Friday, April 29, 2011

Mozilla updates Firefox 3.6.17, 4.0.1, and Thunderbird 3.1.10

Security patches included, be sure to update when you can.

Mozilla Firefox 3.6.17 Release Notes

What’s New in Firefox 3.6.17

v.3.6.17, released April 28th, 2011
Firefox 3.6.17 fixes the following issues found in previous versions of Firefox 3.6:

Please see the complete list of changes in this version. You may also be interested in the Firefox 3.6.16 release notes for a list of changes in the previous version.

Mozilla Firefox 4.0.1 Release Notes

What’s New in Firefox 4.0.1

v.4.0.1, released April 28th, 2011

Firefox 4.0.1 fixes the following issues found in previous versions of Firefox 4:

Please see the complete list of changes in this version. You may also be interested in the Firefox 4 release notes for a list of changes in the previous version.


Mozilla Thunderbird 3.1.10 Release Notes

What's New in Thunderbird 3.1.10

v.3.1.10, released April 28th, 2011

Thunderbird 3.1.10 fixes the following issues in Thunderbird 3.1.9:



For a more detailed list of bug fixes, see the Rumbling Edge for a Thunderbird-focused list, or the complete list of changes in this version.

Thursday, April 21, 2011

Security updates available for Adobe Reader and Acrobat

I use Foxit Reader or SumatraPDF in preference to Adobe Reader, but most users have Adobe installed. Update 8:30 PM: added Krebs-on-Security blog reference info at bottom.

Adobe Reader and Acrobat Security Updates

Adobe released important security updates for Adobe Reader X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh OS. The bulletin is posted here.

[snip]
Affected software:

Adobe Reader X (10.0.1) and earlier versions for Windows
Adobe Reader X (10.0.2) and earlier versions for Macintosh
Adobe Acrobat X (10.0.2) and earlier versions for Windows and Macintosh

NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by CVE-2011-0611.
Adobe-Security Bulletins: APSB11-08 - Security update available for Adobe Reader and Acrobat
Release date: April 21, 2011
Adobe Reader, Acrobat Update Nixes Zero Day — Krebs on Security
Adobe shipped updates to its PDF Reader and Acrobat products today to plug a critical security hole that attackers have been exploiting to break into computers. Fixes are available for Mac, Windows and Linux versions of these software titles.

The patch released today addresses two critical flaws. Adobe pushed out a patch for the standalone Flash Player last week, but that same vulnerable component exists in Adobe Reader and Acrobat. Initially, Adobe said it was only aware of attacks on the Flash Player but, in the latest advisory, it acknowledged the existence of public reports that hackers have been sending out poisoned PDFs that exploit the Flash flaw. Malwaretracker.com, for example, reported that it was receiving reports of malicious PDFs attacking the Flash bug as early as Apr. 17.

The Reader/Acrobat patch also addresses another critical bug (a flaw in the CoolType library of Reader & Acrobat) that could allow attackers to install malicious software. Not much information is public about this vulnerability, except that Poland’s CERT is credited with reporting it. Adobe spokesperson Wiebke Lips said the company was not aware of any exploits in the wild targeting this bug.

Monday, April 18, 2011

Apple releases iTunes 10.2.2, includes security fix

Adobe Patches Flash Player Again

Don't forget you need different patches for Internet Explorer and Firefox/Opera.

Adobe patches latest Flash zero-day

Google Chrome users got the update Thursday

By Gregg Keizer, Computerworld
April 15, 2011 04:26 PM ET
Adobe today patched a critical vulnerability in Flash Player that the company said criminals were already exploiting with malicious Microsoft Word and Excel documents.

On Monday, Adobe acknowledged the bug, said exploits were circulating, and promised to fix the flaw with an emergency update.

Today's update was Adobe's second rush patch in less than four weeks.

The new version, Flash Player 10.2.159.1, is available for Windows, Mac, Linux and Solaris.

Missing from that list is Android, the Google mobile operating system that also runs Flash. A fix for the same flaw will be issued to Android users no later than the week of April 25, said Adobe.

Adobe will patch the popular PDF viewer Adobe Reader that same week. The Flash vulnerability also exists in Reader and the more advanced Acrobat because both include code that renders Flash content embedded in PDF files.


Time to Patch Your Flash — Krebs on Security
If it seems like you just updated your Flash Player software to plug a security hole that attackers were using to break into computers, you’re probably not imagining things: Three weeks ago, Adobe rushed out a new version to sew up a critical new security flaw. Today, Adobe issued a critical Flash update to eliminate another dangerous security hole that criminals are actively exploiting.

Friday, April 15, 2011

Apple issues massive set of patches

If you run any Apple devices (anything running OS X or iOS, such as a Mac computer, iPad, or iPhone), you will want to check your patch status.

US-CERT Current Activity: Apple Releases Security Updates
added April 15, 2011 at 09:40 am

Apple has released the following security updates:

Security Update 2011-002
addresses a vulnerability in the Certificate Trust Policy for Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.7, Mac OS X Server v10.6.7. Exploitation of this vulnerability may allow an attacker to intercept user credentials, or obtain sensitive information.

Safari 5.0.5
addresses two vulnerabilities affecting the WebKit package. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

iOS 4.2.7 Software Update for iPhone
addresses multiple vulnerabilities affecting the Certificate Trust Policy, QuickLook, and WebKit packages. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, intercept user credentials, or obtain sensitive information.

iOS 4.3.2 Software Update
addresses multiple vulnerabilities affecting the Certificate Trust Policy, libxslt, QuickLook, and WebKit. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, intercept user credentials, or obtain sensitive information, or bypass security restrictions.

US-CERT encourages users and administrators to review Apple articles HT4608, HT4596, HT4607, and HT4606 and apply any necessary updates to help mitigate the risks.

Emergency Out-of-cycle Flash Player Patch

Of course it would come out on a Friday. This is a "PATCH NOW" situation as this vulnerability is being exploited now.
For corporate installation, you may need to wait. As of 19:03 MST on Fri 15 Apr 2011 the MSI installers are still the old version. The EXEs are current, for manual installation.
Google has patched Chrome separately, since they have their own version of the Flash player.
Adobe - Security Bulletins: APSB11-07 - Security update available for Adobe Flash Player

A critical vulnerability has been identified in Adobe Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.2.156.12 and earlier versions for Android. This vulnerability (CVE-2011-0611), as referenced in Security Advisory APSA11-02, could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a malicious Web page, or a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment, targeting the Windows platform.

Adobe recommends users of Adobe Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier versions for Chrome users) for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.2.159.1 (Adobe Flash Player 10.2.154.27 for Chrome users). Adobe recommends users of Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh and Linux update to Adobe AIR 2.6.19140. Adobe expects to make available an update for Adobe Flash Player 10.2.156.12 and earlier versions for Android no later than the week of April 25, 2011.

US-CERT Current Activity: Google Releases Chrome 10.0.648.205
added April 15, 2011 at 08:18 am

Google has released Chrome 10.0.648.205 for Windows, Mac, Linux, and Chrome Frame to address multiple vulnerabilities including the Adobe Flash vulnerability described in Adobe Security Advisory APSA11-02. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.


Wednesday, April 13, 2011

VLC 1.1.9 released - security fixes

VideoLAN has patched their VLC player to fix some security issues. 

VideoLAN - News
VLC 1.1.9

2011-04-12

VideoLAN and the VLC development team present VLC 1.1.9, a minor release of the 1.1 branch.
This release, not long after 1.1.8, was necessary because some security issues were found, and the VLC development team cares about security.
This release also brings updated translations and a lot of small Mac OS X fixes.
Source and binaries builds for Windows and Mac are available.
See the release notes for more information on 1.1.9.

Record-Breaking Microsoft Black Tuesday

It's the biggest one since last December's record, and it patches more vulnerabilities than that one. SANS has given several of the patches its highest rating: "PATCH NOW!". All the systems I have patched are stable, so if you're a home user, go ahead and run Microsoft Update.

Microsoft delivers monster security update for Windows, IE
Microsoft today patched a record 64 vulnerabilities in Windows, Office, Internet Explorer (IE), and other software, including 30 bugs in the Windows kernel device driver and one in IE that was exploited at the Pwn2Own hacking contest last month.

The company also delivered a long-discussed "backport" to Office 2003 and Office 2007 that brings one of the newer security features in Office 2010 to the older editions.

The 17 updates, which Microsoft dubs "bulletins," tied a record set late last year, but easily beat the October 2010 mark for the total number of flaws they fixed. Altogether, today's updates patched 64 vulnerabilities, 15 more than in October and 24 more than in the former second-place collection of December 2010.

SANS: April 2011 Microsoft Black Tuesday Summary
MS11-018: Cumulative Security Update for Internet Explorer (Replaces MS11-003): ACTIVELY EXPLOITED. PATCH NOW!
MS11-026: Vulnerability in MHTML Could Allow Information Disclosure: ACTIVELY EXPLOITED. PATCH NOW!

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.


Microsoft's blog entries detailing the patches and rating the risks are here:

April 2011 Security Bulletin Release - MSRC - TechNet Blogs
... today we are releasing 17 security bulletins, nine of which are Critical, and eight rated Important.

These bulletins will increase protection by addressing 64 unique vulnerabilities in the following Microsoft products: Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, SMB, .NET Framework and GDI+.
Assessing the risk of the April security updates - Security Research & Defense - TechNet Blogs
Today we released 17 security bulletins. Nine have a maximum severity rating of Critical and eight have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Monday, April 11, 2011

New Adobe Flash Zero-Day Flaw Being Exploited

Be very careful with any documents (Word documents, Excel spreadsheets) you receive in email. Do NOT just open them from your email program. If you think they are legitimate, SAVE them to your hard drive, then submit them to VirusTotal for analysis by over 40 different anti-virus products.

New Adobe Flash Zero Day Being Exploited? — Krebs on Security
Attackers are exploiting a previously unknown security flaw in Adobe’s ubiquitous Flash Player software to launch targeted attacks, according to several reliable sources. The attacks come less than three weeks after Adobe issued a critical update to fix a different Flash flaw that crooks were similarly exploiting to install malicious software.

According to sources, the attacks exploit a vulnerability in fully-patched versions of Flash, and are being leveraged in targeted spear-phishing campaigns launched against select organizations and individuals that work with or for the U.S. government. Sources say the attacks so far have embedded the Flash exploit inside of Microsoft Word files made to look like important government documents.
Adobe - Security Advisories: APSA11-02 - Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat
A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.

This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform. At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.
Adobe warns of new Flash Player zero-day attack | ZDNet
Hackers are embedding malicious Flash Player files in Microsoft Word documents to launch targeted attacks against select businesses, according to a warning from Adobe.
Yet another Adobe Flash/Reader/Acrobat 0 day
Adobe reports that a so far unpatched vulnerability has been used in recent targeted attacks.

Flash Player 10.2.153.1 is vulnerable, as is the Flash Player component used to execute Flash in Adobe Reader / Acrobat. Adobe Reader X is vulnerable but not exploitable.

At this time, according to Adobe, the attack is performed using Flash files embedded in Word documents.

Note that Flash may be embedded in other Office document formats like Excel. Adobe is not planning on an out of band patch at this point, as Adobe Reader X is not exploitable.
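An added triage helper (not code from this post, Adobe, SANS or ISC) for the delivery vector the APSB11-07 bulletin and the note above describe: a Flash (.swf) file embedded in a Word or Excel attachment. It scans an attachment for plausible SWF headers so a mail gateway or analyst can quarantine it before it is opened; the sample document is constructed, and the header heuristic (signature plus a plausible version byte and length) is an assumption, not an Adobe-published check.

```python
# Added example (not from the original post or from Adobe/SANS/ISC): a defender-side
# triage helper that flags Office attachments carrying an embedded Flash (.swf) file.
import struct
import zlib

# SWF header = 3-byte signature, 1-byte Flash version, 4-byte little-endian length
# of the *uncompressed* file. "FWS" is uncompressed, "CWS" is zlib-compressed
# (the only two signatures in use at Flash Player 10).
SWF_SIGNATURES = (b"FWS", b"CWS")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container


def find_embedded_swf(data: bytes):
    """Return sorted (offset, signature, version, declared_length) tuples for
    every plausible SWF header found anywhere in data.

    Heuristic: a signature alone is not enough (the letters "CWS" occur in
    ordinary text), so the version byte must be in the Flash 1..20 range and
    an uncompressed ("FWS") length must fit in the bytes that follow."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                (length,) = struct.unpack_from("<I", data, pos + 4)
                plausible = 1 <= version <= 20 and length >= 8
                if sig == b"FWS":
                    plausible = plausible and length <= len(data) - pos
                if plausible:
                    hits.append((pos, sig.decode("ascii"), version, length))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def triage_attachment(data: bytes) -> str:
    """Classify an attachment: 'flash-in-ole', 'flash', or 'clean'."""
    if not find_embedded_swf(data):
        return "clean"
    return "flash-in-ole" if data.startswith(OLE2_MAGIC) else "flash"


# Constructed sample: an OLE2-looking header, filler, then a CWS header wrapping
# a zlib-compressed placeholder body (not a real or malicious SWF).
_BODY = b"\x00" * 64
SAMPLE_SWF_OFFSET = len(OLE2_MAGIC) + 56
SAMPLE_DOC = (OLE2_MAGIC + b"\x00" * 56
              + b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(_BODY))
              + zlib.compress(_BODY) + b"\x00" * 32)
# Constructed benign document: "CWS" appears as text, followed by a space (0x20).
BENIGN_DOC = OLE2_MAGIC + b"\x00" * 24 + b"See the CWS report for details." + b"\x00" * 16
```

Because OLE2 streams are not guaranteed to be stored contiguously, treat a miss as "nothing obvious found" rather than proof of a clean file.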