Friday, December 30, 2011

Unusual out-of-cycle Microsoft Patch

This one shouldn't affect most home users, but system admins would be well advised to take it seriously.  Microsoft issuing an out-of-cycle patch on a Thursday is very unusual, and it normally means the flaw is public and the risk of exploitation is high.  Even if you don't think you're running an ASP.NET server you might be, as many modern applications embed a web server on your machine, and any of them built on ASP.NET is affected.

None of my systems (XP Pro, Windows 7 Pro, Windows Server 2008 R2) required a reboot.

Microsoft releases out-of-band security update to plug .NET hole | ZDNet

MS11-100, released today, is a rare out-of-band security update—one delivered on a Thursday, several weeks ahead of the next regularly scheduled Patch Tuesday release. ...

The four patched vulnerabilities affect the Microsoft .NET Framework on every supported version of Windows, including Windows XP SP3, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008 and 2008 R2. Exploits against unpatched systems could allow an attacker to “take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands.”
...
Typically, an out-of-band update indicates that the risk of “in the wild” exploits is high, so this update demands immediate attention.
Microsoft delivers rare out-of-band patch for ASP.NET issue - SC Magazine US
Microsoft engineers on Thursday gave IT administrators a late Christmas present: a fix for an unpatched and publicly known vulnerability affecting the software giant's ASP.NET web application framework.

One day after disclosing the flaw, which affects ASP.NET versions 1.1 and later on all supported versions of the .NET Framework, Microsoft released an emergency patch, which also addresses three other bugs, all of which were privately reported.


"An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands," the bulletin from Microsoft said.


What makes the previously unpatched bug particularly worrisome is that it enables attackers to use limited means to launch a devastating denial-of-service (DoS) attack against web servers. According to Microsoft, "a single, specially crafted ~100kb HTTP request can consume 100 percent of one CPU core for between 90 to 110 seconds."
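The CPU-burning request quoted above is a hash-flooding attack: the publicly disclosed bug (CVE-2011-3414, one of the four fixed by MS11-100) let a POST body full of form-field names that all collide in the framework's string hash turn every field insertion into a scan of one long bucket chain, so n fields cost O(n^2) work. The script below is an added example written for this post, not code from Microsoft or from the original article. It assumes a Java-style h = h*31 + c string hash as a stand-in for the .NET hash that was actually attacked (the real function is not reproduced here), builds a colliding form body, measures the comparison count in a toy chaining table, and shows the two fixes that matter: a per-process keyed hash, and the request-size cap MS11-100 introduced (aspnet:MaxHttpCollectionKeys, default 1000 fields).

```python
"""Hash-flooding DoS against a chained hash table, and two mitigations.

Added example; the weak_hash() recurrence is an ASSUMED stand-in for the
.NET string hash, chosen because its collisions are easy to construct.
"""
import hashlib
import secrets
from urllib.parse import parse_qsl


def weak_hash(s: str) -> int:
    """Unkeyed, predictable string hash: h = h*31 + c (mod 2**32)."""
    h = 0
    for ch in s:
        h = (h * 31 + ord(ch)) & 0xFFFFFFFF
    return h


def colliding_names(n_bits: int) -> list:
    """2**n_bits distinct field names that share one weak_hash() value.

    'Aa' and 'BB' collide (65*31+97 == 66*31+66 == 2112) and the
    recurrence is linear in the suffix, so any concatenation of n_bits
    such pairs hashes identically. No brute force is required.
    """
    return [
        "".join("Aa" if (i >> b) & 1 else "BB" for b in range(n_bits))
        for i in range(1 << n_bits)
    ]


SEED = secrets.token_bytes(16)  # fresh per process, never sent to clients


def keyed_hash(s: str) -> int:
    """Keyed hash: without SEED an attacker cannot precompute collisions."""
    digest = hashlib.blake2b(s.encode(), key=SEED, digest_size=8).digest()
    return int.from_bytes(digest, "big")


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons."""

    def __init__(self, hash_fn, nbuckets: int = 1 << 16):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.compares = 0

    def insert(self, key: str, value: str) -> None:
        bucket = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in bucket:  # scan the chain for an existing key
            self.compares += 1
            if entry[0] == key:
                entry[1] = value
                return
        bucket.append([key, value])


def malicious_form_body(n_bits: int) -> str:
    """Constructed x-www-form-urlencoded body with 2**n_bits colliding names."""
    return "&".join(f"{name}=x" for name in colliding_names(n_bits))


def parse_form(body: str, hash_fn, max_fields: int = 0) -> ChainedTable:
    """Parse a form body into a ChainedTable.

    max_fields > 0 mirrors the cap MS11-100 added (aspnet:MaxHttpCollectionKeys,
    default 1000): oversized requests are refused before the quadratic work.
    """
    pairs = parse_qsl(body, keep_blank_values=True)
    if max_fields and len(pairs) > max_fields:
        raise ValueError(f"{len(pairs)} form fields exceeds limit {max_fields}")
    table = ChainedTable(hash_fn)
    for name, value in pairs:
        table.insert(name, value)
    return table


if __name__ == "__main__":
    body = malicious_form_body(11)  # 2048 fields, roughly 50 KB
    print(f"request size: {len(body)} bytes")
    t = parse_form(body, weak_hash)
    print(f"weak hash:  {t.compares} comparisons for 2048 fields (n*(n-1)/2)")
    t = parse_form(body, keyed_hash)
    print(f"keyed hash: {t.compares} comparisons")
    try:
        parse_form(body, weak_hash, max_fields=1000)
    except ValueError as err:
        print("rejected:", err)
```

With 11 bits the weak table does 2,096,128 comparisons for 2,048 fields; one more bit gives 4,096 fields in about 110 KB, which is the size Microsoft quoted, and four times the work. The keyed table spreads the same names across buckets, and the field cap refuses the request outright, which is the cheaper defence when you cannot change the hash.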


Friday, December 16, 2011

Adobe Reader 9.4.7 patch is out

This patch fixes a vulnerability that is being exploited in the wild.  Adobe Reader X has the same vulnerability, but in its default configuration Protected Mode stops the current exploits from working.  If you have AR9, PATCH NOW.  If you have AR X, make sure Protected Mode is still enabled.  Foxit Software has issued a press release claiming their software is not affected by this flaw.

Adobe - Security Bulletins: APSB11-30 - Security updates available for Adobe Reader and Acrobat
There have been reports of two critical vulnerabilities being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows. These vulnerabilities (CVE-2011-2462, referenced in Security Advisory APSA11-04, and CVE-2011-4369) could cause a crash and potentially allow an attacker to take control of the affected system.

While these vulnerabilities exist in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh, there is no immediate risk to users of Adobe Reader and Acrobat X for Windows (with Protected Mode/Protected View enabled), Adobe Reader and Acrobat X or earlier versions for Macintosh, and Adobe Reader 9.x for UNIX based on the current exploits and historical attack patterns.

Today's updates address these vulnerabilities in Adobe Reader and Acrobat 9.x for Windows. Adobe recommends users of Adobe Reader 9.4.6 and earlier 9.x versions for Windows update to Adobe Reader 9.4.7. Adobe recommends users of Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows update to Adobe Acrobat 9.4.7.
FOXIT® READER SAFE FROM LATEST “ZERO-DAY” (CVE-2011-2462) VULNERABILITY - Foxit Software
FREMONT, Calif. - December 14, 2011 - Foxit® Corporation, a leading provider of solutions for reading, editing, creating, organizing, and securing PDF documents, today announced that the Foxit Reader is not vulnerable to the latest zero-day (CVE-2011-2462) vulnerability. Users who are concerned about this much publicized issue should feel safe in downloading the Foxit Reader to meet their PDF reader requirements.

If you have either Adobe Reader or Foxit Reader, I recommend you disable JavaScript and all multimedia operations, and (in Adobe Reader) disable its ability to launch other programs and attachments.

December Windows Update - PATCH NOW! Also, Java updates are out.

The December Windows Updates were released on Tuesday, and one of them is rated PATCH NOW! by SANS as it is actively being exploited already.  The patches are widely documented both on user-friendly blogs and Microsoft's Technet blog.
ISC Diary | December 2011 Microsoft Black Tuesday Summary
Security Updates for Microsoft Windows, Java — Krebs on Security
Microsoft today issued software updates to patch at least 19 security holes in Windows, including three flaws that earned the company’s most serious “critical” rating. Separately, Oracle released a security update that fixes several issues in its Java software.

The most talked-about vulnerability fixed in December’s patch batch is a critical flaw in all supported versions of Windows that’s been exploited for at least the past two months (and probably much longer) by the Duqu Trojan, a sophisticated information-stealer that experts say was an espionage tool constructed to extract sensitive data from industrial control systems.

The other two critical updates fix bugs in ActiveX and Windows Media Player. The remaining patches address less severe but still dangerous security holes in Windows, Microsoft Office and Microsoft Publisher. A more detailed breakdown of this month’s updates is available here. Patches are available via Windows Update.

Thirteen patches from Microsoft, including Duqu fix - SC Magazine US

Microsoft on Tuesday pushed out 13 patches, one fewer than anticipated, to address 19 security vulnerabilities, including a bug that allows the data-stealing Duqu trojan to spread.

Duqu, the so-called "son of Stuxnet" trojan, contains a dropper program that exploits the vulnerability, located in the Windows kernel, Microsoft revealed in early November. The software giant subsequently issued a workaround, and the issue now is corrected with bulletin MS11-087, rated "critical."

“The most important patch this month is the TrueType font parsing issue, which is the zero-day vulnerability exploited as part of the Duqu targeted attacks,” said Joshua Talbot, security intelligence manager of Symantec Security Response. “The Duqu malware didn't actually incorporate an exploit for this issue in its code, but the vulnerability was used by malicious email attachments to load Duqu onto targeted systems.”

Tuesday's other high-priority patch is MS11-092, also rated critical, which remedies a vulnerability in Windows Media that could permit remote code execution. The third and final critical fix, MS11-090, involves an ActiveX issue.

The security update also included a patch -- MS11-099 -- for three Internet Explorer (IE) vulnerabilities. A cumulative patch for the popular web browser typically ranks higher on Microsoft's deployment priority chart, but not this month.


The December bulletins are released - MSRC - Site Home - TechNet Blogs
13 Dec 2011 10:19 AM

Hello. As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing 13 security bulletins, three of which are rated Critical in severity, and 10 Important.

These bulletins will increase protection by addressing 19 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on these critical updates:

    MS11-092 – Windows Media: Vulnerability In Windows Media Could Allow Remote Code Execution
    MS11-087 – Windows: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
In other security news, Oracle has released security updates to both currently supported Java versions (JDK and JRE). If you have Java installed, you need to update from 6u29 or 7u1 to 6u30 or 7u2.  You may have to update manually, as the "Update" button on every Java 6u29 installation I tested was not returning update 6u30 as I write this.  The installers can be downloaded from here: Java SE Downloads. Again the updates are widely documented on user-friendly blogs (and also in the extremely user-hostile Oracle release notes).
ISC Diary | Java 6u30 released
Oracle have released Java 6 Update 30 (6u30) today. The fixes are mostly of functional nature. As far as we can tell from the release notes, no gaping security craters had to be leveled out this time .. for a change. Two security related fixes are still noteworthy for developers, one affects the use of SSL (TLS_DH_anon_WITH_AES_128_CBC_SHA), the other is about the use of secure cookies in HTTPS when the applet gets invoked via JavaScript.  The full release information and list of fixes are available on Oracle's web site.
Oracle updates Java, Adobe patches ColdFusion - SC Magazine US
Oracle on Monday released an update to its Java software, fixing several security flaws.

The update, Java 6 Update 30 (6u30), contains mostly performance and stability fixes and is largely void of “gaping security craters .. for a change,” Daniel Wesemann, a handler for the SANS Internet Storm Center, wrote in a blog post Monday. It does, however, contain security fixes that impact developers, he said.

The update, for example, clears up an issue that caused Java 6 Update 29 to break SSL connectivity. Another problem involves secure cookies being sometimes dropped.

Security Updates for Microsoft Windows, Java — Krebs on Security
In other patch news, Oracle has released yet another update to its Java software. Oracle released updates to Java versions 6 and 7, but only the Java 6 Update 30 includes security fixes. It appears from a close examination of Oracle’s unbelievably labyrinthine security advisories that Update 30 addresses at least six separate security issues. Anyone who wants to read more about the specific details of the flaws fixed in this update without having wade through countless advisories can do so by clicking this link. While none of the flaws look especially bad, if you are using Java it’s time to either update it or dump it (I continually urge readers to do the latter). Updates are available from the Java console (available through the Windows Control Panel).
Oracle Java - 6u30-relnotes
Oracle Java - 7u2-relnotes

Friday, December 9, 2011

Download.com IS STILL NOT safe to use

This is a revision of my earlier post titled "Download.com may be safe to use again"
They have taken what appear to be corrective steps. A blog posting by them claims they have removed any toolbar bundles from open-source software and that they have removed the requirement that you be a "registered member" (in other words, "give them your email address") to download files directly without using their "download manager". However, the fact that they have not committed to never bundle toolbars is troublesome, so if you have a choice, download your freeware from another source if possible. And ALWAYS use the "direct download" option -- if you find it among the clutter of their download page.

A note from Sean regarding the Download.com Installer | The Download Blog - Download.com
... we are removing the registration requirement to use the Direct Download Link on our site. This allows you, the user, to download the Installer without using the download manager.

EDIT Fri 09 Dec 2011 08:57 AM MST: Sean lies. As of this morning the open-source application Evince is still being bundled with a downloader when you download it from CNet. When I clicked the download button at CNet I got a file called cnet_evince-2_32_0_msi.exe.

I submitted that file to VirusTotal and it reported the following:
File name: cnet_evince-2_32_0_msi.exe
Submission date: 2011-12-09 13:24:56 (UTC)
Result: 2/ 43 (4.7%)
  • DrWeb 5.0.2.03300 2011.12.09 Adware.InstallCore.8
  • NOD32 6691 2011.12.07 a variant of Win32/InstallCore.D

Thursday, December 8, 2011

Update to Foxit Reader 5.1.3

If you use the Foxit Reader instead of Adobe's bloated, insecure PDF reader, you should update.
Foxit Reader Unspecified Memory Corruption Vulnerability - Secunia.com
Description:
A vulnerability has been reported in Foxit Reader, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error. No further information is currently available.

The vulnerability is reported in versions 5.1.0.1021 and prior.

Solution:
Update to version 5.1.3.
Foxit Reader - Building the Most Secure PDF Reader - Foxit Software
Fixed an issue when opening certain PDF files.

SUMMARY
Foxit Reader 5.1.3 fixed an issue when opening certain PDF files. This issue was caused by the cross-border assignment of an array which may result in memory corruption vulnerabilities.

Affected Versions
Foxit Reader 5.1.0.1021 and earlier.

Fixed in Version
Foxit Reader 5.1.3

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" in Reader help menu to update to the latest version 5.1.3
  • Click here to download the updated version now.

According to the Foxit Software Announcement, there are also several other useful fixes in this update:
Maintenance Release - Foxit® Reader 5.1.3 - Foxit Software
Maintenance Release - Foxit® Reader 5.1.3
... Foxit Reader 5.1.3 fixes an issue of Foxit Reader when opening certain PDF files. This issue was caused by the cross-border assignment of an array which may result in memory corruption vulnerabilities or potential memory corruption vulnerabilities.

Other product modifications include:

  • Fixed an issue when right-clicking an opened PDF file in an internet browser after changing the UI language.
  • Fixed an issue where the paper size in the Preview Area of Print Dialogue Box cannot be updated accordingly if users choose the Xerox® Printer.
  • Fixed an issue when switching the interface language.
  • Fixed an issue where the Paper Drawer cannot be changed to Cassette when printing.

Download.com may be safe to use again

revised and reposted on Fri 09 Dec 2011 at 09:10 AM MST
They have taken what appear to be corrective steps. A blog posting by them claims they have removed any toolbar bundles from open-source software and that they have removed the requirement that you be a "registered member" (in other words, "give them your email address") to download files directly without using their "download manager". However, the fact that they have not committed to never bundle toolbars is troublesome, so if you have a choice, download your freeware from another source if possible. And ALWAYS use the "direct download" option -- if you find it among the clutter of their download page.

A note from Sean regarding the Download.com Installer | The Download Blog - Download.com
... we are removing the registration requirement to use the Direct Download Link on our site. This allows you, the user, to download the Installer without using the download manager.

Wednesday, December 7, 2011

Avoid Download.com - some downloads include malware toolbars

Apparently the change started this summer.  I usually choose to download from other sources, and since I have scripting disabled when I browse, even when I chose to get software from CNet's site I never saw this.  But other bloggers are reporting this, and it has been confirmed.  DO NOT USE DOWNLOAD.COM to get any downloads until this is corrected.  If you need to know where to get something that tells you to get it from download.com, email me and I'll find an alternate source.

Download.com Bundling Toolbars, Trojans? — Krebs on Security
It wasn’t long ago that I felt comfortable recommending CNET‘s download.com as a reputable and trustworthy place to download software. I’d like to take back that advice: CNET increasingly is bundling invasive and annoying browser toolbars with software on its site, even some open-source titles whose distribution licenses prohibit such activity.

Although this change started this summer, I only first became aware of it after reading a mailing list posting on Monday by Gordon “Fyodor” Lyon, the software developer behind the ever useful and free Nmap network security scanner. Lyon is upset because download.com, which has long hosted his free software for download without any “extras,” recently began distributing Nmap and many other titles with a “download installer” that bundles in browser toolbars like the Babylon toolbar.


CNET’s own installer is detected by many antivirus products as a Trojan horse, even though the company prefaces each download with the assurance that “CNET hosts this file and has scanned it to ensure it is virus and spyware free.” CNET also has long touted download.com’s zero tolerance policy toward all bundled adware.

Lyon said he found his software was bundled with the StartNow Toolbar, which is apparently powered by Microsoft‘s “Bing decision engine.” When I grabbed a copy of the Nmap installer from download.com and ran it on a test Windows XP machine, CNET’s installer offered the Babylon Toolbar, which is a translation toolbar that many Internet users have found challenging to remove.



This has also been reported by other security bloggers:

Be very careful reading PDFs on the web or in email this week.

I've seen a lot of stories about this yesterday and today.  There is an unpatched flaw in Adobe Reader that is being exploited right now.   Adobe is expected to release a patch next week, but for now, I recommend using an alternate PDF reader.  The lightest-weight alternative is Sumatra PDF, which I use, but I also use Foxit Reader. If you use Foxit Reader, be sure to disable JavaScript.

The last link below, at GFI.com, includes some examples of typical PDF malware, so if you would like to see what they would look like please visit that site.

Attackers Hit New Adobe Reader, Acrobat Flaw — Krebs on Security
Malicious hackers are targeting a previously unknown security hole in Adobe Reader and Acrobat to compromise Microsoft Windows machines, Adobe warned today.

Adobe says attackers are taking advantage of a newly discovered critical flaw that exists in Adobe Reader X (10.1.1) and earlier versions for Windows and Mac systems, and Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, as well as Adobe Acrobat X (10.1.1) and earlier for Windows and Mac machines. A security bulletin warns of reports that the vulnerability is being actively exploited in “limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.”

Adobe said it plans to ship an emergency update to address the vulnerability in Reader 9.x and Acrobat 9.x on Windows no later than the week of Dec. 12. Citing protections built into newer versions of its software, however, Adobe said it would not fix the flaw in Reader X or Acrobat X versions for Windows, Mac, or UNIX versions until Jan. 10, 2012, the date of its next scheduled quarterly security update. Adobe’s Brad Arkin explains more about the company’s reasoning behind this decision in a blog post published along with the advisory.

If you are using Adobe Reader or Acrobat, take a moment to make sure you have the latest version. It also never hurts to consider one of several free PDF reader alternatives to Adobe, including Foxit, PDF-Xchange Viewer, Nitro PDF and Sumatra PDF.


Adobe PDF Reader zero-day under attack | ZDNet

December 6, 2011, 12:49pm PST

Summary: According to a warning from Adobe, the attacks have been observed in the wild against Windows users running Adobe Reader version 9.4.6. An emergency fix is coming next week.

Unknown hackers are exploiting a zero-day vulnerability in Adobe’s PDF Reader software to launch “limited, targeted attacks” against high-value Windows users.

According to a warning from Adobe, the attacks have been observed in the wild against Windows users running Adobe Reader version 9.4.6.  Details on the attacks and targets are not known at this time.

The company plans to ship an emergency patch for Adobe Reader and Acrobat 9.x for Windows “no later than the week of December 12, 2011.”

The vulnerability is also present in Adobe’s newer Reader X software but because there are anti-exploitation roadblocks in that version, the company is in no rush to release Reader X updates to thwart this wave of attacks.

Adobe Security Advisories: APSA11-04 - Security Advisory for Adobe Reader and Acrobat
A critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.
PDF Malware is Back in Season
Avid readers of the GFI Labs blog can attest that they’re no strangers to this kind of attack: one receives an email purporting to have come from a legitimate company with an attached Adobe .PDF file claiming that it’s either a receipt, a document, or a ticket. Claims of what the attachment is supposed to be varies, but what remains consistent is that the email always instructs recipients to open it and / or save it on their computer. What happens more often is that systems get infected and users are left wondering what happened.

Thursday, December 1, 2011

Patch Java NOW if you haven't already

Folks, this looks like a bad one to have out in the wild.  If you don't run Firefox with NoScript, you have Java enabled in your browser, and have not patched, you are at risk regardless of whether you run Windows or OS X.

Public Java Exploit Amps Up Threat Level — Krebs on Security

An exploit for a recently disclosed Java vulnerability that was previously only available for purchase in the criminal underground has now been rolled into the open source Metasploit exploit framework. Metasploit researchers say the Java attack tool has been tested to successfully deliver payloads on a variety of platforms, including the latest Windows, Mac and Linux systems.

...

Metasploit also posted the results of testing the exploit against a variety of browsers and platforms, and found that it worked almost seamlessly to compromise systems across the board, from the latest 64-bit Windows 7 machines to Mac OS X and even Linux systems.

...

The exploit attacks a vulnerability that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update. Not sure whether you have Java or what version you may be running? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button. Apple issued its own update to fix this flaw and other Java bugs earlier this month.

... At the risk of sounding like a broken record, I’ll repeat my advice from earlier this week: If you don’t need Java, get rid of it. Most people who have it won’t miss it. For those who need Java for the occasional site or service, disconnecting it from the browser plugins and temporarily reconnecting when needed is one way to minimize issues with this powerful program. Leaving the Java plugin installed in a secondary browser that is only used for sites or services that require Java is another alternative.


Tuesday, November 15, 2011

Patches galore: Windows Updates, Flash Player, Firefox, iTunes, and Apple updates

Just lost a long post with lots of links, but if you haven't done Windows Updates, or updated Flash Player this month, you need to update both ASAP as there are exploits either in the wild or imminent for both. Search older posts here for pertinent download links.

If you run Firefox, update to either 8.0 or 3.6.24 as both have security fixes. Thunderbird is now also at version 8 with security fixes.

Adobe's "Black Tuesday" patch did not include Flash Player, but the Shockwave Player was updated.

Update iTunes and Apple OS X and iOS devices also if you have them.

Thursday, November 3, 2011

Recent App Updates: Foxit Reader, WinAmp, MS Office 2007 SP3

If you use these apps, you should probably update them.  The Enterprise version of Foxit Reader has not been updated yet, so rolling the update out will be problematic for system admins.  I prefer VLC to WinAmp but many still use WinAmp.

Foxit Reader
Foxit Reader 5.1.0
27 October 2011

The free Foxit PDF Reader has been updated to Version 5.1.0.1021. This version contains new features including social network integration, Read Out Loud, a cleaner interface, enhanced text rendering, and improved startup time. It also contains other improvements and bug fixes.
Winamp media player
Winamp 5.622
27 October 2011

The free Winamp media player has been updated to Version 5.622. This update has a range of bug fixes as well as updated codecs.
2007 Microsoft Office suite Service Pack 3 (SP3)
Microsoft Office 2007 SP3
26 October 2011

Microsoft has released Service Pack 3 (SP3) for the Office 2007 suite. This Service Pack is also available via Windows Update.

Friday, October 28, 2011

QuickTime 7.7.1 available

Unpatched media players such as QuickTime are a common way for Windows machines to get infected, so if you use QuickTime instead of my preferred media player VLC, you should patch.  Apple's security bulletin is here:

About the security content of QuickTime 7.7.1

QuickTime 7.7.1

  • QuickTime

    Available for: Windows 7, Vista, XP SP2 or later

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution


Thursday, October 20, 2011

More info on why you should update Java JRE ASAP

If you have Java installed (XP users check "Add/Remove Programs", Vista/Windows 7 users check "Programs and Features") you either need to uninstall it or update it. Two articles which are less user-hostile (most people say "more user-friendly") than the links I posted earlier are here:

Critical Java Update Fixes 20 Flaws — Krebs on Security

Oracle Corp. released a critical update to plug at least 20 security holes in versions of its ubiquitous Java software. Nearly all of the Java vulnerabilities can be exploited remotely to compromise vulnerable systems with little or no help from users.

If you use Java, take some time to update the program now.

That, IMHO, should read "If you have Java installed, update the program now."

Java update plugs 20 critical security holes | ZDNet
Summary: The patch, which provides a fix for the SSL Beast attack, comes at a time when anti-malware vendors are reporting an “unprecedented wave” of exploits against vulnerabilities in Java.

Oracle has shipped a critical Java update to fix at least 20 security vulnerabilities, some serious enough to cause remote code execution attacks.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” the company warned in an advisory.

According to Oracle, 19 of the 20 vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Links to the Java downloads are in yesterday's blog entry Oracle releases BEAST-patched version of Java.

Wednesday, October 19, 2011

Oracle releases BEAST-patched version of Java

System Admins have another patch to roll out.  This one is IMHO not a critical high-priority for internal computers which do little on the Internet, but it should be rolled out to your heavier Internet-using computers, especially roaming laptops.  BEAST needs both a man-in-the-middle position on the victim's traffic and a way to inject chosen plaintext into the victim's encrypted session (which is what the Java plug-in provided), and laptops on untrusted networks are the machines most exposed to the first requirement.

Oracle updates Java to stop SSL-chewing BEAST • The Register
Firefox developers said Tuesday that they have no plans to keep the browser from working with the Java software framework now that Oracle has released a patch that prevents it from being used to decrypt sensitive web traffic.

In a blog post published in late September and updated on Tuesday, Mozilla recommends that Firefox users update their Java plug-in to lower their chances of falling victim to attacks that silently decrypt data protected by the SSL, or secure sockets layer, protocol used by millions of websites. Firefox developers had said previously that they were seriously considering disabling the Java plug-in as a way of preventing the exploit.

Short for Browser Exploit Against SSL/TLS, BEAST was first demonstrated late last month at a security conference in Argentina, where researchers Juliano Rizzo and Thai Duong used the attack to recover an encrypted authentication cookie used to access a PayPal user account in less than two minutes. Oracle has more about the Java update here.
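To make the "silently decrypt" claim above concrete, here is an added simulation written for this post (not code from Rizzo and Duong, Oracle or Mozilla). BEAST exploits TLS 1.0's CBC chaining, where the IV of each record is the last ciphertext block of the previous record and is therefore visible to a network attacker before the next plaintext is chosen. An attacker who can make the victim's browser send requests with a chosen prefix (the role the Java plug-in played) lines the secret cookie up so one block holds 15 known bytes and 1 unknown byte, then tests a guess for that byte by sending a block whose encryption equals the observed one only if the guess is right. The code assumes a keyed PRF in place of AES (the attack only uses the encryption direction and only compares ciphertexts, so invertibility is irrelevant), a constructed secret, and an in-process session object whose `iv` attribute models reading the last ciphertext block off the wire. It also shows the 1/n-1 record split that the Java patch adopted: the first byte travels alone, so the IV the attacker predicted for the chosen block is replaced by one the attacker has not seen.

```python
"""BEAST-style chosen-boundary attack on TLS 1.0 CBC, and the 1/n-1 split.

Added example. block_encrypt() is an ASSUMED keyed PRF standing in for
AES-128; the secret and the victim request oracle are constructed here.
"""
import hashlib
import secrets

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed PRF standing in for a block cipher's encryption direction."""
    assert len(block) == BLOCK
    return hashlib.blake2b(block, key=key, digest_size=BLOCK).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


class Tls10Session:
    """CBC where each record's IV is the previous record's last ciphertext block."""

    def __init__(self, key: bytes, split: bool = False):
        self.key = key
        self.iv = secrets.token_bytes(BLOCK)  # only the very first IV is random
        self.split = split

    def _record(self, data: bytes) -> bytes:
        out, prev = b"", self.iv
        for i in range(0, len(data), BLOCK):
            prev = block_encrypt(self.key, xor(data[i:i + BLOCK], prev))
            out += prev
        self.iv = prev  # chained IV: leaks on the wire before the next record
        return out

    def send(self, plaintext: bytes) -> bytes:
        if self.split and len(plaintext) > 1:
            # 1/n-1 split: a one-byte record first, so the IV that covers the
            # attacker's chosen block is unknown when the plaintext is chosen.
            return self._record(pad(plaintext[:1])) + self._record(pad(plaintext[1:]))
        return self._record(pad(plaintext))


def make_victim(session: Tls10Session, secret: bytes):
    """Browser oracle: attacker picks the prefix, the cookie is appended."""
    def request(prefix: bytes) -> bytes:
        return session.send(prefix + secret)
    return request


def beast_recover(request, session: Tls10Session, secret_len: int) -> bytes:
    """Recover the appended secret one byte per 256 requests at most."""
    known = b""
    for k in range(secret_len):
        # Choose a prefix so the unknown byte is the last byte of block j.
        prefix = b"A" * (BLOCK - 1 - (k % BLOCK))
        iv_before = session.iv
        ct = request(prefix)
        j = (len(prefix) + k) // BLOCK
        c_prev = iv_before if j == 0 else ct[(j - 1) * BLOCK:j * BLOCK]
        target = ct[j * BLOCK:(j + 1) * BLOCK]
        known15 = (prefix + known)[j * BLOCK:]  # the 15 known bytes of block j
        hit = None
        for g in range(256):
            guess_block = known15 + bytes([g])
            # E(P' ^ iv_now) == E(c_prev ^ guess_block) == target iff guess right
            probe = xor(xor(session.iv, c_prev), guess_block)
            if request(probe)[:BLOCK] == target:
                hit = g
                break
        if hit is None:
            break  # chaining assumption broken (e.g. 1/n-1 split in use)
        known += bytes([hit])
    return known


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    cookie = b"session=0123456789abcdef"  # constructed 24-byte secret
    plain = Tls10Session(key)
    print("TLS 1.0 CBC:", beast_recover(make_victim(plain, cookie), plain, len(cookie)))
    fixed = Tls10Session(key, split=True)
    print("with 1/n-1 split:", beast_recover(make_victim(fixed, cookie), fixed, len(cookie)))
```

Against the unsplit session the loop recovers the whole cookie; against the split session the first probe already fails to match and nothing is recovered. TLS 1.1 fixed the same problem differently, with an explicit random IV per record, but in 2011 almost all browsers and servers still negotiated TLS 1.0, which is why the client-side split was the practical fix.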


Oracle's bulletin is here:
Oracle Java Critical Patch Update - October 2011
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 20 new security fixes across Java SE, of which 6 are applicable to JRockit.

Download Java from here: Java SE Downloads. You probably want Java JRE 6u29 as JRE 7u1 is primarily for developers.

Thursday, October 13, 2011

iTunes, Windows, iOS, OS X, and Safari all updated this week

It's going to be a busy week for sysadmins.  On Tuesday Microsoft issued the monthly update set and Apple updated iTunes.  Both patch sets fix critical flaws, and I haven't seen any reports of problems so business admins should roll out the patch sets ASAP.  Anyone who is still using IE needs to patch ASAP as all current versions of IE have a vulnerability which allows "drive-by" infection.  See the last article below.

In addition, Apple iOS, Safari 5.1.1, OS X Lion v10.7.2, iWork 09, and Apple TV 4.4 were also patched. I HAVE SEEN REPORTS OF BUGS WITH THE iOS 5 UPDATE SO HOLD OFF ON UPDATING YOUR iDevice.

Critical Security Updates from Microsoft, Apple — Krebs on Security
Microsoft and Apple today released security updates to fix a slew of critical security problems in their software. Microsoft’s patch batch fixes at least 23 vulnerabilities in Windows and other Microsoft products. Apple’s update addresses more than 75 security flaws in the Windows versions of iTunes.
Microsoft Fixes 23 Vulnerabilities Including Critical IE Flaws

Microsoft issued its monthly security bulletins today, which include two updates rated as “critical” and which could allow remote code execution. The first, MS11-078, is for a vulnerability in .NET Framework and Microsoft Silverlight. The second critical fix is for MS11-081, a cumulative security update for Internet Explorer. There were six other updates issued that were ranked as “important.”

Microsoft also issued guidance for prioritization of patching. Click on the image below for a full-size chart.

Assessing the risk of the October 2011 security updates - Security Research & Defense - Site Home - TechNet Blogs
Today we released eight security bulletins. Two have a maximum severity rating of Critical with the other six having a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
Apple slaps another security band-aid on iTunes | ZDNet
Apple has shipped iTunes 10.5 to fix mountains of security problems that expose Windows users to dangerous hacker attacks.

The security patch, available for Windows 7, Windows Vista and Windows XP SP2, fixes a total of 79 documented vulnerabilities.  The most serious of these flaws could allow remote code execution attacks via booby-trapped image or movie files.

US-CERT Current Activity: Apple Releases Multiple Security Updates
added October 12, 2011 at 04:11 pm

Apple has released security updates for Apple iOS, Safari 5.1.1, OS X Lion v10.7.2, iWork 09, and Apple TV 4.4 to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, and bypass security restrictions.
ISC Diary | Apple iTunes 10.5

Apple released iTunes 10.5 for Windows and Mac OS X. For those following Apple this comes as no big surprise, as there are functionality changes expected due to the imminent release of a new iPhone model. What is, however, a bit surprising is that they also released an impressive list of fixed vulnerabilities in the Windows version of iTunes.

Even more interesting is that the list also mentions, e.g., "For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006" or "For OS X Lion systems, this issue is addressed in OS X Lion v10.7.2". Those are, respectively, a security update and an OS update that are not yet released at the time of writing.

ISC Diary | Microsoft Black Tuesday Overview October 2011

Overview of the October 2011 Microsoft patches and their status.

Internet Explorer 9 haunted by 'critical' security vulnerabilities | ZDNet

By Ryan Naraine | October 11, 2011, 12:03pm PDT

Summary: Microsoft fixes drive-by download flaws in the latest version of its dominant Internet Explorer browser and warns that exploits could emerge within 30 days.

Microsoft’s shiny new Internet Explorer 9 browser contains critical security vulnerabilities that expose users to drive-by download attacks, the company warned today.

The IE warning highlights this month’s batch of security patches from Microsoft where the company shipped eight security bulletins (two critical, six important) to cover gaping holes in Internet Explorer, .NET Framework & Silverlight, Microsoft Windows, Microsoft Forefront UAG and Microsoft Host Integration Server.

According to Microsoft, the IE vulnerabilities could be exploited if a user simply surfs to a maliciously rigged website.

The IE update (MS11-081), available for all users of Microsoft Windows and all versions of Internet Explorer, covers at least eight documented security holes in the world’s most widely used browser.


The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


Monday, October 3, 2011

99.8% of Commercial Exploits caused by failure to patch

PATCH YOUR SYSTEMS!

According to Danish security company CSIS, most Windows infections by commercial exploit kits are the result of failing to patch a handful of vulnerable applications:  Java JRE (37%), Adobe Reader/Acrobat (32%), Adobe Flash (16%), Internet Explorer (10%), Windows Help (3%), and Apple QuickTime (2%).  Internet Explorer and Windows Help are patched by Windows Update (which home users should have enabled and which business sysadmins should be managing), but the other applications all need to be updated separately.

That said, I do NOT enable automatic patching of those applications on my business systems for several reasons.  First, patches have been known to break things, and an automatically-applied patch that shuts down tens or hundreds of computers on a business network can be very expensive in downtime.  Second, the malware authors have taken advantage of automatic-patching prompts by simulating them (see notes 1 and 2 below).  Home and small-business users should use the Secunia Online Software Inspector to scan their systems to see what needs patching and then patch.  Secunia also offers the Secunia Personal Software Inspector (PSI) (for home users only), but since this monitors your system and reports back to Secunia, for privacy reasons I do not recommend using it.

As of this blog post, Java JRE is at version 6.0.27 (a.k.a. 6u27), Adobe Reader at 9.4.6 or 10.1.1 (8.3.1 is also safe, but Adobe Reader 8.x will not be patched after next month), Adobe Flash Player is at 10.3.183.10 (for both the IE ActiveX control and the Firefox/Opera plugin), and Apple QuickTime is at version 7.70.80.  Subscribe to this blog page or check back here frequently, as I will be posting the latest version numbers of these apps every time they're updated.

Java, Adobe vulns blamed for Windows malware mayhem • The Register
"99.8 per cent of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages"
  1. Flashback Mac Trojan poses as Adobe Flash update, opens backdoor | Naked Security
  2. Fake Java Update uses your PC in DDoS Offensive - MalwareCity : Computer Security Blog
    Updated Mon 03 Oct 2011 09:46 MST: correct Adobe version from 10.0.1 to 10.1.1

Wednesday, September 21, 2011

Adobe Flash Player updated again to plug zero-day attacks

Once again the Adobe Flash Player needs to be updated.  As of this writing the MSI installer for the plugin (Firefox/Opera) version is NOT available (the ActiveX MSI is), but one hopes it will be available soon.  Although the ZDNet story only says "Windows and Mac users", the Adobe Security Bulletin makes clear that Linux, Solaris and Android users are vulnerable too and need to update.

Adobe to rush out Flash Player patch to thwart zero-day attacks | ZDNet
[ UPDATE: The update is live. Here's a link with more details]

Adobe is planning to rush out a critical Flash Player patch later today (September 21, 2011) to fix security holes that are being used in targeted zero-day attacks.

According to Adobe, the Flash Player update will address critical security issues in the product as well as an important universal cross-site scripting issue that is reportedly being exploited in the wild in targeted attacks.

The company is expected to fix at least 16 documented vulnerabilities, some critical enough to expose Windows and Mac users to code execution attacks via Flash files hosted on Web pages.
Adobe - Security Bulletins: APSB11-26 - Security updates available for Adobe Flash Player
Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.186.6 and earlier versions for Android. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

There are reports that one of these vulnerabilities (CVE-2011-2444) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. This universal cross-site scripting issue could be used to take actions on a user's behalf on any website or webmail provider if the user visits a malicious website.
...
To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu.  If you use multiple browsers, perform the check for each browser you have installed on your system.
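Pulling those two checks together (the October 3 post above lists the versions of Java, Adobe Reader, Flash Player and QuickTime that are current as of this writing; Adobe's note above says Flash has to be verified separately in every browser), here is a PowerShell script that does the audit on a Windows box.  It is an added example, not code from this blog, Secunia or Adobe.  It assumes PowerShell 2.0 or later in an elevated session, reads only the machine-wide Uninstall registry hive (per-user installs are not covered), and hard-codes the version floors from the October 3 post, which will be stale by the time you read this.

```powershell
# Added example: audit the apps the CSIS study blames for 99.8% of exploit-kit infections
# against the version floors from the October 3, 2011 post. Not the blog's, Secunia's or
# Adobe's code. Assumes PowerShell 2.0+, run elevated, on Windows XP/Vista/7.

# Floors keyed by Uninstall DisplayName pattern and major version (one entry per supported
# Adobe Reader branch). JRE's Uninstall entry encodes "6 Update 27" as 6.0.270, so its floor
# is written that way rather than as the 6.0.27 the vendor quotes.
$Floors = @(
    @{ Name = 'Java(TM) 6 Update*';         Major = 6;  Min = '6.0.270'     },
    @{ Name = 'Adobe Reader*';              Major = 8;  Min = '8.3.1'       },
    @{ Name = 'Adobe Reader*';              Major = 9;  Min = '9.4.6'       },
    @{ Name = 'Adobe Reader*';              Major = 10; Min = '10.1.1'      },
    @{ Name = 'Adobe Flash Player*ActiveX'; Major = 10; Min = '10.3.183.10' },
    @{ Name = 'Adobe Flash Player*Plugin';  Major = 10; Min = '10.3.183.10' },
    @{ Name = 'QuickTime';                  Major = 7;  Min = '7.70.80'     }
)

# Machine-wide Uninstall hives: native view plus the 32-bit view on 64-bit Windows
# (all of these apps are 32-bit). Per-user (HKCU) installs are deliberately out of scope.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-VersionOrNull([string]$Text) {
    # Vendors are inconsistent ("10,3,183,10", "7.70.80.34", "6.0.270"); normalise and
    # return $null for anything System.Version cannot parse.
    try { return [version]($Text -replace ',', '.' -replace '\s', '') } catch { return $null }
}

function Test-PatchLevel {
    # One record per installed app that matches a floor; NeedsPatch is set when the
    # installed version is below the floor for that branch.
    $apps = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion }
    foreach ($app in $apps) {
        $installed = ConvertTo-VersionOrNull $app.DisplayVersion
        if (-not $installed) { continue }
        foreach ($f in $Floors) {
            if ($app.DisplayName -like $f.Name -and $installed.Major -eq $f.Major) {
                New-Object PSObject -Property @{
                    Application = $app.DisplayName
                    Installed   = $installed
                    Minimum     = [version]$f.Min
                    NeedsPatch  = ($installed -lt [version]$f.Min)
                }
            }
        }
    }
}

function Test-FlashBinaries {
    # Registry entries say what the installer wrote; the browser loads whatever is on disk.
    # Flash10*.ocx is the IE ActiveX control, NPSWF32.dll the NPAPI plugin (Firefox, Opera);
    # updating one does not update the other, which is why Adobe says to check every browser.
    $floor = [version]'10.3.183.10'
    foreach ($dir in "$env:SystemRoot\System32\Macromed\Flash", "$env:SystemRoot\SysWOW64\Macromed\Flash") {
        if (-not (Test-Path $dir)) { continue }
        foreach ($file in Get-ChildItem -Path "$dir\*" -Include 'Flash10*.ocx', 'NPSWF32.dll' -ErrorAction SilentlyContinue) {
            $installed = ConvertTo-VersionOrNull $file.VersionInfo.FileVersion
            if (-not $installed) { continue }
            New-Object PSObject -Property @{
                Application = "Flash on disk ($($file.FullName))"
                Installed   = $installed
                Minimum     = $floor
                NeedsPatch  = ($installed -lt $floor)
            }
        }
    }
}

@(Test-PatchLevel) + @(Test-FlashBinaries) |
    Sort-Object NeedsPatch -Descending |
    Format-Table Application, Installed, Minimum, NeedsPatch -AutoSize
```

Any row with NeedsPatch set to True is a deployment item.  The DisplayName patterns are the ones the 2011 installers wrote and will need adjusting for later major versions; the on-disk Flash check is the one that catches the common case of an updated ActiveX control sitting next to a stale NPSWF32.dll.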

Tuesday, September 20, 2011

Re-release of Diginotar SSL fix for XP, Windows 2003 Server

If you are still running XP (or Windows Server 2003) and you apply updates manually, download and re-install KB2616676 by hand; re-running Windows Update will NOT apply the re-released patch.  A reboot is required.

Microsoft fixes SSL 'kill switch' blooper
Microsoft re-released an update today for Windows XP to correct a snafu that left users vulnerable to potential "man-in-the-middle" attacks for most of last week.

Monday's update addressed a gaffe introduced last week when Microsoft blocked six additional root certificates issued by DigiNotar that were cross-signed by a pair of other certificate authorities (CAs).
ISC Diary | MS Security Advisory Update - Fraudulent DigiNotar Certificates
Microsoft re-released Microsoft Security Advisory (2607712) regarding fraudulent DigiNotar Root CA. "Microsoft is aware of active attacks using at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store."[1]

The update is available for all supported versions of Windows here and via automatic updates.

[1] http://technet.microsoft.com/en-us/security/advisory/2607712
[2] http://support.microsoft.com/kb/2616676
[3] http://blogs.technet.com/b/msrc/archive/2011/09/19/cumulative-non-security-update-protects-from-fraudulent-certificates.aspx

Microsoft Security Advisory: Fraudulent digital certificates could allow spoofing
We have finished the investigation into an issue with update 2616676 for all Windows XP-based and Windows Server 2003-based systems.

Before September 19, 2011, the versions of update 2616676 for Windows XP and for Windows Server 2003 contained only the latest six digital certificates cross-signed by GTE and Entrust. These versions of the update did not contain the digital certificates that were included in update 2607712 or 2524375. Update 2616676 also incorrectly superseded update 2607712. Therefore, before September 19, 2011, if you installed update 2616676 and had not already installed update 2607712 or update 2524375, your system would not have been protected from the use of fraudulent digital certificates as described in security advisory 2607712.

On September 19, 2011, we re-released update 2616676 to address this issue. If you are running Windows XP or Windows Server 2003 and you have not applied updates 2524375, 2607712, and 2616676, you should install cumulative update 2616676.

Wednesday, September 14, 2011

Adobe AND Microsoft Patch Tuesday - SysAdmins have work this week

If you are a system admin, you are going to have a busy week.  Adobe patched Acrobat and Adobe Reader (versions 8, 9, and 10) and Microsoft patched Microsoft Office 2003 and later; Office 2000 is no longer supported and its users should switch to LibreOffice instead.  If you are still using Adobe Reader 8, note that support for it ends on November 3, 2011, so it might be time to replace it with Sumatra PDF or Foxit Reader (I use both, and only load Adobe Reader in a VirtualBox virtual machine for difficult PDFs).

The Office patches are important because everyone either receives Office documents as attachments to emails or downloads them from websites, and the vulnerabilities, if unpatched, will allow remote code to be executed on your computer.  All of the reported vulnerabilities have limited effect if you run as a non-admin user, so this is just another reminder that running this way is a Good Thing.

The last link below is Microsoft's official blog entry on this month's updates.

Adobe, Windows Security Patches — Krebs on Security
If you use Windows or Adobe Reader/Acrobat, it’s patch time. Microsoft released five updates to fix at least 15 security vulnerabilities, and Adobe issued a quarterly update to eliminate 13 security flaws in its PDF Reader and Acrobat products.

The Microsoft patches, available via Windows Update and Automatic Update, address security holes in Excel, Office, Windows Server and SharePoint. None of the flaws earned Redmond’s most dire “critical” rating, but it’s a mistake to let too much time go by before installing these updates.

Adobe’s patches for Reader and Acrobat correct critical vulnerabilities in the programs that could be exploited by attackers just by convincing users to open a booby-trapped file. Updates are available for Adobe Reader X (10.1) and earlier versions for Windows, Macintosh, Adobe Reader 9.4.2 and earlier versions for UNIX, and Adobe Acrobat X (10.1) and earlier versions for Windows and Macintosh.

Acrobat users should check out the Adobe security advisory. Heads up for users of older versions of Reader and Acrobat: support for Adobe Reader 8.x and Acrobat 8.x for Windows and Macintosh will end on November 3, 2011.

MS Patch Tuesday warning: Opening legitimate .doc, .txt files brings code execution risk | ZDNet
Microsoft today warned that innocuous documents, including legitimate rich text format files (.rtf), text files (.txt), or Word documents (.doc) could be used in code execution attacks against Windows users.
Microsoft, Adobe release scheduled security patches - SC Magazine US
Light Patch Tuesday fixes 15 vulnerabilities
In today's Patch Tuesday, Microsoft delivers 5 security bulletins (all rated "important") that address 15 vulnerabilities affecting Windows, Microsoft Office and Microsoft Server Software.

In addition to that, Microsoft has also released an updated security advisory and has added six more DigiNotar root certificates to its Windows Untrusted Certificate Store.
More on DigiNotar Certificates, and September Bulletins - MSRC - Site Home - TechNet Blogs

Apple catches up with Microsoft and Mozilla - 3 weeks late

If you are running OS X 10.5 a.k.a. Leopard this won't help you, so see How to: Disable DigiNotar security certificate.

Apple strikes stolen SSL certificates from OS X
Apple had to issue a Mac OS X update because Safari, unlike Chrome and Firefox, relies on the operating system to tell it which certificates have been revoked or banned. The browser then either blocks access to sites that don't have a matching certificate in Mac OS X's Keychain, or warns users before they continue to a site with a revoked certificate.

"An attacker with a privileged network position may intercept user credentials or other sensitive information," Apple said in the advisory accompanying the update.

The small update removes DigiNotar from the list of trusted root certificates in Mac OS X, and reconfigures settings to not trust any certificate linked to the company.

Users running Mac OS X 10.7, aka Lion, and 10.6, known as Snow Leopard, can retrieve the update by selecting Software Update from the Mac menu.

Mac OS X 10.5, or Leopard, will not be updated.

Apple strikes stolen SSL certificates from OS X
Apple today released an update to Mac OS X that blocks Safari users from reaching sites secured with certificates stolen from a Dutch company last summer.

The update follows others by Microsoft, Google, Mozilla and Opera Software, which have already blocked or permanently barred the use of all certificates issued by DigiNotar, a certificate authority, or CA, that acknowledged its servers were breached and unauthorized SSL (secure socket layer) certificates obtained by one or more attackers.

Apple's update came just days after a security researcher criticized the company for "dragging its feet." In March, Apple took a month to block nine certificates stolen from U.S.-based Comodo, three weeks longer than Microsoft.

Tuesday, September 6, 2011

Emergency Windows and Mozilla updates issued

Dutch certificate authority DigiNotar was compromised recently, and as a result Microsoft has issued an out-of-cycle Windows Update that moves DigiNotar's root certificates into the Untrusted Certificates store.  If you use Internet Explorer (or Safari on Windows) as your preferred browser you need to apply this ASAP, as one of the fraudulently issued certificates is for *.google.com.   Firefox and Thunderbird have also been updated to version 6.0.2 to distrust the same CA.  Chrome users whose browsers are current are protected, but if you use Firefox please check that you are running the latest version ASAP.

Mac OS X and iOS (iPod, iPad, iPhone) users are especially at risk from this attack, as Apple has not issued a patch for it yet.  Technically-minded OS X/iOS users should search Google for instructions on how to remove DigiNotar as a trusted root authority on their systems.

Google, Mozilla and Microsoft ban the DigiNotar Certificate Authority in their browsers | ZDNet

With the DigiNotar saga continuing, it’s time to summarize some of the current events surrounding it.

According to multiple blog posts, Google, Mozilla and Microsoft have already banned the DigiNotar Certificate Authority in their browsers. This preemptive move comes as a direct response to the mess that DigiNotar created by issuing over 200 rogue certificates for legitimate web sites and services — see a complete list of the affected sites and services.

Earlier this week, Google reported attempted man-in-the-middle attacks executed against Google users, and most recently TrendMicro offered insights into a large-scale spying operation launched against Iranian web users.

Microsoft Security Advisory (2607712): Fraudulent Digital Certificates Could Allow Spoofing
Microsoft is aware of active attacks using at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store. A fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer. While this is not a vulnerability in a Microsoft product, this issue affects all supported releases of Microsoft Windows.

Microsoft is continuing to investigate this issue. Based on preliminary investigation, Microsoft is providing an update for all supported releases of Microsoft Windows that revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store
Protecting yourself from attacks that leverage fraudulent DigiNotar digital certificates - Security Research & Defense - Site Home - TechNet Blogs

Last week, we released Security Advisory 2607712, notifying customers that fraudulent digital certificates had been issued by certificate authority DigiNotar. We’d like to follow up on that notification in this blog post by explaining more about the potential risks and actions you can take to protect yourself from any potential attacks that would leverage those fraudulent certificates.

ISC Diary | Microsoft Releases Diginotar Related Patch and Advisory
Microsoft updates Security Advisory 2607712 - MSRC - Site Home - TechNet Blogs

Today we’re updating Security Advisory 2607712, to announce that based on our investigation, we’ve deemed all DigiNotar certificates to be untrustworthy and have moved them to the Untrusted Certificate Store. Additionally, we have extended our support with this update so all customers using Windows XP, Windows Server 2003, and all Windows supported third-party applications are protected.

Today’s update, deployed via Automatic Update, applies to all supported releases of Microsoft Windows, and revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store:
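Given the XP/2003 mis-packaging described in the September 20 post above, it is worth checking that the distrust has actually taken effect on a machine rather than trusting the presence of a KB number.  The PowerShell below is an added example, not Microsoft's script.  It assumes PowerShell 2.0 or later in an elevated session, and that the "Disallowed" container of the Cert: drive is the Untrusted Certificates store the advisory refers to (it is; only the name differs from the UI's).

```powershell
# Added example, not Microsoft's code: confirm that the DigiNotar distrust has taken effect
# on this machine rather than trusting a KB number. Assumes PowerShell 2.0+ in an elevated
# session; "Disallowed" in the Cert: drive is the Untrusted Certificates store that
# Security Advisory 2607712 and KB2616676 populate.

function Get-DigiNotarCertificates {
    # Every certificate naming DigiNotar as subject or issuer in the stores that decide trust:
    # Root and AuthRoot (trusted roots) and Disallowed (explicitly untrusted). Each result is the
    # live X509Certificate2 with a Store note attached so the caller knows where it came from.
    foreach ($store in 'Root', 'AuthRoot', 'Disallowed') {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*DigiNotar*' -or $_.Issuer -like '*DigiNotar*' } |
            Add-Member -MemberType NoteProperty -Name Store -Value $store -PassThru
    }
}

function Test-DigiNotarDistrust {
    # Three local, offline checks:
    #  1. DigiNotar roots present in Disallowed (zero means the update never landed, which is
    #     the XP/2003 failure mode the September 19 re-release corrected);
    #  2. DigiNotar roots still in Root/AuthRoot with no matching Disallowed entry (by thumbprint);
    #  3. CryptoAPI still building a valid chain for a disallowed root. Disallowed overrides
    #     Root, so X509Chain.Build() must return $false for every one of them.
    $certs      = @(Get-DigiNotarCertificates)
    $disallowed = @($certs | Where-Object { $_.Store -eq 'Disallowed' })
    $distrusted = @{}
    foreach ($c in $disallowed) { $distrusted[$c.Thumbprint] = $true }
    $gaps = @($certs | Where-Object { $_.Store -ne 'Disallowed' -and -not $distrusted.ContainsKey($_.Thumbprint) })

    $stillBuild = @()
    foreach ($c in $disallowed) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation needs the network and is beside the point; this tests explicit distrust.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if ($chain.Build($c)) { $stillBuild += $c.Subject }
    }

    New-Object PSObject -Property @{
        DisallowedDigiNotarRoots = $disallowed.Count
        TrustedWithoutDistrust   = @($gaps | ForEach-Object { $_.Subject })
        DisallowedButStillBuild  = $stillBuild
        Protected                = ($disallowed.Count -gt 0 -and $gaps.Count -eq 0 -and $stillBuild.Count -eq 0)
    }
}

function Test-DigiNotarUpdate {
    # KB2616676 kept its number when it was re-released on September 19, 2011, so a hit here
    # does not prove the corrected build is installed; Test-DigiNotarDistrust is the check that counts.
    $hf = Get-HotFix -Id KB2616676 -ErrorAction SilentlyContinue
    if ($hf) { return "KB2616676 listed (installed $($hf.InstalledOn))" }
    return 'KB2616676 not listed: on XP/2003 download and install the re-released update by hand'
}

Get-DigiNotarCertificates | Format-Table Store, Subject, Thumbprint -AutoSize
Test-DigiNotarDistrust    | Format-List DisallowedDigiNotarRoots, TrustedWithoutDistrust, DisallowedButStillBuild, Protected
Test-DigiNotarUpdate
```

Run it before and after applying the update; Protected should go from False to True.  The machine certificate store is shared by 32-bit and 64-bit applications, so one run covers both, but it says nothing about browsers that carry their own root store (Firefox, Thunderbird), which need their own 6.0.2 update.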

Tuesday, August 16, 2011

Mozilla Security Updates

The Mozilla group has been busy, issuing updates with security fixes to Firefox 3.6, Thunderbird, and Firefox 5 (which becomes Firefox 6).  I foresee a busy couple of weeks ahead.

One comment -- Mozilla is shooting itself in the foot as far as corporate deployment by not providing us with MSI installers that we can script.  Upgrading computers one at a time is very expensive.

ISC Diary | Firefox 3.6.20 Corrects Several Critical Vulnerabilities
Earlier this afternoon, the Mozilla Foundation released an update for their Firefox web browser to correct a number of security issues. Most of the issues corrected in this release are listed at a critical severity. As such, organizations should consider pushing the updated web browser in the near future.

More information concerning the issues is available at www.mozilla.org/security/announce/2011/mfsa2011-30.html


ISC Diary | Firefox version 6 is out
For those of you just getting used to Firefox 5, version 6 is out, with a few changes including security ones. The release notes are here: http://www.mozilla.com/en-US/firefox/6.0/releasenotes/
Firefox 6 patches 10 dangerous security holes | ZDNet
By Ryan Naraine | August 16, 2011, 4:00pm PDT

Summary: The vulnerabilities are serious enough to allow an attacker to launch harmful code and install software, requiring no user interaction beyond normal browsing.

Mozilla has shipped a critical Firefox update to fix at least 10 security vulnerabilities, some serious enough to expose web surfers to drive-by download attacks.

According to an advisory from the open-source group, 8 of the 10 vulnerabilities are rated “critical,” meaning that they can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.


ISC Diary | Thunderbird 6 is out, Stability and security fixes. http://www.mozilla.org/en-US/thunderbird/6.0/releasenotes/

Wednesday, August 10, 2011

August Windows Updates critical, require reboot

It has been too long since I posted here.  Microsoft's July update cycle was a small one with only one critical patch, affecting Windows Vista/7 users, so I didn't bother blogging about it. The August patch set is much larger: two critical patches, including one for Internet Explorer which Microsoft says is likely to be exploited soon. The updates for Microsoft Windows and Microsoft Office require a reboot. Combine that with a surprise release of new versions of Adobe Flash Player and Adobe Shockwave Player, and system admins are going to be busy this week.

July updates:
ISC Diary | Microsoft July 2011 Black Tuesday Overview
Overview of the July 2011 Microsoft patches and their status.

Microsoft warns of critical security hole in Bluetooth stack | ZDNet
Microsoft today shipped four security bulletins with patches for 22 serious security flaws and called special attention to a vulnerability in the Windows Bluetooth stack that could allow hackers to remotely take control of an affected computer.

The vulnerability, fixed with MS11-053, headlines a batch of updates that include fixes for gaping holes in the Windows kernel and security problems in the Windows Client/Server Run-time Subsystem.
Microsoft Fixes Scary Bluetooth Flaw, 21 Others — Krebs on Security
Microsoft today released updates to fix at least 22 security flaws in its Windows operating systems and other software. The sole critical patch from this month’s batch addresses an unusual Bluetooth vulnerability that could let nearby attackers break into vulnerable systems even when the targeted computer is not connected to a network.

Microsoft Security Bulletin Summary for July 2011

Adobe Patches:
ISC Diary | Adobe August 2011 Black Tuesday Overview
Although none of us seems to have seen any warning, Adobe has released 5 bulletins today.

These update Adobe products to the following versions:

* Adobe Shockwave Player 11.6.1.629
* Flash Media Server 4.0.3 (or 3.5.7 if you are using 3.x)
* Adobe Flash Player
o Android 10.3.186.3
o Windows, OS X, Solaris, Linux 10.3.183.5
* Adobe Air 2.7.1
* Photoshop version is not changed by the update.
* Robohelp version is not changed, but version 9.0.1.262 is not vulnerable.

August updates:
ISC Diary | Microsoft August 2011 Black Tuesday Overview
Multiple vulnerabilities in Internet Explorer allow random code execution with the rights of the logged on user and information leaks. Replaces MS11-050.
Assessing the risk of the August security updates - Security Research & Defense - Site Home - TechNet Blogs
Today we released 13 security bulletins. Two have a maximum severity rating of Critical, nine have a maximum severity rating of Important, and two have a maximum severity rating of Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
Microsoft expecting exploits for critical IE vulnerabilities | ZDNet
By Ryan Naraine | August 9, 2011, 12:11pm PDT

Microsoft today warned that multiple gaping security holes in its Internet Explorer browser could expose millions of Web surfers to hacker attacks via rigged web pages.

As part of this months’ Patch Tuesday release, Microsoft shipped a “critical” IE bulletin (MS11-057) with fixes for a total of 7 security flaws. Two of the vulnerabilities were publicly discussed prior to the availability of the patch.

The company expects to see reliable exploits developed within the next 30 days.

Because these vulnerabilities expose IE and Windows users to drive-by download attacks without any user action beyond surfing to a booby-trapped web site, Microsoft is strongly recommending that all Windows users apply the patch immediately.

The IE update is rated “critical” for Internet Explorer 6 on Windows clients, and for Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9; and Important for Internet Explorer 6 on Windows servers.
Microsoft Security Bulletin Summary for August 2011
This bulletin summary lists security bulletins released for August 2011.

Apple QuickTime 7.7

I should have blogged this when it was first announced, but today was the first day I was able to download QuickTime 7.7 from Apple's manual download site.  Before this you had to update your existing QuickTime using Apple Software Update, which is no use to network managers who need an installer they can deploy.

Apple QuickTime flaws haunt Windows users | ZDNet
By Ryan Naraine | August 3, 2011, 7:21pm PDT

Apple has shipped a high-priority QuickTime update to fix at least 14 security holes that expose computer users to hacker attacks.

The QuickTime 7.7 update, available for both Windows and Mac OS X, addresses flaws that could be exploited via rigged image, audio and movie files.

According to an advisory from Apple, some of the flaws could lead to remote code execution attacks if a user is tricked into clicking on a booby-trapped web site or into opening a special media file.

Wednesday, June 29, 2011

Microsoft Office 2010 Service Pack 1 available

Microsoft delivers Office 2010 Service Pack 1 | ZDNet
SP1 consists of cumulative and public updates to date for the various point products that are part of Office 2010 and SharePoint 2010. Products that will get fixes and updates include Office 2010 suites, Project 2010, Visio 2010, Office 2010 servers, Office Web Apps, Search Server 2010, SharePoint 2010 Products and FAST Search Server 2010 for SharePoint. Microsoft is planning to update all 40 SKU languages for Office when SP1 ships.

Mozilla updates Thunderbird and Firefox, Apple Java and OS X Security updates

Mozilla has consolidated their Thunderbird and Firefox websites under mozilla.org and has upgraded both Firefox and Thunderbird to version 5.0. Apple has issued security updates to OS X and its version of Java.  I'm running Firefox 5 without issues on several systems, although my main system still has 3.6.18 because of the large number of extensions I use there.

ISC Diary | Update: Thunderbird 5.0 released. https://www.mozilla.org/en-US/thunderbird/


US-CERT: Mozilla Releases Firefox 5 and 3.6.18
added June 22, 2011 at 09:02 am
The Mozilla Foundation has released Firefox 5 and Firefox 3.6.18 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, violate the same origin policy, or perform a cross-site scripting attack.

US-CERT encourages users and administrators to review the Mozilla Foundation Security Advisories for Firefox 5 and Firefox 3.6.18 and apply any necessary updates to help mitigate the risks.


US-CERT: Apple Releases Java Updates for Mac OS X 10.5 and OS X 10.6
added June 29, 2011 at 08:24 am
Apple has released Java for Mac OS X 10.5 Update 10 and Java for Mac OS X 10.6 Update 5 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review Apple articles HT4739 and HT4738 and apply any necessary updates to help mitigate the risks.
US-CERT: Apple Releases Security Updates to Address Multiple Vulnerabilities
added June 24, 2011 at 08:04 am
Apple has released Mac OS X 10.6.8 and Security Update 2011-004 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, disclose sensitive information, or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Apple Support Article HT4723 and apply any necessary updates to help mitigate the risks.

Wednesday, June 15, 2011

Patch City: Microsoft and Adobe have simultaneous huge Patch Tuesdays

System admins will be very busy this week as Microsoft's Patch Tuesday is a big one affecting many products and requiring a reboot, while Adobe rolled out simultaneous patches to Adobe Reader (8.3, 9.4.5, and 10.1.0), Flash Player (10.3.181.26, the second patch in a week), and Shockwave Player (11.6.0.626).  Combine that with last week's must-install patch to Java (6.0.26) and any system admin is going to be grumpy.

Information Week and ZDNet both had articles on which patches are most important to roll out, and ISC has some useful summary and/or link pages.  I am currently testing all but expect to roll them out later this week.

Links to all the various bulletins follow below.

How To Prioritize Microsoft Patch Bonanza -- InformationWeek
On Tuesday, Microsoft released 16 security bulletins, addressing 34 vulnerabilities in its products, including Internet Explorer, Microsoft Excel, and .Net. In addition, Adobe also released patches for Acrobat, Reader, ColdFusion, LiveCycle, and BlazeDS, while last week, Oracle pushed a major Java security update.

While Microsoft and Adobe previewed their patches last week, IT administrators now have their work cut out for them, as they must quickly determine which patches to test and deploy first. Where should they start?
MS Patch Tuesday: Gaping holes haunt Internet Explorer browser | ZDNet
There is plenty of work this month of June for IT administrators - Microsoft’s June Patch Tuesday addresses 34 vulnerabilities in 16 distinct bulletins. Nine of the bulletins carry a maximum severity of “critical”, while the remaining seven are rated as “Important” only.

Plus there are the critical fixes from Adobe Reader and Oracle for Java.

No doubt IT Administrators will have to pick and choose where to act first.
ISC Diary | Adobe releases patches

ISC Diary | Microsoft June 2011 Black Tuesday Overview

Tuesday, June 7, 2011

Oracle Java 6 update 26 patches 17 security flaws

Another day, another program to patch.

ISC Diary | Oracle Releases Java Version 1.6.0.26 http://java.com/en/download/manual.jsp
Java Patch Plugs 17 Security Holes — Krebs on Security
Oracle today released an update to its ubiquitous Java software that fixes at least 17 security vulnerabilities in the program.

The company is advising users to apply this update as soon as possible; it looks like most — if not all — of the vulnerabilities addressed by this new version may be exploited remotely without authentication.

Monday, June 6, 2011

VLC 1.1.10

A new version of the free multimedia player VLC was released today to fix some security issues.

VideoLAN - VLC: Official site - Free multimedia solutions for all OS!
VLC 1.1.10
2011-06-06

VideoLAN and the VLC development team present VLC 1.1.10, a minor release of the 1.1 branch.
This release, 2 months after 1.1.9, was necessary because some security issues were found, and the VLC development team cares about security.
... See the release notes for more information on 1.1.10.

Another Flash Player Patch

On Sunday Adobe released an update to Flash Player to combat a 0-day -- an exploit previously unknown which is "in the wild".  This may also affect Adobe Reader 9 and 10, so watch this space for updates for those programs in the next few days.

ISC Diary | Adobe releases Flash Player patch on a Sunday to combat latest 0day
Adobe releases Flash Player patch on a Sunday to combat latest 0day
http://www.adobe.com/support/security/bulletins/apsb11-13.html
Flash Player Patch Fixes Zero-Day Flaw — Krebs on Security
Adobe released an emergency security update today to fix a vulnerability that the company warned is being actively exploited in targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

The vulnerability — a cross-site scripting bug that could be used to take actions on a user’s behalf on any Web site or Webmail provider — exists in Flash Player version 10.3.181.16 and earlier for Windows, Macintosh, Linux and Solaris. Adobe recommends users update to version 10.3.181.22 (on Internet Explorer, the latest, patched version is 10.3.181.23). To find out what version of Flash you have, go here.

Google appears to have already pushed out an update that fixes this flaw in Chrome. Adobe says it will ship an update to fix this flaw on Android sometime this week.

Friday, May 13, 2011

New version of Adobe Flash Player released

This has much better privacy controls, comes with a new Control Panel applet (in Windows), and includes some security fixes.  Download it and install it soon; the Bad Guys will be sure to take advantage of security holes in the older versions soon.

Adobe Flash Player 10.3 released (new Privacy Controls) - Security | DSLReports Forums
Adobe Flash Player 10.3.181.14 released May 12, 2011

Download here (especially for offline installation to multiple computers): Adobe Flash Player Downloads. Don't forget you need different versions for IE and Firefox/Opera.  User-friendly write-up with useful links and advice here:

Critical Flash Player Update Plugs 11 Holes — Krebs on Security
Adobe has released another batch of security updates for its ubiquitous Flash Player software. This “critical” patch fixes at least 11 vulnerabilities, including one that reports suggest is being exploited in targeted email attacks.
...

The vulnerabilities exist in Flash versions 10.2.159.1 and earlier for Windows, Mac, Linux and Solaris. To learn which version of Flash you have, visit this link. The new version for most platforms is 10.3.181.14; Android users should upgrade to Flash Player 10.3.185.21 available by browsing to the Android Marketplace on an Android phone; Google appears to have updated Chrome users automatically with this version of Flash back on May 6 (Chrome versions 11.0.696.68 and later have the newest Flash version).

Remember that if you use Internet Explorer in addition to other browsers, you will need to apply this update twice: once to install the Flash ActiveX plugin for IE, and again to update other browsers, such as Firefox and Opera. Updates are available by browsing with the appropriate browser to the Flash Player Download Center. Bear in mind that updating via the Download Center involves installing Adobe’s Download Manager, which may try to foist additional software. If you’d prefer to update manually, the direct installers for Windows should be available at this link. If you run into problems installing this update, you’ll want to uninstall previous versions of Flash Player and then try again.
Wednesday, May 11, 2011

Another reason to abandon debit cards

If you shop at Michael's and have used your debit card there, I recommend you pay close attention to your bank account, or maybe even request a new debit card number by "losing" your debit card.

Breach at Michaels Stores Extends Nationwide — Krebs on Security
Earlier this month, arts & crafts chain Michaels Stores disclosed that crooks had tampered with some point-of-sale devices at store registers in the Chicago area in a scheme to steal credit and debit card numbers and associated PINs. But new information on the investigation shows that many Michaels stores across the country have discovered compromised payment terminals.
...

It also is not clear yet how the fraudsters compromised the POS devices, or whether the devices were tampered with in-place, or were replaced with pre-compromised look-alikes.  But investigators say the fraudsters have used the stolen data to create counterfeit cards that are used in tandem with stolen PINs to withdraw funds from ATMs.

Detective Jeff Stolzenburg of the Libertyville Police Department just north of Chicago, said most of the fraudulent withdrawals have taken place at cash machines in Las Vegas and other parts of the West. Stolzenburg estimates that actual card losses from the fraud are now in the millions of dollars, and said that the investigation has since been turned over to the U.S. Secret Service.