July 14, 2016

Adobe Flash Player and Microsoft Windows critical updates released in July, 2016

7/14/2016

On Patch Tuesday, July 13, 2016, Adobe and Microsoft both released critical patches for vulnerabilities in various programs and services that were being or could be exploited in the wild.

First, Adobe Flash Player is still deployed on millions, if not billions of devices of all types. Flash videos and interactive games used to be all the rage until a few short years ago. However, since around 2010, a new standard has been emerging to not only challenge Flash, but to surpass it. That new video player is known as "HTML5 Video." The HTML5 <video> element specifies a standard way to embed a video in a web page. Furthermore, that video need not be made in Adobe Flash format.

That is good news for people who want to watch video content on web pages with Apple iPhones and iPads, plus a large swath of Mac computers, all of which do not natively support Flash (thank Steve Jobs). It's also good news to the millions of computer users who are tired of being at constant risk from malware exploit kits targeting web browsers that have Flash Player installed and enabled. This is because the Flash plug-in is the number one target of almost all of the current exploit attack kits in distribution. Cybercriminals pay researchers to probe various versions of Flash Player for unpatched vulnerabilities that they can exploit in what is known as a "zero day attack."

June 16, 2016

Adobe issues a patch for a zero-day exploit in Flash 21.0.0.242

Updated with new version numbers

Adobe has released a patch for a zero day exploit targeting Flash Player versions 21.0.0.242 and under. The patched version, 22.0.0.192, first announced on June 14, was released on June 16, 2016. The Adobe security advisory, rated critical, is here. This version patches a total of 36 new vulnerabilities, as listed in this security bulletin.

The active zero-day exploit affects Flash versions 21.0.0.242 and earlier. It was detected in the wild in targeted attacks by Kaspersky Labs. The technical details are in this blog post.

Many zero day exploits in Flash Player start life in very targeted attacks aimed at high value targets. After word gets out, these attacks are included in general purpose exploit kits, where everybody running Flash Player is targeted. The attacks may come in the guise of a fake invoice or other email attachment. Or, they may be inside a JavaScript redirect hidden in a poisoned advertisement that is displayed on an innocent web page you happen to be viewing. Some exploits are placed as links on websites, often using terms like "OMG" to trick people into clicking on an image or fake movie link that is worded to pique your curiosity.

January 7, 2016

Last security update for Internet Explorer 9 or 10 is Jan 12, 2016

This article should be taken seriously by anybody running a Windows 7 or 8.0 computer that has a version of Internet Explorer below version 11. After the Windows Updates on January 12, 2016, there won't be any more security fixes for versions of Internet Explorer below version 11.

Why? Because Microsoft has decided to mothball older versions of Internet Explorer and only provide patches for version 11 and any that may follow (if any!). It is actually believed that version 11 will be the final one for IE. All of Microsoft's browser development is now being focused on the new Edge browser and IE is relegated to the back row.

What does this mean for versions of IE below version 11?

It means that, like Windows XP users, your Windows 7 computers will be more at risk of malware infections that exploit weaknesses in Internet Explorer and its components than if they were still receiving security patches. Those aforementioned components are deeply embedded into the operating system. The Internet Explorer rendering engine is called upon to display HTML email when you open it in Microsoft Outlook or Windows Live Mail. That is but one example of many. You don't have to actually open Internet Explorer as a browser to be at risk of specifically targeted attacks on its components.

October 16, 2015

Flash Player Mayhem

For the second time this week, Adobe has released a patched version of its Flash Player, addressing a zero day exploit that was both targeted and of limited scope (for now). The new patched version is 19.0.0.226.

The first Flash update, 19.0.0.207, released on Tuesday, October 13, 2015, addressed 21 separate CVE vulnerabilities. Today's update patches 3 more.

All of these 24 CVE vulnerabilities are critical, meaning that attackers could potentially use them to take control of an affected operating system. And, ALL operating systems are affected by these vulnerabilities.

All versions of Adobe's Flash Player up to and including 19.0.0.207, on Windows and Macintosh, and 11.2.202.535 and earlier on Linux computers are vulnerable and exploitable. Users who operate with fewer account privileges would be less at risk of automatic exploitation. However, they can still be tricked into allowing a malicious Trojan to download, or might open a booby-trapped email attachment, then input the administrator credentials to install it. In fact, this is the tactic used in targeted attacks, where a valuable recipient is personally baited to open/download and execute hostile code.

February 2, 2015

Yet another Flash Player 0-day vulnerability being exploited! Patch released.

Prologue

Just 11 days ago, I published a warning about a serious 0-day vulnerability being exploited in Flash Player. It took 4 days for Adobe to release a good working patch for those exploits. Well, the dust has barely settled and Adobe and threat researchers at Trend Micro just announced another 0-day exploit targeting the freshly patched Flash Player!

Like the previous Flash exploits of mid-January, this one is delivered via malicious advertising that was paid for on an ad delivery network (who were tricked by bait and switch advertisers working for the criminals behind the Angler Exploit Kit). The actual known poisoned ads have been taken down by the ad network, but others may be lingering. There is really no way of knowing if you are going to a page that has those ads in rotation, unless you have substantial security protection installed (see addendum in my extended content).

See my updates at the end of this article

What OS and browsers are affected?

All Windows operating systems from 8.1 down are affected. The targeted browsers are Firefox and Internet Explorer on these platforms. Mac OS is also vulnerable through browser exploits; the affected browser is Safari. Finally, Linux computers are vulnerable through Firefox, if the Flash plugin is installed.

In the case of Firefox, if you have opted for Flash Player to "Ask to Activate," aka, Click to Play, and you don't allow it to run on a page carrying an exploit ad, you are not going to be automatically exploited. If you visit using Internet Explorer, the download is automatic and the exploit happens in the background.

January 27, 2015

Adobe finally patches Flash Player vulnerability used in 0-day exploits

By now, most of you will have heard about the recently discovered Flash Player vulnerabilities being exploited by a crime pack, called the Angler Exploit Kit (Angler EK for short). I wrote a blog article about it on January 22, 2015.

I posted three updates to my article, ending yesterday morning, alerting to an upcoming final patch from Adobe. I also noted that some computers were having the new version pushed to them via the Adobe Flash Player automatic updater (if it was fully enabled). But, the rest of the folks who had to update manually were left out of the security update.

That has finally changed today, Tuesday, January 27, 2015. The About Adobe Flash Player page now shows version 16.0.0.296 as the most current version. You should not delay after reading this. Go to that page in each browser installed on your computers and see if those browsers are up to date or not. If not, use the link labeled "Player Download Center" to get the new version for your operating system and browser type.

After updating Flash, it's a good idea to close and restart the browser.

Note:
There are different flavors of Flash for different brands and versions of browsers. Internet Explorer always used an "ActiveX" version (which may have changed or be changing in IE 11 forward). Firefox and Opera use a different version known as a "Plugin." Google Chrome has Flash built right into the architecture of the browser, requiring the browser itself to be updated. That is about to change as a standalone installer has just become available for advanced users of Chrome. People using Mac computers would have to manually install and update Flash, as Apple doesn't support it at all. Linux users also have to manually check for software updates and apply new Flash versions themselves.

Wrap-up:
If you missed the hoopla, read my previous blog article, titled: New Flash Player zero day exploit in the wild.

July 4, 2014

Oracle's upcoming Java updates will leave XP users less protected

Oracle Corporation, the keeper of the keys to Java software, has announced that the next quarterly security update to Java will occur on July 15, 2014. This just happens to coincide with Microsoft's Patch Tuesday. On that date, a new major revision will be released, version 8.x, which will not install on Windows XP computers. With that release, full support of the current version 7 will cease, except for companies with more than 1000 user seat licenses who pay for custom support packages.

The wording about the end of Java support for XP, on Oracle's FAQ page for Windows XP, is a bit confusing. I have researched this and learned that others have received possible clarification from Oracle spokespersons. It appears that Java 7 will receive security patches until July 2015. But, get this, they will not be testing them on XP operating systems! There is a disclaimer on the FAQ page stating that XP users may download updates to Java 7 at their own risk!

Here's how Oracle words the notice:

As of April 8, 2014 Microsoft stopped supporting Windows XP and therefore it is no longer an officially supported platform. Users may still continue to use Java 7 updates on Windows XP at their own risk, but support will only be provided against Microsoft Windows releases Windows Vista or later.

For the bravehearted XP users among you, the official Java download page is here.

Do you really need to keep or install Java at all?

February 20, 2014

Adobe Flash Player updated to fix 0 day exploit

Today, Adobe released an unscheduled updated version of its Flash Player; the one that nearly every computer and handheld device except Apple iPhones and iPads uses to view videos and animations online. The new releases are version 12.0.0.70 for all Windows and Mac OS X operating systems, version 11.2.202.341 for Linux, and 11.2.202.223 for Solaris.

Adobe strongly recommends that users of Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 12.0.0.70 and folks using 11.2.202.336 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.341.

You can find out what, if any, version of Flash your various browsers are running on the Adobe About Flash page. It contains a link to download the newest version of Flash for your browser and any others you may have installed. Firefox, Internet Explorer and Google Chrome all use different builds of Flash. You update a Flash plug-in for Firefox, an ActiveX version for Internet Explorer, and Google Chrome itself is updated to include new builds of Flash.

Adobe normally releases updated versions of Flash on a monthly cycle, on the second Tuesday of every month, soon after Microsoft pushes out its Patch Tuesday Windows Updates. However, as fate would have it, the Flash exploit patched today is directly linked to Microsoft's Internet Explorer browsers, but currently, only IE 9 and 10 and only on particular versions of Windows, from Vista up.

So, Microsoft joined with Adobe to plug their interconnected "zero day" vulnerability being exploited in online attacks against specifically targeted entities. While Microsoft hasn't pushed out an out-of-cycle patch yet, they have published "Microsoft Fix it 51007" as a so-called "MSHTML Shim Workaround." Security Advisory 2934088 lists all of the impacted operating systems and IE browsers.

There is a negative impact after installing the Fix it solution above. According to the Microsoft Security Advisory 2934088, "after you install this Fix it solution, you may experience increased memory usage when you use Internet Explorer to browse the web. This behavior occurs until you restart Internet Explorer."

September 27, 2013

If you run a WordPress Blog on your own web hosting account, read this.

In my previous article I wrote about an ongoing botnet hacking campaign targeting WordPress Blog installations on web servers around the World. Read this excerpt.

There is an ongoing attack targeting /wp-login.php, /admin.php and /administrator/ for at least a month, if not longer. Most are brute force password crack attempts, but others are exploiting vulnerable code in WordPress itself.

In addition to attacks against the WordPress software (web applications [apps] and CMS programs are in reality, "software"), which was very recently updated, I see regular attempts to exploit popular WordPress plug-ins. Some of these plug-in attacks are over a year old, yet they are ongoing to this day. Why is that?

Hackers continue to probe with old exploits targeting WordPress and its plug-ins - because these attacks work, due to the software not being patched in a timely manner and due to the people administering the blogs not securing them with strong passwords.

According to recently published research by WP White Security, conducted between September 12 - 15, 2013, as many as 73% of the WordPress installations tested were running outdated, vulnerable versions of the program itself. This research doesn't say anything about outdated, exploitable plug-ins or weak or default passwords. The WordPress software itself is outdated on 73% of the web servers tested just after the release of version 3.6.1. Hopefully, in the 12 days that have passed, more people have upgraded to the current version!

March 6, 2013

Oracle patches Java vulnerabilities for 3rd time in 30 days

Oracle, the current owner and maintainer of Java technology, has just released another critical patch for its "write once, run anywhere" Java Virtual Machine. This makes 3 critical patches in about 30 days. The new versions are now: Java 7 Update 17 and Java 6 Update 43. This patch closes a critical vulnerability (CVE-2013-1493) in Java that is being used in targeted attacks against important targets in sensitive positions (e.g. espionage).

In a previous blog entry, I mentioned that Oracle had intended to quit shipping updates for Java 6 at the end of February, in an effort to get users to migrate to the new Java version 7 platform. Apparently, due to the huge number of companies and Government agencies that still use version 6 and are being targeted by this exploit, they reversed their decision.

What does this mean for you?

If you have Java installed on any computer that accesses the Internet, either update to the latest version (Java 6 Update 43 or Java 7 Update 17), or disable Java in your web browsers, or uninstall it altogether (unless your business requires it). Instructions for upgrading or uninstalling Java follow. But, if you use Java applications for business or development purposes, verify that it is okay to upgrade to the new version (6 or 7), and/or reduce your risk by securing your Java enabled computers and operating with reduced user privileges. If you use Firefox as your browser, consider installing the NoScript Add-on and learn to use it for your protection against JavaScript driven, Java Plug-in exploit kits.

February 3, 2013

Java 7 Update 13 and Java 6 Update 39 released to patch critical flaws

Last night, on Feb 2, 2013, Oracle Corporation released 2 new versions of its Java virtual machine: Java 7 Update 13 and Java 6 Update 39. These new versions contain fixes for an unbelievable 50 exploitable vulnerabilities in the previous versions (Java 6 and 7). These updates were not supposed to be released until February 19, but new Java exploits are already in the wild. So, Oracle did the right thing and released them ahead of schedule.

Some of the patched vulnerabilities have already been reported publicly and were rolled into online exploit attack kits (e.g. Blackhole Exploit Kit 2.0 and Cool Exploit Kit). Others were reported to Oracle, or discovered by them and kept quiet. Most of the exploitable vulnerabilities exist in Java 6, not Java 7. Oracle is already applying tactics aimed at getting users of Java to stop using version 6 and migrate to the new version 7 platform. Apparently, patching version 6 is no longer feasible and this update (build 39) is the last one planned for Java 6.

Secure your Java software!

If you are an end user, not an employee using a company workstation, and you have and want Java installed on your computers, go to www.java.com and download and install the latest build of Java 7. Then reboot. When the computer boots up and you are logged in, for Windows users, go to Control Panel (Start > Settings > Control Panel) > Programs and Features (or Add/Remove Programs in XP). Open the list of installed programs and find Java alphabetically. If you see any previous versions still installed (prior to Java 6 b39 or Java 7 b13), uninstall them, then reboot.

The reason for uninstalling older versions of Java is because cybercriminals and hackers have been targeting specific versions of Java, installed into default folder locations, for many years. This way, if your computer is attacked by an exploit kit but has the latest version of Java as the active one, JavaScript code might still run to search out a previous version lurking in your Program Files. If the secondary (older) Java target is installed, your PC could be exploited through that version.

January 17, 2013

Hello, another Java 0-day exploit has been revealed!

It was 5 days and a few hours ago that I published a blog article about a recent Java vulnerability being exploited in the wild. In it I advised my readers to disable Java plug-ins from running in their browsers, or to uninstall Java altogether.

Then, three days later, on Jan 14, 2013, Oracle, the keeper and maintainer of the Java code, released an out-of-band patch to plug the vulnerability that was the cause of the exploits. This was done with the release of Java 7 update 11.

However, on Wednesday, Jan 16, 2013, Trend Micro researchers posted findings that revealed that the Oracle patch was incomplete and left a related attack vector open. A few hours later, a high ranking admin on a malware distribution forum offered to sell a working exploit of this new zero day exploit for a starting bid of $5,000 USD (see Brian Krebs' article), to two more individuals (he had already sold one copy). Within a short time his offer was taken down, leading Brian Krebs to postulate that the bidding had ended and all three copies of the hardened and ready to go exploit had been sold.

I know that there are some business programs and commercial web pages that operate with Java Applets, requiring users to have Java enabled in their browsers, and/or operating systems. These people cannot just uninstall Java hodge-podge. They want a workable method of keeping Java, but reducing their exposure to malware sneak attacks. Let's see if I can help a little.

December 11, 2012

It's time to update Adobe Flash and Microsoft Windows!

On Patch Tuesday, December 11, 2012, Adobe and Microsoft released critical updates to some of their software. Adobe Flash has been updated to version 11.5.502.135, fixing a critical vulnerability and Microsoft released 8 critical or important updates. You are strongly advised to update your Windows computers now to protect against exploit kits targeting the patched vulnerabilities.

Windows Updates almost always require a reboot to complete the installing of new system files. This is because such files are in use when the operating system is running and can only be replaced when it is shut down temporarily.

I found out that sometimes Adobe Flash acts the same way as Windows Updates, in not letting go while Windows is running. On my Windows 7 computer, I found it necessary to reboot after upgrading Flash today. This was after I logged into my Administrator level account to run these updates. After the Windows Updates completed and I had rebooted, I upgraded to the new version of Adobe Flash. The "About Flash" results page showed the new version was installed. So, I logged out of the Admin account and into my Standard User account.

But, when I opened Firefox, something caused it to hang repeatedly, making the browser unusable. I grokked that since the browser was fine when I went to fetch the new version of Flash, but was unstable after upgrading it, the old version must still be lingering, either in the Registry, or as an active file in use. So, I force-closed the browser and rebooted. After logging in again, the problem was fixed. Files in use, people...

There is another way to update Flash without rebooting, which I applied to my XP computer, on a hunch. I simply uninstalled Adobe Flash with my browsers closed. This is done via Control Panel, Add/Remove Programs. Once Flash was uninstalled, I opened Firefox, went to Adobe.com and downloaded a new copy of Flash Player. When the download completed, I opened the download location, closed the browser, then ran the Flash installer. After the installation completed I opened my browser and everything worked normally. So, you can use this method to flush out an old version of a browser plug-in, rather than rebooting.

By the way, Adobe provides a Flash uninstaller, as a stand alone Windows executable that you can run from your downloads folder. It gets rid of both the Firefox and Internet Exploder versions of Flash at the same time.

September 19, 2012

Microsoft to issue out-of-cycle patch for 0-day IE exploit

This is an urgent update to a vulnerability alert I published two days ago, on Sept 17, 2012.

Bowing to pressure from concerned organizations around the World, Microsoft has just released a temporary "Fix It Tool" to block the primary attack vector used in the newest zero day attacks targeting Internet Explorer users. This Fix It Tool was released only a few days after the initial publication of the details of the exploit code, on the Metasploit website.

The Fix It Tool is designed to "Prevent Memory Corruption via ExecCommand in Internet Explorer." The details about the vulnerability can be found on this page.

If you use Internet Explorer versions 6, 7, 8, or 9, you are vulnerable. Go to the Microsoft Fix It Tool page and download "Microsoft Fix it 50939" to enable your protection. There is also a second tool to disable the protection: "Microsoft Fix it 50938."

Furthermore, Microsoft has announced that they are preparing to release a comprehensive official patch for Internet Explorer, for all affected and still supported Windows platforms. The official patch is scheduled for release on Friday, September 21, 2012. If you set your Automatic Windows Updates option to automatically check for and download important updates, you should receive the official patch sometime on Friday, this week.

August 22, 2012

Roundup of recently patched Internet security vulnerabilities

August has been a busy month for both cyber criminals and security patches from software vendors targeted by malware distributors. Microsoft released 9 security patches through its monthly Patch Tuesday, on August 14, 2012. The same day, Adobe released a new version of its Flash Player, to plug a vulnerability being exploited in the wild. Earlier today, Adobe released yet another version of Flash Player, fixing six more vulnerabilities.

These updates are all rated either "critical," or "Important" by their owners. You are strongly advised to update your Windows computers, via the links on your Start Menu for Windows or Microsoft Update, plus all installed Adobe programs, but especially Flash and AIR. Today's updates bring Flash to version 11.4.402.265 for most browsers, except for Google Chrome. Its new version is bundled into a newly released version of Chrome and holds version number 11.3.31.230. This applies to Windows and Mac computers.

To find out if you are running the current version, or an out-dated version of Flash, go to the Adobe "About Flash" page.

July 6, 2012

Microsoft XML Core Services vulnerability to be patched on July 10

On July 2, 2012, I published an article detailing a vulnerability in Microsoft's XML Core Services that is being exploited in the wild. A Fix It Tool link was given to use as a workaround until an official patch can be released. That patch is to be released through Windows Update Services on Patch Tuesday, July 10, 2012.

The exact details are yet to be announced, as to any additional files or Registry settings that will be changed when the official patch is released, compared to the Fix It Tool modifications. If you have applied the Fix It Tool, continue to use it until Tuesday afternoon at the equivalent of about 2 PM Eastern Time, July 10. If you downloaded the second, unFix It Tool, run it on the 10th to reverse the changes. If you did not download the unFix It tool, go to the Microsoft Advisory KB2719615 page and see if they left the two Fix It buttons on the page. If so, use the button on the right, under "Disable" (#50898), to download and run the Fix It Tool that reverses the changes.

Note: The Fix It Tools are .msi files which require Administrator level credentials. You will have to answer a UAC challenge (under Windows 7, Server 2008+ and Vista) to proceed and you may need to provide an Administrator password, depending on what type of user account you are logged into. XP users will need to log into an Administrator level account, because "Run As" doesn't usually appear for .msi file types (unless you have hacked your Registry).

After running the aforementioned unFix Tool, go directly to Windows Updates and download all applicable patches for your Windows computers. Doing this immediately minimizes your exposure to attacks targeting the XML Core Services. This is especially so because many people use Internet Explorer to visit the Windows Update site and Internet Explorer is the main conduit for the XML vulnerability being exploited in the BlackHole Exploit Kit.

June 13, 2012

Adobe, Microsoft and Oracle released critical patches on June 12, 2012

June 12, 2012 was a huge Patch Tuesday, with Adobe, Microsoft and Oracle all releasing patches to fix critical vulnerabilities in their software. The affected programs include Adobe Flash, Oracle Java and Microsoft's Windows Kernel, Internet Explorer, .NET and Remote Desktop software.

I have already published a blog article today about the Java update on 6/12/2012. You need to update Java now, if you have it installed. The BlackHole Exploit Kit is targeting vulnerabilities just patched.

If you have Windows computers, running on XP (w/SP 3), Vista, 7 or Server 2003 or 2008, you need to use your Windows Update link on the Start Menu, or in Control Panel, to check for and install between 7 and 11 or more patches, rated from Important to Critical. The actual number of patches you receive depends on what, if any, Office and .NET programs you have installed. You will need to restart the computer to complete the updates. If you use Internet Explorer, you can go to Windows Updates via a link in the Safety menu item.

Adobe Flash was simultaneously updated on the 12th, to version 11.3.300.257 for most users. An Adobe Security Advisory describes how previous versions are being exploited and how this new version plugs those holes. It also lists the affected versions for other operating systems and devices, like Mac and Android. If you use Flash at all, it needs to be updated NOW. Malware exploit kits have been updated to target the vulnerabilities that were just patched.

To update Flash, go to www.adobe.com, click the link for Flash, then download the version for your browser. If you use Internet Explorer and Firefox, Safari, Opera or Chrome, there are separate downloads. IE uses an ActiveX version, while Firefox, Safari and Opera use another plug-in version and Google Chrome uses a special, bundled version, requiring you to update Chrome itself (go to Tools > About Google Chrome and it will begin checking and updating if necessary).

After you update Flash in all of your browsers, they need to be closed for the upgrade to take. You may even need to reboot the computer to flush out a previous version if it was in use during the update process.

I believe it is a good thing that these major software vendors have released critical updates on the same day and time period. This allows users to perform multiple security updates sequentially or simultaneously, restart once, then get back to work.

All of the above updates require Administrator privileges. While you can perform these updates as a Standard User, via "Run As Administrator," it is really best to log into an actual Administrator level account first, since you will have to reboot after installing these updates.


Java gets 14 security fixes on 6/12/2012. Update now!

On June 12, 2012, Oracle released patched versions of its Java SE and FX software, patching 14 security holes. Oracle proudly proclaims that over 3 billion devices run on Java, so it's a reasonable bet that you use Java on some of your Internet capable digital devices. You may not even be aware that you have Java installed.

In case you didn't know, Java is the number one targeted browser plug-in in all of the current malware attack kits, distributed in spam email blasts. It is specifically targeted in the notorious BlackHole Exploit Kit, which I write about often.

The problem with running vulnerable versions of Java is that a successful exploit can cause a scripted attack to jump out of the safe area known as the "sandbox" in a browser and penetrate to the operating system. Once it gains access to the O.S., anything goes. This usually ends up with the PC or smart-phone becoming botted, rooted (rootkit), Trojanized (e.g. ZeuS banking Trojan, rogue anti-virus, ransom-ware) and used as both a spam sending and DDoS attack tool.

In the Patch Advisory for June, 2012, Oracle enumerates the software packages updated and the threats these patches fix. This patch affects the versions of Java (SE or JRE) used by most consumers in their browsers, as well as developer versions of Java. Oracle is quite clear in urging all users of affected versions of Java to upgrade as soon as possible. Here is a quote from the latest advisory:

Continue reading "Java gets 14 security fixes on 6/12/2012. Update now!" »


June 4, 2012

Flame Worm uses fake signed Microsoft digital certificates to install

Earlier today I published a blog article detailing why Microsoft has issued an out-of-band patch that plugs a vulnerability used by the Flame malware, as one means of installing itself. Now, I have learned how the malware is exploiting these certificates and what the patch does to stop this method of exploitation.

According to recent analysis of the Flame malware by Kaspersky Labs, one of the methods Flame uses to propagate inside a network is to present a forged, signed-by-Microsoft digital certificate when trying to install itself on an uninfected PC. The certificate is used to install a fake Windows Update component deceptively named "Desktop Gadget Platform", which lies to you by claiming that it "Allows you to display gadgets on your desktop."

Because it uses a previously acceptable certificate of authenticity, claiming to have been signed by Microsoft itself, the operating system would allow the installation to take place without a second thought, or any user interaction. But, not any more! Today's critical patch KB2718704 has revoked the digital certificates used by the Flame Worm. Now, if this malware attempts to install, a challenge box will pop-up. It will list the installer as Unsigned or Untrusted, rather than Signed. If you check for a certificate, it will reveal that the certificate used has been revoked by the issuer.

Thus, the out-of-cycle patch that Microsoft released earlier today will block unattended infections that were previously allowed by the fraudulently signed (by Microsoft) certificates. These revocations will stop this attack vector, but not others. It is still unknown how the Flame malware is introduced into a system to infect the first host. Researchers are currently looking for an unknown zero day exploit. Keep in mind that the forged signed certificates were a form of zero day attack. It took a long time for this vector to be discovered, but only hours to revoke their permissions and plug that hole.

Footnote: The digital certificates used to spread the Flame malware were signed in 2010. This subterfuge was only discovered in the last few days, a full two years after the fact. It is still not known how these fake certs were signed. That will eventually come to light, along with other facts about this new Flame malware burning up the security news channels as The Hot Topic (puns intended)!

My previous article urges all Windows computer owners and Admins to use Windows Update to install Patch KB2718704 as soon as possible. I repeat the call for urgency in patching against this new malware and others like it that are bound to follow. The next Flame might not be an espionage tool but a new form of botnet and attack weapon.

If you operate with less than Administrator privileges, the patch may be pushed to you when you shut down, or log off. If you run Microsoft Security Essentials, it runs with System privileges and may install the patch with no user interaction or restarts at all. It did just that on my XP Pro machine!


Out of band Microsoft patch quenches Flame malware exploit vector

The Flame malware has been a hot topic for the last week, after it was discovered infecting industrial computer systems in the Middle East and Iran. This malware is very high level and is designed for spying on carefully selected industrial and Government systems. It has attracted a lot of attention in the short time it has been known to security companies, and today it got Microsoft's attention.

Today, June 4, 2012, Microsoft has issued an out-of-band patch for one of the vulnerabilities used by the Flame to infect Windows computers. Patch KB2718704 is now being pushed to all supported versions of Windows, via Windows Updates. I just applied it to my Windows 7 PC and it did not require a restart.

What vulnerability does patch 2718704 fix?

According to the aforementioned Microsoft Advisory, one of the infection vectors used by the Flame malware is exploiting an old feature belonging to Windows Terminal Services and used in Remote Desktop connections. Specifically, this is labeled: "Unauthorized Digital Certificates Could Allow Spoofing" - and is defined as follows:

"Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows."

The advisory reveals that at least three unauthorized signed certificates are being used in the Flame attacks. Additionally, this patch addresses unauthorized digital certificates described in previous advisories: Microsoft Security Advisory 2524375, Microsoft Security Advisory 2607712, and Microsoft Security Advisory 2641690.

What does this patch do?

We (Microsoft) have updated the Untrusted Certificate Store to remove the trust in the affected Microsoft certification authorities.

Today's advisory goes on to urge everyone running any supported version of Windows, including XP (with SP3), Vista, 7, Server 2003 and Server 2008, to run Windows Update immediately and install Patch KB2718704.

If the Flame is an industrial espionage Trojan, why should we all have to patch against it?

We have previous experience with another, similar computer Worm, discovered in June 2010, which was also designed for industrial espionage. That Worm was meant to infect only nuclear facilities in Iran, but it accidentally broke loose and infected an untold number of business and personal computers around the world, none of which were its intended targets. That malware is known as the Stuxnet Worm and it is still infecting computer systems two years after being discovered.

So, while you and I are probably not intended targets of the Flame malware, now that it is loose, it is prudent that we apply the patch that blocks one of its most common methods of propagating. Go to Windows Update on all of your Windows computers, check for patch KB2718704 and install it.
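The two Flame posts above both come down to one mechanism: KB2718704 moves the abused Microsoft certification authorities into the Untrusted Certificates store, so an installer signed through them no longer validates. The PowerShell below is an added example, not code from the original posts or from Microsoft; it lists what that store contains and reports how Windows now judges an installer's Authenticode signature. The subject pattern and the file path are placeholders chosen by the operator.

```powershell
# Added example, not from the original post: show what KB2718704 put in the
# Untrusted Certificates store and check how Windows now judges an installer's
# Authenticode signature. Assumptions: Windows host; the subject pattern and
# the file path are placeholders chosen by the operator.

function Get-UntrustedCertificates {
    param(
        # Substring of the certificate Subject to report; 'Microsoft' narrows the
        # list to the certification authorities the June 2012 advisory distrusted.
        [string]$SubjectPattern = 'Microsoft'
    )
    # 'Disallowed' is the certificate provider's name for the Untrusted store.
    Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' |
        Where-Object { $_.Subject -like "*$SubjectPattern*" } |
        Select-Object Subject, Issuer, Thumbprint, NotBefore, NotAfter
}

function Test-InstallerSignature {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -Path $Path)) {
        throw "File not found: $Path"
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status           # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Message = $sig.StatusMessage
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { $null }
        # Only 'Valid' lets an unattended install through. A chain that runs
        # through a distrusted CA no longer comes back Valid, which is the
        # Unsigned/Untrusted challenge box the post describes.
        Blocked = ($sig.Status -ne 'Valid')
    }
}

# Usage. The installer path is a placeholder; replace it with the file you
# want to examine.
Get-UntrustedCertificates | Format-Table -AutoSize
$Installer = 'C:\Downloads\suspect-installer.exe'
if (Test-Path -Path $Installer) {
    Test-InstallerSignature -Path $Installer | Format-List
}
```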


April 13, 2012

Apple releases third patch for Java exploits, plus Flashback removal tool

I, among many other security bloggers, have recently posted articles regarding Java vulnerabilities and patches and how crimeware exploit kits target Java before any other commonly installed software. In fact, I published an article last night, April 12, 2012 about security patches that have been released so far this year, in which I mentioned that Apple had lagged way behind in patching the version of Java used on Mac computers.

Well, it may have taken Apple 2 months to issue "a" patch, but they enjoyed doing that so much that they have now released their third patch in 7 days! Yes Mac owners, you have three critical patches to download and apply, including the latest one issued late yesterday (April 12, 2012).

You see, Apple has a policy of discontinuing support for certain third party software for various reasons. They decided about a year ago to drop support for Adobe Flash. Not too long ago they also decided to drop support for Oracle Java and removed it from the list of applications that are installed or updated by Apple Software Updates.

This decision to stop deploying Java with Apple/Mac updates was a tactical error in my opinion. It was well intentioned, but short sighted. Java exploits are absolutely the number one infection vector used by perpetrators of the ZeuS Trojan and various botnet installers. Java is cross-platform, and has been described by its original maker Sun Corporation as "write once, run anywhere" technology. Java is not a scripted language, but is deployed as compiled mini-programs, known as Applets, using what are known as .JAR files to distribute these programs and their supporting files.

Run Anywhere includes Mac OS computers, as well as smartphones, tablets, ATMs, on and on. Even though the user base for Mac computers is relatively small, compared to Windows, they have now become targets of Java exploit kits, due to the erroneous attitude of many Mac users that they are immune to malware sneak attacks. This has been proven to be wrong thinking.

Continue reading "Apple releases third patch for Java exploits, plus Flashback removal tool" »


April 12, 2012

Security threats and program patches for 1st quarter of 2012

We are just a third of a month into the second quarter of 2012, and we have already had a lot of security vulnerabilities, threats attacking them, and program patches released by major software companies. These patches include Windows Updates, Mac (Apple) Updates, Adobe Flash, Air and Reader, Oracle's Java Virtual Machine, Internet Explorer, Firefox, Safari and Chrome browsers, Real Player and iTunes.

All of the software updated by these companies, over the past three months has suffered from highly critical security vulnerabilities, many of which are now being actively exploited by cyber crime gangs who publish exploit attack kits. Java exploits are almost always the first types of exploits targeted by crimeware kits, like the Russian Blackhole kit.

Some of you may be wondering how these exploits are delivered to your computer in the first place. The most common method of luring potential victims to scripted exploit kits is via cleverly crafted, hostile email spam messages. These hostile spam messages differ from standard commercial spam in that they aren't trying to sell you counterfeit pills, watches, or pirated software. Rather, they use well constructed come-ons to con or panic recipients into either opening attached files containing Trojans or JavaScript codes redirecting your browser to a malware server, or clicking on obscured links to compromised websites.

After one clicks upon such a link, the scripts on the compromised landing page usually redirect you to other compromised websites and scripts, until you ultimately arrive at a distant server owned by cyber criminals, often in Eastern Europe. These servers use domains registered in places like Russia and the Ukraine to launch exploit kit attacks on your web browser and its add-ons and plug-ins, with Java plug-ins leading the pack. Adobe Reader (PDF files) and Flash are major secondary targets, followed by iTunes and Quicktime, Microsoft Word and just about any popular software that can be used to gain access to the operating system.

This is why reputable software companies release security updates on a more or less regular basis. Microsoft releases Windows Updates almost every month, on the second Tuesday of the month. Adobe has agreed to also release any critical patches on the same Tuesday. This has become known as Patch Tuesday. Make a note of this and if you have a Windows computer running XP with Service Pack 3, or Vista, or Windows 7, or Windows Server 2003 or newer, set your Automatic Windows Updates to check for updates at least every Tuesday, at the equivalent of 2 PM Eastern time for your time zone. Accept all updates rated Important or Critical. Reboot after all updates are installed and log back into an administrator level account to ensure that any further processing takes place, before logging into a less privileged account.

Note: There have now been four Patch Tuesdays so far in 2012, with the most recent being April 10, 2012. If you have not run Windows Updates this week, do so now. Two very serious vulnerabilities were patched this week. One is for Internet Explorer and the other for Microsoft Word. Exploits are now in the wild for both vulnerabilities.

Continue reading "Security threats and program patches for 1st quarter of 2012" »


March 5, 2012

Adobe quick-releases a critical Flash Player update on March 5, 2012

It was just 20 days ago, on Feb 14, 2012, that Adobe Systems released a critical update for their Flash Player, which I blogged about here. That version was 11.1.102.62, for Windows, Mac, Linux and Solaris operating systems. Today, March 5, 2012, they released another unexpected critical patch, version 11.1.102.63, for the same systems.

Android smartphone users who have Flash installed also have upgrades waiting, to version 11.1.111.7 (Android 2x, 3x) or 11.1.115.7 (Android 4x) respectively.

The previous patch fixed 7 security vulnerabilities, one of which was being exploited in the wild in February. This latest update patches 2 more newly discovered vulnerabilities (CVE-2012-0768 and CVE-2012-0769), which they claim are not yet being exploited by web browser attack kits. That is bound to change in a few days.

The first newly announced vulnerability allows an attacker to take over control of a user's computer or smartphone via a memory corruption attack against a component of Flash known as Matrix 3D. The second vulnerability in Flash Player allows a hacker to steal sensitive information from a victim's computer or smartphone.

While the Adobe Priority table says users should apply the new patches within 30 days, I recommend you do it as soon as you read this. Exploit kit writers are not going to wait 30 days to go after unpatched computers or smartphones. If you have Flash on a computer, visit the Adobe Flash Download page and download one version of Flash for Internet Explorer and another if you use Firefox or Safari browsers.

Mac users should visit the Adobe Flash download page for other systems and browsers. Apple itself does not support Adobe Flash.

Google Chrome has released a new version of the Chrome browser, which has an embedded version of Flash. To upgrade, open Chrome, then click on the Settings wrench icon on the upper right of the browser, then on "About Google Chrome." If the update has not already been installed it will begin downloading as you open the About Chrome box.

You will have to restart your browsers for the upgrades to take effect. This goes for most plug-ins like Flash. After restarting them, go to the About Flash page and verify that you have the most current version for your browser and operating system. Your installed version is displayed above a table on the page, which lists all current versions of Flash, by operating system.

Continue reading "Adobe quick-releases a critical Flash Player update on March 5, 2012" »


February 15, 2012

Oracle Java and Adobe Flash get critical updates on Feb 15, 2012

Hmmm, it's been a busy two days for updates. On February 14, 2012, Microsoft released its monthly handful of Windows updates and patches. Later that night, I discovered that Oracle has just pushed out a critical update for their Java virtual machine. One day later, on Feb 15, I discovered that Adobe has just released a patched version of its Flash Players (all versions).

All of these updates, from three software companies, are rated anywhere from "important" to critical. I strongly advise my readers to update their Windows PCs with Windows Updates, and all operating systems with Adobe updates, and, if you use Java at all, get the Java update as well.

Java JRE Update of Feb 14, 2012

Oracle, the current owner and maintainer of Java technology, estimates that over 3 billion devices run their Java Virtual Machines. Java (not to be confused with JavaScript, which is different) is a powerful programming language that allows for mini-programs to run on a device, or desktop, or in your browsers. It is found in smart phones, tablets, computers and many other digital devices. The official website for distributing the consumer version of Java is fittingly called java.com.

For all of its fancy tricks and useful features, the devil lies in programming errors that have existed for a very long time, or which are introduced when other problems are patched. Java goes way back to the late-1990s. I used to run Java applet pets on my Windows 95 desktop, as far back as 1997. They were fun programs to play with and none of us thought that they could be used for evil purposes. Unfortunately, "we" were wrong.

For the last several years Java technology has been the primary target of cyber-criminals who write exploit kits (like the infamous Russian Blackhole Exploit Kit) that attack computers through vulnerabilities that have not been patched by the owners of those computers. The reason is that many people simply are not even aware that Java is installed on their PCs and hence, never think to update it. Older versions of Java, as far back as series 4 and 5 contain all kinds of coding errors that allow easy exploitation. To make matters worse, when people did upgrade to newer versions of Java, the old versions were not uninstalled! They were left intact, in their default folder locations, for any hacker to take advantage of simply by specifying the path to those versions of Java's executables and .JAR files.

So, the first thing my readers need to do is see what, if any, versions of Java are installed, by visiting Java.com and clicking the "Do I have Java?" link. If you have the previous version installed, you should be able to update by opening your Windows Control Panel and (double) clicking on the Java icon, going to the "Update" tab and clicking the "Update Now" button. Then, open the "Add/Remove Programs," or the newer "Programs and Features" icon and uninstall all older versions of Java.

After you have updated Java, go to Control Panel (Windows), open the Java icon and click on the Update tab. Set the options to automatically check for updates every day, at a time the PC is normally on. One never knows when an update will be pushed out until it arrives. Tis far better safe than sorry when it comes to Java technology. The latest versions, released on February 14, 2012, are Java 6 Update 31, and the newer series Java 7 Update 3.

Adobe Flash Updated

Continue reading "Oracle Java and Adobe Flash get critical updates on Feb 15, 2012" »


December 13, 2011

Java updated to version 6 update 30, on December 12, 2011

Oracle, the current keeper of Java software, has released a new version to fix stability problems in previous versions and improve performance (see bug fix page). The new version's common name is Java 6 update 30. The official version number is actually 1.6.0_30-b12. If you have Java installed I recommend keeping it updated to the latest version, whenever Oracle releases one.

I often write about Java vulnerabilities being exploited by criminals who install exploit attack kits onto web servers under their control; mostly in the former Soviet Union. The number one exploit targets vulnerabilities in Java. In my last blog article I wrote a couple of paragraphs about how Java vulnerabilities are exploited to take over computers with no user interaction.

If you have Java installed on any of your PCs, it is important to check for updates and apply them as soon as possible. Windows PC users can check for updates by using the Control Panel Java applet's "Update" tab. On that tab there is a section where you can select automatic checking for updates on a schedule of your choice. Since Oracle doesn't seem to have any regular schedule for updating Java, I recommend setting the automatic checks to every day, at a time when the PC is turned on. The updater hides in the System Tray, by the clock, and only appears if there is an update available.

You can also check for Java updates manually, from the same Java applet icon in Control Panel. It is found on the Update tab page, as a button labeled Update Now. Use it to install the latest version, if you haven't already received notification by the auto-updater.

It is important that you uninstall all previous versions of Java, in order to protect your computers from exploits that target them by their default folder location. Use your Control Panel "Add/Remove Programs," or the Windows 7 "Programs and Features" icon, to get rid of all previous builds prior to the latest version. Reboot after you run all of the old Java uninstallers. Then, after you re-enter Windows, go to Start and click to open "(My) Computer" - then double-click on the C drive, then on Program Files, and look for the Java folder. Open it (double-click) and look for any leftover older Java version number folders and delete them manually. Keep in mind that the new current version, as of 12/12/2011, is version 6 build 30.
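The clean-up procedure above, and the same advice in the February 2012 post (update, then uninstall every older version), is easy to get wrong by hand because an older build can be registered in Add/Remove Programs, sitting as a leftover folder under Program Files\Java, or both. The PowerShell below is an added example, not code from the original post or from Oracle; it inventories both places and marks every runtime that does not match the build you just installed. It assumes a Windows host with PowerShell 3 or later, and `$CurrentVersionPattern` is a placeholder you set from the file version of the java.exe you just installed.

```powershell
# Added example, not from the original post: list every Java runtime on a
# Windows PC, both what Add/Remove Programs knows about and what was left
# behind under Program Files\Java, and mark the ones that do not match the
# build you just installed so they can be uninstalled or deleted.
# Assumptions: Windows host with PowerShell 3 or later; $CurrentVersionPattern
# is a placeholder, set it from the file version of the java.exe you installed.

function Get-JavaExeVersion {
    param([string]$Folder)
    # Reads the file version from bin\java.exe; $null if no runtime is there.
    $exe = Join-Path -Path $Folder -ChildPath 'bin\java.exe'
    if (Test-Path -Path $exe) { (Get-Item -Path $exe).VersionInfo.ProductVersion } else { $null }
}

function Get-InstalledJava {
    param([string]$CurrentVersionPattern = '6.0.300*')   # placeholder, see lead-in

    # 1. Installs registered with Add/Remove Programs (64-bit and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $registered = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' -or $_.DisplayName -like 'J2SE*' } |
        ForEach-Object {
            [pscustomobject]@{
                Source    = 'Registry'
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Location  = $_.InstallLocation
                Uninstall = $_.UninstallString
            }
        }

    # 2. Folders under Program Files\Java, which older installers never removed.
    $roots = foreach ($base in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($base) { Join-Path -Path $base -ChildPath 'Java' }
    }
    $folders = $roots | Where-Object { Test-Path -Path $_ } |
        ForEach-Object { Get-ChildItem -Path $_ -Directory } |
        ForEach-Object {
            [pscustomobject]@{
                Source    = 'Folder'
                Name      = $_.Name
                Version   = Get-JavaExeVersion -Folder $_.FullName
                Location  = $_.FullName
                Uninstall = $null
            }
        }

    # Anything whose version does not match the current build is a removal
    # candidate: uninstall it from Control Panel if it is registered, delete
    # the folder if it is only a leftover. Unknown versions are flagged too.
    @($registered) + @($folders) | ForEach-Object {
        $isCurrent = ($null -ne $_.Version) -and ($_.Version -like $CurrentVersionPattern)
        $_ | Add-Member -NotePropertyName RemoveCandidate -NotePropertyValue (-not $isCurrent) -PassThru
    }
}

Get-InstalledJava | Format-Table Source, Name, Version, RemoveCandidate, Location -AutoSize
```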

You can also check to see if you have Java installed on this page on Java.com. You can download the latest stable version of Java from java.com.

If your computers have Java installed (even an old insecure version), you can check to see if you have any insecure software installed, or are missing any Windows Updates, by using the Secunia Online Software Inspector. It uses Java to scan your computer for out-dated software and browser plug-ins, including Java, and provides download links to get the latest versions of those programs or plug-ins. I recommend scanning from Secunia once a week, just to be sure you are fully patched!


December 11, 2011

Adobe and Windows critical patches coming in mid-December and January

Adobe Systems has published an advisory announcing that they will be releasing an "out-of-band" patch, sometime during the week starting on December 12, 2011, for their Acrobat and Reader programs for Windows, version 9.4.6. This is in response to cyber criminals exploiting a critical vulnerability discovered in the code used by those related programs.

The same vulnerability being exploited in Reader 9.4.6 also exists in the newer version 10.1.1 of Adobe Reader X and Acrobat X. However, those programs operate by default in protected mode, which nullifies the exploit vector being target in the ongoing attacks. Nonetheless, Adobe has scheduled a security update for these newer versions, to be released on January 10, 2012. That update will apply to all supported platforms of Adobe Reader.

If you use the Foxit PDF reader, they have released a new version to respond to the same vulnerability as exists in Adobe's Reader (see Foxit security notice here). You can download the latest version (5.1.3) of Foxit from their website.

Microsoft is going to be releasing 14 patches on December 13, 2011. Be sure you check for these Windows Updates during the afternoon of this coming Patch Tuesday. You may or may not need all 14 patches, depending on your Windows operating system and installed Microsoft Office programs. If you use Windows XP, with SP 3, you are definitely going to get a lot of patches! If you haven't upgraded to SP 3, your PC is in extreme danger of takeover by numerous vulnerabilities that were patched, but require SP 3 to receive them.

Other software vulnerabilities being exploited in the wild this week include a critical flaw in Yahoo Messenger 11.5.0.152 and older. This happens to include the current version! The World waits with bated breath for Yahoo to respond with a patched update. The flaw allows hostile status update messages to be placed by hackers and criminals, with links to malware servers. The victims are unaware that their status message system is being used to trick other people on their Yahoo Messenger contact lists.

To protect themselves until a patch is released, Yahoo users should set their Yahoo Messenger to "ignore anyone who is not in your Yahoo! Contacts." That should keep you safe from being exploited by strangers, but you could still be tricked if one of your existing contacts gets hacked. Keep this in mind and check for updates regularly, via the Yahoo Messenger Help menu item.

Continue reading "Adobe and Windows critical patches coming in mid-December and January" »


June 15, 2011

Windows malware infections from Autorun exploits down by 82% from 2010

According to a Microsoft Technet Blog article published on June 14, 2011, malware infections resulting from exploits involving Autorun (like when you plug in a USB memory device and it runs a program or setup automatically) have dropped by 82% from the numbers recorded during the same period in 2010.

The percentage of decline varied with the operating system and service pack installed. Windows XP users who have Service Pack 3 installed saw a 62% drop in Autorun installed malware, after accepting the optional patch issued on Feb 8, 2011, or the forced installation of the reissued patch, pushed out on February 24, 2011.

If you are operating a Windows XP computer with any service pack older than SP 3, your version of Windows is now out of support and you are no longer receiving any critical patches. Thus, your computer is not protected against this, or any other recently patched vulnerabilities. If it is connected to the Internet, or if you plug in an infected USB device, unless you have manually edited your computer's Registry to disable Autorun, or it is running industrial strength anti-malware protection, it will eventually become infected and probably botted.

Computers running on Windows Vista with SP1 saw a 68% decline, while those with SP2 installed had a whopping 82% drop in malware installations.

Note! Microsoft will stop supporting Windows Vista Service Pack 1 on July 12, 2011. From that date onward, Microsoft will no longer provide support or free security updates for Windows Vista Service Pack 1 (SP1). You folks need to upgrade to Vista SP 2 by July 12, 2011, or you will not receive any more updates or patches.

Why have Autorun infection rates dropped so dramatically?

The drop in malware infections from Autorun exploits is attributable to patch KB971029, which Microsoft released as an optional update with the Windows Updates of February 8, 2011, and two weeks later as a non-optional update. It turned OFF Autorun for "non-shiny" media (that is, anything other than CDs and DVDs). Before then, if you plugged a USB stick (a.k.a. thumbdrive, flash drive) into your Windows XP or Vista computer and there was a setup file on that memory device, it would run automatically. With the update installed, flash drives inserted into a PC running XP (SP3) or Vista no longer offer the option to run programs. However, the demise of Autorun does not affect CDs or DVDs (only USB devices and shared network drives).

Some notorious infections went so far as spoofing the wording of options on the dialog box that usually opens when you plug in a USB device. The wording was crafted to induce unwary users into choosing the spoofed option, which was rewritten to appear that if clicked upon, it would open the drive as a folder, for them to look at. In fact, that option was still there, as the next option down! The first one executed a hidden file on the device, named "autorun.inf" - which triggered a hidden executable file on the drive, which was a malware/spyware setup file. Because of its being the first choice and the craftiness of the wording, many thousands of intelligent people were fooled into clicking it and installing the malware contained on those devices.

It was by means of infected thumb-drives that the Conficker Worm spread so widely and quickly in late 2009 and early 2010.
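The registry edit mentioned above is the NoDriveTypeAutoRun policy value, and the spoof works through the action= line of the device's autorun.inf. The PowerShell below is an added example, not code from the original post or from Microsoft: it decodes the current policy per drive type, hardens it for every type (which also covers the CD/DVD case the post notes KB971029 leaves alone), and parses an autorun.inf to flag the "open folder" spoof. It assumes a Windows host, an elevated session for Set-AutorunDisabled, and the sample autorun.inf text is constructed for illustration.

```powershell
# Added example, not from the original post: audit the Autorun policy that
# KB971029 changed, harden it for every drive type, and inspect an autorun.inf
# for the spoofed "open folder" option described above.
# Assumptions: Windows host, elevated PowerShell for Set-AutorunDisabled; the
# sample autorun.inf text at the bottom is constructed for illustration.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Bits of NoDriveTypeAutoRun; a set bit means Autorun is disabled for that type.
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown' },
    @{ Bit = 0x02; Name = 'No root directory' },
    @{ Bit = 0x04; Name = 'Removable (USB sticks, floppies)' },
    @{ Bit = 0x08; Name = 'Fixed disks' },
    @{ Bit = 0x10; Name = 'Network shares' },
    @{ Bit = 0x20; Name = 'CD/DVD' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'Unspecified' }
)

function Get-AutorunPolicy {
    # Reads the machine-wide policy value. The same value name under HKCU:\ is
    # a per-user policy; check it too if your environment sets one.
    $item = Get-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No explicit policy: Windows applies its built-in default, which this
        # check cannot read, so report that rather than guess.
        return [pscustomobject]@{ DriveType = '(all)'; AutorunDisabled = $null; PolicyValue = 'not set' }
    }
    $value = [int]$item.NoDriveTypeAutoRun
    foreach ($entry in $DriveTypeBits) {
        [pscustomobject]@{
            DriveType       = $entry.Name
            AutorunDisabled = (($value -band $entry.Bit) -ne 0)
            PolicyValue     = ('0x{0:X2}' -f $value)
        }
    }
}

function Set-AutorunDisabled {
    # Writes 0xFF so autorun.inf is ignored on every drive type, including the
    # CD/DVD case that KB971029 leaves untouched.
    if (-not (Test-Path -Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

function Get-AutorunInfEntries {
    param([Parameter(Mandatory = $true)][string]$Content)
    # Returns the [autorun] keys that decide what AutoPlay shows and runs.
    $inSection = $false
    $entries   = @{}
    foreach ($line in ($Content -split "`r?`n")) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $trimmed -eq '' -or $trimmed.StartsWith(';')) { continue }
        $parts = $trimmed -split '=', 2
        if ($parts.Count -eq 2) { $entries[$parts[0].Trim().ToLower()] = $parts[1].Trim() }
    }
    [pscustomobject]@{
        Open         = $entries['open']
        ShellExecute = $entries['shellexecute']
        Action       = $entries['action']
        Icon         = $entries['icon']
        # An action label that imitates Explorer's own "Open folder to view
        # files" while open= points at a program is the trick the post describes.
        SpoofsOpenFolder = ([bool]$entries['open'] -and ($entries['action'] -match 'open folder'))
    }
}

# Constructed sample of a spoofing autorun.inf (not taken from any real device).
$SampleAutorunInf = @'
[autorun]
open=setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
'@

Get-AutorunPolicy | Format-Table -AutoSize
Get-AutorunInfEntries -Content $SampleAutorunInf | Format-List
```

Run Set-AutorunDisabled only after reviewing the policy output; it changes the machine-wide setting for every drive type.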

Continue reading "Windows malware infections from Autorun exploits down by 82% from 2010" »


June 6, 2011

Java Virtual Machine patch issued on June 7, 2011

Oracle, the new owners and maintainers of the Java Virtual Machine technology, will be releasing a new, patched version of Java, on June 7, 2011. This "Critical" update is a collection of patches for multiple security vulnerabilities in Oracle Java SE. This patch contains 17 new security vulnerability fixes. All these vulnerabilities may be remotely exploitable without authentication, (may be exploited over a network without the need for a username and password). Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply this Critical Patch as soon as possible (June 7 will do!).

A rating of "Critical," in new-speak, indicates that no direct user interaction is required for an exploit to take ownership of an attacked PC, if that PC is running unpatched versions of exploitable software. All that must occur is that the operator of the PC either clicks on a hostile link, or views a web page which has had hidden malicious redirection links embedded within hidden iframes, or which contains injected JavaScript redirection codes, or navigates to an infected network share (using an unpatched machine).

Once an innocent Netizen has been redirected to an attack site, numerous attack vectors will be tried, until one succeeds in downloading malware to that PC. To date, the most frequently exploited software that plugs into web browsers is the Java Virtual Machine.

You may or may not be aware that you have Java installed on your PC. If you do know, update it on June 7, 2011 and set the automatic check for updates to every day. You never know on what day Java updates will be issued. If you don't know if Java is installed, and it is, you are probably in greater danger than you can imagine. Read on...

Continue reading "Java Virtual Machine patch issued on June 7, 2011" »


June 5, 2011

Adobe Flash Player patched for zero day vulnerabilities

On Sunday, June 5, 2011, while I was enjoying a steak dinner, Adobe was busy releasing critical patches for its ubiquitous Flash Player. The bulletin, strangely rated as only "important," addresses Vulnerability identifier: APSB11-13 and CVE number: CVE-2011-2107 and affects all operating systems and platforms, including smart phones.

A vulnerability has been identified in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android. This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

Note the last sentence in the blockquote, where it refers to malicious links in email messages. For the last two weeks I have been updating my custom MailWasher Pro spam filters to combat these very links. Spam email has been pumped out by rented botnets, pretending to come from Adobe, Skype and a filesharing program that is claimed to be an alternative for the now dead LimeWire system. All contain links to exploit websites, all of which are hosted on servers in China. The goal was to draft more innocent computers into spam botnets.

The Adobe scam claims to provide an urgent update for Adobe Flash, Acrobat and Reader software. Please believe me when I tell you that Adobe does NOT send out unsolicited email messages to the general public, announcing updates to its products.

The fact is that there were serious zero day, highly targeted attacks launched from China, disclosed last week by Google, exploiting a previously unpublished cross-site scripting vulnerability in all versions of Adobe Flash. Kudos to the Adobe security team for rushing out patched versions so quickly.


March 23, 2011

Security News and Updates for March 10 - 23, 2011

This is a roundup of the most important security vulnerability alerts announced and patches issued between March 10 and 23, 2011. Most affect Windows operating systems, but some also affect Macintosh and Linux computers. By applying vendors' patches as they are released you can keep your computers secured against the exploits targeting these vulnerabilities.

The following security alerts were issued in the past two weeks, with the latest first and the oldest last (FILO logic).

Fraudulent SSL Certificates
March 23, 2011

There have been recent published reports about the existence of at least nine fraudulent "Comodo" SSL certificates. These fake SSL certificates could be used by an attacker to masquerade as a trusted website. Multiple web browser vendors have provided updates to recognize and block these fraudulent SSL certificates.

Mozilla has updated Firefox 4.0, 3.6, and 3.5 which you get by upgrading your Firefox browser via Help > "Check for updates." Firefox 3.6.16 blacklists a few of the now invalid HTTPS certificates.

Microsoft has released a revised list of trusted root certificates for Internet Explorer browsers, which you can obtain via Windows Updates (under "Express").

Finally, Google Chrome was updated on March 22 to version 10.0.648.151 for Windows, Mac, Linux and Chrome Frame. This release blacklists the revoked Comodo HTTPS certificates.

Adobe Releases Security Updates for Reader and Acrobat
March 22, 2011

Adobe has released updates for Adobe Reader and Acrobat for Windows and Macintosh. These updates address a vulnerability in the authplay.dll component. Exploitation of this vulnerability may allow an attacker to execute arbitrary code. End users and system administrators should review Adobe security bulletin APSB11-06 and apply any necessary updates to help offset the risks posed by this vulnerability.

Apple patches 56 bugs in Mac OS X
March 22, 2011

Apple on Monday patched 56 vulnerabilities, most of them critical flaws that could be used to hijack machines running Mac OS X, code-named "Snow Leopard." The patched version is 10.6.7.

Of the 56 bugs patched in the update for Snow Leopard, 45 included the description that exploitation could lead to arbitrary code execution. Translated, that means complete system takeover is possible (even on a Mac!).

According to Apple's advisory, more than a dozen of the bugs can be exploited by "drive-by" attacks that execute as soon as a victim browses to a malicious Web site with an unpatched edition of Mac OS X.

The update to Mac OS X 10.6.7 also fixed several non-security bugs including issues in the AirPort Wi-Fi driver and other usability and stability improvements.

Use your Apple software updater to obtain the latest version of OS X.

Adobe Releases Flash Player Update
March 21, 2011

Adobe has released an update for Flash Player to address multiple vulnerabilities (see this Adobe bulletin). These vulnerabilities affect Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.106.16 and earlier versions for Android. Exploitation of these vulnerabilities may allow an attacker to cause a denial-of-service attack or execute arbitrary code.

PC owners should upgrade to Adobe Flash Player 10.2.152.26 by downloading it from the Adobe Flash Player Download Center.

Users of Flash Player for Android version 10.1.106.16 and earlier can update to Flash Player version 10.2.156.12 by browsing to the Android Marketplace on an Android phone.


March 9, 2011

Security News and Updates for March 3 - 9, 2011

With the Pwn2Own competition just getting underway, several security updates were released over the past week for two of the World's more popular web browsers, along with the monthly Windows Updates, an iTunes patch, and one Java update. The following is a list of the significant updates released in the past six days, starting with the most recent.

On March 9, 2011, Apple Releases Java Updates for Mac OS X 10.5 and OS X 10.6

Apple has released Java for Mac OS X 10.5 Update 9 and Java for Mac OS X 10.6 Update 4 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

Apple computer users running these systems should review Apple articles HT4563 and HT4562 and apply any necessary updates to help counteract the risks. Do not think that your computer is invulnerable just because it is a Mac!

Also on March 9, 2011, Google released Google Chrome 10.0.648.127

Just eight days after the previous security update, Google has released Chrome 10.0.648.127 for all platforms to address 25 vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or bypass security restrictions.

You can review the Google Chrome Releases blog and apply any necessary updates to help mitigate the risks. Chrome can be updated by opening the browser, clicking on the Settings icon on the upper right and selecting About Chrome. This starts the online check for updates and downloads them.

On Patch Tuesday, March 8, 2011, Microsoft released its monthly Windows Updates.

Microsoft has released updates to address vulnerabilities in Microsoft Windows and Office as part of the Microsoft Security Bulletin Summary for March 2011. Two were rated as important and one as Critical.

One vulnerability patched this week is in Windows Media Player and is rated Critical, and affects almost all versions of Media Player on almost all supported versions of Windows. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

Make sure you check for and apply Windows Updates to all of your supported Windows PCs.

On March 4, 2011, Firefox was updated to version 3.6.15, fixing a stability problem caused by one of the security fixes in version 3.6.14, which was released 3 days earlier, on March 1, 2011.

On March 3, 2011, Apple Released iTunes 10.2

Apple has released iTunes 10.2 to address multiple vulnerabilities affecting the ImageIO, libxml, and WebKit packages. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition. You can review Apple article HT4554 for the details and links to download the patched version. Or, use your installed Apple Software Updater to download the latest version of iTunes.

That completes the list of vulnerabilities patched this past week in Windows and Mac applications. You can keep tabs on all installed and exploitable software by running the Secunia Online Software Inspector every week. It reveals outdated and insecure programs and offers download links to obtain the latest patched versions. It also tells you about any missing Windows Updates.


February 17, 2011

21 vulnerabilities just patched in Java 6_24 defined by impact

On Wednesday, February 16, 2011, Oracle, the current owner of the Java technology developed by Sun Corporation, released its second Java update in six days. It was just on Feb 10 that Java 6 build 23 was released, plugging a critical vulnerability, which I included in my last Security Patch Roundup, published on Feb 11, 2011. Now, just six days later, Java 6 build 24 has been released, plugging 21 more security holes!

Multiple vulnerabilities have been reported by Secunia and others in Sun Java, which can be exploited by malicious, local users to disclose potentially sensitive information and by malicious people to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

One doesn't really get a sense of how big of a deal this is, until one reads an outline detailing each one of those 21 vulnerabilities and the impact each one can have. Take a stroll over to Secunia Vulnerability Advisory 43262 and scroll down through the long list of these 21 exploitable weaknesses that were just fixed with this week's Java update.

Here is how the impacts of the 21 patched vulnerabilities break down:

  • Execution of arbitrary code on unpatched machines: 10
  • Disclosure and/or manipulation of sensitive data (espionage, sabotage, data theft): 8
  • Code escaping the Sandbox security field (system invasion): 1
  • Denial Of Service (DOS) on a server running Java: 1
  • Infinite Loop condition (Denial of use of browser, user's Desktop, or even the entire computer): 1

Of these 21 vulnerabilities, the one about the infinite loop is the most interesting, from a mathematical viewpoint:

An error in the "doubleValue()" method in FloatingDecimal.java when converting "2.2250738585072012e-308" from a string type to a double precision binary floating point can be exploited to cause an infinite loop.

This infinite loop condition could be used to sabotage a particular computer, or a network, or computers that manage electro-mechanical systems, reactors and municipal utilities.

The vulnerabilities that allow arbitrary code execution usually lead to complete takeover of infected machines by cyber criminals. They use these vulnerabilities to download remote control backdoor Botnet executables (used to send spam or launch DDoS attacks) and to install hidden rootkits that oversee and protect other installed malware, such as data-stealing keyloggers that empty your bank, PayPal and stock accounts, and fake/rogue security programs that extort cleanup money from the victims owning the infected computers.

Go here to download the latest Java Virtual Machine, or go here to see if you have the latest version, or an older, vulnerable version. You must make sure that older versions are uninstalled from your computers, not just left behind. Malware can still exploit older versions left on a computer by specifying the original default path to their executables and JAR files. The new version of Java does remove older versions of the same series, but not previous ones. You'll need to uninstall them manually, via Control Panel (Windows), or drag them to your Mac's Trash Can.

You can check the security and patch availability status of many types of commonly installed software by routinely running the Secunia Online Software Inspector, which ironically runs on Java technology.

Now, go fix yourself a cup of Mocca Java and get busy updating Virtual Java on all of your computers (including Mac and Linux)!


February 11, 2011

Security News and Updates for Jan 3 - Feb 11, 2011

It's been over a month since I published a roundup of security news and bulletins that have a major impact on computer users. Quite a lot of vulnerabilities and fixes have been announced just in the first 11 days of this month. Links are provided to obtain patched versions of affected software. All of these are very serious and could be, or are being exploited in the wild. I will start with the newest announcements and work my way back to early January.

Oracle Releases Security Alert for Java Runtime Environment
February 10, 2011

Oracle has released a security alert to address a vulnerability in the Java Runtime Environment (JRE) component of the Oracle Java SE and Java for Business products. Exploitation of this vulnerability may allow an attacker to cause a denial-of-service condition. To cut through the geek-speak, this involves the Java "plug-in" that many computers use in the browsers to be able to use and interact with Java Applets in web pages. This plug-in, as well as the standalone version of Java need to be updated as soon as possible, if not sooner.

The new Java is coded Version 6 Update 23 - for Windows, Solaris, and Linux. Go here to download the latest Java Virtual Machine, or go here to see if you have the latest version, or an older, vulnerable version. You must make sure that older versions are uninstalled from your computers, not just left behind. Malware can still exploit older versions left on a computer by specifying the original default path to their executables and JAR files.

I want you to be aware that Java has been the most frequently exploited browser plug-in over the last year. When an update is released, do not delay in applying it. Java is normally set up for automatic updates. You can verify this, or even change the frequency of checking, via Control Panel > Java > "Update" tab.

Google Releases Chrome 9.0.597.98
February 10, 2011

Google has released an updated version of their Chrome browser: Chrome 9.0.597.98, for all platforms to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition. This update also includes a recently released version of Adobe Flash Player that repairs several vulnerabilities.

If you have the Chrome browser installed, open it and click on the wrench icon to the right side of the browser, which opens the Tools menu. From there, click on "About Google Chrome" - which launches a check for updates, or tells you if it has already updated itself in the background (it does that via the Google Updater).

Adobe Releases Security Update for Flash Player
February 9, 2011

Adobe Flash Player has also been updated this week, to version 10.2.152.26, to address multiple vulnerabilities in Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition. (This leads to taking over your computer, if you operate with Administrator level privileges)

You can download the latest version of Flash Player from the Adobe Flash Player page. If you have the Windows operating system and use other browsers too, you'll need to visit the Flash Player page once with Internet Explorer, and once with Firefox, or Opera. Google Chrome maintains its own installation of Flash and updates the entire browser when Adobe updates the Flash plug-in.

Find out what version of Flash Player you have installed, for Internet Explorer and your other browsers, on the Adobe About Flash page. Only install Flash Player at Adobe.com! Criminals use fake Flash Player icons and links to fool people into installing Trojan Horse Botnet programs, from hostile web pages linked to in spam emails.

RealNetworks, Inc. Releases Security Updates for RealPlayer
February 9, 2011

RealNetworks, Inc. has released security updates to address a vulnerability affecting Windows RealPlayer 14.0.1 and earlier versions and RealPlayer Enterprise 2.1.4 and earlier versions. Exploitation of this vulnerability may allow an attacker to execute arbitrary code in the context of the browser. You can update your version of RealPlayer here.

Adobe Releases Updates for Adobe Reader and Acrobat
February 8, 2011

Adobe has released updates for Reader and Acrobat to address multiple vulnerabilities affecting the following software versions:

* Adobe Reader X (10.0) and earlier versions for Windows and Macintosh
* Adobe Reader 9.4.1 and earlier versions for Windows, Macintosh, and Unix
* Adobe Acrobat X (10.0) and earlier versions for Windows and Macintosh

Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, operate with escalated privileges, or conduct cross-site scripting attacks.

At this time, updates are available for the Windows platform. Adobe indicates that it plans to release updates for Macintosh and Unix the week of February 28, 2011. All recent versions of Adobe Reader and Acrobat are now set to automatically check for updates. I still recommend manually checking by opening Adobe Reader, clicking on Help, then "Check for Updates."

Adobe Reader updates require Administrator privileges.

Patch Tuesday Windows Updates

Microsoft released a bunch of Windows Updates on Patch Tuesday, February 8, 2011. If you operate Windows XP (with SP3), Vista, 7, or Server 2008, you need to make sure you have received all updates available for your computers. There is a link to do so in your Start Menu, and in Internet Explorer's Safety menu.

Webmaster Alert! WordPress Releases Version 3.0.5
February 8, 2011

WordPress has released WordPress 3.0.5 to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to conduct cross-site scripting attacks or obtain sensitive information.

To download WordPress 3.0.5, update automatically from the Dashboard > Updates menu in your site's admin area or visit the Wordpress.org current stable version download page.

This update followed closely on the heels of a previous mandatory security update for WordPress, version 3.0.4, which was released on January 3, 2011.

That is the roundup for January 3, through February 11, 2011. You can keep up with all of these updates by using the Secunia Online Software Inspector. It scans your computer, using Java, then displays a readout of any vulnerable software it finds, along with links to download the latest versions.


January 18, 2011

Microsoft re-releases previously canceled update for Outlook 2007

On Patch Tuesday, January 11, 2011, Microsoft re-released an update that fixes the three issues identified in the December 14, 2010 Office Update for Microsoft Outlook 2007 (see my extended content for details). The original December update was withdrawn three days later, following numerous complaints about problems caused by that update. The new update released on January 11 was distributed by Microsoft Update and referenced as updated KB article KB2412171.

If you did not uninstall the December Update for Outlook 2007, then the update released on Tuesday, January 11, will fix the three known issues which you may be experiencing. It can be installed over the previous patch; thus, patching the patch.

If you did uninstall the December Update for Outlook 2007, then you can benefit from the new January update. To receive the January 11 update you can either run Windows Update on your computer; or download and install the update directly from the Microsoft Download Center. If you have automatic updates enabled, you will receive this update automatically.

Coincidentally, this re-released Office 2007 update has also patched a long standing vulnerability in the allowable Dynamic Link Library path, which was being targeted in published exploit kits used by hackers and criminals. The list of known applications affected by that particular DLL path vulnerability is on the Insecure Library Loading advisories page, on Secunia.com. Microsoft had 20 of its programs listed as being exploitable. Now, half have been patched; and it took five months to fix those 10. The list first appeared on August 24, 2010.


December 17, 2010

Microsoft patches half of their own insecure library loading vulnerabilities

It has taken the Microsoft code writers 15 weeks to patch just half of the insecure library loading vulnerabilities they announced on August 23, 2010. These patches were released with the December 14, 2010 Windows Updates.

I first wrote about the insecure library loading vulnerabilities back on October 10, 2010. At that time there were 176 programs, 20 of which belong to Microsoft, that were affected by the underlying vulnerability in how applications can call on a .dll file (Dynamic Link Library) when a program loads in Windows (this is a Windows flaw). Now, there are 239 exploitable programs on the list of vulnerable programs maintained by the security firm Secunia.

It was revealed on August 23, in Microsoft Security Advisory 2269637, that Windows itself allowed a wider range of paths to be searched when a ".dll" file was requested than most thought was the case. These paths allowed a software program to specify a remote location for a required dll file, which could include the Internet! Many commonly used programs could be exploited by adding a line of code that changed the path to their dll files. This made it possible for malware writers to infect Windows PCs by tricking users into opening their own installed vulnerable applications, which had been manipulated to request remote, malformed dll files instead of the legitimate files installed by the program.
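The defender's side of the search-path problem is visibility: a library that an application pulls from a network share or a WebDAV location, or from a directory that is neither the application's own folder nor a system directory, is exactly the load the advisory warns about. Below is an added example (not Microsoft's, Secunia's or the blog author's code) that triages image-load records. It assumes records shaped like Sysmon Event ID 7 (ImageLoad) with the fields Image, ImageLoaded and Signed; the records themselves are constructed, using the TEST-NET-3 address 203.0.113.10 and the reserved example.net domain.

```python
from pathlib import PureWindowsPath

# Constructed records in the shape of Sysmon Event ID 7 (ImageLoad) fields.
# None of these come from real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Program Files\ExampleApp\plugin.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"\\203.0.113.10\share\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"\\files.example.net@SSL\DavWWWRoot\helper.dll", "Signed": "false"},
]

# Directories from which a DLL load is expected regardless of the application.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def classify_load(event):
    """Return (verdict, severity) for one image-load record.

    remote-unc / remote-webdav: the library came over the network (highest concern).
    unexpected-dir: loaded from a directory that is neither the application's own
                    folder nor a system directory; unsigned libraries rank higher.
    expected:       the normal case.
    """
    loaded = event["ImageLoaded"]
    low = loaded.lower()
    # UNC paths start with two backslashes; the WebDAV mini-redirector form is
    # \\host@SSL\DavWWWRoot\... and is what makes "the Internet" a search location.
    if low.startswith("\\\\"):
        kind = "webdav" if "@ssl" in low or "davwwwroot" in low else "unc"
        return ("remote-" + kind, "high")
    app_dir = str(PureWindowsPath(event["Image"]).parent).lower()
    parent = str(PureWindowsPath(loaded).parent).lower()
    if parent == app_dir or parent in SYSTEM_DIRS:
        return ("expected", "none")
    severity = "high" if event.get("Signed", "").lower() != "true" else "medium"
    return ("unexpected-dir", severity)


def triage(events):
    """Annotate every record with a verdict and severity, preserving order."""
    results = []
    for event in events:
        verdict, severity = classify_load(event)
        results.append(dict(event, verdict=verdict, severity=severity))
    return results


def findings(events):
    """Only the records worth a human look, as (path, verdict, severity) tuples."""
    return [(r["ImageLoaded"], r["verdict"], r["severity"])
            for r in triage(events) if r["verdict"] != "expected"]


if __name__ == "__main__":
    for path, verdict, severity in findings(SAMPLE_EVENTS):
        print(f"{severity:6} {verdict:16} {path}")
```

The two system and application-folder loads pass; the UNC and WebDAV loads are flagged as remote, and the unsigned library from a Downloads folder is flagged because a document opened from that folder makes it the working directory, which is the scenario the advisory describes. The signed/unsigned split is deliberately a severity modifier rather than a filter: a signed DLL fetched from a network share is still a load that should not happen.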

Here is what I wrote about this remote vulnerability:

the security firm Secunia has identified 176 programs that can be exploited by directing one of these applications to load a remotely hosted hostile file, when the targeted program opens, or opens an associated file. The exploited files are .dll libraries, which just about every Windows program uses as includes to add functionality to the main program executable. The .dll files are actually executable files, but only when called by another executable.

On November 9, 2010, Microsoft released critical patches for several of its newer MS Office applications, one of which plugged a security issue involving .dll path hijacking. It took an additional 5 weeks for them to patch another 9 programs, on December 14, 2010. This brings their new total for MS programs affected by the insecure library loading issue to 10. Unfortunately, three of these unpatched programs include Windows XP Home, XP Professional and Windows Live Mail. Millions of people are using those operating systems and that email client!

Since there are still 10 Microsoft programs, including operating systems, remaining exploitable, plus 229 from other very popular software companies, I recommend that technically adept PC users read the information in Microsoft Support Article 2264107 and apply the Fix It Tool about half way down the page. You must first apply a Registry change, described at the beginning of that article, before the Fix It Tool will work.

In the meantime, apply all available Microsoft patches, especially those for MS Office programs, read the Secunia list of vulnerable programs, and apply the Fix It recommendations from Microsoft. As the other software companies release patched versions of their programs, you should install those new versions.


August 19, 2010

Security updates released for Adobe Acrobat & Reader

On Thursday, August 19, 2010, Adobe released critical "out of cycle" security updates, 9.3.4 and 8.2.4, for its commercial Acrobat PDF encoder and free Adobe PDF Reader programs. Today's updates fix at least two critical vulnerabilities that are being exploited in the wild. Exploitation of these vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Updates are available for Windows, Mac and UNIX versions of these Adobe programs. Windows users may receive automatic update notices, or may be auto-updated, depending on how you have set your updater preferences (Edit > Preferences > Updater). You can also check manually, by going to the Help menu item, then down to "Check for updates." An updater window will open separately and download the new version upon receiving your permission. It will close Reader or Acrobat, then install the new version. If you were working on any PDF documents, save them and exit the application during the update phase. It may take some time to complete (I don't know why, it just does!).

The official Common Vulnerabilities and Exposures code for today's update is: CVE-2010-2862, which was discussed and demonstrated at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. The actual vulnerability is described as: "Integer overflow in CoolType.dll in Adobe Reader 8.2.3 and 9.3.3, and Acrobat 9.3.3, allows remote attackers to execute arbitrary code via a TrueType font with a large maxCompositePoints value in a Maximum Profile (maxp) table."

Further details are: "Network exploitable; Victim must voluntarily interact with attack mechanism" - which they are tricked into doing.

Vulnerability details were provided and/or discovered by: Charlie Miller, Independent Security Evaluators, and Tavis Ormandy, Google Security Team.

All of this follows on the heels of another out-of-cycle critical update in Adobe's Flash Player, on August 11. It appears that Adobe Acrobat and Reader bundle a version of Flash inside the program, and that version was exploitable, via authplay.dll. The new updates to Reader and Acrobat supply the latest, patched version of Flash, bundled inside those programs.


August 11, 2010

Adobe Releases Security Update for Flash Player

Adobe has released Flash Player 10.1.82.76 to address multiple vulnerabilities. Go here for the details.

See what version of Flash you have installed for each browser brand, here. If you use the current version of Firefox it will tell you to update Flash, when a new version has been released. Internet Explorer users still need to go to Adobe and update the ActiveX version manually.

Due to exploits in the wild, you are strongly advised to update your Flash players now! Adobe recommends users of Adobe AIR 2.0.2.12610 and earlier versions update to Adobe AIR 2.0.3, by downloading it from the Adobe AIR Download Center.

Note, that previously, one could navigate to C:\Windows\System32\Macromed\Flash and use the FlashUtil(version#).exe application to run a manual update. Those files no longer work that way. Now, the FlashUtil apps uninstall Flash, rather than update it. You can download the new Flash installers, named: install_flash_player_ax.exe, for Internet Explorer based browsers, and install_flash_player.exe, for Mozilla based browsers (non-ActiveX), from the Adobe Flash Download Center. Administrator privileges are required to install or update Flash via these installer files. Use "Run As" (Administrator & password) if necessary.

A word of warning!
As you browse the Internet, or read emails about watching movies online, always beware of any links that take you to a page that tells you to update your Flash Player, but where the link does not go to www.adobe.com, or http://www.adobe.com/go/getflash/ . Cyber criminals are famous for creating fake Flash and YouTube players, with a spinning circle in a black player screen, telling you that your Flash Player needs updating and to click there. If you hover your mouse over those links you may or may not see that they never leave that website. The files you are about to download and run from these fake web pages are Trojan Horse programs designed to make your PC a member of a Botnet, or install rogue security scanners, or a login stealing Trojan, like the Zeus/Zbot Trojan.

If you are tricked into clicking on a fake media player and a download dialog appears, dismiss it immediately, then close your browser. Use your anti-virus scanner to see if malware was downloaded into the browser's cache and remove it, or clear the cache. Always update your anti-malware definitions before scanning for new threats.


June 25, 2010

June 2010 Security Patch Advisory for Adobe Reader and Acrobat

Vulnerability identifier: Adobe security advisory APSB10-15 - a.k.a. CVE-2010-1297

On June 29, 2010, Adobe is planning to release updates for Adobe Reader 9.3.2 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.2 for Windows and Macintosh, and Adobe Reader 8.2.2 and Acrobat 8.2.2 for Windows and Macintosh to resolve critical security issues in the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This has been known about since June 4 and is being exploited in the wild.

According to the advisory, "the June 29, 2010 updates represent an accelerated release of the next quarterly security update originally scheduled for July 13, 2010. With this accelerated schedule, Adobe will not release additional updates for Adobe Reader and Acrobat on July 13, 2010."

UPDATE: June 29, 2010

As scheduled, Adobe has released patched versions 9.3.3 and 8.2.3 of its Acrobat and Reader PDF programs. 17 vulnerabilities were fixed in this update, including one zero-day flaw that has been exploited in the wild. I applied this update to my XP SP 3 computer and it required a reboot to complete, and your computer may also require a restart, depending on the OS. Be prepared to save any work in progress and reboot after you receive this update, whether manually or automatically.

Adobe warned about that vulnerability, which also affected Flash Player, on June 4, 2010, and plugged the hole in Flash on June 10. If you haven't updated Flash for all of your browsers, do so now, at http://www.adobe.com/go/EN_US-H-GET-FLASH, or from http://get.adobe.com/flashplayer/.

If you are currently using the latest version of Adobe Reader or Acrobat, you should have automatic checking for updates and notification of availability turned on by default, unless you purposely turned this safety feature off. That means that when the check for updates is run after these updates are pushed out, you will be notified about their availability and can download the update. If you set your Updates preference to automatically download and install the updates, this will happen automatically, in the background. This could be the same day, or the next day, depending on what time your Adobe Reader checks for updates. You can also run a manual check for updates, via the Help menu > Check for Updates.

You can set or reset your preferences for Adobe Reader and Acrobat update checking, via Edit > Preferences > Updater. I recommend "Automatically Install Updates." Note, that you must use Administrator credentials to check for and apply updates to Adobe Reader and Acrobat. This can be done from a less privileged account by right clicking on the desktop or Start Menu icon for Adobe Reader/Acrobat and choosing "Run As" (Administrator).

If you are running Ubuntu or Debian Linux, you must update Adobe Reader via the Updates Manager, found under the Menu item: Administration. An Administrator password is required to check for and install updates.

Please apply the security update to all PCs running Adobe Reader and/or Acrobat, as the vulnerability is critical and, if exploited, may lead to complete takeover of unpatched PCs. From that point on, anything goes.


April 9, 2010

Adobe PDF "/Launch" Social Engineering Attack to be patched on 4/13/2010

According to a security bulletin posted on Adobe.com, Adobe will release version 9.3.2 of its Reader and Acrobat PDF software on April 13, 2010, for Windows, Mac and Linux/Unix operating systems. This is a critical update that will correct a feature which has been demonstrated to be an attack vector usable by criminals. There will also be an update from version 8.2.1 to 8.2.2 for Windows and Macintosh platforms using that version.

If you have installed Adobe Acrobat or Reader 9.3.1 and chosen to set the preferences to automatically check for and apply updates, you should receive the new version when it is released in your timezone, on April 13, 2010. If you haven't set that preference, you can do so now, by following these steps...

Open Adobe Reader 9.x. Click on Edit. Scroll down to the bottom of the flyout options and click on "Preferences." When the Preferences box opens go to the last entry on the left, labeled "Updater" and click on it. In the left options select "Automatically install updates." Click OK to save your changes.

If you cannot allow the automatic updater to be enabled, due to company policy or paranoia, you should check for updates manually, by opening Reader or Acrobat, then go to the "Help" menu item, then click on the flyout option "Check for Updates." You must have Administrator privileges to check for updates, or to alter the automatic updater preferences.

The feature being patched on April 13 is a command known as "/Launch /Action", which has been part of Adobe Reader and Acrobat for a very long time. Reader and Acrobat can open or launch embedded and external applications through this function, but they first display a dialog box requesting the user's permission. The wording inside that dialog box can be set by the author of the PDF file in question, which lets a criminal or hacker craft words designed to fool users into thinking they are doing the right thing by opening an application or executable embedded within the PDF package. This is social engineering, the same tactic already used successfully in various phishing attacks. They could make a PDF document look like a message from your bank or loan company, with authentic logos, then present the Open dialog box with wording to the effect that you must click Open to submit the enclosed form. You could be fooled into installing a keylogger or bot malware on your PC, just like that.

As researcher Didier Stevens demonstrated on March 29, 2010, if a user receives such a specially crafted PDF file and is tricked into allowing the Launch action to take place, their computer could become infected with an embedded virus or malware downloader, or the default browser could be opened to a URL where malware attacks could be launched. Furthermore, another proof-of-concept exploit has been demonstrated showing that this attack could be used to infect other clean PDF files on that computer, turning the original malware-laden PDF file into a replicating worm.

If you don't want to wait for Adobe's patch to be released on April 13, you can manually disable the feature that allows the exploit to occur. Just open the Adobe Reader or Acrobat Preferences (under Edit), find the left sidebar option labeled "Trust Manager" and click on it. When the Trust Manager options load, uncheck the top option labeled: "Allow opening of non-PDF file attachments with external applications." Click OK and you are protected from this particular exploit vector.

While the Reader/Acrobat Preferences are still open, consider disabling JavaScript (under "JavaScript") and/or the display of PDF documents in web browsers (under "Internet"). That closes two other attack vectors already in use by malware authors. If you find that you need JavaScript to fill in forms or read certain documents, just re-enable it as needed.
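One practical check that follows from the above, as an added example and not code from the original post or from Adobe: a small Python triage scanner in the spirit of Didier Stevens's pdfid that counts risky name tokens (/Launch, /JavaScript, /JS, /OpenAction, /AA, /EmbeddedFile) in a PDF before anyone opens it. The sample PDF bytes are constructed here and use a placeholder file name; the `#xx` hex-escape handling is included because PDF allows names to be written that way, which a plain text search for "/Launch" would miss.

```python
"""Triage scan of a PDF for risky action names (pdfid-style).

Added example, not part of the original post. It counts /Launch, /JavaScript,
/JS, /OpenAction, /AA and /EmbeddedFile name tokens in the raw bytes and
decodes the '#xx' hex escape PDF permits inside names, so '/L#61unch' is
recognised as '/Launch'.
"""
import re
from collections import Counter

# Names whose presence warrants a closer look before the file is opened.
RISKY_NAMES = ("/Launch", "/JavaScript", "/JS", "/OpenAction", "/AA", "/EmbeddedFile")

# A PDF name token: a slash followed by regular characters (no whitespace or delimiters).
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_name(token: bytes) -> str:
    """Decode '#xx' escapes so an obfuscated name compares equal to the plain one."""
    decoded = _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), token)
    return decoded.decode("latin-1")


def scan_pdf_bytes(data: bytes) -> dict:
    """Return a count of each risky name found in the raw PDF bytes."""
    counts = Counter()
    for match in _NAME_RE.finditer(data):
        name = normalise_name(match.group(0))
        if name in RISKY_NAMES:
            counts[name] += 1
    return dict(counts)


def is_suspicious(data: bytes) -> bool:
    """True when the file carries a Launch or JavaScript action name."""
    return any(k in ("/Launch", "/JavaScript", "/JS") for k in scan_pdf_bytes(data))


# Constructed sample: a minimal PDF whose OpenAction is a Launch action written
# with a hex-escaped name. The /F target is a placeholder, not a real payload.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /L#61unch /F (placeholder-form.pdf) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed clean sample with no actions at all.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(scan_pdf_bytes(SAMPLE_PDF))  # {'/OpenAction': 1, '/Launch': 1}
    print(is_suspicious(CLEAN_PDF))    # False
```

To check a real file, call scan_pdf_bytes on its contents read in binary mode. Two caveats: names inside compressed object streams (PDF 1.5 and later) are invisible to a raw byte scan, and a hit is a reason to look closer rather than proof of malice, since legitimate forms use JavaScript too.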

You can really reduce your computer's likelihood of becoming infected by operating with non-Administrator rights. If you use Windows XP Home you can demote your account to Limited User, while XP Professional users can become Power Users. Vista and Windows 7 have a new account type called Standard User, and that is what you should use for your everyday operation. You should read my recent post explaining how 90% of critical Windows vulnerabilities can be mitigated by removing Admin rights from an account.


November 4, 2009

Microsoft re-releases patch for Internet Explorer

On Monday, November 2, 2009, Microsoft began using Automatic Windows Updates to forcibly push out a re-release of a critical patch for its Internet Explorer browsers. Monday's hotfix, named KB976749, targeted MS09-054, originally released on October 13, 2009. That update patched four vulnerabilities, all "critical," in Internet Explorer. It was the third fix released for last month's Windows Updates! Whew!

Microsoft Knowledge Base article KB976749 outlines the two issues: one scrambles Web page elements, while the other spawns a "Type Mismatch" script error on sites that use VBScript, or a mix of VBScript and JavaScript. That article is titled: "An update is available for Internet Explorer that resolves issues that occur after you apply security update 974455 (MS09-054)."

The following warning appears on the aforementioned page:

Important Do not install this update if you have not installed security update 974455. If you install this update without first installing security update 974455, Internet Explorer may not work correctly. If this occurs, uninstall this update, install security update 974455, and then reinstall this update.

This update affects all versions of Internet Explorer, from 5.01 through 8.x. So, if you applied last month's Windows Updates (Oct 13, 2009) and allowed the IE patch to be installed, you will need to install this patched patch.

Many people will have already received this update automatically by the time I published this blog article. It requires a reboot to install the patch and you will be logged off and your PC will restart automatically, unless you intercept the pop-under notice giving you a 15 minute warning before shutdown (Maybe it was 20 minutes to start. When I first noticed it the timer said 15 minutes). Even Power Users and probably Limited Users are affected by the automatic installation and reboot process, if your PC is set to install Windows Updates automatically.

BTW: The "Restart later" button was grayed out for me, so I was forced to save all work in progress, close open applications to avoid data loss, then use "Restart Now" to let the inevitable update complete. The aggravating part of this process was that I don't browse at all with Internet Explorer! I only open it to obtain Windows Updates, after logging into an Administrator level account, or to check layouts of websites I design and maintain. I do all daily browsing on Mozilla's Firefox, using the latest version. I operate as a Power User and was forced to allow the installation and forced reboot. Not much finesse on Microsoft's part.

Note that if this patch causes you more problems than it solves, you can uninstall it via Control Panel > Add/Remove Programs, with the Show Updates option checked. After rebooting you will be rolled back to the previous state of "patchedness."

Note also that one can only avoid these forced installation/reboot routines by disabling Automatic Windows Updates. Anything less will allow critical patches to be downloaded and installed while you are browsing on a less privileged account type. People who (foolishly, in my opinion) insist on using Administrator level accounts will at least see the gold shield tray icon notification that an update is available or has been downloaded. By the time a Power User sees the shield, the countdown timer has started its countdown to a forced restart.


August 7, 2009

Java updated - Hotmail to drop Outlook Express support

I have a couple of new items to alert my readers about today. First, Sun Corporation has just updated its Java Virtual Machine (JVM) to version 6 Update 15 (build 1.6.0_15-b03), fixing vulnerabilities announced by Microsoft in ATL components of Visual Studio. Apparently, Java itself used some of the vulnerable ATL modules and Sun had to re-code the JVM to prevent it from being exploited in drive-by attacks against those components. Go to www.java.com to download and install the current version of Java from your browser. You can also manually choose an online or offline setup version for various operating systems, from this page.

As of today, updating the Java VM does not automatically uninstall older versions of Java. This is an executive decision made by Sun Corp., which is afraid of breaking existing programs that depend on certain versions of Java. However, cyber-criminals are known to write code that targets the default installation paths of vulnerable versions of Java. If you leave an exploitable Java executable on your computer, then accidentally surf to, or get redirected to, a hostile website, that version of Java can be used against you! If you aren't running a critical application that depends on an older version of Java, uninstall the older versions after you update to the new one. You must close all browsers for the updates to take effect. If an application stops working properly after you update the Java VM, go to the manufacturer's website or look for a built-in check-for-updates link, to see if they have released a patched version that works with the new JVM.
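As an added illustration of that advice (not code from the original post or from Sun), here is a Python helper that parses Sun's version strings, such as 1.6.0_15-b03, and flags every entry in an inventory of Java installations that is older than the version you require. The inventory is constructed inline; the paths are typical default install locations chosen for the example, not read from a real system.

```python
"""Flag leftover Java installations older than a required version.

Added example, not from the original post. Sun's version strings look like
'1.6.0_15-b03' (major.minor.micro_update-build) or '1.5.0_11' without a build.
The inventory below is constructed for the example; the paths are illustrative
default install locations, not read from a real machine.
"""
import re
from typing import Iterable, List, Tuple

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b\d+)?$")


def parse_java_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.6.0_15-b03' into (1, 6, 0, 15). The build suffix is ignored
    because it does not change which security fixes are present."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def stale_installs(inventory: Iterable[Tuple[str, str]], required: str) -> List[Tuple[str, str]]:
    """Return the (path, version) pairs whose version is below `required`.
    Everything returned is a candidate for removal once nothing depends on it."""
    floor = parse_java_version(required)
    return [(path, ver) for path, ver in inventory if parse_java_version(ver) < floor]


# Constructed inventory: (install path, version) as an admin might collect it.
SAMPLE_INVENTORY = [
    (r"C:\Program Files\Java\jre6", "1.6.0_15-b03"),
    (r"C:\Program Files\Java\jre1.6.0_07", "1.6.0_07-b06"),
    (r"C:\Program Files\Java\jre1.5.0_11", "1.5.0_11"),
]

if __name__ == "__main__":
    for path, ver in stale_installs(SAMPLE_INVENTORY, "1.6.0_15"):
        print(f"stale Java {ver} still installed at {path}")
```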

The second matter affects Windows PC users who download Hotmail messages to their desktops, via Microsoft's Outlook, Outlook Express or Entourage programs. Microsoft has decided to make code changes to the way the Hotmail email servers work and these changes will cause Outlook and Outlook Express to stop sending and receiving Hotmail messages on September 1, 2009. Hotmail is now called "Windows Live Hotmail."

To continue to receive e-mail from your Hotmail account, you will have to select one of the alternative solutions below before September 1, 2009. After that day, new Hotmail e-mail can only be delivered to, or sent from your mail programs through the following alternative solutions. However you can continue to view and send your Hotmail messages via your web browsers.

If you use Microsoft Office Outlook to view Hotmail, you can download the free Office Outlook Connector to continue accessing your Windows Live Hotmail within Outlook 2003 or 2007. If you run an older version, read this information.

If you use Outlook Express (OE) to view Hotmail, you can choose to download the free Windows Live Mail (WLM), which resembles Outlook Express, but is much more powerful, less prone to crashes and contains a junk filter. You can import all of your saved .eml messages and accounts from OE into WLM (via Export/Import, or drag and drop between email clients). You can also import your personal folders from OE. The view is a little different, but you'll get used to it. You can find help on this page with exporting messages from Outlook Express into WLM.

If you are using Entourage to send and receive Hotmail, read these instructions to continue connecting to the new servers.

Why did this change happen? Because Microsoft Outlook, Outlook Express, and Entourage use a legacy communications method, known as the DAV protocol, to access Hotmail. Because the DAV protocol is not optimally suited for programs to access large inboxes such as Hotmail which now provides users ever-growing storage*, new alternatives have been built. Microsoft postponed their initial plans to retire the DAV protocol until more options were available. Now that these options (including the POP3 protocol) are available, they are ready to retire the DAV protocol, on September 1, 2009.


July 25, 2009

Microsoft and Adobe to release out-of-band patches

July 25, 2009

There are some new vulnerabilities to be alerted to that are being exploited in the wild right now and may impact you. Some affect Windows computers, while others are cross platform (Linux, Mac, Solaris). Foremost among the vulnerable software are Internet Explorer, Visual Studio components and three Adobe programs.

First off, Microsoft just announced that it will release two out-of-cycle security patches on Tuesday, July 28, 2009. This is very rare for Microsoft, which mainly sticks to a once-a-month Patch Tuesday schedule. The two vulnerabilities are being actively exploited in the wild and cannot wait until August 11 to be fixed. Too many PCs would be compromised by then.

If you have followed Microsoft's recommendation and set your Windows PCs to download and install Windows Updates Automatically, you will receive them sometime during the day of July 28, 2009, depending on where you are located. For folks living in the Eastern US time zone these updates will probably show up around 2 PM. If you are going to be away from your PC during that afternoon you should save any work in progress, because Windows Update will reboot your computer without interaction, if required to install those updates, after popping up a pending shutdown alert. If you aren't there to dismiss that alert your PC will be automatically rebooted to finish installing these critical patches.

Adobe has three products being exploited by cyber criminals this week: Acrobat, Reader and Flash Player. This time the exploit lies in the way Adobe Reader and Acrobat are set to automatically run embedded Flash code when a person opens a .pdf document (PDF = Portable Document Format) in any current version of Reader or Acrobat. In case you were wondering, Acrobat is an expensive program used to create PDF documents; Reader opens them for reading and printing. Flash is active content for interactive forms and video presentations on web pages, or for embedding into PDF files. YouTube videos are encoded using Adobe Flash and are viewed in Flash Player.

Adobe will be releasing patches on two days this month. An update for Flash Player v9 and v10 for Windows, Macintosh, and Linux will be available by July 30, 2009. They expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by July 31, 2009. While you patiently wait for those patches you can protect your computers from being hacked by hostile PDF documents by applying two officially recommended workarounds.

UPDATE:
August 2, 2009

Both Microsoft and Adobe did release the promised, out-of-band, critical updates, fixing the reported vulnerabilities in Microsoft's Internet Explorer and Visual Studio ATL and in Adobe's Flash, Reader and Acrobat. If you have not already done so, please run the Secunia Online Software Inspector, to see what insecure software is installed on your computers. Download links are provided in its report.

Note: If you are a programmer and have written any code that utilizes the Microsoft Visual Studio ATL, you may need to make changes to get those controls working again. See this MSDN page for more information about how the security update of 7/28/09 will impact your code.

Details about the Adobe vulnerabilities and their workarounds are in my extended content.


June 12, 2009

Windows, Firefox, Adobe Reader and Apple QuickTime updated

There have been significant program updates issued for Microsoft Windows, the Firefox browser, Adobe Acrobat and Reader, and Apple's QuickTime browser plug-in. All were released this week to fix critical vulnerabilities that had been reported and were being exploited by hackers and cyber-criminals. These criminal elements hijack legitimate websites and install hidden code to redirect innocent visitors to hostile websites loaded with exploit code.

Most of the successful attacks exploit vulnerabilities in browsers (usually Internet Exploder), or their installed add-ons and plug-ins, like Apple QuickTime, Adobe Flash and Reader (and other PDF readers) and Sun's Java plug-in. If any of these items is a vulnerable version, you may have your computer hijacked by cyber-criminals who will make it a zombie member of their botnet. This will turn your PC into a spam machine, or it could be used to attack websites or governments with whom the hackers have a difference of opinion.

In order to stay safe from the barrage of attacks targeting browsers and their plug-ins, it is imperative that you keep Windows and its components and all third-party add-ons up to date. One way is to always select the option to automatically check for, download and install updates to those programs. If there is no automatic update mechanism for a program you use, you should check to see if it has been updated, either at the manufacturer's website or by using the free Secunia Online Software Inspector (requires a current version of Java).

The details of this week's updates are below, in my extended comments.


March 11, 2009

Adobe and Foxit plug critical PDF vulnerabilities

From the security desk of Wiz Feinberg
March 11, 2009

On March 9 and 11, Foxit and then Adobe released patched, updated versions of their PDF readers, responding to critical vulnerabilities, like the JBIG exploit, currently being exploited in the wild. Until the Foxit patch was announced on the 9th, many people believed that it was a safe alternative to Adobe Reader. Not so. The Adobe exploits target all Reader and Acrobat versions 7 through 9.0.

Foxit has patched three critical vulnerabilities with version 3.0 Build 1506. You can download the latest patched Foxit PDF Reader here. Interestingly, Foxit was only notified about these exploitable vulnerabilities a few weeks ago, in mid-February, and was able to push out a patch in a short time.

Adobe, on the other hand, has been aware of the vulnerabilities in its PDF Reader and Acrobat PDF encoder for three months (since early January 2009) and just today released the patch. When these security concerns were publicized, Adobe recommended disabling JavaScript and browser plug-in functions in Adobe Reader and Acrobat. However, it was later demonstrated in a lab test at Secunia that Reader and Acrobat are still exploitable with these functions disabled. The patched versions released on March 11 finally plug the holes that allow these exploits to occur. JavaScript and displaying a PDF in your browser can now be re-enabled, after you upgrade to Adobe Reader and Acrobat 9.1. Older Reader versions 7 and 8.x will be patched on March 18, 2009.

You can download the current version of Adobe Reader here. This Adobe page has links to patch your version of Adobe Acrobat.

Adobe has published a security bulletin about the vulnerabilities affecting its Reader and Acrobat software, with the dates the vulnerabilities were announced and the release dates for the patches. This page goes far back and shows how they have responded to exploitable weaknesses for years.

If you missed the news, Adobe also released a patched version of Adobe Flash Player, on February 24, 2009. Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.

The risk of browsing the Internet, or opening emails containing links to or attachments containing rigged Flash and PDF files, without being fully patched against the exploit code is total system compromise. Malicious Flash banner ads have been released through some affiliate ad services that are capable of redirecting your browser to a hostile web server, which will attempt to forcibly and invisibly download exploit code to your computer if you have a vulnerable version of Flash Player, Adobe (PDF) Reader or Acrobat installed.

You can scan your PCs online at Secunia.com, using their Online Software Inspector tool. It requires Java to operate and will report on any missing Windows patches, as well as any left over insecure versions of third party applications, like Flash, Reader and Java. It provides direct download links to obtain the latest patched versions, plus shows you the exact path to the old, exploitable versions still installed on your PC. I use it and recommend you do so every week, say on Tuesday evenings (after Windows Updates are released on Patch Tuesdays). It usually takes under a minute to complete the online scans. You must uninstall old software and install the updates yourself.


November 12, 2008

AVG False Positive Cripples Windows XP PCs, on November 9, 2008

A faulty definitions update issued on November 9, 2008 caused AVG Anti-Virus 7.5 and 8.0 (free and paid versions) to either automatically or manually delete and/or quarantine a required Windows XP system file, user32.dll, as soon as a scheduled scan came to that file, or when a user opened the System32 directory to search files in it. Without this file in the System32 directory, Windows will not boot! AVG released updated definitions shortly thereafter to fix the false positive detection. If your computer was still on and you checked for AVG updates again before shutting it down, you may have received the patched definitions and are OK to operate as usual. You will know the next time you reboot or shut down and restart your computer!

If this bad update occurred while your PC was operating and you either rebooted, or shut it down, before obtaining the updates that fixed the false detection, it will not boot into Windows again until you disable the AVG Resident shields using the Recovery Console and restore user32.dll from a backup image, or location, or from your Windows XP CD.

The system can be restored by using the Windows XP Recovery Console to copy a backup of User32.dll into the System32 directory. If you have already installed the Recovery Console as a boot option, boot into it, then run the copy command listed in the next paragraph.

If you haven't installed the Recovery Console, but you do have your bootable Microsoft XP CD, it contains the Recovery Console. Boot from the Microsoft Windows XP CD and choose Setup Option "R" to Repair your Windows Installation using the "Recovery Console." You will be taken to a black screen with white text which will halt at a blinking command prompt (just like MS DOS). The Recovery Console command to type in would be as follows:

copy c:\windows\system32\dllcache\user32.dll c:\windows\system32\user32.dll

Press Enter and wait a second or two. If it reports "1 file copied" then the Windows boot portion of the problem is fixed. However, you will still need to disable the AVG Resident shields from the Recovery Console, as described in my extended comments and on the AVG Support website, until you are able to boot into Windows and run a manual check for AVG updates and receive the patched definitions file. Don't forget to reactivate the resident shields after updating the definitions (as described in my extended comments or on the AVG Support site)!

If the above code fails, try the following:

copy c:\windows\servicepackfiles\i386\user32.dll c:\windows\system32\user32.dll

If that doesn't work you will have to expand and copy it from the XP CD, as follows:

copy d:\i386\user32.dl_ c:\windows\system32\user32.dll

The above uses drive letter "d:" as the source for the CD drive containing the recovery media. Your CD drive letter may be different, depending on how many hard disks or partitions you have installed. So, for instance, if your Windows CD is in drive F, substitute F: for D: in the last command.
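The three fallback sources above can be tried in order by a script as well. The following Python is an added example, not from the original post or from AVG or Microsoft: it compares a live system file with its copy in the protected dllcache by SHA-256 (a quick way to tell a deleted or altered file from a harmless false positive) and restores the file from the first source that exists, stopping at a compressed .dl_ copy because that one has to go through expand rather than copy. The demo() function builds a throwaway folder layout that mimics system32, dllcache, servicepackfiles and the CD's i386 folder so the logic can be exercised offline; it is constructed, not a real Windows tree.

```python
"""Compare a system file with its protected-cache copy and restore it from the
first available source.

Added example, not part of the original post. The source order mirrors the
post: %SystemRoot%\\system32\\dllcache, servicepackfiles\\i386, then the
compressed i386\\user32.dl_ on the install CD. A '.dl_' source is reported
back instead of copied, since it must be expanded (expand.exe) first.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Iterable, Optional, Tuple


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_cache(live: Path, cached: Path) -> str:
    """'missing' if the live file is gone (the AVG case), 'no-cache' if there is
    nothing to compare against, 'match' if it equals the cache copy, 'differs'
    otherwise (worth a closer look before trusting an AV verdict either way)."""
    if not live.exists():
        return "missing"
    if not cached.exists():
        return "no-cache"
    return "match" if sha256_of(live) == sha256_of(cached) else "differs"


def restore_from_first_available(target: Path, sources: Iterable[Path]) -> Optional[Tuple[Path, str]]:
    """Copy the first existing source to target. Returns (source, 'copied'), or
    (source, 'needs-expand') for a compressed '.dl_' copy, or None if no source
    exists."""
    for src in sources:
        if not src.exists():
            continue
        if src.suffix.lower().endswith("_"):
            return src, "needs-expand"  # run: expand <src> <target>
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
        return src, "copied"
    return None


def demo() -> dict:
    """Constructed sandbox: a system32 whose user32.dll was deleted while the
    dllcache still holds the good copy. Returns what the checks report."""
    root = Path(tempfile.mkdtemp())
    live = root / "system32" / "user32.dll"
    cache = root / "system32" / "dllcache" / "user32.dll"
    sp = root / "servicepackfiles" / "i386" / "user32.dll"
    cd = root / "cd" / "i386" / "user32.dl_"
    cache.parent.mkdir(parents=True)
    cache.write_bytes(b"MZ constructed stand-in for user32.dll")  # not a real DLL
    before = compare_with_cache(live, cache)
    src, action = restore_from_first_available(live, [cache, sp, cd])
    after = compare_with_cache(live, cache)
    shutil.rmtree(root)
    return {"before": before, "source": src.relative_to(root).as_posix(),
            "action": action, "after": after}


if __name__ == "__main__":
    print(demo())  # {'before': 'missing', 'source': 'system32/dllcache/user32.dll', 'action': 'copied', 'after': 'match'}
```

On a real XP system the same calls would be made with the actual paths (for example `Path(r"C:\Windows\system32\user32.dll")` and its dllcache twin); since Windows must be running for that, the comparison is most useful for checking other system files an AV engine has flagged before you reboot, or on a drive mounted offline.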

If this, or another update or software installation has crippled your PC and you use Acronis True Image to make daily backups, insert your bootable Acronis Recovery CD (you were told to create that CD when you installed Acronis True Image), boot into the rescue interface, locate the most recent backup of the entire computer and restore it to the C drive. You should be up and running within about a half hour, or so.

If you don't have any recent backup images, nor a Windows operating system CD, your OEM hard drive might have a hidden recovery partition on it. Reboot your computer and press the Pause key when the first screen appears. It will usually contain information about pressing a particular key to restore your computer to "Day-1" condition. You will lose everything you have saved or created since that day, but at least the PC will boot into Windows. This is a worst-case scenario for most of you.


May 2, 2007

Apple QuickTime updated to v7.1.6 to fix security holes

May 2, 2007

Apple today released QuickTime 7.1.6 for Mac and QuickTime 7.1.6 for Windows, which deliver numerous bug fixes, address a critical security issue with QuickTime for Java and include support for:

- Final Cut Studio 2
- Timecode and closed captioning display in QuickTime Player

This update is recommended for all QuickTime 7 users, including Firefox users. (Firefox uses the QuickTime Plug-in which is vulnerable and needs updating)

About the security content of QuickTime 7.1.6:

CVE-ID: CVE-2007-2175
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9, Windows XP SP2, Windows 2000 SP4

Impact: Visiting a malicious website may lead to arbitrary code execution

Description: An implementation issue exists in QuickTime for Java, which may allow reading or writing out of the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously-crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. The code will run with the privileges of the target user.

QuickTime 7.1.6 is available via Software Update and also as standalone installers, using the following links:

QuickTime 7.1.6 for Mac (43.6MB)
http://www.apple.com/support/downloads/quicktime716formac.html

QuickTime 7.1.6 for Windows (19.1MB)
http://www.apple.com/support/downloads/quicktime716forwindows.html

The official Apple advisory is available at:
http://docs.info.apple.com/article.html?artnum=305446


February 23, 2007

Microsoft Releases Flawed Windows Updates in Feb 13-16, 2007 Patch and Hardware Updates

Three flawed Windows security and driver updates were released on Patch Tuesday, February 13, and continued through Friday, February 16, 2007. The first one involves a defective "signed" VIA IDE driver update that places most computers into endless reboot cycles. The second involves installing an unnecessary Alps Pointing Device driver, on computers that don't have such a device. The third is a patch for PowerPoint that fails to fix the stated vulnerabilities it is meant to address.

The flawed VIA Primary IDE driver only appeared under optional Hardware Updates, if you ran manual updates, using the Custom Option. I first became aware of the problem on Friday, February 16, when I performed Windows Updates for a client, at his office. The first and second machines to receive updates had the VIA Primary IDE Driver listed under Hardware Updates, so I installed it and rebooted, and rebooted, and rebooted... After the third time I realized that there was a problem with that driver and I used F8 to get to the boot menu, where I selected "Last Known Good Configuration," which succeeded in getting back into Windows. From there I right-clicked on My Computer, selected Properties, then Hardware, then Device Manager > IDE ATA ATAPI Controllers, then rolled-back the VIA Primary Channel IDE driver update to the previous driver, rebooted, and all was well again.

Another one of the Hardware updates seems to have placed an unwanted and unneeded Alps Touchpad/Pointing device driver and icon on the computers that did not have an Alps Touchpad attached to them. Using Device Manager > Mice/Pointing Devices I rolled-back the driver and the touchpad icon and other pointer problems were resolved, after a reboot.

The third problem was just announced via Microsoft Technet, in this security re-release notice: http://www.microsoft.com/technet/security/bulletin/ms06-058.mspx

Microsoft Security Bulletin MS06-058
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (924163)
Published: October 10, 2006 | Updated: February 21, 2007

Recommendation: Customers should apply the update immediately

Security Update Replacement: This bulletin replaces a prior security update.

Why did Microsoft minor revise this bulletin on February 13, 2006?

Further investigation of CVE-2006-3877 as originally revealed that the update was not effective in removing the vulnerability from affected systems. The Microsoft Security bulletin, MS07-015 has been issued to properly address CVE-2006-3877 and customers should apply the updates in this bulletin immediately.

More information and links to download hotfixes are in the extended entry.


November 29, 2006

Apple releases Security Update 2006-007

I am posting this for my viewers who use Apple's Mac operating systems, the percentage of which is not declining ;-)

Apple released Security Update 2006-007 in various versions. The update is available via Software Update and also as standalone installers.

Security Update 2006-007 is recommended for all users and improves the security of the following components:

- AirPort
- ATS
- CFNetwork
- Finder
- Font Book
- Font Importer
- Installer
- OpenSSL
- PHP
- PPP
- Samba
- Security Framework
- VPN
- WebKit
- gnuzip

About the security content of Security Update 2006-007:
http://docs.info.apple.com/article.html?artnum=304829


October 21, 2006

YPOPs has been updated (delivers Yahoo email via POP3)

YPOPs, a free POP3 email interface for sending and receiving Yahoo email via your POP3 email client, was updated on October 18, 2006. POP3 email clients include Outlook, Outlook Express, Thunderbird, Eudora, etc. If you use one of these programs and would like to be able to use it to send and receive your Yahoo email, YPOPs will allow you to do so. Normally, Yahoo email must be accessed via HTTP, using a web browser. This program bridges the gap between HTTP and POP3 email.

I have written out instructions for configuring and using YPOPs on my Wiz's Workshop page. I am using YPOPs on various operating systems, including Windows Vista RC1. I am not affiliated with YPOPs in any way; I am just a happy user.

Download
You can download the latest version of YPOPs from Don Beusee's download site (he is involved in the project).

YPOPs Project information, documentation and discussion forums

Continue reading "YPOPs has been updated (delivers Yahoo email via POP3)" »


October 1, 2006

Microsoft Patch MS06-055 Issued for VML Exploit

Microsoft Security Bulletin MS06-055:

Vulnerability in Vector Markup Language Could Allow Remote Code Execution - Patched

Published: September 26, 2006

This entry deals with the VML (vgx.dll) buffer overrun vulnerability announced on September 19, 2006, and the VML exploits that are currently in the wild.

http://www.microsoft.com/technet/security/bulletin/ms06-055.mspx

VML Buffer Overrun Vulnerability - CVE-2006-4868:

A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows. An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
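A content-filter heuristic for the vulnerability described above, written here as an added example (it is not code from the original post or from Microsoft): it parses an HTML page or the HTML body of an e-mail, learns which prefix is bound to the VML namespace, and flags any VML element carrying an attribute value longer than a threshold, which is the kind of oversized input a buffer overrun in a parser needs. The 1024-byte threshold, the scan_html and is_suspicious function names, and the three sample documents are assumptions constructed for the example, not real exploit captures.

```python
"""Heuristic scanner for overlong attribute values on VML elements.

Added example, not from the original post or from Microsoft. Flags VML markup
(namespace urn:schemas-microsoft-com:vml) whose attribute values are far longer
than any legitimate drawing needs. Threshold and samples are assumptions.
"""
from html.parser import HTMLParser

VML_NS = "urn:schemas-microsoft-com:vml"
MAX_ATTR_LEN = 1024  # assumption: no legitimate VML attribute value is this long


class VmlScanner(HTMLParser):
    """Collects VML elements whose attribute values exceed MAX_ATTR_LEN."""

    def __init__(self):
        super().__init__()
        # "v" is the conventional prefix; other prefixes are learned from xmlns:* declarations.
        self.prefixes = {"v"}
        self.findings = []  # list of (tag, attribute name, value length)

    def handle_starttag(self, tag, attrs):
        # Learn any prefix bound to the VML namespace, e.g. <html xmlns:v="urn:schemas-microsoft-com:vml">
        for name, value in attrs:
            if name.startswith("xmlns:") and value and value.strip().lower() == VML_NS:
                self.prefixes.add(name.split(":", 1)[1])
        prefix, sep, _ = tag.partition(":")
        if not sep or prefix not in self.prefixes:
            return  # not a VML element
        for name, value in attrs:
            if value is not None and len(value) > MAX_ATTR_LEN:
                self.findings.append((tag, name, len(value)))


def scan_html(text):
    """Return a list of (tag, attribute, length) for overlong VML attribute values."""
    scanner = VmlScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


def is_suspicious(text):
    """True when the document contains at least one overlong VML attribute."""
    return bool(scan_html(text))


# Constructed sample documents (assumptions for this example, not real captures).
BENIGN_HTML = """<html xmlns:v="urn:schemas-microsoft-com:vml"><body>
<v:rect style="width:120pt;height:80pt" fillcolor="#ffcc00"><v:fill type="solid"/></v:rect>
</body></html>"""

CRAFTED_HTML = """<html xmlns:v="urn:schemas-microsoft-com:vml"><body>
<v:rect style="width:120pt;height:80pt"><v:fill method="%s"/></v:rect>
</body></html>""" % ("A" * 4000)

# Same oversized payload under a non-standard prefix; caught because the xmlns binding is learned.
CRAFTED_ALT_PREFIX = """<html xmlns:shape="urn:schemas-microsoft-com:vml"><body>
<shape:rect><shape:fill method="%s"/></shape:rect></body></html>""" % ("B" * 2048)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_HTML), ("crafted", CRAFTED_HTML), ("alt-prefix", CRAFTED_ALT_PREFIX)]:
        print(label, scan_html(doc))
```

Run it over the decoded HTML parts at a mail gateway or web proxy; legitimate Office-generated VML uses many elements but short attribute values, so tune MAX_ATTR_LEN against your own traffic before blocking on a hit.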

Microsoft has issued an out-of-cycle patch for the Vector Markup Language vulnerability described above and in a previous entry on my blog. This is a critical vulnerability, and if you have not already installed the patch you should do so immediately. Run Windows Update to receive it manually, turn on Automatic Updates (Control Panel > Automatic Updates), or visit the bulletin page linked above and download the patch for your version of Windows.

Undo the suggested Microsoft workaround if you applied it! See my extended comments for details.

Continue reading "Microsoft Patch MS06-055 Issued for VML Exploit" »



About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

Follow @Wizcrafts on Twitter, where I post short updates on security issues, spam trends and things that just eat at my craw.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.