Pittsburgh Tech Guy

Microsoft on Monday issued an emergency fix for all supported versions of its Windows operating system, plugging a hole that essentially allowed hackers unfettered access to victims' computers.

The "critical" vulnerability, denoting Microsoft's highest level of threat, would have allowed hackers to take "complete control of the affected system," the company wrote in an online security bulletin posted Monday. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

The flaw affects all users of Windows Vista, Windows 7, Windows 8 and 8.1 and Windows RT, representing two out of every three of the 1.5 billion PCs running Windows around the world. Microsoft decided not to wait until its regularly scheduled monthly security update, known as "Patch Tuesday," to issue a fix. The company last issued an emergency patch like this in November 2014.

Microsoft said a hacker could attack unsuspecting Windows users by convincing them to open a specially crafted document or visit a compromised Web page because the vulnerability affected OpenType, a widely used format for computer fonts co-developed by Microsoft and Adobe.

Computer security researchers found the flaw by looking over a collection of emails leaked online after cyberattackers breached the systems of Italian surveillance firm Hacking Team earlier this month. Microsoft credited security company FireEye's Genwei Jiang and Mateusz Jurczyk, part of Google's Project Zero security squad, for finding the flaw and reporting it.

The emergency fix comes at a sensitive time for Microsoft, which is just a week away from releasing the next big overhaul of its operating system, called Windows 10. Microsoft has touted the software upgrade as more secure than past versions of Windows. That's thanks to new technology such as Device Guard, a software tool aimed at preventing the sort of attack today's patch aims to avert, and Windows Hello, a new biometric security system that lets users add face, iris or fingerprint recognition to their computer for an added layer of protection.

Despite that, the security flaw patched today was found in even the latest test version of Windows 10, widely considered to be the final iteration of the software that will go out to the public and to device manufacturers.

Windows 10 will be available as a free upgrade for all Windows 7 and Windows 8.1 users on Wednesday, July 29.

Microsoft says a majority of Windows users have automatic updating enabled and will not need to make any extra effort to protect their machines. People who have have automatic updating turned off should download the patch from Microsoft's security bulletin page.

The company says it has no evidence the flaw had been used to attack Windows, but confirmed such an attack could be exploited "consistently."

Most people said goodbye to Windows XP a long time ago. But if, for whatever reason, you're still running the out-of-date operating system, you really need to upgrade. Microsoft on Tuesday finally stopped providing antimalware signatures for Windows XP.

PCs running Windows XP have not been truly protected for more than a year. Microsoft on April 8, 2014 officially ended support for XP, meaning it stopped rolling out security updates for the aging OS. At that time, Redmond also stopped letting those on Windows XP download its Security Essentials tool, which guards against viruses, spyware, and other malicious software.

The software giant did, however, throw a bone to XP users who already had Microsoft Security Essentials installed, promising to keep it updated for a "limited time" to give people some more time to transition to a newer and fully supported OS. That time has now come and gone.

On Tuesday, Microsoft officially stopped providing updates to Microsoft Security Essentials for XP. Worse yet, XP users can no longer use Microsoft's Malicious Software Removal tool, so if your PC gets infected with malware — and it probably will — you're on your own.

For the tech-savvy, this is a non-issue. You've said goodbye to XP, which first launched in 2001, and embraced a more modern OS, like Windows 7 or Windows 8.

Microsoft has been pleading with customers to upgrade to a new OS for years, so you can't say you weren't warned about this. If you're still on XP, perhaps now is a good time to finally upgrade. Windows 10 arrives on July 29.

Mozilla announced on Monday that it has blocked all versions of the Adobe Flash plugin in Firefox, even the most recent version of the plugin, 18.0.0.203. Mozilla’s Mark Schmidt added via Twitter that the plugin will remain blocked until Adobe releases a version of Flash that’s not “actively exploited by publicly known vulnerabilities.”

The news arrives after several zero-day vulnerabilities in Flash Player were discovered last week. According to a report from FireEye Labs, several hacking groups were found using the first Flash vulnerability, CVE-2015-5119, in a large number of attacks. A second zero-day vulnerability was also discovered, CVE-2015-5122, in leaked data provided by Italian security company The HackingTeam.

“The vulnerability is triggered by freeing a TextLine object within the valueOf function of a custom class when setting the TextLine’s opaqueBackground,” FireEye said regarding CVE-2015-5122. “Once the TextLine object is freed, a Vector object is allocated in its place. Returning from valueOf will overwrite the length field of Vector object with a value of 106. (Initial length is 98).”

“Exploitation continues by finding the corrupted Vector object by its length, which will be greater than 100. This enables the object to change an adjacent Vector object’s length to 0x40000000,” the company added.

Once the exploit achieves this goal, it scans for Kernel32.dll in the machine’s memory to locate the ExportTable and drum up the VirtualProtect address. Once VirtualProtect marks the exploiter’s payload class as READ_WRITE_EXECUTE, the payload can be uploaded to the machine.

Alex Stamos, Facebook’s chief security officer, stated via Twitter on Sunday that it’s time to retire Adobe Flash. “Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once,” he said.

The call to end Flash has been around for years. The late Steve Jobs even wrote a long letter in 2010 regarding why Apple wouldn't allow Flash on its products.

“Flash was created during the PC era—for PCs and mice. Flash is a successful business for Adobe, and we can understand why they want to push it beyond PCs,” Jobs wrote at the time. “But the mobile era is about low-power devices, touch interfaces, and open web standards—all areas where Flash falls short.”

Internet giants like Facebook and YouTube are already working to move away from Adobe Flash and support video based on HTML5. Stamos pointed out on Twitter that “compatibility with all modern browsers needs work.” Most of the browsers we use now, including Microsoft's new Edge browser for Windows 10, support HTML5 video.

Hackers seemingly attack Flash vulnerabilities because Adobe’s platform is used on almost every website on the Internet. With HTML5 gaining momentum, Adobe may end up retiring the Flash platform in the near future after all. Is retirement overdue?

Helmed by 25-year-old Marcin Kleczynski, who founded the company in 2008 while still a college freshman, San Jose-based Malwarebytes has quickly emerged as one of the most popular purveyors of anti-malware solutions. Its flagship malware-fighting tool is available both as a free download limited to only on-demand scans and as a $25/year three-PC package offering real-time protection. Sounds like a fairly uncomplicated product strategy, right? Only until you consider the millions running so-called “cracked” copies of the software and the amnesty that the company is now offering these pirates.

Turns out the company is giving away free replacement keys to any Malwarebytes Anti-Malware Premium user whose existing key has been found to have a problem. The Malwarebytes Amnesty program’s FAQ page describes it as being aimed at those “inconvenienced by piracy or abuse.”

All such users need to do is to tell the company how they came to possess their existing key when confronted by a popup saying there’s an issue with their license key. Those who say they are unsure where they got it from or that they downloaded it from the Internet will get a 12-month license. As for those who say they purchased it, they will get a free lifetime license.

It’s no surprise, then, that some paying customers are feeling short-changed. This is what one such customer had to say on the Malwarebytes forum: “This is insane. MB [Malwarebytes], if you are handing out free lifetime licenses to pirates, then I would like my money back as well.”

And this is what Kleczynski said in response: “When I started Malwarebytes, I absolutely had no idea how successful we would be today. I am extremely grateful for all of the support from everyone and how fast we've grown. That being said, I picked a very insecure license key algorithm and as such, generating a pirated key was, and is, very simple.”

The problem is the algorithm that he chose as a callow youth has been used to churn out millions of keys, and Kleczynski says it has resulted in an absolute mess. With there being every possibility that pirated keys may clash with legitimate ones, the company is moving to an entirely new licensing regime.

“The first stage of this program is to collect data from our users. What keys are still alive, and who are they used by. If you are a true pirate, the furthest you will get is a year's worth of Malwarebytes. I wish we could handle each of the keys manually and determine if they are legitimate, but there are tens of millions of them and so we've automated the process a bit to cut them down. After that cut down, which is when a user selects an option, we will be going through the uses manually.”

By far, the most common way to get malware on your computer is by unintentionally installing it while installing another program.  Solution?  Simple, never select the recommended installation.   In almost all cases, the program you are installing will also install something else.  Most likely something you do not want or need and in the worse cases, a program that is essentially malware.  Some of the programs you will see is the Ask Toolbar or McAfee Security Scan.  There are many others, but those are the common ones.  One  way to avoid all the pain is to select a Custom Installation.  Sometimes it will be labeled advanced or something of the like.  Select this and you should see a list of everything that is to be installed.  They will all have a checkmark next to it.  You will typically see the program you actually want listed first and then others afterwards.  Simply uncheck all the programs that you do not want or recognize and proceed.  This is probably the simplest way to avoid installing unwanted programs.