Tuesday, December 11, 2012

A busy Patch Tuesday this December

I'm back after a long hiatus, mostly for family reasons.  Should be blogging here more often.

What a busy Tuesday:  Microsoft had a BIG Patch Tuesday compounded by Adobe's Patch Tuesday and Oracle's Patch Tuesday all at once.  There are security patches for the Adobe Flash Players and Adobe AIR.  Oracle issued a security-enhancing patch for Java JRE 7.  There is an update for Java JRE 6, but it does not fix any security issues.

The SANS Diary entry for Microsoft lists many of the items, including an IE patch and a patch for Microsoft Word, as CRITICAL*, so you shouldn't delay patching past Friday if you use IE or Word.
  • * Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Articles on Microsoft's Patch Tuesday:
  • It’s That Time of Year, For the December 2012 Bulletin Release - MSRC - Site Home - TechNet Blogs
    ... today we’re releasing seven bulletins, five Critical-class and two Important-class, addressing 12 vulnerabilities in Microsoft Windows, Internet Explorer (IE), Word and Windows Server. For those who need to prioritize deployment, we recommend focusing on the following two critical updates first: ....
  • Microsoft fixes critical Windows 8, IE10 flaws for Patch Tuesday | ZDNet
    Summary: Put a pot of coffee on, it's Patch Tuesday. Microsoft today released five critical patches that fix vulnerabilities in Windows 8 devices, including Surface tablets, and Internet Explorer 10.

    Microsoft has released five critical security updates for Windows 8 and Windows RT in order to protect against a range of vulnerabilities identified in the recently released software.

    All in all, there are seven updates for Windows users, with five rated "critical" that could lead to remote code execution, while two are rated "important," which fix flaws that could result in the operating system's security features being bypassed.

  • Critical Updates for Flash Player, Microsoft Windows — Krebs on Security

    Adobe and Microsoft have each released security updates to fix critical security flaws in their software. Microsoft issued seven update bundles to fix at least 10 vulnerabilities in Windows and other software. Separately, Adobe pushed out a fix for its Flash Player and AIR software that address at least three critical vulnerabilities in these programs.

    A majority of the bugs quashed in Microsoft’s patch batch are critical security holes, meaning that malware or miscreants could exploit them to seize control over vulnerable systems with little or no help from users. Among the critical patches is an update for Internet Explorer versions 9 and 10 (Redmond says these flaws are not present in earlier versions of IE).


Articles on Adobe's Patches: (Note: the Krebs-on-Security article referenced above also discusses this)
Security updates available for Adobe Flash Player
Release date: December 11, 2012

Summary

Adobe has released security updates for Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.251 and earlier versions for Linux, Adobe Flash Player 11.1.115.27 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions:


  • Users of Adobe Flash Player 11.5.502.110 and earlier versions for Windows should update to Adobe Flash Player 11.5.502.135.
  • Users of Adobe Flash Player 11.5.502.110 and earlier versions for Macintosh should update to Adobe Flash Player 11.5.502.136.
  • [ .... ]
  • Users of Adobe AIR 3.5.0.600 and earlier versions for Windows should update to Adobe AIR 3.5.0.880.
  • Users of Adobe AIR 3.5.0.600 and earlier versions for Macintosh should update to Adobe AIR 3.5.0.890.

    Affected software versions

  • Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.251  and earlier versions for Linux
  • Adobe Flash Player 11.1.115.27 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.5.0.600 and earlier versions for Windows and Macintosh, Android and SDK (includes AIR for iOS)

    To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers and did not select the option to 'Allow Adobe to install updates' (Windows and Macintosh only), perform the check for each browser you have installed on your system.

    To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

    To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote.
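The following is an added example, not part of the original post or of Adobe's bulletin. It encodes the affected ceilings and fixed builds quoted above for Flash Player and AIR (the builds the excerpt elides are left as unknown), compares dotted versions numerically rather than as strings, and runs a constructed per-browser inventory through the check, since the bulletin tells multi-browser users to verify each browser separately.

```python
# Added example: check installed Adobe Flash Player / AIR builds against the
# December 2012 bulletin thresholds quoted above. Only the affected ceilings and
# fixed builds printed on the page are encoded; where the page elides a fixed
# build, it is stored as None and reported as such rather than guessed.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (highest affected build, fixed build or None when the excerpt does not give it)
BULLETIN: Dict[Tuple[str, str], Tuple[str, Optional[str]]] = {
    ("flash", "windows"):   ("11.5.502.110", "11.5.502.135"),
    ("flash", "macintosh"): ("11.5.502.110", "11.5.502.136"),
    ("flash", "linux"):     ("11.2.202.251", None),
    ("flash", "android4"):  ("11.1.115.27", None),
    ("flash", "android23"): ("11.1.111.24", None),
    ("air", "windows"):     ("3.5.0.600", "3.5.0.880"),
    ("air", "macintosh"):   ("3.5.0.600", "3.5.0.890"),
}


def parse_version(text: str) -> Version:
    """Turn '11.5.502.110' into (11, 5, 502, 110).

    Numeric tuples compare correctly; comparing the raw strings would rank
    '11.5.502.99' above '11.5.502.135', which is exactly the wrong answer.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(product: str, platform: str, installed: str) -> str:
    """Classify one install.

    Returns 'patched' / 'update' when the fixed build is known from the page,
    and 'affected' / 'not-listed' when only the affected ceiling is known.
    """
    key = (product.lower(), platform.lower())
    if key not in BULLETIN:
        raise KeyError(f"no bulletin entry for {key}")
    ceiling_text, fixed_text = BULLETIN[key]
    installed_v = parse_version(installed)
    if fixed_text is not None:
        # Anything below the fixed build needs updating, whether or not it is
        # at or below the ceiling the bulletin names.
        return "patched" if installed_v >= parse_version(fixed_text) else "update"
    if installed_v <= parse_version(ceiling_text):
        return "affected"
    return "not-listed"  # above the ceiling, but the page gives no fixed build


def audit(installs: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run assess() over every install record; each carries a 'where' label
    because Flash may be installed once per browser on the same machine."""
    return [(rec["where"], assess(rec["product"], rec["platform"], rec["version"]))
            for rec in installs]


# Constructed sample inventory (not real data): a Windows box whose IE ActiveX
# Flash is already at the fixed build, whose Firefox plugin lags behind, whose
# AIR runtime sits exactly at the affected ceiling, plus an Android 4 device
# above its ceiling where the excerpt gives no fixed build.
SAMPLE_INVENTORY = [
    {"where": "IE ActiveX", "product": "flash", "platform": "windows", "version": "11.5.502.135"},
    {"where": "Firefox plugin", "product": "flash", "platform": "windows", "version": "11.4.402.0"},
    {"where": "AIR runtime", "product": "air", "platform": "windows", "version": "3.5.0.600"},
    {"where": "Android 4 tablet", "product": "flash", "platform": "android4", "version": "11.1.115.30"},
]

if __name__ == "__main__":
    for where, verdict in audit(SAMPLE_INVENTORY):
        print(f"{where:18} {verdict}")
```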

Articles on Oracle's Java patches are few as of this writing; all I have managed to find is the download page for Java.  There are links to the "Release Notes" pages for Java 6 and 7 on the download page:
  • Java SE Downloads
    Java SE 7u10
    This release brings in key security features and bug fixes. Oracle strongly recommends that all Java SE 7 users upgrade to this release.

Friday, September 7, 2012

Uninstall or downgrade Java, update Flash Player and your PDF Reader

After a couple of busy months which kept me from updating this blog I am back. I will try to update this at least weekly from now on.

1. Uninstall Java or go back to version 6.  If you have Java installed on your computer and don't need it, UNINSTALL IT. There is an unpatched flaw in all releases of version 7 which can be used in drive-by downloads to infect your computer just by visiting a hacked or malicious website.  Check your version number here: Verify Java Version. If you must use Java for any reason, I recommend uninstalling version 7 and getting version 6u35, which does not have the same flaws.  If you have to have it for some reason, disable it in your browser except when needed.  More below, and please feel free to email me (with your browser version) if you need help disabling Java.

2. Update Flash Player (or uninstall it).  Flash Player, required for YouTube and other videos, is now at version 11.4.x for Windows (different version numbers for Mac, Linux, and Android). If you have it and are not at the current version, update it ASAP. Check your version number here: Adobe Flash Player.

3. Update your PDF Reader. My current PDF Reader is Sumatra PDF (v2.1.1), but I also have the latest Foxit Reader (v5.4) installed.  Both were updated this summer.  If you still have Adobe Reader, you should be at version 9.5.2 or 10.1.4, as earlier versions have known "in the wild" exploits against them.

4. Do Windows Updates.  If you do not have Windows Update set to automatic, you need to update Windows. Several critical issues were fixed in the August and September Patch-Tuesday events. See these ISC pages (July and August) for more technical details or these ZDNet pages (July and August) and Krebs on Security pages (July and August) for user-friendly discussions.

5. Update Apple Remote Desktop.  Apple Remote Desktop, which many Mac users use to connect to their home or office computer while on the road, would connect insecurely without informing the remote user.



Java Runtime Engine
30 August 2012 (5 September 2012 for Apple)

More info here:
Pages about the unpatched new vulnerability reported after 7u7 was released are here:
NOTE 1: download the OFFLINE installer, not the ONLINE installer. The "online installer" often comes with additional installed-by-default crapware like "McAfee Security Scanner" or the "Ask toolbar", while the "offline installer" does not.
NOTE 2: after you update Java, home users should go to the Control Panel and change the "Check for updates" frequency from the default (once a month) to "Daily".
NOTE 3: Even Microsoft says Update Java or kill it (an article on ZDNet).



Adobe Flash Player
21 August 2012
Adobe - Security Bulletins: APSB12-19 - Security updates available for Adobe Flash Player
Adobe has released security updates for Adobe Flash Player 11.3.300.271 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.236 and earlier versions for Linux, Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Even though Adobe has abandoned Linux, a security update is available.
For more info, see these pages:


Firefox 15.0.1
7 September 2012

Mozilla has released Version 15.0.1 of the Firefox browser. This version fixes a bug with Private Browsing mode.



Your PDF reader should be one of these (more below):
  • SumatraPDF 2.1.1
  • Foxit Reader 5.4
  • Adobe Reader 9.5.2 or 10.1.4
I have both SumatraPDF for daily use and Foxit Reader for advanced use installed on my primary systems. I do NOT have Adobe Reader installed anywhere at this time.
Sumatra PDF v2.1.1
Sumatra PDF is a very lightweight PDF reader which is my current preferred reader. Get it here:
Foxit Reader 5.4.2
7 September 2012

The free Foxit PDF Reader has been updated to Version 5.4.2.0901. This update adds support for DocuSign and Microsoft SharePoint Server, as well as a range of bug fixes.

See: Foxit Reader Security Bulletin
SUMMARY
Foxit Reader 5.4 fixed an issue where Foxit Reader may call and run malicious code in the Dynamic Link Library (DLL) file. Attackers could place the infected DLL file, whose name is the same as the system DLL in the Windows prior search path, and then enable Foxit Reader to call the malicious file.

Affected Versions
  • Foxit Reader 5.3.1.0606 and earlier.
Fixed in Version
  • Foxit Reader 5.4

Note that the Enterprise Foxit Reader has not been updated since version 5.1 and should be removed from your system. Replace it with SumatraPDF or the home-user version of Foxit Reader.

Adobe Reader 9.5.2 or 10.1.4
14 August 2012
See:
Adobe - Security Bulletins: APSB12-16 - Security update available for Adobe Reader and Acrobat
Adobe has released security updates for Adobe Reader and Acrobat X (10.1.3) and earlier versions for Windows and Macintosh. These updates address vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions:
  • Users of Adobe Reader X (10.1.3) and earlier versions for Windows and Macintosh should update to Adobe Reader X (10.1.4).
  • For users of Adobe Reader 9.5.1 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1.4), Adobe has made available the update Adobe Reader 9.5.2.
Get Adobe Reader installers and patches here: Adobe - Adobe Reader : For Windows


Apple Remote Desktop
20 August 2012
Apple Remote Desktop, which many Mac users use to connect to their home or office computer while on the road, would connect insecurely even when told to connect securely.

Apple Remote Desktop 3.6.1
When connecting to a third-party VNC server with "Encrypt all network data" set, data is not encrypted and no warning is produced. This issue is addressed by creating an SSH tunnel for the VNC connection in this configuration, and preventing the connection if the SSH tunnel cannot be created.

Thursday, June 28, 2012

Non-Microsoft patches for June

Here are some other miscellaneous security patches and notices you may want to look at.  Java was updated earlier this month, both for Windows (7u5 and 6u33) and Mac OS X.  If you have Java, please read the articles and update.  Adobe's Flash Player for Firefox was updated last week (to version 11.3.300.262), as was Adobe AIR (to version 3.3.0.3610).  Firefox was updated to version 13.0.1 and 10.0.5 ESR in conjunction with the Flash Player update.

If you run iTunes, you need to update it.

One final story got left out of my last blog post about Microsoft updates. It's the first link below. If you run IE, PATCH NOW!

There are some additional security patches which may be of minor interest.  On Monday, May 14, 2012, I posted a notice, "Adobe to patch Illustrator, Photoshop, and Flash Pro CS5.x for free". Well, they have finally patched the last member of the three, Flash Pro.  Google's Chrome browser got patched again, but since it auto-updates you should already be using this version.  If you use WinAmp, you should patch to the latest version.  Links are below.

  • Bad guys using unpatched Internet Explorer flaw to hack Gmail accounts

    Last week, Google warned its users that “state-sponsored attacks” were under way aimed at accessing Gmail accounts. Those targeted saw a message at the top of their Gmail inboxes warning that “state-sponsored attackers may be attempting to compromise your account or computer”.

    At the time, Google was mum on the specific exploit, but on Wednesday Microsoft provided details in a security advisory, and they’re not pretty. Google also discussed the exploit in its own blog post.

    Cyberscum are taking advantage of an unpatched, zero-day flaw in Windows XP or later to run malicious code on the user’s computer. The code is planted when the user visits a poisoned website using any version of Internet Explorer. The exploit also works through Microsoft Office documents.

    This is a silent, drive-by download. If you’re attacked, you may not know it . . . unless you get that cryptic message atop your Gmail inbox.

    On Tuesday, Microsoft released some security fixes for Windows, but a patch for this flaw was not included. Don’t think your Windows PC is protected if you conscientiously updated this week. However, Microsoft has released a “Fix It For Me” item that will block the exploit. All Windows users should apply this, even if you don’t use IE or Gmail, but keep in mind it does not fix the underlying flaw in Windows. A future patch – possibly one released before the next Patch Tuesday – will be released for a true fix.

  • Apple, Oracle Ship Java Security Updates — Krebs on Security
    Wednesday, June 13th, 2012
    There must have been some rare planetary alignment yesterday, because the oddest thing happened: Apple and Oracle both shipped software updates for the same Java security flaws on the very same day.  ... The update Oracle released yesterday, Java 6 Update 33 and Java 7 Update 5, fixes at least 14 security flaws in the oft-attacked software that is installed on more than three billion devices worldwide. Apple’s Java update brings Java on the Mac to 1.6.0_33, and patches 11 of the 14 security vulnerabilities that Oracle fixed in Tuesday’s release. It’s unclear whether those other three flaws simply don’t exist in the Mac version of Java, but we’ll take progress where we can get it.
  • ISC Diary | Java 7u5 and 6u33 released
    Published: 2012-06-12,
    Oracle is releasing Java 7 update 5 and Java 6 update 33 today.

    Updated after Oracle released the vulnerability details.

    Unfortunately it's all still made to be useless to determine what the problems are with the software and perform your own risk assessments.

    Just note there are CVSS scores of 10 in there, and in the past months we saw what slacking on patching Java can do (Ref: the recent Apple Mac OS X malware), so just patch this on a rather urgent time schedule due to lack of detailed descriptions.

    Update:

    My words above were barely written or I got the notification of Apple that they are releasing Java for OS X 2012-004 and Java for Mac OS X 10.6 Update 9 today as well. This brings them in line with the updates to 1.6.0_33 above as well as implementing the deactivation of the Java browser plugin and Java Web Start if they remain unused for 35 days to Snow Leopard and deactivating the Java browser plugin and Java Web Start if they do not meet the criteria for minimum safe versions (on both Lion and Snow Leopard).

  • Adobe fixes Flash Player for Firefox to stop crashes | Applications - InfoWorld
    June 22, 2012

    Adobe yesterday updated Flash Player to solve a weeks-long problem for users of Mozilla's Firefox browser.

    The update, Flash Player 11.3.300.262, was released Thursday and applies only to Firefox on Windows.

    Since Adobe shipped an update to Flash Player to 11.3 two weeks ago, users of Firefox, including older editions as well as the current Firefox 13, had reported crashes when trying to access Flash content.

  • Release Notes | Flash Player 11.3 AIR 3.3
    June 21, 2012. Welcome to Adobe® Flash Player® 11.3 and AIR® 3.3. This release includes bug fixes related to stability with Firefox on Windows
  • ISC Diary | Apple iTunes Security Update
    Published: 2012-06-12
    Apple announced a new update for iTunes today. Per APPLE-SA-2012-06-11-1, this update addresses a problem when importing a maliciously crafted m3u playlist within iTunes and a problem within WebKit when visiting a maliciously crafted website.

    The bulletin is available at http://support.apple.com/kb/HT5318.

  • About the security content of iTunes 10.6.3



Microsoft Updates for June: Critical PATCH NOW fix for IE, an additional manual FixIt needed

Sorry, been unable to keep this up to date in a timely fashion, which is Not Good. I hope you all have been keeping up with your patching.

Windows Updates for June, 2012, included some critical patches, and one that ISC rated PATCH NOW! to fix a soon-to-be-in-the-wild flaw in Microsoft Internet Explorer and Microsoft Office. If you have not patched any of your systems where you use IE or Office, you need to do so ASAP. In addition, Microsoft issued a separate advisory about a "browse-and-get-owned flaw that can be triggered when an Internet Explorer user on any supported version of Windows visits a specially crafted Web page. Microsoft does not have an official patch available yet for this flaw, but it has issued a FixIt tool workaround that effectively disables the vulnerable component".

Not quite one week later ZDNet published an article stating that the IE/Office vulnerability was now available to hackers. Many other security sites are reporting on these issues. Lots of useful links and technical info are below.

If you use IE for your Internet surfing, you should run Windows Update AND run the MS FixIt tool workaround ASAP.

(EDIT: Add final link to MS Blog entry about the FixIt.)
  • ISC Diary | Microsoft June 2012 Black Tuesday Update - Overview
  • Patch Tuesday: Microsoft raises alert for dangerous IE, Windows flaws | ZDNet
    By Ryan Naraine | June 12, 2012, 2:13pm PDT

    Summary: Microsoft expects to see exploit code targeting at least one of the vulnerabilities within the next 30 days.

    Microsoft today warned that cyber-criminals could soon aim exploits at critical security flaws in Internet Explorer browser and Windows to hijack and take complete control of vulnerable machines.

    The warning comes as part of this month’s Patch Tuesday where Microsoft released 7 bulletins with fixes for at least 26 documented vulnerabilities affecting the Windows ecosystem.

    The company is urging users to pay special attention to MS12-037 and MS12-036, which provides cover for “remote code execution” vulnerabilities that could be used in worm attacks and drive-by downloads without any user interaction.
  • Microsoft Patches 26 Flaws, Warns of Zero-Day Attack — Krebs on Security
    Microsoft today released updates to plug at least 26 separate security holes in its Windows operating systems and related software. At the same time, Microsoft has issued a stopgap fix for a newly-discovered flaw that attackers are actively exploiting.
    ...
    In a separate advisory published today, Microsoft warned that it is aware of active attacks that leverage a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0 and 6.0. This is a browse-and-get-owned flaw that can be triggered when an Internet Explorer user on any supported version of Windows visits a specially crafted Web page. Microsoft does not have an official patch available yet for this flaw, but it has issued a FixIt tool workaround that effectively disables the vulnerable component. The vulnerability was discovered by Google, which said it saw the flaw being exploited in the wild in targeted attacks.
  • Google Online Security Blog: Microsoft XML vulnerability under active exploitation
    Tuesday, June 12, 2012 12:53 PM
    Posted by Andrew Lyons, Security Engineer

    Today Microsoft issued a Security Advisory describing a vulnerability in the Microsoft XML component. We discovered this vulnerability—which is leveraged via an uninitialized variable—being actively exploited in the wild for targeted attacks, and we reported it to Microsoft on May 30th. Over the past two weeks, Microsoft has been responsive to the issue and has been working with us. These attacks are being distributed both via malicious web pages intended for Internet Explorer users and through Office documents. Users running Windows XP up to and including Windows 7 are known to be vulnerable.

    As part of the advisory, Microsoft suggests installing a Fix it solution that will prevent the exploitation of this vulnerability. We strongly recommend Internet Explorer and Microsoft Office users immediately install the Fix it while Microsoft develops and publishes a final fix as part of a future advisory.
  • Attack code published for 'critical' IE flaw; Patch your browser now | ZDNet

    By Ryan Naraine | June 18, 2012, 3:09am PDT

    Summary: Microsoft has confirmed that this flaw is being used in “limited attacks” but the company has not (yet) updated its MS12-037 bulletin to make it clear that public exploit code is now widely available.

  • ISC Diary | Microsoft Security Advisory 2719615 - MSXML - CVE-2012-1889
    Published: 2012-06-12,
    Several readers mentioned that Microsoft today issued a Security advisory regarding Microsoft XML Core Services (MSXML). This is in response to active exploitation.

    The issue affects Office 2003 and 2007 on all versions of Windows. All a user has to do to fall victim is visit the wrong website using IE.

    Microsoft has issued a fixit for it in the form of an msi file (see the KB 2719615 link below).

    Alternative strategies would be to use browsers that do not support ActiveX, or disable the support in IE.

    Links:


  • Active Zero-Day Exploit Targets Internet Explorer Flaw | Blog Central
    Tuesday, June 12, 2012 at 1:02pm by Yichong Lin
  • MSXML: Fix it before fixing it - Security Research & Defense - Site Home - TechNet Blogs
    13 Jun 2012 6:30 PM

    Yesterday, Microsoft released Security Advisory 2719615, associated to a vulnerability in Microsoft XML Core Services. We want to share more details about the issue and explain the additional workarounds available to help you protect your computers.

Friday, June 8, 2012

Adobe Patches: Flash Player, Illustrator CS5, and Photoshop CS5 (12.0)

Today Adobe released updates to its ubiquitous Flash Player. The business versions of the patch haven't been posted to the download site yet so I haven't tested them. Home users who don't have a version of the Flash Player which updates itself should apply the patches as soon as they can since the auto-updating version fixes a number of known vulnerabilities. Adobe rates the Windows and Mac versions as Priority 2, saying "This update resolves vulnerabilities in a product that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for instance, within 30 days)."  I will advise you when the business versions are available so you can distribute them without needing to update each machine on your network manually.

Almost a month ago (on Monday, May 14, 2012), I posted a notice, "Adobe to patch Illustrator, Photoshop, and Flash Pro CS5.x for free". Well, they have patched Illustrator and Photoshop CS5.x now. Flash Pro is not patched yet. If you have either of these products, I recommend you apply the patches, as the Bad Guys have had almost a month to reverse-engineer the fixes that went in to CS6.

Critical Security Fixes for Adobe Flash Player — Krebs on Security
Adobe has released a critical update to its Flash Player software that fixes at least seven security vulnerabilities in the program. The new version also extends sandboxing protection to Mac OS X users browsing the Web with Mozilla Firefox.

The update, Flash Player 11.3, plugs at least seven security holes in Flash Player and Adobe Air. The company warns that attackers could use these flaws to crash the applications and seize control over unpatched systems. Flash updates are available for Windows, Mac, Linux and Android systems. Adobe AIR patches are available for Windows, Mac and Android platforms. See the chart below for the latest, patched version numbers for each platform.


Adobe - Security Bulletins: APSB12-14 - Security updates available for Adobe Flash Player
Adobe released security updates for Adobe Flash Player 11.2.202.235 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.8 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.9 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe - Security Bulletins: APSB12-09 - Security bulletin for Adobe Illustrator
Adobe released security updates for Adobe Illustrator CS5 (15.0.x) and Adobe Illustrator CS5.5 (15.1) for Windows and Macintosh. These updates address vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.
Adobe - Security Bulletins: APSB12-11 Security bulletin for Adobe Photoshop
Adobe released security updates for Adobe Photoshop CS5 (12.0) and Adobe Photoshop CS5.1 (12.1) for Windows and Macintosh. These updates address vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.

Security updates to Mozilla Firefox and Thunderbird

New versions of Mozilla products Firefox, Thunderbird (email) and Seamonkey (web suite) have all been released. Technical details of the fixes to Firefox can be found here: Security Advisories for Firefox; details for Firefox ESR, the business version of Firefox, can be found here: Security Advisories for Firefox ESR. Links to update info on the other products are here: Known Vulnerabilities in Mozilla Products.  I'm not having any issues with my Firefoxes after patching, so you should apply the updates.  Please call me if you need help with any of this.

US-CERT: Mozilla Releases Multiple Updates
added Wednesday, June 6, 2012 at 11:40 am

The Mozilla Foundation has released updates for the following products to address multiple vulnerabilities:
  • Firefox 13.0
  • Firefox ESR 10.0.5
  • Thunderbird 13.0
  • Thunderbird ESR 10.0.5
  • SeaMonkey 2.10
These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, disclose sensitive information, operate with elevated privileges, or perform a cross-site scripting attack.

US-CERT encourages users and administrators to review the Mozilla Foundation's Advisory for Firefox 13, Firefox ESR 10.0.5, Thunderbird 13, Thunderbird ESR 10.0.5, SeaMonkey 2.10 and apply any necessary updates to help mitigate the risk.

Emergency Patch to fix security hole in Microsoft Windows Update

This one looks like it is under control now, but if you don't have Windows Update turned on and haven't updated recently, stop reading and update NOW!  Someone very clever figured out how to distribute software that looks like it is digitally signed by Microsoft, so it would be inherently trusted by your computer and installed without asking you for permission.  Since Windows Updates for June will come out on Tuesday next week, you should get this done before then!

The first and last articles linked below are the most readable.

‘Flame’ Malware Prompts Microsoft Patch — Krebs on Security
Microsoft has issued an emergency security update to block an avenue of attack first seen in “Flame,” a newly-discovered, sophisticated malware strain that experts believe was designed to steal data specifically from computers in Iran and the Middle East.

According to Microsoft, Flame tries to blend in with legitimate Microsoft applications by cloaking itself with an older cryptography algorithm that Microsoft used to digitally sign programs.

“Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft,” the company said in a blog posting today.

Unauthorized digital certificates could allow spoofing
Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, visit the following Microsoft website:  http://technet.microsoft.com/security/advisory/2718704
ISC Diary | Microsoft Emergency Bulletin: Unauthorized Certificate used in "Flame"
Published: 2012-06-04,
Last Updated: 2012-06-05 10:29:19 UTC
by Johannes Ullrich (Version: 4)

Microsoft just released an emergency bulletin, and an associated patch, notifying users of Windows that a "unauthorized digital certificates derived from a Microsoft Certificate Authority" was used to sign components of the "Flame" malware.
....
It is not clear from the bulletin who had access to these intermediate certificates, and if they were abused by an authorized user, or if they were compromised and used by an unauthorized user. Either way: Apply the patch.

The bulletin also doesn't state if this intermediate certificate authority or certificates derived from it could be used to fake the patch. Microsoft Certificates are used to sign patches, and a compromise could lead to a severe break in the trust chain. The use of a "real" Microsoft certificate is surely going to increase the speculations as to the origin of Flame.

[1] http://technet.microsoft.com/en-us/security/advisory/2718704
[2] http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx
US-CERT: Unauthorized Microsoft Digital Certificates
added Monday, June 4, 2012 at 09:16 am | updated Tuesday, June 5, 2012 at 12:20 pm

Microsoft has released a security advisory to address the revocation of a number of unauthorized digital certificates. Maintaining these certificates within your certificate store may allow an attacker to spoof content, perform a phishing attack, or perform a man-in-the-middle attack.
....
Microsoft has provided an update to all supported versions of Microsoft Windows to address this issue. Additional information can be found in Microsoft Security Advisory 2718704.

US-CERT encourages users and administrators to apply any necessary updates to help mitigate the risk.

Update: For more information, please see US-CERT Technical Alert TA12-156A.
Flame malware used man-in-the-middle attack against Windows Update | Naked Security
by Chester Wisniewski on June 4, 2012

Microsoft has released an emergency update for all versions of Windows to address a certificate flaw that was used to spread the Flame malware from machine to machine.

Of course you have to trust that your connection to Windows Update is not being attacked while you're retrieving the update that prevents you from being attacked.

This is not the first time we have seen malware abusing digital certificates, but this one is a bit more advanced than previous attacks.

6.5 million LinkedIn Passwords leaked; eHarmony, Last.FM passwords also leaked.

There has been lots of urgent security news these last few days.  I'll be posting them as several different entries to allow me to include some detail, but email notifications to my clients will go as one consolidated email.

First, for LinkedIn users, bad news: a hashed database containing 6.5 million of your passwords leaked.  Mine was among them, but it had not been "cracked" before I got it changed (it was 12 characters, MiXed CasE, with some punctuation and digits, so it would have been difficult if not impossible to match easily).  Several articles below have details.  To check if your password is among those leaked, CHANGE IT FIRST, then go to LeakedIn: Is your password safe?. Depending on your password, you will see one of the following boxes:

More info here:
Change your LinkedIn password now | Ed Bott
Published June 6, 2012

If you have a LinkedIn account, it’s time to change your password.

As my colleague Zack Whittaker at ZDNet reports, roughly 6.5 million user passwords have apparently been downloaded and made publicly available.

It now looks like LinkedIn may have handled this both quickly enough AND in the right way -- they're claiming nobody's account was hacked.  However if you use the same login (email address) and password on LinkedIn that you use on any other website, you should immediately change your passwords there as well.  I don't have that problem -- I use a password manager called LastPass to handle all my web passwords -- I have no idea what most of them are, LastPass handles that for me.
Linkedin Blog » Taking Steps To Protect Our Members
Since we became aware of this issue, we have been taking active steps to protect our members. Our first priority was to lock down and protect the accounts associated with the decoded passwords that we believed were at the greatest risk. We’ve invalidated those passwords and contacted those members with a message that lets them know how to reset their passwords.

Going forward, as a precautionary measure, we are disabling the passwords of any other members that we believe could potentially be affected. Those members are also being contacted by LinkedIn with instructions on how to reset their passwords.
If you want to read more about this, see many recent entries on the Linkedin Blog.  Other news stories can be found at LinkedIn confirms passwords were 'compromised' | Security & Privacy - CNET News and 6.46 million LinkedIn passwords leaked online | ZDNet.

There are also MANY reports that dating site eHarmony and music site Last.fm suffered similar breaches. Using the same password in different places just puts you at risk for this kind of problem, so if you don't already use a password manager like LastPass please PLEASE PLEASE start doing so to make your on-line life easier and safer.

Thursday, May 17, 2012

Microsoft Patch Tuesday for May, 2012: Critical Patches for soon-to-be-active exploits

Well, it has been a week+ since Patch Tuesday, and I haven't heard anything bad about any of these patches.  If you haven't run Windows Update, do so now.  Read the stories below for more technical details.  I have patched all my boxes and not had any issues.  Please let me know if you need help patching.

Microsoft patches 23 Windows flaws, warns of risk of code execution attacks | ZDNet

By | May 8, 2012, 11:53am PDT

Summary: The Patch Tuesday batch for May 2012 covers at least 23 documented vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework and Microsoft Silverlight.

Microsoft wheeled out another batch of  security patches today to fix multiple dangerous security flaws that expose billions of Windows users to remote code execution attacks.

The Patch Tuesday batch for May 2012 covers at least 23 documented vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework and Microsoft Silverlight.

The company is urging Windows users to pay special attention to MS12-034, a “critical” bulletin that patches 10 distinct security holes.  Three of these vulnerabilities have already been publicly disclosed and Microsoft expects to see working exploit code released within 30 days.

ISC Diary | Microsoft May 2012 Black Tuesday Update - Overview

Overview of the May 2012 Microsoft patches and their status.

Bulletin Management Process and the May 2012 Bulletins - MSRC - Site Home - TechNet Blogs

For Update Tuesday we’re releasing seven security bulletins – three Critical-class and four Important – addressing 23 issues in Microsoft Windows, Office, Silverlight, and the .NET Framework. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing on the following two critical updates first:

  • MS12-034 (Microsoft Office, Windows, .NET Framework, and Silverlight): This security update addresses 10 issues affecting a cross section from Microsoft Windows, Office, Silverlight, and the Microsoft .NET Framework. The maximum severity for these issues is Critical and could result in remote code execution. To ensure protection all updates from this bulletin must be applied. We recommend that customers read through the bulletin information concerning MS12-034 and apply it as soon as possible.
  • MS12-029 (Microsoft Word): This security update addresses one Critical issue affecting Microsoft Office that could result in remote code execution. Attack vectors for this issue include maliciously crafted websites and email. We recommend that customers read through the bulletin information concerning MS12-029 and apply it as soon as possible.
Microsoft releases seven security updates

This month, Microsoft released seven bulletins, three critical and four important, that addressed a total of 23 vulnerabilities. MS12-029 is the bulletin that should be highest on the list for most organizations, as it can be used to gain control of an end-user's machine without requiring user interaction. The bulletin provides a patch for a vulnerability in the RTF file format that can be exploited through Microsoft Office 2003 and 2007. It is rated critical because simply viewing an attached file in the preview pane of Microsoft Outlook is sufficient to trigger the exploit.

MS12-034 - addressing 10 vulnerabilities - is the second critical bulletin, and it applies to the broadest selection of Microsoft software this month.

Wednesday, May 16, 2012

Thursday Miscellany: Quicktime, FBI warning about open WiFi, Open/LibreOffice

Here are several small items to brighten up your Thursday.
  • If you have Apple QuickTime installed, update it -- a new version with security fixes has been released.
  • If you travel and use open WiFi access points or hotel WiFi or hotel networks, DO NOT APPLY SOFTWARE UPDATES WHICH YOU MIGHT BE OFFERED THERE. See the second set of stories below. 
  • OpenOffice has crawled out of the grave in which Oracle buried it a year ago, it's now an Apache Software Foundation project.  This gives us two competing open-source office suites, OpenOffice and LibreOffice (my preference).  See the third set of stories about OpenOffice's resurrection and new versions of LibreOffice.
  • There are reports of a single piece of malware which infects both Windows PCs and Apple Macs using the same Java vulnerability.  Patch your Java or uninstall it!
Enjoy!

Postscript: My next blog post will be about last week's Windows Updates, which appear to be deploying without issues.  If you haven't updated yet, do so!


TweakGuides.com reports that Apple has released a new Version 7.7.2 of the QuickTime media player. This version has security fixes.

About the security content of QuickTime 7.7.2
This document describes security content of QuickTime 7.7.2.

FBI: Updates Over Public ‘Net Access = Bad Idea — Krebs on Security
The Federal Bureau of Investigation is advising travelers to avoid updating software while using hotel or other public Internet connections, warning that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms.

From the FBI’s advisory:

“Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.”

The warning is a good opportunity to revisit some wireless safety tips I’ve doled out over the years. Avoid updating software while you’re using networks that are untrusted and public, whether they are wired or wireless. This generally means Wi-Fi networks like those available in hotels and coffee shops, and even wired connections at hotels. The only exception I make to this rule is when I have a device that is tethered to the 3G connection on a mobile phone. But even this can be dicey, because many laptops and mobile devices will switch over to available Wi-Fi networks in the event that the 3G signal dies.


FBI: Beware of software updates on hotel connections | ZDNet
Road warriors beware: Cyber-criminals are using pop-up alerts on hotel Internet connections to trick computer users into downloading malware.

According to a warning from the FBI’s Internet Crime Complaint Center (IC3), the pop-up lures are appearing while users are establishing an Internet connection in their hotel rooms.

“In these instances, the traveler was attempting to setup the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely-used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available,” the IC3 said.



Apache OpenOffice 3.4 makes official debut; LibreOffice makes its case | ZDNet
Summary: Let the games begin. Tuesday, the Apache Software Foundation announced the first official release of Apache OpenOffice, version 3.4, since Oracle donated it to the ASF in mid 2011.

As expected, the first version of OpenOffice under new management — the Apache Software Foundation — has been released.

Apache OpenOffice 3.4, which had been in incubation since Oracle donated the code to the ASF mid last year, offers improved performance and a number of new features and enhancements and is available on Windows, Macintosh and Linux and in 15 languages as of today.

The list of new bells and whistles — such as improved ODF support, including new ODF 1.2 encryption option, new spreadsheet functions, an enhanced pivot table support in Calc and enhanced graphics — is welcome news.

...

Not all would agree with Apache’s point of view. The Document Foundation, which developed its own LibreOffice fork of OpenOffice after Oracle signaled its intention to cease development of the office suite, holds that its own organization is independent of vendor control and is the leading open source developer of OpenOffice today.

It has received the support of SUSE , Ubuntu and Intel. The Document Foundation is incorporated in Germany.

One LibreOffice spokesman, a longtime OpenOffice developer and top SUSE engineer, disputed that the Apache license is the best open source license.

“We find this announcement particularly interesting as, a year after Oracle shuttered OpenOffice.org, the Incubator (also cited as Apache) now have their release out. As we said when this move was announced, this has a positive angle, allowing LibreOffice to adopt a more future-proof copy-left licensing model.  It also goes without saying that SUSE continues to provide a fully supported SUSE LibreOffice product on Windows and Linux built from the same code base.  I have a more detailed comparison on my blog, but let me focus on the great things that are happening in LibreOffice Land.

“We’ve got our monthly release of 3.5.3 out, steadily increasing quality, and our 3.6 release is one month away from feature freeze and looking great - so we continue to execute on our time-based release schedule. Also, yesterday we announced an exciting certification program to increase the confidence of purchasers of support and services around LibreOffice,” said Michael Meeks, Distinguished Engineer at SUSE.

Let the games begin.


A LibreOffice/Apache OpenOffice Comparison

As the date of the Apache OpenOffice release approaches, and the final release candidate wends its way through a couple of rounds of approval / voting, I thought it might help clarify the current situation to have a side-by-side summary of what is in each suite. I'll update this entry in response to feedback, please do mail me with corrections if I've got things wrong.

Let me say, straight off, that I think the 'removal of copy-left' code (or at least its replacement) has been done reasonably well. Potentially rather a confusing description though: there are still great big gobs of copy-left code as hard requirements for a useful Apache OpenOffice but these are category b copy-left, instead of the category x licenses (including the LGPL) that Apache excludes. The functionality loss from this removal is modest, as new versions of dependencies have been selected or system dependencies added, with even some rule-bending around shipping GPL dictionaries.

On the other hand, thus far, there are rather few really new features in the release that did not come from Oracle's existing work; that is outside of some pleasant drawing improvements, which we hope to merge into LibreOffice for our next major release.




Cross-platform malware exploits Java to attack PCs and Macs | ZDNet
Summary: The same Java vulnerability used in the infamous Flashback malware is now being used as an attack vector for a single piece of malware that can infect both Windows and Mac OS X computers.

Security vendors have discovered a new piece of malware that attacks both PCs and Macs. It uses the same Java security vulnerability exploited by the Flashback malware that infected hundreds of thousands of Macs. While the attack vector is the same as in Flashback, this Java applet checks which OS it is running on and downloads suitable malware for it.
...

Patches for this Java vulnerability have been available since February 14 for Windows, Linux, and Unix computers. Apple released a patch in early April, before the Flashback botnet was discovered. Apple has not issued a Java security update for users running versions of Mac OS X prior to 10.6 (Snow Leopard) because it wants to upgrade to a newer version of its operating system. These users can only protect themselves by disabling Java.

If you don’t use Java, you also should disable it. Even if you don’t have it installed, always get the latest security updates for your operating system and software, whether it’s from Microsoft, Apple, or any other company.


Tuesday, May 15, 2012

Apple OS X security update for version 10.5 (Leopard)

Apple has released a security update for an older version of OS X, version 10.5 AKA Leopard, which is a "must install" for users with that version.  If you are running Leopard* you should update IMMEDIATELY.

Note that while Apple claims to disable "old versions of Flash" in their current update set, this is not completely true. They do NOT check to see if you are running the latest version, version 11.2.202.235. They only disable Flash if you are running version 10.1.102.64 or older, but there are many versions of Flash between 10.1.x and the current 11.2.x version. This is NOT a complete fix IMHO. If you are running Leopard, please apply this security update from Apple AND update your Flash Player manually from Adobe's website.
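To make the gap concrete, here is an added example (my own code, not Apple's or Adobe's) that compares dotted Flash Player version strings numerically and classifies an installed version against Apple's stated cutoff (10.1.102.64) and the current release named above (11.2.202.235). The sample version list is constructed for the demo.

```python
"""Added example: which Flash Player versions does the Leopard update leave
enabled even though they are behind the current release?

Apple's rule, as quoted on this page: disable only if older than 10.1.102.64.
The current version named on this page: 11.2.202.235.
"""
from typing import List, Tuple

APPLE_CUTOFF = "10.1.102.64"    # anything older than this gets moved aside by Apple
LATEST = "11.2.202.235"         # current Flash Player version named in the post


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.1.102.64' into (10, 1, 102, 64) so comparisons are numeric.

    Plain string comparison gets this wrong: '9.0.124.0' > '10.1.102.64'
    because the character '9' sorts after '1'. Missing trailing components
    count as 0, so '11.2' compares equal to '11.2.0.0'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def apple_disables(version: str) -> bool:
    """Apple's rule as described on the page: disabled only if older than the cutoff."""
    return parse_version(version) < parse_version(APPLE_CUTOFF)


def is_current(version: str, latest: str = LATEST) -> bool:
    """True when the installed version is at or above the current release."""
    return parse_version(version) >= parse_version(latest)


def classify(version: str) -> str:
    """Return 'disabled', 'current', or 'stale-but-enabled'.

    'stale-but-enabled' is the gap the post points out: newer than Apple's
    cutoff (so Apple leaves it alone) yet older than the current release.
    """
    if apple_disables(version):
        return "disabled"
    if is_current(version):
        return "current"
    return "stale-but-enabled"


def audit(installed: List[str]) -> List[Tuple[str, str]]:
    """Classify every version in a list; handy for checking a fleet of Macs."""
    return [(v, classify(v)) for v in installed]


if __name__ == "__main__":
    # Constructed sample of installed versions. 11.2.202.233 is the version
    # patched by APSB12-09 elsewhere on this page: Apple's rule leaves it enabled.
    for v, verdict in audit(["9.0.124.0", "10.1.102.64", "10.3.183.5",
                             "11.2.202.233", LATEST]):
        print(f"{v:>14}  {verdict}")
```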

About the security content of Leopard Security Update 2012-003
Available for: Mac OS X v10.5 to 10.5.8 Intel

Impact: Out-of-date versions of Adobe Flash Player are disabled

Description: This update disables Adobe Flash Player if it is older than 10.1.102.64 by moving its files to a new directory. This update presents the option to install an updated version of Flash Player from the Adobe website.

Apple releases Leopard update, Flashback removal tool | TUAW - The Unofficial Apple Weblog
Apple has released a security update for Leopard, the first in quite a while, as well as a Flashback removal tool for that version of the OS.

According to Apple, Leopard Security Update 2012-003 "disables versions of Adobe Flash Player that do not include the latest security updates and provides the option to get the current version from Adobe's website."

Also, the Flashback Removal Security Update "removes the most common variants of the Flashback malware. If the Flashback malware is found, a dialog will notify you that malware was removed. In some cases, the update may need to restart your computer in order to completely remove the Flashback malware."

Grab them both to secure your Leopard machine.


* To determine what version of OS X you are running, follow the instructions on this page: How do I find my operating system (OS) version?

Monday, May 14, 2012

Adobe to patch Illustrator, Photoshop, and Flash Pro CS5.x for free

A few days ago I blogged about Adobe Security Patches for May 8, 2012
"Adobe has only fixed the security holes in new versions, and you have to pay to upgrade."
Well, Adobe realized it had some egg on its face regarding this policy and has quickly changed its mind. It will be providing security patches at some unspecified date in the future.

Adobe about-face: Photoshop, Illustrator patches will be free | ZDNet
Facing widespread criticism for its decision to bundle critical security updates into paid upgrades for Photoshop and Illustrator, Adobe has changed course and will now backport the fixes to existing software versions.

The company’s about-face was included in an update to the security bulletin:

We are in the process of resolving the vulnerabilities addressed in these Security Bulletins in Adobe Illustrator CS5.x, Adobe Photoshop CS5.x (12.x) and Adobe Flash Professional CS5.x, and will update the respective Security Bulletins once the patches are available.

The company did not provide a timeline for when the backported patches will be available.

Adobe backs down, will patch old software for free
Faced with a backlash from angry customers, Adobe bowed to the pressure and backpedalled on its original decision, deciding to patch the eight vulnerabilities in question free of charge.

"We are in the process of resolving the vulnerabilities addressed in these security bulletins in Adobe Illustrator CS5.x, Adobe Photoshop CS5.x and Adobe Flash Professional CS5.x, and will update the respective security bulletins once the patches are available," they stated.

They did not say how long it will take for the patches to be issued.

Tuesday, May 8, 2012

Adobe Security Patches for May 8, 2012

Adobe has released two security bulletins for Adobe Photoshop CS and Adobe Flash Professional CS.  However, there is bad news for those who use these Adobe products to create content: Adobe has only fixed the security holes in new versions, and you have to pay to upgrade.  The latest Adobe Security bulletins and advisories as of May 8, 2012, link to the advisories for these products, which tell users who cannot upgrade that "Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources."  In other words, you're being abandoned.

Those who cannot upgrade (or who choose not to support Adobe any longer) should look into alternative products such as GimpShop or LibreOffice Impress.  Two articles listing alternatives to these Adobe programs are here:
EDIT Fri 11 May 2012 14:32: Other blogs are chiming in on this issue, and they're NOT happy about Adobe's position:

In other Adobe security news, today Adobe has released another patch, this one free, for the Shockwave Player.  Details here: Security update available for Adobe Shockwave Player.

Adobe - Security Bulletins: APSB12-11 Security bulletin for Adobe Photoshop

Summary

Adobe released a security upgrade for Adobe Photoshop CS5.5 and earlier for Windows and Macintosh. This upgrade addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.

Adobe has released Adobe Photoshop CS6, which addresses these vulnerabilities. For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.

Affected software versions

Adobe Photoshop CS5.5 and earlier versions for Windows and Macintosh

Solution

Adobe has released Adobe Photoshop CS6 (paid upgrade), which addresses these vulnerabilities. For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.

Adobe - Security Bulletins: APSB12-12 Security bulletin for Adobe Flash Professional

Summary

Adobe released a security upgrade for Adobe Flash Professional CS5.5 (11.5.1.349) and earlier for Windows and Macintosh. This upgrade addresses a vulnerability that could allow an attacker who successfully exploits this vulnerability to take control of the affected system.

Adobe has released Adobe Flash Professional CS6, which addresses this vulnerability. For users who cannot upgrade to Adobe Flash Professional CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.

Affected software versions

Adobe Flash Professional CS5.5 (11.5.1.349) and earlier for Windows and Macintosh

Solution

Adobe has released Adobe Flash Professional CS6 (paid upgrade), which addresses this vulnerability. For users who cannot upgrade to Adobe Flash Professional CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.

Apple updates iOS for iPx devices

Information about the content of this update is not currently available, as Apple is usually VERY close-mouthed about security fixes, but all the sites are saying there are security holes that are plugged. Apple's security write-up on this update (HT5278) is still coming up blank.   The best write-up I have seen is the ZDNet article linked near the end of this blog posting.

Given the latest spate of fixes to other Apple operating systems, I would recommend that if you are offered this update through iTunes you accept it and update.  Of course, you are going to back up your data before you update, right?

ISC Diary | iOS 5.1.1 Software Update for iPod, iPhone, iPad
Apple released iOS 5.1.1 for iPod, iPhone, iPad (exclude Mac OS X) only available through iTunes. The updates address Safari and WebKit for iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2. At the time of this writing, the advisory was still not posted (APPLE-SA-2012-05-07-1) but the update is available through iTunes.
Apple offers iOS 5.1.1 update, fixes some serious vulnerabilities | Naked Security
Apple's latest update to iOS just came out. Version 5.1.1 is more than just a cosmetic fix: it patches at least three security flaws, all of which should be considered serious.

Information about the update can be found in Apple's knowledgebase article DL1521.

Unfortunately, the security reasons for updating sooner rather than later are hard to find from DL1521.

The page leads with a list of five "improvements and bug fixes", none of which is a compelling reason on its own to update now.

As usual, Apple relegates the security content of the update to the well-known landing page HT1222. But when I visited, the most recent security updates in the list were still April's malware-related Flashback fixes.

Nevertheless, the page you need to consult for iOS 5.1.1 does exist - it's HT5278, and if you have an iDevice, I strongly suggest you read it.

Apple patches serious security holes in iOS devices | ZDNet
Apple has shipped a high-priority iOS update to fix multiple security holes affecting the browser used on iPhones, iPads and iPod Touch devices.

The iOS 5.1.1 update fixes four separate vulnerabilities, including one that could be used to take complete control of an affected device.

Here’s the skinny of this batch of updates:
  • A URL spoofing issue existed in Safari. This could be used in a malicious web site to direct the user to a spoofed site that visually appeared to be a legitimate domain. This issue is addressed through improved URL handling. This issue does not affect OS X systems.
  • Multiple security holes in the open-source WebKit rendering engine.  These could lead to cross-site scripting attacks from maliciously crafted web sites. These vulnerabilities were used during Google’s Pwnium contest at this year’s CanSecWest conference.
  • A memory corruption issue in WebKit. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.  This issue was discovered and reported by Google’s security team.

This patch is only available via iTunes. To check that the iPhone, iPod touch, or iPad has been updated:

  • Navigate to Settings
  • Select General
  • Select About. The version after applying this update will be “5.1.1”.

Friday, May 4, 2012

Extremely Urgent: Adobe Flash Player Emergency Patch Released

Update your Adobe Flash Players ASAP, especially if you run Windows and use Internet Explorer or any of Microsoft's email programs (which use IE to display email).  The vulnerability exists in all versions of the Flash Player, but has not been used on other platforms -- YET.  Lots of noise about this in the press.

Adobe - Security Bulletins: APSB12-09 - Security update available for Adobe Flash Player
Release date: May 4, 2012
Adobe warns: Flash Player malware hitting IE on Windows users | ZDNet
By Ryan Naraine | May 4, 2012, 8:24am PDT

Summary: Although the vulnerability affects Flash Player on all platforms, the malware attacks target Flash Player on Internet Explorer for Windows only.

Adobe has shipped an extremely urgent Flash Player patch to block in-the-wild malware attacks against Windows users.

Adobe described the attacks as “targeted” and warned that malicious Flash files are being delivered in e-mail messages.

Although the vulnerability affects Flash Player on all platforms, the malware attacks target Flash Player on Internet Explorer for Windows only.
Adobe Releases Security Advisory for Adobe Flash Player - US-CERT Current Activity
Friday, May 4, 2012 at 11:06 am

Adobe has released a Security Advisory for Adobe Flash Player to address a vulnerability affecting the following software versions:

  • Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh, and Linux operating systems
  • Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x

This vulnerability may allow an attacker to cause a denial-of-service condition or take control of the affected system.
Critical Flash Update Fixes Zero-day Flaw — Krebs on Security
Adobe Systems Inc. today issued a security update to its Flash Player software. The company stressed that the update fixes a critical vulnerability that malicious actors have been using in targeted attacks.

Adobe classifies a security flaw as critical if it can be used to break into vulnerable machines without any help from users. The company said the vulnerability (CVE-2012-0779) fixed in the version released today has been exploited in targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message, and that the exploit used in the attacks seen so far targets Flash Player on Internet Explorer for Windows only.

Tuesday, April 17, 2012

Mac Users need to update Java AGAIN

If you're running an Apple Mac with OS X 10.6 or later, you need to make sure your software is up-to-date, as Apple has updated Java again.  Sorry, OS X 10.5 and earlier users, you're out of luck, and it doesn't look like Apple is ever going to patch these older versions.  Users of older Macs should uninstall or disable Java ASAP as there is an unpatched vulnerability that makes you subject to drive-by infection.

AFAICT Apple has abandoned users of Tiger and Leopard (v10.5).  Apple expects users to pay to upgrade at least to OS X 10.6 (Snow Leopard) or 10.7 (Lion).  If your computer won't run one of those, too bad, so sad, please give Apple more money for a newer Mac (or switch to Linux, which is free).  BUT see the last item below for more info on what you can do if you're using an old Mac.

Third Apple Java update rids infections and turns off Java - SC Magazine
Apple has released a third Java update related to the outbreak Flashback, but this time, the patch comes with a detection and removal capability for the prolific trojan.
ISC Diary | Flashback Trojan Removal Tool Released
Published: 2012-04-14
Earlier in the week Apple released a Java update which included software to remove the Flashback Trojan from OS X Lion machines running Java.

The Flashback Trojan removal tool is now also available for OS X Lion machines not running Java. This Flashback malware removal tool is available through the OS X Software Update tool, or from Apple's downloads site at http://www.apple.com/support/downloads/.
About the security content of Java for OS X 2012-003 and Java for Mac OS X 10.6 Update 8
This document describes the security content of Java for OS X 2012-003 and Java for Mac OS X 10.6 Update 8, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.
About the security content of Flashback malware removal tool
Available for: OS X v10.7 or later without Java installed


I just came across this interesting note -- and if I were a home user, I would certainly be using OpenDNS instead of Comcast's DNS or Qwest's DNS:

OpenDNS´s Allison Rhodes reports that OpenDNS ... is blocking the Flashback Trojan. People not yet using OpenDNS need only to set up the service on their wireless router, computer or device to secure their computers and devices from the attack.

... Even for those people who find their machine has already been infected by Flashback, Rhodes maintains, enabling OpenDNS will prevent the malware from connecting to its command and control and causing your machine any damage.

To set up the OpenDNS free service, you need simply create an account, choose your router or computer and follow the step-by-step instructions. Note that setting up OpenDNS on your router will protect all devices connecting to the Internet through your WiFi network, and Windows users should use OpenDNS, too.

For more information, visit http://blog.opendns.com/

Seen here: Free mini-apps to check your Mac for Flashback malware infection AppleTell.

Thursday, April 12, 2012

Patch Tuesday April 2012 - Critical updates for Windows, Office and Adobe Reader

I'm not seeing any negative feedback on the Patch Tuesday updates from this month, so go ahead and update.  Updates apply to both Microsoft Windows/Office and Adobe Reader/Acrobat 9/5 and 10.x.  ISC/SANS have rated most of the Microsoft patches as "Critical", which means they are either being exploited on a targeted basis or exploits are imminent.  The Bad Guys *_will_* be taking advantage of unpatched machines in the next few weeks.  The Krebs-on-Security entry below has the most user-friendly and descriptive write-up.  Links to the official Microsoft and Adobe security bulletins are below for the nerds among you.

Microsoft warns of 'limited, targeted attacks' against Windows vulnerability | ZDNet

April 10, 2012, 11:52am PDT

Summary: The vulnerability under attack exists in Windows Common Controls and can be exploited to launch remote code execution attacks if a user simply surfs to a malicious website.

Microsoft today shipped patches for at least 11 documented security vulnerabilities, including one that’s already being hit with “limited, targeted attacks.”

The vulnerability under attack — now fixed today with the MS12-027 bulletin — exists in Windows Common Controls and can be exploited to launch remote code execution attacks if a user simply surfs to a malicious website.

The vulnerability is caused when the MSCOMCTL.OCX ActiveX control, while being used in Internet Explorer, corrupts the system state in such a way as to allow an attacker to execute arbitrary code.

Microsoft is calling on Windows users to apply this bulletin as a priority because of the high-risk of code execution attacks.

Patch Tuesday April 2012 – Critical updates for Windows, Office and Adobe Reader | Naked Security
This month Microsoft has released six patches, four critical, for eleven vulnerabilities in Office, Windows and various server products. ...

Adobe, not wanting to feel left out, also delivered fixes for four vulnerabilities in Adobe Reader and Acrobat versions 9 and X.

All four vulnerabilities can lead to remote code execution, so I advise everyone be sure to update to Reader/Acrobat 10.1.3.

Adobe, Microsoft Issue Critical Updates — Krebs on Security
Adobe and Microsoft today each issued critical updates to plug security holes in their products. The patch batch from Microsoft fixes at least 11 flaws in Windows and Windows software. Adobe’s update tackles four vulnerabilities that are present in current versions of Adobe Acrobat and Reader.

Seven of the 11 bugs Microsoft fixed with today’s release earned its most serious “critical” rating, which Microsoft assigns to flaws that it believes attackers or malware could leverage to break into systems without any help from users. In its security bulletin summary for April 2012, Microsoft says it expects miscreants to quickly develop reliable exploits capable of leveraging at least four of the vulnerabilities.

Among those is an interesting weakness (MS12-024) in the way that Windows handles signed portable executable (PE) files. According to Symantec, this flaw is interesting because it lets attackers modify signed PE files undetected.

“In addition, the attacker doesn’t need to worry about controlling memory; once the user runs the content, the device has been infected,” wrote John Harrison, group product manager for Symantec Security Response. “The most common attack will probably be a scenario in which a site offers a free download of a specific program that appears to be legitimately signed.”

Wolfgang Kandek, chief technology officer for vulnerability management firm Qualys, is particularly worried about MS12-027, because the weakness spans an unusually wide range of Microsoft products. Microsoft agrees, calling this patch the highest priority security update this month.

“What makes this bulletin stand out is that Microsoft is aware of attacks in the wild against it and it affects an unusually wide range of Microsoft products, including Office 2003 through 2010 on Windows, SQL Server 2000 through 2008 R2, BizTalk Server 2002, Commerce Server 2002 through 2009 R2, Visual FoxPro 8 and Visual Basic 6 Runtime,” Kandek said. “Attackers have been embedding the exploit for the underlying vulnerability (CVE-2012-0158) into an RTF document and enticing the target into opening the file, most commonly by attaching it to an e-mail. Another possible vector is through web browsing, but the component can potentially be attacked through any of the mentioned applications.”

ISC Diary | Microsoft April 2012 Black Tuesday Update - Overview
Published: 2012-04-10,
Last Updated: 2012-04-11 01:57:49 UTC
by Swa Frantzen (Version: 1)
Overview of the April 2012 Microsoft patches and their status.

Adobe warns of Reader X security holes | ZDNet

April 11, 2012, 11:26am PDT

Summary: Adobe ships patches for flaws that could cause the application to crash and potentially allow an attacker to take control of the affected system.

Adobe’s flagship PDF Reader/Acrobat software contains multiple security vulnerabilities that expose computer users to dangerous hacker attacks.

Adobe warned about the vulnerabilities in a security bulletin that contained patches for Windows, Mac OS X and Linux users.


Microsoft Security Bulletin Summary for March 2012
Adobe - Security Bulletins: APSB12-08 - Security updates available for Adobe Reader and Acrobat