Friday, March 25, 2011

VideoLAN Releases VLC Media Player 1.1.8

I use VLC in preference to Windows Media player and iTunes/QuickTime.

US-CERT: VideoLAN Releases VLC Media Player 1.1.8
added March 25, 2011 at 07:43 am

VideoLAN has released VLC Media Player 1.1.8 to address two vulnerabilities. These vulnerabilities are due to the improper handling of .AMV and .NSV files. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the release notes for VLC Media Player 1.1.8 and apply any necessary updates to help mitigate the risks.

Thursday, March 24, 2011

SSL Certificates compromised, patches needed

Wonderful news: on Wednesday, 23 March: an "out-of-cycle" Windows Update was released.  These are only rolled out when there are active attacks that can be fixed quickly.  Mozilla and Google have also rolled out patches, so if you run Firefox, please update it as well (Chrome auto-updates, while Firefox usually checks once a day).  The ZDNet ZeroDay article below has the "friendliest" write-up and the most details, including a strong suggestion that this was a state-driven attack, possibly by Iran.  On my XP Pro SP3 system a reboot was NOT required.

Microsoft Releases Security Advisory 2524375 - MSRC - Site Home - TechNet Blogs
Hello - Today we're releasing Security Advisory 2524375, to address nine fraudulent digital certificates issued by Comodo Group Inc, a root certificate authority. Comodo has since revoked the digital certificates. This is not a Microsoft security vulnerability; however, one of the certificates potentially affects Windows Live ID users via login.live.com. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against end users. We are unaware of any active attacks.

... The Microsoft mitigation will be made available through the Microsoft Download Center and the Windows Update Service. For customers who use Windows Automatic Updates, the update will occur automatically.
Firefox 3 Updates and SSL Blacklist extension
At the heals of yesterday's Firefox 4 release, we today got 3.6.16 and 3.5.18. As usual, Mozilla will provide security updates for some older browsers after the release of a new major version. If you are not planning to update to Firefox 4 soon, you should update to the newest 3.x version.

This wouldn't be worth a full diary (usually we just publish a "one liner") if it wouldn't be for one interesting change: Mozilla decided to add some new blacklisted SSL certificates.
Microsoft warns: Fraudulent digital certificates issued for high-value websites | ZDNet
Microsoft today warned that Comodo has issued nine fraudulent digital certificates to a third party whose identity could not be sufficiently validated, a scenario that could allow attackers to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web surfers.
US-CERT Current Activity: Fraudulent SSL Certificates
added March 23, 2011 at 01:54 pm
US-CERT is aware of public reports of the existence of fraudulent SSL certificates. These fraudulent SSL certificates could be used by an attacker to masquerade as a trusted website. Multiple web browser vendors have provided updates to recognize and block these fraudulent SSL certificates.

Mozilla has updated Firefox 4.0, 3.6, and 3.5. Additional information can be found in the Mozilla Security Blog.

Microsoft has released updates for various platforms in Microsoft Knowledge Base Article 2524375. Additional information can be found in Microsoft Security Advisory 2524375.

Microsoft Advisory about fraudulent SSL Certificates
Microsoft just released an advisory [1] alerting its customers that a total of 9 certificates where issued using the leaked/stolen CA certificated from Comodo.

The affected domains are according to Microsoft:

* login.live.com
* mail.google.com
* www.google.com
* login.yahoo.com (3 certificates)
* login.skype.com
* addons.mozilla.org (already known from an earlier announcement by Mozilla)
* "Global Trustee"

Tuesday, March 22, 2011

'A' patch day: Apple OS X, Adobe Reader, Adobe Flash Player all patched this week

Apple patches Pwn2Own flaw in massive Mac OS X update | ZDNet

By Ryan Naraine | March 22, 2011, 9:20am PDT

Apple has shipped another Mac OS X mega-update with fixes for 54 security vulnerabilities, including one that was used to hijack an iPhone 4 device at this year’s CanSecWest Pwn2Own hacker challenge.

The Pwn2Own vulnerability, exploited by researchers Charlie Miller (right) and Dion Blazakis, was originally billed as a flaw in MobileSafari but Apple says the issue exists in the way QuickLook handles Microsoft Office files.
Apple patches unused Pwn2Own bug, 55 others in Mac OS
Apple on Monday patched 56 vulnerabilities, most of them critical flaws that could be used to hijack machines, as part of 2011's first broad update of Mac OS X.

Among the fixes was one for a vulnerability that four-time Pwn2Own winner Charlie Miller didn't get a chance to use at the hacking contest earlier this month.

Of the 56 bugs patched in the update for Snow Leopard, 45 were accompanied by the phrase "arbitrary code execution," Apple-speak for rating the flaws as "critical." Unlike many other major software makers, like Microsoft and Oracle, Apple doesn't assign severity rankings to vulnerabilities.
Critical Security Updates for Adobe Acrobat, Flash, Reader — Krebs on Security
Adobe today released a software update to plug a critical security hole in its Flash Player, Adobe Acrobat and PDF Reader products. The patch comes a week after the software maker warned that miscreants were exploiting the Flash vulnerability to launch targeted attacks on users.

The Flash update addresses a critical vulnerability in Adobe Flash Player version 10.2.152.33 and earlier; versions (Adobe Flash Player version 10.2.154.18 and earlier versions for Chrome users) for Windows, Macintosh, Linux and Solaris operating systems; and Adobe Flash Player 10.1.106.16 and earlier versions for Android.
Adobe - Security Bulletins: APSB11-05 - Security update available for Adobe Flash Player
Adobe - Security Bulletins: APSB11-06 - Security updates available for Adobe Reader and Acrobat

Thursday, March 17, 2011

Another Adobe Flash vulnerability being exploited now

I have seen reports of a new flaw in Adobe Flash player in many places on the 'net over the past few days.

The US CERT discussion of it is unusually detailed (for CERT) and has some good suggestions:
  • US-CERT: Adobe Releases Security Advisory for Flash Player, Reader, and Acrobat
    added March 15, 2011 at 10:29 am

    Adobe has released a security advisory to alert users of a vulnerability affecting the following products:

    • Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux, and Solaris
    • Adobe Flash Player 10.2.154.18 and earlier versions for Google Chrome users
    • Adobe Flash Player 10.1.106.16 and earlier versions for Android
    • The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh.
    Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition. At this time, the vendor has not released a fix for this vulnerability. The Adobe advisory indicates that this vulnerability is being actively exploited via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.

    Adobe has indicated that it expects to release a fix for this vulnerability during the week of March 21, 2011. In the interim, users and administrators are encouraged to implement the following workarounds to help reduce the risks.
  • Disable Flash in the web browser as described in the Securing Your Web Browser document.
  • Disable Flash and 3D & Multimedia support in Adobe Reader 9 and later.
  • Disable JavaScript in Adobe Reader and Acrobat.
  • Prevent Internet Explorer from automatically opening PDF documents.
  • Disable the displaying of PDF documents in the web browser.

Wednesday, March 9, 2011

More on Patch Tuesday ... including iTunes, Flash, and Shockwave updates

A SysAdmin's work is never done.  Brian Krebs has a good write-up on this week's need for patches:

Patch Tuesday, Etc. — Krebs on Security
Microsoft has issued security updates to fix at least four security holes in its Windows operating system and other software. Not exactly a fat Patch Tuesday from Microsoft, but depending on how agile you are in updating third-party applications like Flash, iTunes and Shockwave, you may have some additional patching to do.

One of the updates from Microsoft earned a “critical” rating, meaning Redmond believes it could be exploited to break into vulnerable systems with little to no help from users. That flaw, a bug in the way Windows Media Player and Media Center process certain types of media files, could be leveraged by convincing a user to open a tainted video file. This flaw affects Windows XP, Vista and Windows 7.

Microsoft has more details on and links to the other two patches — rated “important” — at its Security Response Center blog. The updates are available through Windows Update or via Automatic Update. The software giant chose not to address an Internet Explorer vulnerability that hackers have been exploiting since late January, although the company has issued a stopgap “FixIt” tool for that flaw.

In other news, Apple has released an update to iTunes that corrects more than 50 security vulnerabilities in the Windows version of this software. That patch bundle is available from Apple Downloads or via the Apple Software Update program that now comes bundled with iTunes and other Apple software for Windows.

I’m a bit behind in reporting on important updates to Adobe’s Flash and Shockwave players that fix a load of problems with these widely-installed software packages. The Flash update bumps the player up to version 10.2.152.26, and plugs at least 13 security holes on both Windows and Mac installations. To check which version you have installed, visit this page: There is a decent chance that Adobe’s built-in updater has already prompted you to update this program. If your version is lower than 10.2.152.[32], it’s time to update.

Windows and OS X Updates this week

Windows Updates were released on Tuesday. My XP system didn't require a reboot.

Windows 7 SP1 is out, with reports of some troubles. Brian Krebs has a story on it: Before You Install Windows 7 Service Pack 1 — Krebs on Security

Apple updated Java a few days ago:
For a more user-friendly discussion, read here:

Thursday, March 3, 2011

Firefox, Thunderbird, iTunes, Adobe Reader, Adobe Flash Player, Foxit Reader all patched

In addition to Windows Updates this month, system admins have their hands full patching lots of Internet-touching software:
  • Apple plugs 57 major security holes in iTunes | ZDNet
    If you use Apple’s iTunes software — whether on Windows or Mac OS X — it’s important that you immediately apply the latest software update.

    Apple has shipped iTuens [sic] 10.2 as a highly-critical patch to cover a whopping 57 security vulnerabilities, some serious enough to allow hackers to take complete control of a vulnerable machine.
  • Adobe - Security Bulletins: APSB11-02 - Security update available for Adobe Flash Player
    Critical vulnerabilities have been identified in Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

    Adobe recommends users of Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.2.152.26.
NOTE: since this update was released, Adobe updated Flash Player again to 10.2.152.32. No security bulletin was issued for this update.
  • Adobe - Security Bulletins: APSB11-01 - Security update available for Shockwave Player
    Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.9.615 and earlier
    versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an
    attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected
    system. Adobe recommends users of Adobe Shockwave Player 11.5.9.615 and earlier versions
    update to Adobe Shockwave Player 11.5.9.620 using the instructions provided below.
  • Adobe - Security Bulletins: APSB11-03 - Security updates available for Adobe Reader and Acrobat
    Critical vulnerabilities have been identified in Adobe Reader X (10.0) for Windows and Macintosh; Adobe Reader 9.4.1 and earlier versions for Windows, Macintosh and UNIX; and Adobe Acrobat X (10.0) and earlier versions for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.
  • US-CERT Current Activity: Mozilla Releases Updates for Firefox, Thunderbird, and SeaMonkey
    added March 1, 2011 at 02:51 pm | updated March 2, 2011 at 08:01 am

    The Mozilla Foundation has released Firefox 3.6.14 and Firefox 3.5.17 to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, conduct cross-site request forgery attacks, cause a denial-of-service condition, or operate with elevated privileges.

    Some of these vulnerabilities also affect Thunderbird and SeaMonkey. The Mozilla Foundation has released Thunderbird 3.1.8 and SeaMonkey 2.0.12 to address these vulnerabilities.

    US-CERT encourages users and administrators to review the Mozilla Foundation security advisories for Firefox 3.6.14 and apply any necessary updates to help mitigate the risks.
  • Foxit Reader Security Bulletins
    Foxit PDF Reader 4.3.1.0218 fixed an unexpected termination of the Foxit Reader software that is caused by illegal accessing memory when opening some special PDF documents.