New Adobe Flash Addresses Attacks on Firefox

Adobe released a new version of its Flash Player fixing three vulnerabilities. The new version should be installed as soon as possible, as Adobe is aware of attacks occurring in the wild against two of the vulnerabilities. Interestingly, Adobe found these attacks to be directed against Firefox and to bypass the Firefox sandbox:

"Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content. The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target Flash Player in Firefox."
We recommend updating your installation of Flash as soon as possible, even if you are not using Mozilla’s Firefox browser.
Microsoft has updated KB2755801 for Internet Explorer 10 (IE10), which indicates that IE10 users are getting a new version of the browser as well. On Tuesday, Microsoft had made IE10 available to all Windows 7 users as an optional download, bringing enhanced speed and security to Windows 7.
Adobe states that Google Chrome users will also see automatic updates to their browser:
"Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.171 for Windows, Macintosh and Linux."
but I have not seen the update come out yet. Stay tuned – we will update the post as soon as we hear news on Chrome.

Chrome Beta 25 Promoted to Production

Yesterday Google promoted Chrome 25 from beta to production status and fixed nine high severity vulnerabilities. Google also disabled the MathML extension indicating that it is not ready for production use yet.

Earlier this week, Mozilla came out with Firefox 19, which now includes its own PDF reader, making installation of the frequently attacked Adobe Reader unnecessary, and which also fixes a number of vulnerabilities.
Two weeks ago, Microsoft published a new version of Internet Explorer that addressed a record 12 critical vulnerabilities.
I believe all of them are shoring up their defenses for the upcoming CanSecWest conference on March 6-8 in Vancouver, where the ZDI will hold its annual Pwn2Own competition. There, some of the world’s leading vulnerability and exploitation specialists compete for the fastest and most elegant way to break through browser defenses and take away a top prize of up to US$ 100,000 for browsers and US$ 75,000 for plug-ins, which are under fire for the first time in this competition.

Oracle updates the Java February 2013 CPU

Oracle released today Java 7 update 15, which fixes an additional five vulnerabilities (three critical) compared to the initial Java February Critical Patch Update (CPU). On February 1, Oracle had brought forward the release of Java 7 update 13, originally planned for today, to address vulnerabilities that were being attacked in the wild.

Java 6 was also updated and is now at update 41. Apple has released APPLE-SA-2013-02-19-1, which patches Java 6 for Mac OS X. While Apple does maintain Java 6 for the Mac, Java 7 is maintained directly by Oracle, and Mac users need to go to Oracle to install Java 7.
Oracle has scheduled the next update for April 16, in addition to the original schedules of June and October 2013.
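The Flash and Java posts above both boil down to one question for an administrator: is the installed build at or above the patched level? The script below is an added example, not code from the original posts or from Adobe, Oracle or Qualys. It takes the minimum patched builds named in the posts (Flash 11.6.602.171, Java 7 update 15, Java 6 update 41) and compares version strings against them, parsing the `java -version` banner format (`java version "1.7.0_13"`) and comparing numerically so that a build such as 11.6.602.171 is not mis-ordered against 9.x by a string compare. The "installed" version strings are constructed samples.

```python
"""Check installed Flash / Java builds against the patched levels from the posts.

Added example: minimum builds come from the page; every sample "installed"
version below is constructed for the demonstration.
"""
import re

# Minimum patched builds as stated in the posts (not an inventory of all versions).
MINIMUM_PATCHED = {
    "flash": (11, 6, 602, 171),   # Flash Player 11.6.602.171
    "java7": (1, 7, 0, 15),       # Java 7 update 15 == 1.7.0_15
    "java6": (1, 6, 0, 41),       # Java 6 update 41 == 1.6.0_41 (last update, EOL)
}


def parse_dotted(version: str) -> tuple:
    """'11.6.602.171' -> (11, 6, 602, 171); rejects anything that is not digits and dots."""
    if not re.fullmatch(r"\d+(\.\d+)*", version.strip()):
        raise ValueError(f"not a dotted version string: {version!r}")
    return tuple(int(part) for part in version.strip().split("."))


def parse_java_version(banner: str) -> tuple:
    """Extract (major, minor, patch, update) from 'java -version' output or a bare string.

    Accepts 'java version "1.7.0_13"' as well as '1.7.0_13'; a missing '_NN'
    update number is treated as update 0.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", banner)
    if not match:
        raise ValueError(f"no Java version found in: {banner!r}")
    major, minor, patch, update = match.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_patched(installed: tuple, minimum: tuple) -> bool:
    """Numeric, component-wise comparison; shorter tuples are padded with zeros
    so '11.6' is compared as 11.6.0.0 rather than truncating the minimum."""
    width = max(len(installed), len(minimum))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(installed) >= pad(minimum)


def check_flash(version: str) -> bool:
    """True if the Flash build is at or above the patched level from the post."""
    return is_patched(parse_dotted(version), MINIMUM_PATCHED["flash"])


def check_java(banner: str) -> bool:
    """True if a Java 6 or Java 7 install is at or above its patched level.

    A family the posts give no minimum for (anything other than 1.6 / 1.7)
    cannot be verified here and is reported as not patched.
    """
    version = parse_java_version(banner)
    family = {(1, 7): "java7", (1, 6): "java6"}.get(version[:2])
    if family is None:
        return False
    return is_patched(version, MINIMUM_PATCHED[family])


if __name__ == "__main__":
    # Constructed samples: one below and one at the patched level for each product.
    for flash in ("11.6.602.168", "11.6.602.171"):
        print(f"Flash {flash}: {'ok' if check_flash(flash) else 'UPDATE'}")
    for banner in ('java version "1.7.0_13"', 'java version "1.7.0_15"',
                   'java version "1.6.0_39"', 'java version "1.6.0_41"'):
        print(f"{banner}: {'ok' if check_java(banner) else 'UPDATE'}")
```

The comparison is done on integer tuples rather than on strings on purpose: a string compare would rank "9.0.280" above "11.6.602.171", which is exactly the kind of mistake that lets an old plug-in pass an inventory check.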

Adobe Reader 0-day – Update 3 – patched

Update 3:
Today, February 20, Adobe released the patch APSB13-07 for Adobe Reader and Acrobat. It addresses two CVEs (CVE-2013-0640, CVE-2013-0641) and should be rolled out immediately due to the attacks in the wild. Excellent turn-around time by Adobe.

Update 2:
Adobe announced a patch for Adobe Reader and Acrobat for next week, the week of February 18.

Users of the newest version of Adobe Reader, XI, can enable "Protected View" to mitigate the attack under Preferences, Security (Enhanced). Protected View opens the file in an additional sandbox that disables most of the advanced features of Adobe Reader XI, but it should be sufficient for reading normal PDF documents.


Adobe has acknowledged reports of a new 0-day for its Adobe Acrobat and Adobe Reader line. According to the initial report by the FireEye researchers who detected the attack, all currently supported versions (9, 10 and 11) are affected.

There is currently no information on workarounds available, short of not using PDF documents. Stay tuned for more updates.

February 2013 Patch Tuesday

The second Patch Tuesday of 2013 has a much higher volume than usual. There are 12 bulletins, five of which are critical, addressing a total of 57 vulnerabilities. But the majority are concentrated in two bulletins, one covering Internet Explorer (IE), the other one the Windows Kernel driver win32k.sys.

The two bulletins affecting IE are the highest priority. One of them, MS13-009, is referred to as the "core" IE update by Microsoft because it addresses a number of vulnerabilities directly in IE. It covers 13 bugs, all but one of them Remote Code Execution vulnerabilities that can be used by an attacker to gain control over a user’s machine via a drive-by download. That type of attack is common and is easily accomplished by surreptitiously installing malware on a Web surfer’s computer when he or she visits a page with malicious code on it.

The second bulletin also affecting IE, MS13-010, addresses a vulnerability in an ActiveX Dynamic-Link Library (DLL). It is rated critical and is quite urgent to fix because the vulnerability is being exploited in the wild. The bug is in the VML (Vector Markup Language) DLL, the ActiveX control for the largely unused XML-based standard format for two-dimensional vector graphics. VML has been patched twice before, in 2007 and 2011, and it would probably be safest to delete it altogether, but there does not seem to be a way to do this short of disabling all ActiveX processing. Both IE updates, core and VML, should be installed as quickly as possible.

Speaking of patching quickly: after last week’s Flash release from Adobe to address two 0-day vulnerabilities, today Adobe released yet another new version (APSB13-05) of its Flash plug-in, this time addressing 17 vulnerabilities. Users of IE 10 and Google Chrome will get updated automatically, because these two browsers integrate Adobe Flash in their sandboxes. By the way, Qualys' free […]

MS13-012 addresses vulnerabilities in the popular Outlook Web Access (OWA) component of Microsoft Exchange caused by the inclusion of the Oracle Outside-In libraries in Exchange. Attackers could exploit this vulnerability by sending a malicious document to a user. If the user opens it through OWA, the act of rendering the document infects the mail server, as it uses the vulnerable libraries. It is not the first time that the Oracle libraries have caused this problem in Exchange, and attackers might be quick to exploit this vulnerability. As a result, we recommend scheduling this patch as quickly as possible.

Here are a couple of other updates of note:

  • MS13-020 is a critical bulletin that affects only installations of Windows XP, which is on its way to becoming obsolete. If you are still running XP, you should make this patch a high priority and start planning for its replacement, as its end-of-life is set for April 2014.
  • MS13-011 is the last critical bulletin and fixes an issue in Windows that can only be exploited when a certain codec popular in Asian countries is installed. There is public PoC code available, so if you are in the target group you should prioritize accordingly.
  • MS13-016 is where the bulk of this month’s vulnerabilities reside. Security researcher j00ru from Google reported 30 new vulnerabilities in a Microsoft kernel driver, all of which can be used to gain system privileges on a machine over which the attacker already has some control. By the way, j00ru is also on the team that is credited with 15 of the vulnerabilities found in Adobe Flash.

February 2013 Patch Tuesday Preview

Today Microsoft published its Advance Notice for this month’s Patch Tuesday. But more importantly, Adobe released out-of-band a new version of its Flash Player that fixes two vulnerabilities that are already being exploited in the wild on both Windows and Mac OS X. Update your Flash installations as quickly as possible – users of Google Chrome and Internet Explorer 10 will get their Flash update automatically from Google and Microsoft respectively.

Now back to Microsoft itself. We are looking at a somewhat heavier Patch Tuesday, with 12 bulletins that will address a total of 57 vulnerabilities. Five of the bulletins have a severity of critical, including bulletin 1 and bulletin 2, which both address Internet Explorer vulnerabilities affecting all versions of IE from 6 to 10, including Windows RT running on the Surface tablet. Bulletin 3 is a critical operating-system-level bulletin for Windows XP, 2003 and Vista; users of the newer versions of Windows will not be affected. Bulletin 4 is the expected patch for Microsoft Exchange, which uses the Outside-In software library from Oracle that contains critical vulnerabilities and that Oracle updated in last month’s Critical Patch Update (CPU). The last critical vulnerability is covered by Bulletin 12 and affects only Windows XP, so again, users of the newer versions of Windows will be spared from having to apply that patch.

The remaining bulletins are all rated important and are mostly "Local Elevation of Privilege" type vulnerabilities, meaning that one already has to be on the targeted computer to be able to attack them. One exception is Bulletin 5, which can be used for Remote Code Execution. It affects the FAST indexing server for SharePoint and is also caused by Oracle’s update of the Outside-In libraries, which Microsoft uses for document conversion.

Oracle releases early CPU for Java 7

Acknowledging active exploit code in the wild for Java 7, Oracle decided to bring forward the release of the Java Critical Patch Update (CPU) for February 2013. Kudos to Oracle for deciding to release the CPU early rather than sticking to the original schedule of February 19th – definitely the right move with the security of its users in mind.

Apple had earlier blacklisted Java 7 Update 11 with an update to its XProtect mechanism.
Java 7 is now at update 13 and incorporates patches for over 50 vulnerabilities, with 44 of them addressing client-side vulnerabilities, which have been at the center of the security issues of the last month. If you run Java on the desktop, please deploy as fast as possible.
Java 6 is now at update 39, but is now at its end of life. Java 6 users should urgently prepare their update to Java 7, as Java 6 will not receive any further updates.