Tuesday, February 23, 2010

Adobe Security Bulletin: UNINSTALL Adobe Download Manager

Well, Adobe has issued a bulletin telling everyone who has the Adobe Download Manager to UNINSTALL it and any related services.

Adobe - Security Bulletins: APSB10-08 Security update available for Adobe Download Manager
A critical vulnerability has been identified in the Adobe Download Manager. This vulnerability (CVE-2010-0189) could potentially allow an attacker to download and install unauthorized software onto a user's system.

Users, who have downloaded Adobe Reader for Windows from http://get.adobe.com/reader/ or Adobe Flash Player for Windows from http://get.adobe.com/flashplayer/ prior to the release of this Security Bulletin on February 23, 2010, can verify they are not vulnerable to this Adobe Download Manager issue by following the instructions in the Solution section below.

Affected software versions
Adobe Download Manager on Windows (prior to February 23, 2010)

Solution
Users, who have downloaded Adobe Reader for Windows from http://get.adobe.com/reader/ or Adobe Flash Player for Windows from http://get.adobe.com/flashplayer/ prior to the release of this Security Bulletin on February 23, 2010, can verify they are not vulnerable to this Adobe Download Manager issue by following the instructions below:
  • Ensure that the C:\Program Files\NOS\ folder and its contents ("NOS files") are not present on your system. (If the folder is present, follow the steps below to remove).
  • Click "Start" > "Run" and type "services.msc". Ensure that "getPlus(R) Helper" is not present in the list of services.


If the NOS files are found, the Adobe Download Manager issue can be mitigated by:
  • Navigating to Start > Control Panel > Add or Remove Programs > Adobe Download Manager, and selecting Remove to remove the Adobe Download Manager from your system.
OR
  • Clicking "Start" > "Run" and typing "services.msc". Then deleting "getPlus(R) Helper" from the list of services.
  • Then delete the C:\Program Files\NOS\ folder and its contents.
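An audit script that runs the bulletin's checks on a Windows machine (the NOS folder, the "getPlus(R) Helper" service, and the Add or Remove Programs entry) and reports what it finds, added here as an example and not part of the Adobe bulletin; it assumes the service's display name starts with "getPlus" and only reports, leaving removal to the manual steps above.

```powershell
# Added audit example (not from the Adobe bulletin): report the indicators the bulletin
# says to look for. Assumption: the service's display/short name begins with "getPlus".
$findings = @()

# 1. The C:\Program Files\NOS\ folder ("NOS files"); also check Program Files (x86) on 64-bit
$nosCandidates = @((Join-Path $env:ProgramFiles 'NOS'))
if (${env:ProgramFiles(x86)}) { $nosCandidates += (Join-Path ${env:ProgramFiles(x86)} 'NOS') }
foreach ($nosPath in $nosCandidates) {
    if (Test-Path -LiteralPath $nosPath) {
        $findings += "NOS folder present: $nosPath"
    }
}

# 2. The "getPlus(R) Helper" service as listed in services.msc
$svc = Get-Service | Where-Object { $_.DisplayName -like 'getPlus*' -or $_.Name -like 'getPlus*' }
foreach ($s in @($svc)) {
    $findings += "Service present: $($s.DisplayName) (status: $($s.Status))"
}

# 3. The Add or Remove Programs entry for "Adobe Download Manager"
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$arp = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like 'Adobe Download Manager*' }
foreach ($a in @($arp)) {
    $findings += "Add/Remove Programs entry present: $($a.DisplayName)"
}

if ($findings.Count -eq 0) {
    Write-Output "No Adobe Download Manager indicators found; nothing to remove."
} else {
    Write-Output "Adobe Download Manager indicators found; follow the bulletin's removal steps:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it in an elevated PowerShell session so the service list and HKLM uninstall keys are fully readable.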


This issue is resolved as of February 23, 2010, and no action is required for future downloads of Adobe Reader from http://get.adobe.com/reader/ or Adobe Flash Player from http://get.adobe.com/flashplayer/.

Severity rating

Adobe categorizes this as a critical update. Users can remove potentially vulnerable installations of the Adobe Download Manager using the instructions in the Solution section above.

Wednesday, February 17, 2010

Disconcerting news about the Adobe Download Manager

I have been uninstalling this whenever I see it, so it's good to see that my suspicious nature has paid off.

Security Updates for Adobe Reader, Acrobat — Krebs on Security
Update, 4:06 p.m. ET: If you decide to do without Adobe Reader and uninstall it, you might want to nix the Adobe Download Manager as well. Researcher Aviv Raff points to some nifty work he’s done which shows that Adobe’s Download Manager — which ships with all new versions of Flash and Reader — can be forced to reinstall an application that’s been removed, such as Reader. According to Raff, a Web site could hijack the Adobe Download manager to download and install any of the following:
  • Adobe Flash 10
  • Adobe Reader 9.3
  • Adobe Reader 8.2
  • Adobe Air 1.5.3
  • ARH tool – allows silent installation of Adobe Air applications
  • Google Toolbar 6.3
  • McAfee Security Scan Plus
  • New York Times Reader (via Adobe Air)
  • Fanbase (via Adobe Air)
  • Acrobat.com desktop shortcut
Raff writes: “So, even if you use an alternative PDF reader, an attacker can force you to download and install Adobe Reader, and then exploit the (yet to be patched, but now known) vulnerability. The attacker can also exploit 0-day vulnerabilities in any of the other products mentioned above.” Read more on his findings at this link here.
Note: According to Aviv Raff, Firefox users should disable or uninstall the Adobe Download Manager extension in addition to uninstalling the Adobe Download Manager program. Of course, if you're constitutionally paranoid like me ;-) you won't have either installed [grin].

Tuesday, February 16, 2010

Security updates available for Adobe Reader

If you use Adobe Reader (I don't, I use the also-free Foxit Reader in an attempt to reduce my attack surface ;-)), you should patch NOW. Here are links to several pages about the new Adobe Reader patches:

Adobe - Security Bulletins: APSB10-07 Security updates available for Adobe Reader and Acrobat
A critical vulnerability has been identified in Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh. As described in Security Bulletin APSB10-06, this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Reader 9.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.1. (For Adobe Reader users on Windows and Macintosh who cannot update to Adobe Reader 9.3.1, Adobe has provided the Adobe Reader 8.2.1 update.) Adobe recommends users of Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.1. Adobe recommends users of Acrobat 8.2 and earlier versions for Windows and Macintosh update to Acrobat 8.2.1.

ZDNet reported this also, with a very unflattering headline:

Zero Day | ZDNet.com: Adobe plugs more gaping holes in PDF Reader
Adobe today released an out-of-band security update to patch a pair of gaping holes that expose hundreds of millions of computer users to remote code execution attacks.

The vulnerabilities are rated “critical” and affect Adobe Reader and Adobe Acrobat on all platforms — Windows, Mac and Linux.

This PDF Reader/Acrobat update falls outside of the company’s scheduled quarterly patch cycle. It is not yet clear why Adobe opted for an out-of-band patch but the presence of Microsoft’s security research team as a flaw-finder on this bulletin suggests Redmond may have pressured Adobe to rush out a fix.

Adobe insists there are no active attacks or exploit code publicly available.

There is also a clear connection to a patch released last week for Adobe Flash Player. That Flash patch covered a hole (CVE-2010-0186) that could subvert the domain sandbox and make unauthorized cross-domain requests.

In today’s Reader/Acrobat bulletin, the same vulnerability is referenced as affecting Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh.

A related story on ZDnet's Security blog today claims that Malicious PDF files comprised 80 percent of all exploits for 2009
A newly released report shows that based on more than a trillion Web requests processed in 2009, the use of malicious PDF files exploiting flaws in Adobe Reader/Adobe Acrobat not only outpaced the use of Flash exploits, but also, grew to 80% of all exploits the company encountered throughout the year.

Thursday, February 11, 2010

Adobe's Patch Thursday: update for Flash Player, planned update for Adobe Readers 8-9

Even more reason to get patching:

Adobe - Security Bulletins: APSB10-06 Security update available for Adobe Flash Player
A critical vulnerability has been identified in Adobe Flash Player version 10.0.42.34 and earlier. This vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests.

Adobe recommends users of Adobe Flash Player 10.0.42.34 and earlier versions update to Adobe Flash Player 10.0.45.2. Adobe recommends users of Adobe AIR version 1.5.3.1920 and earlier versions update to Adobe AIR 1.5.3.1930.
Adobe - Security Bulletins: APSB10-07 Security Advisory for Adobe Reader and Acrobat
Adobe is planning to release an update for Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh to resolve critical security issues, including the Flash Player issue described in Security Bulletin APSB10-06. Adobe expects to make these updates available on February 16, 2010.

Tuesday, February 9, 2010

Mega-patch Tuesday has 13 patches, many critical

At least SANS doesn't give any of them its worst "PATCH NOW" rating, but many are rated "Critical". I have patched all my systems and am waiting a day or so for feedback on the blogs before patching business client systems. Home users should patch today or tomorrow; don't wait!

ZDNet has a good, user-friendly write-up on three or four it considers the most critical:
Patch Tuesday: Microsoft plugs critical Windows worm holes | Zero Day | ZDNet.com
Microsoft today released 13 security bulletins with fixes for 26 vulnerabilities affecting Windows and Office users and warned customers to pay special attention to a slew of flaws that can be trivially exploited by malware miscreants.

The company urged customers to prioritize and deploy four updates because of the “critical” severity rating and the fact that “consistent exploit code” is likely within the next 30 days.

Here’s the skinny on the three updates that should be applied immediately:

* MS10-013: Addresses a Critical vulnerability in DirectShow, should be at the top of your list for testing and deployment. This issue is Critical on all supported versions of Windows except Itanium based server products and has an Exploitability Index rating of 1. To exploit the vulnerability, an attacker could host a malicious AVI file on a website and convince a user to visit the site, or send the file via email and convince a user to open it.

* MS10-006: This is also rated Critical on all versions of Windows, except Windows Vista and Windows Server 2008, and addresses 2 vulnerabilities in SMB Client. One of the vulnerabilities has an Exploitability Index rating of 1. In the simplest scenario, a system connecting to a network file share is an SMB Client. The issue occurs during the client/server negotiation phase of the connection. In order to exploit this issue, an attacker would need to host a malicious server and convince a client system to connect to it. An attacker could also try to perform a man-in-the-middle attack by responding to SMB requests from clients. From our analysis of this issue, we expect attempts to exploit it would be more likely to result in a Denial of Service than in Remote Code Execution.

* MS10-007: Fixes a Critical vulnerability in Windows Shell Handler that affects Windows 2000, Windows XP, and Windows Server 2003. The attack vector is through a specially crafted link that appears to the ShellExecute API to be a valid link. This issue has not been publicly exposed but we give it an Exploitability Index rating of 1, so we urge customers on affected platforms to install it as soon as possible.

A fourth bulletin — MS10-008 — includes ActiveX Kill Bits for Internet Explorer and should also be treated with the utmost priority because it exposes surfers to malicious code execution attacks.

Eleven of 13 bulletins affect the Windows operating system while two affect older versions of Microsoft Office.

Microsoft's Official Bulletin: Microsoft Security Bulletin Summary for February 2010

SANS summary: February 2010 Black Tuesday Overview

Update: Brian Krebs also has a good user-friendly write-up on today's patches: 13 Ways to Protect Your Windows PC — Krebs on Security
Microsoft today released a baker’s dozen of software updates to fix twice as many vulnerabilities in its various Windows operating systems and other software. Translation: If you use any supported version of Windows, it’s time once again to update your PC.

Update 2 Thu 11 Feb 2010 11:51 AM MST: I'm seeing multiple reports of BSODs installing some of these patches on Windows XP systems. Reports are here:
Update 3 Thu 11 Feb 2010 20:25: Microsoft has withdrawn MS10-015 pending further testing. See here:
The Microsoft Security Response Center (MSRC) : Restart issues after installing MS10-015

Thursday, February 4, 2010

IE users - malicious or hacked websites can read any file on your system

The IE flaw I blogged on last week has now been released.

Microsoft warns of new IE data-leakage vulnerability | Zero Day | ZDNet.com
Microsoft today issued a security advisory to acknowledge an information disclosure hole in its Internet Explorer browser and warned that an attacker could exploit the flaw to access files with an already known filename and location.

The vulnerability was first discussed at this week’s Black Hat DC conference by Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies. Microsoft says the risk is highest for IE users running Windows XP or who have disabled the browser’s Protected Mode feature.

Medina’s presentation demonstrated how an attacker can read every file of an IE user’s filesystem. The attack scenario leveraged different design features of Internet Explorer that can be combined to do serious damage.

Microsoft has acknowledged the problem and issued an MSRC Security Bulletin, Security Advisory 980088 and a FixIt for the problem, which tells me (a) it's serious and (b) they expect exploitation soon. The MSKB article also includes .reg files for those who would rather use registry files instead of MS's FixIt. The MSRC Security Bulletin includes a link which downloads the FixIt. Home users should probably use the FixIt. Business users should alert their IT staff to this problem.

This comes on the heels of Krebs-On-Security's disclosure of a years-old way to crash IE6: Another Way to Ditch IE6
This past week, I was reminded of a conversation I had with an ethical hacker I met at the annual Defcon security conference in Las Vegas a couple of years back who showed me what remains the shortest, most elegant and reliable trick I’ve seen to crash the Internet Explorer 6 Web browser.

If you’re curious and have IE6 lying around, type or cut and paste the following into the address bar (that last character is a zero):

ms-its:%F0:

or just click this link with IE6.

I've tested the Krebs link, and it does crash IE6, at least on my Windows 2000 test machine.

The best solution to this for Windows users is to just avoid the use of IE and use Firefox, Chrome, or the Iron Browser instead.