Posts Tagged: adobe


11
Jun 13

Adobe, Microsoft Patch Flash, Windows

Patch Tuesday is again upon us: Adobe today issued updates for Flash Player and AIR, fixing the same critical vulnerability in both products. Microsoft’s patch bundle of five updates addresses 23 vulnerabilities in Windows, Internet Explorer, and Office, including one bug that is already being actively exploited.

A majority of the vulnerabilities fixed in Microsoft’s June patch batch — 19 of them — are addressed in a cumulative update for Internet Explorer (MS13-047). The other fix that Microsoft called specific attention to is MS13-051, which tackles a flaw in Office that “could allow remote code execution if a user opens a specially crafted Office document..or previews or opens a specially crafted email message in Outlook while using Microsoft Word as the email reader.”

This Office flaw, which is present in the latest versions of Office 2003 and Microsoft Office for Mac 2011, is already being exploited in targeted attacks, Microsoft said. According to the company’s advisory, this vulnerability was reported by Google. These attacks fit the profile of previous zero-day incidents, which use targeted email lures and previously unknown vulnerabilities to break into high-value targets.

“When Google encounters flaws that exploit users’ computers, even when the flaws are in other companies’ software, we take strong action to mitigate those attacks,” a Google spokesperson said in response to a request for comment. “Based on the exploit and the way it has been utilized by attackers, we strongly believe the attacks to be associated with a nation-state organization.”

Adobe’s Flash and AIR updates also fix a critical bug that was reported by Google’s security team, although Adobe says it is not aware of any exploits or attacks in the wild against the vulnerability addressed in its update. The latest Flash version is 11.7.700.224 for Windows and 11.7.700.225 for Mac OS X. This link will tell you which version of Flash your browser has installed. IE10 and Chrome should auto-update their versions of Flash. If your version of Chrome is not yet updated to v. 11.7.700.225, you may just need to restart the browser.



14
May 13

Microsoft, Adobe Push Critical Security Updates

Microsoft and Adobe today each released updates to fix critical security holes in their software. Microsoft’s patch batch tackles at least 33 vulnerabilities in Windows and other products, including a fix for a zero-day vulnerability in Internet Explorer 8 that attackers have been exploiting. Separately, Adobe pushed security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.

Microsoft’s Patch Tuesday bundle includes two separate updates for Internet Explorer; the first (MS13-037) is a cumulative update for Internet Explorer. The second is a fix (MS13-038) specifically for a critical bug in IE 8 that miscreants and malware have been using to break into Windows computers. Other, slightly less severe holes were fixed in Microsoft Publisher, Word, Visio and Windows Essentials.

Last week, Microsoft released a stopgap “Fix-it” tool to help blunt the threat from the IE8 zero-day flaw. If you installed that interim fix, Microsoft recommends taking a moment to disable it before applying today’s patches.

<soapbox>On a side note..Dear Microsoft: Please stop asking people to install Silverlight every time they visit a Microsoft.com property. I realize that Silverlight is a Microsoft product, but it really is not needed to view information about security updates. In keeping with the principle of reducing the attack surface of an operating system, you should not be foisting additional software on visitors who are coming to you for information on how to fix bugs and vulnerabilities in Microsoft products that they already have installed. </soapbox>

Silverlight required? C’mon, Microsoft!

As it usually does on Microsoft’s Patch Tuesday, Adobe used the occasion to push its own security updates. A new version of Flash (v. 11.7.700.202 for Mac and Windows systems) fixes 13 vulnerabilities.  IE 10 and Google Chrome automatically update themselves to fix Flash flaws. This link should tell you which version of Flash your browser has installed. If your version of Chrome is not yet updated to v. 11.7.700.202, you may need to just restart the browser.



20
Feb 13

Critical Security Updates for Adobe Reader, Java

Adobe and Oracle each released updates to fix critical security holes in their software. Adobe’s patch plugs two zero-day holes that hackers have been using to break into computers via Adobe Reader and Acrobat. Separately, Oracle issued updates to correct at least five security issues with Java.

The Java update comes amid revelations by Apple, Facebook and Twitter that employees at these organizations were hacked using exploits that attacked Java vulnerabilities on Mac and Windows machines. According to Bloomberg News, at least 40 companies were targeted in malware attacks linked to an Eastern European gang of hackers that has been trying to steal corporate secrets.

Oracle’s update brings Java on Windows systems to Java SE 7 Update 15, and Java 6 Update 41. Most consumers can get by without Java installed, or at least not plugged into the browser. Because of the prevalence of threats targeting Java installations, I’d urge these users to remove Java or unplug it from the browser. If this is too much trouble, consider adopting a dual-browser approach, keeping Java unplugged from your main browser, and plugged in to a secondary browser that you only use to visit sites that require the plugin. To find out if you have Java installed, visit java.com and click the “Do I have Java?” link below the big red button. Existing users can update Java from the Java Control Panel, clicking the Update tab and then the “Update Now” button.

Apple has issued an update that brings Java up-to-date on security patches but also disables the Java plugin from Web browsers on the system. Apple also issued a malware removal tool that it said should remove from Macs the most common variants of malware that used the most recent Java exploits.


7
Feb 13

Critical Flash Player Update Fixes 2 Zero-Days

Adobe today pushed out an emergency update that fixes at least two zero-day vulnerabilities in its ubiquitous Flash Player software — flaws that attackers are already exploiting to break into systems. Interestingly, Adobe warns that one of the exploits in use is designed to drop malware on both Windows and Mac OS X systems.

Adobe said in an advisory that one of the vulnerabilities — CVE-2013-0634 — is being exploited in the wild in attacks delivered via malicious Flash content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment.

Adobe also warned that a separate flaw – CVE-2013-0633 – is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash content. The company said the exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows (i.e. Internet Explorer users).

Updates are available for Windows, Mac, Linux and Android users. The latest Windows and Mac version is v. 11.5.502.149, and is available from this link. Those who prefer a direct link to the OS-specific downloads can grab them here. To find out if you have Flash installed and what version your browser may be running, check out this page.

Flash Player installed with Google Chrome should automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player v. 11.5.31.139 for Windows, Macintosh and Linux. Likewise, Internet Explorer 10 for Windows 8 also includes an auto-update feature, which should bring Flash to version 11.3.379.14 for Windows.

Adobe’s advisory notes that the vulnerability that has been used to attack both Mac and Windows users was reported with the help of the Shadowserver Foundation, the federally funded technology research center MITRE Corporation, and aerospace giant Lockheed Martin’s computer incident response team. No doubt there are some interesting stories about how these attacks were first discovered, and against whom they were initially deployed.


8
Jan 13

Adobe, Microsoft Ship Critical Security Updates

Adobe and Microsoft today separately issued updates to fix critical security vulnerabilities in their products. Adobe pushed out fixes for security issues in Acrobat, Adobe Reader and its Flash Player plugin. Microsoft released seven patches addressing at least a dozen security holes in Windows and other software, although it failed to issue an official patch for a dangerous flaw in its Internet Explorer Web browser that attackers are now actively exploiting.

Two of the patches that Microsoft issued today earned a “critical” rating, signifying that these vulnerabilities could be exploited to fully compromise vulnerable Windows systems without any help from users. Microsoft called special attention to two critical bugs in its XML Core Services component; the company said it is likely that malware or miscreants will figure out a way to exploit these flaws in active attacks sometime within the next 30 days.

Unfortunately, Microsoft did not offer an official fix for a critical Windows flaw that malware and miscreants are already exploiting. In late December, Microsoft acknowledged that attackers were using a previously undocumented security hole in Internet Explorer versions 6 through 8 to break into Windows PCs. Microsoft later issued a stopgap “FixIt” tool to help lessen the vulnerability on affected systems, but researchers last week demonstrated that the FixIt tool only blocked some methods of attacking the flaw, leaving other ways unguarded. Meanwhile, a working copy of the exploit has been folded into Metasploit, a free penetration testing tool.

Wolfgang Kandek, chief technology officer at vulnerability management firm Qualys, said the zero-day IE vulnerability affects 90% of the IE install base at this time.

“Microsoft is not providing a patch today, though they have provided a Fix-It for the issue,” Kandek wrote in a blog post. “The vulnerability should be tracked closely, as a large percentage of enterprises still run the affected versions.”

Users who wish to continue browsing the Web with IE should upgrade to IE9 if possible (IE10 on Windows 8 also is not vulnerable). Users still on Windows XP will not be able to update to IE9, but may be able to derive some protection from the FixIt tool and by using Microsoft’s EMET tool. XP users may be better off, however, browsing with Firefox or Chrome with some type of script blocking and/or sandbox in place. More information on how to use EMET and script blocking options is available in my Tools for a Safer PC primer. More details about today’s updates from Microsoft can be found at the Microsoft Security Response Center blog and in the security bulletin summaries for each patch.

The Adobe Flash patch fixes at least one critical vulnerability in the media player plugin. Updates are available for all supported versions of Flash, including for Windows, Mac, Linux and Android. See the chart below for the latest version number broken down by operating system.



11
Dec 12

Critical Updates for Flash Player, Microsoft Windows

Adobe and Microsoft have each released security updates to fix critical security flaws in their software. Microsoft issued seven update bundles to fix at least 10 vulnerabilities in Windows and other software. Separately, Adobe pushed out a fix for its Flash Player and AIR software that addresses at least three critical vulnerabilities in these programs.

A majority of the bugs quashed in Microsoft’s patch batch are critical security holes, meaning that malware or miscreants could exploit them to seize control over vulnerable systems with little or no help from users. Among the critical patches is an update for Internet Explorer versions 9 and 10 (Redmond says these flaws are not present in earlier versions of IE).

Other critical patches address issues with the Windows kernel, Microsoft Word, and Microsoft Exchange Server. The final critical bug is a file handling vulnerability in Windows XP, Vista and 7 that Microsoft said could allow remote code execution if a user browses to a folder that contains a file or subfolder with a specially crafted name. Yikes. Updates are available through Windows Update or via Automatic Updates.



14
Aug 12

Critical Security Fixes from Adobe, Microsoft

Adobe and Microsoft each issued security updates today to fix critical vulnerabilities in their software. Adobe’s fixes include a patch for a Flash Player flaw that is actively being exploited to break into Windows computers. Microsoft’s Patch Tuesday release includes nine patch bundles — more than half of them rated critical — addressing at least 27 security holes in Windows and related software.

The most pressing of the updates Adobe released today is the Flash Player patch, which fixes a critical flaw (CVE-2012-1535) in the ubiquitous media player software. Adobe says there are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious Microsoft Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.



9
Jul 12

How to Break Into Security, Grossman Edition

I recently began publishing a series of advice columns for people who are interested in learning more about security as a craft or profession. For the third installment in this series, I interviewed Jeremiah Grossman, chief technology officer of WhiteHat Security, a Web application security firm.

A frequent speaker on a broad range of security topics, Grossman stressed the importance of coding, networking, and getting your hands dirty (in a clean way, of course).

BK: How did you get started in computer security?

Grossman: For me it was…I could hack stuff and I did it in my spare time and someone offered me a job — which was Yahoo. But before that, I was just a UNIX admin. I was thinking about this question a lot, and what occurred to me is that I don’t know too many people in infosec who chose infosec as a career. Most of the people who I know in this field didn’t go to college to be infosec pros, it just kind of happened. They followed opportunity.

BK: You might have seen that the last two experts I asked had somewhat different opinions on this question, but how important is it that someone interested in this field know how to code?

Grossman: It’s tough to give solid advice without knowing more about a person. For instance, are they interested in network security or application security? You can get by in IDS and firewall world and system patching without knowing any code; it’s fairly automated stuff from the product side. But with application security, it is absolutely mandatory that you know how to code and that you know software. So with Cisco gear, it’s much different from the work you do with Adobe software security. Infosec is a really big space, and you’re going to have to pick your niche, because no one is going to be able to bridge those gaps, at least effectively.

BK: So would you say hands-on experience is more important than formal security education and certifications?

Grossman: The question is are people being hired into entry level security positions straight out of school? I think somewhat, but that’s probably still pretty rare. There’s hardly anyone coming out of school with just computer security degrees. There are some, but we’re probably talking in the hundreds. I think the universities are just now within the last 3-5 years getting masters in computer security sciences off the ground. But there are not a lot of students in them.

BK:  What do you think is the most important qualification to be successful in the security space, regardless of a person’s background and experience level?

Grossman: The ones who can code almost always [fare] better. Infosec is about scalability, and application security is about scalability. And if you can understand code, you have a better likelihood of being able to understand how to scale your solution. On the defense side, we’re out-manned and outgunned constantly. It’s “us” versus “them,” and I don’t know how many of “them,” there are, but there’s going to be too few of “us” at all times. So whatever your solution is or design criteria, you’re going to have to scale it. For instance, you can imagine Facebook…I’m not sure how many security people they have, but…it’s going to be a tiny fraction of a percent of their user base, so they’re going to have to figure out how to scale their solutions so they can protect all those users.



8
May 12

Adobe, Microsoft Push Critical Security Fixes

Adobe and Microsoft today each issued updates to address critical security flaws in their software. Adobe’s patch plugs at least five holes in its Shockwave Player, while Microsoft has released a bundle of seven updates to correct 23 vulnerabilities in Windows and other products.

Microsoft’s May patch batch includes fixes for vulnerabilities that could be exploited via Web browsing, file-sharing, or email. Eight of the 23 flaws earned Microsoft’s “critical” rating, meaning no user interaction is required for vulnerable systems to be hacked. At least three of the flaws were publicly disclosed before today.

According to Microsoft, two updates are the most dire: the first is related to a critical flaw in Microsoft Word (MS12-029); the second is an unusually ambitious update that addresses flaws present in Microsoft Office, Windows, .NET Framework and Silverlight. In a blog post published today, Microsoft explained why it chose to patch all of these seemingly disparate products in one go. The short version is that Microsoft is addressing the ghost of Duqu, a sophisticated malware family discovered last year that was designed to attack industrial control systems and is thought to be related to the infamous Stuxnet worm. A patch Microsoft issued last year addressed the underlying Windows vulnerability exploited by Duqu, but the company found that the same vulnerable code resided in a slew of other Microsoft applications.



14
Feb 12

Critical Fixes from Microsoft, Adobe

If you use Microsoft Windows, it’s time again to get patched: Microsoft today issued nine updates to fix at least 21 security holes in its products. Separately, Adobe released a critical update that addresses nine vulnerabilities in its Shockwave Player software.

Four of the patches earned Microsoft’s most dire “critical” rating, meaning that miscreants and malware can leverage the flaws to hijack vulnerable systems remotely without any help from the user.  At least four of the vulnerabilities were publicly disclosed prior to the release of these patches.

The critical patches repair faulty components that can lead to browse-and-get-owned scenarios; among those is a fix for a vulnerability in Microsoft Silverlight, a browser plugin that is required by a number of popular sites — including Netflix — and can affect multiple browsers and even Mac systems. Microsoft believes that attackers are likely to quickly devise reliable exploits to attack at least a dozen of the 21 flaws it is fixing with this month’s release.
