Friday, December 30, 2011

Unusual out-of-cycle Microsoft Patch

This one shouldn't affect most people, but system admins would be well advised to take it seriously. Microsoft issuing an out-of-cycle patch on a Thursday is very unusual and normally means the risk of in-the-wild exploitation is high, so treat it as urgent rather than waiting for January's Patch Tuesday. Even if you don't think you're running an ASP.NET server you might be: many modern services run a web server on the machine, and the flaws are in the .NET Framework itself, which is installed on workstations as well as servers. One side-effect to test for after installing it: the fix caps the number of form fields ASP.NET will accept in a single request (1,000 by default, adjustable with the aspnet:MaxHttpCollectionKeys setting in web.config), so applications that post very large forms can start failing.

None of my systems (XP Pro, Windows 7 Pro, Windows Server 2008 R2) required a reboot.

Microsoft releases out-of-band security update to plug .NET hole | ZDNet

MS11-100, released today, is a rare out-of-band security update—one delivered on a Thursday, several weeks ahead of the next regularly scheduled Patch Tuesday release. ...

The four patched vulnerabilities affect the Microsoft .NET Framework on every supported version of Windows, including Windows XP SP3, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008 and 2008 R2. Exploits against unpatched systems could allow an attacker to “take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands.”
...
Typically, an out-of-band update indicates that the risk of “in the wild” exploits is high, so this update demands immediate attention.
Microsoft delivers rare out-of-band patch for ASP.NET issue - SC Magazine US
Microsoft engineers on Thursday gave IT administrators a late Christmas present: a fix for an unpatched and publicly known vulnerability affecting the software giant's ASP.NET web application framework.

One day after disclosing the flaw, which affects ASP.NET versions 1.1 and later on all supported versions of the .NET Framework, Microsoft released an emergency patch, which also addresses three other bugs, all of which were privately reported.

"An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands," the bulletin from Microsoft said.

What makes the previously unpatched bug particularly worrisome is that it enables attackers to use limited means to launch a devastating denial-of-service (DoS) attack against web servers. According to Microsoft, "a single, specially crafted ~100kb HTTP request can consume 100 percent of one CPU core for between 90 to 110 seconds."
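Because the post's point is that you may be running ASP.NET without knowing it, here is an added example (not code from the original post or from Microsoft) that inventories what MS11-100 would touch on a Windows machine: every installed .NET Framework version (each one registers under the NDP registry key, and each one gets its own copy of the fix) and any web server on the box, whether it is IIS (the W3SVC service) or another product with an embedded HTTP listener. The port list and the use of W3SVC as the IIS marker are assumptions for the common case; adjust them for your environment.

```powershell
# Added example, not from the original post: inventory what MS11-100 applies to.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'

"== Installed .NET Framework versions (every one of them is in scope for MS11-100) =="
Get-ChildItem -Path $ndp -Recurse |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.Install -eq 1 -and $_.Version } |      # Install=1 marks a real install
    Select-Object @{ n = 'Key'; e = { $_.PSChildName } }, Version, SP |
    Sort-Object -Property Version -Unique |
    Format-Table -AutoSize

"== Web servers =="
# IIS shows up as the W3SVC service (assumption: standard IIS install).
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($w3svc) {
    "IIS is installed (W3SVC is $($w3svc.Status)); any ASP.NET site on it is in scope"
} else {
    "No IIS service found"
}

# Other products embed their own web server; a listener on a web port is the
# cheap way to spot one. netstat is used because Get-NetTCPConnection does not
# exist on XP / Windows 7 / Server 2008 R2. Port list is an assumption.
$webPorts = '80', '443', '8080', '8443'
$pattern  = ':(' + ($webPorts -join '|') + ')\s'
netstat -ano -p TCP |
    Select-String -Pattern 'LISTENING' |
    Select-String -Pattern $pattern |
    ForEach-Object {
        # netstat columns: Proto, Local Address, Foreign Address, State, PID
        $fields = $_.Line.Trim() -split '\s+'
        $proc   = Get-Process -Id $fields[4] -ErrorAction SilentlyContinue
        '{0,-22} PID {1,-6} {2}' -f $fields[1], $fields[4], $proc.ProcessName
    }
```

Run it from a normal PowerShell prompt; reading HKLM and netstat needs no elevation, but resolving the owning process name for listeners belonging to other accounts may. A process listening on a web port is not proof it hosts ASP.NET, but it is the list of things to look at before deciding the patch "doesn't affect" a machine.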


Friday, December 16, 2011

Adobe Reader 9.4.7 patch is out

This patch fixes an in-the-wild exploit.  Adobe Reader X has the same vulnerability, but in its default configuration Protected Mode keeps the exploit from working.  If you have AR9, PATCH NOW.  If you have AR X, make sure Protected Mode is still enabled (Edit > Preferences > General > "Enable Protected Mode at startup").  Foxit Software has issued a press release claiming their software is not affected by this flaw.

Adobe - Security Bulletins: APSB11-30 - Security updates available for Adobe Reader and Acrobat
There have been reports of two critical vulnerabilities being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows. These vulnerabilities (CVE-2011-2462, referenced in Security Advisory APSA11-04, and CVE-2011-4369) could cause a crash and potentially allow an attacker to take control of the affected system.

While these vulnerabilities exist in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh, there is no immediate risk to users of Adobe Reader and Acrobat X for Windows (with Protected Mode/Protected View enabled), Adobe Reader and Acrobat X or earlier versions for Macintosh, and Adobe Reader 9.x for UNIX based on the current exploits and historical attack patterns.

Today's updates address these vulnerabilities in Adobe Reader and Acrobat 9.x for Windows. Adobe recommends users of Adobe Reader 9.4.6 and earlier 9.x versions for Windows update to Adobe Reader 9.4.7. Adobe recommends users of Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows update to Adobe Acrobat 9.4.7.
FOXIT® READER SAFE FROM LATEST “ZERO-DAY” (CVE-2011-2462) VULNERABILITY - Foxit Software
FREMONT, Calif. - December 14, 2011 - Foxit® Corporation, a leading provider of solutions for reading, editing, creating, organizing, and securing PDF documents, today announced that the Foxit Reader is not vulnerable to the latest zero-day (CVE-2011-2462) vulnerability. Users who are concerned about this much publicized issue should feel safe in downloading the Foxit Reader to meet their PDF reader requirements.

If you have either Adobe Reader or Foxit Reader, I recommend you disable all JavaScript and multimedia operations and (in Adobe Reader) disable AR's ability to call other programs.  In Adobe Reader these are all under Edit > Preferences: uncheck JavaScript > "Enable Acrobat JavaScript", uncheck Trust Manager > "Allow opening of non-PDF file attachments with external applications", and turn off "Allow multimedia operations" under Trust Manager > Multimedia Trust (legacy).  In Foxit Reader the JavaScript switch is under Preferences > JavaScript.
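The same settings can be audited (and pushed out) through the registry rather than clicked through per machine. The script below is an added example, not code from the original post or from Adobe: it checks the per-user preferences behind the JavaScript and external-application switches for Reader 9 and Reader X, plus Protected Mode and Protected View for Reader X, and fixes them when run with -Fix. The value names are Adobe's documented per-user preference keys, but treat them as assumptions and confirm each one against Edit > Preferences on your own install before deploying; the multimedia setting is left to the UI because it has no single registry switch I would vouch for.

```powershell
# Added example, not from the original post: audit the Adobe Reader hardening
# settings recommended above via HKCU. Run with -Fix to apply them.
param([switch]$Fix)

# Registry value names are assumptions taken from Adobe's preference reference.
$checks = @(
    # Reader 9.x: JavaScript off, no launching external apps from attachments
    @{ Path = 'HKCU:\Software\Adobe\Acrobat Reader\9.0\JSPrefs';        Name = 'bEnableJS';      Want = 0 },
    @{ Path = 'HKCU:\Software\Adobe\Acrobat Reader\9.0\Originals';      Name = 'bAllowOpenFile'; Want = 0 },
    # Reader X: same two, plus the sandbox (Protected Mode) and Protected View
    @{ Path = 'HKCU:\Software\Adobe\Acrobat Reader\10.0\JSPrefs';       Name = 'bEnableJS';      Want = 0 },
    @{ Path = 'HKCU:\Software\Adobe\Acrobat Reader\10.0\Originals';     Name = 'bAllowOpenFile'; Want = 0 },
    @{ Path = 'HKCU:\Software\Adobe\Acrobat Reader\10.0\Privileged';    Name = 'bProtectedMode'; Want = 1 },
    @{ Path = 'HKCU:\Software\Adobe\Acrobat Reader\10.0\TrustManager';  Name = 'iProtectedView'; Want = 2 }  # 2 = all files
)

foreach ($c in $checks) {
    # Only audit versions that are actually installed for this user; do not
    # create stray 9.0 or 10.0 trees on machines that never had that version.
    $versionKey = Split-Path -Path $c.Path -Parent
    if (-not (Test-Path -Path $versionKey)) { continue }

    $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    # An absent value means Reader's default, which for bEnableJS and
    # bAllowOpenFile is "enabled", so absent counts as not OK.
    $ok = ($current -eq $c.Want)
    '{0,-4} {1}\{2} = {3} (want {4})' -f $(if ($ok) { 'OK' } else { 'FIX' }), $c.Path, $c.Name, $current, $c.Want

    if ($Fix -and -not $ok) {
        if (-not (Test-Path -Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
    }
}
```

HKCU settings only cover the user you run the script as, and the user can change them back. For a managed fleet the equivalent policy values live under HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\<version>\FeatureLockDown, which locks the UI; the value names there differ (for example JavaScript is locked with bDisableJavaScript rather than bEnableJS), so check Adobe's enterprise documentation before translating this script to that hive.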

December Windows Update - PATCH NOW! Also, Java updates are out.

The December Windows Updates were released on Tuesday, and one of them is rated PATCH NOW! by the SANS Internet Storm Center because it is already being actively exploited.  The patches are widely documented both on user-friendly blogs and on Microsoft's TechNet blog.
ISC Diary | December 2011 Microsoft Black Tuesday Summary
Security Updates for Microsoft Windows, Java — Krebs on Security
Microsoft today issued software updates to patch at least 19 security holes in Windows, including three flaws that earned the company’s most serious “critical” rating. Separately, Oracle released a security update that fixes several issues in its Java software.

The most talked-about vulnerability fixed in December’s patch batch is a critical flaw in all supported versions of Windows that’s been exploited for at least the past two months (and probably much longer) by the Duqu Trojan, a sophisticated information-stealer that experts say was an espionage tool constructed to extract sensitive data from industrial control systems.

The other two critical updates fix bugs in ActiveX and Windows Media Player. The remaining patches address less severe but still dangerous security holes in Windows, Microsoft Office and Microsoft Publisher. A more detailed breakdown of this month’s updates is available here. Patches are available via Windows Update.

Thirteen patches from Microsoft, including Duqu fix - SC Magazine US

Microsoft on Tuesday pushed out 13 patches, one fewer than anticipated, to address 19 security vulnerabilities, including a bug that allows the data-stealing Duqu trojan to spread.

Duqu, the so-called "son of Stuxnet" trojan, contains a dropper program that exploits the vulnerability, located in the Windows kernel, Microsoft revealed in early November. The software giant subsequently issued a workaround, and the issue now is corrected with bulletin MS11-087, rated "critical."

“The most important patch this month is the TrueType font parsing issue, which is the zero-day vulnerability exploited as part of the Duqu targeted attacks,” said Joshua Talbot, security intelligence manager of Symantec Security Response. “The Duqu malware didn't actually incorporate an exploit for this issue in its code, but the vulnerability was used by malicious email attachments to load Duqu onto targeted systems.”

Tuesday's other high-priority patch is MS11-092, also rated critical, which remedies a vulnerability in Windows Media that could permit remote code execution. The third and final critical fix, MS11-090, involves an ActiveX issue.

The security update also included a patch -- MS11-099 -- for three Internet Explorer (IE) vulnerabilities. A cumulative patch for the popular web browser typically ranks higher on Microsoft's deployment priority chart, but not this month.


The December bulletins are released - MSRC - Site Home - TechNet Blogs
13 Dec 2011 10:19 AM

Hello. As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing 13 security bulletins, three of which are rated Critical in severity, and 10 Important.

These bulletins will increase protection by addressing 19 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on these critical updates:

    MS11-092 – Windows Media: Vulnerability In Windows Media Could Allow Remote Code Execution
    MS11-087 – Windows: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
In other security news, Oracle has released updates to both supported versions of Java (6 and 7), covering the JDK and the JRE. If you have Java installed, you need to update from 6u29 or 7u1 to 6u30 or 7u2.  You may have to update manually as the "Update" button on any Java 6u29 installation that I tested was not returning update 6u30 as I write this.  The installers can be downloaded from here: Java SE Downloads. Again the updates are widely documented on user-friendly blogs (and also in the extremely user-hostile Oracle release notes).
ISC Diary | Java 6u30 released
Oracle have released Java 6 Update 30 (6u30) today. The fixes are mostly of functional nature. As far as we can tell from the release notes, no gaping security craters had to be leveled out this time .. for a change. Two security related fixes are still noteworthy for developers, one affects the use of SSL (TLS_DH_anon_WITH_AES_128_CBC_SHA), the other is about the use of secure cookies in HTTPS when the applet gets invoked via JavaScript.  The full release information and list of fixes are available on Oracle's web site.
Oracle updates Java, Adobe patches ColdFusion - SC Magazine US
Oracle on Monday released an update to its Java software, fixing several security flaws.

The update, Java 6 Update 30 (6u30), contains mostly performance and stability fixes and is largely void of “gaping security craters .. for a change,” Daniel Wesemann, a handler for the SANS Internet Storm Center, wrote in a blog post Monday. It does, however, contain security fixes that impact developers, he said.

The update, for example, clears up an issue that caused Java 6 Update 29 to break SSL connectivity. Another problem involves secure cookies being sometimes dropped.

Security Updates for Microsoft Windows, Java — Krebs on Security
In other patch news, Oracle has released yet another update to its Java software. Oracle released updates to Java versions 6 and 7, but only the Java 6 Update 30 includes security fixes. It appears from a close examination of Oracle’s unbelievably labyrinthine security advisories that Update 30 addresses at least six separate security issues. Anyone who wants to read more about the specific details of the flaws fixed in this update without having wade through countless advisories can do so by clicking this link. While none of the flaws look especially bad, if you are using Java it’s time to either update it or dump it (I continually urge readers to do the latter). Updates are available from the Java console (available through the Windows Control Panel).
Oracle Java - 6u30-relnotes
Oracle Java - 7u2-relnotes

Friday, December 9, 2011

Download.com IS STILL NOT safe to use

This is a revision of my earlier post titled "Download.com may be safe to use again"
They have taken what appear to be corrective steps. A blog posting by them claims they have removed any toolbar bundles from open-source software and that they have removed the requirement that you be a "registered member" (in other words, "give them your email address") to download files directly without using their "download manager". However, the fact that they have not committed to never bundling toolbars is troublesome, so if you have a choice, download your freeware from another source. And ALWAYS use the "direct download" option -- if you can find it among the clutter of their download page.

A note from Sean regarding the Download.com Installer | The Download Blog - Download.com
... we are removing the registration requirement to use the Direct Download Link on our site. This allows you, the user, to download the Installer without using the download manager.

EDIT Fri 09 Dec 2011 08:57 AM MST: Sean lies. As of this morning the open-source application Evince is still being bundled with a downloader when you download it from CNet. When I clicked the download button at CNet I got a file called cnet_evince-2_32_0_msi.exe.

I submitted that file to VirusTotal and it reported the following:
File name: cnet_evince-2_32_0_msi.exe
Submission date: 2011-12-09 13:24:56 (UTC)
Result: 2/ 43 (4.7%)
  • DrWeb 5.0.2.03300 2011.12.09 Adware.InstallCore.8
  • NOD32 6691 2011.12.07 a variant of Win32/InstallCore.D

Thursday, December 8, 2011

Update to Foxit Reader 5.1.3

If you use the Foxit Reader instead of Adobe's bloated, insecure PDF reader, you should update.
Foxit Reader Unspecified Memory Corruption Vulnerability - Secunia.com
Description:
A vulnerability has been reported in Foxit Reader, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error. No further information is currently available.

The vulnerability is reported in versions 5.1.0.1021 and prior.

Solution:
Update to version 5.1.3.
Foxit Reader - Building the Most Secure PDF Reader - Foxit Software
Fixed an issue when opening certain PDF files.

SUMMARY
Foxit Reader 5.1.3 fixed an issue when opening certain PDF files. This issue was caused by the cross-border assignment of an array which may result in memory corruption vulnerabilities.

Affected Versions
Foxit Reader 5.1.0.1021 and earlier.

Fixed in Version
Foxit Reader 5.1.3

SOLUTION
Please do one of the following:

  • Please go to "Check for Updates Now" in Reader help menu to update to the latest version 5.1.3
  • Click here to download the updated version now.

According to the Foxit Software Announcement, there are also several other useful fixes in this update:
Maintenance Release - Foxit® Reader 5.1.3 - Foxit Software
Maintenance Release - Foxit® Reader 5.1.3
... Foxit Reader 5.1.3 fixes an issue of Foxit Reader when opening certain PDF files. This issue was caused by the cross-border assignment of an array which may result in memory corruption vulnerabilities or potential memory corruption vulnerabilities.

Other product modifications include:

  • Fixed an issue when right-clicking an opened PDF file in an internet browser after changing the UI language.
  • Fixed an issue where the paper size in the Preview Area of Print Dialogue Box cannot be updated accordingly if users choose the Xerox® Printer.
  • Fixed an issue when switching the interface language.
  • Fixed an issue where the Paper Drawer cannot be changed to Cassette when printing.

Download.com may be safe to use again

revised and reposted on Fri 09 Dec 2011 at 09:10 AM MST
They have taken what appear to be corrective steps. A blog posting by them claims they have removed any toolbar bundles from open-source software and that they have removed the requirement that you be a "registered member" (in other words, "give them your email address") to download files directly without using their "download manager". However, the fact that they have not committed to never bundling toolbars is troublesome, so if you have a choice, download your freeware from another source. And ALWAYS use the "direct download" option -- if you can find it among the clutter of their download page.

A note from Sean regarding the Download.com Installer | The Download Blog - Download.com
... we are removing the registration requirement to use the Direct Download Link on our site. This allows you, the user, to download the Installer without using the download manager.

Wednesday, December 7, 2011

Avoid Download.com - some downloads include malware toolbars

Apparently the change started this summer.  I usually choose to download from other sources, and since I have scripting disabled when I browse, even when I chose to get software from CNet's site I never saw this.  But other bloggers are reporting this, and it has been confirmed.  DO NOT USE DOWNLOAD.COM to get any downloads until this is corrected.  If you need to know where to get something that tells you to get it from download.com, email me and I'll find an alternate source.

Download.com Bundling Toolbars, Trojans? — Krebs on Security
It wasn’t long ago that I felt comfortable recommending CNET‘s download.com as a reputable and trustworthy place to download software. I’d like to take back that advice: CNET increasingly is bundling invasive and annoying browser toolbars with software on its site, even some open-source titles whose distribution licenses prohibit such activity.

Although this change started this summer, I only first became aware of it after reading a mailing list posting on Monday by Gordon “Fyodor” Lyon, the software developer behind the ever useful and free Nmap network security scanner. Lyon is upset because download.com, which has long hosted his free software for download without any “extras,” recently began distributing Nmap and many other titles with a “download installer” that bundles in browser toolbars like the Babylon toolbar.


CNET’s own installer is detected by many antivirus products as a Trojan horse, even though the company prefaces each download with the assurance that “CNET hosts this file and has scanned it to ensure it is virus and spyware free.” CNET also has long touted download.com’s zero tolerance policy toward all bundled adware.

Lyon said he found his software was bundled with the StartNow Toolbar, which is apparently powered by Microsoft‘s “Bing decision engine.” When I grabbed a copy of the Nmap installer from download.com and ran it on a test Windows XP machine, CNET’s installer offered the Babylon Toolbar, which is a translation toolbar that many Internet users have found challenging to remove.



This has also been reported by other security bloggers:

Be very careful reading PDFs on the web or in email this week.

I've seen a lot of stories about this yesterday and today.  Apparently there is a flaw in Adobe Reader that is being exploited right now.   Adobe is expected to release a patch next week, but for now, I recommend using an alternate PDF reader.  The lightest-weight alternative is Sumatra PDF, which I use, but I also use Foxit Reader. If you use Foxit Reader, be sure to disable Javascript.

The last link below, at GFI.com, includes some examples of typical PDF malware, so if you would like to see what they would look like please visit that site.

Attackers Hit New Adobe Reader, Acrobat Flaw — Krebs on Security
Malicious hackers are targeting a previously unknown security hole in Adobe Reader and Acrobat to compromise Microsoft Windows machines, Adobe warned today.

Adobe says attackers are taking advantage of a newly discovered critical flaw that exists in Adobe Reader X (10.1.1) and earlier versions for Windows and Mac systems, and Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, as well as Adobe Acrobat X (10.1.1) and earlier for Windows and Mac machines. A security bulletin warns of reports that the vulnerability is being actively exploited in “limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.”

Adobe said it plans to ship an emergency update to address the vulnerability in Reader 9.x and Acrobat 9.x on Windows no later than the week of Dec. 12. Citing protections built into newer versions of its software, however, Adobe said it would not fix the flaw in Reader X or Acrobat X versions for Windows, Mac, or UNIX versions until Jan. 10, 2012, the date of its next scheduled quarterly security update. Adobe’s Brad Arkin explains more about the company’s reasoning behind this decision in a blog post published along with the advisory.

If you are using Adobe Reader or Acrobat, take a moment to make sure you have the latest version. It also never hurts to consider one of several free PDF reader alternatives to Adobe, including Foxit, PDF-Xchange Viewer, Nitro PDF and Sumatra PDF.


Adobe PDF Reader zero-day under attack | ZDNet

December 6, 2011, 12:49pm PST

Summary: According to a warning from Adobe, the attacks have been observed in the wild against Windows users running Adobe Reader version 9.4.6. An emergency fix is coming next week.

Unknown hackers are exploiting a zero-day vulnerability in Adobe’s PDF Reader software to launch “limited, targeted attacks” against high-value Windows users.

According to a warning from Adobe, the attacks have been observed in the wild against Windows users running Adobe Reader version 9.4.6.  Details on the attacks and targets are not known at this time.

The company plans to ship an emergency patch for Adobe Reader and Acrobat 9.x for Windows “no later than the week of December 12, 2011.”

The vulnerability is also present in Adobe’s newer Reader X software but because there are anti-exploitation roadblocks in that version, the company is in no rush to release Reader X updates to thwart this wave of attacks.

Adobe Security Advisories: APSA11-04 - Security Advisory for Adobe Reader and Acrobat
A critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.
PDF Malware is Back in Season
Avid readers of the GFI Labs blog can attest that they’re no strangers to this kind of attack: one receives an email purporting to have come from a legitimate company with an attached Adobe .PDF file claiming that it’s either a receipt, a document, or a ticket. Claims of what the attachment is supposed to be varies, but what remains consistent is that the email always instructs recipients to open it and / or save it on their computer. What happens more often is that systems get infected and users are left wondering what happened.

Thursday, December 1, 2011

Patch Java NOW if you haven't already

Folks, this looks like a bad one to have out in the wild.  If you don't run Firefox with NoScript, have Java enabled in your browser, and have not patched, you are at risk regardless of whether you run Windows or OS X.

Public Java Exploit Amps Up Threat Level — Krebs on Security

An exploit for a recently disclosed Java vulnerability that was previously only available for purchase in the criminal underground has now been rolled into the open source Metasploit exploit framework. Metasploit researchers say the Java attack tool has been tested to successfully deliver payloads on a variety of platforms, including the latest Windows, Mac and Linux systems.

...

Metasploit also posted the results of testing the exploit against a variety of browsers and platforms, and found that it worked almost seamlessly to compromise systems across the board, from the latest 64-bit Windows 7 machines to Mac OS X and even Linux systems.

...

The exploit attacks a vulnerability that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update. Not sure whether you have Java or what version you may be running? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button. Apple issued its own update to fix this flaw and other Java bugs earlier this month.

... At the risk of sounding like a broken record, I’ll repeat my advice from earlier this week: If you don’t need Java, get rid of it. Most people who have it won’t miss it. For those who need Java for the occasional site or service, disconnecting it from the browser plugins and temporarily reconnecting when needed is one way to minimize issues with this powerful program. Leaving the Java plugin installed in a secondary browser that is only used for sites or services that require Java is another alternative.
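Both this post and the December 16 one above come down to "find out which Java you have and whether it is at least the patched update". The "Do I have Java?" page only tests the plugin the browser is wired to, and multiple runtimes commonly coexist on one machine (a 32-bit and a 64-bit JRE, or a stale 6 next to a new 7). The function below is an added example, not code from the original post, Oracle or Krebs: it reads the runtimes the Oracle installer registers under JavaSoft in the registry and flags each one against a minimum-update table. The table defaults to the builds this page names (6u30 and 7u2; change it to 29 and 1 to check against the December 1 exploit) and is an assumption you maintain yourself as new updates ship.

```powershell
# Added example, not from the original post: list installed Java runtimes and
# flag any below a minimum update number.
function Get-JavaRuntimeStatus {
    param(
        # family -> minimum update number considered patched (assumption; keep current)
        [hashtable]$Minimum = @{ '1.6' = 30; '1.7' = 2 }
    )
    $roots = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'   # 32-bit JRE on 64-bit Windows
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in (Get-ChildItem -Path $root)) {
            # Each installed runtime registers as e.g. "1.6.0_30" or "1.7.0_02";
            # the short "1.6" / "1.7" keys are just pointers to the current one.
            if ($key.PSChildName -match '^(\d\.\d)\.\d+_(\d+)$') {
                $family = $Matches[1]
                $update = [int]$Matches[2]
                $needed = $Minimum[$family]
                if ($needed -eq $null) {
                    $status = 'UNKNOWN FAMILY'
                } elseif ($update -lt $needed) {
                    $status = "OUTDATED (need update $needed)"
                } else {
                    $status = 'OK'
                }
                $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
                New-Object -TypeName PSObject -Property @{
                    Version  = $key.PSChildName
                    JavaHome = $props.JavaHome
                    Status   = $status
                }
            }
        }
    }
}

Get-JavaRuntimeStatus | Format-Table -Property Version, Status, JavaHome -AutoSize
```

Anything reported OUTDATED should be updated or uninstalled; an old runtime left on disk is still reachable by anything that launches it with its full path, even after the browser has been pointed at a newer one. Runtimes installed without the Oracle installer (a JDK unpacked by hand, a private JRE bundled with another application) do not register here, so this is a necessary check, not a sufficient one.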