Security Garden

Thursday, November 20, 2014

Fake Tech Support Scams

Although not all fake tech support callers claim to be calling on behalf of Microsoft, claiming to represent Microsoft or Windows is the most common approach in such calls. Scammers also claim to represent other vendors such as Dell, McAfee and Norton.

Two operations working out of the state of Florida have conned tens of thousands of consumers out of more than $120 million through their deceptions. The FTC and the state of Florida obtained federal court orders to shut down those two operations for deceptively marketing computer software and tech support services. The court orders have additionally placed a temporary freeze on the defendants’ assets and have placed the businesses under the control of a court-appointed receiver.

As welcome as the FTC action is, fake tech support scams have been harassing people since early in 2009 and this is not the end of it.  As I recommended over two years ago:

Should you receive an unsolicited telephone call from someone purporting to be from Microsoft (or any other vendor), the best advice is to just hang up! Microsoft does not make this type of telephone call.

There are also people who try to keep these cybercriminals on the telephone, not only to waste their time but also to keep them tied up so they are not calling someone else who may not realize the caller is a scammer. Microsoft recently published an online form to Report a technical support scam. By supplying as much of the information requested on the form as possible, you will be assisting both Microsoft and law enforcement agencies in stopping these cybercriminals.


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, November 18, 2014

Microsoft Out-of-Band Critical Security Update

One of the security updates that was delayed in the regular patch cycle last week has been released.

MS14-068 is a critical update that addresses a vulnerability in Kerberos that could allow elevation of privilege. Microsoft is aware of limited, targeted attacks that attempt to exploit this vulnerability.

As described in the security bulletin:
"An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only."


Friday, November 14, 2014

Pale Moon Version 25.1.0 Released with Security Updates

Pale Moon has released version 25.1.0 to address current incompatibilities with websites.  The version includes security updates and introduces new features.

Security fixes:
  • Fixed several memory security hazards (CVE-2014-1574 and CVE-2014-1575).
  • Fixed CVE-2014-1581.
  • Fixed bug 1069584: Bail if a cairo surface is in an invalid state.
  • Made sure to initialize surfaces for draw targets.
  • Fixed bug 1074280: Use AsContainerLayer() in order to avoid a bad cast.
  • Fixed several problems in the HTML parser (multiple vulnerabilities).
  • Improved security of XHR by filtering out types of requests that can potentially be abused.

New Features and Improvements:

  • New feature: multi-line flexbox support.
    Pale Moon now supports more advanced multi-line and multi-column flex elements. This will allow websites to use these elements for easier responsive design of web pages and ordering/layout of multiple elements. This should address layout issues on several recently-updated websites (e.g. the MSN home page).
  • New feature: added support for collapsed flex element items.
    Previously, flex elements that would be "collapsed" through CSS would be hidden, but still take up their flex space.
  • Enhanced feature: Content Security Policy (CSP)
    Pale Moon now fully supports the CSP 1.0 specification, allowing websites to set restrictions on content to prevent XSS (cross-site scripting) attacks. Previously, the implementation in Pale Moon was partial, and did not support a number of features, resulting in some websites not rendering properly because Pale Moon was being too strict in enforcing the policy. This should address issues on websites enforcing CSP (e.g. the Dropbox web interface and Facebook galleries).
  • New feature: added support for iframes with inline content.
    This added HTML5 feature makes it possible for web designers to specify the content of iframes in-line, instead of having to link to an external source. This allows for more dynamic use of iframe elements.
  • Updated the Firefox Compatibility mode version to 31.9.
    With the improvements in rendering, HTML5 support and overall feature set in this version, the Firefox Compatibility mode (as presented in the UserAgent string) has been bumped to prevent websites from complaining about "using a too old/unsupported version of Firefox" (e.g. Google websites) while offering those sites a Firefox Compatibility version that is in line with the "expected" feature set of the browser. You may still run into some websites that don't like Pale Moon's user agent and require a manual override as outlined in the FAQ.
  • Pale Moon no longer builds the so-called "media navigator" by default.
    This module provides access to the user's webcam and microphone. Although it can be used for other purposes, in practice this is only used for WebRTC and, in fact, its support (GetUserMedia) is often mistaken for actually supporting WebRTC in a browser (causing errors since Pale Moon does not support WebRTC). No longer including these features reduces input complexity and overhead for a feature not actively used. This also circumvents privacy concerns/confusion like CVE-2014-1586.
  • Improved tab handling on lightweight themes (personas) some more to enhance contrast on certain themes and to make the tab hover effect slightly more distinct.
Additional fixes are documented in the Release Notes.
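
The restrictions a site declares with CSP 1.0, as an added example (not Pale Moon's code and not part of the release notes): a small JavaScript evaluator that parses a policy header value, applies the default-src fallback, and checks resource URLs and inline scripts against it. The function names, the sample policy and the URLs are constructed for illustration, and the matcher handles CSP 1.0 source expressions in simplified form.

```javascript
// Added example (not Pale Moon's code): parse a CSP header value into Map(directive -> sources).
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP 1.0 ignores a repeated directive; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}
// Source list governing a fetch directive, falling back to default-src.
function sourcesFor(policy, directive) {
  return policy.has(directive) ? policy.get(directive) : policy.get('default-src');
}
// Match one source expression against a resource URL (CSP 1.0 has no paths).
function matchesSource(expr, url, doc) {
  if (expr === '*') return true;
  if (expr === "'self'") return url.origin === doc.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Without an explicit scheme, the protected document's scheme is required.
  if (url.protocol !== (scheme ? scheme.toLowerCase() + ':' : doc.protocol)) return false;
  const h = host.toLowerCase();
  if (wildcard ? !url.hostname.endsWith('.' + h) : url.hostname !== h) return false;
  if (port === undefined) return url.port === ''; // URL.port is '' on the default port
  return port === '*' || (url.port || { 'http:': '80', 'https:': '443' }[url.protocol]) === port;
}
// May the page at documentUrl load resourceUrl under this directive?
function allowsLoad(policy, directive, resourceUrl, documentUrl) {
  const sources = sourcesFor(policy, directive);
  if (sources === undefined) return true; // nothing restricts this resource type
  const url = new URL(resourceUrl), doc = new URL(documentUrl);
  return sources.some((expr) => matchesSource(expr, url, doc));
}
// Inline <script> runs only if the governing list contains 'unsafe-inline'.
function allowsInlineScript(policy) {
  const sources = sourcesFor(policy, 'script-src');
  return sources === undefined || sources.includes("'unsafe-inline'");
}

// Constructed sample: a policy header value and the document it protects.
const SAMPLE_POLICY = parsePolicy(
  "default-src 'self'; script-src 'self' https://*.cdn.example; object-src 'none'");
const SAMPLE_DOC = 'https://app.example/page';
```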

Minimum System Requirements (Windows):
  • Windows Vista/Windows 7/Windows 8/Server 2008 or later
  • A processor with SSE2 support
  • 256 MB of free RAM (512 MB or more recommended)
  • At least 150 MB of free (uncompressed) disk space
Pale Moon includes both 32- and 64-bit versions:


To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.
