April 20, 2014

Adobe releases surprise update for Flash

(LiveHacking.Com) – Just one week after releasing a security update for its Flash Player, Adobe has now released a second security update and, unlike last week’s update, it also covers Android. The update for Adobe Flash Player brings the version number for Windows, Macintosh and Linux to 11.4.402.265, users of Adobe Flash Player 11.1.115.11 and earlier versions on Android 4.x devices can now upgrade to Adobe Flash Player 11.1.115.17. The updates fix multiple vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

There are six critical bug fixes in this release.  This means that, if exploited, these bugs  would allow malicious native-code to execute, potentially without a user being aware. The first four bugs are memory corruption vulnerabilities that could lead to code execution, the fifth is an integer overflow vulnerability and the last is a cross-domain information leak vulnerability.

The update has taken many IT managers and security experts by surprise. Adobe (in recent times) releases security updates for its products on the second Tuesday of the month. However it has also remained committed to being flexible when faced with a zero-day attack. Since this new release could be considered out-of-band (as last week’s update also covered Shockwave Player and Acrobat Reader), does Adobe know something about a zero day attack which hasn’t yet been published? Or was last weeks update the out-of-band release as the CVE-2012-1535 vulnerability was being exploited in the wild (via a malicious Word document) and this release is the normal monthly security update?

As a result of the updates Google has released a new version of the Chrome web browser.

AFFECTED SOFTWARE VERSIONS

  • Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh and Linux operating systems
  • Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.3.0.3670 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) and earlier versions
  • Adobe AIR 3.3.0.3650 and earlier versions for Android

Adobe updates Flash Player, Shockwave Player and Acrobat Reader to close security vulnerabilities but Google issues warning

(LiveHacking.Com) – Adobe has released a series of security advisories about its Flash Player, Shockwave Player and Acrobat Reader to close security vulnerabilities. As a result of the updates Google has released a new version of the Chrome web browser but they have also issued a warning about using Acrobat Reader on Windows (as there are still Critical vulnerabilities which are unfixed) and on Linux which was not patched at all. Gynvael Coldwind of the Google Security Team said “we consider users of Adobe Reader to be exposed to serious risk.”

According to the Google security researchers, Adobe Reader for Linux users are exposed to all the known critical vulnerabilities, while Adobe Reader for Windows and Mac OS X users are currently vulnerable to up to 6 and 10 unpatched issues (respectively).

What Adobe did patch for its PDF reader affects Adobe Reader and Acrobat X (10.1.3) and earlier versions for Windows and Macintosh. The updates address vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system. The new versions fix stack and buffer overflow vulnerabilities as well as memory corruption vulnerabilities. In the security advisory Adobe thanks Mateusz Jurczyk and Gynvael Coldwind, of the Google Security Team, for twelve of the bugs found.

Adobe has also released an update for Adobe Shockwave Player 11.6.5.635 and earlier versions on the Windows and Macintosh operating systems. The update addresses five memory corruption vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.

There is also an update for Flash Player on Windows, Macintosh and Linux. The updates address a vulnerability (CVE-2012-1535) that could cause the application to crash and potentially allow an attacker to take control of the affected system. This bug is currently being exploited in the wild via a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.

Flash Player 11.3 fixes Critical security vulnerabilities

(LiveHacking.Com) – Adobe has released a new version of its ubiquitous Flash Player. Version 11.3 fixes at least seven critical security vulnerabilities. The new version also enables the background updater for Mac OS X. Older versions are vulnerable to crashes and potential arbitrary code execution. The new version is available for all supported operating systems, i.e. Windows, OS X, Linux. Affected versions including Adobe Flash Player 11.2.202.235 and earlier versions. For Android, Adobe has released a new version of the 11.1.x series where Adobe Flash Player 11.1.115.8 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.9 and earlier versions for Android 3.x and 2.x are vulnerable.

Of the seven vulnerabilities fixed two are memory corruptions, one is a stack overflow vulnerability, one is an  integer overflow vulnerability and another is a null de-referencing problem. All of these could lead to code execution. Of the remaining two, one is a security bypass vulnerability that could lead to information disclosure  and the others is a binary planting vulnerability in the Flash Player installer that could lead to code execution.

Google has released a new version of its Chrome web browser to upgrade the built-in  Flash Player to 11.3.300.257.

For users who cannot update to Flash Player 11.3, Adobe has released a patched version of Flash Player 10.x which can be downloaded here.

Along with the release of Flash 11.3, Adobe has also released a new version of Adobe Air for Windows, Macintosh and Android. Users of Adobe AIR 3.2.0.2070 should update to Adobe AIR 3.3.0.3610.

Adobe Finally Updates the CS5 & CS5.5 Versions of Illustrator and Photoshop to Fix Security Vulnerabilities

Three weeks ago Adobe published two security advisories describing critical vulnerabilities in the CS5 and CS5.5 versions of Illustrator and Photoshop. The original advisories recommended that users upgrade to CS6 (which they would have to pay for) and didn’t offer any patches or updates for the CS5 and CS5.5 versions. Following complaints, bad press and an outcry from users, Adobe made a U turn and promised patches in due course. Those patches have now been released.

Illustrator

The vulnerabilities present in Adobe Illustrator CS5 (15.0.x) and Adobe Illustrator CS5.5 (15.1) for Windows and Macintosh could allow an attacker who successfully exploits these vulnerabilities to take control of the affected computer. Adobe has now released Adobe Illustrator CS5 (15.0.3) and Adobe Illustrator CS5.5 (15.1.1) to address the vulnerabilities. Specifically the update addresses six separate memory corruption vulnerabilities that could be exploited to let an attacker execute arbitrary code.

Photoshop

Like Adobe Illustrator, the vulnerabilities present in Adobe Photoshop CS5 (12.0) and Adobe Photoshop CS5.1 (12.1) for Windows and Macintosh could allow an attacker who successfully exploits these vulnerabilities to take control of the affected computer.

Adobe has now released security updates for Adobe Photoshop CS5 (12.0) and Adobe Photoshop CS5.1 (12.1) for Windows and Macintosh. For an attacker to exploit the vulnerabilities a malicious file must be opened in Photoshop. Adobe is not aware of any attacks exploiting these vulnerabilities. The update fixes three specific problems:

  1. A use-after-free TIFF vulnerability that could lead to code execution.
  2. A buffer overflow vulnerability that could lead to code execution.
  3. A stack-based buffer-overflow vulnerability in the Collada .DAE file format that could lead to code execution.

 

 

Apple Releases First OS X 10.5 Update For Nearly a Year – But Doesn’t Patch Any Known Vulnerabilities

(LiveHacking.Com) – Apple have made the interesting move of releasing a security update for OS X 10.5 Leopard which doesn’t actually patch any known vulnerabilities. Instead the update for the oldest of the OS X versions that runs on Intel Macs disables out-of-date versions of Adobe Flash Player.

Leopard Security Update 2012-003 disables Adobe Flash Player if it is older than 10.1.102.64. It does this by moving its files to a new directory. If the update disables Flash Player the user is presented with the option to install an updated version of from the Adobe website. Apple disabled Flash Player older than 10.1.102.64 on OS X Snow Leopard and OS X Lion a few days ago.

Apple have also released a version of the Flashback malware removal tool designed for Leopard. Apple released the same tool for Snow Leopard and Lion almost a month ago. According to the advisory: “This update runs a malware removal tool that will remove the most common variants of the Flashback malware. If the Flashback malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found.”

Leopard has been left languishing without any updates from Apple for nearly a year. The last application update was for iTunes in November 2011, while the last operating system level update was in June of the same year.

There are of course still users of OS X 10.4 and OS X 10.5 for the PowerPC which it seems Apple has completely abandoned.

Adobe Releases Security Bulletins for Illustrator, Photoshop, Flash Professional and Shockwave Player

(LiveHacking.Com) – Adobe has released security bulletins describing critical vulnerabilities in Illustrator, Photoshop, Flash Professional and Shockwave Player:

Illustrator

Adobe released a security upgrade for Adobe Illustrator CS5.5 and earlier for Windows and Macintosh. This upgrade addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. Adobe is not aware of any attacks exploiting these vulnerabilities against Adobe Illustrator.

Photoshop

Adobe has released a security upgrade for Adobe Photoshop CS5 and earlier for Windows and Macintosh. This upgrade addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious .TIF file must be opened in Photoshop CS5 and earlier for Windows and Macintosh by the user for an attacker to be able to exploit these vulnerabilities. Adobe is not aware of any attacks exploiting these vulnerabilities against Adobe Photoshop.

Flash Professional

Adobe has released a security upgrade for Adobe Flash Professional CS5.5 (11.5.1.349) and earlier for Windows and Macintosh. This upgrade addresses a vulnerability that could allow an attacker who successfully exploits this vulnerability to take control of the affected system. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Flash Professional.

Shockwave Player

Adobe has released a security update for Adobe Shockwave Player 11.6.4.634 and earlier versions for Windows and Macintosh. This update addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to run malicious code on the affected system.

Adobe Fixes Zero-day Vulnerability in Flash That is Being Exploited in the Wild

(LiveHacking.Com) – Adobe has released a patch to fix a zero-day vulnerability in Flash Player that is being exploited in the wild. According to the security advisory the bug is being exploited in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only. As a remedy Adobe has released a security update for Windows, Macintosh, Linux and Android.

Details of the exact nature of the vulnerability are not available however it is clear that unpatched versions of Adobe Flash Player allow a remote attacker to execute arbitrary code via a crafted file, related to what is being called an “object confusion vulnerability.”

According to Symantec, the email attachment contains a  document with  “an embedded reference to a malicious Flash file hosted on a remote server. When the Flash file is acquired and opened, it sprays the heap with shellcode and triggers the CVE-2012-0779 exploit. Once the shellcode gains control, it looks for the payload in the original document, decrypts it, drops it to disk, and executes it.” Symantec says that the malware payload is Trojan.Pasam.

The vulnerability affects the following versions:

  • Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh, and Linux operating systems
  • Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x

Windows users are advised to upgrade as soon as possible as the exploit is targeting that platform.

Adobe Releases Security Updates for Adobe Reader X

(LiveHacking.Com) – Adobe has released security updates for Adobe Reader to address vulnerabilities that could cause the application to crash and potentially allow an attacker to take control of the affected system.

The vulnerabilities fixed include:

  • An integer overflow in the True Type Font (TTF) handling that could lead to code execution (CVE-2012-0774).
  • A memory corruption in the JavaScript handling that could lead to code execution (CVE-2012-0775).
  • A security bypass via the Adobe Reader installer that could lead to code execution (CVE-2012-0776).
  • A memory corruption in the JavaScript API that could lead to code execution (CVE-2012-0777) (Macintosh and Linux only).

Affected Versions

  • Adobe Reader X (10.1.2) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5 and earlier 9.x versions for Windows and Macintosh
  • Adobe Reader 9.4.6 and earlier 9.x versions for Linux
  • Adobe Acrobat X (10.1.2) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5 and earlier 9.x versions for Windows and Macintosh

The Adobe Reader X (10.1.3) and Adobe Acrobat X (10.1.3) updates also incorporate the Adobe Flash Player updates as noted in Security Bulletins APSB12-03APSB12-05 and APSB12-07.

Adobe Releases Malware Classifier Tool as Open Source

(LiveHacking.Com) – Adobe has released a new command line tool for quick malware triage. Known as the “Adobe Malware Classifier“, this Python based tool was developed by Adobe’s Product Security Incident Response Team (PSIRT) who used it as part of the initial response to security incidents.

“I’ve since decided to make this tool available to other first responders (malware analysts, IT admins and security researchers of any stripe) as an open-source tool, since you might find it equally helpful,” said its creator, Karthik Raman.

The tool classifies Windows executables (EXEs) and dynamic link libraries (DLLs) into one of three categories: “0″ for clean, “1″ for malicious and “UNKNOWN”. To do this it uses machine learning algorithms that process seven key features extracted from a binary and then, based on one or all of four classifiers, and presents its classification results. Specifically, the tool was developed using models resultant from running the J48, J48 Graft, PART, and Ridor machine-learning algorithms on a data set of approximately 100,000 malicious programs and 16,000 clean programs.

Testing

To test this tool I downloaded the file onto a Ubuntu 10.04 machine. To run, it needs some additional Python modules which I installed:

sudo apt-get install python-pefile
sudo apt-get install python-argparse

The tool supports a few command line options:

usage: AdobeMalwareClassifier.py [-h] [-f filename] [-n model] [-v [verbose]]

Classify an unknown binary as MALWARE or CLEAN.

optional arguments:
  -h, --help    show this help message and exit
  -f filename   The name of the input file
  -n model      The ordinal for model classifier: 0=all (default) | 1=J48 |
                2=J48Graft | 3=PART | 4=Ridor
  -v [verbose]  Dump the PE data being processed

I tested the tool on several different types of .exe including 7-Zip, VLC and the Java runtime:

  • All the .exe files test returned UKNOWN except for the Java runtime.
  • The Java runtime returned MALWARE!
  • The tool can’t read .msi files

Conclusion

Although this looks like interesting research it really can only be seen as a triage tool. Maybe if I had tested it against some actual malware I might have got some better results.

Flash Player 11.2 Fixes Critical Vulnerabilities

(LiveHacking.Com) – Adobe has released Flash Player 11.2 with new features while also fixing some critical vulnerabilities. Among the new features is a new background updater for Windows. This system checks once every 24 hours for updates to Flash Player and updates all Flash Player versions installed on your PC including plugins and ActiveX.

The updater isn’t perfect as Firefox users need to restart their computers for Firefox to load the newly installed Plugin. The release notes mention that for 64-bit operating systems “it may be necessary to remove the NPSWF .dll from both WindowsSystem32MacromedFlash AND Windows[SysWow64]MacromedFlash directories”. It isn’t clear if this is instead of a reboot.

On the bug fix front, Flash Player 11.2 fixes critical vulnerabilities in Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

The first bug fixed is a memory corruption vulnerability related to URL security domain checking that could lead to code execution (ActiveX, Windows 7 or Vista only) (CVE-2012-0772), while the second resolves a memory corruption vulnerability in the NetStream class that could also lead to code execution (CVE-2012-0773).

AFFECTED SOFTWARE VERSIONS

  • Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player 11.1.111.7 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.1.0.4880 and earlier versions for Windows, Macintosh and Android