Tuesday, August 24, 2010

Apple Mac OS X and Adobe Shockwave (NOT Flash) Player patches

Apple patches 13 Mac OS X vulnerabilities | ZDNet
By Ryan Naraine | August 24, 2010, 2:19pm PDT
Apple has shipped a new Mac OS X security update to fix 13 documented vulnerabilities, some serious enough to expose users to remote code execution attacks.

The patch includes fixes for security holes in several open-source components, including ClamAV and PHP.

Here’s a quick look at the vulnerabilities and affected components.

Critical security holes in Adobe Shockwave | ZDNet

By Ryan Naraine | August 24, 2010, 2:40pm PDT

Adobe has shipped a Shockwave Player update to fix 20 security holes, some serious enough to lead to system takeover attacks.


The vulnerabilities, rated “critical,” affect Shockwave Player 11.5.7.609 and earlier versions for Windows and Macintosh.

From Adobe’s advisory:


Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.7.609 and earlier versions on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.


Users of Adobe Shockwave Player 11.5.7.609 and earlier versions should immediately upgrade to version 11.5.8.612 using this link: http://get.adobe.com/shockwave/.

Friday, August 20, 2010

Sure Happy It's Thursday: Google Chrome, VLC 1.1.3, old Java being exploited

The patch treadmill rolls along.  Google Chrome was patched just recently, and here it is again.  Ditto for VLC.  I was glad to read the Microsoft blog entry as that may explain how some of my out-of-date home users were infected recently.

US-CERT Current Activity: Google Releases Chrome 5.0.375.127
added August 20, 2010 at 08:47 am

Google has released Chrome 5.0.375.127 for Windows, Mac, and Linux to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or conduct spoofing attacks.

US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and apply any necessary updates to help mitigate the risks.

US-CERT Current Activity: VideoLAN Releases a Security Advisory for VLC Media Player
added August 20, 2010 at 10:47 am

VideoLAN has released a security advisory to address a vulnerability in VLC Media Player. This vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition. The updated release also addresses additional issues that could result in a denial-of-service attack.

US-CERT encourages users and administrators to review VideoLAN security advisory VideoLAN-SA-1004 and apply any necessary updates or workarounds to help mitigate the risks.

Sunbelt Blog: Microsoft: drive-by Trojan preying on out-of-date Java installations
A piece by Marian Radu on Microsoft’s Technet Blog is warning that users who have failed to update the Java Runtime Environment (JRE) on their machines are vulnerable to drive-by downloads by a Trojan called Unruy. That Trojan has been associated with rogue security products. Radu said the vulnerability (which was patched in March) is being actively exploited.

Browsers running JRE versions up to version 6 update 18 are vulnerable. The current JRE version today is version 6, update 21.

Microsoft Technet blog piece here: “Unruy downloader uses CVE-2010-0094 Java vulnerability”

Users can easily check their version of Java and download necessary updates here: http://www.java.com/en/download/manual.jsp

Thursday, August 19, 2010

Adobe Issues Acrobat, Reader Security Patches

Well, Adobe shipped an "emergency" set of patches for Adobe Reader 8.x and 9.x.  If you are updating manually you can get them here: Adobe.com - New downloads.  So far they appear to be working fine on all the systems where I have installed them.

Adobe ships critical PDF Reader patch | ZDNet
Adobe has shipped a security bulletin with patches for two critical vulnerabilities in its PDF Reader and Acrobat software products.
The flaws fixed in this out-of-cycle patch affect Adobe Reader 9.3.3 and earlier versions for Windows, Mac and UNIX; and Adobe Acrobat 9.3.3 and earlier versions for Windows and Mac.
Adobe’s advisory spells out the severity:

These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Today’s patch comes on the heels of a Black Hat conference presentation where researcher Charlie Miller provided details of an exploitable vulnerability in Adobe’s PDF Reader software.  Miller’s presentation did not include technical details of the flaw but attendees were able to piece together clues to determine that the flaw could lead to code execution attacks with rigged PDF files.

Adobe confirmed that this update fixes that Black Hat vulnerability.  Google’s Tavis Ormandy is credited with reporting the flaw.  Miller was not credited in Adobe’s advisory.

The update also incorporates patches from the Adobe Flash Player Security Bulletin APSB10-16.

Adobe Issues Acrobat, Reader Security Patches — Krebs on Security
Adobe Systems Inc. today issued software updates to fix at least two security vulnerabilities in its widely-used Acrobat and PDF Reader products. Updates are available for Windows, Mac and UNIX versions of these programs.  ... 

Today’s update is an out-of-cycle release for Adobe, which recently moved to a quarterly patch release schedule. The company said the update addresses a vulnerability that was demonstrated at the Black Hat security conference in Las Vegas last month. The release notes also reference a flaw detailed by researcher Didier Stevens back in March. Adobe said it is not aware of any active attacks that are exploiting either of these bugs.

More information on these patches, such as updating older versions of Acrobat and Reader, is available in the Adobe security advisory.

Friday, August 13, 2010

This week's reminder links: Chrome, QuickTime, more

No details are provided on what has been patched.  If you use the Google Chrome browser, it should auto-update.  One of the Chrome alternatives (which don't feed your surfing life to Google), Iron Browser isn't keeping up -- their newest version is dated late June, but ChromePlus was just updated today (13 Aug 2010) and can be downloaded [HERE].

US-CERT Current Activity: Google Releases Chrome 5.0.375.126
added August 11, 2010 at 08:12 am

Google has released Chrome 5.0.375.126 for Linux, Mac, and Windows. Chrome 5.0.375.126 contains an updated version of the Flash plugin which addresses multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and apply any necessary updates to help mitigate the risks.

ChromePlus Release Notes (1.4.1.0)
V1.4.1.0 for Windows (based on Chromium 5.0.375.126)
Release Notes: (13 Aug 2010)


QuickTime Security Updates
Last Updated: 2010-08-13 00:15:28 UTC
by Guy Bruneau (Version: 1)

QuickTime 7.6.7 is now available and addresses CVE-2010-1799. The update is available for Windows 7, Vista, XP SP2 or later. "Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution". The update can be downloaded here.

US-CERT Current Activity: Apple Releases QuickTime 7.6.7
added August 13, 2010 at 08:08 am
Apple has released QuickTime 7.6.7 for Windows to address a vulnerability. This vulnerability is due to a stack buffer overflow that exists in QuickTime error logging. By convincing a user to open a specially crafted movie file, a remote attacker may be able to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Apple article HT4290 and update to QuickTime 7.6.7 to help mitigate the risks.

Critical Apple QuickTime flaw dings Windows OS | ZDNet
Apple has shipped QuickTime 7.6.7 to fix a critical vulnerability that exposes Windows users to malicious hacker attacks.

The update, available for Windows XP SP3 and later, Windows Vista and Windows 7, corrects a flaw that could be exploited to launch remote code execution attacks.

According to Apple’s advisory, the flaw could be exploited with a maliciously crafted movie file.

Wednesday, August 11, 2010

Record Patch Tuesday, and Adobe Flash is updated again

I have applied the Windows Update patches and Flash updates to my systems and I haven't seen any issues, but I don't use Microsoft Office and there are critical patches to Office this month.  According to Brian Krebs, the Office patch is very important: "... a patch that fixes at least four vulnerabilities in Microsoft Office, the most severe of which could lead to users infecting their PCs with malware simply by opening or viewing a specially-crafted e-mail."  SANS rated many of the patches "Critical" but none are rated "PATCH NOW", so business users should probably hold off a day or two until the electronic dust settles.  However, if you use a Microsoft email program (Outlook, Outlook Express, or Windows Mail), you should consider patching soon.

Note that if you use Firefox or Chrome or Safari on Windows, you need to patch Flash twice, once for Internet Explorer and once for your other browsers.

Critical Updates for Windows, Flash Player — Krebs on Security
Microsoft issued a record number of software updates today, releasing 14 update bundles to plug at least 34 security holes in its Windows operating system and other software. More than a third of flaws earned a “critical” severity rating, Microsoft’s most serious. Separately, Adobe released an update for its Flash Player that fixes a half-dozen security bugs.

... The software giant also urged customers to quickly deploy a patch that fixes at least four vulnerabilities in Microsoft Office, the most severe of which could lead to users infecting their PCs with malware simply by opening or viewing a specially-crafted e-mail.

More details on the rest of this month’s updates are available here. Just a quick note about this patch batch for consumers: It might not hurt to wait a day or two before applying the Microsoft updates. Given the sheer number of vulnerabilities addressed in this release, there is a good chance that one or more of them may turn out to cause problems for some customers. Also, there don’t appear to be any online threats actively exploiting any of these flaws at the moment.

In other news, Adobe released a patch for its ubiquitous Flash Player that fixes at least six flaws in Flash. The newest version brings Flash to v. 10.1.82.76. If you’d like to know what version of Flash you are currently using, browse to this link.

SANS: August 2010 Microsoft Black Tuesday Summary
Overview of the Aug 2010 Microsoft Patches and their status.

Update:  Microsoft also released an advisory for an unpatched privilege escalation vulnerability

Update 2: Exploit code apparently exists for MS10-048, but it is not being seen in the wild at present.


US-CERT Current Activity: Microsoft Releases August Security Bulletin
added August 10, 2010 at 01:25 pm
Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer, Office, and Silverlight as part of the Microsoft Security Bulletin Summary for August 2010. These vulnerabilities may allow an attacker to execute arbitrary code or operate with elevated privileges.

US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.

August 2010 Security Bulletin Release - The Microsoft Security Response Center (MSRC) - Site Home - TechNet Blogs
Hello all. As part of our usual cycle of monthly updates, today Microsoft is releasing 14 security bulletins, addressing 34 vulnerabilities. Eight of those bulletins have a Critical severity rating, and we consider four of those to be high-priority deployments:
  • MS10-052
    This bulletin resolves a privately reported vulnerability in
    Microsoft's MPEG Layer-3 audio codecs. The vulnerability could allow
    remote code execution if a user opens a specially crafted media file or
    receives specially crafted streaming content from a Web site. An
    attacker who successfully exploited this vulnerability could gain the
    same user rights as the logged-on user.

  • MS10-055
    This bulletin resolves a privately reported vulnerability in Cinepak
    Codec, which is used by Windows Media Player to support the .avi
    audiovisual format. The vulnerability could allow remote code execution
    if a user opens a specially crafted media file, or receives specially
    crafted streaming content from a Web site. An attacker who successfully
    exploited this vulnerability could gain the same user rights as the
    logged-on user.

  • MS10-056
    This bulletin resolves four privately reported vulnerabilities in
    Microsoft Office. The most severe vulnerabilities could allow remote
    code execution if a user opens or previews a specially crafted RTF
    e-mail message. An attacker who successfully exploited any of these
    vulnerabilities could gain the same user rights as the local user.
    Windows Vista and Windows 7 are less exploitable due to additional heap
    mitigation mechanisms in those operating systems.

  • MS10-060
    This bulletin resolves two privately reported vulnerabilities, both of
    which could allow remote code execution, in Microsoft .NET Framework and
    Microsoft Silverlight.

Currently none of the vulnerabilities addressed has been observed under exploit in the wild.

Sunday, August 8, 2010

Foxit Fix for “Jailbreak” PDF Flaw — Krebs on Security

One of the more interesting developments over the past week has been the debut of jailbreakme.com, a Web site that allows Apple customers to jailbreak their devices merely by visiting the site with their iPhone, iPad or iTouch. Researchers soon learned that the page leverages two previously unknown security vulnerabilities in the PDF reader functionality built into Apple’s iOS4.

Adobe was quick to issue a statement saying that the flaws were in Apple’s software and did not exist in its products. Interestingly, though, this same attack does appear to affect Foxit Reader, a free PDF reader that I often recommend as an alternative to Adobe.

According to an advisory Foxit issued last week, Foxit Reader version 4.1.1.0805 “fixes the crash issue caused by the new iPhone/iPad jailbreak program which can be exploited to inject arbitrary code into a system and execute it there.” If you use Foxit, you grab the update from within the application (“Help,” then “Check for Updates Now”) or from this link.

Friday, August 6, 2010

Foxit Releases Foxit Reader 4.1.1.0805

Foxit Software moved a little faster on this than Adobe did ...

US-CERT Current Activity: Foxit Releases Foxit Reader 4.1.1.0805
added August 6, 2010 at 10:31 am
Foxit has released Foxit Reader 4.1.1.0805 to address a vulnerability associated with the improper rendering of PDF documents. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the security release notes for Foxit Reader 4.1.1.0805 and apply any necessary updates to help mitigate the risks. Additional information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#275247.

Foxit Software
Security Release – Foxit Reader 4.1.1.0805

Fremont CA, August 6, 2010 – Foxit Corporation, a leading provider of solutions for reading, editing, creating, organizing, securing PDF documents and eReader devices, announces an upcoming security patch for its popular Foxit Reader. The upcoming Foxit Reader enhances PDF document security that is currently being used to compromise Apple iPhone/iPad devices.

Vulnerability Fixed

Foxit Reader fixes the crash issue caused by the new iPhone/iPad jailbreak program which can be exploited to inject arbitrary code into a system and execute it there.

For more information, please visit this page.

Thursday, August 5, 2010

Another MONDO Patch Tuesday coming ... batten down the hatches.

Looks like SysAdmins are going to be busy little puppies this coming week.  Not only will we have to patch Adobe Reader, Microsoft has announced another record-tying Patch Tuesday.

Microsoft readies record 14 fixes, eight critical - SC Magazine US
Microsoft on Thursday announced that next week it plans to deliver a record 14 patches to resolve 34 vulnerabilities across its product line.

The 34 flaws expected to be fixed, which ties a record with the number of holes plugged in June's update, reside in Windows, Office, Internet Explorer, SQL Server and Silverlight, according to the advance notification. Eight of the 14 bulletins earned a "critical" rating, while the others are designated as "important."

Of the critical bulletins, seven impact Windows.

August 2010 Bulletin Release Advance Notification - The Microsoft Security Response Center (MSRC) - Site Home - TechNet Blogs
Today we're releasing our advance notification for the June security bulletin release, which is scheduled for Tuesday, August 10. This month's release is composed of 14 bulletins addressing 34 vulnerabilities in Windows, Microsoft Office, Internet Explorer, SQL, and Silverlight. Eight of the bulletins carry a Critical severity rating, and six are rated Important.

US-CERT Current Activity: Microsoft Releases Advance Notification for August Security Bulletin
added August 5, 2010 at 01:39 pm

Microsoft has issued a Security Bulletin Advance Notification indicating that its August release will contain 14 bulletins. Eight bulletins will have the severity rating of critical and will be for Microsoft Windows, Internet Explorer, Office, and Silverlight. The remaining six bulletins will have the severity rating of important and will be for Microsoft Windows and Office. Release of these bulletins is scheduled for Tuesday, August 10, 2010.

MS Patch Tuesday heads-up: 14 bulletins, 34 vulnerabilities | ZDNet
Microsoft is planning a very busy Patch Tuesday this month: 14 bulletins with patches for 34 vulnerabilities in Windows, Microsoft Office, Internet Explorer, SQL and Silverlight.

According to Microsoft’s advance notice for the August batch of patches, eight of the bulletins carry a “critical” severity rating. The other six are rated “important.”

A critical bulletin typically covers vulnerabilities that could be exploited to launch remote code execution or drive-by-download attacks.

All versions of Windows are affected by the patches this month — from Windows XP SP3 through Windows 7 and Windows Server 2008 R2.

The patches will ship on August 10, 2010.

Is it time to dump Adobe Reader in favour of an alternate PDF reader?

Patching Adobe products is just getting OLD (not to mention expensive). FWIW I use both the Foxit Reader and the Sumatra PDF viewer rather than Adobe Reader on Windows.

Adobe confirms critical flaw in Reader and Acrobat - SC Magazine US
The vulnerability affects the current version of the software, Adobe Reader 9.3.3, and earlier versions for Windows, Macintosh and UNIX, Adobe said. It also affects Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh. There are no reports of the bug being exploited in the wild.

Adobe - Security Bulletins: APSB10-17 - Security Advisory for Adobe Reader and Acrobat
Adobe is planning to release updates for Adobe Reader 9.3.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 for Windows and Macintosh, and Adobe Reader 8.2.3 and Acrobat 8.2.3 for Windows and Macintosh to resolve critical security issues, including CVE-2010-2862 which was discussed at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. Adobe expects to make these updates available during the week of August 16, 2010.

Sunbelt Blog: Living with the iPhone .pdf vulnerability
Apple is working on a fix for the much-publicized .pdf vulnerability in the iPhone – and might be putting the finishing touches on one – but it looks like it might be a while before it is available.

This isn’t a small problem. There could be nearly 100 million vulnerable iPhones and iPod Touches out there at this point.

Adobe Acrobat Font Parsing Integer Overflow Vulnerability
PDFs containing specially crafted TrueType fonts can trigger this vulnerability.

Adobe readies emergency fix for critical PDF Reader security hole | ZDNet
On the heels of a Black Hat conference presentation where researcher Charlie Miller provided details of an exploitable vulnerability in Adobe’s PDF Reader software, the company plans to ship an out-of-band patch to ward off malicious hacker attacks.

Tuesday, August 3, 2010

Patch NOW! Microsoft Out-of-Band Patch on Monday!

SANS gave this their ultimate "PATCH NOW" rating.  I have patched and only noticed one minor issue with an icon in one user's "Quick Launch" taskbar area on XP Pro.

As attacks escalate, Microsoft ships emergency Windows patch | ZDNet
Microsoft has rushed out an emergency patch for all supported versions of Windows to cover a gaping — and under attack — security flaw in the way shortcuts are displayed by the operating system.

The out-of-band update, rated “critical,” comes less than 20 days after the discovery of a sophisticated malware attack that combined the Windows zero-day flaw with security problems in SCADA systems and used stolen signed drivers to bypass security software.

Copycat attackers also added exploits for the Windows vulnerability into malware families, putting pressure on Redmond to release today’s emergency fix.

SANS: Microsoft Out-of-Band bulletin addresses LNK/Shortcut vulnerability
As announced on Friday, Microsoft released an out-of-band bulletin to address the recent Shortcut/LNK exploits. As confirmed in Microsoft's announcement, various malware is now attempting to exploit this vulnerability. The vulnerability is rather easy to exploit in particular given the tools available to craft necessary shortcuts.

US-CERT Current Activity: Microsoft Releases Out-of-Band Security Bulletin to Address Shortcut Vulnerability
added August 2, 2010 at 01:55 pm

Microsoft has released security bulletin MS10-046 to address a critical vulnerability affecting Microsoft Windows. This vulnerability is due to the failure of Microsoft Windows to properly obtain icons for shortcut files. By convincing a user to display a specially crafted shortcut file, a remote attacker may be able to execute arbitrary code.

US-CERT strongly encourages users and administrators to review Microsoft security bulletin MS10-046 and apply any necessary updates to mitigate the risks.

Additional information regarding this vulnerability can be found in the following:


Patch for Critical Windows Flaw Available — Krebs on Security
Microsoft today released an emergency security update to fix a critical flaw present in all supported versions of Windows. The patch comes as virus writers are starting to ramp up attacks that leverage the vulnerability.

There are a couple of things you should know before installing this update. If you took advantage of the “FixIt” tool that Microsoft shipped last month to blunt the threat from this flaw, you should take a moment now to undo that fix. To do that, visit this link, then click the image below the “Disable Workaround” heading, and follow the prompts. You will need to reboot the system before installing the official fix released today, which is available from Windows Update.
...
You will need to reboot after installing the patch. After I applied this patch and rebooted the system, Windows Explorer stalled, leaving Windows unresponsive. After a forced restart (powering the system off and then on again), my 64-bit Windows 7 system booted into Windows normally.

When this vulnerability was initially disclosed, it was only being used in targeted attacks online. However, as Microsoft warned and others have confirmed, this vulnerability is now showing up in more mainstream attacks. Please take a moment to apply this update today if you can, particularly if your Windows system is not already protected with the FixIt tool mentioned above.