September 23, 2014

Microsoft to fix 57 unique vulnerabilities in February’s Patch Tuesday, also updates Flash in IE 10

microsoft logo(LiveHacking.Com) – Microsoft has published an advanced notification of security patches that it intends to release on Tuesday February 12, 2013. It will  release 12 bulletins, five of which are rated as Critical and seven as Important. These bulletins address 57 unique vulnerabilities in various Microsoft products including Windows, Internet Explorer and Exchange Software, Office, .NET Framework, and Microsoft Server Software.

All five Critical bulletins resolve remote code execution problems while the Important class advisories will address denial of service and elevation of privilege problem along with another less harmful remote code execution vulnerability.

Windows XP is affected by four of the five Critical bulletins, while Windows 8 is affected by only two of them. The common vulnerabilities between the oldest and newest of Microsoft’s current supported operating systems are all connected with Internet Explorer. It seems that Microsoft will patch some holes in IE which can be found in IE 6, 7, 8, 9 and 10. The version of IE 10 in Windows RT is also affected.

The other Critical bulletin will be issued regarding Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010.

IE 10 and Adobe Flash Player

Microsoft has also issued an update for Internet Explorer 10 on Windows 8 to update the built-in version of Adobe Flash Player which Adobe recently updated.  Adobe released security updates for Adobe Flash Player on Windows, OS X, Linux and Android to address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is reporting that at least two of the vulnerabilities addressed are being exploited in the wild. In one targeted attack, users are tricked  into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The other vulnerability is being exploited via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening another Microsoft Word document.

Adobe updates Flash Player to fix 25 security vulnerabilities

(LiveHacking.Com) – Adobe has released a new version of its Flash Player to address a multitude of security vulnerabilities. The new release fixes at least 25 separate security flaws. Adobe also released a security patch for its Adobe AIR software. According to Adobe, “these updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.”

The update affects all Flash platforms including Windows, Mac, Linux and Android. Adobe has released security updates for:

  • Adobe Flash Player 11.4.402.278 and earlier versions for Windows
  • Adobe Flash Player 11.4.402.265 and earlier versions for Macintosh,
  • Adobe Flash Player 11.2.202.238 and earlier for versions for Linux,
  • Adobe Flash Player 11.1.115.17 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.16 and earlier versions for Android 3.x and 2.x.

For Adobe AIR users, all versions prior to 3.4.0.2540 on Windows, Macintosh and Android should update to Adobe AIR 3.4.0.2710.

There are two categories of vulnerabilities fix in this release: buffer overflow vulnerabilities that could lead to code execution and memory corruption vulnerabilities that could also lead to code execution.

If you are still using Flash Player 10 and you cannot update to Flash Player 11.4.402.287, Adobe has released Flash Player 10.3.183.29, which can be downloaded here.

Adobe releases surprise update for Flash

(LiveHacking.Com) – Just one week after releasing a security update for its Flash Player, Adobe has now released a second security update and, unlike last week’s update, it also covers Android. The update for Adobe Flash Player brings the version number for Windows, Macintosh and Linux to 11.4.402.265, users of Adobe Flash Player 11.1.115.11 and earlier versions on Android 4.x devices can now upgrade to Adobe Flash Player 11.1.115.17. The updates fix multiple vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

There are six critical bug fixes in this release.  This means that, if exploited, these bugs  would allow malicious native-code to execute, potentially without a user being aware. The first four bugs are memory corruption vulnerabilities that could lead to code execution, the fifth is an integer overflow vulnerability and the last is a cross-domain information leak vulnerability.

The update has taken many IT managers and security experts by surprise. Adobe (in recent times) releases security updates for its products on the second Tuesday of the month. However it has also remained committed to being flexible when faced with a zero-day attack. Since this new release could be considered out-of-band (as last week’s update also covered Shockwave Player and Acrobat Reader), does Adobe know something about a zero day attack which hasn’t yet been published? Or was last weeks update the out-of-band release as the CVE-2012-1535 vulnerability was being exploited in the wild (via a malicious Word document) and this release is the normal monthly security update?

As a result of the updates Google has released a new version of the Chrome web browser.

AFFECTED SOFTWARE VERSIONS

  • Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh and Linux operating systems
  • Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.3.0.3670 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) and earlier versions
  • Adobe AIR 3.3.0.3650 and earlier versions for Android

Adobe Fixes Zero-day Vulnerability in Flash That is Being Exploited in the Wild

(LiveHacking.Com) – Adobe has released a patch to fix a zero-day vulnerability in Flash Player that is being exploited in the wild. According to the security advisory the bug is being exploited in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only. As a remedy Adobe has released a security update for Windows, Macintosh, Linux and Android.

Details of the exact nature of the vulnerability are not available however it is clear that unpatched versions of Adobe Flash Player allow a remote attacker to execute arbitrary code via a crafted file, related to what is being called an “object confusion vulnerability.”

According to Symantec, the email attachment contains a  document with  “an embedded reference to a malicious Flash file hosted on a remote server. When the Flash file is acquired and opened, it sprays the heap with shellcode and triggers the CVE-2012-0779 exploit. Once the shellcode gains control, it looks for the payload in the original document, decrypts it, drops it to disk, and executes it.” Symantec says that the malware payload is Trojan.Pasam.

The vulnerability affects the following versions:

  • Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh, and Linux operating systems
  • Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x

Windows users are advised to upgrade as soon as possible as the exploit is targeting that platform.

Flash Player 11.2 Fixes Critical Vulnerabilities

(LiveHacking.Com) – Adobe has released Flash Player 11.2 with new features while also fixing some critical vulnerabilities. Among the new features is a new background updater for Windows. This system checks once every 24 hours for updates to Flash Player and updates all Flash Player versions installed on your PC including plugins and ActiveX.

The updater isn’t perfect as Firefox users need to restart their computers for Firefox to load the newly installed Plugin. The release notes mention that for 64-bit operating systems “it may be necessary to remove the NPSWF .dll from both WindowsSystem32MacromedFlash AND Windows[SysWow64]MacromedFlash directories”. It isn’t clear if this is instead of a reboot.

On the bug fix front, Flash Player 11.2 fixes critical vulnerabilities in Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

The first bug fixed is a memory corruption vulnerability related to URL security domain checking that could lead to code execution (ActiveX, Windows 7 or Vista only) (CVE-2012-0772), while the second resolves a memory corruption vulnerability in the NetStream class that could also lead to code execution (CVE-2012-0773).

AFFECTED SOFTWARE VERSIONS

  • Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player 11.1.111.7 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.1.0.4880 and earlier versions for Windows, Macintosh and Android

Adobe Release Security Details for Latest Version of Flash

(LiveHacking.Com) – Over the weekend Google released a new version of its web browser Chrome which, along with security related bug fixes, included a new version of Adobe Flash Player. At the time of its release, Google were ahead of Adobe meaning that the version of Flash Player in Chrome was not yet announced by Adobe. However Adobe has now released details of the security fixes to Flash Player.

Flash Player 11.1.102.63  contains priority 2 updates that address critical vulnerabilities on Windows, Macintosh, Linux,  Android 4.x, and Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

Specifically the update fixes a memory corruption vulnerability in Matrix3D that could lead to code execution (CVE-2012-0768) and a resolves integer errors that could lead to information disclosure (CVE-2012-0769).

By marking this update as priority 2 Adobe are recommending that users  install the update within 30 days. This is because there are currently no known exploits and based on previous experience, Adobe do not anticipate exploits are imminent.

AFFECTED SOFTWARE VERSIONS

  • Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player 11.1.115.6 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x

The new version of Flash is available from the Flash Player Download Center. For users who cannot update to Flash Player 11.1.102.63, Adobe has developed a patched version of Flash Player 10.x, Flash Player 10.3.183.16, which can be downloaded here.

 

New Version of Flash Coming to Fix Zero-day Vulnerability – Google Releases Updated Chrome First

(LiveHacking.Com) – Adobe will release an out of cycle update to Flash to address critical security issues. The update will also fix a universal cross-site scripting issue that is reportedly being exploited in the wild.

Although not all the details are available yet, it is likely (since this is an out of cycle release) that this vulnerability, if exploited, would allow malicious native-code to execute, potentially without a user being aware.

Google is one step ahead of Adobe and has released a new version of its Chrome web browser, which has a built-in version of Flash, to address what it calls “a zero-day vulnerability” in Flash Player:

The Beta and Stable channels have been updated to 14.0.835.186 for Windows, Mac, Linux, and Chrome Frame. This release includes an update to Flash Player that addresses a zero-day vulnerability.

Patch Roundup: Java, Flash, VLC, VMware, Chrome

The last few days has seen patches released for several major software packages including Java and Flash.

Java
Oracle has released patches to address several critical vulnerabilities in Java. Nine of the seventeen vulnerabilities have the highest severity rating. Affected versions are the Java Development Kit (JDK) and the Java Runtime Environment (JRE) versions 6.0 (up to and including update 25), version 5.0 (up to and including update 29) and version 1.4.2 (up to and including version 1.4.2_31) across all supported platforms.

According to the update advisory, “all of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.”

VMware
VMware has released security advisory VMSA-2011-0009 to address multiple vulnerabilities in the following products:

  • VMware Workstation 7.1.3 and earlier
  • VMware Player 3.1.3 and earlier
  • VMware Fusion 3.1.2 and earlier
  • ESXi 4.1 without patch ESXi410-201104402-BG
  • ESXi 4.0 without patch ESXi400-201104402-BG
  • ESXi 3.5 without patches ESXe350-201105401-I-SG and ESXe350-201105402-T-SG
  • ESX 4.1 without patch ESX410-201104401-SG
  • ESX 4.0 without patch ESX400-201104401-SG
  • ESX 3.5 without patches ESX350-201105401-SG, ESX350-201105404-SG, and ESX350-201105406-SG

VLC
VideoLAN has released VLC Media Player 1.1.10 to address an integer overflow vulnerability in the xspf demuxer. Exploitation of this vulnerability may allow an attacker to execute arbitrary code. The release notes also mention that libmodplug has been updated for security reasons in the Windows and Mac versions.

Flash
Adobe has released the security bulletin APSB11-13 to address a vulnerability in Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux, and Solaris, and 10.3.185.22 and earlier versions for Android.

The universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

Adobe recommends users of Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.181.22 (10.3.181.23 for ActiveX). Adobe recommends users of Adobe Flash Player 10.3.185.22 and earlier versions for Android update to Adobe Flash Player 10.3.181.23.

And Chrome

Google has released Chrome 12 with several security fixes:

  • [$2000] [73962] [79746] High CVE-2011-1808: Use-after-free due to integer issues in float handling. Credit to miaubiz.
  • [75496] Medium CVE-2011-1809: Use-after-free in accessibility support. Credit to Google Chrome Security Team (SkyLined).
  • [75643] Low CVE-2011-1810: Visit history information leak in CSS. Credit to Jesse Mohrland of Microsoft and Microsoft Vulnerability Research (MSVR).
  • [76034] Low CVE-2011-1811: Browser crash with lots of form submissions. Credit to “DimitrisV22”.
  • [$1337] [77026] Medium CVE-2011-1812: Extensions permission bypass. Credit to kuzzcc.
  • [78516] High CVE-2011-1813: Stale pointer in extension framework. Credit to Google Chrome Security Team (Inferno).
  • [79362] Medium CVE-2011-1814: Read from uninitialized pointer. Credit to Eric Roman of the Chromium development community.
  • [79862] Low CVE-2011-1815: Extension script injection into new tab page. Credit to kuzzcc.
  • [80358] Medium CVE-2011-1816: Use-after-free in developer tools. Credit to kuzzcc.
  • [$500] [81916] Medium CVE-2011-1817: Browser memory corruption in history deletion. Credit to Collin Payne.
  • [$1000] [81949] High CVE-2011-1818: Use-after-free in image loader. Credit to miaubiz.
  • [$1000] [83010] Medium CVE-2011-1819: Extension injection into chrome:// pages. Credit to Vladislavas Jarmalis, plus subsequent independent discovery by Sergey Glazunov.
  • [$3133.7] [83275] High CVE-2011-2332: Same origin bypass in v8. Credit to Sergey Glazunov.
  • [$1000] [83743] High CVE-2011-2342: Same origin bypass in DOM. Credit to Sergey Glazunov.

Note that the referenced bugs may be kept private until a majority of Chrome users have updated.

Chrome 12.0.742.91 also includes a number of new features including:

  • Hardware accelerated 3D CSS
  • New Safe Browsing protection against downloading malicious files
  • Ability to delete Flash cookies from inside Chrome
  • Launch Apps by name from the Omnibox
  • Integrated Sync into new settings pages
  • Improved screen reader support
  • New warning when hitting Command-Q on Mac
  • Removal of Google Gears

Zero Day Exploit in Flash was Used to Crack Open RSA’s Servers

Two weeks ago RSA revealed in an open letter to its customers that its servers where compromised by, what they called, “an extremely sophisticated cyber attack”. As a result information relating to RSA’s SecurID two-factor authentication products was extracted from RSA’s systems.

Now, Avivah Litan, an analyst at Gartner Research, has revealed that the hackers used the recently revealed zero day exploit in Adobe’s Flash.

The hackers started their attack by sending phishing emails to groups of RSA employees. The emails were cheekily titled “2011 Recruitment Plan”. Attached to the email was an Excel spreadsheet with the recently-discovered Adobe Flash zero day flaw CVE-2011-0609. In turn this allowed them to download trojans onto RSA’s system where they started hacking until they finally gained privileged access.

Litan does praise RSA’s openness about the attack, but there are questions about RSA’s internal security especially since they sell a fraud detection systems based on user and account profiling that should spot abnormal behavior and intervene in real time.

Flash Player as a spy system

If a forged certificate is accepted when accessing the Flash Player’s Settings Manager, which is available exclusively online, attackers can potentially manipulate the player’s website privacy settings. This allows a web page to access a computer’s web cams and microphones and remotely turn the computer into a covert listening device or surveillance camera.

Read the full article here.

Source:[TheHSecurity]