Thursday, May 17, 2012

Microsoft Patch Tuesday for May, 2012: Critical Patches for soon-to-be-active exploits

Well, it has been over a week since Patch Tuesday, and I haven't heard anything bad about any of these patches.  If you haven't run Windows Update, do so now.  Read the stories below for more technical details.  I have patched all my boxes and have not had any issues.  Please let me know if you need help patching.

Microsoft patches 23 Windows flaws, warns of risk of code execution attacks | ZDNet

By | May 8, 2012, 11:53am PDT

Summary: The Patch Tuesday batch for May 2012 covers at least 23 documented vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework and Microsoft Silverlight.

Microsoft wheeled out another batch of security patches today to fix multiple dangerous security flaws that expose billions of Windows users to remote code execution attacks.

The Patch Tuesday batch for May 2012 covers at least 23 documented vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework and Microsoft Silverlight.

The company is urging Windows users to pay special attention to MS12-034, a “critical” bulletin that patches 10 distinct security holes.  Three of these vulnerabilities have already been publicly disclosed and Microsoft expects to see working exploit code released within 30 days.

ISC Diary | Microsoft May 2012 Black Tuesday Update - Overview

Overview of the May 2012 Microsoft patches and their status.

Bulletin Management Process and the May 2012 Bulletins - MSRC - Site Home - TechNet Blogs

For Update Tuesday we’re releasing seven security bulletins – three Critical-class and four Important – addressing 23 issues in Microsoft Windows, Office, Silverlight, and the .NET Framework. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing on the following two critical updates first:

  • MS12-034 (Microsoft Office, Windows, .NET Framework, and Silverlight): This security update addresses 10 issues affecting a cross section from Microsoft Windows, Office, Silverlight, and the Microsoft .NET Framework. The maximum severity for these issues is Critical and could result in remote code execution. To ensure protection all updates from this bulletin must be applied. We recommend that customers read through the bulletin information concerning MS12-034 and apply it as soon as possible.
  • MS12-029 (Microsoft Word): This security update addresses one Critical issue affecting Microsoft Office that could result in remote code execution. Attack vectors for this issue include maliciously crafted websites and email. We recommend that customers read through the bulletin information concerning MS12-029 and apply it as soon as possible.

Microsoft releases seven security updates

This month, Microsoft released seven bulletins, three critical and four important, that addressed a total of 23 vulnerabilities. MS12-029 is the bulletin that should be highest on the list for most organizations, as it can be used to gain control of an end-user's machine without requiring user interaction. The bulletin provides a patch for a vulnerability in the RTF file format that can be exploited through Microsoft Office 2003 and 2007. It is rated critical because simply viewing an attached file in the preview pane of Microsoft Outlook is sufficient to trigger the exploit.


MS12-034 - addressing 10 vulnerabilities - is the second critical bulletin, and it applies to the broadest selection of Microsoft software this month.

Wednesday, May 16, 2012

Thursday Miscellany: Quicktime, FBI warning about open WiFi, Open/LibreOffice

Here are several small items to brighten up your Thursday.
  • If you have Apple QuickTime installed, update it -- a new version with security fixes has been released.
  • If you travel and use open WiFi access points or hotel WiFi or hotel networks, DO NOT APPLY SOFTWARE UPDATES WHICH YOU MIGHT BE OFFERED THERE. See the second set of stories below. 
  • OpenOffice has crawled out of the grave in which Oracle buried it a year ago; it is now an Apache Software Foundation project.  This gives us two competing open-source office suites, OpenOffice and LibreOffice (my preference).  See the third set of stories about OpenOffice's resurrection and new versions of LibreOffice.
  • There are reports of a single piece of malware which infects both Windows PCs and Apple Macs using the same Java vulnerability.  Patch your Java or uninstall it!
Enjoy!

Postscript: My next blog post will be about last week's Windows Updates, which appear to be deploying without issues.  If you haven't updated yet, do so!


TweakGuides.com reports that Apple has released a new Version 7.7.2 of the QuickTime media player. This version has security fixes.

About the security content of QuickTime 7.7.2
This document describes security content of QuickTime 7.7.2.

FBI: Updates Over Public ‘Net Access = Bad Idea — Krebs on Security
The Federal Bureau of Investigation is advising travelers to avoid updating software while using hotel or other public Internet connections, warning that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms.

From the FBI’s advisory:

“Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.”

The warning is a good opportunity to revisit some wireless safety tips I’ve doled out over the years. Avoid updating software while you’re using networks that are untrusted and public, whether they are wired or wireless. This generally means Wi-Fi networks like those available in hotels and coffee shops, and even wired connections at hotels. The only exception I make to this rule is when I have a device that is tethered to the 3G connection on a mobile phone. But even this can be dicey, because many laptops and mobile devices will switch over to available Wi-Fi networks in the event that the 3G signal dies.


FBI: Beware of software updates on hotel connections | ZDNet
Road warriors beware: Cyber-criminals are using pop-up alerts on hotel Internet connections to trick computer users into downloading malware.

According to a warning from the FBI’s Internet Crime Complaint Center (IC3), the pop-up lures are appearing while users are establishing an Internet connection in their hotel rooms.

“In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely-used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available,” the IC3 said.



Apache OpenOffice 3.4 makes official debut; LibreOffice makes its case | ZDNet
Summary: Let the games begin. Tuesday, the Apache Software Foundation announced the first official release of Apache OpenOffice, version 3.4, since Oracle donated it to the ASF in mid 2011.

As expected, the first version of OpenOffice under new management — the Apache Software Foundation — has been released.

Apache OpenOffice 3.4, which had been in incubation since Oracle donated the code to the ASF mid last year, offers improved performance and a number of new features and enhancements and is available on Windows, Macintosh and Linux and in 15 languages as of today.

The list of new bells and whistles — such as improved ODF support, including new ODF 1.2 encryption option, new spreadsheet functions, an enhanced pivot table support in Calc and enhanced graphics — is welcome news.

...

Not all would agree with Apache’s point of view. The Document Foundation, which developed its own LibreOffice fork of OpenOffice after Oracle signaled its intention to cease development of the office suite, holds that its own organization is independent of vendor control and is the leading open source developer of OpenOffice today.

It has received the support of SUSE, Ubuntu and Intel. The Document Foundation is incorporated in Germany.

One LibreOffice spokesman, a longtime OpenOffice developer and top SUSE engineer, disputed that the Apache license is the best open source license.

“We find this announcement particularly interesting as, a year after Oracle shuttered OpenOffice.org, the Incubator (also cited as Apache) now have their release out. As we said when this move was announced, this has a positive angle, allowing LibreOffice to adopt a more future-proof copy-left licensing model.  It also goes without saying that SUSE continues to provide a fully supported SUSE LibreOffice product on Windows and Linux built from the same code base.  I have a more detailed comparison on my blog, but let me focus on the great things that are happening in LibreOffice Land.

“We’ve got our monthly release of 3.5.3 out, steadily increasing quality, and our 3.6 release is one month away from feature freeze and looking great - so we continue to execute on our time-based release schedule. Also, yesterday we announced an exciting certification program to increase the confidence of purchasers of support and services around LibreOffice,” said Michael Meeks, Distinguished Engineer at SUSE.

Let the games begin.


A LibreOffice/Apache OpenOffice Comparison

As the date of the Apache OpenOffice release approaches, and the final release candidate wends its way through a couple of rounds of approval / voting, I thought it might help clarify the current situation to have a side-by-side summary of what is in each suite. I'll update this entry in response to feedback, please do mail me with corrections if I've got things wrong.

Let me say, straight off, that I think the 'removal of copy-left' code (or at least its replacement) has been done reasonably well. Potentially rather a confusing description though: there are still great big gobs of copy-left code as hard requirements for a useful Apache OpenOffice but these are category b copy-left, instead of the category x licenses (including the LGPL) that Apache excludes. The functionality loss from this removal is modest, as new versions of dependencies have been selected or system dependencies added, with even some rule-bending around shipping GPL dictionaries.

On the other hand, thus far, there are rather few really new features in the release that did not come from Oracle's existing work; that is outside of some pleasant drawing improvements, which we hope to merge into LibreOffice for our next major release.




Cross-platform malware exploits Java to attack PCs and Macs | ZDNet
Summary: The same Java vulnerability used in the infamous Flashback malware is now being used as an attack vector for a single piece of malware that can infect both Windows and Mac OS X computers.

Security vendors have discovered a new piece of malware that attacks both PCs and Macs. It uses the same Java security vulnerability exploited by the Flashback malware that infected hundreds of thousands of Macs. While the attack vector is the same as in Flashback, this Java applet checks which OS it is running on and downloads suitable malware for it.
...

Patches for this Java vulnerability have been available since February 14 for Windows, Linux, and Unix computers. Apple released a patch in early April, before the Flashback botnet was discovered. Apple has not issued a Java security update for users running versions of Mac OS X prior to 10.6 (Snow Leopard) because it wants to upgrade to a newer version of its operating system. These users can only protect themselves by disabling Java.

If you don’t use Java, you also should disable it. Even if you don’t have it installed, always get the latest security updates for your operating system and software, whether it’s from Microsoft, Apple, or any other company.


Tuesday, May 15, 2012

Apple OS X security update for version 10.5 (Leopard)

Apple has released a security update for an older version of OS X, version 10.5 AKA Leopard, which is a "must install" for users with that version.  If you are running Leopard* you should update IMMEDIATELY.

Note that while Apple claims to disable "old versions of Flash" in their current update set, this is not completely true. They do NOT check to see if you are running the latest version, version 11.2.202.235. They only disable Flash if you are running version 10.1.102.64 or older, but there are many versions of Flash between 10.1.x and the current 11.2.x version. This is NOT a complete fix IMHO. If you are running Leopard, please apply this security update from Apple AND update your Flash Player manually from Adobe's website.

About the security content of Leopard Security Update 2012-003
Available for: Mac OS X v10.5 to 10.5.8 Intel

Impact: Out-of-date versions of Adobe Flash Player are disabled

Description: This update disables Adobe Flash Player if it is older than 10.1.102.64 by moving its files to a new directory. This update presents the option to install an updated version of Flash Player from the Adobe website.

Apple releases Leopard update, Flashback removal tool | TUAW - The Unofficial Apple Weblog
Apple has released a security update for Leopard, the first in quite a while, as well as a Flashback removal tool for that version of the OS.

According to Apple, Leopard Security Update 2012-003 "disables versions of Adobe Flash Player that do not include the latest security updates and provides the option to get the current version from Adobe's website."

Also, the Flashback Removal Security Update "removes the most common variants of the Flashback malware. If the Flashback malware is found, a dialog will notify you that malware was removed. In some cases, the update may need to restart your computer in order to completely remove the Flashback malware."

Grab them both to secure your Leopard machine.


* To determine what version of OS X you are running, follow the instructions on this page: How do I find my operating system (OS) version?

Monday, May 14, 2012

Adobe to patch Illustrator, Photoshop, and Flash Pro CS5.x for free

A few days ago I blogged about Adobe Security Patches for May 8, 2012
"Adobe has only fixed the security holes in new versions, and you have to pay to upgrade."
Well, Adobe realized it had some egg on its face regarding this policy and has quickly changed its mind. It will be providing security patches at some unspecified date in the future.

Adobe about-face: Photoshop, Illustrator patches will be free | ZDNet
Facing widespread criticism for its decision to bundle critical security updates into paid upgrades for Photoshop and Illustrator, Adobe has changed course and will now backport the fixes to existing software versions.

The company’s about-face was included in an update to the security bulletin:

We are in the process of resolving the vulnerabilities addressed in these Security Bulletins in Adobe Illustrator CS5.x, Adobe Photoshop CS5.x (12.x) and Adobe Flash Professional CS5.x, and will update the respective Security Bulletins once the patches are available.

The company did not provide a timeline for when the backported patches will be available.

Adobe backs down, will patch old software for free
Faced with a backlash from angry customers, Adobe bowed to the pressure and backpedalled on its original decision, deciding to patch the eight vulnerabilities in question free of charge.

"We are in the process of resolving the vulnerabilities addressed in these security bulletins in Adobe Illustrator CS5.x, Adobe Photoshop CS5.x and Adobe Flash Professional CS5.x, and will update the respective security bulletins once the patches are available," they stated.

They did not say how long it will take for the patches to be issued.

Tuesday, May 8, 2012

Adobe Security Patches for May 8, 2012

Adobe has released two security bulletins for Adobe Photoshop CS and Adobe Flash Professional CS.  However, there is bad news for those who use these Adobe products to create content: Adobe has only fixed the security holes in new versions, and you have to pay to upgrade.  The latest Adobe Security bulletins and advisories page, as of May 8, 2012, links to the advisories for these products, which tell users who cannot upgrade that "Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources."  In other words, you're being abandoned.

Those who cannot upgrade (or who choose not to support Adobe any longer) should look into alternative products such as GimpShop or LibreOffice Impress.  Two articles listing alternatives to these Adobe programs are here:

EDIT Fri 11 May 2012 14:32: Other blogs are chiming in on this issue, and they're NOT happy about Adobe's position:

In other Adobe security news, today Adobe has released another patch, this one free, for the Shockwave Player.  Details here: Security update available for Adobe Shockwave Player.

Adobe - Security Bulletins: APSB12-11 Security bulletin for Adobe Photoshop

Summary

Adobe released a security upgrade for Adobe Photoshop CS5.5 and earlier for Windows and Macintosh. This upgrade addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.

Adobe has released Adobe Photoshop CS6, which addresses these vulnerabilities. For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.

Affected software versions

Adobe Photoshop CS5.5 and earlier versions for Windows and Macintosh

Solution

Adobe has released Adobe Photoshop CS6 (paid upgrade), which addresses these vulnerabilities. For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.

Adobe - Security Bulletins: APSB12-12 Security bulletin for Adobe Flash Professional

Summary

Adobe released a security upgrade for Adobe Flash Professional CS5.5 (11.5.1.349) and earlier for Windows and Macintosh. This upgrade addresses a vulnerability that could allow an attacker who successfully exploits this vulnerability to take control of the affected system.

Adobe has released Adobe Flash Professional CS6, which addresses this vulnerability. For users who cannot upgrade to Adobe Flash Professional CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.

Affected software versions

Adobe Flash Professional CS5.5 (11.5.1.349) and earlier for Windows and Macintosh

Solution

Adobe has released Adobe Flash Professional CS6 (paid upgrade), which addresses this vulnerability. For users who cannot upgrade to Adobe Flash Professional CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.

Apple updates iOS for iPx devices

Information about the content of this update is not currently available, as Apple is usually VERY close-mouthed about security fixes, but all the sites are saying there are security holes that are plugged. Apple's security write-up on this update (HT5278) is still coming up blank.  The best write-up I have seen is the ZDNet article linked near the end of this blog posting.

Given the latest spate of fixes to other Apple operating systems, I would recommend that if you are offered this update through iTunes you accept it and update.  Of course, you are going to back up your data before you update, right?

ISC Diary | iOS 5.1.1 Software Update for iPod, iPhone, iPad
Apple released iOS 5.1.1 for iPod, iPhone, iPad (excluding Mac OS X), only available through iTunes. The updates address Safari and WebKit for iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2. At the time of this writing, the advisory was still not posted (APPLE-SA-2012-05-07-1) but the update is available through iTunes.

Apple offers iOS 5.1.1 update, fixes some serious vulnerabilities | Naked Security
Apple's latest update to iOS just came out. Version 5.1.1 is more than just a cosmetic fix: it patches at least three security flaws, all of which should be considered serious.

Information about the update can be found in Apple's knowledgebase article DL1521.

Unfortunately, the security reasons for updating sooner rather than later are hard to find from DL1521.

The page leads with a list of five "improvements and bug fixes", none of which is a compelling reason on its own to update now.

As usual, Apple relegates the security content of the update to the well-known landing page HT1222. But when I visited, the most recent security updates in the list were still April's malware-related Flashback fixes.

Nevertheless, the page you need to consult for iOS 5.1.1 does exist - it's HT5278, and if you have an iDevice, I strongly suggest you read it.

Apple patches serious security holes in iOS devices | ZDNet
Apple has shipped a high-priority iOS update to fix multiple security holes affecting the browser used on iPhones, iPads and iPod Touch devices.

The iOS 5.1.1 update fixes four separate vulnerabilities, including one that could be used to take complete control of an affected device.

Here’s the skinny of this batch of updates:
  • A URL spoofing issue existed in Safari. This could be used in a malicious web site to direct the user to a spoofed site that visually appeared to be a legitimate domain. This issue is addressed through improved URL handling. This issue does not affect OS X systems.
  • Multiple security holes in the open-source WebKit rendering engine.  These could lead to cross-site scripting attacks from maliciously crafted web sites. These vulnerabilities were used during Google’s Pwnium contest at this year’s CanSecWest conference.
  • A memory corruption issue in WebKit. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.  This issue was discovered and reported by Google’s security team.

This patch is only available via iTunes. To check that the iPhone, iPod touch, or iPad has been updated:

  • Navigate to Settings
  • Select General
  • Select About. The version after applying this update will be “5.1.1”.

Friday, May 4, 2012

Extremely Urgent: Adobe Flash Player Emergency Patch Released

Update your Adobe Flash Players ASAP, especially if you run Windows and use Internet Explorer or any of Microsoft's email programs (which use IE to display email).  The vulnerability exists in all versions of the Flash Player, but has not been used on other platforms -- YET.  Lots of noise about this in the press.

Adobe - Security Bulletins: APSB12-09 - Security update available for Adobe Flash Player
Release date: May 4, 2012

Adobe warns: Flash Player malware hitting IE on Windows users | ZDNet
By Ryan Naraine | May 4, 2012, 8:24am PDT

Summary: Although the vulnerability affects Flash Player on all platforms, the malware attacks target Flash Player on Internet Explorer for Windows only.

Adobe has shipped an extremely urgent Flash Player patch to block in-the-wild malware attacks against Windows users.

Adobe described the attacks as “targeted” and warned that malicious Flash files are being delivered in e-mail messages.

Although the vulnerability affects Flash Player on all platforms, the malware attacks target Flash Player on Internet Explorer for Windows only.

Adobe Releases Security Advisory for Adobe Flash Player - US-CERT Current Activity
Friday, May 4, 2012 at 11:06 am

Adobe has released a Security Advisory for Adobe Flash Player to address a vulnerability affecting the following software versions:

  • Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh, and Linux operating systems
  • Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x

This vulnerability may allow an attacker to cause a denial-of-service condition or take control of the affected system.

Critical Flash Update Fixes Zero-day Flaw — Krebs on Security
Adobe Systems Inc. today issued a security update to its Flash Player software. The company stressed that the update fixes a critical vulnerability that malicious actors have been using in targeted attacks.

Adobe classifies a security flaw as critical if it can be used to break into vulnerable machines without any help from users. The company said the vulnerability (CVE-2012-0779) fixed in the version released today has been exploited in targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message, and that the exploit used in the attacks seen so far target Flash Player on Internet Explorer for Windows only.
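Two of the posts above turn on version thresholds: Leopard Security Update 2012-003 disables Flash only if it is older than 10.1.102.64 (while the current build is 11.2.202.235), and APSB12-09 lists the affected "and earlier" builds per platform. The script below is an added example, not code from Apple, Adobe or this blog; it takes those thresholds as quoted on the page and runs them over a constructed inventory of installed Flash versions, so you can see which machines Apple's check would leave enabled yet still out of date, and which are in scope for APSB12-09.

```python
# Added example (not code from Apple, Adobe or this blog): version-threshold
# checks for the two Flash Player rules quoted in the posts above. Thresholds
# are taken from the page; the sample inventory at the bottom is constructed.
from typing import Dict, Tuple

LEOPARD_DISABLE_BELOW = "10.1.102.64"    # Leopard Security Update 2012-003 rule
FLASH_CURRENT_MAY_2012 = "11.2.202.235"  # version the blog author cites as current
# APSB12-09 affected versions ("and earlier"), keyed by platform family.
APSB12_09_AFFECTED: Dict[str, str] = {
    "windows": "11.2.202.233",
    "macintosh": "11.2.202.233",
    "linux": "11.2.202.233",
    "android4": "11.1.115.7",
    "android3": "11.1.111.8",
    "android2": "11.1.111.8",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version such as '11.2.202.235' into a tuple of ints.

    Comparing int tuples avoids the string-compare bug where '9.0.283.0'
    sorts after '11.2.202.233' because '9' > '1'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.
    Shorter versions are zero-padded, so '11.2' equals '11.2.0.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def leopard_update_disables(installed: str) -> bool:
    """Apple's rule as quoted: disable only if older than 10.1.102.64."""
    return compare_versions(installed, LEOPARD_DISABLE_BELOW) < 0


def out_of_date(installed: str, current: str = FLASH_CURRENT_MAY_2012) -> bool:
    """The check the blog author wants: anything older than current is stale."""
    return compare_versions(installed, current) < 0


def leopard_check_gap(installed: str) -> bool:
    """True for builds Apple leaves enabled although they are out of date,
    i.e. the range between 10.1.102.64 and the current 11.2.x the post flags."""
    return out_of_date(installed) and not leopard_update_disables(installed)


def affected_by_apsb12_09(platform: str, installed: str) -> bool:
    """True if the installed build is at or below the affected version listed
    for that platform (the bulletin says 'and earlier', so equal counts)."""
    threshold = APSB12_09_AFFECTED[platform.lower()]
    return compare_versions(installed, threshold) <= 0


if __name__ == "__main__":
    # Constructed sample inventory: (platform, installed Flash Player version).
    inventory = [("macintosh", "10.0.45.2"), ("macintosh", "10.3.183.90"),
                 ("windows", "11.2.202.233"), ("android4", "11.1.115.7"),
                 ("linux", "9.0.283.0"), ("windows", "11.2.202.235")]
    for platform, ver in inventory:
        print(f"{platform:10} {ver:14} apsb12-09={affected_by_apsb12_09(platform, ver)!s:5} "
              f"leopard_gap={leopard_check_gap(ver)}")
```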