Category Archives: Flash

Zero-day Flash bug under active attack in Windows threatens OS X, Linux too

A fragment of the shellcode exploiting a critical vulnerability in Adobe Flash.

A day after reports that attackers are exploiting a zero-day vulnerability in Microsoft's Internet Explorer browser, researchers warned of a separate active campaign that was targeting a critical vulnerability in fully patched versions of Adobe's ubiquitous Flash media player.

The attacks were hosted on the Syrian Ministry of Justice website at hxxp://jpic.gov.sy and were detected on seven computers located in Syria, leading to theories that the campaign targeted dissidents complaining about the government of President Bashar al-Assad, according to a blog post published Monday by researchers from antivirus provider Kaspersky Lab. The attacks exploited a previously unknown vulnerability in Flash when people used the Firefox browser to access a booby-trapped page. The attackers appear to be unrelated to those reported on Sunday who exploited a critical security bug in Internet Explorer, a Kaspersky representative told Ars.

While the exploit Kaspersky observed attacked only computers running Microsoft Windows, the underlying flaw, which is formally categorized as CVE-2014-1776 and resides in a Flash component known as the Pixel Bender, is present in the Adobe application built for OS X and Linux machines as well. Adobe has updated all three versions to plug the hole. Because security holes frequently become much more widely exploited in the hours or days after they are disclosed, people on all three platforms should update as soon as possible. People using IE 10 and 11 on Windows 8 will receive the update automatically, as will users of Google's Chrome browser. It can sometimes take hours for the automatic updates to arrive. Those who are truly cautious should consider manually installing them. Windows users with Firefox installed must run a separate update for both IE and the Mozilla browser.


Adobe releases emergency Flash update amid new zero-day drive-by attacks

Adobe has released an emergency update for its widely used Flash Player to fix a previously unknown security bug that hackers are actively exploiting to surreptitiously install malware on end-user computers.

The vulnerability, which affects the latest versions of Flash, was being exploited in drive-by attacks on the websites of at least three nonprofit organizations, according to a blog post published Thursday by researchers from security firm FireEye. Two of the institutions—the Peter G. Peterson Institute for International Economics and the Smith Richardson Foundation—focus on matters of national security and public policy. The targets, combined with the technical signatures of the attacks themselves, have led researchers to suspect that the attackers are the same ones behind similar campaigns from 2012. The FireEye researchers wrote:

This threat actor clearly seeks out and compromises websites of organizations related to international security policy, defense topics, and other non-profit sociocultural issues. The actor either maintains persistence on these sites for extended periods of time or is able to re-compromise them periodically.

This actor also has early access to a number of zero-day exploits, including Flash and Java, and deploys a variety of malware families on compromised systems. Based on these and other observations, we conclude that this actor has the tradecraft abilities and resources to remain a credible threat in at least the mid-term.

The vulnerability, which is indexed as CVE-2014-0502 under the common vulnerabilities and exposure system, allows attackers in certain cases to execute malicious code by overwriting the virtual function table pointer of a Flash object. In a testament to the growing effectiveness of modern exploit mitigation techniques, a protection known as address space layout randomization (ASLR) prevents the exploit from working on the vast majority of machines. ASLR vastly decreases the chances that a remote-code-execution attack will succeed by loading downloaded scripts in a different memory location each time the computer is rebooted. The attackers behind the campaign discovered by FireEye found a way to bypass ASLR on computers running older software. Specifically, PCs running Windows XP, Windows 7 with the now-unsupported 1.6 version of Oracle's Java, and Windows 7 with a now out-of-date version of Office 2007 or Office 2010 don't benefit from the protection of ASLR.


Adobe, Microsoft Release Critical Updates

Patch Tuesday is upon us once again. Adobe today pushed out security fixes for its Flash and Shockwave media players. Separately, Microsoft released seven patch bundles addressing at least 34 vulnerabilities in Microsoft Windows and other software. At least one of the Windows flaws is already being exploited in active attacks.

Six of the seven Microsoft patches released today earned the company’s most dire “critical” rating, meaning the patches plug security holes that could be exploited by malware or miscreants with no help from PC users, save for visiting a hacked site or opening a specially crafted document.

Microsoft and security experts are calling special attention to MS13-053, which fixes at least eight flaws in Windows’ implementation of TrueType font files. These critical TrueType vulnerabilities exist on nearly every supported version of Windows, including XP, Vista, Windows 7 and Windows 8, and can be exploited to gain complete control over a vulnerable Windows system, just by having the user visit a Web page that contains malicious TrueType content. To make matters worse, Microsoft says one component of this vulnerability (CVE-2013-3660) is already being exploited in the wild.

There’s something else that’s interesting about these TrueType flaws: Ross Barrett, senior manager of security engineering at Rapid7, notes that for the first time ever Microsoft is addressing a single TrueType vulnerability (CVE-2013-3129) in three different advisories (MS13-052, MS13-053, and MS13-054). “By splitting this out, Microsoft is directly addressing a complaint about previous ‘rolled up’ advisories where it was difficult to properly prioritize the multiple patches required to remediate the problem, and component patches were frequently missed,” Barrett notes.

The other big deal in today’s patch batch from Redmond is the Internet Explorer update (MS13-055), which is rated critical for all versions of IE and addresses 17 vulnerabilities. For a breakdown of the updates released today, check out this summary page, which includes links to all of the individual patches.

Also, Microsoft today announced a policy change related to the security of applications for sale or download in the Microsoft marketplace: Henceforth, any app that has a reported security issue will be removed from the marketplace store if it is not patched within 180 days of Microsoft confirming the problem. Read more about that policy change at Microsoft’s Technet Blog.

ADOBE FLASH & SHOCKWAVE

Adobe’s Flash Player update fixes at least three critical bugs in the program. Updates are available for Windows, Mac, Linux and Android versions of Flash. This update brings Flash Player to version 11.8.800.94 on Windows and Mac systems (other OS users see the chart at the end of this post). To find out which version of Flash you have installed, visit this page. Internet Explorer 10 auto-updates its built-in Flash Player; Chrome does as well, but the latest patched version of Flash on Chrome is 11.8.800.97. My installation of Chrome does not appear to have updated to the latest version yet.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Adobe also released a new version of its Shockwave Player software that fixes at least one critical flaw, bringing Shockwave to v. 12.0.3.133 on Windows and Mac systems. Updates are available here. Shockwave is one of those programs that I’ve urged readers to remove or avoid installing. Like Java, it is powerful and very often buggy software that many people have installed but do not really need for everyday Web browsing. Securing your system means not only making sure things are locked down, but removing unneeded programs, and Shockwave is near the top of my list on that front.

If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or, in the case of Google Chrome, just downloads it for you), then you don’t have Shockwave installed and in all likelihood don’t need it. Firefox users should note that the presence of the Shockwave Flash plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave.

Adobe did not release any updates for AIR today, as it normally does when it pushes out Flash updates. The company says it is not aware of any active exploits or attacks in the wild that take advantage of the vulnerabilities fixed in today’s Flash and Shockwave releases.

If all of this patch frenzy has your head spinning, consider using some free tools to help automate the process for you. File Hippo’s Update Checker works great on this front, as does Secunia’s Personal Software Inspector (I prefer PSI 2 over PSI 3, but your mileage may vary). And, as always, if you experience any problems or interesting issues applying the Windows updates or any of the other patches, please drop a note in the comments section below.


Apple blacklists older versions of Flash plugin due to security risk

Just as it did with some versions of Java, Apple has now blocked older versions of Adobe's Flash plugin to protect Mac users from security risks. In a new support document posted to its website on Friday, Apple explained that it has already updated its plugin blocking tool built into Safari—users don't need to lift a finger.

"To help protect users from a recent vulnerability, Apple has updated the web plug-in-blocking mechanism to disable older versions of the web plug-in: Adobe Flash Player," the company wrote.

Earlier this year, Apple blacklisted the latest version of Java—twice—due to security vulnerabilities. But Flash comes with its own security risks: Adobe issued an emergency Flash update earlier this month due to similar vulnerabilities on OS X and Windows, with another emergency update issued again three days ago. Like the Java holes, the Flash vulnerabilities allow remote attackers to surreptitiously install malware on vulnerable machines.

