Wednesday, March 28, 2012

Java exploit in-the-wild

Here's some good advice from Brian Krebs:

New Java Attack Rolled into Exploit Packs — Krebs on Security
If your computer is running Java and you have not updated to the latest version, you may be asking for trouble: A powerful exploit that takes advantage of a newly-disclosed security hole in Java has been rolled into automated exploit kits and is rapidly increasing the success rates of these tools in attacking vulnerable Internet users.
...

If you do not need Java, junk it; you can always re-install it later if you need to. If you need Java for a specific Web site, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox (from the Add-ons menu, click Plugins and then disable anything Java related, and restart the browser), and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.
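Before deciding whether to "junk it" or just disable the plugin, it helps to know which Java runtimes a Windows machine actually has. The script below is an added example, not Brian Krebs's or this blog's code: it lists the installed JREs from the registry, flags the one marked current, and checks whether each carries the NPAPI browser plugin that Firefox loads. The registry paths follow the Sun/Oracle JRE installer conventions and the plugin file location is an assumption on my part; neither comes from the post.

```powershell
# Added example (not from the post): inventory Java runtimes on a Windows host.
# Run from any PowerShell prompt; reading HKLM does not need elevation.
$JreKeys = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',               # JRE matching the OS bitness
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'    # 32-bit JRE on 64-bit Windows
)
# ASSUMPTION: location of the Firefox/NPAPI plugin inside a JRE install.
$PluginRelPath = 'bin\new_plugin\npjp2.dll'

function Get-InstalledJre {
    foreach ($key in $JreKeys) {
        if (-not (Test-Path $key)) { continue }
        $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).CurrentVersion
        # Each installed release is a subkey (e.g. 1.6.0_31) whose JavaHome value points at the install.
        foreach ($sub in Get-ChildItem -Path $key) {
            $javaHome = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).JavaHome
            if (-not $javaHome) { continue }
            New-Object PSObject -Property @{
                Release     = $sub.PSChildName
                IsCurrent   = ($sub.PSChildName -eq $current)
                JavaHome    = $javaHome
                NpapiPlugin = (Test-Path (Join-Path $javaHome $PluginRelPath))
            }
        }
    }
}

$jres = @(Get-InstalledJre)
if ($jres.Count -eq 0) {
    Write-Host 'No Java Runtime Environment found in the registry; there is no plugin to disable.'
} else {
    $jres | Format-Table Release, IsCurrent, NpapiPlugin, JavaHome -AutoSize
    # Programs and Features entries, for the "junk it" option.
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString |
        Format-Table -AutoSize
}
```

A machine that shows several releases is the usual case: older JRE installers left previous versions behind, and each one that still has its plugin file is a candidate for the exploit kits mentioned above until it is removed or the plugin is disabled in the browser.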


Firefox 11 includes critical security fix

Firefox 11.0 was released earlier this month.  Firefox 10.0.3 Enterprise also includes the same security fixes, but is much more difficult to find.

Mozilla knew of Pwn2Own bug before CanSecWest | ZDNet

March 13, 2012, 6:56pm PDT

... That fix arrived today with Firefox 11, a high-priority update that fixes a dozen security flaws that expose Windows and Mac OS X users to a wide range of hacker attacks.


See also:
Download Firefox Extended Release Support for Your Organization, Business, Enterprise
Firefox Extended Release Support for Your Organization, Business, Enterprise - Overview
Firefox Extended Support Release for organizations | International versions: Get Firefox in your language

Windows Updates for March include critical fix for RDP

The Windows Update round for March 2012 included one patch, MS12-020, "Vulnerabilities in Remote Desktop Could Allow Remote Code Execution", which has the security blogosphere buzzing. It is probably critical only for corporate environments where Remote Desktop is enabled and exposed to the open Internet. Home users don't routinely have RDP enabled, and if they do, they have to expose it manually through their routers, a technical step most won't understand.

That said, if this affects you, please read on.  [EDIT] NOTE THAT EXPLOIT CODE HAS BEEN DEVELOPED -- see last few links for more.

ISC Diary | March 2012 Microsoft Black Tuesday

Overview of the March 2012 Microsoft patches and their status.

Microsoft warns: Expect exploits for critical Windows worm hole | ZDNet

Attention Microsoft Windows administrators: Stop what you’re doing and apply the new — and very critical — MS12-020 update.

Microsoft is warning that there’s a remote, pre-authentication, network-accessible code execution vulnerability in its implementation of the RDP protocol.

RDP Flaws Lead Microsoft’s March Patch Batch — Krebs on Security
Microsoft today released updates to sew up at least seven vulnerabilities in Windows and other software. The sole “critical” update in the bunch patches a particularly dangerous flaw in all supported versions of Windows that allows attackers to seize control over vulnerable systems remotely without authentication.

The critical update plugs two security holes in Microsoft’s Remote Desktop Protocol (RDP), a service that is designed to let administrators access Windows systems remotely over a network. The saving grace for these vulnerabilities — which are present in Windows XP, Vista and 7, and Windows Server 2003, and 2008 — is that RDP is not enabled by default on standard Windows installations. That means it is far more likely to be a threat to businesses than to consumer systems.

ISC Diary | Why We Rated the MS12-020 Issue with RDP "Patch Now"

Microsoft's March 2012 "Black Tuesday" announcement included the MS12-020 patch, which fixes a vulnerability in Microsoft's implementation of RDP. This vulnerability (CVE-2012-0002) could allow a remote unauthenticated attacker to execute arbitrary code on the affected system. Microsoft labeled this issue "Critical" and we assigned it our highest severity label "Patch Now" for servers. Here's why:

  • The CVE-2012-0002 vulnerability applies to most flavors of Microsoft Windows.
  • It can be exploited over the network.
  • Companies often make RDP accessible on the standard TCP port 3389 from the Internet for remote access to servers and sometimes workstations.

These factors make it very attractive for attackers to attempt reverse-engineering Microsoft's MS12-020 patch to understand the details of the bug and craft an exploit. This will likely happen sooner than 30 days. The universal applicability of the exploit and its targetability over the Internet and internal networks might motivate the creation of auto-propagating worms to capture systems quickly and efficiently.

Exploit code published for RDP worm hole; Does Microsoft have a leak? | ZDNet
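The three factors ISC lists (broad OS coverage, network exploitability, RDP listening on TCP 3389) can be checked on a single host in a few lines. The script below is an added example, not the blog's or ISC's code: it reads the Remote Desktop settings from the registry, confirms whether a listener is actually up on the configured port, checks whether Network Level Authentication is required (on Vista and later, NLA forces the client to authenticate before the session-setup code is reached, which removes the "pre-authentication" property the ZDNet article describes), and looks for the hotfix. The KB identifier is a placeholder; the page does not give it, so take the real one for your OS from the MS12-020 bulletin. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the post or ISC): audit one Windows host for the
# MS12-020 exposure factors. PowerShell 2.0 compatible (Windows 7 era).
$Ms12020Kb = 'KBnnnnnnn'   # PLACEHOLDER: replace with the MS12-020 hotfix id for this OS

# 1. Is Remote Desktop switched on? fDenyTSConnections = 1 means RDP is off.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ((Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0)

# 2. Which port does the RDP-Tcp listener use? The default is 3389.
$rdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort   = (Get-ItemProperty -Path $rdpTcpKey -Name PortNumber).PortNumber

# 3. Is anything actually listening on that port (IPv4 "0.0.0.0:3389" or IPv6 "[::]:3389")?
$listenPattern = 'TCP\s+\S+:{0}\s+\S+\s+LISTENING' -f $rdpPort
$listening = [bool](netstat -an | Select-String -Pattern $listenPattern)

# 4. Is Network Level Authentication required? UserAuthentication = 1 means yes (Vista and later).
$nla = (Get-ItemProperty -Path $rdpTcpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

# 5. Is the MS12-020 hotfix installed? Get-HotFix reads the same list as Programs and Features.
$patched = [bool](Get-HotFix -Id $Ms12020Kb -ErrorAction SilentlyContinue)

New-Object PSObject -Property @{
    RdpEnabled    = $rdpEnabled
    RdpPort       = $rdpPort
    Listening     = $listening
    NlaRequired   = ($nla -eq 1)
    Ms12020Hotfix = $patched
} | Format-List

if ($rdpEnabled -and -not $patched) {
    Write-Warning "RDP is enabled and $Ms12020Kb is not installed: apply MS12-020 now, or disable RDP until you can."
}
if ($rdpEnabled -and ($nla -ne 1)) {
    Write-Warning 'RDP accepts connections without Network Level Authentication; require NLA if every client supports it.'
}
```

The host-side view is only half the picture: a listener on 3389 is a problem on the open Internet but not behind a router with no forwarding rule, which is exactly the home-versus-corporate distinction drawn at the top of this entry. The script tells you whether there is anything to expose; whether it is exposed is a question for the router or perimeter firewall.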

Chinese hackers have released proof-of-concept code that provides a roadmap to exploit a dangerous RDP (remote desktop protocol) vulnerability that was patched by Microsoft earlier this week.

The publication of the code on a Chinese language forum heightens the urgency to apply Microsoft’s MS12-020 update, which addresses a remote, pre-authentication, network-accessible code execution vulnerability in Microsoft’s implementation of the RDP protocol.

It also sets off alarm bells in the corridors at Redmond because there are clear signs that Microsoft’s pre-patch vulnerability sharing program has been breached or has suffered a major leak.

Microsoft confirms MAPP proof-of-concept exploit code leak | ZDNet
An embarrassing leak within the Microsoft Active Protections Program (MAPP) has led to the publication of proof-of-concept code for a serious security hole in all versions of Windows, Microsoft confirmed late Friday.

RDP Flaw Found – Get Patched Now | Remote Administration For Windows

Adobe Flash Player updated -- includes automatic background updates

Adobe has released Version 11.2.202.288 of the Flash Player plugin for browsers.  This update includes a major change:  it installs a background service called "Adobe Flash Player Update Service" and creates a scheduled task which runs once an hour to check for updates.  The service only runs when the task activates it, so there is no significant load on the computer.  If you use a passive install from the MSI, the updater is enabled automatically.  When I installed my two Flash updates (plugin and ActiveX), the first one created the task and installed the service.

Adobe Security Bulletin here:
Adobe - Security Bulletins: APSB12-07 - Security update available for Adobe Flash Player

These priority 2 updates address critical vulnerabilities in Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 11.1.111.7 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.228.

Adobe blog entry discussing how the updater works here:
Introducing Adobe Flash Player Background Updater for Windows | Adobe Developer Connection
...
At the core of Adobe Flash Player Background Updater is a scheduled task in the Windows Task Scheduler (see Figure 2) and a Windows service (see Figure 3). These two elements ensure that Flash Player remains up to date with the latest patches and updates. The Windows service used for Adobe Flash Player Background Updater is launched on an as-needed basis by the scheduled task and is therefore dormant for most of the time, saving memory and CPU resources.
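Because the updater is just a scheduled task plus a manual-start service, its presence can be verified the same way any other scheduled job is audited. The script below is an added example, not Adobe's or this blog's code: it queries the task with schtasks.exe (which, unlike Get-ScheduledTask, exists on XP, Vista and 7), checks the service and its start mode, compares the installed Flash version against the fixed version quoted from bulletin APSB12-07 above, and reads the two mms.cfg settings that govern background updating. The task name, service name, registry key and mms.cfg path are assumptions based on Adobe's installer conventions; the page names only the service's display name.

```powershell
# Added example (not Adobe's or the blog's code): verify the Flash Player
# background updater is in place and the installed version is current.
# Run from an elevated PowerShell prompt on Windows; PowerShell 2.0 compatible.
$TaskName     = 'Adobe Flash Player Updater'                              # ASSUMED task name
$ServiceName  = 'AdobeFlashPlayerUpdateSvc'                               # ASSUMED service name
$MmsCfg       = Join-Path $env:WINDIR 'System32\Macromedia\Flash\mms.cfg'  # ASSUMED admin config path
$VersionKey   = 'HKLM:\SOFTWARE\Macromedia\FlashPlayer'                   # ASSUMED; CurrentVersion looks like "11,2,202,228"
$FixedVersion = [version]'11.2.202.228'                                   # fixed version per APSB12-07, quoted above

function Get-TaskField([string[]]$lines, [string]$name) {
    # Pull one "Name: value" field out of schtasks /v /fo LIST output.
    $pattern = '^{0}:\s*' -f [regex]::Escape($name)
    $line = $lines | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if ($line) { $line -replace $pattern, '' } else { $null }
}

# Scheduled task: exit code 0 from schtasks means the task exists.
$taskInfo    = @(schtasks /query /tn $TaskName /v /fo LIST 2>$null)
$taskPresent = ($LASTEXITCODE -eq 0)

# Service: should exist, be Manual start, and normally be Stopped (the task starts it on demand).
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
$svcStartMode = if ($svc) { (Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'").StartMode } else { 'absent' }

# Installed version, normalised from Adobe's comma-separated form to a [version].
$rawVersion = (Get-ItemProperty -Path $VersionKey -Name CurrentVersion -ErrorAction SilentlyContinue).CurrentVersion
$installed  = if ($rawVersion) { [version]($rawVersion -replace ',', '.') } else { $null }

# mms.cfg: SilentAutoUpdateEnable=1 turns background updates on; AutoUpdateDisable=1 turns all updating off.
$cfg = if (Test-Path $MmsCfg) { Get-Content $MmsCfg } else { @() }
$silentEnabled  = [bool]($cfg -match '^\s*SilentAutoUpdateEnable\s*=\s*1')
$updateDisabled = [bool]($cfg -match '^\s*AutoUpdateDisable\s*=\s*1')

New-Object PSObject -Property @{
    TaskPresent        = $taskPresent
    TaskStatus         = Get-TaskField $taskInfo 'Status'
    TaskNextRun        = Get-TaskField $taskInfo 'Next Run Time'
    ServicePresent     = [bool]$svc
    ServiceState       = if ($svc) { $svc.Status } else { 'absent' }
    ServiceStartMode   = $svcStartMode
    InstalledVersion   = $installed
    FixedVersion       = $FixedVersion
    UpToDate           = ($installed -ne $null -and $installed -ge $FixedVersion)
    SilentAutoUpdate   = $silentEnabled
    AutoUpdateDisabled = $updateDisabled
} | Format-List

if (-not $taskPresent -or -not $svc) { Write-Warning 'Background updater is not fully installed; Flash will not patch itself.' }
if ($updateDisabled) { Write-Warning 'AutoUpdateDisable=1 in mms.cfg: all Flash updating is switched off.' }
if ($installed -and $installed -lt $FixedVersion) { Write-Warning "Installed Flash $installed is below $FixedVersion; update now." }
```

The mms.cfg check matters for managed environments: an administrator who set AutoUpdateDisable=1 for an older Flash release will find the new service and task installed but idle, which is the worst of both worlds.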

Tuesday, March 6, 2012

Another Emergency Update for Adobe Flash Player

US-CERT Current Activity

Adobe Releases Update for Adobe Flash Player

added March 5, 2012 at 04:30 pm

Adobe has released a security bulletin for Adobe Flash Player to address multiple vulnerabilities affecting the following software versions:

  • Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Linux, and Solaris operating systems
  • Adobe Flash Player 11.1.115.6 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x

Exploitation of these vulnerabilities may allow an attacker to take control of the affected system or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Adobe Security Bulletin APSB12-05 and apply any necessary updates to help mitigate the risks.

Adobe warns of 'critical' Flash Player security holes | ZDNet
A pair of researchers in Google’s security team has found gaping holes in Adobe’s ubiquitous Flash Player software.

According to an advisory from Adobe, Googlers Tavis Ormandy and Fermin J. Serna discovered integer errors and a memory corruption vulnerability that could be used by hackers to take complete control of an affected computer.

The vulnerabilities, rated “critical,” were fixed today for Windows, Macintosh, Linux and Solaris OS users.

Adobe Patches Critical Flash Flaws — Krebs on Security
For the second time in less than a month, Adobe has issued an update to fix dangerous flaws in its Flash Player software. The patch addresses two vulnerabilities rated “critical,” but Adobe says it is not aware of active attacks against either flaw.

The fixes being released today address a pair of critical bugs that are present in Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Mac, Linux and Solaris, Flash Player v 11.1.115.6 and earlier versions for Android 4.x, and Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x. Adobe says both flaws in today’s release were reported by Google security researchers.


ISC Diary | Adobe Flash Player Security Update
Adobe today released a bulletin with details regarding two new vulnerabilities in Adobe Flash Player [1]. The vulnerabilities can lead to arbitrary code execution and affect all platforms (don't forget Android and Google Chrome patches!).

There is no indication at this point that the vulnerability has been exploited yet. However, I believe this is an unannounced out-of-cycle release.

Also note that twitter is littered with links to various "adobe updates" with suspect destinations. Only download adobe updates using Adobe's own update tools or use the Adobe site itself.

Adobe - Security Bulletins: APSB12-05 - Security update available for Adobe Flash Player

These priority 2 updates address critical vulnerabilities in Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.1.115.6 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.63. Users of Adobe Flash Player 11.1.115.6 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.7. Users of Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.7.
