(LiveHacking.Com) – The last few days have seen lots of security related activity from some of the world’s leading software vendors. Both Microsoft and Adobe have released patches for some of their key software while almost simultaneously a Google engineer has released details of an obscure cross-scripting request forgery bug that left several high profile domains scrambling to protect themselves over the weekend.
Microsoft has released six new security bulletins, to tackle 29 different vulnerabilities in Microsoft Windows and Internet Explorer. Two of these security bulletins are rated Critical, while the rest are either rated as Important or Moderate.
The first of the two Critical level bulletins (MS14-037) is a cumulative security update for Internet Explorer. The update fixes one publicly disclosed vulnerability and twenty-three privately reported vulnerabilities in Microsoft’s web browser. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using IE. This security update is rated Critical for IE 6 through to IE 11 on Microsoft Windows desktop operating systems. For the server versions of Windows the update is rated as Moderate.
The other Critical level update (MS14-038) fixes a remote code execution vulnerability that exists because of the way that Windows Journal parses specially crafted files. The vulnerability could be exploited if a user opens a specially crafted Journal file. The fix is rated Critical for all supported editions of Windows Vista, Windows Server 2008 (excluding Itanium), Windows 7, Windows Server 2008 R2 (excluding Itanium), Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.
The other bulletins release by Microsoft are:
- MS14-039 – Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker uses a vulnerability in a low integrity process to execute the On-Screen Keyboard (OSK) and upload a specially crafted program to the target system.
- MS14-040 – Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker logs onto a system and runs a specially crafted application.
- MS14-041 – Vulnerability in DirectShow Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker first exploits another vulnerability in a low integrity process and then uses this vulnerability to execute specially crafted code in the context of the logged on user.
- MS14-042Vulnerability in Microsoft Service Bus Could Allow Denial of Service. The vulnerability could allow denial of service if a remote authenticated attacker creates and runs a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system.
Adobe has released security updates for Adobe Flash Player on Windows, OS X and Linux. The updates patch vulnerabilities that could potentially allow a remote attacker to take control of the affected system. The affected software versions are:
- Adobe Flash Player 220.127.116.11 and earlier versions for Windows and Macintosh
- Adobe Flash Player 18.104.22.1688 and earlier versions for Linux
- Adobe AIR 22.214.171.124 SDK and earlier versions
- Adobe AIR 126.96.36.199 SDK & Compiler and earlier versions
- Adobe AIR 188.8.131.52 and earlier versions for Android
As well as fixing two, as yet undisclosed, security bypass vulnerabilities (CVE-2014-0537, CVE-2014-0539), the update also includes additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs (CVE-2014-4671).
As mentioned above, the update to Adobe Flasher Player includes additional validation checks for an obscure cross-scripting request forgery bug that was disclosed by Google’s information security engineer Michele Spagnuolo over the weekend. In his blog “Abusing JSONP with Rosetta Flash,” Michele details how his tool Rosetta Flash can convert Adobe SFW files from binary to text. Attackers can then upload the “weaponised” SWF file to a domain where they will be loaded by a victim’s browser and executed by Adobe Flash Player.
Several high-profile websites were vulnerable, including most Google domains, Instagram, Tumblr and eBay. Many of these sites have worked over the weekend to protect themselves against the vulnerability.
Because of the sensitivity of this vulnerability, Spagnuolo first disclosed it internally to Google, and then privately to Adobe. He also told Twitter, eBay, Tumblr and Instagram before going public with his findings.