November 12, 2013

Microsoft today issued security updates to fix at least 19 vulnerabilities in its software, including a zero-day flaw in Internet Explorer browser that is already being actively exploited. Separately, Adobe has released a critical update that plugs at least two security holes in its Flash Player software.

Three of the eight patches that Microsoft released earned its most dire “critical” label, meaning the vulnerabilities fixed in them can be exploited by malware or miscreants remotely without any help from Windows users. Among the critical patches is an update for Internet Explorer (MS13-088) that mends at least two holes in the default Windows browser (including IE 11). MS13-089 is a critical file handling flaw present in virtually every supported version of Windows.

The final critical patch — MS13-090 — fixes essentially another IE flaw (ActiveX) that showed up in targeted attacks late last week. Microsoft says attackers used a second, “information disclosure” vulnerability in tandem with the ActiveX flaw, but that the company is still investigating that one. It noted that its Enhanced Mitigation Experience Toolkit (EMET) tool successfully blocked the ActiveX exploit.

Nevertheless, it’s important for IE users to apply these updates as quickly as possible. According to Rapid7, exploit code for the ActiveX vulnerability appeared on Pastebin this morning.

“It was known to be under some targeted exploitation, but that will probably expand now that the exploit is public,” said Ross Barrett, senior manager of security engineering at Rapid7. “I would call patching this issue priority #1.” For what it’s worth, Microsoft agrees, at least according to this suggested patch deployment chart.

Today’s patch batch from Redmond did not include an official patch for yet another zero-day vulnerability that has been under active exploitation, although Microsoft did release a stopgap Fix-It tool last week to help blunt the threat. The company also is once again advising Windows users to take another look at EMET.

Check out Microsoft’s Technet blog for more information on these and other updates that the company released today.

In a separate patch release, Adobe issued a fix for its Flash Player software for Windows, Mac, Linux and Android devices. The Flash update brings the ubiquitous player to v. 11.9.900.152 on Mac and Windows systems. Users browsing the Web with IE10 or IE11 on Windows 8.x should get the new version of Flash (11.9.900.152) automatically; IE users not on Windows 8 will need to update manually if Flash is not set to auto-update.

To check which version of Flash you have installed, visit this page. Direct links to the various Flash installers are available here. Be aware that downloading Flash Player from Adobe’s recommended spot — this page — often includes add-ons, security scanners or other crud you probably don’t want. Strangely enough, when I visited that page today with IE10, the download included a pre-checked box to install Google Toolbar and to switch my default browser to Google Chrome.

Speaking of Chrome, it’s high time to address a sore spot for me these past few months. When Chrome first began shipping auto-updates for Flash, Google often quietly fixed new Flash vulnerabilities in its browser even before Adobe issued its patch advisories — sometimes days in advance. Increasingly over the past year, however, Google has lagged behind in this department. In September 2013, for example, it took Google more than a week to update its browser to fix the latest Flash flaws, leaving users dangerously exposed. A Google spokesperson attributed that one-week delay to “a bug in Chrome on Windows 8 Metro” that prompted the Google to “halt the update” while it investigated the root cause. But the company never fully explained why the rollout of that Flash update was suspended for users on other versions of Windows.

I’m happy to see that Chrome appears to be back on its game: the latest version of Chrome (31.0.1650.48) includes this Flash update (v. 11.9.900.152). If you’re using Chrome and see the latest version, you may simply need to close and restart the browser.

Finally, while Adobe says it is not aware of any exploits or active attacks against either of the Flash flaws, the company may have fixed something of a zero-day today. Among the other patches Adobe released is a set of fixes for ColdFusion, its Web application platform. Not long ago, researcher Alex Holden of Hold Security pinged Adobe that the same attackers who stole the company’s source code for ColdFusion, Acrobat, Reader and Photoshop also were using a zero-day flaw in ColdFusion which, according to Adobe, may allow an attacker to access files remotely without authorization. That flaw was one of two vulnerabilities that Adobe fixed in today’s updates for ColdFusion.

Holden maintains this flaw was being used by attackers prior to today. “Hold Security identified an attack attempt against a ColdFusion version 8 resource by the same hackers behind breaches like LexisNexis, Adobe, and others,” Holden said. “Unaware of the possible effectiveness of this attack, Hold Security reached out to Adobe. While Adobe did not find the precise attack effective against any of the supported CF versions, they did identify a critical flaw in the same resource which led to the patch issued today.”

For its part, Adobe says it is unaware of any zero-day attacks against the now-patched vulnerability, and that the vulnerability it credited Holden with reporting was present only in ColdFusion version 10.

Update: 8:29 p.m. ET: Added statement from Hold Security.


46 thoughts on “Zero-Days Rule November’s Patch Tuesday”

  1. Brad Wood

    Do you have any additional information on the CF 0-days? Adobe’s bulletin today didn’t go in any details. In the past they have released the CVE before the fix.

    1. Brad Wood

      I see the ColdFusion bit at the end has been updated to reflect that the claim of the ColdFusion vuln being exploited is disputed. Can you clarify if Adobe is claiming that no attacks existed in the wild, or are they claiming that they had fixed the vuln in a previous update and therefore it was a 1-day and not a 0-day? I noticed you referred to the vuln as “something of a zero-day” so I’m unsure of what that means.

  2. Chris Thomas

    Instead of Google Chrome, I use Comodo Dragon. This uses Adobe versions of Flash and Reader.

    BTW, Dragon also allows the user to force https on pages where there is mixed secure and non-secure content.

  3. Alex Holden

    The situation with CVE-2013-5328 is a bit complicated. While investigating this cyber gang, we saw them attacking thousands of systems with known flaws. When we removed all the “patched” exploit attempts, there were very few other ColdFusion attack patterns left. This particular one was relayed to Adobe for investigation.
    Their analysis resulted in the advisory posted today.
    In my opinion, it is fair to conclude that a single observed attack against a specific resource that resulted in unanticipated response from a system is a previously undiscovered flaw.
    It would be unsubstantiated to claim that this flaw resulted in any breaches but we can draw our own conclusions on the timing and aim of the attack. After all, the hackers targeted the resource that turned out to have a serious vulnerability.

    1. Brad Wood

      Alex, thank you for the helpful reply.

      So if I understand correctly, you noticed an attack pattern which was not documented in an existing CVE, and Adobe released a critical fix soon after you reported. Therefore, your assumption is that the unknown attack pattern represented a 0-day and Adobe just fixed it.

      That does sound reasonable. The one thing that gives me pause however is that Adobe religiously releases notices when there is a 0-Day present and they didn’t do that this time, which leads me to believe it wasn’t, or at least they didn’t think it was.

      Very interesting, but not enough information for me to make any conclusive decisions on. Thank you for reporting it and I hope more information comes to light soon.

  4. Nate

    “However, an Adobe spokesperson said disputes that claim.”

    Hey Brian, I think this sentence is a bit lacking. Love the site. Thanks for doing what you do.

  5. Lysergic Acid Diethylamide

    Microsoft Security Essentials™ was also updated to version 4.4 …

    1. Neej

      MSSE has been doing really poorly in AV comparisons for quite a while now despite a good showing earlier on.

      This may have changed recently; however, I elected to stop using it some time ago. It’s better than nothing but malware creators seem to have its measure.

      Better than nothing of course.

    2. CoolAC

      Thank you, I just checked for updates again and sure enough there it is, 4.4

      I use MSE along with Avast thanks to this blog.

      Any virus scanner can be deemed useless nowadays, it really doesn’t matter... but last year MSE did find a virus I believe I got through a PC video game, which I didn’t realize till I saw it in the vault... A word was misspelled so the company denies it came from them... but yep, MSE is definitely better than nothing...

  6. The Oregano Router

    Eight patches? I had 17 on my Windows 8 machine which would include Flash and Office 2010 updates.

  7. Stratocaster

    I too was pleased that Google has addressed the “sore spot” and already shipped Chrome 31 with the Flash Player update. Which is more than I can say for Adobe’s own auto-update or notification services….

  8. d

    What is the current title of the latest Flash Player version for Mac? When I click the direct link, I see various versions, but not a 11.9 for Mac.

    1. SeymourB

      I search for “Flash Player MSI Download” and select the Adobe.com link that shows up (pay attention to the link, occasionally “advertisements” show up at the top of the search list that aren’t actually adobe.com). Technically anyone who signs up for the redistribution program isn’t supposed to share the link, but it’s been in search engines for years now, so I figure helping you find it the same way everyone else did isn’t the end of the world.

      That site always has the latest non-beta versions available, which includes OS X.

      The last couple of versions have had two OSX downloads available; one is for “system administrators”, though I haven’t yet determined what the difference is. It’s probably something in the install script.

      1. d

        Thanks, but I am looking for a DMG, not an MSI. For Mac, we can download it and install it ourselves, instead of going through Adobe’s three-step method.

        1. SeymourB

          How about searching for that term and looking at the page before dismissing it out of turn.

          MSIs are purely a Windows thing. They don’t apply to Macs (or Linux, for that matter). Which is why there are two .dmg files on that page for Intel Macs.

          It takes 10 seconds to run the search and load the page. You couldn’t spare 10 seconds?

          1. d

            I did not dismiss your suggestion out of turn. You said: I search for “Flash Player MSI Download” … (Yes, I did say I was a Mac user, so I know I don’t want that type of installer.)

            When I did a google search, the first few results are links to adobe’s sites that offer a three-prong approach to installing flash. I do not know whether you use a mac or not, but a DMG file offers all I need. With it, I get the flash program without all the trash (add-ons). I can just download the file, and install it without it calling “home.”

            I gather Adobe is changing its links, and maybe, what it calls the flash program. In the past, I simply downloaded a file titled “install_flash_player_osx.dmg.” I see FLASH PROFESSIONAL links for various versions when I click the link in the article above. However, none of the links says “install_flash_player_osx.dmg.” And, in addition, I am not using a professional product, hence, these versions of flash are excessively huge for what I am used to getting.

            I have located the latest update. I just had to go to a Mac site to get it. I prefer to get the DMG download from Adobe, but maybe that might be a thing of the past.

            1. SeymourB

              When I perform a search with Google on both Mac and Windows systems the very first result is the same link to the correct page in question.

              http://www.adobe.com/special/products/flashplayer/fp_distribution3.html

              I don’t know what search engine you’re using that it doesn’t provide the same result, but I suggest you consider changing search engines since the one you’re using obviously doesn’t return relevant results. Adobe doesn’t provide MSI downloads through any other link, so if they’re giving you different links, they’re not giving you a result relevant to your search.

              I frequently perform that very same search the exact same way to “remember” the page in question since it doesn’t exactly roll off the fingers, and barring the occasional advertisement the first link is always that page. The platform used has been irrelevant across the hundreds of systems I’ve performed this action on.

              Ideally you should bookmark or otherwise store that URL someplace since Adobe is extremely punctual about posting updates to it.

  9. Likes2LOL

    Could someone venture to explain the version numbering schemes of the Flash plugins, browsers, etc.?

    The new version of Flash is 11.9.900.152, the last one was 11.9.900.117 — what happened to …118 through …151? And why so many segments?

    The 4-place numbering scheme is pretty widespread, too: there’s Chrome 31.0.1650.48, Opera 17.0.1241.53, Maxthon 4.1.3.5000, and my all time favorite Microsoft .NET .MESS Framework versions 1.0.3705.0, 1.1.4322.573, 2.0.50727.42, 3.0.4506.30, 3.5.21022.8, 4.0.30319.1, and 4.5.50709.17929

    Somehow, Firefox seems to get by with 1 decimal after the major version number, e.g., 26.0 — what’s up with that?

    So, what’s with all the numbers? Do they really mean something, or are they just random digits? Inquiring minds would like to know… 😉

    1. Neej

      It’s just a system that the vendors use to track changes they make to the code. There’s really nothing to explain other than it’s pretty arbitrary depending on which developer is making the product.

      It doesn’t follow any kind of standard or indicate anything relative to other software.

    2. Brad Wood

      What @Neej said is basically true - vendors can do whatever they want with version numbers. I’ve seen software skip entire numbers. But to answer your question a bit more, the 4-part version number often represents major.minor.patch.build.

      Build is a number that auto-increments every time a developer commits code and re-compiles. Therefore, the build is often a larger number and makes large jumps between releases.

    3. BrianKrebs Post author

      There really is no rhyme or reason to it, or if there is the vendors rarely share that information. I should note that I don’t blog about all updates to programs like Flash; only those with security fixes. Usually, about every other update is a cosmetic and/or bug fix release, and does not include any security patches.

    4. timeless

      The last number is typically a “build number”.

      Imagine I start writing software:

      I want to release version 0.9.0. The first build I make might be 0.9.0.1, but then some coders make some changes and I build my program again, that’s 0.9.0.2.

      Mozilla did have a build number, but usually it used a date stamp (including the year, month, day, and hour). In that model many builds never exist even though the numbers were “reserved”.

      The reason for the fairly large jump in build numbers is that most builds are never sent to customers. Typically build systems make new builds after every change, or hourly. But very few products release every build. Instead only builds which have all the features requested by management and have passed sufficient testing by QA and possibly fit with a release cycle will be released to customers.

      Some products will reset the build number each time they increase a larger digit, so if I shipped 0.9.0.421, I might start working on 1.0.0.1.

      Generally, the first digit is a “major version” (big feature improvements), the second is a “minor version” (interim scheduled improvements / minor bug fixes), the next field is often reserved for security releases, so I might only make a 0.9.1 if there was a security vulnerability in my 0.9.0 release.

      Typically when talking about a product, one doesn’t talk about the build number since there should only be one specific build for a given version and platform that reaches end users.

      But testers need to be able to report the quality of the specific build, so the number is often included in filenames, and it’s included in version resources.
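As an added example (not code from the post or any commenter), here is how a patch-verification script would parse the dotted version strings discussed above and decide whether an installed build is at or above a fixed release, comparing segments numerically and tolerating a different number of segments (Flash 11.9.900.152 versus Firefox-style 26.0). The fixed versions are the ones quoted on this page; the product keys, host names and inventory are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions quoted on this page: Flash 11.9.900.152 (Adobe) and
# Chrome 31.0.1650.48, which bundles that Flash build.
PATCHED: Dict[str, str] = {
    "flash": "11.9.900.152",
    "chrome": "31.0.1650.48",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints.

    A leading 'v' or 'v.' (as in 'v. 11.9.900.152') and surrounding
    whitespace are tolerated; anything else that is not digits and dots
    is rejected, so a garbled string is never silently treated as current.
    """
    cleaned = re.sub(r"^\s*v\.?\s*", "", text.strip(), flags=re.IGNORECASE)
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in cleaned.split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Segments are compared as integers left to right (major, minor,
    patch, build), so a build of 100 ranks above 99 even though "100"
    sorts before "99" as text. Missing trailing segments count as zero,
    so "26.0" equals "26.0.0.0".
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_patched(product: str, installed: str) -> bool:
    """True when the installed build is at or above the fixed version."""
    return compare_versions(installed, PATCHED[product]) >= 0


def audit(inventory: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each host to the products still below the fixed version.

    inventory is {host: {product: installed_version}}; products not in
    PATCHED are ignored. Hosts with nothing outstanding are omitted.
    """
    findings: Dict[str, List[str]] = {}
    for host, products in inventory.items():
        stale = [p for p, ver in products.items()
                 if p in PATCHED and not is_patched(p, ver)]
        if stale:
            findings[host] = stale
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; 11.9.900.117 is the prior Flash
    # release named in the comments, the Chrome 30 build is made up.
    sample = {
        "ws-01": {"flash": "11.9.900.117", "chrome": "31.0.1650.48"},
        "ws-02": {"flash": "v. 11.9.900.152", "chrome": "30.0.1599.0"},
    }
    for host, stale in audit(sample).items():
        print(f"{host}: update needed for {', '.join(stale)}")
```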

    1. CoolAC

      Tyvm, this didn’t even come up in windows updates.

      That April 3rd date is around when MSE found a virus on my machine 🙂

    2. arbee

      > Meanwhile EMET 4.1 has been released
      What about installing over v4.0? (I may be jumping the gun about a future post….) Two comments in the EMET v4.1 User’s Guide (pg 22 & pg 38). Both are about an existing v3.0 installation. I found nothing about installing over v4.0.

      1. BillC

        I’m no authority, but I just installed 4.1 over 4.0 on one machine, and over 3.0 on another. Worked fine.

      2. Paul

        The installer for 4.1, unlike previous installers, recognises a previous installation and offers you the choice of keeping or resetting your settings. No need to uninstall the older version first.

  10. IL

    What is strange about Microsoft Security Essentials is they ceased to respond on submitted samples via Malware Protection Center https://www.microsoft.com/security/portal/submission/submit.aspx both for files suspected of containing malware and false alarms. Nearly 30 of my submissions since May 25, 2012 (some since Apr 03, 2012) must have been resolved a long time ago, but their status is “received” instead. Do you have any idea why?

  11. Cool-AC

    Thanks Lysergic and IL. I use MSE, Avast and EMET thanks to this blog.

    The first two weeks of April 2012 were horrible. I remember it well, because that is the week Punkbuster got hacked offline for over a week, I believe. ... and I happened to notice a virus in my MSE virus vault I didn’t know was there that was found right around that date! Which referred to Battlelog, at the same time BF3 released a patch after they were also hacked that week, but EA denied it came from them because a letter was missing in one of the words.

    Even though it’s hard for any virus scanner to keep up with all the new malware nowadays, no matter what it is, MSE is still definitely better than nothing!

    1. BrianKrebs Post author

      You use two antivirus products? I think if one were a cloud provider like Immunet or Panda that might be okay, but why two host-based AV solutions? Seems like asking for a system drag to me.

      1. Coolac

        As long as I can game ok. I sometimes shut off real time protection on MSE because it likes to randomly scan in the middle of a game, but it’s not so bad.

        But they got me again this year BK :(… 2 PCs died in the same week. On one the PSU is burnt, on another the vid card and who knows about the mobo, and my laptop keeps crashing now. Every damn year around this time. Has anybody heard of something like this happening to somebody?

        Why own a PC if I can’t game online? I don’t even download commercial mp3s. I believe I have one of those bad BIOS viruses that just kill my PC every year at this time. Am I considered a perv or pedo for watching porn, or is this just some anti Christian or American thing? Is it a virus I have for life until I move?? Lol. Or just somebody who has no life…

        Maybe I shouldn’t post on your blog anymore BK. It’s time for me to just abandon pcs like most Americans have already. I’ll still be reading though keep up the good work.

        1. Coolac

          My vid card got bricked on Patch Tuesday, my old PC that I gave my parents died a week earlier and my grandfather’s laptop is getting BSODs now. It’s not the NSA or FBI and it’s not our fault for browsing the web, or playing games, or me talking trash online. It’s been happening my whole life. Just a new batch of losers.

          1. Coolant

            I know many people don’t believe it’s possible but I felt I should post that the easiest hardware for this virus to infect is the DVD drive, then they try to ruin your monitor through the vid card and then your vid card itself, then the mobo. In that order. A full format on the HDD does nothing. Buying a new one doesn’t help either if the mobo BIOS is already infected.

            Normal people can not replace every network device in their home, which means wireless

            It’s Actually very common and what did it for me on my pc

          2. Cool

            Which means all phones printers Maybe even the fios boxes etc…

            This is something that has only gotten more sophisticated and worse over the years for American families, not better which is a myth.

            Also, to add, the mistake that put me over the top was trying to burn a DVD-RW in Linux for the first time with that buggy firmware, which is always the first symptom. I might have been safer only using that drive in Windows. Maybe the RIAA puts these viruses out in the wild, who knows. The main targets are def DVD drives and monitors. Or just some rich kid with nothing better to do and hackers who can systematically destroy or shorten the lifespans of every piece of hardware you have. They do still exist and ruin newer hardware even easier!!

            Thanks for putting up with all my spam over the past year.

  12. ted

    Link to Flash v11.9.900.152 sends me to Microsoft technet blog.

  13. meh

    Anybody know any better updaters than PSI? I’m sick of critical updates getting held up on machines to select ‘English’ for the 53rd time… Their product is not very good at all for machines that the admin doesn’t live on, which is kind of the point for auto updaters isn’t it?

    1. JimV

      FileHippo isn’t bad, but with some of its offerings (particularly Flash Player and Java) it just proffers a stub installer rather than the full-installer download and those stub installers can also bundle various other things (“crapware” in my lexicon, but that bundling-in-the-background apparently provides a revenue source of financial support for their website). You can click on the “technical” tab to confirm the download file size for any of the FH offerings, and for those apps which should be pretty large (e.g., both of the above examples) if it’s just a 1-2Mb file or less then you’ll recognize it as a stub installer. In many cases, someone will leave a comment on that tab with a link to the full-installer file download.

    2. Robert

      FWIW. You don’t mention what version of PSI you are using – you might have better success with another version. I use version 2 on some machines, version 3 on others. Why? Because sometimes a different version will play nicer with a particular machine.

      Good luck!

      1. meh

        Used the last few versions of 3 and it isn’t very good at keeping the machine up to date. In particular they have held up a critical adobe reader patch for months now because of language selection which is stupid. I haven’t tried 2 but given their support and overall design I am not too hopeful it is much better, mostly all I need is something you can install on machines that admins rarely touch that will keep a few of the things that windows update ignores patched. I don’t see why there aren’t more options in this area, for corporate environments in particular the best practice is to run as a limited user, which means the user can’t do these updates and the admin is rarely going to go around doing them either.

        1. Paul

          For a smaller environment without the budget for larger deployment tools you’d either be deploying through Active Directory or using WSUS with the Local Publisher addon.

          PSI is only for personal use anyway, you’d use CSI for a corporate environment.

        2. meh

          Well that is part of the problem, I am not the admin of the work network and CSI requires WSUS integration (fail) and is also basically the same thing as PSI, also for home users such as grandma/the computer illiterate aunt it is nice to have something that auto patches their machine so they aren’t using the administrator account. I have 9 different windows machines at home, I would like something that just does the updates without asking what language 40 times or dumping unwanted adware/malware on there.

          1. Robert

            I hear you, I’m in a very similar situation.

            PSI has been good but one cannot rely on it to patch unattended 100% of the time. Still, (in answer to your original good question) it’s the best I know of & the price is right. 🙂

            Have you considered dumping Adobe reader & using another PDF viewer? (I use Foxit Reader, very happy). It won’t necessarily solve the updating problem. I can’t remember for sure but it seems that at least some of my machines are updating Foxit automatically via PSI.

            I’m switching Dad to a Chromebook, hopefully Google will do a good job….

  14. Alvar kresh

    A card skimming incident happened to me in 2011, on a weekend, & it was on an outside pump at a Racetrac station. It was while I was using the debit function.
    It appeared to accept my PIN, giving me an error message to see the clerk inside; I just went somewhere else & paid cash at another station, as I was in the middle of moving.
    Within hours the perpetrator ordered about 36 dollars of food online from Pizza Hut & later tried to obtain a prepaid phone for over $82! Since there wasn’t a lot of cash in the account that failed, but not before Bank Of America’s fraud alert disabled my card!
    They had also tried to contact me through their security unit about the suspicious activity. In all, the bad guys got about $45 out of my account; after I reported it to them, they issued a new card to me & gave me a conditional refund after the paperwork/affidavit was filled out.
    I hope their investigations got somebody; I tried to contact the local Racetrac by phone, but nobody answered.
    Now I am careful to look at the card slots & pay for gas by credit instead of debit.
