October 31, 2014

Adobe releases hotfix for ColdFusion

adobe-logo(LiveHacking.Com) –  Earlier this month Adobe published a security advisory outlining some Critical vulnerabilities in Adobe ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh, and UNIX. At the time, Adobe promised it would fix the problem and publish patches, which it has now done. The hotfix released by Adobe addresses vulnerabilities that could permit an unauthorized user to remotely circumvent authentication controls and potentially allowing the attacker to take control of the affected server. The flaws have been assigned CVE numbers: CVE-2013-0625, CVE-2013-0629, CVE-2013-0631 and CVE-2013-0632.

Adobe is reporting that it is aware of reports that the vulnerabilities are being exploited in the wild against ColdFusion customers.

The patches fix the follow vulnerabilities:

  • An authentication bypass vulnerability affecting ColdFusion versions 9.0.2, 9.0.1 and 9.0.0, which could result in an unauthorized user gaining administrative access (CVE-2013-0625).
  • A directory traversal vulnerability affecting ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0.0, which could permit an unauthorized user access to restricted directories (CVE-2013-0629).
  • A vulnerability affecting ColdFusion versions 9.0.2, 9.0.1 and 9.0.0, which could result in information disclosure from a compromised server (CVE-2013-0631).
  • An authentication bypass vulnerability affecting ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0.0, which could result in an unauthorized user gaining administrative access (CVE-2013-0632).

Adobe Reader PDF zero-day exploit selling for $50,000 on black market

(LiveHacking.Com) – Although Adobe added sandboxing to Adobe Reader X it still seems that malicious hackers are find ways of compromising the security of computers via specially formed PDF files. Russian security  firm Group-IB has announced that there is a new zero-day exploit for the popular PDF file reader which is being sold in the underground for up to $50,000. The exploit, which targets Windows-based installations of Adobe X and IX, has also been included in a modified version of the notorious BlackHole exploit toolkit.

At the moment the exploit is only being distributed in a small circles of underground hackers but, of course, there is every possibility that its use will become wide spread. The new unpatched zero day threat allows malware writers and bot authors further opportunities to create new attacked vectors by which malware can be loaded into a victims computer.

“The vulnerability has some limitations, for example it could be successfully exploited only after the user will close the browser and restart it. Another variant is to organize interaction between the victim and the malformed PDF-document. Either way, the vulnerability is has very significant vector to be spread with bypassing of internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution,” said Andrey Komarov, the Head of International Projects Department of Group-IB.

A video showing a proof of concept can be seen here: http://www.youtube.com/watch?v=uGF8VDBkK0M&feature=youtu.be. As the video shows, for the payload to run the web browser needs to be restarted. This means that the malware might not infect the PC at the moment the PDF file is opened, but it will most likely succeed at a future time whenever the web browser is closed.

“We saw the announcement from Group IB, but we haven’t seen or received any details,” Adobe spokeswoman Wiebke Lips told SCMagazine.com in an email. “Adobe PSIRT (Product Security Incident Response Team) has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately — beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.”

Brian Krebs has pointed out that Blackhole is by far the most prevalent exploit kit in use today. At any rate, consumers should realize that there are several PDF reader option apart from Adobe’s,  including FoxitPDF-Xchange Viewer,Nitro PDF and Sumatra PDF.

In brief: Microsoft updates Internet Explorer 10 to address vulnerabilities in Adobe Flash Player

(LiveHacking.Com) – Adobe has released a new version of its ubiquitous Flash Player to address vulnerabilities that could cause a crash and potentially be exploited by an attacker to infect a PC with malware. As a result Microsoft has issued a patch to IE10 to update the browser’s built-in version of Flash Player.

Microsoft has revised Security Advisory 2755801 to reflect the changes. The new version of IE is available for all supported editions of Windows 8, Windows Server 2012, and Windows RT. For more information about the update, including download links, see Microsoft Knowledge Base Article 2770041

“We remain committed to taking the appropriate actions to help protect customers and will continue to work closely with Adobe to deliver quality protections that are aligned with Adobe’s update process,” said Dave Forstrom, Director, Microsoft Trustworthy Computing.

Adobe has released a security update for Adobe Flash Player

(LiveHacking.Com) – Adobe has released a security update for Adobe Flash Player to address vulnerabilities that could cause a crash and potentially be exploited by an attacker to infect a PC with malware.

The update applies to Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.243 and earlier versions for Linux, Adobe Flash Player 11.1.115.20 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x.

The update addresses six different memory issues and a security bypass vulnerability:

  • Buffer overflow vulnerabilities that could lead to code execution (CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, CVE-2012-5280).
  • Memory corruption vulnerabilities that could lead to code execution (CVE-2012-5279).
  • Security bypass vulnerability that could lead to code execution (CVE-2012-5278).

If you need to check the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. For those with multiple browsers installed you should perform the check for each browser. Android users should tap on Settings > Applications > Manage Applications > Adobe Flash Player x.x.

The built-in version of Flash Player has also been updated in Internet Explorer 10 and Chrome.

Adobe releases security update to fix critical vulnerabilities in Shockwave Player

(LiveHacking.Com) – Adobe has released a security update for its Shockwave Player to fix critical vulnerabilities that could allow an attacker to run malicious code on a victim’s PC and infect it with malware. All installations of Shockwave Player 11.6.7.637 and earlier versions on the Windows and Mac are affected. Adobe recommends that all users upgrade to Shockwave Player 11.6.8.638.

Th update patches 6 distinct security bugs in the software, all of which are related to memory corruption issues:

  • Buffer overflow vulnerabilities that could lead to code execution (CVE-2012-4172, CVE-2012-4173, CVE-2012-4174, CVE-2012-4175, CVE-2012-5273).
  • Array out of bounds vulnerability that could lead to code execution (CVE-2012-4176).

It seems that Adobe was tipped off about many of these errors by Will Dormann of the CERT Coordination Center at the Carnegie Mellon University. Adobe also thank Honggang Ren of Fortinet’s FortiGuard Labs  for pointing out CVE-2012-5273.

The Shockwave plugin is still quite popular for Windows and Mac users who need it to access certain types of multimedia content. However it shouldn’t be confused with Adobe Flash Player which is much more prevalent. There are different but note that Flash Player still shows up as ‘Shockwave Flash’ in Mozilla Firefox’s plugins listing.

Before updating Shockwave, you should check to see if  you have it installed. Use this link and check that a short animation is displayed along with the version number of Shockwave. If you are asked to download Shockwave then you don’t have it installed and it is best to leave things the way they are. If you do have it installed think about the possibilities of uninstalling it. It isn’t as popular as it once was and most sites no longer require Shockwave at all. Uninstalling it will remove a potential attack vector.

In the security advisory, Adobe says it is not aware of any active attacks against these flaws. The newest version can be downloaded here.

Adobe releases fix for Photoshop CS6 PNG parsing heap overflow

Adobe has released a security patch for Adobe Photoshop CS6 (13.0) for Windows and Macintosh. The update fixes critical vulnerabilities in Photoshop’s PNG parsing that could allow an attacker take control of an affected system.

Adobe haven’t release much informaton about the update but only mention that it fixes two buffer overflow vulnerabilities (CVE-2012-4170 and CVE-2012-0275) and that could lead to code execution. However Francis Provencher, from Protek Research Labs, who was responsible for finding one of the vulnerabilities posted more information on exploit-db.com.

The vulnerability is caused due to a boundary error in the “Standart MultiPlugin.8BF” module when processing a Portable Network Graphics (PNG) image. This can be exploited to cause
a heap-based buffer overflow via a specially crafted “tRNS” chunk size. Successful exploitation may allow execution of arbitrary code. However, to exploit the vulnerability a Photoshop user needs to be convinced to open a malicious image in the editor.

Adobe Photoshop CS5.1 (12.1.1) and Adobe Photoshop CS5 (12.0.5) and earlier versions for Windows and Macintosh are not affected by these vulnerabilities.

Adobe releases surprise update for Flash

(LiveHacking.Com) – Just one week after releasing a security update for its Flash Player, Adobe has now released a second security update and, unlike last week’s update, it also covers Android. The update for Adobe Flash Player brings the version number for Windows, Macintosh and Linux to 11.4.402.265, users of Adobe Flash Player 11.1.115.11 and earlier versions on Android 4.x devices can now upgrade to Adobe Flash Player 11.1.115.17. The updates fix multiple vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

There are six critical bug fixes in this release.  This means that, if exploited, these bugs  would allow malicious native-code to execute, potentially without a user being aware. The first four bugs are memory corruption vulnerabilities that could lead to code execution, the fifth is an integer overflow vulnerability and the last is a cross-domain information leak vulnerability.

The update has taken many IT managers and security experts by surprise. Adobe (in recent times) releases security updates for its products on the second Tuesday of the month. However it has also remained committed to being flexible when faced with a zero-day attack. Since this new release could be considered out-of-band (as last week’s update also covered Shockwave Player and Acrobat Reader), does Adobe know something about a zero day attack which hasn’t yet been published? Or was last weeks update the out-of-band release as the CVE-2012-1535 vulnerability was being exploited in the wild (via a malicious Word document) and this release is the normal monthly security update?

As a result of the updates Google has released a new version of the Chrome web browser.

AFFECTED SOFTWARE VERSIONS

  • Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh and Linux operating systems
  • Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.3.0.3670 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) and earlier versions
  • Adobe AIR 3.3.0.3650 and earlier versions for Android

Adobe updates Flash Player, Shockwave Player and Acrobat Reader to close security vulnerabilities but Google issues warning

(LiveHacking.Com) – Adobe has released a series of security advisories about its Flash Player, Shockwave Player and Acrobat Reader to close security vulnerabilities. As a result of the updates Google has released a new version of the Chrome web browser but they have also issued a warning about using Acrobat Reader on Windows (as there are still Critical vulnerabilities which are unfixed) and on Linux which was not patched at all. Gynvael Coldwind of the Google Security Team said “we consider users of Adobe Reader to be exposed to serious risk.”

According to the Google security researchers, Adobe Reader for Linux users are exposed to all the known critical vulnerabilities, while Adobe Reader for Windows and Mac OS X users are currently vulnerable to up to 6 and 10 unpatched issues (respectively).

What Adobe did patch for its PDF reader affects Adobe Reader and Acrobat X (10.1.3) and earlier versions for Windows and Macintosh. The updates address vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system. The new versions fix stack and buffer overflow vulnerabilities as well as memory corruption vulnerabilities. In the security advisory Adobe thanks Mateusz Jurczyk and Gynvael Coldwind, of the Google Security Team, for twelve of the bugs found.

Adobe has also released an update for Adobe Shockwave Player 11.6.5.635 and earlier versions on the Windows and Macintosh operating systems. The update addresses five memory corruption vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.

There is also an update for Flash Player on Windows, Macintosh and Linux. The updates address a vulnerability (CVE-2012-1535) that could cause the application to crash and potentially allow an attacker to take control of the affected system. This bug is currently being exploited in the wild via a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.

Flash Player 11.3 fixes Critical security vulnerabilities

(LiveHacking.Com) – Adobe has released a new version of its ubiquitous Flash Player. Version 11.3 fixes at least seven critical security vulnerabilities. The new version also enables the background updater for Mac OS X. Older versions are vulnerable to crashes and potential arbitrary code execution. The new version is available for all supported operating systems, i.e. Windows, OS X, Linux. Affected versions including Adobe Flash Player 11.2.202.235 and earlier versions. For Android, Adobe has released a new version of the 11.1.x series where Adobe Flash Player 11.1.115.8 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.9 and earlier versions for Android 3.x and 2.x are vulnerable.

Of the seven vulnerabilities fixed two are memory corruptions, one is a stack overflow vulnerability, one is an  integer overflow vulnerability and another is a null de-referencing problem. All of these could lead to code execution. Of the remaining two, one is a security bypass vulnerability that could lead to information disclosure  and the others is a binary planting vulnerability in the Flash Player installer that could lead to code execution.

Google has released a new version of its Chrome web browser to upgrade the built-in  Flash Player to 11.3.300.257.

For users who cannot update to Flash Player 11.3, Adobe has released a patched version of Flash Player 10.x which can be downloaded here.

Along with the release of Flash 11.3, Adobe has also released a new version of Adobe Air for Windows, Macintosh and Android. Users of Adobe AIR 3.2.0.2070 should update to Adobe AIR 3.3.0.3610.

Adobe Finally Updates the CS5 & CS5.5 Versions of Illustrator and Photoshop to Fix Security Vulnerabilities

Three weeks ago Adobe published two security advisories describing critical vulnerabilities in the CS5 and CS5.5 versions of Illustrator and Photoshop. The original advisories recommended that users upgrade to CS6 (which they would have to pay for) and didn’t offer any patches or updates for the CS5 and CS5.5 versions. Following complaints, bad press and an outcry from users, Adobe made a U turn and promised patches in due course. Those patches have now been released.

Illustrator

The vulnerabilities present in Adobe Illustrator CS5 (15.0.x) and Adobe Illustrator CS5.5 (15.1) for Windows and Macintosh could allow an attacker who successfully exploits these vulnerabilities to take control of the affected computer. Adobe has now released Adobe Illustrator CS5 (15.0.3) and Adobe Illustrator CS5.5 (15.1.1) to address the vulnerabilities. Specifically the update addresses six separate memory corruption vulnerabilities that could be exploited to let an attacker execute arbitrary code.

Photoshop

Like Adobe Illustrator, the vulnerabilities present in Adobe Photoshop CS5 (12.0) and Adobe Photoshop CS5.1 (12.1) for Windows and Macintosh could allow an attacker who successfully exploits these vulnerabilities to take control of the affected computer.

Adobe has now released security updates for Adobe Photoshop CS5 (12.0) and Adobe Photoshop CS5.1 (12.1) for Windows and Macintosh. For an attacker to exploit the vulnerabilities a malicious file must be opened in Photoshop. Adobe is not aware of any attacks exploiting these vulnerabilities. The update fixes three specific problems:

  1. A use-after-free TIFF vulnerability that could lead to code execution.
  2. A buffer overflow vulnerability that could lead to code execution.
  3. A stack-based buffer-overflow vulnerability in the Collada .DAE file format that could lead to code execution.