The Tech News Blog

April 10, 2013

Microsoft Outperforms Symantec in Antivirus Test

In the latest on-demand test from AV-Comparatives, quite a few products lost points due to false positives—erroneously identifying a valid program as malware. Symantec and Microsoft scored about the same based on detection of malware samples, but Symantec lost points due to false positives. There's more to the story than that, though.

On-Demand Scanning
The on-demand scanning test exposes each tested product to a collection of "samples from the last weeks/months which are/were hitting users in the field." The samples are further analyzed to classify similar files and reduce the sample set size, so "each miss is intended to represent one missed group." This particular test uses 136,610 recent samples. A product's initial score is the percentage of samples detected.

Surprisingly, Symantec's Norton AntiVirus demonstrated the lowest detection rate (before considering false positives), with 91.2 percent detection. Microsoft Security Essentials edged higher, detecting 92 percent of the samples. With 99.9 percent detection, G Data AntiVirus topped the list. Several others managed better than 99 percent.

April 10, 2013

Microsoft Fixes Critical IE Bugs in April Patch Tuesday


Windows administrators with spring fever can rejoice; Microsoft released only two critical bulletins as part of its Patch Tuesday release.

Of the nine bulletins released this month, only two are rated as critical, meaning an attacker can get control over the targeted machine remotely. All the remaining ones are rated as important, which means the attacker generally needs some kind of access to the system before taking it over. All in all, Microsoft addressed 13 security vulnerabilities this month.

The good news is that most of the impact is on the legacy code base and not on the latest versions of Microsoft products, said Paul Henry, a security analyst with Lumension. "If your system is running the latest and greatest versions of software – as you should always do, since newest is usually the most secure – then you should be minimally impacted this month," he said.

April 5, 2013

Microsoft Passes Antivirus Test, But Just Barely

Malware in the wild must change and evolve, always developing new ways to evade security products. In a similar fashion, those testing security solutions can't just keep doing the exact same thing. With its latest report on consumer and business antivirus solutions, German lab AV-Test has introduced a few changes.

For the past several years, AV-Test has rated antivirus products on three criteria: Protection, Repair, and Usability. The Protection score relates to how well the product handles both widespread malware and zero-day attacks. Repair refers to the product's ability to wipe out active malware and remove all traces from the test system. The degree of impact on system performance feeds into the Usability score, as does the number of false detections.

A New Plan
Starting with the current report, AV-Test has pulled the Repair criterion. They'll now be reporting on repair of existing malware infestations in separate, dedicated tests. According to the report, these special tests "will be performed over a longer period of time and also focus on stand-alone cleaning utilities and rescue media." Austrian lab AV-Comparatives has recently introduced a similar test specifically looking at how well antivirus products clean up known malware.

In the new AV-Test scheme, Performance is a separate category, not part of Usability. Products can still earn up to 18 points, six apiece for Protection, Performance, and Usability. For certification, a product must earn more than 10 points.

April 4, 2013

Feds Say iMessage Is ‘Impossible’ to Intercept


Encryption technology used by Apple's iMessage makes it "impossible" for law enforcement to intercept the content of those messages, according to documentation from the Drug Enforcement Agency (DEA).

As reported by CNET, the DEA released an unclassified document that discusses how iMessage might thwart criminal investigations.

The DEA's San Jose office discovered last month that iMessages sent between Apple devices "are not captured by pen register, trap and trace devices, or Title III interceptions," the document says. "iMessages sent between two Apple devices are considered encrypted communication and cannot be intercepted, regardless of the cell phone service provider."

It's easier to intercept a message between an iOS and non-iOS device, the DEA said.

Apple introduced iMessage in 2011. By Nov. 2012, messaging data showed a decline in text messaging for the first time in western markets, due in part to the switch to iMessage.

While you might find it heartening to learn that the feds cannot monitor the iMessages on your iPhone, the issue complicates efforts to collect evidence against those who are using their Apple gadget for criminal activity.

March 27, 2013

Java Attacks Succeed Because Users Don’t Update Software

Forget zero-days. Java attacks succeed because users are running out-of-date versions of the Java plug-in in their browser.

Nearly 75 percent of end users are running a version of Java in their browser that's at least six months out of date, Charles Renert, vice president of research and development for Websense, wrote on the Websense Security Labs blog Monday. Only five percent of endpoints were running the latest version of Java Runtime Environment, 1.7.17, Websense found.

The numbers get even more distressing when looking at older versions of the Java plug-in for the browser. Two-thirds of the users had a version of Java that was at least a year out of date, and 50 percent were running a version more than two years old. Nearly 25 percent of the users actually had a version that was more than four years old. The chart above has the details (a larger image is on the blog post).

"As you can see, Java versions are all over the map," Renert noted.

The data for this analysis came from the tens of millions of endpoints in Websense's ThreatSeeker network.

March 25, 2013

Chinese University Linked to Military Hacking Group


Researchers at Chinese universities have been collaborating on security-related papers with members of the military linked to hacking, according to Reuters.

In examining technical research papers available online, the news wire found that several were co-authored by PLA Unit 61398, a section of China's People's Liberation Army linked to hacks carried out against Western companies. The papers, from Shanghai Jiaotong University, focus on computer network security and intrusion detection.

According to Reuters, most universities in the developed world avoid working with government intelligence agencies on official papers. There's no evidence that university staff have been involved in the hacks, but the collaboration is troublesome.

In late February, a report from U.S.-based security firm Mandiant accused the Chinese military of carrying out cyber attacks on U.S. and other targets. Mandiant linked the attacks to a group known as APT1 and a building in Shanghai that houses PLA Unit 61398.

"Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors," Mandiant concluded. "We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support."

March 21, 2013

Apple Enables Two-Factor Authentication for iCloud, Apple IDs


Apple this week launched two-factor authentication for iCloud and Apple IDs.

The optional feature will require users to verify their identities beyond providing their passwords when: signing in to an Apple ID to manage an account; buying something on iTunes, the App Store, or iBooks; or getting Apple ID-related support from Apple.

"Turning on two-step verification reduces the possibility of someone accessing or making unauthorized changes to your account information at My Apple ID or making purchases using your account," Apple said on its support website.

If you sign up for two-factor authentication, Apple will send a four-digit code to a trusted device capable of receiving such messages (like your iPhone) every time you try to sign in to your iCloud or Apple ID account, which you will have to enter as well as your standard password.

March 20, 2013

Samsung Lockscreen Hacked in Under Three Minutes, Fast Fingers Required


Self-described mobile device enthusiast Terence Eden discovered a vulnerability affecting the Samsung version of Android where an attacker can disable the phone's lock screen using only his fast fingers and the Google Play store.

Breaking the Lockscreen
At issue is a split second when the home screen is displayed when navigating away from the emergency call section of the lock screen. Eden discovered that with some perseverance, he was able to launch apps from the homescreen and eventually take control of the device.

After seeing the vulnerability in action (see the video below) it's clear that while this is a critical flaw, it's also difficult for attackers to use it. In his demonstration, Eden used the split-second homescreen access to launch Google Play, activate the voice search feature, download a lockscreen unlocker from Google Play, and activate it.

On his blog, Eden points out that because the phone is fully functional for that brief moment from the lockscreen, attackers could do anything. "From there, you can dial any phone number (one digit at a time) and place a phone call," he writes on his blog.

March 20, 2013

South Korean Banks, TV Stations Hit by Major Cyber Attack


Early Wednesday, several major South Korean banks and television stations experienced what is being described as a network attack, bringing down computer servers and rendering some of the country's leading financial and media organizations crippled for hours.

Targets of the simultaneous attack included commercial banking firms Shinhan, Jeju, and NongHyup, along with television stations KBS, YTN, and MBS. Also, according to a Reuters report, local Internet service provider LG Uplus had its internal systems breached.

The first reports of the attack began to trickle out to the public via Twitter as various users reported difficulty accessing their Shinhan Bank and NongHyup Bank accounts via ATM. According to early reports from local English news service Voice of America, some staff at KBS reported seeing "boot file deleted" messages on their computer screens, while YTN reportedly had systems involved in on-air production directly affected. Several sources claim that the widespread systems glitch was the result of malicious code, with no particular hacker group claiming responsibility. However, according to the BBC, some affected users reported seeing skull images on their downed computer terminals. 

March 18, 2013

Apple Updates 21 Bugs in OS X Mountain Lion


Apple closed a serious Java flaw in OS X Mountain Lion in a mammoth OS X update released last Thursday.

Apple closed 21 security holes in Mac OS X Mountain Lion, of which 11 were remote code execution flaws, the company said. The OS X Mountain Lion v10.8.3 update comes just a month after an earlier hefty update patched 30 outstanding issues in Java 6 in Mac OS X.

While Apple addressed non-Java bugs in this update, the most interesting patch in this update was still Java related. A bug in OS X's Core Types component could allow a malicious website to launch a Java Web Start application even if the Java plug-in was disabled, Apple said in its release notes.

"It'll be something of a surprise for anyone who was relying on Apple's newfound strictness against Java to find that turning Java off in your browser didn't necessarily have the desired effect!" Paul Ducklin, head of technology for the Asia-Pacific region at Sophos, wrote on Naked Security.

Apple has enabled several features in the past to automatically disable the Java plug-in in the browser if it hasn't been used recently, and the latest update disabled older versions of Java if they hadn't been updated recently. This bug meant that disabling Java in the browser did not make Macs any safer from attack.