August 30, 2014

Adobe releases surprise update for Flash

(LiveHacking.Com) – Just one week after releasing a security update for its Flash Player, Adobe has now released a second security update and, unlike last week’s update, it also covers Android. The update for Adobe Flash Player brings the version number for Windows, Macintosh and Linux to 11.4.402.265, users of Adobe Flash Player 11.1.115.11 and earlier versions on Android 4.x devices can now upgrade to Adobe Flash Player 11.1.115.17. The updates fix multiple vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

There are six critical bug fixes in this release.  This means that, if exploited, these bugs  would allow malicious native-code to execute, potentially without a user being aware. The first four bugs are memory corruption vulnerabilities that could lead to code execution, the fifth is an integer overflow vulnerability and the last is a cross-domain information leak vulnerability.

The update has taken many IT managers and security experts by surprise. Adobe (in recent times) releases security updates for its products on the second Tuesday of the month. However it has also remained committed to being flexible when faced with a zero-day attack. Since this new release could be considered out-of-band (as last week’s update also covered Shockwave Player and Acrobat Reader), does Adobe know something about a zero day attack which hasn’t yet been published? Or was last weeks update the out-of-band release as the CVE-2012-1535 vulnerability was being exploited in the wild (via a malicious Word document) and this release is the normal monthly security update?

As a result of the updates Google has released a new version of the Chrome web browser.

AFFECTED SOFTWARE VERSIONS

  • Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh and Linux operating systems
  • Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.3.0.3670 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.3.0.3690 SDK (includes AIR for iOS) and earlier versions
  • Adobe AIR 3.3.0.3650 and earlier versions for Android

Flash Player 11.3 fixes Critical security vulnerabilities

(LiveHacking.Com) – Adobe has released a new version of its ubiquitous Flash Player. Version 11.3 fixes at least seven critical security vulnerabilities. The new version also enables the background updater for Mac OS X. Older versions are vulnerable to crashes and potential arbitrary code execution. The new version is available for all supported operating systems, i.e. Windows, OS X, Linux. Affected versions including Adobe Flash Player 11.2.202.235 and earlier versions. For Android, Adobe has released a new version of the 11.1.x series where Adobe Flash Player 11.1.115.8 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.9 and earlier versions for Android 3.x and 2.x are vulnerable.

Of the seven vulnerabilities fixed two are memory corruptions, one is a stack overflow vulnerability, one is an  integer overflow vulnerability and another is a null de-referencing problem. All of these could lead to code execution. Of the remaining two, one is a security bypass vulnerability that could lead to information disclosure  and the others is a binary planting vulnerability in the Flash Player installer that could lead to code execution.

Google has released a new version of its Chrome web browser to upgrade the built-in  Flash Player to 11.3.300.257.

For users who cannot update to Flash Player 11.3, Adobe has released a patched version of Flash Player 10.x which can be downloaded here.

Along with the release of Flash 11.3, Adobe has also released a new version of Adobe Air for Windows, Macintosh and Android. Users of Adobe AIR 3.2.0.2070 should update to Adobe AIR 3.3.0.3610.

Adobe Fixes Zero-day Vulnerability in Flash That is Being Exploited in the Wild

(LiveHacking.Com) – Adobe has released a patch to fix a zero-day vulnerability in Flash Player that is being exploited in the wild. According to the security advisory the bug is being exploited in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only. As a remedy Adobe has released a security update for Windows, Macintosh, Linux and Android.

Details of the exact nature of the vulnerability are not available however it is clear that unpatched versions of Adobe Flash Player allow a remote attacker to execute arbitrary code via a crafted file, related to what is being called an “object confusion vulnerability.”

According to Symantec, the email attachment contains a  document with  “an embedded reference to a malicious Flash file hosted on a remote server. When the Flash file is acquired and opened, it sprays the heap with shellcode and triggers the CVE-2012-0779 exploit. Once the shellcode gains control, it looks for the payload in the original document, decrypts it, drops it to disk, and executes it.” Symantec says that the malware payload is Trojan.Pasam.

The vulnerability affects the following versions:

  • Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh, and Linux operating systems
  • Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x

Windows users are advised to upgrade as soon as possible as the exploit is targeting that platform.

Flash Player 11.2 Fixes Critical Vulnerabilities

(LiveHacking.Com) – Adobe has released Flash Player 11.2 with new features while also fixing some critical vulnerabilities. Among the new features is a new background updater for Windows. This system checks once every 24 hours for updates to Flash Player and updates all Flash Player versions installed on your PC including plugins and ActiveX.

The updater isn’t perfect as Firefox users need to restart their computers for Firefox to load the newly installed Plugin. The release notes mention that for 64-bit operating systems “it may be necessary to remove the NPSWF .dll from both WindowsSystem32MacromedFlash AND Windows[SysWow64]MacromedFlash directories”. It isn’t clear if this is instead of a reboot.

On the bug fix front, Flash Player 11.2 fixes critical vulnerabilities in Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

The first bug fixed is a memory corruption vulnerability related to URL security domain checking that could lead to code execution (ActiveX, Windows 7 or Vista only) (CVE-2012-0772), while the second resolves a memory corruption vulnerability in the NetStream class that could also lead to code execution (CVE-2012-0773).

AFFECTED SOFTWARE VERSIONS

  • Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player 11.1.111.7 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.1.0.4880 and earlier versions for Windows, Macintosh and Android

Google Releases Chrome 18 – Fixes Security Bugs, Adds Faster Graphics

(LiveHacking.Com) – The version numbers keep flying upwards! Google has released Chrome 18.0.1025.142 for Windows, Mac and Linux with a number of new features (including faster and fancier graphics) and a collection of security fixes. None of the security fixes in this release are marked as Critical but there are three High severity fixes.

Under Google’s definitions, High severity means that the vulnerability lets an attacker read or modify confidential data belonging to other web sites or if the attacker can execute arbitrary code within the confines of the sandbox. Vulnerabilities that interfere with browser security features are also high severity.

The first of the High severity bug fixed was an off-by-one error in OpenType Sanitizer, the next was a use-after-free error in SVG clipping and the third a memory corruption in Skia.

As part of the Chrome Vulnerability Rewards Program, which was created to help reward the contributions of security researchers who invest their time and effort in to making Chrome more secure, Google paid out $3000 for this release.

The full list of security related bug fixed are:

  • [$500] [109574] Medium CVE-2011-3058: Bad interaction possibly leading to XSS in EUC-JP. Credit to Masato Kinugawa.
  • [$500] [112317] Medium CVE-2011-3059: Out-of-bounds read in SVG text handling. Credit to Arthur Gerkis.
  • [$500] [114056] Medium CVE-2011-3060: Out-of-bounds read in text fragment handling. Credit to miaubiz.
  • [116398] Medium CVE-2011-3061: SPDY proxy certificate checking error. Credit to Leonidas Kontothanassis of Google.
  • [116524] High CVE-2011-3062: Off-by-one in OpenType Sanitizer. Credit to Mateusz Jurczyk of the Google Security Team.
  • [117417] Low CVE-2011-3063: Validate navigation requests from the renderer more carefully. Credit to kuzzcc, Sergey Glazunov, PinkiePie and scarybeasts (Google Chrome Security Team).
  • [$1000] [117471] High CVE-2011-3064: Use-after-free in SVG clipping. Credit to Atte Kettunen of OUSPG.
  • [$1000] [117588] High CVE-2011-3065: Memory corruption in Skia. Credit to Omair.
  • [$500] [117794] Medium CVE-2011-3057: Invalid read in v8. Credit to Christian Holler.

Google have also said that some of these items represent the start of hardening measures based on study of the exploits submitted to the Pwnium competition.

Note that the referenced bugs may be kept private until a majority of Chrome users are up to date with the fixes.

New Features

Chrome 18 also introduces some new features, specifically Google have enabled GPU-accelerated Canvas2D on capable Windows and Mac computers. This feature had previously been enabled in the Beta channel and Google hope developers have had a chance to try it out. Chrome 18 also enables SwiftShader, a software rasterizer licensed from TransGaming, for users with graphics cards which can’t cope with WebGL rendering.

Flash 11.2

Chrome 18 also includes Flash Player 11.2 which contains a number of new features along with security updates. See our post here.

Adobe Release Security Details for Latest Version of Flash

(LiveHacking.Com) – Over the weekend Google released a new version of its web browser Chrome which, along with security related bug fixes, included a new version of Adobe Flash Player. At the time of its release, Google were ahead of Adobe meaning that the version of Flash Player in Chrome was not yet announced by Adobe. However Adobe has now released details of the security fixes to Flash Player.

Flash Player 11.1.102.63  contains priority 2 updates that address critical vulnerabilities on Windows, Macintosh, Linux,  Android 4.x, and Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

Specifically the update fixes a memory corruption vulnerability in Matrix3D that could lead to code execution (CVE-2012-0768) and a resolves integer errors that could lead to information disclosure (CVE-2012-0769).

By marking this update as priority 2 Adobe are recommending that users  install the update within 30 days. This is because there are currently no known exploits and based on previous experience, Adobe do not anticipate exploits are imminent.

AFFECTED SOFTWARE VERSIONS

  • Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player 11.1.115.6 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x

The new version of Flash is available from the Flash Player Download Center. For users who cannot update to Flash Player 11.1.102.63, Adobe has developed a patched version of Flash Player 10.x, Flash Player 10.3.183.16, which can be downloaded here.

 

Google Release Chrome 17.0.963.56 to Fix Vulnerabilities and Update Flash

(LiveHacking.Com) – Google has updated Chrome to 17.0.963.56 for Windows, Mac and Linux.  This release includes a number of stability and security fixes and also includes a new version of Flash. Google paid out nearly $7000 to security researchers who contributed to fixing these security issues.

The full list of security related bugs fixed is:

  • [105803] High CVE-2011-3015: Integer overflows in PDF codecs. Credit to Google Chrome Security Team (scarybeasts).
  • [$500] [106336] Medium CVE-2011-3016: Read-after-free with counter nodes. Credit to miaubiz.
  • [$1000] [108695] High CVE-2011-3017: Possible use-after-free in database handling. Credit to miaubiz.
  • [$1000] [110172] High CVE-2011-3018: Heap overflow in path rendering. Credit to Aki Helin of OUSPG.
  • [110849] High CVE-2011-3019: Heap buffer overflow in MKV handling. Credit to Google Chrome Security Team (scarybeasts) and Mateusz Jurczyk of the Google Security Team.
  • [111575] Medium CVE-2011-3020: Native client validator error. Credit to Nick Bray of the Chromium development community.
  • [$1000] [111779] High CVE-2011-3021: Use-after-free in subframe loading. Credit to Arthur Gerkis.
  • [112236] Medium CVE-2011-3022: Inappropriate use of http for translation script. Credit to Google Chrome Security Team (Jorge Obes).
  • [$500] [112259] Medium CVE-2011-3023: Use-after-free with drag and drop. Credit to pa_kt.
  • [112451] Low CVE-2011-3024: Browser crash with empty x509 certificate. Credit to chrometot.
  • [$500] [112670] Medium CVE-2011-3025: Out-of-bounds read in h.264 parsing. Credit to Sławomir Błażek.
  • [$1337] [112822] High CVE-2011-3026: Integer overflow / truncation in libpng. Credit to Jüri Aedla.
  • [$1000] [112847] High CVE-2011-3027: Bad cast in column handling. Credit to miaubiz.

Note that the referenced bugs may be kept private until a majority of Chrome users are up to date with the fix.  Full details about what changes are in this release are available in the SVN revision log.

Adobe recetnly released a new version of Flash for Windows, OS X, Linux and Android. This new version of Chrome incorporates the updated version. The update addresses critical vulnerabilities in Adobe Flash Player. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

This update also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. However this is only being exploited in Internet Explorer on Windows and not Chrome. More info on the Flash update is available from Adobe.

Google Releases Chrome 15.0.874.120 With a new Version of Flash Plus Various Security Fixes

Google has released Chrome 15.0.874.120 for Windows, Mac and  Linux with a new version of Flash. This new version of Adobe Flash player fixes several memory corruption vulnerabilities that could lead to arbitrary code execution.

Google paid out $2,000 in rewards for this version with the all of the monet going to Aki Helin of OUSPG:

  • [$500] [100465] High CVE-2011-3892: Double free in Theora decoder. Credit to Aki Helin of OUSPG.
  • [$500] [100492] [100543] Medium CVE-2011-3893: Out of bounds reads in MKV and Vorbis media handlers. Credit to Aki Helin of OUSPG.
  • [101172] High CVE-2011-3894: Memory corruption regression in VP8 decoding. Credit to Andrew Scherkus of the Chromium development community.
  • [$1000] [101458] High CVE-2011-3895: Heap overflow in Vorbis decoder. Credit to Aki Helin of OUSPG.
  • [101624] High CVE-2011-3896: Buffer overflow in shader variable mapping. Credit to Ken “strcpy” Russell of the Chromium development community.
  • [102242] High CVE-2011-3897: Use-after-free in editing. Credit to pa_kt reported through ZDI (ZDI-CAN-1416).
  • [102461] Low CVE-2011-3898: Failure to ask for permission to run applets in JRE7. Credit to Google Chrome Security Team (Chris Evans).

Note that the referenced bugs are kept private by Google until a majority of Chrome users have updated.

Google also fixed the following bugs:

  • Updated V8 – 3.5.10.23
  • Fix small print sizing issues (issues: 10218682472102154)
  • Fixed the “certificate is not yet valid” error for server certificate issued by a VeriSign intermediate CA. (issue 101555) [OS X only]

New Version of Flash Coming to Fix Zero-day Vulnerability – Google Releases Updated Chrome First

(LiveHacking.Com) - Adobe will release an out of cycle update to Flash to address critical security issues. The update will also fix a universal cross-site scripting issue that is reportedly being exploited in the wild.

Although not all the details are available yet, it is likely (since this is an out of cycle release) that this vulnerability, if exploited, would allow malicious native-code to execute, potentially without a user being aware.

Google is one step ahead of Adobe and has released a new version of its Chrome web browser, which has a built-in version of Flash, to address what it calls “a zero-day vulnerability” in Flash Player:

The Beta and Stable channels have been updated to 14.0.835.186 for Windows, Mac, Linux, and Chrome Frame. This release includes an update to Flash Player that addresses a zero-day vulnerability.

Patch Roundup: Java, Flash, VLC, VMware, Chrome

The last few days has seen patches released for several major software packages including Java and Flash.

Java
Oracle has released patches to address several critical vulnerabilities in Java. Nine of the seventeen vulnerabilities have the highest severity rating. Affected versions are the Java Development Kit (JDK) and the Java Runtime Environment (JRE) versions 6.0 (up to and including update 25), version 5.0 (up to and including update 29) and version 1.4.2 (up to and including version 1.4.2_31) across all supported platforms.

According to the update advisory, “all of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.”

VMware
VMware has released security advisory VMSA-2011-0009 to address multiple vulnerabilities in the following products:

  • VMware Workstation 7.1.3 and earlier
  • VMware Player 3.1.3 and earlier
  • VMware Fusion 3.1.2 and earlier
  • ESXi 4.1 without patch ESXi410-201104402-BG
  • ESXi 4.0 without patch ESXi400-201104402-BG
  • ESXi 3.5 without patches ESXe350-201105401-I-SG and ESXe350-201105402-T-SG
  • ESX 4.1 without patch ESX410-201104401-SG
  • ESX 4.0 without patch ESX400-201104401-SG
  • ESX 3.5 without patches ESX350-201105401-SG, ESX350-201105404-SG, and ESX350-201105406-SG

VLC
VideoLAN has released VLC Media Player 1.1.10 to address an integer overflow vulnerability in the xspf demuxer. Exploitation of this vulnerability may allow an attacker to execute arbitrary code. The release notes also mention that libmodplug has been updated for security reasons in the Windows and Mac versions.

Flash
Adobe has released the security bulletin APSB11-13 to address a vulnerability in Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux, and Solaris, and 10.3.185.22 and earlier versions for Android.

The universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

Adobe recommends users of Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.181.22 (10.3.181.23 for ActiveX). Adobe recommends users of Adobe Flash Player 10.3.185.22 and earlier versions for Android update to Adobe Flash Player 10.3.181.23.

And Chrome

Google has released Chrome 12 with several security fixes:

  • [$2000] [73962] [79746] High CVE-2011-1808: Use-after-free due to integer issues in float handling. Credit to miaubiz.
  • [75496] Medium CVE-2011-1809: Use-after-free in accessibility support. Credit to Google Chrome Security Team (SkyLined).
  • [75643] Low CVE-2011-1810: Visit history information leak in CSS. Credit to Jesse Mohrland of Microsoft and Microsoft Vulnerability Research (MSVR).
  • [76034] Low CVE-2011-1811: Browser crash with lots of form submissions. Credit to “DimitrisV22”.
  • [$1337] [77026] Medium CVE-2011-1812: Extensions permission bypass. Credit to kuzzcc.
  • [78516] High CVE-2011-1813: Stale pointer in extension framework. Credit to Google Chrome Security Team (Inferno).
  • [79362] Medium CVE-2011-1814: Read from uninitialized pointer. Credit to Eric Roman of the Chromium development community.
  • [79862] Low CVE-2011-1815: Extension script injection into new tab page. Credit to kuzzcc.
  • [80358] Medium CVE-2011-1816: Use-after-free in developer tools. Credit to kuzzcc.
  • [$500] [81916] Medium CVE-2011-1817: Browser memory corruption in history deletion. Credit to Collin Payne.
  • [$1000] [81949] High CVE-2011-1818: Use-after-free in image loader. Credit to miaubiz.
  • [$1000] [83010] Medium CVE-2011-1819: Extension injection into chrome:// pages. Credit to Vladislavas Jarmalis, plus subsequent independent discovery by Sergey Glazunov.
  • [$3133.7] [83275] High CVE-2011-2332: Same origin bypass in v8. Credit to Sergey Glazunov.
  • [$1000] [83743] High CVE-2011-2342: Same origin bypass in DOM. Credit to Sergey Glazunov.

Note that the referenced bugs may be kept private until a majority of Chrome users have updated.

Chrome 12.0.742.91 also includes a number of new features including:

  • Hardware accelerated 3D CSS
  • New Safe Browsing protection against downloading malicious files
  • Ability to delete Flash cookies from inside Chrome
  • Launch Apps by name from the Omnibox
  • Integrated Sync into new settings pages
  • Improved screen reader support
  • New warning when hitting Command-Q on Mac
  • Removal of Google Gears