November 1-7, 2010 has been a busy week for security news and application updates. Several new zero-day vulnerabilities have been reported and are being exploited in the wild. An entire country was taken offline by a targeted DDoS attack. Some major programs received updates to fix critical vulnerabilities.
Let's start with the DDoS attacks that took most of a country offline, on or about November 3, 2010.
In a politically motivated attack, the nation of Myanmar, formerly known as Burma, found itself cut off from the Internet by a massive denial of service attack on the country's Ministry of Post and Telecommunication (or PTT), which is the main conduit for Internet traffic in and out of the nation. Internet access was disrupted for both government agencies and private sector firms, with major disruptions to Myanmar's important tourism industry. The cyber attack crippled Myanmar's servers, just days ahead of its first election in two decades. The attack on Myanmar could be the largest DDoS ever targeting a single country; it was far larger than the attacks on Estonia and Georgia in 2007.
According to Arbor Networks, the DDoS attack against Myanmar was attempting to push 10-15 gigabits of data through those connections, which can only support about 45 megabits per second! The attacks have actually been ongoing since October 25, getting worse as the Nov 7 election date approaches.
Next in line is a new, zero-day vulnerability affecting most versions of Microsoft's Internet Explorer browser.
Microsoft Corp. has warned Internet Explorer users that attackers are exploiting a previously unknown security hole in the browser to install malicious software. The company is urging users who haven't already done so to upgrade to IE8, which includes technology that makes the vulnerability more difficult to exploit. Microsoft has released Microsoft Security Advisory 2458511 to alert users of the new vulnerability affecting all supported versions of Internet Explorer (versions 6 - 8). This vulnerability may allow an attacker to execute arbitrary code.
Microsoft has released a Fix it Tool to help mitigate the risks until a security update is available. It is unlikely that the update will be ready for inclusion in this month's Windows Updates, due for release on November 9, 2010. Apparently, Microsoft has deemed this vulnerability less critical, due to flaws in the coding of the initial attacks. One can expect that hackers will fix those problems before Microsoft plugs the vulnerable code. Look out IE users! There's no better time to switch to Mozilla's Firefox or Google Chrome (I use Firefox exclusively).
Speaking of Firefox and Google Chrome, both browsers were updated for security reasons over the past week or so. Firefox was updated to version 3.6.12, on Oct 27, and Chrome was updated to version 7.0.517.44, on Nov 4. Use the built-in check for updates links to get the latest versions of these browsers.
Adobe Releases Security Bulletin for Flash Player, Shockwave, Reader, and Acrobat.
Adobe has released a security advisory to alert users of a vulnerability affecting Adobe Flash Player 10.1.85.3 and earlier for Windows, Macintosh, Linux, and Solaris. Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition. The advisory indicates that there are reports of active exploitation affecting Adobe Reader and Acrobat. Updates for Adobe Reader and Acrobat will be available by November 15, 2010.
On November 5, 2010, Adobe already released Flash Player 10.1.102.64 for Windows, Macintosh, Linux, and Solaris to address multiple vulnerabilities described in the aforementioned advisory. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or bypass cross-domain policy file restrictions. The Adobe security bulletin indicates that updates for Android will be available by November 9, 2010.
On October 29, 2010, Adobe released a security update for Shockwave Player to address multiple vulnerabilities. The new version is 11.5.9.615.
Please visit http://www.adobe.com to obtain updates for their Flash and Shockwave players and for Adobe Reader and Acrobat.
Note that for Flash and Shockwave, you will need to visit the appropriate Adobe installation page with Internet Explorer and your other browsers. This is because Microsoft uses an ActiveX version of Flash and Shockwave, while Firefox and others use a different, universal technology. Chrome, on the other hand, uses a proprietary version of Flash, made specifically for their browser. Oi!
Stay away from dangerous links leading to browser exploit pages, keep your anti-malware programs fully up to date, and always practice safe Hex.