Posts Tagged: adobe

Latest Warnings / The Coming Storm24 Comments
14
Mar 11

Adobe: Attacks on Flash Player Flaw

Adobe warned today attackers are exploiting a previously unknown security flaw in all supported versions of its Flash Player software. The company said the same vulnerability exists in Adobe Reader and Acrobat, but that it hasn’t yet seen attacks targeting the flaw in those programs.

In an advisory released today, Adobe said malicious hackers were exploiting a critical security hole in Flash (up to and including the latest version of Flash. The software maker warned the vulnerability also exists in Adobe Flash player 10.2.152.33 and earlier versions for Windows, Mac, Linux and Solaris operating systems (10.2.154.13 and earlier for Chrome users), Flash Player 101.106.16 and earlier for Android. In addition, Adobe believes the bug lives in the “authplay.dll” component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Mac systems.

Adobe warns that the security hole is currently being exploited via Flash (.swf) files embedded in a Microsoft Excel document delivered as an email attachment. Why someone would need to embed a Flash file in an Excel document is anyone’s guess.

Continue reading →

Latest Warnings / Time to Patch35 Comments
8
Mar 11

Patch Tuesday, Etc.

Microsoft has issued security updates to fix at least four security holes in its Windows operating system and other software. Not exactly a fat Patch Tuesday from Microsoft, but depending on how agile you are in updating third-party applications like Flash, iTunes and Shockwave, you may have some additional patching to do.

One of the updates from Microsoft earned a “critical” rating, meaning Redmond believes it could be exploited to break into vulnerable systems with little to no help from users. That flaw, a bug in the way Windows Media Player and Media Center process certain types of media files, could be leveraged by convincing a user to open a tainted video file. This flaw affects Windows XP, Vista and Windows 7.

Continue reading →

Latest Warnings / Time to Patch32 Comments
9
Feb 11

Adobe, Microsoft, WordPress Issue Security Fixes

Talk about Patch Tuesday on steroids! Adobe, Microsoft and WordPress all issued security updates for their products yesterday. In addition, security vendor Tipping Point released advisories detailing 21 unpatched vulnerabilities in products made by CA, EMC, HP, Novell and SCO.

Microsoft’s bundle includes a dozen updates addressing at least 22 security flaws in its Windows operating system and other software. Five of the vulnerabilities earned a “critical” rating, Redmond’s most serious. Six of the Windows flaws fixed in today’s release have been public for some time, although security experts at Symantec say they’re only aware of one of the flaws being actively exploited in the wild — a bug in the way Internet Explorer handles cascading style sheets. Updates are available through Windows Update or Automatic Update.

Microsoft also issued an update that changes the default behavior in Windows when users insert a removable storage device, such as a USB or thumb drive. This update effectively disables “autorun,” a feature of Windows that has been a major vector for malware over the years. Microsoft released this same update in February 2009, but it offered it as an optional patch. The only thing different about the update this time is that it is being offered automatically to users who patch through Windows Update or Automatic Update.

Update, Feb. 18, 11:56 a.m. ET: As F-Secure notes in a useful blog post, Microsoft has once again failed to disable auto-run, because this update is not offered by default, as Microsoft previously indicated.

Original story:

Adobe released an update for its Acrobat and free PDF Reader software that that fixes at least 29 security problems with these products. Adobe is urging users of Adobe Reader X (10.0) and earlier versions for Windows and Macintosh to update to Adobe Reader X (10.0.1), available now. Adobe says that an update to fix these flaws in UNIX installations of its products is expected to be available by the week of February 28, 2011.

Continue reading →

Security Tools12 Comments
7
Dec 10

Rap Sheets on Top Software Vendors

A new online resource aims to make it easier to gauge the relative security risk of using different types of popular software, such as Web browsers and media players.

Last month, I railed against the perennial practice of merely counting vulnerabilities in a software product as a reliable measure of its security: Understanding the comparative danger of using different software titles, I argued, requires collecting much more information about each, such as how long known flaws existed without patches. Now, vulnerability management firm Secunia says its new software fact sheets try to address that information gap, going beyond mere vulnerability counts and addressing the dearth of standardized and scheduled reporting of important security parameters for top software titles.

Secunia "fact sheet" on Adobe Reader security flaws.

“In the finance industry, for example, key performance parameters are reported yearly or quarterly to consistently provide interested parties, and the public, with relevant information for decision-making and risk assessment,” the company said.

In addition to listing the number of vulnerabilities reported and fixed by different software vendors, the fact sheets show the impact of a successful attack on the flaw; whether the security hole was patched or unpatched on the day it was disclosed; and information about the window of exploit opportunity between disclosure and the date a patch was issued.

The fact sheets allow some useful comparisons — such as between Chrome, Firefox, Internet Explorer and Opera. But I’m concerned they will mainly serve to fan the flame wars over which browser is more secure. The reality, as shown by the focus of exploit kits like Eleonore, Crimepack and SEO Sploit Pack, is that computer crooks don’t care which browser you’re using: They rely on users browsing the Web with outdated software, especially browser plugins like Java, Adobe Flash and Reader (all links lead to PDF files).

A Little Sunshine / Web Fraud 2.069 Comments
11
Oct 10

Java: A Gift to Exploit Pack Makers

I have long urged readers who have no need for Java to remove the program, because failing to keep this software updated with the latest security patches exposes users to dangerous, ubiquitous attacks. In this blog post, I’ll show readers how attacks against Java vulnerabilities have fast emerged as the top moneymaker for authors of the best-selling “exploit kits,” commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities.

Take one look at the newest kit on the block — “Blackhole” — and it is obvious that Java vulnerabilities continue to give attackers the most mileage and profit, and have surpassed Adobe flaws as the most successful exploit vehicles.

I spoke briefly via instant message with the developer of this Blackhole kit (pictured at right), and he assured me that these images were taken from a working installation. The screen shot here shows the administration panel for this exploit pack, which lists the number of hits (хиты) and downloads (загрузки). The statistics show that on average this kit finds a working exploit that it can use to install malicious software on a visiting host about 10 percent of the time.

Granted, as exploit pack administration pages go, this one is very young (13,289 hits at the time this screen shot was taken), but already some patterns emerge from the data. For example, we can see that Java vulnerabilities are by far the most useful, comprising more than 90 percent of all successful exploits.

This pattern is not confined to Blackhole. Have a look at the following three screen shots, taken from the exploit results pages of three different working installations of SEO Sploit Pack, another common exploit kit. All three screen shots clearly show Java vulnerabilities are the most productive, accounting for between 50 and 65 percent of malware installs or “loads” (thanks to Malwaredomainlist.com for help on this).

Continue reading →

Latest Warnings / Time to Patch24 Comments
20
Sep 10

Security Fix for Critical Adobe Flash Flaw

Adobe Systems Inc. today rushed out a software update to remedy a dangerous security hole in its ubiquitous Flash Player that hackers have been exploiting to break into vulnerable systems.

Adobe recommends users of Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.1.85.3, and users of Adobe Flash Player 10.1.92.10 for Android update to Adobe Flash Player 10.1.95.1. Updates are available from this link.

Adobe’s advisory on this flaw is here. The same security vulnerability also exists in the latest versions of Adobe Reader and Acrobat, although Adobe says it doesn’t plan to fix this vulnerability in those products until the week of Oct. 4.

Note that if you use both Internet Explorer and non-IE browsers, you’re going to need to apply this update at least twice, once by visiting the Flash Player installation page with IE and then again with Firefox, Opera or Safari. Google Chrome users can update to Chrome 6.0.472.62 to grab this latest Flash update. To check which version of Flash you have installed, visit this link.

Also, unless you want some “free” software — like McAfee Security Scan or whatever browser toolbar Adobe is bundling with Flash player this month — remember to uncheck that option before you agree to download the software.

Latest Warnings26 Comments
8
Sep 10

Attackers Exploiting New Acrobat/Reader Flaw

Adobe warned today that hackers appear to be exploiting a previously unknown security hole in its PDF Reader and Acrobat programs.

In an advisory published Wednesday, Adobe said a critical vulnerability exists in Acrobat and Reader versions 9.3.4 and earlier, and that there are reports that this critical vulnerability is being actively exploited in the wild. The company says its in the process of evaluating the schedule for an update to plug the security hole.

Meanwhile, an evil PDF file going around that leverages the new exploit currently is detected only by about 25 percent of the anti-virus programs out there (the Virustotal scan results from today are here, and yes it’s a safe PDF).

Adobe’s advisory doesn’t discuss possible mitigating factors, although turning off Javascript in Reader is always a good first step. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript and un-check Enable Acrobat JavaScript).

Better yet, consider using an alternative PDF reader that isn’t quite so heavily targeted as Adobe’s, such as Foxit, Sumatra, or Nitro PDF.

Time to Patch9 Comments
25
Aug 10

Adobe, Apple Issue Security Updates

Both Adobe and Apple have released security updates or alerts in the past 24 hours. Adobe pushed out a critical patch that fixes at least 20 vulnerabilities in its Shockwave Player, while Apple issued updates to correct 13 flaws in Mac OS X systems.

The Adobe patch applies to Shockwave Player 11.5.7.609 and earlier on Windows and Mac operating systems. Adobe recommends that users upgrade to Shockwave Player 11.5.8.612, available at this link. But before you do that, you might want to visit this link, which will tell you whether or not you need to update, and indeed whether you currently have Shockwave installed at all. If you visit it and don’t see an animation, then you don’t have Shockwave (and probably aren’t missing it either).

One other note about Shockwave: Firefox users may notice a “Shockwave Flash” entry when they click “Tools,” “Add-0ns,” and then the “Plugins” tab. For reasons that are too complicated to explain in one breath, this is actually Adobe’s name for its regular Flash player, which most people probably do want installed because can be difficult to browse and use the Internet without it.  By the way, if you haven’t updated your Flash Player in a while, Adobe issued a new version of that software on Aug 10 that plugged a half dozen security holes.

Apple’s update affects Mac OS X Server 10.5, Mac OS X 10.5.8 , Mac OS X Server 10.6 , Mac OS X 10.6.4 and is available via Software Update or from Apple Downloads.

Latest Warnings / Time to Patch39 Comments
10
Aug 10

Critical Updates for Windows, Flash Player

Microsoft issued a record number of software updates today, releasing 14 update bundles to plug at least 34 security holes in its Windows operating system and other software. More than a third of flaws earned a “critical” severity rating, Microsoft’s most serious. Separately, Adobe released an update for its Flash Player that fixes a half-dozen security bugs.

Microsoft tries to further emphasize which critical patches should be applied first, and it does this largely by assessing which of the flaws appear to be the easiest and most reliable to attack. According to an analysis posted on the Microsoft Security Response Center blog, the most dangerous of the critical flaws patched this month involve media file format and Office bugs.

Specifically, Microsoft pointed out a critical flaw in Microsoft Silverlight and its .NET Framework, as well as bugs in the Microsoft MPEG-Layer 3 and Cinepak codecs. All of these media format vulnerabilities are critical and could be exploited merely by loading a tainted media file, either locally or via a Web browser, Redmond said.

The software giant also urged customers to quickly deploy a patch that fixes at least four vulnerabilities in Microsoft Office, the most severe of which could lead to users infecting their PCs with malware simply by opening or viewing a specially-crafted e-mail.

Continue reading →

Time to Patch16 Comments
8
Aug 10

Foxit Fix for “Jailbreak” PDF Flaw

One of the more interesting developments over the past week has been the debut of jailbreakme.com, a Web site that allows Apple customers to jailbreak their devices merely by visiting the site with their iPhone, iPad or iTouch. Researchers soon learned that the page leverages two previously unknown security vulnerabilities in the PDF reader functionality built into Apple’s iOS4.

Adobe was quick to issue a statement saying that the flaws were in Apple’s software and did not exist in its products. Interestingly, though, this same attack does appear to affect Foxit Reader, a free PDF reader that I often recommend as an alternative to Adobe.

According to an advisory Foxit issued last week, Foxit Reader version 4.1.1.0805 “fixes the crash issue caused by the new iPhone/iPad jailbreak program which can be exploited to inject arbitrary code into a system and execute it there.” If you use Foxit, you grab the update from within the application (“Help,” then “Check for Updates Now”) or from this link.

Obviously, from a security perspective the intriguing aspect of a drive-by type jailbreak is that such an attack could easily be used for more nefarious purposes, such as seeding your iPhone with unwanted software. To be clear, nobody has yet seen any attacks like this, but it’s certainly an area to watch closely. F-Secure has a nice Q&A about the pair of PDF reader flaws that allow this attack, and what they might mean going forward. Apple says it plans to release an update to quash the bugs.

I’m left wondering what to call these sorts of vulnerabilities that quite obviously give users the freedom that jailbreaking their device(s) allows (the ability to run applications that are not approved and vetted by Apple) but that necessarily direct the attention of attackers to very potent vulnerabilities that can be used to target jailbreakers and regular users alike. It’s not quite a “featureability,” which describes an intentional software component that opens up customers to attack even as the vendor insists the feature is a useful, by-design ability rather than a liability.

I came up with a few ideas.

- “Apptack”

- “Jailbait” (I know, I know, but it’s catchy)

- “Freedoom”

Maybe KrebsOnSecurity readers can devise a better term? Sound off in the comments below if you come up with any good ones.

Finally, I should note that while Adobe’s products may not be affected by the above-mentioned flaws, the company said last week that it expects to ship an emergency update on Tuesday to fix at least one critical security hole present in the latest version of Adobe Reader for Windows, Mac and Linux systems.

Adobe said the update will fix a flaw that researcher Charlie Miller revealed (PDF!) at last month’s Black Hat security conference in Las Vegas, but it hinted that the update may also include fixes for other flaws. I’ll have more on those updates when they’re released, which should coincide with one of the largest Microsoft Patch Tuesdays ever: Redmond said last week that it expects to issue at least 14 updates on Tuesday. Update, Aug. 10, 5:06 p.m. ET:Adobe won’t be releasing the Reader update until the week of Aug. 16.

← Older Entries
Newer Entries →