruption vulnerabilities in Office, each of which could allow for remote code execution. The update covers Office 2007, 2010, 2013, 2013 RT, and Office 2016 as well as Office for Mac 2011 and 2016.

MS16-016: One elevation-of-privilege flaw in WebDAV for Windows Vista, Server 2008, Windows 7, Server 2008 R2, Windows 8.1, Server 2012, Windows RT 8.1 and Windows 10.

MS16-017: An elevation-of-privilege flaw in Remote Desktop Protocol that could allow an attacker to log in to systems that have enabled Remote Desktop, which is turned off by default. The issue affects Windows 7, Windows 8.1, Server 2012 and Windows 10.

MS16-018: An elevation-of-privilege flaw in the Win32k component for Windows Vista, Server 2008 and 2008 R2, Windows 7, Windows 8.1 and 8.1 RT, Server 2012 and 2012, and Windows 10.

MS16-019: Updates for a denial-of-service flaw in .NET Framework and an information disclosure hole in Windows Forms. The fix covers Windows Vista, Server 2008 and 2008 R2, Windows 7, Windows 8.1 and 8.1 RT, Server 2012 and 2012 R2, and Windows 10.

MS16-020: A fix for one denial-of-service vulnerability in Windows Server 2012 R2. Other versions of Windows and Windows Server are not affected.

MS16-021: A denial-of-service vulnerability in the Network Policy Server Radius Implementation on Windows Server 2008, Server 2008 R2 and Server 2012.

After installing the Microsoft updates, users and administrators would be wise to install monthly fixes issued Tuesday by Adobe for Flash Player. The updates cover a total of 22 CVE-listed flaws for Flash, all of which could potentially be targeted for remote-code-execution attacks. The Flash Player update also affects versions for OS X and Linux boxes.

Sophos Home

Some antivirus vendors pitch their products directly to consumers, some focus instead on big-business protection, and some do both. For quite a while, antivirus giant Sophos has stayed on the business side of the market. With the recent release of the free Sophos Home, consumers can now enjoy the same level of antivirus protection as the Fortune 500 on up to 10 Windows and Mac OS devices. As it comes from a business orientation, Sophos Home includes some sophisticated management features not typically found in consumer-side free antivirus products.

To get started with the product, you create a free account, which gives you access to an online dashboard. You can log in to the dashboard from any PC or Mac to install the software directly, or send a link to install Sophos on another device. McAfee AntiVirus Plus (2016) is one of the very few competitors to offer this kind of remote management. The installer notes that getting the product installed can take up to 15 minutes, which seemed unusually long to me. But indeed, it did take almost precisely that long. After installation, it downloaded updated antivirus definitions and launched a full scan. The scan took 37 minutes, just slightly less than the current average. A repeat scan wasn't significantly faster.

Simple Interface

Whether you install Sophos on a Mac or a Windows box, its main window exhibits a pleasant simplicity. A large banner across the top displays your security status, with a button to view any pending alerts and another button to open the online dashboard. You can click to launch a full scan, which displays its progress right in the main window. And there are on/off switches for Automatic Virus Protection, Web Protection, and Potentially Unwanted App Detection.

There's one little problem with the Sophos Home user interface: every time you open it, you have to respond to a User Account Control prompt. That's not quite as bad as ESET Smart Security 9, which requires a UAC response every time you respond to a firewall program control popup, but it still seems unnecessary.

Labs Love It

The independent antivirus testing labs don't specifically include Sophos Home in their testing, but Sophos Cloud Endpoint Protection comes under scrutiny by all of the labs that I follow. According to Sophos, the free consumer product "uses the same award-winning technology from Sophos that protects millions of business people worldwide," which makes sense. Why would the company develop a separate technology for the free product?

Both ICSA Labs and West Coast Labs certify Sophos both for malware detection and malware removal. Looking at results from Virus Bulletin, it appears that Sophos stopped participating some months ago. However, Sophos did participate in four of the most recent 12 tests and earned VB100 certification each time. Bitdefender Internet Security 2016 and ESET took VB100 in all 12 of those tests.

AV-Test Institute evaluates antivirus products from three different angles: protection, performance, and usability. In the all-important protection test, Sophos earned 6 of 6 possible points, and it managed 5 points for performance. Its 5.5 point score for usability indicates that to some small degree it flagged valid programs or websites as malicious. Sophos earned 16.5 of 18 possible points, which is quite good. However, several products earned a perfect 18 in the latest test, among them Bitdefender, Kaspersky Internet Security (2016), and Symantec Norton Security Premium.

The researchers at AV-Comparatives perform a dazzling variety of tests; I closely track five of those tests. Sophos participated in four of these. It earned the top rating, Advanced+, in the performance test, and managed Advanced in the file detection, zero-day detection, and real-world dynamic tests.

Dennis Technology Labs aims to replicate the user's actual experience as closely as possible. Every day, researchers locate real-world malicious URLs that host drive-by downloads and other attacks, using site-ripping tools to capture the entire website. For testing, they use a playback system to expose each product to exactly the same attack. Products can receive certification at five levels: AAA, AA, A, B, and C. Sophos earned the best possible rating, AAA, with excellent detection and no false positives.

Test results for the antivirus technology shared by Sophos Home and the Endpoint Protection product are very good. However, Kaspersky and Bitdefender in particular have done even better. See How We Interpret Antivirus Lab Tests

Accurate Antiphishing

The Web Protection component in Sophos Home watches incoming HTML data and blocks access to dangerous websites of all kinds, including phishing sites. In testing, it proved quite accurate. For this test, I gather a collection of URLs that have been very recently reported as fraudulent, so recently that they haven't yet been analyzed and blacklisted. I launch each URL simultaneously in five browsers. One browser is protected by the product under testing, naturally, and another by Norton, which has consistently proven to be an antiphishing whiz. The other three rely on the fraud protection built into Chrome, Firefox, and Internet Explorer.

Out of more than 30 recent products, only one, Bitdefender, has outperformed Norton in this test. More than two-thirds of the products earned a detection rate lower than at least one of the browsers, and half of those failed to beat any of the browsers. I'm happy to say that Sophos isn't among this losing crowd. The Web Protection component's phishing detection rate came in just 4 percentage points below Norton's; only a handful of competitors have done better. And Sophos beat out the built-in protection of all three browsers, by varying amounts. See How We Test Antiphishing

Effective Malicious URL Blocking

In addition to antiphishing, Web Protection naturally covers fending off websites that host malware or spyware, or that are known to be dangerous. Here again, Sophos turned in an excellent performance. For this test, I use a feed of newly discovered malware-hosting URLs supplied by MRG-Effitas. The test is quite simple. I try to launch each URL in turn, discarding any that result in an error message. For the ones that are still live, I note whether the antivirus prevents all access to the URL, catches and eliminates the malware payload during download, or completely misses the attack event.

Out of 100 active malicious URLs, Sophos protected against 90 percent, almost all of them by completely blocking access to the URL. It identified several different kinds of problems. For some, it reported Malicious Content, identifying the detected malware. Others it blocked with a message that spyware was found. And it flagged quite a few as High Risk, also identifying malware found on the site. Only two recent products have scored better in this test. Norton and McAfee both managed 91 percent protection, edging out Sophos by a single percentage point.

Less Impressive Malware Blocking

I saved reporting on my own hands-on malware blocking test for last, because the results aren't as stellar as the other tests. This test starts when I open a folder containing my current collection of malware samples. Like many of its competitors, Sophos started checking these samples the moment I opened the folder.

The transient popups that Sophos uses to report threat detection deserve a mention. Many products display a transient notification near the bottom right of the desktop. Some incorporate multiple detection events into a single notification, others stack up notifications so you can view them one by one. Sophos displays a modern-looking transient banner near the top right of the screen.
If there are multiple events, it displays as many as three banners, one below the other. And if there are more than three the new ones take their place as the older ones fade out. It's different, but it works. Over the course of several minutes, Sophos detected and eliminated 61 percent of the samples. That's not bad, but many competitors wiped out even more of these samples on sight. AVG AntiVirus Free (2016) and Panda Free Antivirus (2016) eliminated more than 80 percent of the samples at this stage. Next, I launched the surviving samples one at a time, noting whether Sophos detected the attack and using a hand-coded tool to verify how thoroughly it blocked those that were detected. Sophos missed roughly a third of the survivors. Another third managed to plant one or more executable files on the test system despite the product's attempt at protection. With 86 percent detection and an overall score of 7.9 points, Sophos doesn't look good in this test. Most of the time my hands-on results jibe with results from the labs. When they don't, I give the labs more weight. They have dozens of experts working on antivirus analysis, after all. See How We Test Malware Blocking Remote ManagementI mentioned earlier that you install Sophos Home on a Windows or Mac OS device by logging in to the Home Dashboard. Once you've installed protection on a device or two, you can use the dashboard to remotely monitor and control your installations. The dashboard's summary page lists all of your devices, along with the number of alerts, threats cleaned, and websites blocked. It also reports the time of the latest update. Below this you get a list of all recent alerts. For alerts involving detection of a Potentially Unwanted Application (PUA), you can remotely choose to ignore the detection or ask Sophos to clean up. Clicking on a particular device in the dashboard gives you more remote control abilities. You can trigger a scan, or remove Sophos from the device. 
And you can toggle the on/off status of the same three components featured on the local product's main page: Automatic Virus Protection, Potentially Unwanted App Detection, and Web Protection. A Choice to ConsiderSophos Home uses the same technology that gets rave reviews in the service's business-focused Cloud Endpoint Protection. It gets very good ratings from the independent testing labs, and it earned high scores in my hands-on antiphishing and malicious URL blocking tests. I did find its performance in my hands-on malware-blocking test unimpressive, though. Three free antivirus products have earned the title of Editors' Choice, Avast Free Antivirus 2016, AVG AntiVirus Free (2016), and Panda Free Antivirus (2016). If you're looking for free antivirus protection, these are definitely worth consideration. But since it costs nothing to try a free antivirus, consider giving Sophos Home a whirl, too. You may find that its simple interface and remote management suit your needs.

WordPress Hacks Silently Deliver Ransomware To Visitors

Image caption: If you're a gamer (or anyone else), this is not a screen you want to see. (Credit: Bromium Labs)

It's still not clear how, but a disproportionately large number of websites that run on the WordPress content management system are being hacked to deliver crypto ransomware and other malicious software to unwitting end users. In the past four days, researchers from three separate security firms have reported that a large number of legitimate WordPress sites have been hacked to silently redirect visitors to a series of malicious sites.

The attack sites host code from the Nuclear exploit kit that's available for sale in black markets across the Internet. People who visit the WordPress sites using out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer can then find their computers infected with the Teslacrypt ransomware package, which encrypts user files and demands a hefty ransom for the decryption key needed to restore them.

"WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads," Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. "This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit."

According to a Monday blog post published by website security firm Sucuri, the compromised WordPress sites it observed have been hacked to include encrypted code at the end of all legitimate JavaScript files.

The encrypted content is different from site to site, but once decrypted, it looks similar to that shown in the image below (image: Sucuri). To prevent detection by researchers visiting the compromised site, the code takes pains to infect only first-time visitors.

To further conceal the attack, the code redirects end users through a series of sites before delivering the final, malicious payload. Sucuri said Google's Safe Browsing mechanism—which browser makers use to help users avoid malicious websites—had blacklisted some of the Internet domains used in the ruse.

A post published Thursday by Heimdal Security, however, listed a different domain, leaving open the possibility that the attackers are regularly refreshing as old ones get flagged. Heimdal Security also warned that antivirus programs may do little to protect end users.

During the latest leg of the campaign, for instance, the exploit code was detected by just two of the 66 leading AV packages, while the payload it delivered was also limited (the blog post didn't provide specifics).

Driveby attacks not just on porn sites anymore

The attacks are the latest reminder that people can be exposed to potent malware attacks even when visiting legitimate websites they know and trust.

The best defense against such driveby attacks is to install security updates as soon as they become available. Other measures include running Microsoft's Enhanced Mitigation Experience Toolkit on any Windows-based computers and using the 64-bit version of Google's Chrome browser if possible. It's not yet clear how the WordPress sites are getting infected in the first place.
It's possible that administrators are failing to lock down the login credentials that allow the site content to be changed.
It's also feasible that attackers are exploiting an unknown vulnerability in the CMS, one of the plugins it uses, or the operating system they run on. Once a system is infected, however, the website malware installs a variety of backdoors on the webserver, a feature that's causing many hacked sites to be repeatedly reinfected.

As Sucuri researcher Denis Sinegubko wrote:

The malware tries to infect all accessible .js files. This means that if you host several domains on the same hosting account all of them will be infected via a concept known as cross-site contamination. It’s not enough to clean just one site (e.g. the one you care about) or all but one (e.g. you don’t care about a test or backup site) in such situations – an abandoned site will be the source of the reinfection. In other words, you either need to isolate every site or clean/update/protect all of them at the same time!

People running WordPress sites should take time to make sure their servers are fully patched and locked down with a strong password and two-factor authentication.
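One way an administrator can act on the cross-site contamination point above is a file-integrity baseline that covers every site on the hosting account at once. The script below is an added example, not code from Sucuri, Ars Technica or WordPress: it records sha256 and size for each .js file under each site root, then on re-run flags files that grew with their original bytes still intact (the append-at-end pattern described in the article) separately from outright rewrites. The two site directories and the "injected" blob are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_prefix(path, limit=None):
    """sha256 of the first `limit` bytes of path (whole file when None)."""
    h = hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def js_files(site_roots):
    """Yield ('<site dir name>/<relative path>', Path) for every .js file."""
    for root in map(Path, site_roots):
        for p in sorted(root.rglob("*.js")):
            if p.is_file():
                yield f"{root.name}/{p.relative_to(root).as_posix()}", p


def build_baseline(site_roots):
    """Snapshot taken on a known-clean install; keep it outside the web root."""
    return {key: {"sha256": sha256_prefix(p), "size": p.stat().st_size}
            for key, p in js_files(site_roots)}


def check_sites(site_roots, baseline):
    """Compare every site's .js files against the baseline; any hit in one
    site means all sites on the account need cleaning at the same time."""
    report = {"appended": [], "rewritten": [], "added": [], "removed": []}
    seen = set()
    for key, p in js_files(site_roots):
        seen.add(key)
        old = baseline.get(key)
        if old is None:
            report["added"].append(key)
            continue
        size = p.stat().st_size
        if size == old["size"] and sha256_prefix(p) == old["sha256"]:
            continue  # unchanged
        # Original bytes intact in front, extra bytes after them: the
        # append-to-end injection pattern described in the article.
        if size > old["size"] and sha256_prefix(p, old["size"]) == old["sha256"]:
            report["appended"].append(key)
        else:
            report["rewritten"].append(key)
    report["removed"] = sorted(k for k in baseline if k not in seen)
    return report


def demo():
    """Two constructed sites on one account; the abandoned test site is hit too."""
    injected = b"\n/* constructed stand-in for the appended blob */ eval(x);\n"
    with tempfile.TemporaryDirectory() as tmp:
        sites = [Path(tmp, "main-site"), Path(tmp, "old-test-site")]
        for s in sites:
            (s / "wp-includes" / "js").mkdir(parents=True)
            (s / "wp-includes" / "js" / "jquery.js").write_bytes(b"/* stub */\n")
            (s / "theme.js").write_bytes(b"console.log('theme');\n")
        baseline = build_baseline(sites)
        # Cross-site contamination: every reachable .js on the account is hit.
        for _, p in js_files(sites):
            with open(p, "ab") as f:
                f.write(injected)
        # One file fully replaced, to show the other classification.
        (sites[1] / "theme.js").write_bytes(b"/* entirely replaced */\n")
        return check_sites(sites, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the baseline from a cron job outside the web root, over all site roots on the account, turns the "clean every site at once" advice into a repeatable check rather than a one-off cleanup.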

This post will be updated if researchers uncover a cause of this ongoing hack campaign. Until then, admins and end users alike should stay vigilant for signs one of their systems is being targeted and follow the usual best practices listed earlier.

IObit Advanced SystemCare Ultimate 9

When your formerly speedy PC starts to stutter and drag, you may be inclined to pin the blame on your antivirus. Hey, it's an easy target, right? Chances are good, though, that any slowdown is due to things like over-filled hard drives or too many programs running in the background. IObit's Advanced SystemCare Ultimate 9 has the answer for you—it combines antivirus protection with a full suite of system tune-up tools. At $29.99 per year for three licenses, it costs less than many competing standalone antivirus products. Unfortunately, the core antivirus protection didn't hold up in my testing.

IObit's main window reports your current security status and features three extra-large glowing icons that launch a Quick, Full, or Custom Scan. Tested on my standard clean virtual machine, the full scan took 26 minutes, which is good, given that the current average is almost 40 minutes. Some antivirus products actively avoid rescanning known good files, making repeat scans very fast. AVG AntiVirus (2016) and Total Defense Anti-Virus (2015) zoomed through a repeat scan in about one minute. IObit doesn't seem to attempt this kind of scan optimization.

Easy Start

When you launch IObit's installer, you see a simple screen with one big button that simultaneously accepts the product license and launches the installer. The install process completed. To finish the process, I updated antivirus definitions and activated the product to enable real-time protection.

After I finished activation, the program presented me with a big screen full of additional features and settings, most of which were flagged as enabled. Clicking a link activated the features that weren't enabled by default: Surfing Protection, Registry Deep Clean, and Secure File Deletion. I noticed that even though I activated the program, it still displayed an advertisement across the bottom, offering me an 80 percent discount on IObit's Drive Booster 3 Pro, along with "super gifts." This kind of internal advertising is found throughout the program. The Action Center notifies you about security problems, but also touts special deals on other IObit products. An Exclusive Offers button on the scan-complete screen likewise takes you to an advertising page. Some users may find these elements annoying.

Mediocre Malware Protection

IObit uses Bitdefender's antivirus engine, so, in a perfect world, its lab-test scores would track precisely with the excellent scores attained by Bitdefender Antivirus Plus 2016. However, the independent labs state very clearly that test results apply only to the actual product that was tested. None of the labs include IObit in testing, so the only test results I can rely on are my own. My own testing shows that IObit's protection doesn't track with Bitdefender's at all.

To start my malware-blocking test, I open a folder containing my current set of malware samples. The minimal file access that occurs when Windows Explorer checks a file's name, size, and creation date is enough to trigger real-time protection in many antivirus products, including IObit. After a few minutes, it had eliminated 75 percent of the samples. Bitdefender wiped out 79 percent at this point, but the set of samples caught on sight by the two products didn't completely match. IObit missed some that Bitdefender caught, and caught one that Bitdefender missed.

When I continued the test by launching the samples that weren't wiped out immediately, the two products diverged further. Some of the samples IObit caught after launch managed to install executable traces on the test system, a problem that didn't happen with Bitdefender. Overall, IObit detected 82 percent of the samples and scored 7.9 of 10 possible points. Bitdefender detected 93 percent and managed 9.3 points. That's the top score among products tested using this same set of samples. Bitdefender shares that top score with Avast Pro Antivirus 2016. Tested using my previous malware collection, Webroot SecureAnywhere Antivirus (2015) managed a perfect 10 points.

In order to precisely compare how thoroughly different antivirus products fend off malware attacks, I necessarily use the same set of thoroughly analyzed samples for quite a while. My malicious URL blocking test, on the other hand, always uses the very latest malware-hosting URLs, supplied in a daily feed by MRG-Effitas. I load URL after URL, noting whether the antivirus keeps the browser from reaching the URL, wipes out the payload during download, or sits idly twiddling its thumbs. I continue until I've captured data for 100 active malware-hosting URLs.

Throughout this test, IObit teetered back and forth, almost evenly balanced between wiping out downloads and completely missing all detection. I began to think that its Surfing Protection component wasn't designed for this sort of test. Near the end, though, that component did kick in to block precisely one URL at the browser level. IObit's overall score of 50 percent protection is a little better than the current average, but nowhere near Bitdefender's 74 percent protection. Top scorers in this test are McAfee AntiVirus Plus (2016) and Symantec Norton Security Premium, each with 91 percent protection.

See How We Test Malware Blocking

Poor Protection Against Phishing

The Surfing Protection browser add-in serves to block both malware-hosting URLs and other types of dangerous URLs. That includes phishing sites, those nasty frauds that masquerade as PayPal, your bank, or some other secure site, attempting to steal your login credentials. Given that this component blocked access to just one in 100 malware-hosting URLs, it couldn't fare worse in the antiphishing test unless it earned a big fat zero. It actually scored better than that, but still failed to impress.

For this test, I gather URLs that have been reported as fraudulent, but that haven't yet been verified and blacklisted. I launch each URL on five test systems, each protected in a different way. One system uses the product under testing, of course, and another uses Norton, a long-time antiphishing winner. The other three rely on protection built into Chrome, Firefox, and Internet Explorer. Since the nature of current phishing sites varies from day to day, I report results as the difference between the detection rate of the product and of the other four test systems.

IObit's detection rate was a full 76 percent lower than Norton's, which puts it in the bottom quarter of recent products, score-wise. Kaspersky Anti-Virus (2016) came very close to tying with Norton, while Bitdefender is the only recent product that actually outperformed Norton in this test. All three browsers handily beat IObit, despite Chrome having an apparent bad day. The lesson is clear—don't turn off your browser's fraud protection, because IObit won't take its place.

See How We Test Antiphishing

Clean and Optimize

Antivirus is just part of what you get with this product. IObit's full-scale system tune-up utility, similar to Iolo System Mechanic 14, is included in Advanced SystemCare Ultimate. Note, though, that while you can use the Iolo product on any number of computers, cleanup with IObit is limited to the three licenses that come as part of your subscription.

Once you get past the Antivirus page, the rest of this product is devoted to system cleanup and optimization. The Clean and Optimize page lets you launch a scan to clean up unwanted junk that may be slowing your system, among other things. Just half of these modules are enabled by default, probably because those not enabled can take a long time to finish. I was mildly surprised to find Spyware Removal and Security Defense in this collection (the latter says it will prevent spyware installation). I would think those belong with the antivirus.

The components that are enabled by default sweep your system for spyware, boost your Internet speed, fix broken shortcuts, eliminate junk files and Registry items, and sweep away activity traces that could compromise your privacy. Running a scan using just these components took just a couple of minutes. On completion, it offered a summary of found problems with the option to dig in for detail and even exempt certain items from cleanup. Most users will probably just click the big Fix button. Before making any changes, IObit creates a rollback record. That way if by some mischance the cleanup causes trouble, you can undo its changes using the Rescue Center. As with the antivirus scan, the final page offered an Exclusive Offer button, encouraging me to buy more IObit products.

The components not checked by default serve to defrag the Registry and hard drives, check for drive errors, optimize system settings for speed, and fix Windows vulnerabilities. I started a scan using all of the components, and was pleasantly surprised to find that it took just a few minutes more. The process of fixing found problems took about 30 minutes this time, since it included installing a few Windows updates and partially defragging the hard drive. But that's really quite a reasonable time to perform those deeper optimizations.

Speed Up

Apparently speeding up your system isn't quite the same as optimizing it, so IObit offers a separate Speed Up page with four choices: Turbo Boost, Startup Accelerate, Deep Optimization, and App/Toolbar Cleaner.

Turbo Boost is something you'll use sparingly, for times when you really need every ounce of performance. It terminates unnecessary applications and services and sweeps the system to release RAM that's allocated but not in use. Note that IObit maintains a tiny desktop widget that reports RAM and CPU usage—you can click its broom icon to sweep for RAM that can be released. By default, Turbo Boost operates in Work Mode. You can configure it to use Game Mode, which terminates even more services. Economy Mode aims to minimize power consumption so you can keep using a laptop whose battery is low.

The Startup Accelerate component simply lists the programs that launch at system startup and lets you manage them. On the basic Startup Accelerate page, I couldn't figure out what to do. The two items listed just had Ignore in the Action column, and when I clicked it for one, that item vanished. Clicking the link for advanced configuration made things clearer. In this mode, I found I could set each item to enabled, disabled, or delayed, much like the similar feature in Norton.

Its Deep Optimization list displayed Windows features, including Intelligent Disk Accelerate and Fast Startup, but reported them already optimized. Other tabs listed add-ins that launch with various browsers and non-essential Windows services. When I clicked for details under Deep Optimization, IObit offered a laundry list of settings to speed hard drive access, network connections, and overall system speed. Finally, the App/Toolbar Cleaner didn't show a thing, because it didn't find any suspicious browser apps or plugins. Avast and Panda Antivirus Pro 2016 offer similar toolbar clean-up tools.

Toolbox and Action Center

You may be a bit overwhelmed the first time you open IObit's Toolbox page. This page sports more than two dozen icons representing various types of utilities from IObit. Some are not currently installed, but can be downloaded (represented by a down-arrow icon overlay). Some of those must be purchased separately. Others, those with no icon overlay, are already present, but may require payment for Pro features. To help you deal with icon overload, IObit now includes the option to put your favorite tools at the top. The only one of the toolbox items that's related to antivirus protection is a button for IObit Malware Fighter. Given this product's abysmal performance in our testing, I can't imagine why you'd choose to install it.

As noted earlier, the Action Center tab touts a "VIP exclusive offer" to purchase other IObit products at drastically slashed prices. If you're not interested, just click the link to hide these offers. You'll also find IObit's software updater list in the Action Center. On my test system, Chrome, Firefox, and Java all needed updates. IObit handled them as automatically as possible, though finalizing the Java update did require my participation. Given that Java and browsers are subject to extreme scrutiny by malefactors seeking security holes, keeping them up to date is very important.

Not the Antivirus You're Looking For

IObit Advanced SystemCare Ultimate 9 uses Bitdefender's antivirus engine, yet its test results don't come close to Bitdefender's. The independent antivirus labs don't include it in testing. And where Bitdefender is the only current product that has beaten Norton in our antiphishing test, IObit scored near the bottom. As an antivirus, this product doesn't impress.

Our Editors' Choice picks for commercial antivirus protection are Webroot SecureAnywhere Antivirus, Kaspersky Anti-Virus, and Bitdefender Antivirus Plus. All three cost $10 more than IObit, but that's a well-spent 10 bucks, as they offer much, much better protection. If you want antivirus plus system optimization, choose one of these products and add a top-rated tune-up product.