June 17, 2013

Apple updates OS X and Safari to fix critical security issues

(LiveHacking.Com) – Apple has released updates for Mac OS X 10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8 and v10.8.3 to fix a range of Critical security vulnerabilities, including a fix for an error that could allow a remote attacker to execute arbitrary code with system privileges on Macs with Directory Service enabled. At the same time Apple has also released Safari 6.0.5. The new release of the web browser, which is also included in OS X Mountain Lion v10.8.4, fixes a range of WebKit errors, many of which have been previously fixed in Google Chrome.

Mac OS X

Several different security-related bugs have been fixed in OS X. Among them was an unbounded stack allocation issue that existed in the handling of text glyphs. It could be exploited by visiting a maliciously crafted site and may lead to an unexpected application termination or arbitrary code execution. The Directory Services vulnerability only applies to OS X 10.6. A remote attacker could execute arbitrary code with system privileges on Macs with Directory Service enabled due to an error with the way the directory server handled certain messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to terminate or execute arbitrary code with system privileges.

There were also several fixes for OpenSSL. There are known attacks on the confidentiality of TLS 1.0 when compression is enabled. To address this, Apple has disabled compression in OpenSSL. OpenSSL was also updated to version 0.9.8x to address multiple vulnerabilities, which may lead to denial of service or disclosure of a private key.

Other fixes include:

  • An attacker with access to a user’s session may be able to log into previously accessed sites, even if Private Browsing was used
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  • A local user in the lpadmin group may be able to read or write arbitrary files with system privileges
  • A local user who is not an administrator may disable FileVault using the command-line. This issue was addressed by adding additional authentication.
  • Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted QTIF file may lead to an unexpected application termination or arbitrary code execution
  • Viewing a maliciously crafted FPX file may lead to an unexpected application termination or arbitrary code execution
  • Playing a maliciously crafted MP3 file may lead to an unexpected application termination or arbitrary code execution

Multiple vulnerabilities also existed in Ruby on Rails, the most serious of which may lead to arbitrary code execution on systems running Ruby on Rails applications. These issues were addressed by updating Ruby on Rails to version 2.3.18.

It is worth noting that starting with OS X 10.8.4, Java Web Start (i.e. JNLP) applications downloaded from the Internet need to be signed with a Developer ID certificate.

Safari

All the fixes in the new release of Safari are related to WebKit as follows:

  • Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • A cross-site scripting issue existed in the handling of iframes. This issue was addressed through improved origin tracking.
  • A cross-site scripting issue existed in the handling of copied and pasted data in HTML documents. This issue was addressed through additional validation of pasted content.
  • XSS Auditor may rewrite URLs to prevent cross-site scripting attacks. This may lead to a malicious alteration of the behavior of a form submission. This issue was addressed through improved validation of URLs.

More information about the security content of Safari 6.0.5 can be found here.

Microsoft and Adobe release patches for Critical vulnerabilities

(LiveHacking.Com) – Two of the biggest names in PC software have released patches for a variety of their respective software products to fix critical security-related issues. Microsoft has released 10 security bulletins to address 33 vulnerabilities in Microsoft Windows, Internet Explorer, .NET Framework, Lync, Office, and Windows Essentials, while Adobe has issued security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.

Among the Microsoft patches are two cumulative updates for Internet Explorer. The first (MS13-037) resolves 11 issues in IE that could allow remote code execution if a user visits a specially crafted Web page using the browser. The second (MS13-038) addresses the Internet Explorer 8 remote code execution vulnerability that could affect users if they mistakenly follow a link, in an email or instant message, to a malicious website. This update to IE8 is important as it is the only currently supported version of IE that users of Windows XP can use.

Another interesting patch from Redmond is a security update that resolves an issue in Windows that could allow denial of service if an attacker sends a specially crafted HTTP packet to an affected Windows server or client.

Adobe’s updates include security updates for Adobe Flash Player for Windows, Macintosh, Linux and Android. These updates address vulnerabilities that could cause a crash or potentially allow an attacker to take control of the affected system. The updates also affect Adobe AIR. All the patches are related to memory corruption issues that could be exploited to allow an attacker to execute arbitrary code.

Adobe also updated Adobe Reader and Acrobat for Windows, OS X and Linux. As with the updates to Flash, these patches address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. The following versions are affected: Adobe Reader and Acrobat XI (11.0.02) and earlier versions for Windows and Macintosh, and Adobe Reader 9.5.4 and earlier 9.x versions for Linux.

Microsoft releases Fix It for critical Internet Explorer 8 vulnerability

(LiveHacking.Com) – Less than a week ago Microsoft revealed that version 8 of its web browser Internet Explorer suffers from a nasty remote code execution vulnerability that could catch users if they mistakenly follow a link, in an email or instant message, to a malicious website. Microsoft’s initial recommendation was to upgrade to IE 9 or IE 10, which unfortunately isn’t possible for Windows XP users.

For those stuck with IE 8, Microsoft suggested setting the Internet and local intranet security zone settings to “High” and configuring Internet Explorer to prompt before running any Active Scripting. Microsoft didn’t however mention one other important option – switch to Google Chrome or Mozilla Firefox!

If switching isn’t an option and you don’t know how to fiddle with the security zone settings, Microsoft has now released an “easy, one-click Fix it” to help mitigate this problem. The MSHTML Shim Workaround isn’t intended to be a replacement for a proper security update and Microsoft is suggesting that we all wait a day or two to see what it has planned for May’s Patch Tuesday, the implication being that the IE8 bug will be fixed then.

Microsoft fixes Critical IE and Remote Desktop flaws

(LiveHacking.Com) – Microsoft has released a series of nine security bulletins (two Critical and seven Important) to fix 14 different vulnerabilities in a range of its products including Microsoft Windows, Internet Explorer, Microsoft Antimalware and Windows Server Software.

The first of the two Critical level bulletins patches Internet Explorer against a remote code execution attack which could occur if users visited a specially crafted webpage using IE. A successful exploit would mean that the attacker would gain the same rights as the current user. The good news is that both of these IE issues were privately disclosed and Microsoft has not detected any attacks or customer impact. The vulnerabilities affect Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10.

There is also a remote code execution patch for Windows in connection with the Windows Remote Desktop Client ActiveX control. As with the IE bugs, this vulnerability could allow remote code execution if an attacker convinces a customer to view a website containing specially crafted content that exploits the vulnerability. This bug is seen as Critical for the Remote Desktop Connection 6.1 Client and the Remote Desktop Connection 7.0 Client on Windows XP, Windows Vista, and Windows 7.

Although Windows 8 was not affected by the Remote Desktop vulnerability, it isn’t immune to other problems: it receives an exclusive patch for problems with the Windows 8 antimalware client used in Windows Defender.

Microsoft received a private report about a vulnerability that could allow elevation of privilege due to the pathnames used by the Microsoft Antimalware Client. If successfully exploited, an attacker could execute arbitrary code and take complete control of an affected system. This would allow them to install programs and create new accounts. The bulletin is marked as Important (and not Critical) for Windows 8 and Windows RT as an attacker must have valid logon credentials to exploit the vulnerability.

Microsoft to patch critical flaws in Windows and IE on Tuesday

(LiveHacking.Com) – Microsoft has released its customary advance warning about security vulnerabilities that it plans to fix during its next Patch Tuesday. April’s update will contain nine bulletins, two of which are marked as Critical. The Critical bulletins address vulnerabilities in Microsoft Windows and Internet Explorer. The remaining seven are tagged as Important and will address issues in Microsoft Windows, Office, Anti-malware Software, and Server Software.

The IE bulletin affects all supported versions of Microsoft’s browser from IE 6 on XP to IE 10 on Windows 8 and RT. These vulnerabilities in IE could allow hackers to remotely execute arbitrary code (often used to infect a PC with malware via a drive-by download) on unpatched machines.

The Critical patches for Windows, which are also to fix remote code execution vulnerabilities, affect only the older versions of Windows from Windows 7 back to Windows XP. Windows 8, Windows Server 2012 and the version of Windows for tablets, Windows RT, are not affected.

Bulletin 7 only affects Windows 8 and Windows 8 RT and applies to some flaws in Windows Defender which could allow a hacker to run programs at an elevated privilege. Paul Henry, security and forensic analyst at Lumension, told The Register that “Windows Defender is an important security component for the new operating systems, so it’s a little concerning to see it impacted here, even if only at an ‘important’ rather than critical level. If you’re running either of those systems, I would patch this important bulletin first.”

Microsoft plans to publish the bulletins on April 9, 2013 at approximately 10 a.m. PDT.

Microsoft and Adobe release patches to fix critical vulnerabilities

(LiveHacking.Com) – For March’s Patch Tuesday Microsoft has released seven bulletins, four Critical-class and three Important-class. The bulletins address 20 vulnerabilities in total across several Microsoft products including Windows, Office, Internet Explorer, Server Tools, and Silverlight. Likewise Adobe has released a security update for its popular Flash Player to address vulnerabilities that could potentially allow a hacker to take control of a vulnerable system.

Microsoft

Among the fixes is a patch for an issue in the Kernel-Mode Drivers (KMD) where an attacker could gain administrator privileges by inserting a malicious USB flash drive into a Windows machine. Since the attack works even when no user is currently logged on, it means that anyone with casual access, such as a security guard, office cleaner or anyone with access to office space, could simply plug a USB flash drive into a PC and perform any action as an administrator. In total MS13-027 resolves three privately reported vulnerabilities by correcting the way that Windows kernel-mode USB drivers handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

Nine issues have also been fixed in Internet Explorer. The most severe of these could allow remote code execution if a user views a specially crafted webpage using IE. Upon successful exploitation, an attacker could gain the same rights as the current owner. All but one of these issues were privately reported to Microsoft and there are no reports of these vulnerabilities being used in the wild.

Microsoft Silverlight has also been patched to fix a vulnerability that could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements.

Adobe

Adobe has released a security update for Adobe Flash Player for Windows, OS X, Linux and Android. This update addresses vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected Versions

  • Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.273 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.6.0.597 and earlier versions for Windows, Macintosh and Android
  • Adobe AIR 3.6.0.597 SDK and earlier versions
  • Adobe AIR 3.6.0.599 SDK & Compiler and earlier versions
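
As an added example (not from Adobe's bulletin or the original article), the script below checks a software inventory against the "and earlier" ceilings in the Affected Versions list above. The product/platform key names, the function names and the sample inventory are assumptions constructed for illustration.

```python
"""Added example: check an inventory against the 'Affected Versions' ceilings."""
from typing import Optional

# "<version> and earlier" ceilings copied from the list above.
# Keys are (product, platform); the key spellings are this example's own.
CEILINGS = {
    ("flash", "windows"): "11.6.602.171",
    ("flash", "macintosh"): "11.6.602.171",
    ("flash", "linux"): "11.2.202.273",
    ("flash", "android-4"): "11.1.115.47",
    ("flash", "android-3"): "11.1.111.43",
    ("flash", "android-2"): "11.1.111.43",
    ("air", "windows"): "3.6.0.597",
    ("air", "macintosh"): "3.6.0.597",
    ("air", "android"): "3.6.0.597",
    ("air-sdk", "any"): "3.6.0.597",
    ("air-sdk-compiler", "any"): "3.6.0.599",
}


def parse_version(text: str) -> tuple:
    """Turn '11.6.602.171' into (11, 6, 602, 171); reject anything else."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, platform: str, version: str) -> Optional[bool]:
    """True/False when the list covers the install, None when it cannot decide."""
    ceiling = CEILINGS.get((product.lower(), platform.lower()))
    if ceiling is None:
        return None  # product/platform pair is not in the article's list
    try:
        installed = parse_version(version)
    except ValueError:
        return None  # unparseable version string: needs a manual look
    limit = parse_version(ceiling)
    # Pad to equal length so '3.6' compares as '3.6.0.0', not as a shorter tuple.
    width = max(len(installed), len(limit))
    installed += (0,) * (width - len(installed))
    limit += (0,) * (width - len(limit))
    return installed <= limit


def audit(inventory):
    """Split (host, product, platform, version) rows into affected and unresolved hosts."""
    affected, review = [], []
    for host, product, platform, version in inventory:
        verdict = is_affected(product, platform, version)
        if verdict is None:
            review.append(host)
        elif verdict:
            affected.append(host)
    return affected, review


# Constructed sample inventory (hosts and installed versions are made up).
SAMPLE = [
    ("ws-01", "flash", "windows", "11.6.602.171"),   # exactly the ceiling
    ("ws-02", "flash", "windows", "11.6.602.180"),   # above the ceiling
    ("lx-01", "flash", "linux", "11.2.202.270"),
    ("tab-01", "flash", "android-4", "11.1.115.48"),
    ("ph-01", "flash", "android-2", "11.1.111.9"),
    ("dev-01", "air-sdk-compiler", "any", "3.6.0.598"),
    ("ws-03", "flash", "solaris", "11.2.202.270"),   # platform not listed
    ("ws-04", "air", "windows", "3.6.0.597-beta"),   # unparseable
]

if __name__ == "__main__":
    affected, review = audit(SAMPLE)
    print("affected:", affected)
    print("manual review:", review)
```

Rows the list cannot decide (unlisted platform, non-numeric version string) are returned separately for manual review rather than being silently treated as unaffected.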

The update addresses four known vulnerabilities: an integer overflow vulnerability that could lead to code execution (CVE-2013-0646), a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650), a memory corruption vulnerability that could lead to code execution (CVE-2013-1371), and a heap buffer overflow vulnerability that could lead to code execution (CVE-2013-1375).

As a result of the update, Google has also released a new version of Chrome.

Oracle patches Java vulnerabilities being exploited in the wild

(LiveHacking.Com) – Oracle has rushed out an emergency patch to address two Java vulnerabilities, one of which is being actively exploited by attackers to maliciously install the McRat malware onto victims’ PCs. Both vulnerabilities affect the 2D component of Java SE. Targeting Java running in the browser, these vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications.

Security Alert CVE-2013-1493 patches Java to fix the vulnerabilities, which, although reported to Oracle on February 1st 2013, came too late to be included in February’s Critical Patch Update for Java SE. The fix had originally been planned for the April Critical Patch Update for Java SE, but since the vulnerabilities are being exploited in the wild, the company decided to release this out-of-band fix. The Java run-time environment (JRE) and the development kit (JDK) are affected for Java 5, Java 6 and Java 7.

“These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system,” said Oracle in a statement.

Apple simultaneously released an update for Java on OS X. OS X 2013-002 and Java for Mac OS X v10.6 Update 14 are available for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7, OS X Lion Server v10.7, OS X Mountain Lion 10.8 or later.

According to Apple, “Multiple vulnerabilities existed in Java, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.”

All users who don’t need to run Java in the browser should disable all Java plugins in all of the browsers on their PC or Mac. You should also strongly consider removing Java completely from your machines.

More zero-day vulnerabilities found in Java

(LiveHacking.Com) – Java was last updated only a few days ago when Oracle released an updated patch for Java SE to include five additional fixes that did not make it into the original patches delivered on February 1st. Now Adam Gowdiak, from Security Explorations, has posted to the full disclosure mailing list revealing details of two more zero-day vulnerabilities in the latest Java version.

According to Gowdiak, his company started to analyze the February 19th update and found two new security issues which when combined together can be successfully used to gain a complete Java security sandbox bypass. The company immediately reported the vulnerabilities to Oracle along with working Proof of Concept code.

Oracle did some investigation and has confirmed that the two issues when combined result in a full sandbox bypass for Java SE 7 Update 15. However, Oracle did note that one of the issues was actually the intended behavior, something that the team at Security Explorations rejects. According to Gowdiak, there is a mirror case corresponding to the issue that leads to an access denied condition and a security exception.

“That alone seems to be enough to contradict the ‘allowed behavior’ claim,” said Adam Gowdiak. “Is it possible to claim a non-security vulnerability when access is denied for a public API, but allowed for some private code path?”

It seems that, if Oracle doesn’t change its stance, Gowdiak is going to release details of the issue that he claims is a security vulnerability but Oracle claims is the ‘allowed behavior’.

Both the issues are specific to Java SE 7 only as they abuse the Reflection API in a particularly interesting way.

Apple releases fixes after its computers got hacked

(LiveHacking.Com) – Apple has revealed that a small number of its computers were hacked by the same group who recently targeted Facebook. The iPhone-maker said it has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. As a result Apple has released some updates for Java and Mac OS X 10.6.

Java for OS X 2013-001 and Mac OS X v10.6 Update 13 are now available and address the following:

  • Multiple vulnerabilities existed in Java 1.6.0_37, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
  • Multiple vulnerabilities existed in Java, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.

The Java updates are available for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.x, OS X Lion Server v10.7.x, OS X Mountain Lion 10.8.x.

Apple also released an update to its malware removal tool that will remove the most common variants of malware. If malware is found, it presents a dialog notifying the user that malware was removed.

Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days.

Microsoft fixes Critical remote code execution vulnerabilities

(LiveHacking.Com) – Microsoft has released 12 bulletins, five Critical and seven Important, to address 57 different vulnerabilities in Microsoft Windows, Office, Internet Explorer, Exchange and .NET Framework.

Among the fixes was a security update that resolves thirteen vulnerabilities in Internet Explorer. The most severe of these issues could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. As well as generally patching IE, the company also patched its implementation of the Vector Markup Language (VML) in its browser. If exploited the vulnerability could allow remote code execution if a user viewed a specially crafted webpage. Microsoft says that it is aware of this vulnerability being used as an information disclosure vulnerability in targeted attacks. It is therefore essential that this patch is applied as soon as possible.

There is also an update for Microsoft Windows Object Linking and Embedding (OLE) Automation. Again, the vulnerability could allow remote code execution, this time if a user opens a specially crafted file. The fix corrects the way in which OLE Automation parses files. This security update is rated as Critical but only for Windows XP Service Pack 3. All other supported versions of Microsoft Windows are not affected.

Similarly Microsoft fixed a vulnerability in how different types of media are decompressed. The remote code execution vulnerability could be exploited by tricking a user into opening a specially crafted media file (such as an .mpg file), opening a Microsoft Office document (such as a .ppt file) that contains a maliciously crafted embedded media file, or running programs that receive streaming content designed to exploit the vulnerability.

There is also a fix for remote code execution vulnerabilities in Microsoft Exchange Server, the most severe of which could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service in Exchange is used for WebReady Document Viewing.