Friday, December 10, 2010

More December Security Patches: QuickTime, Firefox, and a huge Patch Tuesday coming

The second week in December is starting with a bunch of patching.  So far this week, we have QuickTime, Firefox, and Thunderbird with security updates, and next Tuesday promises to be another record Patch Tuesday with patches for IE among other things.  (Updated Fri 10 Dec 2010  18:31 MST)

Apple QuickTime Patch Fixes 15 Flaws — Krebs on Security
Apple this week issued an update that plugs at least 15 security holes in its QuickTime media player.  The patch – which brings QuickTime to version 7.6.9 — quashes several critical bugs that could be exploited to install malicious software were a user to load a poisoned media file. Updates are available for both Mac and Windows versions of the program.


Mozilla Firefox 3.6.13, Thunderbird 3.1.7

The Mozilla Foundation has released Firefox 3.6.13 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, operate with elevated privileges, spoof the location bar, or operate with elevated privileges.

Update Fri 10 Dec 2010 18:31 MST:


MS Patch Tuesday heads-up: 17 bulletins, 40 vulnerabilities | ZDNet
The December batch of patches will cover security holes in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange, according to an advance notice posted Thursday.

Of the 17, Microsoft said two bulletins will be rated “critical,” the company’s highest severity rating.  Of the remainder, 14 will be rated “important.”


And for a final note, if you use CCleaner, you should update to version 3.01. It has lots of improvements. Get a portable version from the CCleaner - Builds page.

Piriform Blog - CCleaner v3.01
Change log:
  • Improved application startup time and INI loading speeds.
  • Removed need to reboot for Index.dat cleaning.
  • Improved cookie cleaning in Firefox 4.0 Beta 7.
  • Improved Chromium based browser detection and cleaning.
  • Added support for Adobe Reader 10 and Acronis True Image.
  • Improved cleaning for 7-Zip, Adobe Reader 9.0, Microsoft Silverlight Isolated Storage, WinPatrol and Microsoft Management Console.

Security Updates notes for November, 2010

It has been a busy month, and I have not been keeping up with timely posting here.  I will try to keep this a little more current from now on. 

We'll start with November's Patch Tuesday and go forward from there.  The final article linked below is definitely something anyone who uses open WiFi hotspots in Starbucks and other places should read.  Also, if you use Flash Player or Adobe Reader, both have had critical patches in the last month.  If your systems haven't been updated, you need to patch them NOW.  Foxit Reader has also had an update.  IE 6 and 7 have an unpatched flaw which is being exploited "in the wild", so avoid using IE if you possibly can.

November Patch Tuesday: Critical security holes in Microsoft Office | ZDNet
By Ryan Naraine | November 9, 2010, 10:43am PST
Microsoft has shipped a patch to fix several critical security holes affecting its Office productivity suite and warned that hackers can use RTF (Rich Text Format) e-mails to launch code execution attacks.

The MS10-087 bulletin, which is considered a high-priority update, patches a total of 5 documented vulnerabilities affecting all currently supported Microsoft Office products.

It is rated critical for Office 2007 and Office 2010 because of a preview pane vector in Microsoft Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF file, the company explained.
Mac OS X security flaw publicized after Apple fails to patch | ZDNet
By Ryan Naraine | November 10, 2010, 12:23pm PST
Penetration testing specialists Core Security has publicly released information on a serious security vulnerability in Apple’s Mac OS X and criticized the computer maker for delaying the release of a patch.

The vulnerability, which only affects Apple Mac OS X v10.5, could allow hackers to take complete control of a vulnerable machine via malicious PDF files.

In an advisory, Core Security said Apple claims it already has a patch prepared for this issue but failed to release the fix despite several promises.

Apple did not give any reasons for skipping the patch release.
Flash Update Plugs 18 Security Holes — Krebs on Security
[ASF: November 4th, 2010]
Adobe on Thursday released an update to its Flash Player software that fixes at least 18 security vulnerabilities, including one that is being exploited in targeted attacks.

Critical Updates for Adobe Reader, Acrobat — Krebs on Security
[ASF: November 16th, 2010]
Adobe on Tuesday issued a critical update to patch at least two security holes in its PDF Reader and Acrobat software, including one flaw that was publicly disclosed earlier this month.
In a related story: Adobe launches 'sandboxed' Reader X. I am not using Adobe Reader (any version) so I haven't tested it yet. Reviews of the "sandbox" are generally positive but the sandboxing is not complete so I expect it will help but not totally prevent attacks.
By Gregg Keizer, Computerworld - November 18, 2010 02:01 PM ET
Adobe today released Reader X, the next version of its popular software that includes a "sandbox" designed to protect users from PDF attacks.

Reader X on Windows features Protected Mode, a technology that isolates system processes, preventing or at least hindering malware from escaping the application to wreak havoc on the computer.

The new version is also available for Mac OS X and Android, but those editions lack the sandbox.

Apple patches critical 'drive-by' Safari bugs
By Gregg Keizer, Computerworld - November 18, 2010 02:01 PM ET
Apple today patched 27 vulnerabilities in Safari for Mac OS X and Windows, 85% of them critical bugs that could be exploited to hijack Macs or PCs.


Internet Explorer 0-day Malware Infects Amnesty International Hong Kong Website Visitors | CyberInsecure.com
Visitors to Amnesty International’s Hong Kong website are being bombarded with a host of lethal exploits, including one that attacks an unpatched vulnerability in Microsoft’s Internet Explorer browser, researchers at security firm Websense said.

The injected IE attack code resides directly on the pages of amnesty.org.hk, an indication that the perpetrators were able to penetrate deep into the website’s security defenses. The code exploits a vulnerability disclosed last week that gives attackers complete control over machines running default versions of IE 6 and 7. Version 8 isn’t vulnerable, thanks to security protections built into the browser.


Firesheep Exposes Need For Encryption -- InformationWeek
Using Facebook, Twitter, Yelp, Flickr, or other Web services on an open WiFi network could lead to account hijacking.

An open-source Firefox extension called Firesheep has shined a spotlight on just how insecure it is to use unprotected WiFi networks.

It's widely known that unprotected WiFi networks make sensitive data readily available for anyone with the technical skill necessary to find it ...

Firesheep, which allows anyone to scan unprotected WiFi networks for users who are logged into Facebook, Twitter, Google, Amazon, and a variety of other Web 2.0 services and to impersonate those users by hijacking their session cookie.

"On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy," wrote Firesheep creator Eric Butler in a blog post. "This is a widely known problem that has been talked about to death, yet very popular Web sites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the Web as HTTPS or SSL."
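
The exposure described in the Firesheep excerpt above can be checked from a site's own response headers: a session cookie is sniffable whenever it is set over plain HTTP, or set over HTTPS without the Secure attribute so that the browser also sends it on http:// requests. The following is an added example, not code from Firesheep or from any of the quoted articles; the function names, issue labels and header samples are constructed for illustration.

```python
"""Audit response headers for cookies that would cross an open network in cleartext."""

ISSUE_PLAINTEXT = "set-over-http"        # cookie issued on an unencrypted response
ISSUE_NO_SECURE = "missing-secure"       # HTTPS cookie that browsers will also send over HTTP
ISSUE_NO_HSTS = "no-hsts"                # HTTPS response without Strict-Transport-Security
ISSUE_HSTS_INEFFECTIVE = "hsts-ineffective"  # HSTS present but max-age missing or zero


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs); attribute names are lower-cased."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def hsts_max_age(header_value):
    """Return the max-age of a Strict-Transport-Security value, or None if absent or malformed."""
    for directive in header_value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_response(scheme, headers):
    """Return a list of (cookie_name_or_None, issue) findings for one response.

    scheme  -- "http" or "https", the scheme the response was served on
    headers -- list of (name, value) tuples, duplicates allowed (one per Set-Cookie)
    """
    findings = []
    hsts_value = None
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts_value = value
        elif lname == "set-cookie":
            cookie_name, _, attrs = parse_set_cookie(value)
            if scheme == "http":
                findings.append((cookie_name, ISSUE_PLAINTEXT))
            elif "secure" not in attrs:
                findings.append((cookie_name, ISSUE_NO_SECURE))
    # HSTS is only honoured on HTTPS responses, so only check it there.
    if scheme == "https":
        if hsts_value is None:
            findings.append((None, ISSUE_NO_HSTS))
        elif not hsts_max_age(hsts_value):
            findings.append((None, ISSUE_HSTS_INEFFECTIVE))
    return findings


# Constructed sample headers (not captured from any real site).
# Login handled over HTTPS, but the session cookie lacks Secure and HSTS is absent.
LOGIN_OVER_HTTPS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=xyz789; Path=/; Secure; HttpOnly"),
]
# Ordinary page served over plain HTTP that issues the session cookie.
PAGE_OVER_HTTP = [
    ("Set-Cookie", "session=abc123; Path=/"),
]
# Full-HTTPS deployment: Secure cookie plus a one-year HSTS policy.
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, scheme, headers in [
        ("login over https", "https", LOGIN_OVER_HTTPS),
        ("page over http", "http", PAGE_OVER_HTTP),
        ("hardened", "https", HARDENED),
    ]:
        print(label, audit_response(scheme, headers))
```
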


Thursday, November 4, 2010

Firefox, Thunderbird patched; Adobe Flash patch due today, other stuff

More patching: Firefox has been patched to plug a 0-day flaw that was being exploited "in the wild", and Mozilla Thunderbird has been patched to fix the same bug (which was not exploitable in TBird).  Adobe's Flash Player and Adobe Reader 9 both have a vulnerability that is also currently being exploited; Adobe is supposed to issue a patch for the Flash player today (November 4, 2010) but Reader won't be patched for another 11 days.  Adobe Reader 8 apparently doesn't have the vulnerability. 

Also, I have been lax about updating this blog, so I have included several older items that have been sitting in my outbox that will affect some of you.  Many vulnerabilities are being found these days in various unusual media players like the Real Player and the Shockwave Player, so if you don't need them I recommend uninstalling them rather than fighting to keep them updated.

Mozilla plugs Firefox drive-by-download zero-day | ZDNet
By Ryan Naraine | October 28, 2010, 10:54am PDT
Mozilla has quickly rushed out a Firefox security patch to provide cover for a zero-day flaw that was being exploited in drive-by malware downloads. ... The patch, rated “critical,” fixes a buffer overflow issue that was under attack at the Nobel Peace Prize web site. ... The vulnerability is fixed in Firefox 3.6.12, Firefox 3.5.15, Thunderbird 3.1.6, Thunderbird 3.0.10 and SeaMonkey 2.0.10.  According to malware hunters tracking the threat, Firefox users who surfed to the Nobel Peace Prize site were silently infected with Belmoo, a Windows Trojan that gives the attacker complete control of the machine.
Adobe under attack: New PDF, Flash zero-day | ZDNet
By Ryan Naraine | October 28, 2010, 12:11pm PDT
Adobe’s security response team is scrambling to respond to new zero-day attacks against a computer hijack vulnerability in two of its most widely deployed products: Flash Player and Adobe PDF Reader.

The flaw, which is currently being exploited in the wild with booby-trapped PDF documents, affects Windows, Mac, Linux and Solaris users. The zero-day attacks are currently targeting Windows users.
Koobface Worm Targets Java on Mac OS X — Krebs on Security
A new version of the infamous Koobface worm designed to attack Mac OS X computers is spreading through Facebook and other social networking sites, security experts warn.

Security software maker Intego says this Mac OS X version of the Koobface worm is being served as part of a multi-platform attack that uses a malicious Java applet to attack users. According to Intego, the applet includes a prompt to install the malicious software:
'Highly critical' flaws hit RealPlayer | ZDNet
By Ryan Naraine | October 18, 2010, 10:54am PDT
Multiple “highly critical” security holes in RealNetworks’ RealPlayer software could expose millions of computer users to remote code execution attacks.

According to an advisory from Secunia, these flaws can be exploited by malicious people to compromise a user’s system.

This RealNetworks security notice details seven different vulnerabilities affecting Windows RealPlayer SP 1.1.4 and RealPlayer Enterprise 2.1.2.

RealPlayer users are strongly encouraged to apply the available security patches.
Adobe Shockwave Player "Shockwave Settings" Use-After-Free Vulnerability

Juha-Matti reports that an odd Shockwave vulnerability has been identified (http://secunia.com/advisories/42112/.) I call it "odd" because it's not the typical "download crafted flash file and it executes code." The victim has to open the Shockwave settings window while having the malicious website open. It's a new hurdle, but I'm not sure that it's insurmountable.

Zero Day readers, why aren't you patching Flash Player? | ZDNet
Adobe’s plan to rush out a fix for the latest Flash Player zero-day vulnerability got me thinking about patch adoption rates among ZDNet Zero Day readers.

According to our statistics counter, the majority of you (security-savvy readers?) are very tardy in applying Flash Player updates.

New 0-day flaw in IE 6, 7, and 8 not likely to be fixed

This hit the blogs and tech news sites yesterday.  In one of Microsoft's write-ups, they point out that running as a "Limited User" (an account that doesn't have administrator privileges) is one way to avoid this exploit.  Firefox and Chrome are also not subject to this problem.  The Symantec article has the best technical details.

Vulnerability in Internet Explorer Could Allow Remote Code Execution (CVE-2010-3962)

Microsoft has announced a vulnerability in all currently-supported versions of Internet Explorer (6 through 8) that could allow the execution of arbitrary code (advisory 2458511- http://blogs.technet.com/b/msrc/archive/2010/11/02/microsoft-releases-security-advisory-2458511.aspx.) This would likely be leveraged in a drive-by-exploit scenario. They state that DEP (Data Execution Prevention) and Protected Mode are mitigating factors.

Microsoft Warns of Attacks on Zero-Day IE Bug — Krebs on Security
Microsoft Corp. today warned Internet Explorer users that attackers are exploiting a previously unknown security hole in the browser to install malicious software. The company is urging users who haven’t already done so to upgrade to IE8, which includes technology that makes the vulnerability more difficult to exploit.
Microsoft warns of new IE zero-day attacks | ZDNet
Microsoft has raised an alarm for a new round of targeted malware attacks against a zero-day vulnerability in its dominant Internet Explorer browser.

The vulnerability affects all supported versions of Internet Explorer and can be exploited to launch remote code execution (drive by download) attacks, Microsoft said in an advisory.
Microsoft Security Advisory (2458511): Vulnerability in Internet Explorer Could Allow Remote Code Execution
Microsoft is investigating new, public reports of a vulnerability in all supported versions of Internet Explorer. The main impact of the vulnerability is remote code execution. This advisory contains workarounds and mitigations for this issue.

The vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

At this time, we are aware of targeted attacks attempting to use this vulnerability. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
Microsoft Releases Security Advisory 2458511 - The Microsoft Security Response Center (MSRC) - Site Home - TechNet Blogs
Today we released Security Advisory 2458511 to address a new vulnerability that could impact Internet Explorer users if they visit a website hosting malicious code. As of now, the impact of this vulnerability is extremely limited and we are not aware of any affected customers. The exploit code was discovered on a single website which is no longer hosting the malicious code. ... The Security Advisory also details a workaround that customers can apply that will protect all affected versions of IE from this issue. We are working to put a Microsoft Fix it in place for easy implementation of the workaround. Our Security Research & Defense team has also provided a detailed write up on how the workaround protects against the vulnerability.
New IE Zero-Day used in Targeted Attacks | Symantec Connect
One such case started a few days ago when we received information about a possible exploitation using older versions of Internet Explorer as targets. Hackers had sent emails to a select group of individuals within targeted organizations. Within the email, the perpetrators added a link to a specific page hosted on an otherwise legitimate website. The hackers had gotten access to the website account and uploaded content without the owners knowing. Here is what the email looked like:

Thursday, October 21, 2010

Firefox, Thunderbird, Chrome, and Real Player patches released

Time for another round of patching, boys and girls.  Mozilla has patched both Firefox and Thunderbird, and Chrome has some more updates (although Chrome automatically updates itself silently).  If you have the Real Player installed, it, too, needs patching.

SANS: Firefox 3.6.11 and 3.5.14 released Thunderbird 3.1.4 and 3.0.9 released
Firefox 3.6.11 and 3.5.14 released, includes security updates (http://www.mozilla.com/firefox/3.6.11/releasenotes/)
Thunderbird 3.1.4 and 3.0.9 released, includes security patches (http://www.mozillamessaging.com/thunderbird/3.1.5/releasenotes/)
Mozilla releases Firefox 3.6.11 to address 12 flaws - SC Magazine US
Mozilla on Tuesday released an updated version of its Firefox web browser to shore up a dozen vulnerabilities.

Firefox 3.6.11 fixes eight “critical” flaws that could result in a remote attacker installing malicious software on victim machines.
Mozilla Releases Firefox 3.6.11: US-CERT Current Activity
added October 20, 2010 at 08:57 am
The Mozilla Foundation has released Firefox 3.6.11 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, or cause a denial-of-service condition. The Mozilla Foundation has also released Firefox 3.5.14 to address these same vulnerabilities. Some of these vulnerabilities also affect Thunderbird and SeaMonkey and are addressed in Thunderbird 3.1.5 and 3.0.9 and SeaMonkey 2.0.9.

US-CERT encourages users and administrators to review the Mozilla Foundation Security Advisories released on October 19, 2010 and apply any necessary updates to help mitigate the risks.

Firefox dirty dozen: Mozilla patches 'critical' browser flaws | ZDNet
Mozilla has released Firefox 3.6.11 with patches for a dozen security holes, some serious enough to launch attacks if a user simply surfs to a booby-trapped website.

In all, the open-source released nine bulletins documenting 12 security vulnerabilities. Five of the bulletins are rated “critical,” meaning that those vulnerabilities can be exploited to run attacker code and install software, requiring no user interaction beyond normal browsing.

RealNetworks Releases Security Update for RealPlayer Vulnerabilities: US-CERT Current Activity
added October 18, 2010 at 08:08 am
RealNetworks has issued a Security Update to address multiple vulnerabilities affecting RealPlayer. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the RealNetworks security advisory and apply any necessary updates to help mitigate the risks.

Critical RealPlayer Update — Krebs on Security

Real Networks Inc. has released a new version of RealPlayer that fixes at least seven critical vulnerabilities that could be used to compromise host systems remotely if left unpatched.

I’ve never hidden my distaste for this program, mainly due to its history of unnecessarily tracking users, installing oodles of third party software, and serving obnoxious pop-ups. But I realize that many people keep this software installed because a handful of sites still only offer streaming in the RealPlayer format. If you or someone you look after has this program installed, please update it.


Google Releases Chrome 7.0.517.41: US-CERT Current Activity
added October 20, 2010 at 11:47 am
Google has released Chrome 7.0.517.41 for Linux, Mac, and Windows to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, conduct URL spoofing, or bypass security restrictions.

US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and apply any necessary updates to help mitigate the risks.
Google plugs 'high risk' Chrome browser holes | ZDNet

By Ryan Naraine | October 20, 2010, 1:11pm PDT

Google has shipped another Chrome browser update to fix multiple security vulnerabilities.

Some of these security holes can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user’s system, according to this Secunia advisory.  Secunia rates this a “highly critical” update.

Tuesday, October 12, 2010

More discussion of today's patches

It's looking like there really are some PATCH NOW! patches in today's set of fixes for Microsoft Windows.  Also, Oracle released a major patch for the Java Runtime Engine (JRE), taking it to 6u22.  If you have Java installed, you should patch that as well.  Get your Java patch here: Java Downloads for All Operating Systems.  Here are links to two stories with "user-friendly" discussions of why you need to patch:

Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser | ZDNet
Microsoft dropped its largest ever batch of security patches today to cover a record 49 security vulnerabilities, including several browser flaws that could expose Internet Explorer users to drive-by malware downloads.

The Internet Explorer bulletin (MS10-071) fixes a total of 12 vulnerabilities and because of the risk of zero-click drive-by download attacks, Microsoft is urging Windows users to apply this patch immediately.

Windows users should also pay special attention to MS10-076, which covers a serious flaw in the way the operating system handles embedded OpenType (EOT) fonts. This update is rated “critical” for all versions of Windows (including Windows 7 and Windows Server 2008) and can be exploited to launch remote code execution attacks if a computer user simply surfs to a booby trapped Web site.
Microsoft Plugs a Record 49 Security Holes — Krebs on Security
Microsoft today issued 16 update bundles to fix a record-breaking 49 separate security vulnerabilities in computers powered by its Windows operating systems and other software.

“Microsoft has broken several of its own Patch Tuesday records this year, but this month far surpasses them all,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “Perhaps most notable this month is the number of vulnerabilities that facilitate remote code execution. By our count, 35 of the issues fall into this category. These are bugs that could allow an attacker to run any command they wish on vulnerable machines.”

McAfee notes that today’s release exceeds the previous record of 34 vulnerabilities fixed in one go, which was first set in October 2009, and again in June and August of this year.

... Update, 3:58 p.m. ET: Several readers have pointed out that Microsoft took the momentous step today of adding detection for the infamous ZeuS Trojan to its Malicious Software Removal Tool. The MSRT is offered alongside Windows updates and if approved will scan host computers once a month for a variety of the most prevalent threats. It will be interesting to chart the impact of this welcome move by Microsoft.
Java Update Clobbers 29 Security Flaws — Krebs on Security
Oracle today released a critical update to its widely-installed Java software, fixing at least 29 security vulnerabilities in the program.

... Be aware that Java’s updater may by default also include free “extras” that you may not want, such as the Yahoo! Toolbar or whatever other moneymaker they decide to bundle with their software this time around, so be sure to de-select that check box during installation if you don’t want the add-ons.

Biggest PATCH TUESDAY ever -- some rated PATCH NOW

Today was Microsoft's biggest Patch Tuesday in a long time, possibly ever.  SANS (first link below) rates several of these PATCH NOW!, their highest rating.  Anyone who runs as administrator on XP should probably patch ASAP.  I'm patching my work systems and home systems now and will report if I have any problems over the next day or so.

SANS: October 2010 Microsoft Black Tuesday Summary

Microsoft blog about it: Assessing the risk of the October security updates - Security Research & Defense - Site Home - TechNet Blogs

Tuesday, October 5, 2010

Reader, Acrobat Patches Plug 23 Security Holes

Finally the active 0-day exploit is being patched.  Brian Krebs has the most consumer-friendly write-up on it.

Reader, Acrobat Patches Plug 23 Security Holes — Krebs on Security
A new security update from Adobe plugs at least 23 security holes in its PDF Reader and Acrobat software, including two vulnerabilities that attackers are actively exploiting to break into computers.

Adobe is urging Reader and Acrobat users of versions 9.3.4 and earlier for Windows, Mac and UNIX systems to upgrade to version 9.4 (Adobe says those who can’t upgrade to the 9.x version should instead apply the version 8.2.5 update).

Adobe says one of the 23 flaws fixed by this new version is being actively exploited. A second zero-day flaw corrected by today’s update — a critical vulnerability in Adobe Flash player that the company fixed in a separate update last month for the stand-alone Flash player — also exists in Adobe Acrobat and Reader, although Adobe says it is not aware of any attacks exploiting this flaw in those products yet.
...
If you use Adobe Reader or Acrobat, please take a moment to update this software. The current version of Reader is available here, and other products and versions are available from this page.

Adobe ships another mega-patch for PDF Reader | ZDNet
Adobe has slapped another band-aid on its heavily targeted PDF Reader/Acrobat product line, warning that hackers are already exploiting some of these vulnerabilities to launch malware attacks.

Adobe updates: http://www.adobe.com/support/security/bulletins/apsb10-21.html

Friday, October 1, 2010

XP Users should stop using IE **ASAP**

If you are still running Windows XP, it's really time to stop using Internet Explorer (except for Windows Update) and switch to Firefox or Google Chrome.  There is an active zero-day attack that Microsoft has acknowledged in a Security Advisory that affects all XP+IE users without warning when they click a malicious link. People whose firewall blocks Windows file sharing at the network perimeter are less vulnerable to this attack. Home users who want to continue using IE and who have some technical expertise should consider using the Microsoft FixIt linked to from the Security Advisory. However, using the FixIt requires installing a separate patch first, and business users should be aware that the FixIt may adversely affect applications running on their work networks.

IE, Windows XP Users Vulnerable To DLL Hijacking -- InformationWeek
Clicking a link to a remote shared folder on a web page will open this share in Windows Explorer without a warning for 67% of all Internet Explorer users on Windows XP, according to Acros Security.




Internet Explorer and Windows XP users are at high risk from attacks that use DLL hijacking -- aka binary planting -- techniques to remotely exploit PCs, according to studies conducted by Slovenian security company Acros Security. Furthermore, many such attacks, which have already been seen in the wild, will succeed without users even being aware of what's happening.
...

As part of those tests, it found that clicking on a remote shared folder link when using IE and Windows XP -- which about 67% of all Windows users are still on -- would open the remote shared folder without warning, enabling the attack. The same was true for clicking on any remote shared folder link that arrived via email to an Outlook, Windows Mail and Windows Live Mail client.

Interestingly, however, unlike IE, "We found no way to launch Windows Explorer via a hyperlink from Firefox, Chrome or Opera, while Safari does open a remote shared folder when the web page containing the link comes from a local drive" -- for example, if attackers email an HTML file, said Kolsek.


Tuesday, September 21, 2010

Adobe patches Flash Player zero-day

The US-CERT article and the ZDNet article linked below both have more information.  I have patched my systems without problems.  If you watch online videos or don't have an adblocker, you should update ASAP as the vulnerability this fixes is being exploited as I type.

Adobe released Flash Player 10.1.85.3. Download it at http://www.adobe.com/support/flashplayer/downloads.html
Adobe patches Flash Player zero-day | ZDNet

By Ryan Naraine | September 20, 2010, 10:29pm PDT

Adobe has shipped another Flash Player update to fix a critical vulnerability that was being exploited in live malware attacks.

The flaw, which surfaced last week as a zero-day attack against Windows systems, allows remote code execution via rigged Flash files.

According to Adobe, the vulnerability affects Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux and Solaris.   It also affects Flash Player 10.1.92.10 for Android.

The security hole also allows code execution on Adobe Reader but that product will not be patched until the week of October 4, 2010.

US-CERT Current Activity: Adobe Releases Security Advisory for Flash Player
added September 14, 2010 at 10:35 am | updated September 20, 2010 at 03:15 pm
Adobe has released a security advisory to alert users of a vulnerability affecting Adobe Flash Player. This vulnerability affects Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

Update:

Adobe has released a security update to address this vulnerability. Users and administrators are encouraged to review Adobe security bulletin APSB10-22 and apply any necessary updates to help mitigate the risks.

Thursday, September 16, 2010

Patch Tuesday recap, QuickTime 7.6.8, Firefox 3.6.10

I have already patched all my computers without issue.  These stories all have more technical details and links for those who want to know more.

Patch Tuesday recap: Exploits expected for Windows security holes | ZDNet
Microsoft has shipped nine security bulletins with patches for at least 11 documented vulnerabilities in Windows and Microsoft Office and is urging customers to pay special attention to two “critical” issues that can be remotely exploited to take complete control of an unpatched computer.

The two vulnerabilities, patched with MS10-061 and MS10-062, can be remotely attacked via booby-trapped print requests or maliciously rigged MPEG files.

Microsoft expects to see exploit code posted publicly for these vulnerabilities within the next 30 days, raising the likelihood that attacks will be seen in the wild very soon.

One of the flaws — in the Windows Print Spooler Service — has already been exploited during the sophisticated Stuxnet zero-day worm attack.


Apple patches zero-day QuickTime flaw with 7.6.8 release - SC Magazine US
Apple on Wednesday released a new version of QuickTime to plug two vulnerabilities, including a zero-day flaw that is being actively exploited simply by tricking a victim into visiting a web page.

Version 7.6.8 closes the flaw, publicly revealed in late August by Spanish researcher Ruben Santamarta and affecting versions 6 and 7 of QuickTime. Santamarta, who works for Madrid-based security firm Wintercore, said the flaw is able to bypass two built-in Windows security features: Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). He successfully tested the exploit on Windows 7, Vista and XP machines.


US-CERT Current Activity: Apple Releases QuickTime 7.6.8
added September 16, 2010 at 12:00 am | updated September 16, 2010 at 09:09 am
Apple has released QuickTime 7.6.8 to address two vulnerabilities affecting earlier versions of QuickTime for Windows.

The first vulnerability is due to improper input validation in the QuickTime ActiveX control. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.

The second vulnerability is due to a path searching issue related to insecure loading of dynamic link libraries (DLLs). Exploitation of this vulnerability may allow an attacker to execute arbitrary code. Additional information regarding this class of vulnerabilities can be found in the US-CERT Current Activity entry titled "Insecure Loading of Dynamic Link Libraries in Windows Applications" and in the US-CERT Vulnerability Note VU#707943.

US-CERT encourages users and administrators to review Apple article HT4339 and apply any necessary updates to help mitigate the risks.

Apple QuickTime flaws puts Windows users at risk | ZDNet
Apple has released a critical QuickTime media player update to fix a pair of gaping security holes that expose Windows users to code execution attacks.

The QuickTime 7.6.8 update, available for Windows 7, Windows Vista and Windows XP users, patches vulnerabilities that could be exploited in drive-by downloads (via rigged Web sites) and via booby-trapped image files.

US-CERT Current Activity: Mozilla Releases Firefox 3.5.13 and 3.6.10
added September 16, 2010 at 09:09 am
The Mozilla Foundation has released Firefox 3.5.13 and 3.6.10 to address a stability issue affecting some users.

US-CERT encourages users and administrators to review the release notes for Firefox 3.5.13 and Firefox 3.6.10 and apply any necessary updates to mitigate the issue.

Wednesday, September 15, 2010

It's Patch Tuesday! Security Links of the Week

I am going to start accumulating links for weekly posts.  Here's the first set:

  • "Patch Tuesday" includes two CRITICAL patches rated "PATCH NOW" by SANS
    SANS issued the unusual "PATCH NOW" recommendation for two of this month's "Patch Tuesday" patches.  One is rated "Critical" for Windows XP by Microsoft, and the other affects IIS (Microsoft's web-server software).  If you are running XP on a Windows network with "Administrator" rights, you should run Windows Update ASAP. See the SANS page here: September 2010 Microsoft Black Tuesday Summary

  • Microsoft Patch Tuesday – September 2010 | eEye IT Security Blog
    Well, our friends in Redmond have been busy these past few months. Not only did they release 15 security bulletins in August, but they followed up with an additional 9 bulletins this month.

    From this month’s bulletins, administrators should pay particular notice to MS10-061, MS10-063 and MS10-068.  Note that MS10-061 is being used in the wild as part of a variant of the Stuxnet worm currently targeting SCADA devices.  Take a look at this nifty flowchart to help understand configurations that are remotely vulnerable to MS10-061.

  • US-CERT Current Activity: Microsoft Releases September Security Bulletin
    added September 14, 2010 at 01:53 pm
    Microsoft has released updates to address vulnerabilities in Microsoft Windows and Office as part of the Microsoft Security Bulletin Summary for September 2010. These vulnerabilities may allow an attacker to execute arbitrary code or operate with elevated privileges.

    US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.

  • McAfee Security Insights Blog » Blog Archive » The Usibility of Passwords
    I just came across a must read for everyone. (Cyber Son #1 came across this great article, BTW) It is called The Usability of Passwords. What I like is that it very thoroughly breaks down what people generally use for passwords, all of the ways in which passwords are stolen and then what the usual suggestions for a “safe” password might be.

  • CloudUSB - CloudUSB Computer
    Keep your data and your programs in your pocket; use them on every computer you find without worrying about letting around some unwanted logs and this without giving away your data security or privacy!

  • Adobe - Security Advisories: APSA10-02 - Security Advisory for Adobe Reader and Acrobat
    A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

    Adobe is in the process of evaluating the schedule for an update to resolve this vulnerability.

  • US-CERT Current Activity: Google Releases Chrome 6.0.472.59
    added September 15, 2010 at 08:18 am
    Google has released Chrome 6.0.472.59 for Linux, Mac, and Windows to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code.  US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and apply any necessary updates to help mitigate the risks.

Tuesday, September 14, 2010

Yet Again Another Adobe Vulnerability. Sigh.

I'm seeing reports of this everywhere.  Adobe Flash Player and Adobe Reader 9.3.4 and earlier versions are both subject to 0-day exploits which are "in the wild".  Supposedly the Flash flaw will be fixed in two weeks, the Adobe Reader flaw in four weeks.  That's a long time to go with active exploits.  No word on whether or not this affects other PDF readers.

Adobe Flash v10.1.82.76 and earlier vulnerability in-the-wild
Adobe has released an advisory for Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android, as well as Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. CVE-2010-2884 has been assigned to the issue, which has an impact of crashing Flash or arbitrary code execution on some affected platforms. There is currently no patch; Adobe has indicated that it should be released in late September and/or early October. There are indications that this previously unknown vulnerability is currently being exploited in the wild by malicious web sites attacking browsers. YYAAAV Yes, Yet Again Another Adobe Vulnerability. Sigh.

Keep an eye out for this one folks. It will take a bit for the anti-virus, IDS/IPS and other vendors to catch up and detect the malware that exploits the vulnerability. Although by that point the box affected may well be compromised as most detect after the exploit has already taken place. Since the vendor has released the advisory after being notified that exploits are already occurring against Windows boxes it is recommended to explore workarounds for mitigation, detection of already compromised hosts, and cleanup.

Adobe PSIRT blog: http://blogs.adobe.com/psirt/2010/09/security-advisory-for-adobe-flash-player-apsa10-03.html

Adobe advisory: http://www.adobe.com/support/security/advisories/apsa10-03.html


Adobe Warns of Attacks on New Flash Flaw — Krebs on Security
Adobe Systems Inc. warned Monday that attackers are exploiting a previously unknown security hole in its Flash Player, multimedia software that is installed on most computers.

Adobe said a critical vulnerability exists in Adobe Flash Player versions 10.1.82.76 and earlier, for Windows, Mac, Linux, Solaris, UNIX and Android operating systems. In a security advisory, Adobe warned that the flaw could cause Flash to crash and potentially allow an attacker to seize complete control over an affected system.

Worse still, there are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player. Adobe’s advisory states that while the latest versions of Adobe Acrobat and Reader also contain the vulnerable Flash components, the company is not aware of attacks against the Flash flaw in those programs.


Adobe Flash Player zero-day under attack | ZDNet
The zero-day hacker attacks against Adobe’s software products are coming fast and furious.

Less than a week after the discovery of a sophisticated malware attack against an unpatched security hole in Adobe Reader/Acrobat, the company has issued a new warning for in-the-wild attacks against a zero-day flaw in its ubiquitous Flash Player.

Adobe says the vulnerability affects Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Android.

It also affects Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX; and Adobe Acrobat 9.3.4 and earlier versions for Windows and Mac.

US-CERT Current Activity: Adobe Releases Security Advisory for Vulnerability in Reader and Acrobat
added September 13, 2010 at 08:30 am
Adobe has released a security advisory to address a vulnerability in Adobe Reader and Acrobat. Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition. The advisory indicates that this vulnerability is being actively exploited.

US-CERT encourages users and administrators to review Adobe security advisory APSA10-02 and consider implementing the suggested workaround of utilizing Microsoft's Enhanced Mitigation Toolkit (EMET) to help prevent this vulnerability from being exploited. Additional information on EMET can be found on the Microsoft Security Research and Defense blog.

US-CERT will provide additional information as it becomes available.

Thursday, September 9, 2010

Quicktime 0-day drive-by exploit "in the wild"

Unless you absolutely have to have QuickTime (iTunes requires it), you're better off without it.  The VLC media player will play QuickTime media so you don't really need it.

Active exploits targeting Apple QuickTime 0-day - SC Magazine US
Attackers are now actively exploiting a recently published zero-day vulnerability in Apple QuickTime, security firm Websense disclosed Tuesday.

The flaw, details of which were revealed last week by Spanish researcher Ruben Santamarta, affects versions 6 and 7 of QuickTime and can be exploited simply by tricking a victim into visiting a malicious web page.

Santamarta, who works for Madrid-based security firm Wintercore, said in his post that the flaw is able to bypass two built-in Windows security features: Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). He successfully tested the exploit on Windows 7, Vista and XP machines.

... A Websense spokesman told SCMagazineUS.com later Wednesday that exploits taking advantage of the flaw are not currently widespread but "definitely present."

An Apple spokesperson did not respond Wednesday to a request for comment.

More SysAdmin fun: patch Safari, Chrome, Firefox, Opera, and Thunderbird

If you use Safari, you should patch, although Windows users who don't use Safari but have had it installed by Apple without knowing they did should just uninstall it. Google has patched Chrome, Opera has been patched, and Mozilla has patched Firefox and Thunderbird to fix the Windows DLL-loading issue that has been made public recently. It's going to be a busy week for sysadmins ...

Apple plugs drive-by download flaws in Safari browser | ZDNet
Apple has shipped Safari 5.0.2 and Safari 4.1.2 with patches for three gaping holes that expose Web surfers to drive-by download attacks.

The browse-and-you’re-hacked vulnerabilities affect both Windows and Mac users, Apple warned in an advisory. One of the three vulnerabilities is the DLL load hijacking issue that haunts hundreds of Windows applications.

Two of the three vulnerabilities affect WebKit, the open-source rendering engine that powers Apple’s Safari and iTunes software products.

US-CERT Current Activity: Apple Releases Safari 5.0.2 and 4.1.2

added September 8, 2010 at 08:34 am
Apple has released Safari 5.0.2 and 4.1.2 to address multiple vulnerabilities in the Safari and WebKit packages. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Apple article HT4333 and apply any necessary updates to help mitigate the risks.


Mozilla Firefox 3.6.9 Release Notes
What’s New in Firefox 3.6.9
Firefox 3.6.9 fixes the following issues found in previous versions of Firefox 3.6:
  • Introduced support for the X-FRAME-OPTIONS HTTP response header. Site owners can use this to mitigate clickjacking attacks by ensuring that their content is not embedded into other sites.
  • Fixed several security issues.
  • Fixed several stability issues.
Please see the complete list of changes  in this version. You may also be interested in the Firefox 3.6.8 release notes for a list of changes in the previous version.


US-CERT Current Activity: Mozilla Releases Firefox 3.6.9
added September 8, 2010 at 08:34 am
The Mozilla Foundation has released Firefox 3.6.9 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, leverage cross-site scripting attacks, or cause a denial-of-service condition. The Mozilla Foundation has also released Firefox 3.5.12 to address these same vulnerabilities. Some of these vulnerabilities also affect Thunderbird and SeaMonkey.

US-CERT encourages users and administrators to review the Mozilla Foundation Security Advisories released on September 7, 2010 and apply any necessary updates to help mitigate the risks.

Mozilla patches DLL load hijacking vulnerability | ZDNet
Mozilla has joined Apple in being among the first to fix the DLL load hijacking attack vector that continues to haunt hundreds of Windows applications. The open-source group released Firefox 3.6.9 with patches for a total of 15 vulnerabilities (11 rated critical), including the publicly known DLL load hijacking flaw that exposes Windows users to remote code execution attacks.

The majority of the 15 vulnerabilities in this Firefox patch batch could be exploited to launch drive-by download attacks from booby-trapped Web sites.

According to Firefox, the DLL load hijacking issue only affects Windows XP users:

Mozilla fixes Firefox's DLL load hijacking bug

By Gregg Keizer, Computerworld
September 08, 2010 07:30 AM ET
Mozilla on Tuesday patched 15 vulnerabilities in Firefox, 11 of them labeled critical.

One of yesterday's patches addressed a problem found in scores of Windows applications, making Firefox one of the first browsers to be patched against the DLL load hijacking bug that went public three weeks ago.

Nearly three-quarters of the vulnerabilities in Firefox 3.6 were rated "critical," Mozilla's highest threat ranking, representing bugs that hackers may be able to use to compromise a system running Firefox, then plant other malware on the machine.


SANS: Mozilla Thunderbird updated to version 3.1.3
Release Notes

iTunes and Chrome both patched

More fun for system administrators: patch your iTunes and Chrome installations.

Apple patches 13 iTunes security holes | ZDNet
By Ryan Naraine | September 2, 2010, 8:38am PDT

Apple has shipped a new version of its iTunes media player to fix 13 security flaws that could be exploited to launch attacks against Windows machines.

The patches in the new iTunes 10 cover vulnerabilities in WebKit, the open-source web browser engine. The WebKit vulnerabilities, already patched in Safari, expose Windows users to remote code execution attacks via maliciously crafted Web sites.

The iTunes 10 update is available for Windows 7, Windows Vista and Windows XP SP2 or later.


Google Chrome celebrates 2nd birthday with security patches | ZDNet
By Ryan Naraine | September 2, 2010, 10:22am PDT
Google’s Chrome browser is two years old today and the company celebrated the milestone with a new version chock-filled with feature enhancements and security fixes.

The Google Chrome 6.0, available in stable and beta channels for Windows, Mac, and Linux, patches a total of 15 documented security vulnerabilities.

As part of its policy of paying researchers for details on serious security problems, Google shelled out more than $4,300 in bounties.

Here’s the skinny on the latest batch of Google Chrome patches: ....


Note: Originally posted Sept 2nd to a different blog in error

Adobe Reader 0-day PDF exploit in the wild

I've seen multiple reports of this, all referring to Adobe Reader 9.3.4 and Adobe Reader 8.2.4 (the latest versions).   I've seen no mention of whether or not this affects Foxit Reader or other PDF readers.  FWIW on my home machine, where I do most of my "surfing", I use Foxit Reader as my default PDF reader and SumatraPDF when opening PDFs directly from web links.

Computer Security Research - McAfee Labs Blog
Just after Adobe released their Out of Band patch for CVE-2010-2862, we discovered a malware exploiting a new 0-day vulnerability in the wild. Similar to the iOS PDF jailbreak vulnerability and CVE-2010-2862, this 0-day vulnerability also occurs while Adobe Reader is parsing TrueType Fonts. We’ve analyzed and confirmed that the vulnerability affects the latest Adobe Reader (v9.3.4).

New Adobe PDF zero-day under attack | ZDNet

By Ryan Naraine | September 8, 2010, 10:28am PDT

Adobe today sounded an alarm for a new zero-day flaw in its PDF Reader/Acrobat software, warning that hackers are actively exploiting the vulnerability in-the-wild.

Details on the vulnerability are not yet public but the sudden warning from Adobe is a sure sign that rigged PDF documents are being used by malicious hackers to take complete control of machines with the latest versions of Adobe Reader/Acrobat installed.

Here’s Adobe’s warning:

A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

Adobe is in the process of evaluating the schedule for an update to resolve this vulnerability.

Adobe Acrobat/Reader 0-day in Wild, Adobe Issues Advisory
We just received word that there is a report of a 0-day exploit for Adobe Acrobat/Reader being exploited in the wild. Secunia has a brief write up and here is the link to the original advisory.  The exploit was discovered in a phishing attempt with the subject of "David Leadbetter's One Point Lesson".  Adobe has issued an advisory and references CVE-2010-2883 (which just shows as reserved at this point with no details).  It does affect the latest version of Acrobat/Reader and Adobe is investigating a patch. More to come on that.

The exploit in the wild I'm aware of causes a crash in Acrobat/Reader and then tries to open a decoy file. So the good news is that, as of right now, it's a "loud exploit". Early VirusTotal scans also had partial coverage under various forms of "Suspicious PDF" categories. At this point, standard precautions apply (don't open PDFs from strangers) and this can probably only really be used in a phishing style scenario. Will update this diary as needed with developments.

Attackers Exploiting New Acrobat/Reader Flaw — Krebs on Security
Adobe warned today that hackers appear to be exploiting a previously unknown security hole in its PDF Reader and Acrobat programs.

In an advisory published Wednesday, Adobe said a critical vulnerability exists in Acrobat and Reader versions 9.3.4 and earlier, and that there are reports that this critical vulnerability is being actively exploited in the wild. The company says it's in the process of evaluating the schedule for an update to plug the security hole.

Meanwhile, an evil PDF file going around that leverages the new exploit currently is detected only by about 25 percent of the anti-virus programs out there (the Virustotal scan results from today are here, and yes it’s a safe PDF).

Adobe’s advisory doesn’t discuss possible mitigating factors, although turning off Javascript in Reader is always a good first step. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript and un-check Enable Acrobat JavaScript).


Wednesday, September 1, 2010

RealPlayer haunted by 'critical' security holes

If you have Real Player (AOL often installs it), you need to patch it.  The ZDNet article below has the best explanation I have seen.

US-CERT Current Activity: RealNetworks Releases Update to Address Vulnerabilities in RealPlayer
added August 31, 2010 at 08:23 am
RealNetworks, Inc. has released an update for RealPlayer to address multiple vulnerabilities. These vulnerabilities may allow a remote, unauthenticated attacker to execute arbitrary code or obtain sensitive information. US-CERT encourages users and administrators to review the RealNetworks, Inc. security advisory for these vulnerabilities and apply any necessary updates to help mitigate the risks.


RealPlayer haunted by 'critical' security holes | ZDNet

By Ryan Naraine | September 1, 2010, 11:47am PDT

If you still have the RealPlayer software on your machine, now might be a good time to uninstall it. If you really need to keep it (why?), it’s definitely time to apply the latest update to avoid malicious hacker attacks.

RealNetworks has shipped a critical update to address multiple vulnerabilities, some serious enough to allow a remote, unauthenticated attacker to execute arbitrary code or obtain sensitive information.

Microsoft DLL Path vulnerability "in the wild"

This has been getting a lot of play in the trade press over the past week or so.  It's a complicated issue, and there is no simple patch.  The Microsoft "Fixit" isn't just a one-click fix like most of their "Fixits", either.  The Krebs on Security article below has a good but technical discussion of the problem.

FWIW I haven't patched any of my personal computers, but I never browse the Internet with "Administrator" rights and I never execute files directly from remote servers.  If you are a home user and do not work using a "Limited User" account, you should read the Krebs article and decide if you should patch.  Several applications that I use, including the VLC media player, have already patched themselves to fix this.

US-CERT Current Activity: Insecure Loading of Dynamic Link Libraries in Windows Applications
added August 25, 2010 at 12:01 pm | updated September 1, 2010 at 10:27 am
US-CERT is aware of a class of vulnerabilities related to how some Windows applications may load external dynamic link libraries (DLLs). When an application loads a DLL without specifying a fully qualified path name, Windows will attempt to locate the DLL by searching a defined set of directories. If an application does not securely load DLL files, an attacker may be able to cause the affected application to load an arbitrary library.

By convincing a user to open a file from a location that is under an attacker's control, such as a USB drive or network share, a remote attacker may be able to exploit this vulnerability. Exploitation of this vulnerability may result in the execution of arbitrary code.

Additional information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#707943. US-CERT encourages users and administrators to review the vulnerability note and consider implementing the following workarounds until fixes are released by affected vendors:
  • disable loading libraries from WebDAV and remote network shares
  • disable the WebClient service
  • block outgoing SMB traffic
Update: Microsoft has released Fix it tool 50522 to assist users in setting the registry key value introduced with Microsoft support article 2264107 to help reduce the risks posed by the DLL loading behavior described in VU#707943. Users and administrators are encouraged to review Microsoft support article 2264107, the Microsoft Security Research & Defense TechNet blog entry, and to consider using the Fix it tool to help reduce the risks. Users should be aware that setting the registry key value as described in the support article or via the Fix it tool may reduce the functionality of some third-party applications.
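
The search behaviour described in the US-CERT entry above, and the effect of the registry value from Microsoft support article 2264107, can be checked with a simplified model. This is an added example, not code from US-CERT, Microsoft or this blog; the registry value name `CWDIllegalInDllSearch` and its settings come from that support article, while the search order (SafeDllSearchMode on, the Windows default) is a simplification and every file name and share path is constructed.

```python
import ntpath
from collections import namedtuple

# Settings of the CWDIllegalInDllSearch registry DWORD (Microsoft support
# article 2264107). It can be set machine-wide or per application.
CWD_DEFAULT = 0x0          # current directory is searched as usual
CWD_BLOCK_WEBDAV = 0x1     # skip the current directory when it is a WebDAV folder
CWD_BLOCK_REMOTE = 0x2     # skip it when it is a WebDAV folder or a UNC share
CWD_REMOVE = 0xFFFFFFFF    # never search the current directory

# kind is "local", "unc" or "webdav"; the model is told, it does not detect it.
Location = namedtuple("Location", "path kind", defaults=("local",))

# Directories Windows consults before the current directory.
SYSTEM_DIRS = [
    Location(r"C:\Windows\System32"),
    Location(r"C:\Windows\System"),
    Location(r"C:\Windows"),
]


def cwd_is_searched(cwd, setting):
    """Does the current directory take part in the search under this setting?"""
    if setting == CWD_REMOVE:
        return False
    if setting == CWD_BLOCK_REMOTE:
        return cwd.kind == "local"
    if setting == CWD_BLOCK_WEBDAV:
        return cwd.kind != "webdav"
    return True


def search_order(app_dir, cwd, path_dirs=(), setting=CWD_DEFAULT):
    """Directories tried, in order, for a DLL requested by bare file name."""
    order = [app_dir, *SYSTEM_DIRS]
    if cwd_is_searched(cwd, setting):
        order.append(cwd)
    return order + list(path_dirs)


def resolve(dll, files, app_dir, cwd, path_dirs=(), setting=CWD_DEFAULT):
    """Return the path that would be loaded, or None if the load fails."""
    present = {f.lower() for f in files}
    if ntpath.isabs(dll):
        # Fully qualified request: no search happens at all.
        return dll if dll.lower() in present else None
    for loc in search_order(app_dir, cwd, path_dirs, setting):
        candidate = ntpath.join(loc.path, dll)
        if candidate.lower() in present:
            return candidate
    return None


def loads_from_cwd(dll, files, app_dir, cwd, path_dirs=(), setting=CWD_DEFAULT):
    """True when the request is satisfied from the current directory."""
    hit = resolve(dll, files, app_dir, cwd, path_dirs, setting)
    return hit is not None and hit.lower() == ntpath.join(cwd.path, dll).lower()


# --- Constructed sample data ---------------------------------------------
# A media player whose optional codec.dll is not installed, started by opening
# a clip on a file share, so the share becomes the current directory.
FILES = {
    r"C:\Program Files\Player\player.exe",
    r"C:\Windows\System32\version.dll",
    r"\\fileserver\share\media\clip.mov",
    r"\\fileserver\share\media\codec.dll",
    r"\\fileserver\share\media\version.dll",
}
APP = Location(r"C:\Program Files\Player")
SHARE = Location(r"\\fileserver\share\media", "unc")


def audit(dll):
    """Resolution result for one DLL name under each registry setting."""
    settings = {"default": CWD_DEFAULT, "1": CWD_BLOCK_WEBDAV,
                "2": CWD_BLOCK_REMOTE, "0xFFFFFFFF": CWD_REMOVE}
    return {name: resolve(dll, FILES, APP, SHARE, setting=value)
            for name, value in settings.items()}


if __name__ == "__main__":
    for name in ("codec.dll", "version.dll"):
        for label, path in audit(name).items():
            print(f"{name:12} setting={label:10} -> {path}")
```

A DLL that exists in the application or system directories is never taken from the share; only a name that is missing everywhere earlier in the order falls through to the current directory, which is why the fix for application authors is a fully qualified path and the workaround for administrators is the registry value.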


MS Fix Shores Up Security for Windows Users — Krebs on Security
Microsoft has released a point-and-click tool to help protect Windows users from a broad category of security threats that stem from a mix of insecure default behaviors in Windows and poorly written third-party applications.

My explanation of the reason that this is a big deal may seem a bit geeky and esoteric, but it’s a good idea for people to have a basic understanding of the threat because a number of examples of how to exploit the situation have already been posted online.  Readers who’d prefer to skip the diagnosis and go straight to the treatment can click here.

... vulnerable apps include Windows Live Mail, Windows Movie Maker, Microsoft Office Powerpoint 2007, Skype, Opera, Mediaplayer Classic and uTorrent, to name just a few.

Tuesday, August 24, 2010

Apple Mac OS X and Adobe Shockwave (NOT Flash) Player patches

Apple patches 13 Mac OS X vulnerabilities | ZDNet
By Ryan Naraine | August 24, 2010, 2:19pm PDT
Apple has shipped a new Mac OS X security update to fix 13 documented vulnerabilities, some serious enough to expose users to remote code execution attacks.

The patch includes fixes for security holes in several open-source components, including ClamAV and PHP.

Here’s a quick look at the vulnerabilities and affected components.

Critical security holes in Adobe Shockwave | ZDNet

By Ryan Naraine | August 24, 2010, 2:40pm PDT

Adobe has shipped a Shockwave Player update to fix 20 security holes, some serious enough to lead to system takeover attacks.


The vulnerabilities, rated “critical,” affect Shockwave Player 11.5.7.609 and earlier versions for Windows and Macintosh.

From Adobe’s advisory:


Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.7.609 and earlier versions on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.

Users of Adobe Shockwave Player 11.5.7.609 and earlier versions should immediately upgrade to version 11.5.8.612 using this link: http://get.adobe.com/shockwave/.

Friday, August 20, 2010

Sure Happy It's Thursday: Google Chrome, VLC 1.1.3, old Java being exploited

The patch treadmill rolls along.  Google Chrome was patched just recently, and here it is again.  Ditto for VLC.  I was glad to read the Microsoft blog entry as that may explain how some of my out-of-date home users were infected recently.

US-CERT Current Activity: Google Releases Chrome 5.0.375.127
added August 20, 2010 at 08:47 am

Google has released Chrome 5.0.375.127 for Windows, Mac, and Linux to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or conduct spoofing attacks.

US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and apply any necessary updates to help mitigate the risks.

US-CERT Current Activity: VideoLAN Releases a Security Advisory for VLC Media Player
added August 20, 2010 at 10:47 am

VideoLAN has released a security advisory to address a vulnerability in VLC Media Player. This vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition. The updated release also addresses additional issues that could result in a denial-of-service attack.

US-CERT encourages users and administrators to review VideoLAN security advisory VideoLAN-SA-1004 and apply any necessary updates or workarounds to help mitigate the risks.

Sunbelt Blog: Microsoft: drive-by Trojan preying on out-of-date Java installations
A piece by Marian Radu on Microsoft’s Technet Blog is warning that users who have failed to update the Java Runtime Environment (JRE) on their machines are vulnerable to drive-by downloads by a Trojan called Unruy. That Trojan has been associated with rogue security products. Radu said the vulnerability (which was patched in March) is being actively exploited.

Browsers running JRE versions up to version 6 update 18 are vulnerable. The current JRE version today is version 6, update 21.

Microsoft Technet blog piece here: “Unruy downloader uses CVE-2010-0094 Java vulnerability”

Users can easily check their version of Java and download necessary updates here: http://www.java.com/en/download/manual.jsp

Thursday, August 19, 2010

Adobe Issues Acrobat, Reader Security Patches

Well, Adobe shipped an "emergency" set of patches for Adobe Reader 8.x and 9.x.  If you are updating manually you can get them here: Adobe.com - New downloads.  So far they appear to be working fine on all the systems where I have installed them.

Adobe ships critical PDF Reader patch | ZDNet
Adobe has shipped a security bulletin with patches for two critical vulnerabilities in its PDF Reader and Acrobat software products.
The flaws fixed in this out-of-cycle patch affect Adobe Reader 9.3.3 and earlier versions for Windows, Mac and UNIX; and Adobe Acrobat 9.3.3 and earlier versions for Windows and Mac.
Adobe’s advisory spells out the severity:

These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Today’s patch comes on the heels of a Black Hat conference presentation where researcher Charlie Miller provided details of an exploitable vulnerability in Adobe’s PDF Reader software.  Miller’s presentation did not include technical details of the flaw but attendees were able to piece together clues to determine that the flaw could lead to code execution attacks with rigged PDF files.

Adobe confirmed that this update fixes that Black Hat vulnerability.  Google’s Tavis Ormandy is credited with reporting the flaw.  Miller was not credited in Adobe’s advisory.

The update also incorporates patches from the Adobe Flash Player Security Bulletin APSB10-16.

Adobe Issues Acrobat, Reader Security Patches — Krebs on Security
Adobe Systems Inc. today issued software updates to fix at least two security vulnerabilities in its widely-used Acrobat and PDF Reader products. Updates are available for Windows, Mac and UNIX versions of these programs.  ... 

Today’s update is an out-of-cycle release for Adobe, which recently moved to a quarterly patch release schedule. The company said the update addresses a vulnerability that was demonstrated at the Black Hat security conference in Las Vegas last month. The release notes also reference a flaw detailed by researcher Didier Stevens back in March. Adobe said it is not aware of any active attacks that are exploiting either of these bugs.

More information on these patches, such as updating older versions of Acrobat and Reader, is available in the Adobe security advisory.

Friday, August 13, 2010

This week's reminder links: Chrome, QuickTime, more

No details are provided on what has been patched.  If you use the Google Chrome browser, it should auto-update. One of the Chrome alternatives (which don't feed your surfing life to Google), Iron Browser, isn't keeping up -- their newest version is dated late June, but ChromePlus was just updated today (13 Aug 2010) and can be downloaded [HERE].

US-CERT Current Activity: Google Releases Chrome 5.0.375.126
added August 11, 2010 at 08:12 am

Google has released Chrome 5.0.375.126 for Linux, Mac, and Windows. Chrome 5.0.375.126 contains an updated version of the Flash plugin which addresses multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and apply any necessary updates to help mitigate the risks.

ChromePlus Release Notes (1.4.1.0)
V1.4.1.0 for Windows (based on Chromium 5.0.375.126)
Release Notes: (13 Aug 2010)


QuickTime Security Updates
Last Updated: 2010-08-13 00:15:28 UTC
by Guy Bruneau (Version: 1)

QuickTime 7.6.7 is now available and addresses CVE-2010-1799. The update is available for Windows 7, Vista, XP SP2 or later. "Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution". The update can be downloaded here.

US-CERT Current Activity: Apple Releases QuickTime 7.6.7
added August 13, 2010 at 08:08 am
Apple has released QuickTime 7.6.7 for Windows to address a vulnerability. This vulnerability is due to a stack buffer overflow that exists in QuickTime error logging. By convincing a user to open a specially crafted movie file, a remote attacker may be able to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Apple article HT4290 and update to QuickTime 7.6.7 to help mitigate the risks.

Critical Apple QuickTime flaw dings Windows OS | ZDNet
Apple has shipped QuickTime 7.6.7 to fix a critical vulnerability that exposes Windows users to malicious hacker attacks.

The update, available for Windows XP SP3 and later, Windows Vista and Windows 7, corrects a flaw that could be exploited to launch remote code execution attacks.

According to Apple’s advisory, the flaw could be exploited with a maliciously crafted movie file.

Wednesday, August 11, 2010

Record Patch Tuesday, and Adobe Flash is updated again

I have applied the Windows Update patches and Flash updates to my systems and I haven't seen any issues, but I don't use Microsoft Office and there are critical patches to Office this month.  According to Brian Krebs, the Office patch is very important: "... a patch that fixes at least four vulnerabilities in Microsoft Office, the most severe of which could lead to users infecting their PCs with malware simply by opening or viewing a specially-crafted e-mail."  SANS rated many of the patches "Critical" but none are rated "PATCH NOW", so business users should probably hold off a day or two until the electronic dust settles.  However, if you use a Microsoft email program (Outlook, Outlook Express, or Windows Mail), you should consider patching soon.

Note that if you use Firefox or Chrome or Safari on Windows, you need to patch Flash twice, once for Internet Explorer and once for your other browsers.

Critical Updates for Windows, Flash Player — Krebs on Security
Microsoft issued a record number of software updates today, releasing 14 update bundles to plug at least 34 security holes in its Windows operating system and other software. More than a third of flaws earned a “critical” severity rating, Microsoft’s most serious. Separately, Adobe released an update for its Flash Player that fixes a half-dozen security bugs.

... The software giant also urged customers to quickly deploy a patch that fixes at least four vulnerabilities in Microsoft Office, the most severe of which could lead to users infecting their PCs with malware simply by opening or viewing a specially-crafted e-mail.

More details on the rest of this month’s updates are available here. Just a quick note about this patch batch for consumers: It might not hurt to wait a day or two before applying the Microsoft updates. Given the sheer number of vulnerabilities addressed in this release, there is a good chance that one or more of them may turn out to cause problems for some customers. Also, there don’t appear to be any online threats actively exploiting any of these flaws at the moment.

In other news, Adobe released a patch for its ubiquitous Flash Player that fixes at least six flaws in Flash. The newest version brings Flash to v. 10.1.82.76. If you’d like to know what version of Flash you are currently using, browse to this link.

SANS: August 2010 Microsoft Black Tuesday Summary
Overview of the Aug 2010 Microsoft Patches and their status.

Update:  Microsoft also released an advisory for an unpatched privilege escalation vulnerability

Update 2: Exploit code apparently exists for MS10-048, but it is not being seen in the wild at present.


US-CERT Current Activity: Microsoft Releases August Security Bulletin
added August 10, 2010 at 01:25 pm
Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer, Office, and Silverlight as part of the Microsoft Security Bulletin Summary for August 2010. These vulnerabilities may allow an attacker to execute arbitrary code or operate with elevated privileges.

US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.

August 2010 Security Bulletin Release - The Microsoft Security Response Center (MSRC) - Site Home - TechNet Blogs
Hello all. As part of our usual cycle of monthly updates, today Microsoft is releasing 14 security bulletins, addressing 34 vulnerabilities. Eight of those bulletins have a Critical severity rating, and we consider four of those to be high-priority deployments:
  • MS10-052
    This bulletin resolves a privately reported vulnerability in
    Microsoft's MPEG Layer-3 audio codecs. The vulnerability could allow
    remote code execution if a user opens a specially crafted media file or
    receives specially crafted streaming content from a Web site. An
    attacker who successfully exploited this vulnerability could gain the
    same user rights as the logged-on user.

  • MS10-055
    This bulletin resolves a privately reported vulnerability in Cinepak
    Codec, which is used by Windows Media Player to support the .avi
    audiovisual format. The vulnerability could allow remote code execution
    if a user opens a specially crafted media file, or receives specially
    crafted streaming content from a Web site. An attacker who successfully
    exploited this vulnerability could gain the same user rights as the
    logged-on user.

  • MS10-056
    This bulletin resolves four privately reported vulnerabilities in
    Microsoft Office. The most severe vulnerabilities could allow remote
    code execution if a user opens or previews a specially crafted RTF
    e-mail message. An attacker who successfully exploited any of these
    vulnerabilities could gain the same user rights as the local user.
    Windows Vista and Windows 7 are less exploitable due to additional heap
    mitigation mechanisms in those operating systems.

  • MS10-060
    This bulletin resolves two privately reported vulnerabilities, both of
    which could allow remote code execution, in Microsoft .NET Framework and
    Microsoft Silverlight.

Currently none of the vulnerabilities addressed has been observed under exploit in the wild.