It is time for Patch Tuesday April 2016, and we already have some insight into what is coming at us. Last week Adobe had to move its monthly Adobe Flash Player (APSB16-10) patch forward to help its users defend against a 0-day that was being exploited in the wild, and a couple of weeks ago we heard of the “Badlock” vulnerability from the Samba development team – both Windows and Samba on Linux/Unix are affected.
Update: Adobe has released a new version of its Flash Player in APSB16-10. It addresses 22 critical vulnerabilities that can be used to gain code execution and 2 vulnerabilities that can be used to retrieve memory address information and to bypass a security feature. One of the vulnerabilities, CVE-2016-1019, is currently being attacked in the wild by Exploit Kits.
This release is Adobe’s April Patch Tuesday release. We do not expect another release this month. You should patch as quickly as possible, especially on machines that are still running a pre-March version of Flash, as these are vulnerable to CVE-2016-1019.
Oracle published a new version of Java today. The new version, Java v8 update 77, addresses a single critical vulnerability, CVE-2016-0636. This vulnerability had been disclosed publicly 2 weeks ago on the fulldisclosure list by Adam Gowdiak, CEO of Security Explorations, a security research company, as a variant of an issue (CVE-2013-5838) that he reported to Oracle in 2013 and that was not fully fixed in Oracle’s patch.
Security Explorations has a technical document describing the issue and POC code for an exploit published on their website. They affirm that Java v7 and Java v9 are also affected by the vulnerability.
Since Oracle chose to fix this vulnerability out of band, we can assume that a workable exploit of the vulnerability based on the published information is relatively easy to come up with. You should give this fix high priority and address it as soon as possible.
Today Adobe released a critical update for its Flash Player, APSB16-08, that addresses 23 vulnerabilities. The update had been expected on Tuesday already, but had been held back due to the last-minute inclusion of CVE-2016-1010, a vulnerability that is currently under targeted attack in the wild. A successful exploit of this vulnerability gives the attacker Remote Code Execution on the target machine. Attack vectors include malicious websites set up for the purpose of attack using Search Engine Poisoning, “normal” websites that have been hacked and are under the control of the attacker, and e-mailed documents (Word, PDF) that include a malicious Flash component.
The vulnerability was found at Kaspersky Labs, by Anton Ivanov.
Microsoft also released this delayed Flash update as an out-of-band addition to its Patch Tuesday lineup as MS16-036. With that, we are changing our ranking of the security bulletins for this month – MS16-036 now takes the highest priority, followed by MS16-023 for Internet Explorer.
March Patch Tuesday 2016 comes right after a busy week at the RSA USA 2016 conference, where we discussed security and privacy with our industry peers and customers. We participated in numerous discussions around encryption and its function in the protection of privacy and its impact on law enforcement. On Thursday we talked with Chairman McCaul of the committee for Homeland Security about these issues. He said that US Congress is aware of the problems and is working on legislation that would balance both privacy and access to data. On Tuesday we had a Q&A session with Rami Malek, who plays the cyber vigilante Elliot Alderson on the USA Network show Mr. Robot. Rami gave us insight on the amount of work that goes into the writing, acting and production to assure that the computer scenes are as realistic as possible. The huge turnout at this session confirmed how successful the producers have been with this strategy.
Last week, Fermin Serna from Google posted a report of a critical vulnerability in the glibc library, which is used at a very fundamental level by almost all Linux systems. The vulnerability, CVE-2015-7547, is in the getaddrinfo() function and can be used to gain Remote Code Execution.
A malicious DNS server provides an overlong, specially formatted answer to a normal address query, which overflows a statically allocated internal 2K buffer with data. The overflowing data can then be executed within the getaddrinfo() function.
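The defensive check that follows from this description is a size limit on DNS answers before they reach a vulnerable resolver. The script below is an added example, not code from the original post or from the glibc project: it constructs a sample DNS response of a chosen size (constructed test data, not a captured packet), parses the header, and flags any response, UDP or TCP-framed, that exceeds the 2K buffer size mentioned above. The buffer size constant, the record count and the domain name are assumptions for the example; the threshold is a parameter so it can be tightened.

```python
import struct

# Size of the internal buffer the post says getaddrinfo() uses for DNS
# answers (assumption taken from the text); responses larger than this are
# the condition a filtering resolver or firewall rule should flag.
BUFFER_SIZE = 2048


def build_response(query_id: int, name: bytes, addresses: list) -> bytes:
    """Construct a minimal DNS response with one A record per address.

    This is constructed sample input for the checks below; it exists only to
    produce responses of a controlled size.
    """
    # Header: ID, flags (standard response, recursion available), QDCOUNT,
    # ANCOUNT, NSCOUNT, ARCOUNT.
    header = struct.pack("!HHHHHH", query_id, 0x8180, 1, len(addresses), 0, 0)
    # Question: length-prefixed labels, root terminator, QTYPE A, QCLASS IN.
    qname = b"".join(bytes([len(l)]) + l for l in name.split(b".") if l) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)
    answers = b""
    for addr in addresses:
        # 0xC00C is a compression pointer to the name at offset 12 (the question).
        # Fields: NAME, TYPE A, CLASS IN, TTL, RDLENGTH, then 4 address bytes.
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(addr)
    return header + question + answers


def parse_header(response: bytes) -> dict:
    """Return the DNS header fields, rejecting anything shorter than a header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {"id": qid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def oversized(response: bytes, limit: int = BUFFER_SIZE) -> bool:
    """True if a UDP DNS message is larger than the buffer it would land in."""
    return len(response) > limit


def check_tcp_frame(frame: bytes, limit: int = BUFFER_SIZE) -> dict:
    """Inspect a TCP DNS message (2-byte big-endian length prefix).

    Returns the advertised length, whether the frame carries that many
    bytes, and whether the advertised length exceeds the limit. Checking the
    prefix means an oversized message can be dropped before its body is read.
    """
    if len(frame) < 2:
        raise ValueError("missing length prefix")
    (advertised,) = struct.unpack("!H", frame[:2])
    body = frame[2:]
    return {"advertised": advertised,
            "complete": len(body) >= advertised,
            "oversized": advertised > limit}


if __name__ == "__main__":
    # Sample name and record count are assumptions; 130 A records push the
    # message past the 2048-byte buffer, 1 record stays well below it.
    small = build_response(0x1234, b"example.test", [(10, 0, 0, 1)])
    big = build_response(0x1234, b"example.test", [(10, 0, 0, 1)] * 130)
    for label, msg in (("small", small), ("big", big)):
        hdr = parse_header(msg)
        print(f"{label}: {len(msg)} bytes, {hdr['ancount']} answers, "
              f"oversized={oversized(msg)}")
    framed = struct.pack("!H", len(big)) + big
    print("tcp frame:", check_tcp_frame(framed))
```

Deploying this kind of check at a local caching resolver or egress firewall limits what an upstream server can deliver to the vulnerable client, but it is a stopgap; the fix is the patched glibc.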
This week Cisco published an advisory for the critical vulnerability CVE-2016-1287 in its ASA line of firewalls that have IKEv1/v2 VPNs configured. An exploit for the vulnerability would allow an unauthenticated, remote attacker to execute code on the device. A technical breakdown of the vulnerability can be found in the blog post at Exodus Intelligence, who reported the vulnerability to Cisco. Exodus Intelligence is a 0-day research company, so this showcases some of their capabilities, while at the same time raising the question of why they would publish the vulnerability rather than add it to their portfolio.