Posts Tagged: Shavlik


10
May 16

Adobe, Microsoft Push Critical Updates

Adobe has issued security updates to fix weaknesses in its PDF Reader and Cold Fusion products, while pointing to an update to be released later this week for its ubiquitous Flash Player browser plugin. Microsoft meanwhile today released 16 update bundles to address dozens of security flaws in Windows, Internet Explorer and related software.

Microsoft’s patch batch includes updates for “zero-day” vulnbrokenwindowserabilities (flaws that attackers figure out how to exploit before before the software maker does) in Internet Explorer (IE) and in Windows. Half of the 16 patches that Redmond issued today earned its “critical” rating, meaning the vulnerabilities could be exploited remotely through no help from the user, save for perhaps clicking a link, opening a file or visiting a hacked or malicious Web site.

According to security firm Shavlik, two of the Microsoft patches tackle issues that were publicly disclosed prior to today’s updates, including bugs in IE and the Microsoft .NET Framework.

Anytime there’s a .NET Framework update available, I always uncheck those updates to install and then reboot and install the .NET updates; I’ve had too many .NET update failures muddy the process of figuring out which update borked a Windows machine after a batch of patches to do otherwise, but your mileage may vary.

On the Adobe side, the pending Flash update fixes a single vulnerability that apparently is already being exploited in active attacks online. However, Shavlik says there appears to be some confusion about how many bugs are fixed in the Flash update. Continue reading →


13
Apr 16

‘Badlock’ Bug Tops Microsoft Patch Batch

Microsoft released fixes on Tuesday to plug critical security holes in Windows and other software. The company issued 13 patches to tackle dozens of vulnerabilities, including a much-hyped “Badlock” file-sharing bug that appears ripe for exploitation. Also, Adobe updated its Flash Player release to address at least two-dozen flaws — in addition to the zero-day vulnerability Adobe patched last week.

Source: badlock.org

Source: badlock.org

The Windows patch that seems to be getting the most attention this month remedies seven vulnerabilities in Samba, a service used to manage file and print services across networks and multiple operating systems. This may sound innocuous enough, but attackers who gain access to private or corporate network could use these flaws to intercept traffic, view or modify user passwords, or shut down critical services.

According to badlock.org, a Web site set up to disseminate information about the widespread nature of the threat that this vulnerability poses, we are likely to see active exploitation of the Samba vulnerabilities soon.

Two of the Microsoft patches address flaws that were disclosed prior to Patch Tuesday. One of them is included in a bundle of fixes for Internet Explorer. A critical update for the Microsoft Graphics Component targets four vulnerabilities, two of which have been detected already in exploits in the wild, according to Chris Goettl at security vendor Shavlik.

Just a reminder: If you use Windows and haven’t yet taken advantage of the Enhanced Mitigation Experience Toolkit, a.k.a. “EMET,” you should definitely consider it. I describe the basic features and benefits of running EMET in this blog post from 2014 (yes, it’s time to revisit EMET in a future post), but the gist of it is that EMET helps block or blunt exploits against known and unknown Windows vulnerabilities and flaws in third-party applications that run on top of Windows. The latest version, v. 5.5, is available hereContinue reading →


10
Feb 16

Critical Fixes Issued for Windows, Java, Flash

Microsoft Windows users and those with Adobe Flash Player or Java installed, it’s time to update again! Microsoft released 13 updates to address some three dozen unique security vulnerabilities. Adobe issued security fixes for its Flash Player software that plugs at least 22 security holes in the widely-used browser component. Meanwhile, Oracle issued an unscheduled security fix for Java, its second security update for Java in as many weeks.

brokenwindowsOne big critical update from Redmond mends more than a dozen security problems with Internet Explorer. Another critical patch addresses flaws Microsoft Edge — including four that appear to share the same vulnerability identifiers (meaning Microsoft re-used the same vulnerable IE code in its newest Edge browser). Security vendor Qualys as usual has a good roundup of the rest of the critical Microsoft updates.

Adobe issued an update for Flash Player that fixes a slew of security problems with Flash, a very powerful yet vulnerable piece of software that is also unfortunately ubiquitous. After all, as Chris Goettl at Shavlik reminds us, fixing Flash on a modern computer can be a complicated affair: “You need to update Adobe Flash for IE, Flash for Google Chrome, and Flash for Firefox to completely plug all of these 22 vulnerabilities.” Thankfully, Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually restart Chrome to get the latest Flash version). Continue reading →


8
Sep 15

Microsoft Pushes a Dozen Security Updates

Microsoft today released a dozen security updates for computers running supported versions of its Windows operating system. Five of the patches fix flaws that could get PCs compromised with little to no help from users, and five of the bulletins have vulnerabilities that were publicly disclosed before today (including one that reportedly has been detected in exploits in the wild). Separately, Adobe is pushing a security update for its Shockwave Player – a browser plugin that I’ve long urged readers to junk.

brokenwindowsAccording to security firm Shavlik, the patches that address flaws which have already been publicly disclosed include a large Internet Explorer (IE) update that corrects 17 flaws and a fix for Microsoft Edge, Redmond’s flagship replacement browser for IE; both address this bug, among others.

A critical fix for a Windows graphics component addresses flaws that previously showed up in two public disclosures, one of which Shavlik says is currently being exploited in the wild (CVE-2015-2546).  The 100th patch that Microsoft has issued so far this year — a salve for Windows Media Player – fixes two different vulnerabilities that were publicly disclosed before today (CVE-2015-2509 and CVE-2015-2504).

In other important patch news today, Adobe has released a security update for its Shockwave Player browser plugin. If you need this program, then update it; the latest version is v. 12.2.0.162. But in my experience, most users don’t need it and are better off without it. For more on what I say that, see Why You Should Ditch Adobe Shockwave.

Not sure whether your computer has Shockwave installed? If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or in the case of Google Chrome for some reason just automatically downloads the installer), then you don’t have Shockwave installed. To remove Shockwave, grab Adobe’s uninstall tool here. Mozilla Firefox users should note that the presence of the “Shockwave Flash” plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave Player.


10
Mar 15

Microsoft Fixes Stuxnet Bug, Again

Microsoft today shipped a bundle of security updates to address more than three dozen vulnerabilities in Windows and associated software. Included in the batch is a fix for a flaw first patched in 2010 — the very same vulnerability that led to the discovery of the infamous cyberweapon known as Stuxnet. Turns out, the patch that Microsoft shipped to fix that flaw in 2010 didn’t quite do the trick, leaving Windows users dangerously exposed all this time.

brokenwindowsOn this, the third Patch Tuesday of 2015, Microsoft pushed 14 update bundles to address at least 43 separate vulnerabilities in Internet Explorer, Exchange, Office and a host of other components.

Five of the the patches released today fix flaws that Microsoft has assigned its most serious “critical” label, meaning the vulnerabilities these patches fix can be exploited to compromise vulnerable systems through little or no action on the part of the user — save for perhaps opening a booby-trapped file or visiting a hacked/malicious Web site.

One of the more curious critical fixes is MS15-020, which according to HP’s Zero Day Initiative researchers addresses the same vulnerability that Microsoft patched in August 2010. That vulnerability — first revealed in a post on this blog July 15, 2010 — was later discovered to have been one of four zero-day flaws used in Stuxnet, a weapon of unprecedented sophistication that is now widely considered to have been a joint U.S. and Israeli project aimed at delaying Iran’s nuclear ambitions. The folks at HP TippingPoint have published a blog post on their work in uncovering the failed fix, and how the original 2010 patch missed the mark. For more on Stuxnet, check out Kim Zetter‘s excellent new book, Countdown To Zero Day. Continue reading →


11
Nov 14

Adobe, Microsoft Issue Critical Security Fixes

Adobe and Microsoft today each issued security updates to fix critical vulnerabilities in their software. Microsoft pushed 14 patches to address problems in Windows, Office, Internet Explorer and .NET, among other products. Separately, Adobe issued an update for its Flash Player software that corrects at least 18 security issues.

brokenwindowsMicrosoft announced 16 bulletins, but curiously two of those are listed as pending. Topping the list of critical updates from Microsoft is a fix for a zero-day vulnerability disclosed last month that hackers have been using in targeted cyber espionage attacks. Another critical patch targets 17 weaknesses in Internet Explorer, including a remotely exploitable vulnerability in all supported versions of Windows that earned a CVSS score of 9.3 (meaning it is highly likely to be exploited in drive-by attacks, and probably soon).

That flaw is a rare “unicorn-like” bug according to IBM X-Force, which discovered and reported the issue privately to Microsoft. In a blog post published today, IBM researchers described how the vulnerability can be used to sidestep the Enhanced Protected Mode sandbox in IE11, as well as Microsoft’s EMET anti-exploitation tool that Microsoft offers for free.

“In this case, the buggy code is at least 19 years old, and has been remotely exploitable for the past 18 years,” writes IBM researcher Robert Freeman. “Looking at the original release code of Windows 95, the problem is present. In some respects this vulnerability has been sitting in plain sight for a long time, despite many other bugs being discovered and patched in the same Windows library (OleAut32).”

Freeman said while unpatched Internet Explorer users are most at risk from this bug, the vulnerability also could be exploited through Microsoft Office files. “The other attack vectors this vulnerability could work with are Microsoft Office with script macros, for example in Excel documents,” Freeman told KrebsOnSecurity. “Most versions of Office (since about 2003) have macros disabled by default so the user would have to enable them (which can be a fairly mindless YES click at the top of the screen). Or if a user is using an old enough version of Office, the macros will be enabled by default.”

macrosms

Continue reading →