Wednesday, September 21, 2011

Adobe Flash Player updated again to plug zero-day attacks

Once again the Adobe Flash Player needs to be updated. As of this writing the MSI installer for the plugin version is NOT available (the ActiveX MSI is), but one hopes it will be available soon. Although the ZDNet story only says "Windows and Mac users", the Adobe Security Bulletin also says that Linux, Solaris and Android users are vulnerable and need to update.

Adobe to rush out Flash Player patch to thwart zero-day attacks | ZDNet
[ UPDATE: The update is live. Here's a link with more details]

Adobe is planning to rush out a critical Flash Player patch later today (September 21, 2011) to fix security holes that are being used in targeted zero-day attacks.

According to Adobe, the Flash Player update will address critical security issues in the product as well as an important universal cross-site scripting issue that is reportedly being exploited in the wild in targeted attacks.

The company is expected to fix at least 16 documented vulnerabilities, some critical enough to expose Windows and Mac users to code execution attacks via Flash files hosted on Web pages.

Adobe - Security Bulletins: APSB11-26 - Security updates available for Adobe Flash Player
Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.186.6 and earlier versions for Android. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

There are reports that one of these vulnerabilities (CVE-2011-2444) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. This universal cross-site scripting issue could be used to take actions on a user's behalf on any website or webmail provider if the user visits a malicious website.
...
To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Tuesday, September 20, 2011

Re-release of Diginotar SSL fix for XP, Windows 2003 Server

If you are still running XP and you apply updates manually, download and re-install KB2616676 manually; re-running Windows Update will NOT apply this patch. A reboot is required.

Microsoft fixes SSL 'kill switch' blooper
Microsoft re-released an update today for Windows XP to correct a snafu that left users vulnerable to potential "man-in-the-middle" attacks for most of last week.

Monday's update addressed a gaffe introduced last week when Microsoft blocked six additional root certificates issued by DigiNotar that were cross-signed by a pair of other certificate authorities (CAs).

ISC Diary | MS Security Advisory Update - Fraudulent DigiNotar Certificates
Microsoft re-released Microsoft Security Advisory (2607712) regarding fraudulent DigiNotar Root CA. "Microsoft is aware of active attacks using at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store."[1]

The update is available for all supported versions of Windows here and via automatic updates.

[1] http://technet.microsoft.com/en-us/security/advisory/2607712
[2] http://support.microsoft.com/kb/2616676
[3] http://blogs.technet.com/b/msrc/archive/2011/09/19/cumulative-non-security-update-protects-from-fraudulent-certificates.aspx

Microsoft Security Advisory: Fraudulent digital certificates could allow spoofing
We have finished the investigation into an issue with update 2616676 for all Windows XP-based and Windows Server 2003-based systems.

Before September 19, 2011, the versions of update 2616676 for Windows XP and for Windows Server 2003 contained only the latest six digital certificates cross-signed by GTE and Entrust. These versions of the update did not contain the digital certificates that were included in update 2607712 or 2524375. Update 2616676 also incorrectly proceeded update 2607712. Therefore, before September 19, 2011, if you installed update 2616676 and had not already installed update 2607712 or update 2524375, your system would not have been protected from the use of fraudulent digital certificates as described in security advisory 2607712.

On September 19, 2011, we rereleased update 2616676 to address this issue. If you are running Windows XP or Windows Server 2003 and you have not applied updates 2524375, 2607712, and 2616676, you should install cumulative update 2616676.
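Since the earlier version of KB2616676 silently left XP and Server 2003 systems unprotected, it is worth checking the certificate stores rather than trusting the installed-updates list. The PowerShell check below is an added example, not part of the original post or Microsoft's KB article; it assumes PowerShell 2.0 or later is installed on the machine and matches on the "DigiNotar" subject string instead of specific thumbprints, which this page does not list.

```powershell
# Added example: verify that DigiNotar certificates have been moved to the
# Untrusted (Disallowed) store and no longer sit in a trusted store.
# Assumption: PowerShell 2.0+ with the Cert: provider (XP needs it installed).
$pattern = 'DigiNotar'

# After KB2616676/2607712 the DigiNotar roots should appear here.
$untrusted = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern })

# Nothing matching should remain in the root or intermediate stores.
$trustedStores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
                   'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\CA')
$trusted = @($trustedStores |
    ForEach-Object { Get-ChildItem -Path $_ } |
    Where-Object { $_.Subject -match $pattern })

"DigiNotar entries in the Untrusted store: $($untrusted.Count)"
$untrusted | ForEach-Object { "  [untrusted] $($_.Subject)  $($_.Thumbprint)" }

if ($trusted.Count -gt 0) {
    "WARNING: DigiNotar certificates are still present in a trusted store:"
    $trusted | ForEach-Object { "  [TRUSTED] $($_.PSParentPath)  $($_.Subject)" }
    exit 1
}
if ($untrusted.Count -eq 0) {
    "WARNING: no DigiNotar entries in the Untrusted store; the update may not be applied. Re-install KB2616676 manually and reboot."
    exit 1
}
"OK: DigiNotar certificates are distrusted on this system."
exit 0
```

A non-zero exit code makes the script easy to run from a login script or management tool across a fleet of XP machines that do not get the fix via Windows Update.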

Wednesday, September 14, 2011

Adobe AND Microsoft Patch Tuesday - SysAdmins have work this week

If you are a system admin, you are going to have a busy week. Adobe patched Acrobat and Adobe Reader (versions 8, 9, and 10) and Microsoft patched Microsoft Office 2003 and later -- Office 2000 users are no longer supported and should switch to LibreOffice instead. If you are still using Adobe Reader 8, please note that support for it ends on November 3, 2011, so it might be time to replace it with Sumatra PDF or Foxit Reader (I use both and only load Adobe Reader in a VirtualBox virtual machine for difficult PDFs).

The Office patches are important because everyone either receives Office documents as attachments to emails or downloads them from websites, and the vulnerabilities, if unpatched, allow remote code to be executed on your computer. All of the reported vulnerabilities have limited effect if you run as a non-admin user, so this is just another reminder that running this way is a Good Thing.

The last link below is Microsoft's official blog entry on this month's updates.

Adobe, Windows Security Patches — Krebs on Security
If you use Windows or Adobe Reader/Acrobat, it’s patch time. Microsoft released five updates to fix at least 15 security vulnerabilities, and Adobe issued a quarterly update to eliminate 13 security flaws in its PDF Reader and Acrobat products.

The Microsoft patches, available via Windows Update and Automatic Update, address security holes in Excel, Office, Windows Server and SharePoint. None of the flaws earned Redmond’s most dire “critical” rating, but it’s a mistake to let too much time go by before installing these updates.

Adobe’s patches for Reader and Acrobat correct critical vulnerabilities in the programs that could be exploited by attackers just by convincing users to open a booby-trapped file. Updates are available for Adobe Reader X (10.1) and earlier versions for Windows, Macintosh, Adobe Reader 9.4.2 and earlier versions for UNIX, and Adobe Acrobat X (10.1) and earlier versions for Windows and Macintosh.

Acrobat users should check out the Adobe security advisory. Heads up for users of older versions of Reader and Acrobat: support for Adobe Reader 8.x and Acrobat 8.x for Windows and Macintosh will end on November 3, 2011.

MS Patch Tuesday warning: Opening legitimate .doc, .txt files brings code execution risk | ZDNet
Microsoft today warned that innocuous documents, including legitimate rich text format files (.rtf), text files (.txt), or Word documents (.doc) could be used in code execution attacks against Windows users.

Microsoft, Adobe release scheduled security patches - SC Magazine US
Light Patch Tuesday fixes 15 vulnerabilities
In today's Patch Tuesday, Microsoft delivers 5 security bulletins (all rated "important") that address 15 vulnerabilities affecting Windows, Microsoft Office and Microsoft Server Software.

In addition to that, Microsoft has also released an updated security advisory and has added six more DigiNotar root certificates to its Windows Untrusted Certificate Store.

More on DigiNotar Certificates, and September Bulletins - MSRC - Site Home - TechNet Blogs

Apple catches up with Microsoft and Mozilla - 3 weeks late

If you are running OS X 10.5 a.k.a. Leopard this won't help you, so see How to: Disable DigiNotar security certificate.

Apple strikes stolen SSL certificates from OS X
Apple had to issue a Mac OS X update because Safari, unlike Chrome and Firefox, relies on the operating system to tell it which certificates have been revoked or banned. The browser then either blocks access to sites that don't have a matching certificate in Mac OS X's Keychain, or warns users before they continue to a site with a revoked certificate.

"An attacker with a privileged network position may intercept user credentials or other sensitive information," Apple said in the advisory accompanying the update.

The small update removes DigiNotar from the list of trusted root certificates in Mac OS X, and reconfigures settings to not trust any certificate linked to the company.

Users running Mac OS X 10.7, aka Lion, and 10.6, known as Snow Leopard, can retrieve the update by selecting Software Update from the Mac menu.

Mac OS X 10.5, or Leopard, will not be updated.

Apple strikes stolen SSL certificates from OS X
Apple today released an update to Mac OS X that blocks Safari users from reaching sites secured with certificates stolen from a Dutch company last summer.

The update follows others by Microsoft, Google, Mozilla and Opera Software, which have already blocked or permanently barred the use of all certificates issued by DigiNotar, a certificate authority, or CA, that acknowledged its servers were breached and unauthorized SSL (secure socket layer) certificates obtained by one or more attackers.

Apple's update came just days after a security researcher criticized the company for "dragging its feet." In March, Apple took a month to block nine certificates stolen from U.S.-based Comodo, three weeks longer than Microsoft.

Tuesday, September 6, 2011

Emergency Windows and Mozilla updates issued

Dutch certificate authority Diginotar was compromised recently, and as a result Microsoft has issued an out-of-cycle Windows Update to remove its root certificates from the Trusted Certificates list. If you use Internet Explorer (or Safari on Windows) as your preferred browser you need to apply this ASAP, as one of the certificates that was spoofed is for *.google.com. Firefox and Thunderbird have also been updated to version 6.0.2 to correct the same hack. Chrome users whose browsers are current are protected, but if you use Firefox please check to see that you are running the latest version ASAP.

Mac OS X and iOS (iPod, iPad, iPhone) users are especially at risk from this hack, as Apple has not issued a patch for it yet. Technically-minded OS X/iOS users should search Google for instructions on how to remove Diginotar as a root authority from their browsers.

Google, Mozilla and Microsoft ban the DigiNotar Certificate Authority in their browsers | ZDNet

With the DigiNotar saga continuing, it’s time to summarize some of the current events surrounding it.

According to multiple blog posts, Google, Mozilla and Microsoft have already banned the DigiNotar Certificate Authority in their browsers. This preemptive move comes as a direct response to the mess that DigiNotar created by issuing over 200 rogue certificates for legitimate web sites and services — see a complete list of the affected sites and services.

Earlier this week, Google reported attempted man-in-the-middle attacks executed against Google users, and most recently, TrendMicro offered insights into a large scale spying operation launched against Iranian web users.

Microsoft Security Advisory (2607712): Fraudulent Digital Certificates Could Allow Spoofing
Microsoft is aware of active attacks using at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store. A fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer. While this is not a vulnerability in a Microsoft product, this issue affects all supported releases of Microsoft Windows.

Microsoft is continuing to investigate this issue. Based on preliminary investigation, Microsoft is providing an update for all supported releases of Microsoft Windows that revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store

Protecting yourself from attacks that leverage fraudulent DigiNotar digital certificates - Security Research & Defense - Site Home - TechNet Blogs

Last week, we released Security Advisory 2607712, notifying customers that fraudulent digital certificates had been issued by certificate authority DigiNotar. We’d like to follow up on that notification in this blog post by explaining more about the potential risks and actions you can take to protect yourself from any potential attacks that would leverage those fraudulent certificates.

ISC Diary | Microsoft Releases Diginotar Related Patch and Advisory
Microsoft updates Security Advisory 2607712 - MSRC - Site Home - TechNet Blogs

Today we’re updating Security Advisory 2607712, to announce that based on our investigation, we’ve deemed all DigiNotar certificates to be untrustworthy and have moved them to the Untrusted Certificate Store. Additionally, we have extended our support with this update so all customers using Windows XP, Windows Server 2003, and all Windows supported third-party applications are protected.

Today’s update, deployed via Automatic Update, applies to all supported releases of Microsoft Windows, and revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store: