Tag Archives: adobe

TAO Hijack Routers – WSWiR Episode 107

Tons of Patches, NSA Booby-Trapped Routers, and Alleged Iranian Hackers

If you don’t have time to follow all the information security stories popping up each week, you can let our weekly video and blog post summarize the important stuff for you.

In today’s show, I recite the big list of security patches you need to get this week, talk about how the NSA is intercepting and hacking routers to foreigners, and weigh in on whether or not the security industry is blaming advanced attacks on “nation-state” actors a bit too freely. Press play on YouTube for all the details, and don’t forget to check out the Reference section for links to other interesting InfoSec stories.

Hope you have a great weekend, and be careful shopping online!

(Episode Runtime: 8:25)

Direct YouTube Link: https://www.youtube.com/watch?v=LdOHsV88z4Y

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Reader, Flash, and Illustrator Security Patches

Severity: High

Summary:

  • These vulnerabilities affect: Reader and Acrobat, Flash Player, and Illustrator (CS6)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released or updated three security bulletins that describe vulnerabilities in four of their popular software packages; Reader and Acrobat X, Flash Player, and Illustrator.

Adobe Patch Day, May 2014

 

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize the Adobe security bulletins below:

  • APSB14-15: Multiple Reader and Acrobat Code Execution Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes 11 vulnerabilities that affect Adobe Reader and Acrobat XI 11.0.06 and earlier, running on Windows and Macintosh.  Adobe only describes the flaws in minimal technical detail, but they do share that many of the flaws involve memory corruption issues that attackers could exploit to execute code. Most of these memory corruption flaws share the same scope and impact. If an attacker can entice one of your users into opening a specially crafted PDF file, he can exploit these issues to execute code on that user’s computer, inheriting the user’s privileges. If your users have root or system administrator privileges, the attacker gains complete control of their computer. If you use Reader, you should patch soon.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB14-14: Half a Dozen Flash Player (and Air) Vulnerabilities

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android. It is also built into certain browsers, like Google and Internet Explorer (IE) 11.

Adobe’s bulletin describes six flaws in Flash Player 13.0.0.206 and earlier for all platforms. The vulnerabilities differ technically, and in scope and impact, but the worst could allow attackers to execute code on your users computers. Specifically, Flash Player suffers from a “use after free” vulnerability – a type of memory corruption flaw that attackers can leverage to execute arbitrary code. If an attacker can lure you to a web site, or get you to open documents containing specially crafted Flash content, he could exploit this flaw to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer. Though not as severe as the use after free flaw, the remaining flaws are all security bypass issues that could also help attackers further elevate their privileges after an attack.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB14-011: Illustrator (CS6) Buffer Overflow Vulnerability

Illustrator is a very popular vector drawing program that ships with Adobe’s popular Creative Suite. It suffers from an unspecified buffer overflow vulnerability. Adobe doesn’t describe the flaw in technical detail, but we presume that it has something to do with handling specially crafted Illustrator files. If that’s the case, opening specially crafted files in Illustrator could allow attackers to execute code on your machine with your privileges. Attackers don’t often target Illustrator, so we don’t expect this vulnerability to get exploited much in the wild. Nonetheless, if you use Illustrator, you ought to patch it at your convenience.

Adobe Priority Rating: 3 (Patch at your discretion)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

    • Adobe Reader/Acrobat Security Update APSB14-15
    • Adobe Flash Player Security Update APSB14-14
    • Adobe Illustrator Security Update APSB14-11

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

World Password Day – WSWiR Episode 106

MS Patch Day, 4chan Hacked, and Password Security

If you’re too busy helping your users and maintaining your network to read the latest information security news, you might miss out on new tip that could save your network. No worries. Let my short, weekly Infosec video summarize the week’s biggest news for you.

Today, I warn you about all the upcoming patches next Tuesday, talk about a popular web site hack and what administrators can learn from it, and share my three primary password tips for World Password Day. Click play below for all the details, and take a peek at the Reference section for links to other stories.

Enjoy your weekend, and stay safe out there.

(Episode Runtime: 7:32)

Direct YouTube Link: https://www.youtube.com/watch?v=fKU3Qoaj_Dw

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

IE & Flash 0day – WSWiR Episode 105

White House Cyber Disclosure, Traffic Light Hacking, and Zero Day Exploits

There was a ton of Information Security news this week. More than most people can keep up with; especially busy IT administrators who are already putting out other fires. If you have little time to read the latest news, but want a quick recap of the most important infosec stories each week, this is the vlog for you.

In this episode, I react to the White House talking about their zero day disclosure policy, I share news about a researcher hijacking traffic lights across the US, and I warn you about two critical zero day flaws in very popular software products. If you want to stay informed and get the latest security advice, watch the video below. You can also explore the Reference section for links to more stories.

Enjoy your weekend, and stay safe out there.

(Episode Runtime: 8:04)

Direct YouTube Link: https://www.youtube.com/watch?v=UxQoInvMBcw

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Advanced Attackers Exploit IE & Flash 0days in the Wild

Over the weekend, Microsoft released a critical security advisory warning customers of a serious new zero day vulnerability in Internet Explorer (IE), which attackers are exploiting in the wild. Around the same time, Kaspersky also noted an attack campaign leveraging a new Adobe Flash zero day flaw, which Adobe patched today. I’ll discuss both issues below, starting with the IE issue.

IE Zero Day in the Wild

According to this blog post, researchers at FireEye discovered advanced attackers exploiting this zero day IE flaw as part of a persistent attack campaign they are calling “Operation Clandestine Fox.” The attack targets IE 9-11 and also leverages a Flash flaw to help bypass some of Windows’ security features.

Shortly after FireEye’s post, Microsoft released a security advisory confirming the previously undiscovered flaw in IE. The advisory warns that the flaw affects all versions of IE (though the attack seems to target IE 9-11). While Microsoft is still researching the issue, the vulnerability seems to be a “use after free” class of memory corruption vulnerability. In short, if an attacker can entice you to a web page containing maliciously crafted content, he could exploit this flaw to execute code on your machine, with your privileges. As usual, if you have local administrator privileges, the attacker would gain full control of your machine. It’s interesting to note, the attackers also leverage a known Adobe Flash issue to help defeat some of Microsoft’s Windows memory protection features.

Zero day IE vulnerabilities are relatively rare, and very dangerous. Attackers are already exploiting this IE one in the wild, so it poses a significant risk. Unfortunately, Microsoft just learned of the flaw, so they haven’t had time to patch it yet. I suspect Microsoft will release an out-of-cycle patch for this flaw very shortly since this is a high-profile issue. In the meantime here a few workarounds to help mitigate the flaw:

  • Temporarily use a different web browser – I’m typically not one to recommend one web browser over another, as far as security is concerned. They all have had vulnerabilities. However, this is a fairly serious issue.  So you may want to consider temporarily using a different browser until Microsoft patches.
  • Install Microsoft EMETEMET is an optional Microsoft tool that adds additional memory protections to Windows. I described EMET in a previous episode of WatchGuard Security Week in Review. Installing EMET could help protect your computer from many types of memory corruption flaws, including this one. This Microsoft blog post shares more details on how it can help with this issue.
  • Configure Enhanced Security Configuration mode on Windows Servers – Windows Servers in Enhanced Security Configuration mode are not vulnerable to many browser-based attacks.
  • Disable VML in IE – This exploit seems to rely on VML to work. Microsoft released a blog post detailing how disabling VML in IE, or running IE in “Enhanced Protection Mode” can help.
  • Make sure your AV and IPS is up to date – While not all IPS and AV systems have signatures for all these attacks yet, they will in the coming days. In fact, WatchGuard’s IPS engineers have already created signatures to catch this attack. We are QA testing the signatures now, but they should be available to XTM devices shortly. Whatever IPS system you use, be sure to keep your AV and IPS systems updating regularly, to get the latest protections.
  • WatchGuard XTM customers can block Flash with proxies – If you own a WatchGuard XTM security appliance, you can use our proxy policies to block certain content, including Flash content. For instance, you can use our SMTP or HTTP proxies to block SWF files by extensions (.SWF) or by MIME type (application/x-shockwave-flash). Keep in mind, blocking Flash blocks both legitimate and malicious content. So only implement this workaround if you are ok with your users not accessing normal Flash pages.

Adobe Patches Flash Zero Day

Coincidentally, Adobe also released an emergency Flash update today fixing a zero day exploit that other advanced attackers are also exploiting in a targeted watering hole campaign. The patch fixes a single vulnerability in the popular Flash media player, which attackers could exploit to run arbitrary code on your system; simply by enticing you to a web site containing specially crafted Flash content. This exploit was discovered in the wild by Kaspersky researchers (one of our security partners). According to Kaspersky’s research, the exploit was discovered on a Syrian website, and seems to be designed to target potential Syrian dissidents.

The good news is there is a patch for this flaw. So if you use Adobe Flash, go get the latest update now. By the way, some browsers like Chrome and IE 11 embed Flash directly, so you will also have to update those browsers individually. Finally, though the IE zero day I mentioned earlier does rely on a Flash issue, this particular zero day Flash flaw is totally unrelated. One additional note; WatchGuard’s IPS engineers have also created a signature for this exploit as well. It will be available shortly, once testing is complete.

So to summarize, if you use IE, disable VML, install EMET, and watch for an upcoming patch. If you use Flash, updates as soon as you can. I will be sure to inform you here, as soon as Microsoft releases their real patch or FixIt. — Corey Nachreiner, CISSP (@SecAdept)

Heartbleed Bug- WSWiR Episode 102

April Patch Day, Raided Pen-Tester, and OpenSSL Heartbleed

Information security news never stops, even if I have to post it from a Changi Airport lounge. If you need to learn the latest cyber security news, including what to do about the biggest vulnerability of the year (so far), you’ve found the right weekly video blog.

This week’s “on-the-road” episode covers Adobe and Microsoft’s Patch Day, an allegory on why you should avoid greyhat pen-testing, but most important of all, information and advice about the major OpenSSL Heartbleed vulnerability. If you use the Internet, you need to know about the Heartbleed flaw, so click play below to watch this week’s video. Finally, make sure to check the Reference section for links to the stories and some extras; especially if you are interested in all the WatchGuard Heartbleed information.

(Episode Runtime: 8:05)

Direct YouTube Link: http://www.youtube.com/watch?v=gEw-o2GQd1U

Episode References:

Extras:

Heartbleed described by XKCD

— Corey Nachreiner, CISSP (@SecAdept)

Latest Flash Update Mends Four Flaws

Summary:

  • This vulnerability affects: Adobe Flash Player running on all platforms and Adobe Air
  • How an attacker exploits it: By enticing users to visit a website containing malicious Flash content
  • Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player for your platform

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

This week, Adobe released a security bulletin describing four security vulnerabilities (based on CVE numbers) that affect Flash Player running on any platform. It doesn’t describe the flaws in much technical detail, other than saying they consist mostly of buffer overflow vulnerabilities and other types of memory corruption flaws (and a cross-site scripting issue). That said, Adobe does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Flash content, he could exploit many of these unspecified vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PCs.

Though it doesn’t look like attackers are exploiting these flaws in the wild yet, Adobe rates the flaws as a “Priority 1” issues for Windows and Macintosh users, and recommends you apply the updates within 72 hours. These vulnerabilities also affect other platforms as well, such as Internet Explorer (IE) 11 and Chrome. I recommend you update any Flash capable platform as soon as you can.

Solution Path

Adobe has released new versions of Flash Player to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

You can download Flash for your computer at the link provided below. See the bulletin’s “Affected Software” section for more details on getting Flash updates for other platforms:

Keep in mind, if you use Google Chrome or IE 11, you’ll have to update it seperately.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the memory corruption vulnerabilities described in Adobe’s alert:

  • WEB  Adobe Flash Player High Surrogate Parsing Cross Site Scripting  (CVE-2014-0509)
  • WEB-CLIENT Adobe Flash Player Information Disclosure (CVE-2014-0508)
  • EXPLOIT Adobe Flash Player Memory Corruption (CVE-2014-0506)
  • EXPLOIT Adobe Flash Player Memory Corruption (CVE-2014-0507)

Your XTM appliance should get this new IPS update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Adobe’s Flash update to completely protect yourself from all of these flaws.

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Out-of-Cycle Word FixIt Corrects Zero Day Vulnerability

If you’re worried about spear phishing attacks (and if you’re not, you should be), grab Microsoft’s emergency FixIt to mitigate a zero day vulnerability attackers are exploiting in the wild.

In a security advisory released yesterday, Microsoft warned of a zero day vulnerability in Word, which attackers are exploiting in what Microsoft describes as limited, targeted attacks. Apparently, the exploit in the wild targets Word 2010, but the flaw affects other versions of Word as well. Since this is an early advisory, it doesn’t describe the flaw in much technical detail. However, it does mention attackers can trigger the flaw with specially crafted rich text format (RTF) files. If an attacker can entice you to view a malicious RTF in Word, he could exploit this vulnerability to execute code on you computer, with your privileges. If you are an administrator, the attacker gains complete control of your PC.

By default, most current version of Office use Word as Outlook’s email viewer. This mean attackers can trigger this flaw just by getting you to open an RTF attached to an email. According to some on Twitter, simply previewing an email with a malicious RTF triggers the flaw.

While Microsoft hasn’t had time to release a full patch yet, they have posted a FixIt that mitigates the risk of this vulnerability. If you use Office, I highly recommend you install the FixIt as soon as you can. Also, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) can mitigate the risk of any type of memory corruption flaw. In general, I recommend you install EMET on Windows machines to protect them from any zero day, memory-related issues.

I’ll post more details about this flaw during an upcoming Patch Day, when Microsoft releases the final update. In the meantime, if you’d like more information about it you can check out Microsoft’s security blog post— Corey Nachreiner, CISSP (@SecAdept

 

Shockwave Update Misses Adobe Patch Day

A few days ago, I posted an alert mentioning how Adobe Patch Day was particularly light, and pointing out the one minor Flash Player update. Turns out Adobe had other updates in store for us, they just missed their self-appointed patch day.

Today, Adobe released a Shockwave Player update fixing a single critical Shockwave Player vulnerability. They share almost no technical detail about the flaw, other than it is a memory corruption issue that remote attackers could leverage to execute code on a victim’s computer; presumably by getting them to view or interact with malicious Shockwave content. Though it doesn’t look like attackers are exploiting it in the wild yet, this flaw is quite a bit more severe than the Flash flaws mentioned earlier in the week. Nonetheless, Adobe only assigns them a priority (severity) rating of 2, which means you should update in the next 30 days. I think this is a slightly bigger deal than that, and recommend you update Shockwave as soon as you can. If you are using Adobe’s automatic updater, it should be relatively easy to do so.  — Corey Nachreiner, CISSP (@SecAdept

Adobe Patch Day Consists of Minor Flash Update

Adobe shares Microsoft’s Patch Day, and they usually release a handful of security updates themselves. However, this month they’ve kept it pretty simple, with only one relatively minor update for their Flash Player.

According to their bulletin, the latest Flash update fixes two security flaws in their popular web-based media player. Adobe is never one to share much detail about their vulnerabilities, but they do share the impact of each of these flaws.  They mention one of the flaws allows attackers to bypass the same origin policy, while the other allows attackers to read the contents of your computer’s clipboard. Compared to Adobe’s recent emergency Flash patch, which fixed a zero day issue exploited in the wild, these issues are not very severe. In fact, Adobe only assigns them a priority (severity) rating of 2, which means you should think about updating in the next 30 days.

Nonetheless, it doesn’t hurt to update your client computers, and Adobe’s automatic updater should make it pretty easy. If you aren’t already letting Adobe get it’s automatic updates, at least on client machines, I recommend you do so. — Corey Nachreiner, CISSP (@SecAdept

Follow

Get every new post delivered to your Inbox.

Join 7,560 other followers

%d bloggers like this: