Time to Patch


14
Apr 15

Critical Updates for Windows, Flash, Java

Get your patch chops on people, because chances are you’re running software from Microsoft, Adobe or Oracle that received critical security updates today. Adobe released a Flash Player update to fix at least 22 flaws, including one flaw that is being actively exploited. Microsoft pushed out 11 update bundles to fix more than two dozen bugs in Windows and associated software, including one that was publicly disclosed this month. And Oracle has an update for its Java software that addresses at least 15 flaws, all of which are exploitable remotely without any authentication.

brokenflash-aAdobe’s patch includes a fix for a zero-day bug (CVE-2015-3043) that the company warns is already being exploited. Users of the Adobe Flash Player for Windows and Macintosh should update to Adobe Flash Player 17.0.0.169 (the current versions other OSes is listed in the chart below).

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to version 17.0.0.169.

Google has an update available for Chrome that fixes a slew of flaws, and I assume it includes this Flash update, although the Flash checker pages only report that I now have version 17.0.0 installed after applying the Chrome update and restarting (the Flash update released last month put that version at 17.0.0.134, so this is not particularly helpful). To force the installation of an available update, click the triple bar icon to the right of the address bar, select “About Google” Chrome, click the apply update button and restart the browser.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

brokenwindowsMicrosoft has released 11 security bulletins this month, four of which are marked “critical,” meaning attackers or malware can exploit them to break into vulnerable systems with no help from users, save for perhaps visiting a booby-trapped or malicious Web site. The Microsoft patches fix flaws in Windows, Internet Explorer (IE), Office, and .NET

The critical updates apply to two Windows bugs, IE, and Office. .NET updates have a history of taking forever to apply and introducing issues when applied with other patches, so I’d suggest Windows users apply all other updates, restart and then install the .NET update (if available for your system). Continue reading →


18
Mar 15

OpenSSL Patch to Plug Severe Security Holes

The world is about to get another reminder about just how much of the Internet runs on technology maintained by a handful of coders working on a shoestring budget. OpenSSL — the software used by thousands of companies to encrypt online communications — is set to get a security makeover this week: The OpenSSL project said it plans to release new versions of its code to fix a number of security weaknesses, including some classified as “high” severity.

iheartOpenSSL is deployed at countless organizations, including at Web giants like Facebook, Google and Yahoo — as well as broadly across U.S. federal government networks. As its name suggests, OpenSSL implements Secure Sockets Layer (SSL) encryption (also known as “transport layer security” or TLS) for Web sites and associated networks, ensuring that the data cannot be read by untrusted parties.

The patch is likely to set off a mad scramble by security teams at organizations that rely on OpenSSL. That’s because security updates — particularly those added to open-source software like OpenSSL that anyone can view — give cybercriminals a road map toward finding out where the fixed vulnerabilities lie and insight into how to exploit those flaws.

Indeed, while the OpenSSL project plans to issue the updates on Thursday, Mar. 19, the organization isn’t pre-releasing any details about the fixes. Steve Marquess, a founding partner at the OpenSSL Software Foundation, said that information will only be shared in advance with the major operating system vendors.

“We’d like to let everyone know so they can be prepared and so forth, but we have been slowly driven to a pretty brutal policy of no [advance] disclosure,” Marquess said. “One of our main revenue sources is support contracts, and we don’t even give them advance notice.”

Advance notice helps not only defenders, but attackers as well. Last year, ne’er-do-wells pounced on Heartbleed, the nickname given to an extremely critical flaw in OpenSSL that allowed anyone to extract passwords, cookies and other sensitive data from servers that were running vulnerable versions of OpenSSL. This Heartbleed disclosure timeline explains a great deal about how that process unfolded in a less-than-ideal manner. Continue reading →


12
Mar 15

Adobe Flash Update Plugs 11 Security Holes

Adobe has released an update for its Flash Player software that fixes at least 11 separate, critical security vulnerabilities in the program. If you have Flash installed, please take a moment to ensure your systems are updated.

brokenflash-aNot sure whether your browser has Flash installed or what version it may be running? Browse to this link. The newest, patched version is 17.0.0.134 for Windows and Mac users. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to version 17.0.0.134.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

The last few Flash updates from Adobe have been in response to zero-day threats targeting previously unknown vulnerabilities in the program. But Adobe says it is not aware of any exploits in the wild for the issues addressed in this update. Adobe’s advisory on this patch is available here.


10
Mar 15

Microsoft Fixes Stuxnet Bug, Again

Microsoft today shipped a bundle of security updates to address more than three dozen vulnerabilities in Windows and associated software. Included in the batch is a fix for a flaw first patched in 2010 — the very same vulnerability that led to the discovery of the infamous cyberweapon known as Stuxnet. Turns out, the patch that Microsoft shipped to fix that flaw in 2010 didn’t quite do the trick, leaving Windows users dangerously exposed all this time.

brokenwindowsOn this, the third Patch Tuesday of 2015, Microsoft pushed 14 update bundles to address at least 43 separate vulnerabilities in Internet Explorer, Exchange, Office and a host of other components.

Five of the the patches released today fix flaws that Microsoft has assigned its most serious “critical” label, meaning the vulnerabilities these patches fix can be exploited to compromise vulnerable systems through little or no action on the part of the user — save for perhaps opening a booby-trapped file or visiting a hacked/malicious Web site.

One of the more curious critical fixes is MS15-020, which according to HP’s Zero Day Initiative researchers addresses the same vulnerability that Microsoft patched in August 2010. That vulnerability — first revealed in a post on this blog July 15, 2010 — was later discovered to have been one of four zero-day flaws used in Stuxnet, a weapon of unprecedented sophistication that is now widely considered to have been a joint U.S. and Israeli project aimed at delaying Iran’s nuclear ambitions. The folks at HP TippingPoint have published a blog post on their work in uncovering the failed fix, and how the original 2010 patch missed the mark. For more on Stuxnet, check out Kim Zetter‘s excellent new book, Countdown To Zero Day. Continue reading →


5
Feb 15

Yet Another Flash Patch Fixes Zero-Day Flaw

For the third time in two weeks, Adobe has issued an emergency security update for its Flash Player software to fix a dangerous zero-day vulnerability that hackers already are exploiting to launch drive-by download attacks.

brokenflash-aThe newest update, version 16.0.0.305, addresses a critical security bug (CVE-2015-0313) present in the version of Flash that Adobe released on Jan. 27 (v. 16.0.0.296). Adobe said it is are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Adobe’s advisory credits both Trend Micro and Microsoft with reporting this bug. Trend Micro published a blog post three days ago warning that the flaw was being used in malvertising attacks – booby-trapped ads uploaded by criminals to online ad networks. Trend also published a more in-depth post examining this flaw’s use in the Hanjuan Exploit Kit, a crimeware package made to be stitched into hacked Web sites and foist malware on visitors via browser plug-in flaws like this one. Continue reading →


27
Jan 15

Yet Another Emergency Flash Player Patch

For the second time in a week, Adobe has issued an emergency update to fix a critical security flaw that crooks are actively exploiting in its Flash Player software. Updates are available for Flash Player on Windows and Mac OS X.

brokenflash-aLast week, Adobe released an out-of-band Flash Patch to fix a dangerous bug that attackers were already exploiting. In that advisory, Adobe said it was aware of yet another zero-day flaw that also was being exploited, but that last week’s patch didn’t fix that flaw.

Earlier this week, Adobe began pushing out Flash v. 16.0.0.296 to address the outstanding zero-day flaw. Adobe said users who have enabled auto-update for Flash Player will be receiving the update automatically this week. Alternatively, users can manually update by downloading the latest version from this page.

Adobe said it is working with its distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. Google Chrome version 40.0.2214.93 includes this update, and is available now. To check for updates in Chrome, click the stacked three bars to the right of the address bar in Chrome, and look for a listing near the bottom that says “Update Chrome.”

To see which version of Flash you have installed, check this link. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).


22
Jan 15

Flash Patch Targets Zero-Day Exploit

Adobe today released an important security update for its Flash Player software that fixes a vulnerability which is already being exploited in active attacks. Compounding the threat, the company said it is investigating reports that crooks may have developed a separate exploit that gets around the protections in this latest update.

brokenflash-aEarly indicators of a Flash zero-day vulnerability came this week in a blog post by Kafeine, a noted security researcher who keeps close tabs on new innovations in “exploit kits.” Often called exploit packs — exploit kits are automated software tools that help thieves booby-trap hacked sites to deploy malicious code.

Kafeine wrote that a popular crimeware package called the Angler Exploit Kit was targeting previously undocumented vulnerability in Flash that appears to work against many different combinations of the Internet Explorer browser on Microsoft Windows systems.

Attackers may be targeting Windows and IE users for now, but the vulnerability fixed by this update also exists in versions of Flash that run on Mac and Linux as well. The Flash update brings the media player to version 16.0.0.287 on Mac and Windows systems, and 11.2.202.438 on Linux.

While Flash users should definitely update as soon as possible, there are indications that this fix may not plug all of the holes in Flash for which attackers have developed exploits. In a statement released along with the Flash update today, Adobe said its patch addresses a newly discovered vulnerability that is being actively exploited, but that there appears to be another active attack this patch doesn’t address.

“Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player,” Adobe said. “Additionally, we are investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild.”

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although as of this writing it seems that the latest version of Chrome (40.0.2214.91) is still running v. 16.0.0.257Continue reading →


21
Jan 15

Java Patch Plugs 19 Security Holes

Oracle this week released its quarterly patch update for Java, a widely-installed program that for most casual users has probably introduced more vulnerability than utility. If you have Java installed and require it for some application or Web site, it’s time to update it. If you’re not sure you have Java on your computer or are unsure why you still have it, read on for advice that could save you some security headaches down the road.

javamessOracle’s update brings Java 7 to Update 75 and Java 8 to Update 31, and fixes at least 19 security vulnerabilities in the program. Security vendor Qualys notes that 13 of those flaws are remotely exploitable, with a CVSS score of 10 (the most severe possible score).

Java 7 users should know that Oracle plans to start using the auto-update function built into the program to migrate those users to Java 8 this week.

According to a new report (PDF) from Cisco, online attacks that exploit Java vulnerabilities have decreased by 34 percent in the past year. Cisco reckons this is thanks to security improvements in the program, and to bad guys embracing new attack vectors — such Microsoft Silverlight flaws (if you’re a Netflix subscriber, you have Silverlight installed). Nevertheless, my message about Java will remain the same: Patch it, or pitch it. Continue reading →


12
Dec 14

‘Security by Antiquity’ Bricks Payment Terminals

Last week, several thousand credit card payment terminals at various retailers across the country suddenly stopped working, their LCD displays showing blank screens instead of numbers and letters. Puzzled merchants began to worry that this was perhaps part of some sophisticated hacker attack on their cash registers. It turns out that the incident was indeed security-related, but for once it had nothing to do with cyber thieves.

Hypercom L4250 payment terminal.

Hypercom L4250 payment terminal.

On Dec. 7, 2014, certain older model payment terminals made by Hypercom stopped working due to the expiration of a cryptographic certificate used in the devices, according to Scottsdale, Ariz.-based Equinox Payments, the company that owns the Hypercom brand.

“The security mechanism was triggered by the rollover of the date and not by any attack on or breach of the terminal,” said Stuart Taylor, vice president of payment solutions at Equinox. “The certificate was created in 2004 with a 10 year expiry date.”

Taylor said Equinox is now working with customers, distributors and channel partners to replace the certificate to return terminals to an operational state. The company is pointing affected customers who still need assistance to this certificate expiry help page.

“Many of these terminals have been successfully updated in the field,” Taylor said. “Unfortunately, a subset of them can’t be fixed in the field which means they’ll need to be sent to our repair facility.  We are working with our customers and distribution partners to track down where these terminals are and will provide whatever assistance we can to minimize any disruption as a result of this matter.”

According to two different merchants impacted by the incident that reached out to KrebsOnSecurity, the bricking of these payment terminals occurs only after the affected devices (in the 4x version of the terminals) are power-cycled or rebooted, which some merchants do daily.

Michael Rochette, vice president at Spencer Technologies, a Northborough, Mass.-based technology installation and support company, said his firm heard last week from an East Coast supermarket chain that opened for business on Monday morning only to find all of their payment terminals unresponsive. Rochette said that the supermarket chain and other retailers impacted by the incident across the country were immediately worried that the incident was part of a hacker attack on their payment infrastructure.

“Not all stores power cycle overnight, but for those that do, they came up all blank and inoperative,” Rochette said. “If that’s something that a retail chain does as a matter of policy across a whole chain of stores, that can be pretty damaging.” Continue reading →


11
Dec 14

‘Poodle’ Bug Returns, Bites Big Bank Sites

Many of the nation’s top banks, investment firms and credit providers are vulnerable to a newly-discovered twist on a known security flaw that exposes Web site traffic to eavesdropping. The discovery has prompted renewed warnings from the U.S. Department of Homeland Security advising vulnerable Web site owners to address the flaw as quickly as possible.

chasepoodleIn mid-October, the world learned about “POODLE,” an innocuous acronym for a serious security flaw in a specific version (version 3.0) of Secure Sockets Layer (SSL), the technology that most commercial Web sites use to protect the privacy and security of communications with customers.

When you visit a site that begins with “https://” you can be sure that the data that gets transmitted between that site and your browser cannot be read by anyone else. That is, unless those sites are still allowing traffic over SSL 3.0, in which case an attacker could exploit the POODLE bug to decrypt and extract information from inside an encrypted transaction — including passwords, cookies and other data that can be used to impersonate the legitimate user.

On Dec. 8, researchers found that the POODLE flaw also extends to certain versions of a widely used SSL-like encryption standard known as TLS (short for Transport Layer Security).

“The impact of this problem is similar to that of POODLE, with the attack being slightly easier to execute,” wrote Ivan Ristic, director of engineering at security firm Qualys, which made available online a free scanning tool that evaluates Web sites for the presence of the POODLE vulnerability, among other problems. “The main target are browsers, because the attacker must inject malicious JavaScript to initiate the attack.”

A cursory review using Qualys’s SSL/TLS scanning tool indicates that the Web sites for some of the world’s largest financial institutions are vulnerable to the new POODLE bug, including Bank of AmericaChase.comCitibankHSBC, Suntrust — as well as retirement and investment giants Fidelity.com and Vanguard (click links to see report). Dozens of sites offering consumer credit protection and other services run by Experian also are vulnerable, according to SSL Labs. Qualys estimates that about 10 percent of Web servers are vulnerable to the POODLE attack against TLS. Continue reading →