Thursday, June 28, 2012

Non-Microsoft patches for June

Here are some other miscellaneous security patches and notices you may want to look at.  Java was updated earlier this month, both for Windows (7u5 and 6u33) and Mac OS X.  If you have Java, please read the articles and update.  Adobe's Flash Player for Firefox was updated last week (to version 11.3.300.262), as was Adobe AIR (to version 3.3.0.3610).  Firefox was updated to version 13.0.1 and 10.0.5 ESR in conjunction with the Flash Player update.

If you run iTunes, you need to update it.

One final story got left out of my last blog post about Microsoft updates. It's the first link below. If you run IE, PATCH NOW!

There are some additional security patches which may be of minor interest.  On Monday, May 14, 2012, I posted a notice that Adobe would patch Illustrator, Photoshop, and Flash Pro CS5.x for free. Well, they have finally patched the last member of the three, Flash Pro.  Google's Chrome browser got patched again, but since it auto-updates you should already be using this version.  If you use WinAmp, you should patch to the latest version.  Links are below.
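Since this round-up is mostly a list of "patched to version X" statements, here is an added example (my own code, not part of the original post) that turns those version numbers into an inventory check. It parses the three version formats quoted on this page (dotted Adobe/Mozilla/Apple versions, Java's short "7u5" form and its long "1.6.0_33" form), compares them numerically rather than as strings, and reports which installed products are still below the patched versions. The product names and the sample inventory are constructed for the example.

```python
"""Added example: flag installed software that is older than the patched
versions quoted in this June 2012 round-up.

Version strings on the page come in three shapes, so they are normalised to
integer tuples before comparing (plain string comparison would rank
"11.9" above "11.10"):
  dotted      "11.3.300.262", "13.0.1", "10.6.3"
  Java short  "7u5", "6u33"        -> (1, 7, 0, 5), (1, 6, 0, 33)
  Java long   "1.6.0_33"           -> (1, 6, 0, 33)
"""
import re

# Patched versions quoted on this page (product labels are this example's own).
PATCHED = {
    "Java 7": "7u5",
    "Java 6": "6u33",
    "Flash Player (Firefox, Windows)": "11.3.300.262",
    "Adobe AIR": "3.3.0.3610",
    "Firefox": "13.0.1",
    "Firefox ESR": "10.0.5",
    "iTunes": "10.6.3",
}


def parse_version(text):
    """Return a tuple of ints that sorts correctly across the formats above."""
    text = text.strip()
    m = re.fullmatch(r"(\d+)u(\d+)", text)            # Java "7u5"
    if m:
        return (1, int(m.group(1)), 0, int(m.group(2)))
    m = re.fullmatch(r"1\.(\d+)\.(\d+)_(\d+)", text)  # Java "1.6.0_33"
    if m:
        return (1, int(m.group(1)), int(m.group(2)), int(m.group(3)))
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in text.split("."))


def is_outdated(product, installed):
    """True when the installed version is below the patched version."""
    want = parse_version(PATCHED[product])
    have = parse_version(installed)
    # Pad the shorter tuple with zeros so that "13.0" compares as "13.0.0".
    width = max(len(want), len(have))
    want += (0,) * (width - len(want))
    have += (0,) * (width - len(have))
    return have < want


def outdated_products(inventory):
    """Given {product: installed_version}, return (product, installed,
    patched) triples for everything that still needs the June 2012 update."""
    return sorted(
        (product, version, PATCHED[product])
        for product, version in inventory.items()
        if product in PATCHED and is_outdated(product, version)
    )


if __name__ == "__main__":
    # Constructed sample inventory, not data from a real machine.
    sample = {
        "Java 7": "1.7.0_04",                      # one update behind 7u5
        "Java 6": "6u33",                          # current
        "Flash Player (Firefox, Windows)": "11.3.300.257",
        "Firefox": "13.0",                         # 13.0 is below 13.0.1
        "iTunes": "10.6.3",                        # current
    }
    for product, have, want in outdated_products(sample):
        print("%s: installed %s, patched version is %s" % (product, have, want))
```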

  • Bad guys using unpatched Internet Explorer flaw to hack Gmail accounts

    Last week, Google warned its users that “state-sponsored attacks” were under way aimed at accessing Gmail accounts. Those targeted saw a message at the top of their Gmail inboxes warning that “state-sponsored attackers may be attempting to compromise your account or computer”.

    At the time, Google was mum on the specific exploit, but on Wednesday Microsoft provided details in a security advisory, and they’re not pretty. Google also discussed the exploit in its own blog post.

    Cyberscum are taking advantage of an unpatched, zero-day flaw in Windows XP or later to run malicious code on the user’s computer. The code is planted when the user visits a poisoned website using any version of Internet Explorer. The exploit also works through Microsoft Office documents.

    This is a silent, drive-by download. If you’re attacked, you may not know it . . . unless you get that cryptic message atop your Gmail inbox.

    On Tuesday, Microsoft released some security fixes for Windows, but a patch for this flaw was not included. Don’t think your Windows PC is protected if you conscientiously updated this week. However, Microsoft has released a “Fix It For Me” item that will block the exploit. All Windows users should apply this, even if you don’t use IE or Gmail, but keep in mind it does not fix the underlying flaw in Windows. A future patch – possibly one released before the next Patch Tuesday – will be released for a true fix.

  • Apple, Oracle Ship Java Security Updates — Krebs on Security
    Wednesday, June 13th, 2012
    There must have been some rare planetary alignment yesterday, because the oddest thing happened: Apple and Oracle both shipped software updates for the same Java security flaws on the very same day.  ... The update Oracle released yesterday, Java 6 Update 33 and Java 7 Update 5, fixes at least 14 security flaws in the oft-attacked software that is installed on more than three billion devices worldwide. Apple’s Java update brings Java on the Mac to 1.6.0_33, and patches 11 of the 14 security vulnerabilities that Oracle fixed in Tuesday’s release. It’s unclear whether those other three flaws simply don’t exist in the Mac version of Java, but we’ll take progress where we can get it.
  • ISC Diary | Java 7u5 and 6u33 released
    Published: 2012-06-12,
    Oracle is releasing Java 7 update 5 and Java 6 update 33 today.

    Updated after Oracle released the vulnerability details.

    Unfortunately it's all still made to be useless to determine what the problems are with the software and perform your own risk assessments.

    Just note there are CVSS scores of 10 in there, and in the past months we saw what slacking on patching Java can do (Ref: the recent Apple Mac OS X malware), so just patch this on a rather urgent time schedule due to lack of detailed descriptions.

    Update:

    My words above were barely written or I got the notification of Apple that they are releasing Java for OS X 2012-004 and Java for Mac OS X 10.6 Update 9 today as well. This brings them in line with the updates to 1.6.0_33 above as well as implementing the deactivation of the Java browser plugin and Java Web Start if they remain unused for 35 days to Snow Leopard and deactivating the Java browser plugin and Java Web Start if they do not meet the criteria for minimum safe versions (on both Lion and Snow Leopard).

  • Adobe fixes Flash Player for Firefox to stop crashes | Applications - InfoWorld
    June 22, 2012

    Adobe yesterday updated Flash Player to solve a weeks-long problem for users of Mozilla's Firefox browser.

    The update, Flash Player 11.3.300.262, was released Thursday and applies only to Firefox on Windows.

    Since Adobe shipped an update to Flash Player to 11.3 two weeks ago, users of Firefox, including older editions as well as the current Firefox 13, had reported crashes when trying to access Flash content.

  • Release Notes | Flash Player 11.3 AIR 3.3
    June 21, 2012. Welcome to Adobe® Flash Player® 11.3 and AIR® 3.3. This release includes bug fixes related to stability with Firefox on Windows.
  • ISC Diary | Apple iTunes Security Update
    Published: 2012-06-12
    Apple announced a new update for iTunes today. Per APPLE-SA-2012-06-11-1, this update addresses a problem when importing a maliciously crafted m3u playlist within iTunes and a problem within WebKit when visiting a maliciously crafted website.

    The bulletin is available at http://support.apple.com/kb/HT5318.

  • About the security content of iTunes 10.6.3



Microsoft Updates for June: Critical PATCH NOW fix for IE, an additional manual FixIt needed

Sorry, I've been unable to keep this up to date in a timely fashion, which is Not Good. I hope you all have been keeping up with your patching.

Windows Updates for June, 2012, included some critical patches, and one that ISC rated PATCH NOW! to fix a soon-to-be-in-the-wild flaw in Microsoft Internet Explorer and Microsoft Office. If you have not patched any of your systems where you use IE or Office, you need to do so ASAP. In addition, Microsoft issued a separate advisory about a "browse-and-get-owned flaw that can be triggered when an Internet Explorer user on any supported version of Windows visits a specially crafted Web page. Microsoft does not have an official patch available yet for this flaw, but it has issued a FixIt tool workaround that effectively disables the vulnerable component"

Not quite one week later ZDNet published an article stating that exploit code for the IE/Office vulnerability was now publicly available to hackers. Many other security sites are reporting on these issues. Lots of useful links and technical info are below.

If you use IE for your Internet surfing, you should run Windows Update AND run the MS FixIt tool workaround ASAP.

(EDIT: Added final link to MS Blog entry about the FixIt.)
  • ISC Diary | Microsoft June 2012 Black Tuesday Update - Overview
  • Patch Tuesday: Microsoft raises alert for dangerous IE, Windows flaws | ZDNet
    By Ryan Naraine | June 12, 2012, 2:13pm PDT

    Summary: Microsoft expects to see exploit code targeting at least one of the vulnerabilities within the next 30 days.

    Microsoft today warned that cyber-criminals could soon aim exploits at critical security flaws in Internet Explorer browser and Windows to hijack and take complete control of vulnerable machines.

    The warning comes as part of this month’s Patch Tuesday where Microsoft released 7 bulletins with fixes for at least 26 documented vulnerabilities affecting the Windows ecosystem.

    The company is urging users to pay special attention to MS12-037 and MS12-036, which provide cover for “remote code execution” vulnerabilities that could be used in worm attacks and drive-by downloads without any user interaction.
  • Microsoft Patches 26 Flaws, Warns of Zero-Day Attack — Krebs on Security
    Microsoft today released updates to plug at least 26 separate security holes in its Windows operating systems and related software. At the same time, Microsoft has issued a stopgap fix for a newly-discovered flaw that attackers are actively exploiting.
    ...
    In a separate advisory published today, Microsoft warned that it is aware of active attacks that leverage a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0 and 6.0. This is a browse-and-get-owned flaw that can be triggered when an Internet Explorer user on any supported version of Windows visits a specially crafted Web page. Microsoft does not have an official patch available yet for this flaw, but it has issued a FixIt tool workaround that effectively disables the vulnerable component. The vulnerability was discovered by Google, which said it saw the flaw being exploited in the wild in targeted attacks.
  • Google Online Security Blog: Microsoft XML vulnerability under active exploitation
    Tuesday, June 12, 2012 12:53 PM
    Posted by Andrew Lyons, Security Engineer

    Today Microsoft issued a Security Advisory describing a vulnerability in the Microsoft XML component. We discovered this vulnerability—which is leveraged via an uninitialized variable—being actively exploited in the wild for targeted attacks, and we reported it to Microsoft on May 30th. Over the past two weeks, Microsoft has been responsive to the issue and has been working with us. These attacks are being distributed both via malicious web pages intended for Internet Explorer users and through Office documents. Users running Windows XP up to and including Windows 7 are known to be vulnerable.

    As part of the advisory, Microsoft suggests installing a Fix it solution that will prevent the exploitation of this vulnerability. We strongly recommend Internet Explorer and Microsoft Office users immediately install the Fix it while Microsoft develops and publishes a final fix as part of a future advisory.
  • Attack code published for 'critical' IE flaw; Patch your browser now | ZDNet

    By Ryan Naraine | June 18, 2012, 3:09am PDT

    Summary: Microsoft has confirmed that this flaw is being used in “limited attacks” but the company has not (yet) updated its MS12-037 bulletin to make it clear that public exploit code is now widely available.

  • ISC Diary | Microsoft Security Advisory 2719615 - MSXML - CVE-2012-1889
    Published: 2012-06-12,
    Several readers mentioned that Microsoft today issued a Security advisory regarding Microsoft XML Core Services (MSXML). This is in response to active exploitation.

    The issue affects Office 2003 and 2007 on all versions of Windows. All a user has to do to fall victim is visit the wrong website using IE.

    Microsoft has issued a fixit for it in the form of an msi file (see the KB 2719615 link below).

    Alternative strategies would be to use browsers that do not support ActiveX, or disable the support in IE.

    Links:


  • Active Zero-Day Exploit Targets Internet Explorer Flaw | Blog Central
    Tuesday, June 12, 2012 at 1:02pm by Yichong Lin
  • MSXML: Fix it before fixing it - Security Research & Defense - Site Home - TechNet Blogs
    13 Jun 2012 6:30 PM

    Yesterday, Microsoft released Security Advisory 2719615, associated to a vulnerability in Microsoft XML Core Services. We want to share more details about the issue and explain the additional workarounds available to help you protect your computers.

Friday, June 8, 2012

Adobe Patches: Flash Player, Illustrator CS5, and Photoshop CS5 (12.0)

Today Adobe released updates to its ubiquitous Flash Player. The business versions of the patch haven't been posted to the download site yet so I haven't tested them. Home users who don't have a version of the Flash Player which updates itself should apply the patches as soon as they can since the auto-updating version fixes a number of known vulnerabilities. Adobe rates the Windows and Mac versions as Priority 2, saying "This update resolves vulnerabilities in a product that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for instance, within 30 days)."  I will advise you when the business versions are available so you can distribute them without needing to update each machine on your network manually.

Almost a month ago (on Monday, May 14, 2012), I posted a notice that Adobe would patch Illustrator, Photoshop, and Flash Pro CS5.x for free. Well, they have patched Illustrator and Photoshop CS5.x now. Flash Pro is not patched yet. If you have either of these products, I recommend you apply the patches as the Bad Guys have had almost a month to reverse-engineer the fixes that went into CS6.

Critical Security Fixes for Adobe Flash Player — Krebs on Security
Adobe has released a critical update to its Flash Player software that fixes at least seven security vulnerabilities in the program. The new version also extends sandboxing protection to Mac OS X users browsing the Web with Mozilla Firefox.

The update, Flash Player 11.3, plugs at least seven security holes in Flash Player and Adobe Air. The company warns that attackers could use these flaws to crash the applications and seize control over unpatched systems. Flash updates are available for Windows, Mac, Linux and Android systems. Adobe AIR patches are available for Windows, Mac and Android platforms. See the chart below for the latest, patched versions numbers for each platform.


Adobe - Security Bulletins: APSB12-14 - Security updates available for Adobe Flash Player
Adobe released security updates for Adobe Flash Player 11.2.202.235 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.8 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.9 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe - Security Bulletins: APSB12-09 - Security bulletin for Adobe Illustrator
Adobe released security updates for Adobe Illustrator CS5 (15.0.x) and Adobe Illustrator CS5.5 (15.1) for Windows and Macintosh. These updates address vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.
Adobe - Security Bulletins: APSB12-11 Security bulletin for Adobe Photoshop
Adobe released security updates for Adobe Photoshop CS5 (12.0) and Adobe Photoshop CS5.1 (12.1) for Windows and Macintosh. These updates address vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.

Security updates to Mozilla Firefox and Thunderbird

New versions of Mozilla products Firefox, Thunderbird (email) and Seamonkey (web suite) have all been released. Technical details of the fixes to Firefox can be found here: Security Advisories for Firefox; details for Firefox ESR, the business version of Firefox, can be found here: Security Advisories for Firefox ESR. Links to update info on the other products are here: Known Vulnerabilities in Mozilla Products.  I'm not having any issues with my Firefoxes after patching, so you should apply the updates.  Please call me if you need help with any of this.

US-CERT: Mozilla Releases Multiple Updates
added Wednesday, June 6, 2012 at 11:40 am

The Mozilla Foundation has released updates for the following products to address multiple vulnerabilities:
  • Firefox 13.0
  • Firefox ESR 10.0.5
  • Thunderbird 13.0
  • Thunderbird ESR 10.0.5
  • SeaMonkey 2.10
These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, disclose sensitive information, operate with elevated privileges, or perform a cross-site scripting attack.

US-CERT encourages users and administrators to review the Mozilla Foundation's Advisory for Firefox 13, Firefox ESR 10.0.5, Thunderbird 13, Thunderbird ESR 10.0.5, SeaMonkey 2.10 and apply any necessary updates to help mitigate the risk.

Emergency Patch to fix security hole in Microsoft Windows Update

This one looks like it is under control now, but if you don't have Windows Update turned on and haven't updated recently, stop reading and update NOW!  Someone very clever figured out how to distribute software that looks like it is digitally signed by Microsoft, so it would be inherently trusted by your computer and installed without asking you for permission.  Since Windows Updates for June will come out on Tuesday next week, you should get this done before then!

The first and last articles linked below are the most readable.

‘Flame’ Malware Prompts Microsoft Patch — Krebs on Security
Microsoft has issued an emergency security update to block an avenue of attack first seen in “Flame,” a newly-discovered, sophisticated malware strain that experts believe was designed to steal data specifically from computers in Iran and the Middle East.

According to Microsoft, Flame tries to blend in with legitimate Microsoft applications by cloaking itself with an older cryptography algorithm that Microsoft used to digitally sign programs.

“Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft,” the company said in a blog posting today.

Unauthorized digital certificates could allow spoofing
Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, visit the following Microsoft website:  http://technet.microsoft.com/security/advisory/2718704
ISC Diary | Microsoft Emergency Bulletin: Unauthorized Certificate used in "Flame"
Published: 2012-06-04,
Last Updated: 2012-06-05 10:29:19 UTC
by Johannes Ullrich (Version: 4)

Microsoft just released an emergency bulletin, and an associated patch, notifying users of Windows that a "unauthorized digital certificates derived from a Microsoft Certificate Authority" was used to sign components of the "Flame" malware.
....
It is not clear from the bulletin, who had access to these intermediate certificates, and if they were abused by an authorized user, or if they were compromised and used by an unauthorized user. Either way: Apply the patch.

The bulletin also doesn't state if this intermediate certificate authority or certificates derived from it could be used to fake the patch. Microsoft Certificates are used to sign patches, and a compromise could lead to a severe break in the trust chain. The use of a "real" Microsoft certificate is surely going to increase the speculations as to the origin of Flame.

US-CERT: Unauthorized Microsoft Digital Certificates
added Monday, June 4, 2012 at 09:16 am | updated Tuesday, June 5, 2012 at 12:20 pm

Microsoft has released a security advisory to address the revocation of a number of unauthorized digital certificates. Maintaining these certificates within your certificate store may allow an attacker to spoof content, perform a phishing attack, or perform a man-in-the-middle attack.
....
Microsoft has provided an update to all supported versions of Microsoft Windows to address this issue. Additional information can be found in Microsoft Security Advisory 2718704.

US-CERT encourages users and administrators to apply any necessary updates to help mitigate the risk.

Update: For more information, please see US-CERT Technical Alert TA12-156A.
Flame malware used man-in-the-middle attack against Windows Update | Naked Security
by Chester Wisniewski on June 4, 2012

Microsoft has released an emergency update for all versions of Windows to address a certificate flaw that was used to spread the Flame malware from machine to machine.

Of course you have to trust that your connection to Windows Update is not being attacked while you're retrieving the update that prevents you from being attacked.

This is not the first time we have seen malware abusing digital certificates, but this one is a bit more advanced than previous attacks.

6.5 million LinkedIn Passwords leaked; eHarmony, Last.FM passwords also leaked.

There has been lots of urgent security news these last few days.  I'll be posting them as several different entries to allow me to include some detail, but email notifications to my clients will go as one consolidated email.

First, for LinkedIn users, bad news: a hashed database containing 6.5 million of your passwords leaked.  Mine was among them, but it had not been "cracked" before I got it changed (it was 12 characters, MiXed CasE, with some punctuation and digits, so it would have been difficult if not impossible to match easily).  Several articles below have details.  To check if your password is among those leaked, CHANGE IT FIRST, then go to LeakedIn: Is your password safe?. Depending on your password, you will see one of the following boxes:





More info here:
Change your LinkedIn password now | Ed Bott
Published June 6, 2012

If you have a LinkedIn account, it’s time to change your password.

As my colleague Zack Whittaker at ZDNet reports, roughly 6.5 million user passwords have apparently been downloaded and made publicly available.

It now looks like LinkedIn may have handled this both quickly enough AND in the right way -- they're claiming nobody's account was hacked.  However if you use the same login (email address) and password on LinkedIn that you use on any other website, you should immediately change your passwords there as well.  I don't have that problem -- I use a password manager called  LastPass to handle all my web passwords -- I have no idea what most of them are, LastPass handles that for me.
Linkedin Blog » Taking Steps To Protect Our Members
Since we became aware of this issue, we have been taking active steps to protect our members. Our first priority was to lock down and protect the accounts associated with the decoded passwords that we believed were at the greatest risk. We’ve invalidated those passwords and contacted those members with a message that lets them know how to reset their passwords.

Going forward, as a precautionary measure, we are disabling the passwords of any other members that we believe could potentially be affected. Those members are also being contacted by LinkedIn with instructions on how to reset their passwords.
If you want to read more about this, see many recent entries on the Linkedin Blog.  Other news stories can be found at LinkedIn confirms passwords were 'compromised' | Security & Privacy - CNET News and 6.46 million LinkedIn passwords leaked online | ZDNet.

There are also MANY reports that dating site eHarmony and music site Last.fm suffered similar breaches. Using the same password in different places just puts you at risk for this kind of problem, so if you don't already use a password manager like LastPass please PLEASE PLEASE start doing so to make your on-line life easier and safer.
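The LinkedIn paragraph above describes checking whether your password is in the leaked hash database, and why a hashed dump can still be "cracked". Here is an added example (my own code, not part of the original post or of LinkedIn's or LeakedIn's systems) that shows both points with standard-library Python. It assumes the dump holds one unsalted SHA-1 hex digest per password (an assumption; the post only says "hashed"); the leaked set and the sample accounts are constructed for the example, not taken from the real dump. Running this kind of check locally also means the password never has to be typed into a third-party site.

```python
"""Added example: a local "is my hash in the leak" check, and why unsalted
hashes let a leak be attacked in bulk while per-user salts do not.

Assumption: the dump contains unsalted SHA-1 hex digests (not stated on the
page). All hashes below are constructed from sample passwords.
"""
import hashlib
import os


def sha1_hex(password):
    """Unsalted SHA-1, the fast hash assumed for the leaked database."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed "leaked database": unsalted hashes of three sample passwords.
LEAKED = {sha1_hex(p) for p in ("linkedin", "Password1", "Tr0ub4dor&3")}


def in_leak(password, leaked=LEAKED):
    """The LeakedIn-style check: hash the candidate and look it up.
    Because there is no salt, one hash of the candidate answers the question
    for every account in the dump at once."""
    return sha1_hex(password) in leaked


# Constructed sample accounts; alice and bob reuse the same password.
ACCOUNTS = {"alice": "linkedin", "bob": "linkedin", "carol": "Tr0ub4dor&3"}


def unsalted_store(accounts):
    """How the leaked database stored passwords: one SHA-1 per user."""
    return {user: sha1_hex(pw) for user, pw in accounts.items()}


def salted_hash(password, salt=None):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 here).
    Stored as 'salt_hex:digest_hex' so the salt is available for verification."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def salted_store(accounts):
    return {user: salted_hash(pw) for user, pw in accounts.items()}


def verify_salted(password, stored):
    """Recompute with the stored salt; a guess has to be re-hashed per account."""
    salt_hex, _ = stored.split(":")
    return stored == salted_hash(password, bytes.fromhex(salt_hex))


def duplicate_groups(store):
    """Users whose stored value is identical. In an unsalted store this exposes
    shared passwords and means one recovered hash unlocks all of them."""
    groups = {}
    for user, value in store.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


if __name__ == "__main__":
    print(in_leak("linkedin"), in_leak("correct horse battery staple"))
    print("unsalted duplicates:", duplicate_groups(unsalted_store(ACCOUNTS)))
    print("salted duplicates:  ", duplicate_groups(salted_store(ACCOUNTS)))
    print(verify_salted("linkedin", salted_hash("linkedin")))
```

With unsalted hashes alice and bob show up as a duplicate pair; with per-user salts the same two passwords produce different stored values, so each account must be attacked separately.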