October 22, 2014

Microsoft, Adobe release security patches plus high profile domains rush to fix XSS vulnerability

(LiveHacking.Com) – The last few days have seen lots of security related activity from some of the world’s leading software vendors. Both Microsoft and Adobe have released patches for some of their key software while almost simultaneously a Google engineer has released details of an obscure cross-site request forgery bug that left several high profile domains scrambling to protect themselves over the weekend.

Microsoft

Microsoft has released six new security bulletins, to tackle 29 different vulnerabilities in Microsoft Windows and Internet Explorer. Two of these security bulletins are rated Critical, while the rest are either rated as Important or Moderate.

The first of the two Critical level bulletins (MS14-037) is a cumulative security update for Internet Explorer. The update fixes one publicly disclosed vulnerability and twenty-three privately reported vulnerabilities in Microsoft’s web browser. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using IE. This security update is rated Critical for IE 6 through to IE 11 on Microsoft Windows desktop operating systems. For the server versions of Windows the update is rated as Moderate.

The other Critical level update (MS14-038) fixes a remote code execution vulnerability that exists because of the way that Windows Journal parses specially crafted files. The vulnerability could be exploited if a user opens a specially crafted Journal file. The fix is rated Critical for all supported editions of Windows Vista, Windows Server 2008 (excluding Itanium), Windows 7, Windows Server 2008 R2 (excluding Itanium), Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

The other bulletins released by Microsoft are:

  • MS14-039 – Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker uses a vulnerability in a low integrity process to execute the On-Screen Keyboard (OSK) and upload a specially crafted program to the target system.
  • MS14-040 – Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker logs onto a system and runs a specially crafted application.
  • MS14-041 – Vulnerability in DirectShow Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker first exploits another vulnerability in a low integrity process and then uses this vulnerability to execute specially crafted code in the context of the logged on user.
  • MS14-042 – Vulnerability in Microsoft Service Bus Could Allow Denial of Service. The vulnerability could allow denial of service if a remote authenticated attacker creates and runs a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system.

Adobe

Adobe has released security updates for Adobe Flash Player on Windows, OS X and Linux. The updates patch vulnerabilities that could potentially allow a remote attacker to take control of the affected system. The affected software versions are:

  • Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.378 and earlier versions for Linux
  • Adobe AIR 14.0.0.110 SDK and earlier versions
  • Adobe AIR 14.0.0.110 SDK & Compiler and earlier versions
  • Adobe AIR 14.0.0.110 and earlier versions for Android

As well as fixing two, as yet undisclosed, security bypass vulnerabilities (CVE-2014-0537, CVE-2014-0539), the update also includes additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs (CVE-2014-4671).

XSS

As mentioned above, the update to Adobe Flash Player includes additional validation checks for an obscure cross-site request forgery bug that was disclosed by Google’s information security engineer Michele Spagnuolo over the weekend. In his blog post “Abusing JSONP with Rosetta Flash,” Michele details how his tool Rosetta Flash can convert Adobe SWF files from binary to text. Attackers can then upload the “weaponised” SWF file to a domain where it will be loaded by a victim’s browser and executed by Adobe Flash Player.
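Besides the Flash Player update, a site can harden its own JSONP endpoints: because a text-only SWF can pass an ordinary callback-name filter, the response should never begin with caller-chosen bytes. The sketch below is an added example, not code from the article, Adobe or Spagnuolo; the function names, the 64-character cap and the sample callback strings are assumptions made for illustration.

```python
import json
import re

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # first three bytes of a SWF file
MAX_CALLBACK_LEN = 64                      # assumption: ample for real callback names
# Dotted JavaScript identifier, ASCII only (e.g. "app.handlers.onData").
CALLBACK_RE = re.compile(
    r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*"
)


def looks_like_swf(body: bytes) -> bool:
    """True when a response body begins with a SWF file signature."""
    return body[:3] in SWF_SIGNATURES


def naive_jsonp(callback: str, data) -> bytes:
    """'Before' form: the caller-supplied callback is the first thing in the body."""
    return (callback + "(" + json.dumps(data) + ");").encode("utf-8")


def hardened_jsonp(callback: str, data):
    """Return (status, headers, body) for a JSONP response.

    - the callback must be a short, plain identifier;
    - the body starts with a fixed comment, so caller-chosen bytes never
      sit at offset 0 and the body cannot be parsed as a SWF file;
    - the headers tell the browser not to sniff the type and to treat the
      response as a download rather than as embeddable content.
    """
    if len(callback) > MAX_CALLBACK_LEN or not CALLBACK_RE.fullmatch(callback):
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, b"invalid callback"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="f.txt"',
    }
    body = ("/**/" + callback + "(" + json.dumps(data) + ");").encode("utf-8")
    return 200, headers, body


if __name__ == "__main__":
    # Constructed placeholder: an alphanumeric string that merely starts with
    # a SWF signature. It is not a SWF file.
    long_callback = "CWS" + "A" * 200
    print("naive body looks like SWF:", looks_like_swf(naive_jsonp(long_callback, {"ok": True})))
    print("hardened status for same callback:", hardened_jsonp(long_callback, {"ok": True})[0])
    status, headers, body = hardened_jsonp("CWSabc", {"ok": True})
    print(status, body, "looks like SWF:", looks_like_swf(body))
```
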

Several high-profile websites were vulnerable, including most Google domains, Instagram, Tumblr and eBay. Many of these sites have worked over the weekend to protect themselves against the vulnerability.

Because of the sensitivity of this vulnerability, Spagnuolo first disclosed it internally to Google, and then privately to Adobe. He also told Twitter, eBay, Tumblr and Instagram before going public with his findings.

Microsoft, Adobe and Google release security patches for Critical vulnerabilities

Microsoft, Adobe and Google have released patches for their products to fix Critical security vulnerabilities. Microsoft released eight security bulletins – two rated Critical and six rated Important – to address 13 different vulnerabilities in .NET Framework, Office, SharePoint, Internet Explorer, and Windows. Adobe released security updates to address multiple vulnerabilities in Reader, Acrobat, Flash Player, and Illustrator. For both companies, some of the vulnerabilities could allow hackers to run arbitrary code and take control of the affected system. Google also updated its Chrome web browser with the new version of Adobe Flash, but it also took the opportunity to patch some vulnerabilities in the internals of its browser.

Microsoft

Listed among Microsoft’s updates is a patch for IE which fixes the zero-day vulnerability that attackers were using against the browser at the end of April. Microsoft released this particular patch on May 1 2014 and the patch also applied to Windows XP. However the same can’t be said of the rest of Microsoft’s updates. XP is now officially dead, from a support point of view anyway.

May’s patches also include another update for IE, this time to fix two privately reported vulnerabilities in the browser. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. IE 6 to IE 11 are all affected.

Microsoft is also recommending that system administrators ensure that their systems are updated with MS14-024 and MS14-025. The former fixes a vulnerability in the MSCOMCTL common controls library that could allow a security feature bypass if a user views a specially crafted webpage with a web browser capable of instantiating COM components, such as Internet Explorer. The latter patches a vulnerability in Windows that could allow elevation of privilege if the Active Directory Group Policy preferences are used to distribute passwords across the domain. The update removes the ability to configure and distribute passwords that use certain Group Policy preference extensions because such actions could allow an attacker to retrieve and decrypt the password stored with Group Policy preferences.
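MS14-025 stops new passwords from being configured, but preference items that were already distributed stay in SYSVOL until an administrator removes them. An audit for them, as an added example that is not from the article or from Microsoft: it walks a copy of the policy tree and lists every preference item that still has a non-empty `cpassword` attribute, without reading out the stored value. The directory layout, GUID and account names in the sample tree are constructed for the demonstration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET


def find_stored_gpp_passwords(policy_root):
    """Report every Group Policy preference item under policy_root that
    carries a non-empty cpassword attribute. The value is never copied
    into the report; only the location of the item is."""
    findings = []
    for dirpath, _dirs, files in os.walk(policy_root):
        for filename in files:
            if not filename.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, filename)
            try:
                root = ET.parse(path).getroot()
            except (ET.ParseError, OSError):
                continue  # malformed or unreadable file: skip it, keep auditing
            for item in root.iter():
                for props in item:
                    if props.get("cpassword"):
                        findings.append({
                            "file": os.path.relpath(path, policy_root),
                            "item": item.tag,
                            "name": item.get("name", ""),
                        })
    return sorted(findings, key=lambda f: (f["file"], f["name"]))


def build_constructed_policy_tree(base_dir):
    """Write a small, constructed policy tree for the demonstration."""
    gpo = os.path.join(base_dir, "Policies", "{00000000-0000-0000-0000-000000000001}")
    samples = {
        # Local account item that still has a stored password (placeholder value).
        ("Machine", "Preferences", "Groups", "Groups.xml"):
            '<Groups><User name="LocalAdmin">'
            '<Properties action="U" userName="LocalAdmin" '
            'cpassword="CONSTRUCTED-PLACEHOLDER"/></User></Groups>',
        # Mapped drive with an empty cpassword: nothing is stored, not a finding.
        ("User", "Preferences", "Drives", "Drives.xml"):
            '<Drives><Drive name="S:">'
            '<Properties action="U" userName="" cpassword=""/></Drive></Drives>',
        # Truncated file: must be skipped without stopping the audit.
        ("Machine", "Preferences", "Services", "Services.xml"):
            '<NTServices><NTService name="Backup"',
    }
    for parts, content in samples.items():
        path = os.path.join(gpo, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(content)
    return gpo


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_policy_tree(tmp)
        for finding in find_stored_gpp_passwords(tmp):
            print("stored password in {file}: {item} '{name}'".format(**finding))
```

Each finding is a preference item to delete or recreate without a password, after which the affected account's password should be changed.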

Adobe

Adobe’s updates cover three main product groups: Adobe Reader and Acrobat, Adobe Flash Player and Adobe Illustrator (CS6). The affected versions are as follows:

  • Adobe Reader XI 11.0.07 for Windows and Macintosh
  • Adobe Reader X 10.1.10 for Windows and Macintosh
  • Adobe Acrobat XI (11.0.07) for Windows and Macintosh
  • Adobe Acrobat X (10.1.10) for Windows and Macintosh
  • Adobe Flash Player 13.0.0.214 for Windows, Macintosh, and Linux
  • Adobe Flash Player 11.2.202.359 for Linux
  • Adobe AIR SDK and Compiler 13.0.0.111 for Windows and Macintosh
  • Adobe Illustrator (subscription) 16.2.2 for Windows and Macintosh
  • Adobe Illustrator (non-subscription) 16.0.5 for Windows and Macintosh

The patch for Adobe Illustrator (CS6) for Windows and Macintosh fixes a “vulnerability that could be exploited to gain remote code execution on the affected system”, while the updates for Adobe Flash Player “address vulnerabilities that could potentially allow an attacker to take control of the affected system.” All the updates are rated as Critical including the third set which patch Adobe Reader and Acrobat XI to “address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.”

Google

With the release of a new version of Adobe Flash, Google released Chrome 34.0.1847.137 for Windows, Mac and Linux to include Flash Player 13.0.0.214. However the search giant also took the opportunity to fix three security problems. The non-Google researchers who contributed to finding the vulnerabilities were rewarded $4500 between them for their efforts:

  • [$2000][358038] High CVE-2014-1740: Use-after-free in WebSockets. Credit to Collin Payne.
  • [$1500][349898] High CVE-2014-1741: Integer overflow in DOM ranges. Credit to John Butler.
  • [$1000][356690] High CVE-2014-1742: Use-after-free in editing. Credit to cloudfuzzer.

Internet Explorer attacked via multiple zero-day exploits

It has been a rough week for Internet Explorer. Over the weekend Microsoft released Security Advisory 2963983 about a zero-day exploit in IE which is being used in the wild. Then yesterday Adobe released an emergency security update to fix a critical flaw in its Flash Player. As a result of Adobe’s patch, Microsoft has also updated the version of Adobe Flash Player built into Internet Explorer 10 and 11.

The zero-day exploit in IE allows attackers to execute arbitrary code if users visit a malicious website with an affected browser. In the worst case scenario the vulnerability can be used to silently install malware on a PC without any interaction with users, just because they visited a hacked or malicious site.

The vulnerability was found by FireEye, which published its own advisory. According to FireEye, the zero-day exploit affects IE6 through IE11, but the attacks seen in the wild are only targeting IE9 through IE11. “The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” wrote Xiaobo Chen, Dan Caselden and Mike Scott for FireEye.

Dustin Childs from Microsoft’s Security Response Center wrote that IE users should “exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders.” There is currently no Fix It or patch for this zero-day exploit, however Microsoft did release some workaround information as part of the security advisory.

The Flash Player vulnerability was discovered by Kaspersky Lab. According to Vyacheslav Zakorzhevsky, Kaspersky Lab detected two new Flash exploits which it hadn’t seen before. They sent the exploits off to Adobe and the company has now confirmed that they are indeed new zero-day vulnerabilities.

The Flash update for IE applies to Internet Explorer 10 on Windows 8, Windows Server 2012, and Windows RT, and for Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

Adobe releases out-of-band security update to fix zero-day exploit

Adobe has released an out-of-band security patch for Flash Player to fix a critical zero-day vulnerability that is being exploited in the wild. The vulnerability allows attackers to remotely take control of the affected system. Once they have control the attackers can install malware and recruit the affected PC into a botnet. Adobe was forced into issuing an immediate patch to the problem as an exploit for this vulnerability exists in the wild and is being used by attackers. Adobe recommends that users update Flash Player on their PCs immediately.

Because of an integer underflow that is present in Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux, remote attackers can execute arbitrary code on a victim’s PC. However, Adobe did not include any details about how the vulnerability is being exploited.

Adobe did however thank two researchers from Kaspersky Lab for reporting the vulnerability. There is speculation that the vulnerability could be related to “The Mask”, an Advanced Persistent Threat (APT) that a Kaspersky Lab expert wrote about recently. The Kaspersky post references Adobe Flash in the context of a long-running cyber espionage campaign that Kaspersky says it will present more about during the next week at the Kaspersky Security Analyst Summit 2014.

In response to Adobe’s update Google has released Chrome 32.0.1700.107 for Windows, Mac and Linux with an updated version of the embedded Flash Player. Microsoft likewise has updated Internet Explorer 10 and 11 on all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

Apple has released an update to its web plug-in blocking mechanism to disable all versions prior to Flash Player 12.0.0.44. If OS X users try to view Flash content in Safari they will see a “Blocked Plug-in” alert unless they have updated to the latest version of Flash Player.

Adobe Acrobat source code stolen along with 2.9 million customer records

(LiveHacking.Com) – Adobe has suffered what it is calling a series of “sophisticated attacks” on its network, resulting in the theft of customer information as well as source code for numerous Adobe products including Adobe Acrobat.

It is currently thought that the attackers stole Adobe customer IDs and encrypted passwords as well as personal and financial information relating to 2.9 million of its customers. The data stolen includes customer names, encrypted credit or debit card numbers and expiration dates.

As a result of the breach Adobe has reset all the relevant customer passwords, and notified the customers whose credit or debit card information was taken. Adobe is also offering the customers whose card information was taken the option of a one-year complimentary credit monitoring membership. Adobe has also notified the banks that process its customer payments and has contacted the relevant federal law enforcement agencies.

In what is being seen as a related incident, Adobe is investigating the unauthorized access of source code for Adobe Acrobat, ColdFusion and ColdFusion Builder. Brian Krebs, a former reporter for The Washington Post and renowned security expert, spotted a 40 GB source code dump stored on a server used by some known cyber criminals. The dump contained huge repositories of uncompiled and compiled code that appeared to be for ColdFusion and Adobe Acrobat. Krebs told Adobe about the source dump, and Adobe then revealed to Krebs that the company has been investigating a security breach into its networks since Sept. 17, 2013.

“We are in the early days of what we expect will be an extremely long and thorough response to this incident,” said Adobe’s Chief Security Officer Brad Arkin. “We’re still at the brainstorming phase to come up with ways to provide higher levels of assurance for the integrity of our products, and that’s going to be a key part of our response. We are looking at malware analysis and exploring the different digital assets we have. Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched.”

Adobe isn’t aware of any zero-day exploits targeting any Adobe products. However, as always, it recommends that customers use only supported versions of its software and apply all available security updates.

In an unrelated announcement, Adobe confirmed it will be releasing critical security updates next Tuesday for Adobe Acrobat and Adobe Reader.

Microsoft and Adobe release patches for Critical vulnerabilities

(LiveHacking.Com) – Two of the biggest names in PC software have released patches for a variety of their respective software products to fix critical security related issues. Microsoft has released 10 security bulletins to address 33 vulnerabilities in Microsoft Windows, Internet Explorer, .NET Framework, Lync, Office, and Windows Essentials, while Adobe has issued security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.

Among the Microsoft patches are two cumulative updates for Internet Explorer. The first (MS13-037) resolves 11 issues in IE that could allow remote code execution if a user visits a specially crafted Web page using the browser. The second (MS13-038) addresses the Internet Explorer 8 remote code execution vulnerability that could affect users if they mistakenly follow a link, in an email or instant message, to a malicious website. This update to IE8 is important as it is the only currently supported version of IE that users of Windows XP can use.

Another interesting patch from Redmond is a security update that resolves an issue in Windows that could allow denial of service if an attacker sends a specially crafted HTTP packet to an affected Windows server or client.

Adobe’s updates include security updates for Adobe Flash Player for Windows, Macintosh, Linux and Android. These updates address vulnerabilities that could cause a crash or potentially allow an attacker to take control of the affected system. The updates also affect Adobe AIR. All the patches are related to memory corruption issues that could be exploited to allow an attacker to execute arbitrary code.

Adobe also updated Adobe Reader and Acrobat for Windows, OS X and Linux. As with the updates to Flash, these patches address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. The following versions are affected: Adobe Reader and Acrobat XI (11.0.02) and earlier versions for Windows and Macintosh, and Adobe Reader 9.5.4 and earlier 9.x versions for Linux.

Microsoft and Adobe release patches to fix critical vulnerabilities

(LiveHacking.Com) – For March’s Patch Tuesday Microsoft has released seven bulletins, four Critical-class and three Important-class. The bulletins address 20 vulnerabilities in total across several Microsoft products including Windows, Office, Internet Explorer, Server Tools, and Silverlight. Likewise Adobe has released a security update for its popular Flash Player to address vulnerabilities that could potentially allow a hacker to take control of a vulnerable system.

Microsoft

Among the fixes is a patch for an issue in the Kernel-Mode Drivers (KMD) where an attacker could gain administrator privileges by inserting a malicious USB flash drive into a Windows machine. Since the attack works even when no user is currently logged on, it means that anyone with casual access, such as a security guard, office cleaner or anyone with access to office space, could simply plug a USB flash drive into a PC and perform any action as an administrator. In total MS13-027 resolves three privately reported vulnerabilities, correcting the way that the Windows kernel-mode USB drivers handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

Nine issues have also been fixed in Internet Explorer. The most severe of these could allow remote code execution if a user views a specially crafted webpage using IE. Upon successful exploitation, an attacker could gain the same rights as the current owner. All but one of these issues were privately reported to Microsoft and there are no reports of these vulnerabilities being used in the wild.

Microsoft Silverlight has also been patched to fix a vulnerability that could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements.

Adobe

Adobe has released a security update for Adobe Flash Player for Windows, OS X, Linux and Android. This update addresses vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected Versions

  • Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.273 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.6.0.597 and earlier versions for Windows, Macintosh and Android
  • Adobe AIR 3.6.0.597 SDK and earlier versions
  • Adobe AIR 3.6.0.599 SDK & Compiler and earlier versions

The update addresses four known vulnerabilities: an integer overflow vulnerability that could lead to code execution (CVE-2013-0646), a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650), a memory corruption vulnerability that could lead to code execution (CVE-2013-1371), and a heap buffer overflow vulnerability that could lead to code execution (CVE-2013-1375).

As a result of the update, Google has also released a new version of Chrome.

Microsoft to fix 57 unique vulnerabilities in February’s Patch Tuesday, also updates Flash in IE 10

(LiveHacking.Com) – Microsoft has published an advance notification of security patches that it intends to release on Tuesday February 12, 2013. It will release 12 bulletins, five of which are rated as Critical and seven as Important. These bulletins address 57 unique vulnerabilities in various Microsoft products including Windows, Internet Explorer and Exchange Software, Office, .NET Framework, and Microsoft Server Software.

All five Critical bulletins resolve remote code execution problems while the Important class advisories will address denial of service and elevation of privilege problems along with another less harmful remote code execution vulnerability.

Windows XP is affected by four of the five Critical bulletins, while Windows 8 is affected by only two of them. The common vulnerabilities between the oldest and newest of Microsoft’s currently supported operating systems are all connected with Internet Explorer. It seems that Microsoft will patch some holes in IE which can be found in IE 6, 7, 8, 9 and 10. The version of IE 10 in Windows RT is also affected.

The other Critical bulletin will be issued regarding Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010.

IE 10 and Adobe Flash Player

Microsoft has also issued an update for Internet Explorer 10 on Windows 8 to update the built-in version of Adobe Flash Player which Adobe recently updated. Adobe released security updates for Adobe Flash Player on Windows, OS X, Linux and Android to address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is reporting that at least two of the vulnerabilities addressed are being exploited in the wild. In one targeted attack, users are tricked into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The other vulnerability is being exploited via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening another Microsoft Word document.

Adobe releases hotfix for ColdFusion

(LiveHacking.Com) – Earlier this month Adobe published a security advisory outlining some Critical vulnerabilities in Adobe ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh, and UNIX. At the time, Adobe promised it would fix the problem and publish patches, which it has now done. The hotfix released by Adobe addresses vulnerabilities that could permit an unauthorized user to remotely circumvent authentication controls and potentially allow the attacker to take control of the affected server. The flaws have been assigned CVE numbers: CVE-2013-0625, CVE-2013-0629, CVE-2013-0631 and CVE-2013-0632.

Adobe is reporting that it is aware of reports that the vulnerabilities are being exploited in the wild against ColdFusion customers.

The patches fix the following vulnerabilities:

  • An authentication bypass vulnerability affecting ColdFusion versions 9.0.2, 9.0.1 and 9.0.0, which could result in an unauthorized user gaining administrative access (CVE-2013-0625).
  • A directory traversal vulnerability affecting ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0.0, which could permit an unauthorized user access to restricted directories (CVE-2013-0629).
  • A vulnerability affecting ColdFusion versions 9.0.2, 9.0.1 and 9.0.0, which could result in information disclosure from a compromised server (CVE-2013-0631).
  • An authentication bypass vulnerability affecting ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0.0, which could result in an unauthorized user gaining administrative access (CVE-2013-0632).

In Brief: Adobe fixes at least 26 security problems in Adobe Acrobat and Adobe Reader

(LiveHacking.Com) – Along with its update to Flash, Adobe has released updates that fix at least 26 security problems in Adobe Acrobat and Adobe Reader. The update for the popular PDF file reader and its companion PDF creator is available for Windows, OS X and Linux.

These updates address vulnerabilities that could cause a crash and possibly allow an attacker to run arbitrary code on an affected system. Details of the bugs fixed are:

  • Memory corruption vulnerabilities that could lead to code execution (CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0619, CVE-2013-0620, CVE-2013-0623).
  • Use-after-free vulnerability that could lead to code execution (CVE-2013-0602).
  • Heap overflow vulnerabilities that could lead to code execution (CVE-2013-0603, CVE-2013-0604).
  • Stack overflow vulnerabilities that could lead to code execution (CVE-2013-0610, CVE-2013-0626).
  • Buffer overflow vulnerabilities that could lead to code execution (CVE-2013-0606, CVE-2013-0612, CVE-2013-0615, CVE-2013-0617, CVE-2013-0621).
  • Integer overflow vulnerabilities that could lead to code execution (CVE-2013-0609, CVE-2013-0613).
  • Local privilege escalation vulnerability (CVE-2013-0627).
  • Logic error vulnerabilities that could lead to code execution (CVE-2013-0607, CVE-2013-0608, CVE-2013-0611, CVE-2013-0614, CVE-2013-0618).
  • Security bypass vulnerabilities (CVE-2013-0622, CVE-2013-0624).

Affected Versions

  • Adobe Reader XI (11.0.0) for Windows and Macintosh
  • Adobe Reader X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.2 and earlier 9.x versions for Windows and Macintosh
  • Adobe Reader 9.5.1 and earlier 9.x versions for Linux
  • Adobe Acrobat XI (11.0.0) for Windows and Macintosh
  • Adobe Acrobat X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.2 and earlier 9.x versions for Windows and Macintosh