Tag Archives: adobe

TweetDeck XSS – WSWiR Episode 111

Patch Day, P.F. Changs Hack, and TweetDeck XSS

This week delivered a lot of infosec news and a ton of software security updates. If you didn’t have time to follow it all, check out our weekly computer security video to fill in the blanks.

During today’s episode, I cover the critical patches from Microsoft, Adobe and Mozilla, mention the latest credit card breach against a U.S. restaurant chain, and talk about the cross-site scripting worm spreading via TweetDeck. Click play below to learn more, and check out the References for other interesting infosec stories.

Before wishing you a great weekend, here are a couple of quick show notes. First, I’m starting a vacation during the middle of next week, so I won’t be publishing this weekly video for the next two weeks. It will return in July.

Second, if you are a WatchGuard customer curious about our OpenSSL updates, we are in the process of posting new versions of software for many of our products. Keep your eye on this blog, as those will likely start coming out early next week.

(Episode Runtime: 7:37)

Direct YouTube Link: https://www.youtube.com/watch?v=hbGqdrxvOyA

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Latest Flash Update Mends Code Execution and XSS Flaws


  • This vulnerability affects: Adobe Flash Player and earlier, running on all platforms (and Air)
  • How an attacker exploits it: By enticing users to visit a website containing malicious Flash content
  • Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player (version for computers)


Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

In a security bulletin released today, Adobe announced a patch that fixes six critical vulnerabilities in Adobe Flash Player and earlier, running on all platforms.

The six vulnerabilities differ technically, and in scope and impact, but one flaw stands out as the worst. Specifically, Flash Player suffers from an unspecified memory corruption vulnerability that attackers could exploit to execute arbitrary code. Adobe doesn’t share the details, but we assume if an attacker can entice you to a site containing maliciously crafted Flash content, he could exploit this flaw to execute any code with your privileges. If you are a local administrator, or have root access, the attacker gains complete control of your computer. The remaining flaws include three cross-site scripting (XSS) vulnerabilities and two unspecified security bypass flaws.

Adobe rates these issues as a “Priority 1” issue for Windows and Mac, and recommend you apply the updates as soon as possible (within 72 hours).   However, the vulnerability technically affects other platforms as well, so I recommend you update any Flash capable device as soon as you can.

Solution Path

Adobe has released new versions of Flash Player ( for computers) to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

  • Download Flash Player for your computer:
NOTE: Chrome and newer versions of IE ship with their own versions of Flash, built-in. If you use them as you web browser, you will also have to update them separately, though both often receive their updates automatically.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content. Keep in mind, doing so blocks all Flash content, whether legitimate or malicious.

More importantly, WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has already developed a signature that can detect and block one of the Flash flaws:

  • EXPLOIT Adobe Flash Player security bypass vulnerability (CVE-2014-0520)

Your XTM appliance should get this new IPS signature update shortly.

Finally, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Adobe’s Flash update to completely protect yourself from all of these flaws.


Adobe has released updates to fix these Flash vulnerabilities.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Microsoft Black Tuesday: Seven Security Bulletins Include a Huge IE Update

If there is one day of the month you should really focus on software patching, this is the day. The second Tuesday of the month is both Microsoft and Adobe patch day. If you run a Windows shop, or you use Adobe products on any platform, it’s time for you to get patching!

As they promised, Microsoft released seven bulletins today to fix a wide range of security vulnerabilities in a number of their products, including:

  • Windows and its components,
  • Office (Word),
  • Internet Explorer (IE),
  • and Lync Server.

Microsoft rates two of the bulletins as Critical.

The big news here is the major Internet Explorer (IE) update. Not only does it fix a zero day vulnerability I discussed a few weeks ago, but it corrects a whooping total of 59 security flaws in the popular web browser. If you have Windows computers in your network, you need to patch IE immediately. The second Critical update fixes a Windows graphics component (GDI+) flaw, which attackers can leverage simply by tricking your users into viewing maliciously crafted images.

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can or you can also let Windows’ Automatic Update do it for you. You can find more information about these bulletins and updates in Microsoft’s June Summary advisory.

Adobe’s Patch Day, on the other hand, seems a bit lighter than Microsoft’s. They only released one security update fixing six security flaws in Flash Player. That said, the update fixes some pretty serious vulnerabilities that attackers could exploit just by enticing you to the wrong web site. Be sure to update Flash as well.

I’ll share more details about today’s patches on the blog throughout the day, so stay tuned.  — Corey Nachreiner, CISSP (@SecAdept).

GOZeus Down – WSWiR Episode 110

NSA Facial Recognition, OpenSSL Patch, and Zeus Takedown

It’s that time again. If you have a hankering for the latest InfoSec news, this is the place to get it. You can watch me summarize all of the week’s biggest security stories in one short video.

Today I talk about the NSA scanning the Internet for our pictures, a big OpenSSL security update, and the latest botnet takedown that puts a damper on GOZeus and Cryptolocker. Watch the video for the scoop, and check out the Extras below for other news.

Hope you have a great weekend, and stay safe out there.

(Episode Runtime: 8:33)

Direct YouTube Link: https://www.youtube.com/watch?v=gp46hzT6G1E

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

iPhone Ransom Message – WSWiR Episode 109

Iranian Social Hackers, XP Patch Hack, and iPhone Ransom Notes

Did you have time to follow security mailings lists, check out infosec news sites, or find that latest patches this week? If not, don’t worry. This weekly video blog will cover the top three computer security news items each Friday for you. Subscribe to this blog or the YouTube channel to stay informed.

This episode covers an Iranian hacking campaign where attackers pose journalists on social media sites, shares a tip about a Windows XP registry hack that could give you security updates until 2019, and highlights a recent iCloud attack that attackers are using to hold iPhones for ransom. Click play for the details, and check out the reference section for other stories.

(Episode Runtime: 7:38)

Direct YouTube Link: https://www.youtube.com/watch?v=sa-2RLe_sr4

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Ebay Pwned – WSWiR Episode 108

Ebay Data Breach, IE8 0Day, and Alleged Chinese Hackers

With all the information security (InfoSec) news coming out each week, it’s hard to believe anyone can keep up with it; let alone an already busy IT professional with other things on his plate. If that sounds like you, rather than worrying about finding the most important security news you can let my weekly summary video fill you in.

Today’s episode covers the 145M record Ebay breach, and new zero day Internet Explorer (IE) 8 vulnerability released early by the supposedly good guys, and the Department of Justice’s official charges against five alleged Chinese government hackers. Check out the video below for the details, and peruse the Reference section for links to other InfoSec stories.

If you’re in the USA, enjoy your extended holiday weekend. See you next time…

(Episode Runtime: 8:00)

Direct YouTube Link: https://www.youtube.com/watch?v=Ib7nI1H13P8

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

TAO Hijack Routers – WSWiR Episode 107

Tons of Patches, NSA Booby-Trapped Routers, and Alleged Iranian Hackers

If you don’t have time to follow all the information security stories popping up each week, you can let our weekly video and blog post summarize the important stuff for you.

In today’s show, I recite the big list of security patches you need to get this week, talk about how the NSA is intercepting and hacking routers to foreigners, and weigh in on whether or not the security industry is blaming advanced attacks on “nation-state” actors a bit too freely. Press play on YouTube for all the details, and don’t forget to check out the Reference section for links to other interesting InfoSec stories.

Hope you have a great weekend, and be careful shopping online!

(Episode Runtime: 8:25)

Direct YouTube Link: https://www.youtube.com/watch?v=LdOHsV88z4Y

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Reader, Flash, and Illustrator Security Patches

Severity: High


  • These vulnerabilities affect: Reader and Acrobat, Flash Player, and Illustrator (CS6)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.


Today, Adobe released or updated three security bulletins that describe vulnerabilities in four of their popular software packages; Reader and Acrobat X, Flash Player, and Illustrator.

Adobe Patch Day, May 2014


A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize the Adobe security bulletins below:

  • APSB14-15: Multiple Reader and Acrobat Code Execution Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes 11 vulnerabilities that affect Adobe Reader and Acrobat XI 11.0.06 and earlier, running on Windows and Macintosh.  Adobe only describes the flaws in minimal technical detail, but they do share that many of the flaws involve memory corruption issues that attackers could exploit to execute code. Most of these memory corruption flaws share the same scope and impact. If an attacker can entice one of your users into opening a specially crafted PDF file, he can exploit these issues to execute code on that user’s computer, inheriting the user’s privileges. If your users have root or system administrator privileges, the attacker gains complete control of their computer. If you use Reader, you should patch soon.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB14-14: Half a Dozen Flash Player (and Air) Vulnerabilities

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android. It is also built into certain browsers, like Google and Internet Explorer (IE) 11.

Adobe’s bulletin describes six flaws in Flash Player and earlier for all platforms. The vulnerabilities differ technically, and in scope and impact, but the worst could allow attackers to execute code on your users computers. Specifically, Flash Player suffers from a “use after free” vulnerability – a type of memory corruption flaw that attackers can leverage to execute arbitrary code. If an attacker can lure you to a web site, or get you to open documents containing specially crafted Flash content, he could exploit this flaw to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer. Though not as severe as the use after free flaw, the remaining flaws are all security bypass issues that could also help attackers further elevate their privileges after an attack.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB14-011: Illustrator (CS6) Buffer Overflow Vulnerability

Illustrator is a very popular vector drawing program that ships with Adobe’s popular Creative Suite. It suffers from an unspecified buffer overflow vulnerability. Adobe doesn’t describe the flaw in technical detail, but we presume that it has something to do with handling specially crafted Illustrator files. If that’s the case, opening specially crafted files in Illustrator could allow attackers to execute code on your machine with your privileges. Attackers don’t often target Illustrator, so we don’t expect this vulnerability to get exploited much in the wild. Nonetheless, if you use Illustrator, you ought to patch it at your convenience.

Adobe Priority Rating: 3 (Patch at your discretion)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Installing Adobe’s updates is your most secure course of action.


Adobe has released patches correcting these issues.


    • Adobe Reader/Acrobat Security Update APSB14-15
    • Adobe Flash Player Security Update APSB14-14
    • Adobe Illustrator Security Update APSB14-11

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

World Password Day – WSWiR Episode 106

MS Patch Day, 4chan Hacked, and Password Security

If you’re too busy helping your users and maintaining your network to read the latest information security news, you might miss out on new tip that could save your network. No worries. Let my short, weekly Infosec video summarize the week’s biggest news for you.

Today, I warn you about all the upcoming patches next Tuesday, talk about a popular web site hack and what administrators can learn from it, and share my three primary password tips for World Password Day. Click play below for all the details, and take a peek at the Reference section for links to other stories.

Enjoy your weekend, and stay safe out there.

(Episode Runtime: 7:32)

Direct YouTube Link: https://www.youtube.com/watch?v=fKU3Qoaj_Dw

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

IE & Flash 0day – WSWiR Episode 105

White House Cyber Disclosure, Traffic Light Hacking, and Zero Day Exploits

There was a ton of Information Security news this week. More than most people can keep up with; especially busy IT administrators who are already putting out other fires. If you have little time to read the latest news, but want a quick recap of the most important infosec stories each week, this is the vlog for you.

In this episode, I react to the White House talking about their zero day disclosure policy, I share news about a researcher hijacking traffic lights across the US, and I warn you about two critical zero day flaws in very popular software products. If you want to stay informed and get the latest security advice, watch the video below. You can also explore the Reference section for links to more stories.

Enjoy your weekend, and stay safe out there.

(Episode Runtime: 8:04)

Direct YouTube Link: https://www.youtube.com/watch?v=UxQoInvMBcw

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)


Get every new post delivered to your Inbox.

Join 7,676 other followers

%d bloggers like this: