Thursday, April 15, 2010

Emergency Java patch released, PATCH NOW

There have been reports that this flaw is already being exploited on at least one popular website.

As attacks surface, Sun ships sudden Java patch | Zero Day |
In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks.

The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped song lyrics Web site.

The release notes that accompany the new Java 6 Update 20 make no mention of the public flaw disclosure or subsequent attacks, but I’ve been able to confirm that the patch does cover the vulnerability released by Google security researcher Tavis Ormandy.

Critical Java Vulnerability Exploited On |
A popular song lyrics website has been found serving attack code that tries to exploit a critical vulnerability in Oracle’s Java virtual machine, which is installed on hundreds of millions of computers worldwide.

Java Patch Targets Latest Attacks — Krebs on Security
"Oracle Corp. has shipped a new version of its Java software that nixes a feature in Java that hackers have been using to foist malicious software.

Java 6 Update 20 was released sometime in the last 24 hours, and includes some security fixes, although Oracle’s documentation on that front is somewhat opaque. Most significantly, the update removes a feature that hackers have started using to install malware.

On Wednesday, a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to plant malicious software.

If you need Java for some specific reason, then by all means install this update. However, I have found that most users can happily do without this powerful and feature-rich program, which is fast becoming a popular vehicle for launching a range of attacks. More on that in a future post. Stay tuned.

System administrators and savvy home users who download the offline patch can update their computers more quickly by running the downloaded patch with the command-line switches "/passive /norestart". This turns the install into a start-it-and-forget-it event and avoids the need to click a bunch of [OK] and [Next] buttons. Incidentally, it also bypasses the attempt to install a toolbar into your browser. If you are curious about what command-line switches are available, run the patch with the command-line switch "/?".
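One way to automate the unattended install described above, as an added example that is not from the post or from Oracle: a PowerShell script that reads the installed JRE versions from the registry and runs the downloaded offline installer with the "/passive /norestart" switches only when a Java 6 release older than Update 20 is present. The installer path and the JavaSoft registry layout are assumptions.

```powershell
# Added example (not from the original post): check the installed JRE version in the
# registry and, if it is older than Java 6 Update 20, run the offline patch unattended
# with the "/passive /norestart" switches mentioned in the post.
# Assumptions: the offline installer has already been downloaded to $Installer (placeholder
# path) and the JRE registers itself under the standard JavaSoft registry key.

$Installer = 'C:\Patches\jre-6u20-windows-i586.exe'   # placeholder path; adjust to your download
$RequiredUpdate = 20                                   # Java 6 Update 20 covers the Ormandy flaw

# Parse a JavaSoft version string such as "1.6.0_20" into its update number.
# Returns $null when the string is not a Java 6 version.
function Get-Java6UpdateNumber([string]$Version) {
    if ($Version -match '^1\.6\.0_(\d+)$') { return [int]$Matches[1] }
    return $null
}

# Look in both the native and the 32-bit (WOW64) registry views for installed JREs.
$KeyPaths = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
)
$NeedsPatch = $false
foreach ($Key in $KeyPaths) {
    if (-not (Test-Path $Key)) { continue }
    # Each installed JRE has a subkey named after its full version, e.g. "1.6.0_18".
    foreach ($Sub in Get-ChildItem $Key) {
        $Update = Get-Java6UpdateNumber $Sub.PSChildName
        if ($Update -ne $null -and $Update -lt $RequiredUpdate) {
            Write-Host "Found vulnerable JRE $($Sub.PSChildName) under $Key"
            $NeedsPatch = $true
        }
    }
}

if (-not $NeedsPatch) {
    Write-Host 'No Java 6 release older than Update 20 is installed; nothing to do.'
    exit 0
}

# Unattended install: progress bar only, no prompts, no forced reboot.
$Proc = Start-Process -FilePath $Installer -ArgumentList '/passive', '/norestart' -Wait -PassThru
if ($Proc.ExitCode -eq 0) {
    Write-Host 'Java 6 Update 20 installed.'
} elseif ($Proc.ExitCode -eq 3010) {
    Write-Host 'Installed; a reboot is pending (standard MSI exit code 3010).'
} else {
    Write-Warning "Installer returned exit code $($Proc.ExitCode); check the install log."
    exit $Proc.ExitCode
}
```

Run it from an elevated PowerShell prompt on each machine, or push it through whatever software-distribution tool you already use.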

Wednesday, April 14, 2010

Dangerous Java flaw being exploited in the wild

Just one more reason to use DropMyRights (there is a good 3-part write-up on it here) to run any Internet-facing application like browsers, email, music players, and so forth, and why you should use Firefox with NoScript and AdBlock Plus as your primary browser. Of course, you could also run as a Limited User, which is what I do on my home computer, but business users often have software which requires administrator rights on XP. Anyway, I recommend Firefox+NoScript or disabling Java until this is fixed.

Java zero-day flaw under active attack | Zero Day |
Just days after Google researcher Tavis Ormandy released details on a dangerous new Java vulnerability, malicious hackers have pounced and are exploiting the flaw in the wild to launch drive-by download attacks.

Virus hunters have spotted the attacks on a popular song lyrics Web site. Any visitor to that Web site with the Java Plugin for Browsers installed (Internet Explorer or Firefox) will get infected with malware.

According to AVG’s Roger Thompson, the attacks are likely to spread because of the simplicity in launching a successful exploit: ....

Unpatched Java Exploit Spotted In-the-Wild — Krebs on Security
Last week, a Google security researcher detailed a little-known feature built into Java that can be used to launch third-party applications. Today, security experts unearthed evidence that a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to install malicious software.

On April 9, Google researcher Tavis Ormandy posted to the FullDisclosure mailing list that he’d discovered he could abuse a feature in Java to launch arbitrary applications on a Windows PC using a specially-crafted Web site. Ormandy said the feature had been included in every version of Java since Java 6 Update 10, and was intended as a way to make it easier for developers to distribute their applications. Along with that disclosure, Ormandy published several examples of how attackers might use this functionality in Java to load malicious applications onto a user’s system.

As of this morning,, a site that according to traffic analysis firm receives about 1.7 million visits each month, was loading code from, a Russian Web site with a history of pushing rogue anti-virus.

Quicktime, Foxit Reader patched last week

I meant to blog this last week, but it fell off the stack until this week's security blog came around on the keyboard. On top of last week's Mega Patch collection, here are two more:

Security Updates for Foxit, QuickTime/iTunes — Krebs on Security
Foxit Software has issued an update to make it easier for users to spot PDF files that may contain malicious content. Also, Apple has pushed out new versions of QuickTime and iTunes that correct nearly two dozen security problems in those programs.

Another busy week patching for system admins

Microsoft and Adobe both "celebrated" Patch Tuesday this week. If you have Adobe Reader 8 or 9 on your networks, you need to patch them, as well as check whether Microsoft's patches are important in your network. For home users, Adobe is now enabling an automatic patching mechanism that will patch Adobe Reader silently. Network admins should consider disabling this to reduce unnecessary traffic and to prevent automatic updating software from making unexpected changes to critical production systems. All of the stories linked below include more information and links to even more detail.

The Microsoft Security Response Center (MSRC) : April 2010 Security Bulletin Release
Today, as part of our monthly security update cycle, we are releasing 11 security bulletins to address 25 vulnerabilities: five rated Critical, five rated Important and one rated Moderate. This month’s release affects Windows, Microsoft Office, and Microsoft Exchange.

Microsoft patches 25 flaws with 11 patches, five critical - SC Magazine US
Microsoft on Tuesday pushed out 11 patches for 25 vulnerabilities.

Two of the fixes — MS10-020 and MS10-022 — correct previously known vulnerabilities, one a flaw in VBScript, which could permit attackers to execute remote code on victim machines, and the other a denial-of-service bug in Server Message Block, disclosed in November.

But on Tuesday the software giant identified three other patches — MS10-019, MS10-026 and MS10-027 — as the major priorities, Jerry Bryant, group manager of response communications at Microsoft, said in a blog post.

MS10-019, which resolves two vulnerabilities, affects all Windows versions and can allow an attacker to change PE (portable executable) and CAB (cabinet) files to add malicious content, without invalidating the digital signature.

SANS has awarded one of this month's patches, MS10-022, their highest rating of "PATCH NOW"* even though Microsoft only rated this patch "Important".

Microsoft April 2010 Patch Tuesday
Overview of the April 2010 Microsoft Patches and their status.
* PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.

Adobe, Microsoft Push Security Upgrades — Krebs on Security
Software giants Adobe and Microsoft today each released software updates to fix critical security flaws in their products. In addition, Adobe is rolling out a new auto-updater tool that should make it easier for hundreds of millions of Adobe Reader users to more safely run one of the most frequently attacked software applications.

Microsoft released 11 security updates that collectively fix at least 25 vulnerabilities in versions of Windows, Office, Exchange, and other Microsoft products.

Redmond said customers should install all of the relevant updates, but it called attention to a few as particularly urgent. Among those is a patch for all versions of Windows that fixes a bug which could allow attackers to fool Windows into thinking that a malicious program was created by a legitimate software vendor, said Joshua Talbot, security intelligence manager, Symantec Security Response.

Adobe - Security Bulletins: APSB10-09 - Security update available for Adobe Reader and Acrobat
Critical vulnerabilities have been identified in Adobe Reader 9.3.1 (and earlier versions) for Windows, Macintosh, and UNIX, Adobe Acrobat 9.3.1 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.1 (and earlier versions) and Adobe Acrobat 8.2.1 (and earlier versions) for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Critical flaws haunt Adobe PDF Reader, Acrobat | Zero Day |
Adobe dropped a bumper patch for its PDF Reader and Acrobat today to fix 15 documented security holes that expose Windows, Mac and UNIX users to malicious hacker attacks.

The update is rated “critical” because of the risk of remote code execution attacks via rigged PDF files.

Security update available for Adobe Reader and Acrobat

Friday, April 2, 2010

It's Mega-Super-Hyper-Mondo Patch Week!

This is NOT an April Fool's joke.

Here's what was patched this week:
  • Internet Explorer got an emergency, out-of-cycle, patch to correct a 0-day flaw that was being exploited.
  • Firefox 3.6 got patched to correct the security flaw that was exposed in the Pwn2Own competition last week (no patch yet for flaws exposed there in IE or Safari).
  • Foxit Reader got patched to correct a flaw that allowed it to launch any EXE without warning even with scripting disabled (no patch yet for Adobe Reader).
  • Java JRE got patched to correct 27 critical vulnerabilities.
  • Apple Quicktime and iTunes each got patches to address critical vulnerabilities.
  • Apple OS X 10.6 was patched on March 29th with a mega-patch that upgraded OS X to version 10.6.3.

Each of the stories below will open in a separate window and has links to more details and the patches. The most important for Windows users is the IE patch followed by the Firefox, Java, and Foxit Reader patches.

Emergency IE update patches 10 critical security holes | Zero Day |
Microsoft today shipped a cumulative Internet Explorer update with patches for 10 security holes, including a drive-by download vulnerability that’s already being used in malware attacks.

The critical MS08-018 update patches security holes that could lead to code execution attacks on all versions of Microsoft’s flagship browser, including the newest Internet Explorer 8.

Mozilla Firefox first to patch Pwn2Own vulnerability | Zero Day |
Mozilla is the first browser vendor to fix a vulnerability exploited at this year’s CanSecWest Pwn2Own contest.

Just one week after a U.K.-based hacker known as “Nils” broke into a 64-bit Windows 7 machine with a Firefox vulnerability, the open-source group shipped Firefox 3.6.3 to plug the security hole.

Java update plugs 27 critical security holes | Zero Day |
Oracle has shipped a Critical Patch Update for Java SE and Java for Business to fix 27 security flaws that could expose users to malicious hacker attacks.

The update, available for Windows, Solaris and Linux, addresses issues that could be remotely exploitable without authentication.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” the company said in an advisory.

Affected products include:

* Java SE: JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux ...

Foxit Reader Security Update
Foxit Reader has released a security update that fixes an issue that runs an embedded executable in a PDF document without asking the user's permission. The update can be launched from Foxit (select version) or downloaded from here.

This update is related to a recent ISC diary, "PDF Arbitrary Code Execution - vulnerable by design", published on 31 March 2010.

Apple QuickTime and iTunes Security Update
QuickTime 7.6.6 addresses 16 CVEs affecting both Windows and Mac. Additional information regarding the security fixes incorporated in this version is available here. Apple notes that several of the CVEs can lead to unexpected application termination or arbitrary code execution.

iTunes 9.1 addresses 7 CVEs affecting Windows and Mac. Additional information regarding the security fixes incorporated in this version is available here. Apple notes that several of the CVEs can lead to unexpected application termination or arbitrary code execution, including denial of service.

Apple plugs 88 Mac OS X security holes | Zero Day |
Apple today released one of its biggest Mac OS X security updates in recent memory, covering a whopping 88 documented vulnerabilities.

The Mac OS X v10.6.3 update, which is considered “critical,” covers flaws that could lead to remote code execution, information disclosure and denial-of-service attacks.

Apple patching frenzy: Security holes in QuickTime, iTunes, AirPort | Zero Day |
Just call it Mac OS X patchapalooza. Over the last week, Apple has shipped security patches to cover 88 vulnerabilities in the Mac operating system, 16 holes in the QuickTime media player, 7 flaws in iTunes and a security bug in the AirPort Base Station.

In the days following the release of the Mac OS X v10.6.3 update, Apple also covered remote code execution holes in QuickTime and iTunes, two software products found on millions of Mac and Windows machines.