Qualys Blog


0-day for Adobe Flash and Reader – Updated

Adobe has published the patches for Flash and AIR as bulletin ABSB11-05. Patches for Adobe Reader can be found as bulletin ABSB11-06.

Adobe just published a security advisory (APSA11-001) for a critical vulnerability in Adobe Flash that can be used to take control of the attacked machine. Adobe Flash is embedded in Adobe Acrobat and Reader, so both of these software packages are also vulnerable to the attack.

Adobe is aware of exploits for the vulnerability being used in the wild, with a known attack vector through a Flash file embedded in an Excel spreadsheet.

Adobe will release a fix for the Windows, Mac OS X and Linux/Unix operating systems during the week of March 21st.

Users of Adobe Reader X are not vulnerable to the exploit, as the sandboxing technology included in Reader X prevents the code from executing. We recommend updating your installations of Adobe Reader to this newest version, as this occurrence highlights the increased robustness gained from sandboxing.

CanSecWest results – day 1

This week at the CanSecWest security conference in Vancouver, TippingPoint is holding its PWN2OWN contest, where security researchers compete in attacking operating systems and browsers. The winner takes home the owned machine plus a cash prize; TippingPoint collects the vulnerabilities and discloses them to the vendors.

Here is the full schedule, but so far two setups have been compromised:

  • 64 bit Mac OS X and Safari – by VUPEN
  • 64 bit Windows 7 and IE8 – by Stephen Fewer

Ryan Naraine has more details and updated coverage at Zero Day blog.

Patch Tuesday March 2011

Microsoft is releasing a relatively low number of three security bulletins covering four vulnerabilities in March’s Patch Tuesday 2011.

Of the three bulletins, only one is of critical severity: MS11-015. It addresses a vulnerability in Windows Media Player that can be exploited when playing a specially crafted media file of type "dvr-ms". Microsoft normally rates this type of file format vulnerability as only "important" because user interaction is required. However, this particular flaw has a component that allows for an attack through a browser link, making exploitation possible in automated "drive-by" fashion. We recommend patching immediately for MS11-015.

The remaining three vulnerabilities are all of the DLL pre-loading type; the fixes address problems in DirectShow (MS11-015), Microsoft Office Groove 2007 (MS11-016) and the RDP client (MS11-017). This current strain of DLL pre-loading vulnerabilities was first identified in August of 2010 and plagues a large number of software packages, some from Microsoft and many from third-party vendors. Addressing all of the vulnerabilities is a daunting task and will not be completed any time soon, so we recommend implementing the guidelines laid out in KB2269637, which provide an additional safety net at the operating system level for all Windows applications.

If this Patch Tuesday has left you with some time to spare, consider evaluating your installed base of Internet Explorer 6. Microsoft is now actively campaigning on its web site, http://www.ie6countdown.com/, for you to discontinue IE6, with the goal of getting the current figure of 12% down to 1%. We still see much higher numbers in our scans, with Q4 2010 still showing over 26% of machines running IE6.

Patch Tuesday March 2011 – Preview

Next Tuesday, March 8, Microsoft will release three security bulletins in its monthly patch cycle. One of the bulletins is rated critical, while the other two are rated important. This is a small update compared to February, in which there were a dozen updates.

The critical update affects Windows XP, Vista and Windows 7, while Windows Server 2003 and Server 2008 are not affected. One of the important updates affects all Windows operating systems, and we expect it to be for the MHTML Information Disclosure issue, which was left unpatched in last month’s patch cycle (2501696). The other important update patches the little-known Office Groove 2007 software.

Overall, we expect this month’s Patch Tuesday to be easy to deploy for organizations and individuals.

-Amol Sarwate, Manager, Vulnerability Research Lab, for Qualys