
    Time to Patch


    21 Sep 11

    Flash Player Update Fixes Critical Flaws

    Adobe today issued an out-of-band software update to fix dangerous security flaws in its Flash Player products, including at least one that is actively being exploited. Patches are available for versions of Flash on Windows, Mac, Linux, Solaris and Android operating systems.

    Adobe said one of the bugs, a cross-site scripting flaw, is being exploited in the wild in targeted attacks that trick users into clicking on a malicious link delivered in an email message. At the moment there isn’t much more information about this vulnerability (other than that Adobe credits Google with reporting it). That may soon change if news begins to surface about which organizations were targeted with the help of this flaw.

    According to Adobe: “This universal cross-site scripting issue could be used to take actions on a user’s behalf on any website or webmail provider if the user visits a malicious website.”



    13 Sep 11

    Adobe, Windows Security Patches

    If you use Windows or Adobe Reader/Acrobat, it’s patch time. Microsoft released five updates to fix at least 15 security vulnerabilities, and Adobe issued a quarterly update to eliminate 13 security flaws in its PDF Reader and Acrobat products.

    The Microsoft patches, available via Windows Update and Automatic Update, address security holes in Excel, Office, Windows Server and SharePoint. None of the flaws earned Redmond’s most dire “critical” rating, but it’s a mistake to let too much time go by before installing these updates.

    Adobe’s patches for Reader and Acrobat correct critical vulnerabilities in the programs that could be exploited by attackers just by convincing users to open a booby-trapped file. Updates are available for Adobe Reader X (10.1) and earlier versions for Windows, Macintosh, Adobe Reader 9.4.2 and earlier versions for UNIX, and Adobe Acrobat X (10.1) and earlier versions for Windows and Macintosh.

    Acrobat users should check out the Adobe security advisory. Heads up for users of older versions of Reader and Acrobat: support for Adobe Reader 8.x and Acrobat 8.x for Windows and Macintosh will end on November 3, 2011.

    As always, please leave a note in the comments section below if you experience any issues resulting from the installation of these updates.


    10 Aug 11

    Updates for Adobe Flash, Shockwave, AIR

    Adobe has shipped patches to fix a slew of critical security flaws in its products, including Flash, Shockwave Player and Adobe AIR.

    The Flash update corrects at least 13 critical vulnerabilities present in versions 10.3.181.36 and earlier for Windows, Mac, Linux and Solaris machines (the bugs exist in Flash versions 10.3.185.25 and earlier for Android devices). Windows, Mac, Linux and Solaris users should upgrade to version 10.3.183.5, and Android users should update to v. 10.3.186.2.

    To find out which version of Flash you have, visit this page. Windows users who browse the Web with anything other than Internet Explorer will need to apply the Flash update twice, once using IE and again with the other browser (Google Chrome users should already have the latest version of Flash). To avoid using Adobe’s annoying Download Manager, IE users can grab the latest update directly from this link; the direct link for non-IE browsers is here.



    9 Aug 11

    22 Reasons to Patch Your Windows PC

    Microsoft today released 13 software updates to fix at least 22 security flaws in its Windows operating systems and other software. Two of the flaws addressed in the August patch batch earned Microsoft’s most dire “critical” rating, meaning that attackers can exploit them to break into systems without any help from users.

    Among the critical updates is a cumulative patch for Internet Explorer that plugs at least five security holes in the browser. The update is considered critical for IE versions 7, 8 and 9 (oddly enough, it earned an overall “important” rating on the insecure IE6).

    The other critical patch fixes a serious problem with the DNS server built into Windows Server 2003 and Windows Server 2008 systems (consumer systems such as Windows XP, Vista and Windows 7 are not affected by the flaw). Although the DNS bug is rated critical, Microsoft considers it unlikely that attackers will develop functioning code to exploit the flaw.

    Nine other flaws earned Microsoft’s important rating, and six of those ranked high on Microsoft’s exploitability index, meaning the company believes it is likely that attackers will develop code designed to exploit them to break into Windows PCs.

    As always, if you experience any issues during or after applying the updates, please leave a note in the comment section about it. A summary of all patches released today is available at this link.


    18 Jul 11

    Apple’s i-Patches Fix Critical iOS Flaws

    Apple has issued a software update that fixes at least three serious security holes in supported versions of its iPhone, iPad, iPod and iPod Touch devices.

    The patch targets security weaknesses in the way iOS devices render PDF files. Experts have been warning that attackers could leverage the flaws to install software without warning or permission if users were to merely browse to a malicious site. The update fixes the same vulnerabilities that jailbreakme.com has been using to help people jailbreak Apple’s i-devices.

    The Apple update — iOS 4.2.9 or iOS 4.3.4, depending on your device — can be downloaded only from within iTunes. If you are planning to jailbreak your device, visit jailbreakme.com, and then apply the unofficial patch that the Dev-Team released to help jailbreakers protect their phones from further abuse of the vulnerabilities.


    12 Jul 11

    Microsoft Fixes Scary Bluetooth Flaw, 21 Others

    Microsoft today released updates to fix at least 22 security flaws in its Windows operating systems and other software. The sole critical patch from this month’s batch addresses an unusual Bluetooth vulnerability that could let nearby attackers break into vulnerable systems even when the targeted computer is not connected to a network.

    Bluetooth is a wireless communications standard that allows electronic devices — such as laptops, mobile phones and headsets — to communicate over short distances (the average range is between 30 to 100 meters, but that range can be extended with specialized tools). To share data, two Bluetooth-enabled devices normally need to “pair” with one another, a process that involves the exchange of a passkey between the two devices.

    But Microsoft today shipped a patch to fix a flaw in its Bluetooth implementation on Windows Vista and Windows 7 computers that it said attackers could use to seize control over a vulnerable system without any action on the part of the user. The assailant’s computer would need to be within a short distance of the victim’s PC, and the target would merely need to have Bluetooth turned on.

    Joshua Talbot, security intelligence manager for Symantec Security Response, said the vulnerability could be exploited without any alerts being sent to the victim PC.

    “An attacker would exploit this by sending specific malicious data to the targeted computer while establishing a Bluetooth connection,” Talbot said. “Because of a memory corruption issue at the heart of this vulnerability, the attacker would then gain access to the computer. All this would happen before any notification alerts the targeted user that another computer has requested a Bluetooth connection.”

    Although it is unlikely, such a vulnerability could be used to power a computer worm that spreads from one Bluetooth-enabled Windows laptop to another, Talbot said.



    15 Jun 11

    Microsoft Patches Fix 34 Security Flaws

    Microsoft on Tuesday released 16 software updates to fix at least 34 security vulnerabilities in its Windows operating systems and other software. More than half of the updates address flaws Microsoft rates “critical,” meaning the bugs can be exploited with little to no user interaction.

    For organizations that need to test patches before deploying them, Microsoft said four of the updates deserve priority:

    • MS11-042 (DFS). This bulletin resolves two privately reported issues affecting all versions of Windows.
    • MS11-043 (SMB Client). This bulletin resolves one privately reported issue affecting all versions of SMB Client on Windows.
    • MS11-050 (Internet Explorer). This security bulletin resolves 11 privately reported issues in Internet Explorer.
    • MS11-052 (Windows). This bulletin resolves one privately reported issue in Windows and is also Critical.

    Another update, labeled “important,” fixes at least eight security problems in all versions of Microsoft Excel, including Office for Mac.

    More information on this week’s updates is available at this summary. Updates are available from Windows Update and via Automatic Updates. You may want to set aside some time for this update package: among the critical patches is an update for Microsoft’s .NET software, and .NET updates are typically bulky. If you experience problems after applying any of the updates, please leave a note about it in the comments below.


    14 Jun 11

    Adobe Ships Security Patches, Auto-Update Feature

    Adobe today issued more than a dozen security updates for its Acrobat and PDF Reader programs, including a feature update that will install future Reader security updates automatically. In addition, Adobe has shipped yet another version of its Flash Player software to fix a critical security flaw.

    No doubt some will quibble with Adobe’s move toward auto-updating Reader: there is always a contingent in the user community who fear automatic updates will at some point force a faulty patch. But for better or worse, Adobe’s Reader software is the PDF reader software of choice for a majority of Windows computers in use today. Faced with incessant malware attacks against outdated versions of these programs, it seems irresponsible for Adobe to do anything other than offer auto-update capability to Reader users more aggressively.

    Adobe debuted this feature in April 2010, but at the time Adobe decided to continue to honor whatever update option users had selected (the default has always been “download all updates automatically and notify me when they are ready to be installed”). With this latest update, Adobe will again prompt users to approve an auto-update choice, except this time the pre-selected option will be “Install Updates Automatically.”



    7 Jun 11

    Java Patch Plugs 17 Security Holes

    Oracle today released an update to its ubiquitous Java software that fixes at least 17 security vulnerabilities in the program.

    The company is advising users to apply this update as soon as possible; it looks like most — if not all — of the vulnerabilities addressed by this new version may be exploited remotely without authentication.

    The latest version is Java 6 Update 26 (v. 1.6.0.26), and is available either through the updater built in to Java (accessible from the Windows control panel) or by visiting java.com. If you’re not sure which version you have or whether you’ve got the program installed at all, click the “Do I have Java” link below the red download button on the Java homepage.

    Java’s broad install base has made it a major target for computer crooks. It certainly does not help that so many users fail to keep this very powerful program updated. If you have no use for Java, my advice is to get rid of it. If you can’t bring yourself to do that, consider disabling the Java plug-in(s) in your browser of choice unless and until you need the program.


    5 Jun 11

    Flash Player Patch Fixes Zero-Day Flaw

    Adobe released an emergency security update today to fix a vulnerability that the company warned is being actively exploited in targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

    The vulnerability, a cross-site scripting bug that could be used to take actions on a user’s behalf on any Web site or Webmail provider, exists in Flash Player version 10.3.181.16 and earlier for Windows, Macintosh, Linux and Solaris. Adobe recommends users update to version 10.3.181.22 (on Internet Explorer, the latest, patched version is 10.3.181.23). To find out what version of Flash you have, go here.

    Google appears to have already pushed out an update that fixes this flaw in Chrome. Adobe says it will ship an update to fix this flaw on Android sometime this week.

    Adobe said it is still investigating whether this is exploitable in Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions of Adobe Reader and Acrobat for Windows and Macintosh operating systems, and that it is not aware of any attacks targeting Adobe Reader or Acrobat in the wild.

    Remember that if you use Internet Explorer in addition to other browsers, you will need to apply this update twice: once to install the Flash ActiveX plugin for IE, and again to update other browsers, such as Firefox and Opera. Updates are available by browsing with the appropriate browser to the Flash Player Download Center. Bear in mind that updating via the Download Center involves installing Adobe’s Download Manager, which may try to foist additional software. If you’d prefer to update manually, the direct installers for Windows are available at this link. If you run into problems installing this update, you’ll want to uninstall previous versions of Flash Player and then try again.