Thursday, November 4, 2010

Firefox, Thunderbird patched; Adobe Flash patch due today, other stuff

More patching: Firefox has been patched to plug a 0-day flaw that was being exploited "in the wild", and Mozilla Thunderbird has been patched to fix the same bug (which was not exploitable in Thunderbird). Adobe's Flash Player and Adobe Reader 9 both have a vulnerability that is also currently being exploited; Adobe is supposed to issue a patch for Flash Player today (November 4, 2010), but Reader won't be patched for another 11 days. Adobe Reader 8 apparently doesn't have the vulnerability.

Also, I have been lax about updating this blog, so I have included several older items that have been sitting in my outbox that will affect some of you. Many vulnerabilities are being found these days in various unusual media players like the Real Player and the Shockwave Player, so if you don't need them I recommend uninstalling them rather than fighting to keep them updated.

Mozilla plugs Firefox drive-by-download zero-day | ZDNet
By Ryan Naraine | October 28, 2010, 10:54am PDT
Mozilla has quickly rushed out a Firefox security patch to provide cover for a zero-day flaw that was being exploited in drive-by malware downloads. ... The patch, rated “critical,” fixes a buffer overflow issue that was under attack at the Nobel Peace Prize web site. ... The vulnerability is fixed in Firefox 3.6.12, Firefox 3.5.15, Thunderbird 3.1.6, Thunderbird 3.0.10 and SeaMonkey 2.0.10. According to malware hunters tracking the threat, Firefox users who surfed to the Nobel Peace Prize site were silently infected with Belmoo, a Windows Trojan that gives the attacker complete control of the machine.
Adobe under attack: New PDF, Flash zero-day | ZDNet
By Ryan Naraine | October 28, 2010, 12:11pm PDT
Adobe’s security response team is scrambling to respond to new zero-day attacks against a computer hijack vulnerability in two of its most widely deployed products: Flash Player and Adobe PDF Reader.

The flaw, which is currently being exploited in the wild with booby-trapped PDF documents, affects Windows, Mac, Linux and Solaris users. The zero-day attacks are currently targeting Windows users.
Koobface Worm Targets Java on Mac OS X — Krebs on Security
A new version of the infamous Koobface worm designed to attack Mac OS X computers is spreading through Facebook and other social networking sites, security experts warn.

Security software maker Intego says this Mac OS X version of the Koobface worm is being served as part of a multi-platform attack that uses a malicious Java applet to attack users. According to Intego, the applet includes a prompt to install the malicious software:
'Highly critical' flaws hit RealPlayer | ZDNet
By Ryan Naraine | October 18, 2010, 10:54am PDT
Multiple “highly critical” security holes in RealNetworks’ RealPlayer software could expose millions of computer users to remote code execution attacks.

According to an advisory from Secunia, these flaws can be exploited by malicious people to compromise a user’s system.

This RealNetworks security notice details seven different vulnerabilities affecting Windows RealPlayer SP 1.1.4 and RealPlayer Enterprise 2.1.2.

RealPlayer users are strongly encouraged to apply the available security patches.
Adobe Shockwave Player "Shockwave Settings" Use-After-Free Vulnerability

Juha-Matti reports that an odd Shockwave vulnerability has been identified (http://secunia.com/advisories/42112/). I call it "odd" because it's not the typical "download crafted flash file and it executes code." The victim has to open the Shockwave settings window while having the malicious website open. It's a new hurdle, but I'm not sure that it's insurmountable.

Zero Day readers, why aren't you patching Flash Player? | ZDNet
Adobe’s plan to rush out a fix for the latest Flash Player zero-day vulnerability got me thinking about patch adoption rates among ZDNet Zero Day readers.

According to our statistics counter, the majority of you (security-savvy readers?) are very tardy in applying Flash Player updates.

New 0-day flaw in IE 6, 7, and 8 not likely to be fixed

This hit the blogs and tech news sites yesterday. In one of Microsoft's write-ups, they point out that running as a "Limited User" (an account that doesn't have administrator privileges) is one way to avoid this exploit. Firefox and Chrome are also not subject to this problem. The Symantec article has the best technical details.

Vulnerability in Internet Explorer Could Allow Remote Code Execution (CVE-2010-3962)

Microsoft has announced a vulnerability in all currently-supported versions of Internet Explorer (6 through 8) that could allow the execution of arbitrary code (advisory 2458511, http://blogs.technet.com/b/msrc/archive/2010/11/02/microsoft-releases-security-advisory-2458511.aspx). This would likely be leveraged in a drive-by-exploit scenario. They state that DEP (Data Execution Prevention) and Protected Mode are mitigating factors.

Microsoft Warns of Attacks on Zero-Day IE Bug — Krebs on Security
Microsoft Corp. today warned Internet Explorer users that attackers are exploiting a previously unknown security hole in the browser to install malicious software. The company is urging users who haven’t already done so to upgrade to IE8, which includes technology that makes the vulnerability more difficult to exploit.
Microsoft warns of new IE zero-day attacks | ZDNet
Microsoft has raised an alarm for a new round of targeted malware attacks against a zero-day vulnerability in its dominant Internet Explorer browser.

The vulnerability affects all supported versions of Internet Explorer and can be exploited to launch remote code execution (drive by download) attacks, Microsoft said in an advisory.
Microsoft Security Advisory (2458511): Vulnerability in Internet Explorer Could Allow Remote Code Execution
Microsoft is investigating new, public reports of a vulnerability in all supported versions of Internet Explorer. The main impact of the vulnerability is remote code execution. This advisory contains workarounds and mitigations for this issue.

The vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

At this time, we are aware of targeted attacks attempting to use this vulnerability. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
Microsoft Releases Security Advisory 2458511 - The Microsoft Security Response Center (MSRC) - Site Home - TechNet Blogs
Today we released Security Advisory 2458511 to address a new vulnerability that could impact Internet Explorer users if they visit a website hosting malicious code. As of now, the impact of this vulnerability is extremely limited and we are not aware of any affected customers. The exploit code was discovered on a single website which is no longer hosting the malicious code. ... The Security Advisory also details a workaround that customers can apply that will protect all affected versions of IE from this issue. We are working to have a Microsoft Fix it in place for easy implementation of the workaround. Our Security Research & Defense team has also provided a detailed write up on how the workaround protects against the vulnerability.
New IE Zero-Day used in Targeted Attacks | Symantec Connect
One such case started a few days ago when we received information about a possible exploitation using older versions of Internet Explorer as targets. Hackers had sent emails to a select group of individuals within targeted organizations. Within the email, the perpetrators added a link to a specific page hosted on an otherwise legitimate website. The hackers had gotten access to the website account and uploaded content without the owners knowing. Here is what the email looked like: