Tag Archives: adobe

Adobe Patch Day: Shockwave and (More) Flash Updates

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Shockwave and Flash Player
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Yesterday, Adobe released two security bulletins describing vulnerabilities in both Shockwave and Flash Player. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

  • APSB13-06: Two Shockwave Player Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin describes two security vulnerabilities that affect Shockwave Player 11.6.8.638 and all earlier versions for Windows and Macintosh. Both flaws are memory corruption vulnerabilities (one being a stack buffer overflow), and they share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit either of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit these flaws to gain full control of their PCs.

Adobe Priority Rating: 2 for Windows (Patch within 30 days)

  • APSB11-21: Flash Player Update Corrects 13 Security Flaws

Adobe Flash Player displays interactive, animated web content called Flash. A report from Secunia states that 99% of Windows computers have Adobe Flash Player installed, so your users very likely have it.

Adobe’s update fixes 17 security vulnerabilities in Flash Player (for Windows, Mac, Linux, and Android), which Adobe describes in only minimal detail. The flaws include buffer overflow vulnerabilities, “use after free” flaws, and other memory corruption issues. Though the vulnerabilities differ technically, most share the same scope and impact. In the worst case, if an attacker can lure one of your users to a web site with malicious Flash content, they could exploit some of these flaws to gain control of that user’s computer. We assume the attacker would only gain the privileges of the logged-in user. However, since most Windows users have local administrator privileges, the attacker would likely gain full control of Windows machines.

Flash has suffered many zero day vulnerabilities recently. This is actually the second Flash update this month; the last one was an emergency update. Since attackers are actively exploiting these vulnerabilities, we highly recommend you patch immediately.

Adobe Priority Rating: 1 for Windows (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

Keep in mind, if you use Google Chrome you’ll have to update it separately.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in several ways. First, our IPS and AV services are often capable of detecting the malicious Flash or Shockwave files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Shockwave or Flash content. This, however, blocks both legitimate and malicious content. If you do want to block Flash or Shockwave content arriving via the Web or email, see our manual for details on how to configure our proxy policies’ content filtering.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 51 – Flash 0day

Flash Exploit, ICS Hacks, and Federal Reserve Bank Breach

We’ve had another busy week of security news, with more stories than I can cover in a short video. So I’ll stick to the highlights. Today’s episode talks about a couple of Adobe Flash zero day vulnerabilities, the latest Anonymous hijinks, some cross-platform mobile malware, and more. If you missed this week’s InfoSec news, and want to learn about the biggest stories (including how to defend against the latest attacks), click the play button below. Also, check out the Reference section for links to some other interesting security stories I skipped.

Enjoy your weekend, and stay frosty out there.

(Episode Runtime: 8:03)

Direct YouTube Link: http://www.youtube.com/watch?v=B6YdI3NGwlg

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Emergency Flash Update Fixes “In the Wild” Vulnerabilities

Summary:

  • These vulnerabilities affect: Adobe Flash Player running on all platforms
  • How an attacker exploits them: By enticing a user to open malicious Flash (SWF) content, whether from a web site, embedded within a Word document, and so on
  • Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player for your platform

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Today, Adobe released an emergency security bulletin to fix two Flash Player vulnerabilities, which attackers are actively exploiting in the wild. Both flaws are memory corruption issues; one is a buffer overflow vulnerability. If an attacker can entice one of your users into opening malicious Flash content, he could exploit either of these flaws to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit these flaws to gain full control of their PCs.

As mentioned earlier, attackers are actively exploiting both these vulnerabilities in the wild. Currently, the attackers try to deliver the malicious Flash either via a booby-trapped web site, or by embedding it within malicious Word documents.

Besides patching, we recommend you educate your users about the dangers of interacting with unsolicited Word (or PDF) documents. Many of the more advanced breaches over the last few years have begun as very targeted spear-phishing emails which included malicious Word or PDF documents. Although security appliances, like WatchGuard’s, can detect some of these malicious documents using AV and IPS, you should still inform your employees to remain vigilant against these sorts of attacks.

Solution Path

Adobe has released new versions of Flash Player to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

You can download Flash for your computer at the link provided below. See the bulletin’s “Affected Software” section for more details on getting Flash updates for other platforms:

Keep in mind, if you use Google Chrome you’ll have to update it separately.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content (and Word documents). Keep in mind, doing so blocks all such content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, by MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the ways you can identify these files:

File Extension:

  • .flv – Adobe Flash video file (the type typically used on websites)
  • .fla – Flash movie (authoring) file
  • .f4v – Flash video file
  • .f4p – Protected Flash video file
  • .f4a – Flash audio file
  • .f4b – Flash audiobook file

MIME types:

  • video/x-flv
  • video/mp4 (used for more than just Flash)
  • audio/mp4 (used for more than just Flash)

FILExt.com reported Magic Byte Patterns:

  • FLV Hex: 46 4C 56 01
  • FLV ASCII: FLV
  • FLA Hex: D0 CF 11 E0 A1 B1 1A E1 00

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If a pattern is too short, or not unique enough, blocking on it could result in many false positives.)
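As an added example (not code from the alert or from WatchGuard’s proxies), the following Python applies the three identification methods above to an object a proxy sees: extension, MIME type, and magic bytes. It goes beyond the page’s list in one respect, which is an assumption on my part: it also recognises the SWF movie header (FWS, CWS, or ZWS), since SWF is the Flash content the alert actually warns about. It also treats the FLA pattern as what it is, the generic OLE2 compound-file header that legacy Word and Excel files share, so blocking on it is only done when you explicitly opt in to blocking those documents as well.

```python
import os

# Extensions and MIME types from the alert. video/mp4 and audio/mp4 are listed there
# too, but they cover far more than Flash, so they are treated as ambiguous here.
FLASH_EXTENSIONS = {".flv", ".fla", ".f4v", ".f4p", ".f4a", ".f4b"}
FLASH_MIME_TYPES = {"video/x-flv"}
AMBIGUOUS_MIME_TYPES = {"video/mp4", "audio/mp4"}

# Magic byte patterns. FLV and FLA are the values the alert quotes; the FLA pattern is
# really the generic OLE2 compound-file header, which legacy Word/Excel files share.
FLV_MAGIC = bytes.fromhex("464C5601")            # "FLV" followed by version byte 0x01
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2/CFB header (.fla, .doc, .xls, ...)
# Assumption beyond the alert: SWF movies begin with FWS (raw), CWS (zlib) or ZWS (LZMA).
SWF_MAGIC = {b"FWS": "swf", b"CWS": "swf-zlib", b"ZWS": "swf-lzma"}


def identify_by_magic(data):
    """Return (label, unique); unique=False means the pattern also matches non-Flash files."""
    if data.startswith(FLV_MAGIC):
        return "flv", True
    if data[:3] in SWF_MAGIC:
        return SWF_MAGIC[data[:3]], True
    if data.startswith(OLE2_MAGIC):
        return "ole2-container", False
    return None, False


def should_block(filename, mime, data, block_ole2=False):
    """Decide whether a proxy should drop this object; returns (block, reason).

    Magic bytes are checked first because they survive renaming, while extension and
    MIME type only catch honestly labelled content. block_ole2=True also drops every
    OLE2 file, which is the "block Word documents too" choice the alert describes.
    """
    label, unique = identify_by_magic(data)
    if label and (unique or block_ole2):
        return True, "magic:" + label
    ext = os.path.splitext(filename)[1].lower()
    if ext in FLASH_EXTENSIONS:
        return True, "ext:" + ext
    mime = mime.lower()
    if mime in FLASH_MIME_TYPES:
        return True, "mime:" + mime
    # Too broad to block on alone: an OLE2 header, or a generic MP4 MIME type.
    if label or mime in AMBIGUOUS_MIME_TYPES:
        return False, "ambiguous:" + (label or mime)
    return False, "no-match"


# Constructed sample objects (headers only) that exercise each decision path.
SAMPLES = {
    "honest_flv": ("clip.flv", "video/x-flv", b"FLV\x01\x05\x00\x00\x00\x09"),
    "renamed_swf": ("clip.mp4", "video/mp4", b"CWS\x0a\x00\x10\x00\x00"),
    "word_doc": ("report.doc", "application/msword", OLE2_MAGIC + b"\x00" * 16),
    "real_mp4": ("movie.mp4", "video/mp4", b"\x00\x00\x00\x18ftypmp42"),
}

if __name__ == "__main__":
    for name, (filename, mime, data) in SAMPLES.items():
        print(name, should_block(filename, mime, data))
```

The renamed_swf sample shows why the magic-byte check matters: its extension and MIME type look like ordinary video, and only the header gives it away.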

If you decide you want to block these files, the links below contain instructions that will help you configure your XTM proxy’s content blocking features using the file and MIME information listed above.

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 49 – Expelled Hacker

Red October, Cisco WLAN Updates, and Expelled Hacker

Welcome to another “on the road” edition of WatchGuard Security Week in Review, the video podcast dedicated to summarizing the biggest InfoSec stories each week. This week’s episode covers a Cisco wireless controller security update, Kaspersky’s investigation into the Red October cyber-espionage campaign, and the controversy surrounding an expelled “white hat” hacker. For more details on those stories and others, watch the short video below. You can also check out the Reference section for more details on any of these topics.

(Episode Runtime: 6:48)

Direct YouTube Link: http://www.youtube.com/watch?v=Q08Gcu_7EXo

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 48 – 0day Updates

0Day Updates, Oracle Patches, and Mobile Botnets

Better late than never, right?

This week’s security video summary comes a tad late due to my travel schedule this week. It covers updates on the two latest zero day exploits, Oracle’s critical patch update, and stories about a mobile phone botnet and US power plant breach. Click play below to watch the short episode, or check out the References for more details.

Next week’s episode may also post at a weird time due to continued travel.

(Episode Runtime: 5:11)

Direct YouTube Link: http://www.youtube.com/watch?v=d1xVktaX_1o

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Week in Review: Episode 47 – Piles of Patches

Critical Java 0Day, Piles of Patches, and More

Ready for a weekly dose of InfoSec? This episode has a strong “patch” theme, with many vendors releasing some big security updates this week. Besides the patches, I also cover a few new 0day exploits, including a serious Java one being leveraged quite a bit in the wild, and a couple of crazy-sounding security-related news items. If you want all the details, click play below, or check out the Reference section.

Note: I will be traveling the next few weeks. I still plan on trying to post the weekly video, but it may be shorter, less produced, and arrive at odd hours due to travel.

(Episode Runtime: 9:17)

Direct YouTube Link: http://www.youtube.com/watch?v=AkNqamIAPs8

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Reader X and Shockwave Player Fixes

Severity: High

Summary:

  • These vulnerabilities affect: Flash Player, Reader X, and Acrobat X. Also news of a ColdFusion zero day exploit
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released two security bulletins describing vulnerabilities in Flash Player and in Reader and Acrobat X.

Adobe Patch Day: January 2013

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize the bulletins below:

  • APSB13-02: Multiple Reader and Acrobat Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes 27 vulnerabilities that affect Adobe Reader and Acrobat X 11.0.0 and earlier, running on any platform (Windows, Mac, Linux). Adobe’s alert describes the flaws in only minimal detail, but most of them are memory corruption-related vulnerabilities, such as buffer overflows, integer overflows, use-after-free issues, and so on. For the most part, they share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit many of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Adobe Priority Rating: 1 for Windows (Patch within 72 hours)

  • APSB13-03: Flash Player Buffer Overflow Vulnerability

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Flash Player suffers from a buffer overflow flaw. If an attacker can lure you to a web site, or get you to open specially crafted Flash content, he could exploit this flaw to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe Priority Rating: 1 for Windows (Patch within 72 hours)

Aside from the Reader and Flash updates, Adobe also posted a warning about three zero day ColdFusion vulnerabilities that attackers are exploiting in the wild. Adobe has not had time to fix these vulnerabilities yet, but they do offer some mitigation techniques in their advisory. If you use ColdFusion, especially as your public web server, we recommend you implement the mitigation techniques described in the “Mitigations” section of Adobe’s alert. We will let you know as soon as they release the real patch.

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Though our IPS and AV services may help prevent some of these attacks, or the malware they try to load, installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

WatchGuard Security Week in Review: Episode 45 – OpWestboro

Hacktivists Against Hate, SMS Spam Bots, and Exynos Exploits

Hey! Look at that. The world hasn’t ended.

I guess that means my decision to prepare my weekly security news video rather than my apocalyptical fallout shelter wasn’t a tragic mistake. If you are in the mood for some information security (infosec) news on the last Mayan calendar day of the, well, er…ever…then you’ve come to the right place.

In this week’s show, I cover some important software update news, an Android SMS botnet, a mobile zero day flaw, and the latest Anonymous operation, which I suspect many people might appreciate despite its illegal nature. If you’d like to learn how to avoid the latest malware and attacks, or just want to follow the latest infosec drama, play the video below.

Also, don’t forget to check out the Reference section if you’d like to read more details about any of these stories. As always, I’ll include a few extras for those looking for bonus material.

Speaking of end of times, this will be the last WatchGuard Security Week in Review episode for 2012. Enjoy your holiday. I’ll see you next year.

(Episode Runtime: 10:21)

Direct YouTube Link: http://www.youtube.com/watch?v=ua1FfpZy7qI

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Flash and ColdFusion Updates

Severity: High

Summary:

  • These vulnerabilities affect: Flash Player and ColdFusion 10
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released two security bulletins, describing vulnerabilities in their Flash Player and ColdFusion products.

Adobe Patch Day: December 2012

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize the Adobe security bulletins below:

  • APSB12-27: Flash Player Code Execution Vulnerabilities

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Adobe’s bulletin describes three vulnerabilities in Flash Player 11.5.502.110 and earlier for all platforms. The three flaws are buffer overflow and memory corruption flaws, all of which attackers can leverage to execute arbitrary code. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe assigns these flaws their highest severity rating for Windows computers, but a lesser severity for Mac and Linux machines.

Adobe Priority Rating: 1 (Patch within 72 hours)

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. It suffers from what Adobe only describes as “a sandbox permissions violation in a shared hosting environment.” The bulletin shares very little about the scope of this flaw (CVE-2012-5675), so we’re unsure how easy or hard it is for attackers to leverage. Adobe rates it as a Priority 2 issue, which is essentially their medium severity rating.

Adobe Priority Rating: 2 (Patch within 30 days)

Solution Path:

Adobe has released updates for all their affected software. If you use Flash Player or ColdFusion, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

November Patch Day Light in Number, Heavy in Severity

Those hip to the patch cycle know the first Thursday of the month means an early peek at Microsoft’s plans for Patch Tuesday.

According to this month’s Advance Notification post, Microsoft will release six security bulletins next Tuesday, and rates four of those bulletins as Critical. According to their corresponding blog post, the six bulletins will fix 19 actual vulnerabilities. The affected products include Windows, Internet Explorer (IE), Office, and the .NET Framework.

It’s hard to say more about these updates without any other details. However, I can say it looks like a pretty important Patch Day. Though six bulletins sounds low compared to some previous Patch Days, at least 13 of the vulnerabilities are serious, and likely could result in remote code execution. I recommend you get your IT staff prepared to jump on these updates as soon as they come out.

I’ll release more details about next Tuesday’s updates on the 13th. Stay tuned! — Corey Nachreiner, CISSP (@SecAdept)
