Busy Day For Patches

Happy Valentine’s Day everyone.  Our vendors are bringing us the gifts of security vulnerability patches.  Lots of them.  Yes, it’s extra work for our IT teams, but removing these vulnerabilities could mean that we all get to keep our jobs and remain in business.  I was hearing on the news today that Nortel is now coming clean regarding the fact that hackers 0wn3d their network for roughly 10 years, with full and complete access to everything.

Wonder how they got that?

Where is Nortel today?  Something to think about…

Microsoft released the expected batch of 9 patches:

  • MS12-008: Critical Remote Code Execution Vulnerabilities in Windows Kernel-Mode Drivers
  • MS12-009: Important Elevation of Privilege Vulnerabilities in Ancillary Function Driver
  • MS12-010: Critical Cumulative Security Update for Internet Explorer
  • MS12-011: Important Elevation of Privilege Vulnerabilities in Microsoft SharePoint
  • MS12-012: Important Remote Code Execution Vulnerability in Color Control Panel
  • MS12-013: Critical Remote Code Execution Vulnerability in C Run-Time Library
  • MS12-014: Important Remote Code Execution Vulnerability in Indeo Codec
  • MS12-015: Important Remote Code Execution Vulnerabilities in Microsoft Visio Viewer 2010
  • MS12-016: Critical Remote Code Execution Vulnerabilities in .NET Framework and Silverlight  (This one I would recommend holding off on, as Microsoft is expected to re-release after identifying a “metadata (logic) error”.)

Microsoft has also released Update Rollup 1 for Exchange Server 2010 SP2 http://www.microsoft.com/download/en/details.aspx?id=28809 to the Download Center.

Adobe released 2 Security Bulletins:

  • APSB12-02: Critical Security update available for Adobe Shockwave Player.  This update addresses critical vulnerabilities in Adobe Shockwave Player and earlier versions on the Windows and Macintosh operating systems.  These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.
  • APSB12-04: Important Security update available for RoboHelp for Word.  This update addresses an important vulnerability in RoboHelp 9 (or 8) for Word on Windows.  A specially crafted URL could be used to create a cross-site scripting attack on Web-based output generated using RoboHelp for Word.

There have also been vulnerabilities and patches announced for Mozilla Thunderbird and Firefox, and proof-of-concept code has been released for an as-yet-unpatched local exploit in Yahoo Instant Messenger 11.5.

UPDATE: Oracle also released patches fixing 14 vulnerabilities in:

  • JDK and JRE 7 Update 2 and earlier
  • JDK and JRE 6 Update 30 and earlier
  • JDK and JRE 5.0 Update 33 and earlier
  • SDK and JRE 1.4.2_35 and earlier
  • JavaFX 2.0.2 and earlier


Start planning, testing, and patching, folks.

Adobe Sandboxes Flash in Firefox

I am happy to post that Adobe has released beta code for sandboxing Flash content within Firefox.  Sandboxing is an excellent way to isolate ancillary code from the operating system and other applications.  I have been using it for years to keep my browser and its myriad vulnerabilities isolated after experimenting with it in malware analysis.  It just makes sense to contain the raft of cruft that tends to come in from an uncontrolled but necessary network like the Internet.

It is not a foolproof method for containing all malware or avoiding malicious content, but it cuts down significantly on the impact of what mal-content can do by restricting its reach, and it increases the cost, package size, and effort required on the part of the bad guys to get through an additional layer of defense.  Every defensive layer that they have to identify and circumvent presents another opportunity to discover and analyze their attack code…

Adobe used elements of Google’s Chrome sandboxing technology in its Reader code after a flurry of vulnerability announcements and high profile attacks targeting the application.  Adobe says that since its launch in November 2010, they have not seen a single successful exploit in the wild against Adobe Reader X, where they initially offered sandboxing technology.

The new code currently supports Firefox 4.0 or later running on Windows 7 or Vista.  Adobe promises wider browser protection soon.  More details will be given at the CanSecWest security conference in Vancouver, BC next month.  I sure would like to attend this conference.  Maybe I will meet some of you there?!

UPDATE:  ComputerWorld reports that IE is next on Adobe’s list for sandboxing its popular Flash Player within browsers, according to Adobe’s head of security.

Adobe January Patch Release

Security Bulletin (APSB12-01) has been posted in regards to this quarter’s security updates for Adobe Reader and Acrobat.  The updates address critical security issues, including CVE-2011-2462 and CVE-2011-4369, previously addressed in Adobe Reader and Acrobat 9.x for Windows as referenced in Security Bulletin APSB11-30.

Adobe recommends that users apply the updates for their product installations.  Mark adds ASAP.

The next quarterly security updates for Adobe Reader and Acrobat are currently scheduled for April 10, 2012.

Adobe 0-Day Patches Released

There have been reports of two critical vulnerabilities being actively exploited in targeted attacks against Adobe Reader 9.x on Windows.  These vulnerabilities could cause a crash and may allow an attacker to take control of the affected system.

Today’s updates address these vulnerabilities in Adobe Reader and Acrobat 9.x for Windows.  Adobe Reader X’s Protected Mode (sandbox) prevents this type of attack.  Adobe recommends that users of Adobe Reader 9.4.6 and earlier 9.x versions for Windows update to Adobe Reader 9.4.7, and that users of Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows update to Adobe Acrobat 9.4.7.


Adobe “PIDIEF” 0-Day

On December 6, Adobe announced that a zero-day vulnerability in all supported versions of Adobe Acrobat and Reader is being exploited in the wild.  No patch is currently available.  Apparently, Lockheed Martin reported the issue, indicating this may have been used in an attack on the defense technology company.  Targeted attacks were reported in the first week of November, so this one has been active a while.

The vulnerability is being exploited in the wild through PDF attachments to e-mails containing what Symantec is calling “Pidief“, listed as a family of Trojans that drop or download additional malware on to a compromised computer.  The malware agent is reportedly dropping “Sykipot” once initially compromised, providing a backdoor into the system for remote control.

Adobe expects to have a patch released for Reader and Acrobat 9 by the week of December 12, and will update Reader/Acrobat X as part of its regular quarterly patch cycle on January 10, 2012.  In the meantime, Adobe recommends relying on Reader and Acrobat X’s Protected Mode sandbox to protect users.

  • Exercise extreme caution when handling PDF files.  Any PDF email attachment should be treated suspiciously; email attachments are a common vector for targeted attacks with this kind of vulnerability.
  • Instruct users to use extreme caution when opening PDF files from unknown or untrusted sources, especially email attachments.
  • Upgrade to Adobe Reader X and Adobe Acrobat X, which provide a built-in sandbox enabled by default.
  • Apply the patch from Adobe as soon as it becomes available.
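
One way to act on the advice above before a PDF ever reaches a user is to triage attachments at the mail gateway for the features malicious documents rely on.  The script below is an added example for this post, not Adobe’s or Symantec’s code, and it is not a detector for the Pidief sample or any specific CVE; it flags the generic risk indicators (scripting, automatic actions, launching programs, embedded files), looks inside Flate-compressed streams, and resolves the `#xx` hex escapes in PDF names (for example `/Java#53cript`) that droppers use to dodge naive string matching.  The name list and the scoring rules are my own choices, and the two PDF documents inside it are constructed for the demonstration.

```python
"""Heuristic triage of a PDF attachment before it reaches a user.

Added example for this post; it is not Adobe's or Symantec's code and does
not detect any particular CVE.  The name list, the handling of #xx escapes
and the verdict rules are the author's assumptions.  Sample PDFs are constructed.
"""
import re
import zlib

# Name tokens that frequently appear in weaponised PDFs (assumed list).
SUSPICIOUS_NAMES = (
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/ObjStm", "/JBIG2Decode",
)

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so that /Java#53cript becomes /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the bodies of every stream that inflates as zlib (FlateDecode).

    decompressobj() tolerates the newline that precedes 'endstream'; streams
    that are not Flate-compressed raise zlib.error and are skipped.
    """
    out = []
    for m in _STREAM.finditer(data):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(out)


def triage_pdf(data: bytes) -> dict:
    """Return {name: count} for suspicious names in the raw bytes and in inflated streams."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("missing %PDF- header")
    visible = normalize_names(data)
    hidden = normalize_names(inflate_streams(data))  # inflate first, then unescape
    hits = {}
    for name in SUSPICIOUS_NAMES:
        # The lookahead stops /JS from matching a longer name that merely starts with JS.
        pat = re.compile(re.escape(name.encode()) + rb"(?![A-Za-z0-9])")
        n = len(pat.findall(visible)) + len(pat.findall(hidden))
        if n:
            hits[name] = n
    return hits


def verdict(hits: dict) -> str:
    """Active content plus an automatic trigger is the classic drive-by pattern."""
    trigger = "/OpenAction" in hits or "/AA" in hits
    active = any(k in hits for k in ("/JavaScript", "/JS", "/Launch"))
    if trigger and active:
        return "quarantine"
    return "review" if hits else "pass"


# Constructed samples: a catalog that auto-runs obfuscated JavaScript, and a
# document whose /Launch action is hidden inside a compressed stream.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
_payload = zlib.compress(b"<< /S /Launch /F (cmd.exe) >>")
SAMPLE_STREAM_PDF = (
    b"%PDF-1.4\n"
    + b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_payload)
    + _payload
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("plain", SAMPLE_PDF), ("stream", SAMPLE_STREAM_PDF)):
        found = triage_pdf(doc)
        print(label, found, verdict(found))
```

A hit count is a reason to look, not proof of malice; plenty of legitimate forms carry JavaScript, so the "review" bucket is where an analyst earns their keep.  The escape normalisation matters more than it looks: a gateway that greps for the literal string `/JavaScript` is bypassed by a single `#`.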

Big Patch Tuesday Coming

Microsoft will issue 16 security updates next week to patch 34 vulnerabilities in Windows, Internet Explorer, Office, SQL Server, and other products.  9 of the 16 updates will be rated critical, the remainder rated important.  2 updates will target vulnerabilities in IE, 10 target Windows, 2 will address Office components (Excel, InfoPath, Visual Studio, and SQL).  8 of the 10 Windows updates affect Microsoft’s newest operating system, Windows 7.

Adobe has also announced that it will ship updates for Reader and Acrobat on Tuesday.  Adobe did not specify how many vulnerabilities will be fixed in the update.

Get ready to test and deploy some patches…

Adobe Flash XSS Patch

Adobe has issued a patch for Flash after 0-day cross site scripting (XSS) attacks were detected in the wild using email as the primary attack vector.

Anyone with Flash Player or earlier for Windows, Mac, or Linux should update to ( for ActiveX) ASAP.  Flash running on Android devices is also affected, and will be addressed in a separate fix this week.

CVE-2011-2107 is rated as “important” by the vendor, rather than the expected critical.  The patch was considered serious enough for Adobe to fix it outside of its normal monthly cycle, all part of the company’s reformed ‘better safe than sorry’ attitude in the wake of repeated attacks on its products and add-ons during 2008, 2009, and 2010.


Adobe Reader & Flash Patches

Adobe has released important security updates for Windows and Macintosh products about a week ahead of schedule.

CVE-2011-0611 is being actively exploited in the wild against Adobe Flash Player, Reader and Acrobat, including through Flash (.swf) files embedded in Word (.doc) or Excel (.xls) files delivered as email attachments, with the attacks targeting the Windows platform.

Get all of your endpoint systems that are running this software patched or mitigated quickly.  This is definitely an easy target for the bad guys to gain entry into your organizations and home computers.

Another Adobe 0-day

Adobe has issued another Security Advisory (APSA11-02) in regards to a critical vulnerability that exists in Flash Player and earlier for Windows, Mac, Linux and Solaris, as well as Adobe Flash Player and earlier for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.x) and earlier for Windows and Mac operating systems.  This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system.

There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment.  At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat.
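
This advisory and the earlier note on CVE-2011-0611 describe the same delivery trick: a Flash movie tucked inside an Office attachment.  The scanner below is an added example for this post (not Adobe’s or Microsoft’s code, and it does not detect the vulnerability itself); it finds SWF signatures in an arbitrary blob, validates the header fields so that stray text containing “CWS” is not reported, and carves each movie out as an uncompressed FWS file that can be handed to a SWF disassembler.  The sample “document” is constructed from an OLE magic number and two minimal SWFs and is not a real .doc file; the version ceiling used for plausibility checking is my own assumption.

```python
"""Locate Flash (SWF) movies embedded in an arbitrary file, such as a .doc or
.xls attachment, and carve them out for analysis.

Added example for this post; not Adobe's or Microsoft's code.  A SWF begins
with "FWS" (uncompressed) or "CWS" (zlib-compressed after the 8-byte header),
one version byte, and a little-endian UI32 length of the uncompressed file.
The sample document is constructed and is not a valid OLE compound file.
"""
import re
import struct
import zlib

SWF_MAGIC = re.compile(rb"[FC]WS")
MAX_PLAUSIBLE_VERSION = 50   # assumption: no released SWF version comes close to this


def parse_swf_header(blob: bytes):
    """Return (compressed, version, length) if blob starts with a plausible SWF header, else None."""
    if len(blob) < 8:
        return None
    version = blob[3]
    length = struct.unpack_from("<I", blob, 4)[0]
    if not 1 <= version <= MAX_PLAUSIBLE_VERSION or length < 8:
        return None
    compressed = blob[:1] == b"C"
    if compressed:
        # The zlib stream starts at offset 8; a bad zlib header rejects false positives.
        try:
            zlib.decompressobj().decompress(blob[8:72])
        except zlib.error:
            return None
    elif length > len(blob):
        return None  # an uncompressed SWF must fit in the bytes that remain
    return compressed, version, length


def find_embedded_swf(data: bytes) -> list:
    """Scan every signature occurrence and keep those with a valid header."""
    hits = []
    for m in SWF_MAGIC.finditer(data):
        parsed = parse_swf_header(data[m.start():])
        if parsed:
            compressed, version, length = parsed
            hits.append({"offset": m.start(), "compressed": compressed,
                         "version": version, "length": length})
    return hits


def carve_swf(data: bytes, hit: dict) -> bytes:
    """Return the hit as an uncompressed FWS file, ready for a SWF disassembler."""
    off = hit["offset"]
    if not hit["compressed"]:
        return data[off:off + hit["length"]]
    body = zlib.decompressobj().decompress(data[off + 8:])  # trailing bytes are ignored
    return b"FWS" + data[off + 3:off + 8] + body


def _minimal_swf(compressed: bool) -> bytes:
    """Smallest well-formed SWF: empty RECT, 12 fps, one frame, End tag."""
    body = b"\x00" + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"
    sig = b"CWS" if compressed else b"FWS"
    header = sig + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


# Constructed: OLE magic, filler, a decoy "CWS" string, one FWS and one CWS movie.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_DOC = (OLE_MAGIC + b"\x00" * 24 + b"CWS is not a movie "
              + _minimal_swf(False) + b"\x00" * 16 + _minimal_swf(True) + b"\x00" * 8)

if __name__ == "__main__":
    for hit in find_embedded_swf(SAMPLE_DOC):
        print(hit, carve_swf(SAMPLE_DOC, hit).hex())
```

Two caveats for real attachments.  OLE compound files store their streams in 512-byte sectors that need not be contiguous, so a raw byte scan can miss a movie or carve a truncated one; for production use, walk the container with an OLE parser and scan each stream.  Newer Flash releases also introduced an LZMA-compressed “ZWS” signature, which this scanner does not handle.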

Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, Adobe is planning to address this issue in Reader X for Windows with their June 14 security update.


Beware Excel Docs – Adobe 0-day Patch Coming

Adobe will release emergency fixes for a critical flaw in Flash and Reader that is being actively exploited in targeted attacks, planting malware on vulnerable computers.  The patches will be available the week of March 21, and will address the problem in Adobe Flash Player 10 and Adobe Reader 9 and X (10.x), with the exception of Reader X for Windows, which ships with a sandbox feature that has blocked the attacks so far.  The attackers are using specially crafted Microsoft Excel documents to exploit the flaw.