Thursday, February 23, 2012

Two months of security links

I promise to get better about more frequent updates ... anyway, you need to update just about everything that touches the Internet or processes stuff downloaded from the 'net or in email


Browser Patches:

ASF note: Consider the Iron Browser instead of Chrome if you're at all concerned about Google and your privacy.

Adobe Updates this year:

  • ISC Diary | Adobe January 2012 Black Tuesday overview

    Adobe Reader and Acrobat patches

  • Adobe plugs critical Reader X security holes | ZDNet

    Adobe has shipped a critical Reader X update to fix at least six security flaws that expose Windows and Mac OS X users to hacker attacks.

    “These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system,” Adobe warned in an advisory.

  • Flash Player Update Nixes Zero-Day Flaw — Krebs on Security

    Adobe has issued a critical security update for its ubiquitous Flash Player
    software. The patch plugs at least seven security holes, including one reported
    by Google that is already being used to trick users into clicking on malicious
    links delivered via email. 

  • Adobe Flash Player XSS flaw under 'active attack' | ZDNet

    Adobe ships a Flash Player patch amidst reports that a universal cross-site
    scripting flaw “is being exploited in the wild in active targeted attacks.”

  • Adobe confirms new zero-day Flash bug

    Adobe on Wednesday patched seven critical vulnerabilities in Flash Player, including one reported by Google researchers that hackers are using in "active
    targeted attacks." The bug attackers have been exploiting is a cross-site scripting (XSS) flaw in the Flash Player plug-in used by Microsoft's Internet
    Explorer (IE). 

  • Adobe - Security Bulletins: APSB12-03 - Security update available for Adobe Flash Player

    This update addresses critical vulnerabilities in Adobe Flash Player
    11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris,
    Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe
    Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x. These
    vulnerabilities could cause a crash and potentially allow an attacker to take
    control of the affected system. This update also resolves a universal
    cross-site scripting vulnerability that could be used to take actions on a
    user's behalf on any website or webmail provider, if the user visits a
    malicious website. There are reports that this vulnerability (CVE-2012-0767) is
    being exploited in the wild in active targeted attacks designed to trick the
    user into clicking on a malicious link delivered in an email message (Internet
    Explorer on Windows only).

    Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions
    for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player
    11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on
    Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of
    Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier
    versions should update to Flash Player 11.1.111.6.


  • Critical Fixes from Microsoft, Adobe — Krebs on Security

    Adobe released a critical update that addresses nine vulnerabilities in its
    Shockwave Player software. 

  • Adobe - Security Bulletins: APSB12-02 - Security update available for Adobe Shockwave Player

    This update addresses critical vulnerabilities in Adobe Shockwave Player 11.6.3.633 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.3.633 and earlier versions update to Adobe Shockwave Player 11.6.4.634 using the instructions provided below.


Oracle Java Updates this month:

  • Java Security Update Scrubs 14 Flaws — Krebs on Security

    Oracle has shipped a critical update that fixes at least 14 security
    vulnerabilities in its Java JRE software. The company is urging users to deploy the fixes as quickly as possible.

  • Have you uninstalled Java yet? Here are 14 new reasons... | ZDNet

    Summary: All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

    If you still haven’t uninstalled Java to reduce the attack surface on your computer, here are 14 new reasons from Oracle Sun.  A new version of the Java SE has been released to patch 14 documented security vulnerabilities, some serious enough to let hackers remotely install malware on vulnerable machines.


Microsoft Updates in January and February

  • 'Critical' Windows Media flaws put millions at risk | ZDNet

    By Ryan Naraine | January 10, 2012, 12:04pm PST
    Microsoft has dropped its first batch of security bulletins for 2012: Seven bulletins with cover for at least eight vulnerabilities affecting all versions of the Windows operating system.

    The company is urging Windows users to pay special attention to MS12-004, a “critical” bulletin that provides fixes for two serious flaws in the way Windows Media handles certain media files.

  • Adobe, Microsoft Issue Critical Security Fixes — Krebs on Security

    Tuesday, January 10th, 2012
    Adobe and Microsoft today each issued software fixes to tackle dangerous security flaws in their products. If you use Acrobat, Adobe Reader or Windows, it’s time to patch.

  • Critical Fixes from Microsoft, Adobe — Krebs on Security

    If you use Microsoft Windows, it’s time again to get patched: Microsoft today issued nine updates to fix at least 21 security holes in its products.

    Friday, December 30, 2011

    Unusual out-of-cycle Microsoft Patch

    This one shouldn't affect most people, but system admins would be well advised to take a look at this seriously.  For Microsoft to issue an out-of-cycle patch on a Thursday is very unusual, so there may be some serious side-effects they're not disclosing.  Even if you don't think you're running an ASP.NET server you might be, as many modern services actually run a web server inside your machine.

    None of my systems (XP Pro, Windows 7 Pro, Windows Server 2008 R2) required a reboot.

    Microsoft releases out-of-band security update to plug .NET hole | ZDNet

    MS11-100, released today, is a rare out-of-band security update—one delivered on a Thursday, several weeks ahead of the next regularly scheduled Patch Tuesday release. ...

    The four patched vulnerabilities affect the Microsoft .NET Framework on every supported version of Windows, including Windows XP SP3, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008 and 2008 R2. Exploits against unpatched systems could allow an attacker to “take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands.”
    ...
    Typically, an out-of-band update indicates that the risk of “in the wild” exploits is high, so this update demands immediate attention.

    Microsoft delivers rare out-of-band patch for ASP.NET issue - SC Magazine US

    Microsoft engineers on Thursday gave IT administrators a late Christmas present: a fix for an unpatched and publicly known vulnerability affecting the software giant's ASP.NET web application framework.

    One day after disclosing the flaw, which affects ASP.NET versions 1.1 and later on all supported versions of the .NET Framework, Microsoft released an emergency patch, which also addresses three other bugs, all of which were privately reported.


    "An attacker who successfully exploited this vulnerability could take
    any action in the context of an existing account on the ASP.NET site,
    including executing arbitrary commands," the bulletin from Microsoft
    said.


    What makes the previously unpatched bug particularly worrisome is
    that it enables attackers to use limited means to launch a devastating
    denial-of-service (DoS) attack against web servers. According to
    Microsoft, "a single, specially crafted ~100kb HTTP request can consume
    100 percent of one CPU core for between 90 to 110 seconds."


    Friday, December 16, 2011

    Adobe Reader 9.4.7 patch is out

    This patch fixes an in-the-wild exploit.  Adobe Reader X has the same vulnerability but in its default configuration has protections which prevent the exploit from working.  If you have AR9, PATCH NOW.  If you have AR X, make sure your settings are configured properly.  Foxit Software has issued a press release claiming their software is not affected by this flaw.

    Adobe - Security Bulletins: APSB11-30 - Security updates available for Adobe Reader and Acrobat

    There have been reports of two critical vulnerabilities being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows. These vulnerabilities (CVE-2011-2462, referenced in Security Advisory APSA11-04, and CVE-2011-4369) could cause a crash and potentially allow an attacker to take control of the affected system.

    While these vulnerabilities exist in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh, there is no immediate risk to users of Adobe Reader and Acrobat X for Windows (with Protected Mode/Protected View enabled), Adobe Reader and Acrobat X or earlier versions for Macintosh, and Adobe Reader 9.x for UNIX based on the current exploits and historical attack patterns.

    Today's updates address these vulnerabilities in Adobe Reader and Acrobat 9.x for Windows. Adobe recommends users of Adobe Reader 9.4.6 and earlier 9.x versions for Windows update to Adobe Reader 9.4.7. Adobe recommends users of Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows update to Adobe Acrobat 9.4.7.

    FOXIT® READER SAFE FROM LATEST “ZERO-DAY” (CVE-2011-2462) VULNERABILITY - Foxit Software

    FREMONT, Calif. - December 14, 2011 - Foxit® Corporation, a leading provider of solutions for reading, editing, creating, organizing, and securing PDF documents, today announced that the Foxit Reader is not vulnerable to the latest zero-day (CVE-2011-2462) vulnerability. Users who are concerned about this much publicized issue should feel safe in downloading the Foxit Reader to meet their PDF reader requirements.

    If you have either Adobe Reader or Foxit Reader, I recommend you disable all javascript and multimedia operations and (in Adobe Reader) disable AR's ability to call other programs.
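    One way to check that a Windows user's Adobe Reader 9 or X profile actually has the settings recommended above (JavaScript off, no launching of external programs, Protected Mode on for AR X). This is an added example, not code from the original post or from Adobe; the registry value names and their defaults are assumptions to confirm against Adobe's Preference Reference for your release.

```powershell
# Added example (not from the original post or from Adobe). Read-only audit of
# the per-user Adobe Reader preferences under HKCU\Software\Adobe\Acrobat Reader\<ver>.
# Value names and defaults are assumptions; confirm them in Adobe's Preference
# Reference. HKLM FeatureLockDown policies, where present, override these values.

function Get-ReaderHardeningStatus {
    param([string[]]$Versions = @('9.0', '10.0'))   # AR9 and AR X, as discussed in the post

    # Subkey, value name, the setting the post recommends, what Reader assumes when the
    # value is absent (assumed defaults), why it matters, and the releases it applies to.
    $checks = @(
        @{ Sub='JSPrefs';      Name='bEnableJS';      Want=0; Default=1; Why='Acrobat JavaScript off';             Vers=@('9.0','10.0') },
        @{ Sub='TrustManager'; Name='bAllowOpenFile'; Want=0; Default=1; Why='no opening of attachments/programs'; Vers=@('9.0','10.0') },
        @{ Sub='Privileged';   Name='bProtectedMode'; Want=1; Default=1; Why='Protected Mode sandbox on (AR X)';   Vers=@('10.0') }
    )

    foreach ($v in $Versions) {
        $base = "HKCU:\Software\Adobe\Acrobat Reader\$v"
        if (-not (Test-Path $base)) { continue }           # that release is not installed for this user
        foreach ($c in $checks) {
            if ($c.Vers -notcontains $v) { continue }
            $key = Join-Path $base $c.Sub
            $val = $null
            if (Test-Path $key) {
                # Missing value -> $null; Reader then falls back to its built-in default.
                $val = (Get-ItemProperty -Path $key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
            }
            $effective = if ($null -eq $val) { $c.Default } else { [int]$val }
            $status = if ($effective -eq $c.Want) { 'OK' } else { 'WEAK' }
            if ($null -eq $val) { $status += ' (not set, default applies; set it explicitly)' }

            [pscustomobject]@{
                Reader    = $v
                Setting   = "$($c.Sub)\$($c.Name)"
                Value     = $val
                Effective = $effective
                Wanted    = $c.Want
                Status    = $status
                Purpose   = $c.Why
            }
        }
    }
}

Get-ReaderHardeningStatus | Format-Table -AutoSize
```

    Run it in the user's own session, since the preferences live under HKCU; an empty table means neither Reader 9 nor Reader X has written a profile for that user.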

    December Windows Update - PATCH NOW! Also, Java updates are out.

    The December Windows Updates were released on Tuesday, and one of them is rated PATCH NOW! by SANS as it is actively being exploited already.  The patches are widely documented both on user-friendly blogs and Microsoft's Technet blog.
    ISC Diary | December 2011 Microsoft Black Tuesday Summary

    Security Updates for Microsoft Windows, Java — Krebs on Security

    Microsoft today issued software updates to patch at least 19 security holes in Windows, including three flaws that earned the company’s most serious “critical” rating. Separately, Oracle released a security update that fixes several issues in its Java software.

    The most talked-about vulnerability fixed in December’s patch batch is a critical flaw in all supported versions of Windows that’s been exploited for at least the past two months (and probably much longer) by the Duqu Trojan, a sophisticated information-stealer that experts say was an espionage tool constructed to extract sensitive data from industrial control systems.

    The other two critical updates fix bugs in ActiveX and Windows Media Player. The remaining patches address less severe but still dangerous security holes in Windows, Microsoft Office and Microsoft Publisher. A more detailed breakdown of this month’s updates is available here. Patches are available via Windows Update.

    Thirteen patches from Microsoft, including Duqu fix - SC Magazine US

    Microsoft on Tuesday pushed out 13 patches, one fewer than anticipated, to address 19 security vulnerabilities, including a bug that allows the data-stealing Duqu trojan to spread.

    Duqu, the so-called "son of Stuxnet" trojan, contains a dropper program that exploits the vulnerability, located in the Windows kernel, Microsoft revealed in early November. The software giant subsequently issued a workaround, and the issue now is corrected with bulletin MS11-087, rated "critical."

    “The most important patch this month is the TrueType font parsing issue, which is the zero-day vulnerability exploited as part of the Duqu targeted attacks,” said Joshua Talbot, security intelligence manager of Symantec Security Response. “The Duqu malware didn't actually incorporate an exploit for this issue in its code, but the vulnerability was used by malicious email attachments to load Duqu onto targeted systems.”

    Tuesday's other high-priority patch is MS11-092, also rated critical, which remedies a vulnerability in Windows Media that could permit remote code execution. The third and final critical fix, MS11-090, involves an ActiveX issue.

    The security update also included a patch -- MS11-099 -- for three Internet Explorer (IE) vulnerabilities. A cumulative patch for the popular web browser typically ranks higher on Microsoft's deployment priority chart, but not this month.


    The December bulletins are released - MSRC - Site Home - TechNet Blogs
    13 Dec 2011 10:19 AM

    Hello. As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing 13 security bulletins, three of which are rated Critical in severity, and 10 Important.

    These bulletins will increase protection by addressing 19 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on these critical updates:

        MS11-092 – Windows Media: Vulnerability In Windows Media Could Allow Remote Code Execution
        MS11-087 – Windows: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

    In other security news, Oracle has released security updates to both active versions of Java and the JRE. If you have Java installed, you need to update from 6u29 or 7u1 to 6u30 or 7u2.  You may have to update manually as the "Update" button on any Java 6u29 installation that I tested was not returning update 6u30 as I write this.  The installers can be downloaded from here: Java SE Downloads. Again the updates are widely documented on user-friendly blogs (and also in the extremely user-hostile Oracle release notes).

    ISC Diary | Java 6u30 released

    Oracle have released Java 6 Update 30 (6u30) today. The fixes are mostly of functional nature. As far as we can tell from the release notes, no gaping security craters had to be leveled out this time .. for a change. Two security related fixes are still noteworthy for developers, one affects the use of SSL (TLS_DH_anon_WITH_AES_128_CBC_SHA), the other is about the use of secure cookies in HTTPS when the applet gets invoked via JavaScript.  The full release information and list of fixes are available on Oracle's web site.

    Oracle updates Java, Adobe patches ColdFusion - SC Magazine US

    Oracle on Monday released an update to its Java software, fixing several security flaws.

    The update, Java 6 Update 30 (6u30), contains mostly performance and stability fixes and is largely void of “gaping security craters .. for a change,” Daniel Wesemann, a handler for the SANS Internet Storm Center, wrote in a blog post Monday. It does, however, contain security fixes that impact developers, he said.

    The update, for example, clears up an issue that caused Java 6 Update 29 to break SSL connectivity. Another problem involves secure cookies being sometimes dropped.

    Security Updates for Microsoft Windows, Java — Krebs on Security

    In other patch news, Oracle has released yet another update to its Java software. Oracle released updates to Java versions 6 and 7, but only the Java 6 Update 30 includes security fixes. It appears from a close examination of Oracle’s unbelievably labyrinthine security advisories that Update 30 addresses at least six separate security issues. Anyone who wants to read more about the specific details of the flaws fixed in this update without having wade through countless advisories can do so by clicking this link. While none of the flaws look especially bad, if you are using Java it’s time to either update it or dump it (I continually urge readers to do the latter). Updates are available from the Java console (available through the Windows Control Panel).

    Oracle Java - 6u30-relnotes
    Oracle Java - 7u2-relnotes

    Friday, December 9, 2011

    Download.com IS STILL NOT safe to use

    This is a revision of my earlier post titled "Download.com may be safe to use again"
    They have taken what appear to be corrective steps. A blog posting by them claims they have removed any toolbar bundles from open-source software and that they have removed the requirement that you have to be a "registered member" (in other words, "give them your email address") to download files directly without using their "download manager". However, the fact that they have not committed to never bundle toolbars is troublesome, so if you have a choice, download your freeware from another source if possible. And ALWAYS use the "direct download" option -- if you find it among the clutter of their download page.

    A note from Sean regarding the Download.com Installer | The Download Blog - Download.com
    ... we are removing the registration requirement to use the Direct Download Link on our site. This allows you, the user, to download the Installer without using the download manager.

    EDIT Fri 09 Dec 2011 08:57 AM MST: Sean lies. As of this morning the open-source application Evince is still being bundled with a downloader when you download it from CNet. When I clicked the download button at CNet I got a file called cnet_evince-2_32_0_msi.exe.

    I submitted that file to VirusTotal and it reported the following:
    File name: cnet_evince-2_32_0_msi.exe
    Submission date: 2011-12-09 13:24:56 (UTC)
    Result: 2/43 (4.7%)
    • DrWeb 5.0.2.03300 2011.12.09 Adware.InstallCore.8
    • NOD32 6691 2011.12.07 a variant of Win32/InstallCore.D

    Thursday, December 8, 2011

    Update to Foxit Reader 5.1.3

    If you use the Foxit Reader instead of Adobe's bloated, insecure PDF reader, you should update.
    Foxit Reader Unspecified Memory Corruption Vulnerability - Secunia.com
    Description:
    A vulnerability has been reported in Foxit Reader, which can be exploited by malicious people to compromise a user's system.

    The vulnerability is caused due to an unspecified error. No further information is currently available.

    The vulnerability is reported in versions 5.1.0.1021 and prior.

    Solution:
    Update to version 5.1.3.
    Foxit Reader - Building the Most Secure PDF Reader - Foxit Software

    Fixed an issue when opening certain PDF files.

    SUMMARY
    Foxit Reader 5.1.3 fixed an issue when opening certain PDF files. This issue was caused by the cross-border assignment of an array which may result in memory corruption vulnerabilities.

    Affected Versions
    Foxit Reader 5.1.0.1021 and earlier.

    Fixed in Version
    Foxit Reader 5.1.3

    SOLUTION
    Please do one of the following:

    • Please go to "Check for Updates Now" in Reader help menu to update to the latest version 5.1.3
    • Click here to download the updated version now.

    According to the Foxit Software Announcement, there are also several other useful fixes in this update:
    Maintenance Release - Foxit® Reader 5.1.3 - Foxit Software
    ... Foxit Reader 5.1.3 fixes an issue of Foxit Reader when opening certain PDF files. This issue was caused by the cross-border assignment of an array which may result in memory corruption vulnerabilities or potential memory corruption vulnerabilities.

    Other product modifications include:

    • Fixed an issue when right-clicking an opened PDF file in an internet browser after changing the UI language.
    • Fixed an issue where the paper size in the Preview Area of Print Dialogue Box cannot be updated accordingly if users choose the Xerox® Printer.
    • Fixed an issue when switching the interface language.
    • Fixed an issue where the Paper Drawer cannot be changed to Cassette when printing.

    Download.com may be safe to use again

    revised and reposted on Fri 09 Dec 2011 at 09:10 AM MST
    They have taken what appear to be corrective steps. A blog posting by them claims they have removed any toolbar bundles from open-source software and that they have removed the requirement that you have to be a "registered member" (in other words, "give them your email address") to download files directly without using their "download manager". However, the fact that they have not committed to never bundle toolbars is troublesome, so if you have a choice, download your freeware from another source if possible. And ALWAYS use the "direct download" option -- if you find it among the clutter of their download page.

    A note from Sean regarding the Download.com Installer | The Download Blog - Download.com
    ... we are removing the registration requirement to use the Direct Download Link on our site. This allows you, the user, to download the Installer without using the download manager.