I have to say that for a story like this, a picture truly does say 1,000 words. And in the case of companies like Avast that have historically offered a good free antivirus program, just know that there’s no such thing as free and that there is always a price to pay. In this case, your browsing is being spied on.
As the article’s summary states:
Avast is harvesting users’ browser histories on the pretext that the data has been ‘de-identified,’ thus protecting your privacy. But the data, which is being sold to third parties, can be linked back to people’s real identities, exposing every click and search they’ve made.
Check out the full article, written by Michael Kan, here for the whole scoop!
According to Microsoft’s security update guide, a spoofing vulnerability in the Crypt32.dll file can be used to control a machine at will.
As stated within the emergency bulletin:
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.
A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
The good news is that Microsoft has already released a patch to close the loophole, so make sure you take care of this ASAP!
At last, the time has come. Today marks the last day of free security updates for the legacy OS. For those of you who still plan on using it for the foreseeable future, it may be in your best interests to bite the bullet and spend the extra $50-60 for an additional year of coverage.
For more info on the extended security updates (ESUs), head to Microsoft’s site and check out their FAQ sheet here…