Tag Archives: adobe

Adobe Plugs 0day Flash Hole Found by Kaspersky

Summary:

  • This vulnerability affects: Adobe Flash Player 12.0.0.43 and earlier, running on all platforms
  • How an attacker exploits it: Typically, by enticing users to visit a website containing malicious Flash content
  • Impact: An attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player (version 12.0.0.44 for most computers)

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile ones like Android. It also comes prepackaged with some web browsers, like Chrome and the latest version of Internet Explorer (IE).

In an out-of-cycle security bulletin released today, Adobe posted an update that fixes a critical, zero day vulnerability in Adobe Flash Player 12.0.0.43 and earlier, running on all platforms. We urge Flash users to install this update as soon as possible, since advanced attackers are exploiting it in the wild.

Adobe’s bulletin describes an integer overflow vulnerability (CVE-2014-0497) in Flash player, which attackers have been exploiting in the wild. In typical fashion, Adobe’s bulletin doesn’t describe the flaw in much technical detail, but they do describe its impact. If an attacker can entice one of your users to visit a malicious website, or into handling specially crafted Flash content (which could be embedded in a document), he could exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have administrator privileges, the attacker could gain full control of their computers.

This particular flaw was brought to Adobe’s attention by a researcher at Kaspersky (one of WatchGuard’s antivirus partners). Yesterday, members of Kaspersky’s research team announced that they plan on disclosing details about a new advanced persistent threat (APT) campaign later next week, which they call “The Mask.” According to some reports, this Flash zero day exploit might be associated with that cyber espionage campaign.

In any case, Adobe has assigned this a “Priority 1” severity rating for Windows and Macintosh computers, which means you should fix it within 72 hours. If you use Flash, I recommend you apply the update as soon as possible.

Solution Path

Adobe has released new versions of Flash Player (12.0.0.44 for Windows and Mac) to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

  • Download Flash Player for your computer:
NOTE: Some web browsers, like Chrome and the latest versions of IE, ship with their own built-in versions of Flash. If you use these web browsers, you will have to update them as well.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content. Keep in mind, doing so blocks all Flash content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, by MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify Flash files:

File Extension:

  • .flv – Adobe Flash file (file typically used on websites)
  • .fla – Flash movie file
  • .f4v – Flash video file
  • .f4p – Protected Flash video file
  • .f4a – Flash audio file
  • .f4b – Flash audiobook file

MIME types:

  • video/x-flv
  • video/mp4 (used for more than just Flash)
  • audio/mp4 (used for more than just Flash)

FILExt.com reported Magic Byte Pattern:

  • Hex FLV: 46 4C 56 01
  • ASCII FLV: FLV
  • Hex FLA: D0 CF 11 E0 A1 B1 1A E1 00

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If a pattern is too short, or not unique enough, blocking on it could result in many false positives.)
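To make that false-positive caveat concrete, here is an added Python example (not from the post or WatchGuard’s proxy code) that matches constructed sample buffers against the three patterns listed above and then applies a stricter check that validates the full 9-byte FLV file header. The 8-byte FLA pattern is the generic OLE2 compound-file signature, which legacy Word and Excel documents share, so a match on it alone is not proof of Flash content.

```python
import struct

# The three patterns exactly as listed in the post (FILExt.com), anchored at offset 0.
MAGIC_PATTERNS = {
    "flv-hex": bytes.fromhex("464C5601"),            # "FLV" + version byte 1
    "flv-ascii": b"FLV",                             # 3 bytes: very weak on its own
    "fla-hex": bytes.fromhex("D0CF11E0A1B11AE100"),  # OLE2 compound-file header
}


def match_magic(data: bytes) -> list:
    """Return the names of every listed pattern that matches the start of data."""
    return [name for name, pattern in MAGIC_PATTERNS.items() if data.startswith(pattern)]


def is_well_formed_flv(data: bytes) -> bool:
    """Validate the full 9-byte FLV file header instead of only its first bytes.

    Layout: "FLV", version (1), TypeFlags (bit 0 = video, bit 2 = audio),
    DataOffset (big-endian UI32, always 9 for version 1).
    """
    if len(data) < 9 or data[:3] != b"FLV" or data[3] != 1:
        return False
    if data[4] & ~0b101:  # only the video and audio flag bits may be set
        return False
    (data_offset,) = struct.unpack(">I", data[5:9])
    return data_offset == 9


def classify(data: bytes) -> str:
    """Proxy-style verdict: block only on the strict check, flag weak hits for review."""
    if is_well_formed_flv(data):
        return "block: FLV"
    hits = match_magic(data)
    if hits:
        return "review: weak match " + ",".join(hits)
    return "allow"


# Constructed sample buffers (not real files):
FLV_SAMPLE = b"FLV\x01\x05" + struct.pack(">I", 9) + b"\x00\x00\x00\x00"  # audio+video header + PreviousTagSize0
TEXT_SAMPLE = b"FLV files are used on websites"  # plain text that happens to start with "FLV"
OLE_DOC_SAMPLE = bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 16 + b"\x3e\x00\x03\x00"  # legacy .doc: same OLE2 signature as .fla
PDF_SAMPLE = b"%PDF-1.4\n"

if __name__ == "__main__":
    for label, sample in [("flv", FLV_SAMPLE), ("text", TEXT_SAMPLE), ("doc", OLE_DOC_SAMPLE), ("pdf", PDF_SAMPLE)]:
        print(f"{label:5} magic={match_magic(sample)} verdict={classify(sample)}")
```

The plain-text and Word samples both trip the listed patterns, which is exactly the kind of false positive a short or non-unique pattern produces; only the strict header check blocks the FLV sample alone.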

If you decide you want to block Flash files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

BlackPOS Robs Target – WSWiR Episode 91

Patching Trifecta, Mobile Banking Risks, and Hacktivist Hijackings

Patches, mobile malware, hacked off hacktivists, Point-of-Sale (PoS) malware… all that and more in this week’s information and computer security news summary video! If you need a quick roundup of the latest security news in one convenient package, you’ve come to the right place.

Today’s episode covers the week’s huge, triple-vendor patch day, the latest hacktivist hijacking, research on flaws in popular mobile banking apps, and more. I also talk about the latest updates on the huge holiday Target breach, including reports that begin to uncover the specific malware used in the attack. If you want to keep your organization’s network safe, don’t miss this video for the latest news and tips. Remember, check the Reference section below for links to many other security stories too!

Keep vigilant and have a great weekend!

(Episode Runtime: 12:45)

Direct YouTube Link: http://www.youtube.com/watch?v=7bOYMBKF1ws

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Flash and Reader Updates Fix Five Flaws

Severity: High

Summary:

  • These vulnerabilities affect: Flash Player, Reader XI, and Acrobat XI (and Adobe Air)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released or updated two security bulletins that describe vulnerabilities in two of their popular software packages: Flash Player and Reader/Acrobat X.

Adobe Patch Day, Jan 2014

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize the Adobe security bulletins below:

  • APSB14-01: Trio of Reader and Acrobat Memory Corruption Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes three vulnerabilities that affect Adobe Reader and Acrobat XI 11.0.05 and earlier, running on Windows and Macintosh. Adobe doesn’t describe the flaws in much technical detail, but does note that they involve integer overflow and memory corruption issues. They all share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit any of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB14-02: Flash Player Code Execution Vulnerability

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Adobe’s bulletin describes two serious flaws in Flash Player 11.9.900.170 and earlier for all platforms. They don’t describe the vulnerabilities in much technical detail, just mentioning that one allows an attacker to “bypass security protections” and the other allows an attacker to defeat Address Space Layout Randomization (ASLR), a technique that randomizes where a program’s code and data sit in memory so that memory corruption flaws are harder to exploit. They do, however, describe the flaws’ impacts. In the worst case, if an attacker can lure you to a web site, or get you to open documents containing specially crafted Flash content, he could exploit a combination of these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe Priority Rating: 1 (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Hefty Patch Day Despite Light Microsoft Turnout

If any security professionals need a quick reminder that the end-of-year holidays are over, and it’s time to get back to protecting information, Microsoft’s first Patch Day of the year will likely do that for you. However, the good news is Microsoft is giving us a slow start with only four security updates for January. Unfortunately, two other companies, Oracle and Adobe, have filled in the gaps with big updates of their own.

Let’s start with Microsoft.

According to their summary post, Microsoft released four bulletins today which fix security flaws in Windows, Office, and their Dynamics AX server (an enterprise resource planning or ERP solution). They didn’t release any Critical bulletins this month, only ones with an Important rating; essentially their “medium” severity. Though vulnerabilities with this rating might be a bit more difficult to exploit (requiring local access or victim interaction), some of them could still allow remote attackers to gain full control of your users’ machines. In short, you should still take these updates seriously despite the light load and their less critical nature.

As far as priority, start with the Windows kernel vulnerability, as it fixes a zero day flaw that attackers are actively exploiting in the wild. Granted, the attackers exploiting it need local access to your computer to leverage the flaw, but if they do, they gain full (SYSTEM) control of the PC. The remaining Windows and Office flaws are just about equal in severity. Which you focus on first is up to you. I’d probably consider the Office one first, since bad guys like using malicious documents in their spear phishing emails lately. Finally, the Dynamics AX update fixes a DoS flaw. I don’t suspect many smaller organizations use this product, and DoS flaws aren’t quite as severe as others. So save this one for last, if you happen to use the product.

With Microsoft done, your focus this month is probably better served with patching Adobe and Oracle products. Adobe’s patch day always falls on the same Tuesday as Microsoft’s. However, Oracle happens to follow a quarterly patch cycle, which only occasionally lines up directly with Microsoft’s Patch Day. Unfortunately, this is one such month, and you get to enjoy the unholy trifecta of patching three big corporations’ products at once. Yay (sarcasm)!

Today, Adobe has released updates for Reader, Acrobat, and Flash Player, and Oracle has released their huge Critical Patch Update, fixing over a hundred flaws in a wide variety of products. I’ll post more details about these updates later today, but for now you can check out Adobe’s or Oracle’s pre-announcement advisories if you want a head start.

I’ll post the detailed alerts for Microsoft’s Windows and Office updates shortly. Since I doubt the majority of customers use Dynamics AX, I don’t plan on posting a full alert for it, so if you use it be sure to check out Microsoft’s alert (MS14-004) yourself, and grab the corresponding updates. Stay tuned! — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day Summary, Jan 2014

Cyber Sharking – WSWiR Episode 88

Tons of Patches, Facebook Scams, and Games for Security

If you’re in a country that celebrates the Christmas holidays, it’s probably getting a little quieter at work lately. With that extra free time, why don’t you catch up on the week’s latest security news with our regular episode of WatchGuard Security Week in Review?

Today’s show covers the patches from patch week, the latest NSA hijinks, a wide-spread Facebook phishing scam, and a story about how playing video games can help improve software security. Like always, I also include links to all these stories, and a few extras, in the references below.

Quick show note: I’ll be taking some time off for the holidays, so this may be the last video until next year (though I may release a short one next week). Keep safe out there, and have a happy holiday!

(Episode Runtime: 7:27)

Direct YouTube Link: http://www.youtube.com/watch?v=7325aKAWktg

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Zero Day Flash Patch & Shockwave Update

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Flash and Shockwave Player
  • How an attacker exploits them: By enticing you to run malicious Flash or Shockwave content from web pages or embedded within documents
  • Impact: In the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released two security bulletins describing vulnerabilities in Flash and Shockwave Player. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

Adobe Patch Day - Dec, 2013

  • APSB13-29: Two Shockwave Player Memory Corruption Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin describes two unspecified memory corruption vulnerabilities that affect Shockwave Player running on Windows and Macintosh computers. They don’t share any technical details about the flaws, but do share their scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit the flaws to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit these vulnerabilities to gain full control of their computers.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB13-28: Zero Day Flash Player Code Execution Flaw

Adobe’s bulletin describes two vulnerabilities in Flash Player running on all platforms, including one code execution flaw attackers are currently exploiting in the wild. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit the worst of these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe warns that attackers are exploiting this flaw in the wild. The attack arrives as a malicious Word document containing embedded Flash content. They have assigned these flaws their highest severity rating for Windows and Mac computers, but a lesser severity for Linux and Android devices. If you are a Windows Flash user, we recommend you apply this update immediately.

Adobe Priority Rating: 1 for Windows and Mac (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

Keep in mind, if you use Google Chrome you’ll have to update it separately to get the latest Flash fixes.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in many ways. First, our IPS and AV services are often capable of detecting the malicious Flash or Shockwave files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Shockwave and Flash. This, however, blocks both legitimate and malicious content. If you do want to block this content via the Web or email, see our manual for more details on how to configure our proxy policies’ content-filtering.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

APT Exploits IE 0day – WSWiR Episode 85

Forum Hijacks, Singapore Hacking, and IE 0day

Happy Friday, everyone! The weekend is hours away; but before running off to finish off the last of your work week tasks, why not sit down with a hot cup of joe and catch up on what happened in security news this week?

In this episode, I talk about security patches for Microsoft, Adobe, and OpenSSH, cover some interesting web site hijacks, warn you of a new APT attack that leverages an IE zero day flaw, and mention an interesting hacking arrest in Singapore. Click the big red YouTube play button to learn more, and don’t forget to peek at the Reference section for links to other InfoSec news from the week.

Have fun this weekend!

(Episode Runtime: 8:52)

Direct YouTube Link: http://www.youtube.com/watch?v=VU_7KkQY1m4

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Zero Day ColdFusion Patch & Flash Update

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Flash Player and ColdFusion
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or into visiting specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released two security bulletins describing vulnerabilities in Flash Player and ColdFusion. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

Adobe Patch Day: November 2013

  • APSB13-26: Four Flash Player Memory Corruption Flaws

Adobe Flash Player displays interactive, animated web content called Flash. Many users install Flash, so it’s likely present on many of your Windows and Mac computers.

Adobe’s bulletin describes two unspecified memory corruption vulnerabilities in Flash Player running on all platforms. Though the flaws presumably differ technically, they share the same scope and impact. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe assigned these flaws their highest severity rating for Windows and Mac computers, but a lesser severity for Linux machines.

Adobe Priority Rating: 1 for Windows and Mac (Patch within 72 hours)

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. It suffers from two security vulnerabilities, which Adobe does not describe in much technical detail: a reflected cross site scripting (XSS) vulnerability (CVE-2013-5326), and an unauthorized remote read access flaw (CVE-2013-5328). Other than that, the bulletin shares very little about the scope or impact of these flaws, so we’re unsure how easy or hard it is for attackers to leverage them. Presumably, if an attacker could trick someone into clicking a specially crafted link, he could leverage the XSS flaw to do anything on your web site that the user could. We also assume an attacker could exploit the remote read flaw to potentially gain access to files on your server, such as its web application source code. In any case, they rate the vulnerabilities as Priority 1 issues for version 10, which is their high severity rating.

As an aside, Adobe’s own network was recently breached via a zero day flaw in ColdFusion. Adobe claims these ColdFusion issues are not associated with their network breach. However, the discoverer of one of the issues, Alex Holden, was actually one of the researchers who uncovered Adobe’s data breach, and he claims one of the flaws has been used by attackers this year to break into other companies. In other words, you should apply these updates immediately if you use ColdFusion.

Adobe Priority Rating: 1 for version 10 (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

Keep in mind, if you use Google Chrome you’ll have to update it separately.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in many ways. First, our IPS and AV services are often capable of detecting the malicious Flash or Shockwave files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Shockwave or Flash content. This, however, blocks both legitimate and malicious content. If you do want to block Flash or Shockwave content via the Web or email, see our manual for more details on how to configure our proxy policies’ content-filtering.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Bitcoin Weakness & Hack – WSWiR Episode 84

Microsoft Zero Day, PCI-DSS Update, and Bitcoin Attacks

Ingest this week’s biggest security news in one, easy to watch video with WatchGuard Security Week in Review. I consolidate the latest Infosec news in one place, so you don’t have to. 

Today’s episode covers the week’s security-related software updates, a zero day flaw in Windows and Office, the latest update to PCI-DSS, and some security problems with Bitcoin. Watch the video for the details, and check out the Reference section for a whole bunch of other interesting stories.

Thanks for watching, and have a great weekend!

(Episode Runtime: 9:28)

Direct YouTube Link: http://www.youtube.com/watch?v=l-yxD12gSbY

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Mysterious BadBIOS Malware – WSWiR Episode 83

Adobe Breach Gets Bigger, NSA MUSCULAR, and Mysterious Malware

No time to follow Infosec news, but need to know the latest so you can protect your network? Well you’ve come to the right place. In my weekly, security summary video I quickly highlight the big security stories from the week, so you’re aware of the latest threats and security news.

Today’s episode includes more concerning details about the recent Adobe network hack (change your password), news of the latest NSA snooping revelation, and a story about a very scary advanced malware infection that sounds more like science fiction than fact. To learn all the details, click play below… and don’t forget to check the Reference section for links to many other interesting Infosec stories.

Thanks for watching, and Happy Halloween!

(Episode Runtime: 11:04)

Direct YouTube Link: http://www.youtube.com/watch?v=1YQ0Ot2yFcg

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)
