Adobe released a new version of its Flash Player fixing three vulnerabilities. The new version should be installed as soon as possible, as Adobe is aware of attacks occurring in the wild against two of the vulnerabilities. Interestingly, Adobe found these attacks to be directed against Firefox and bypassing the Firefox sandbox:
Yesterday Google promoted Chrome 25 from beta to production status and fixed nine high-severity vulnerabilities. Google also disabled the MathML extension, indicating that it is not ready for production use yet.
Oracle today released Java 7 update 15, which fixes an additional five vulnerabilities (three critical) on top of the initial Java February Critical Patch Update (CPU). On February 1, Oracle had brought forward the release of Java 7 update 13, originally planned for today, to address vulnerabilities that were being attacked in the wild.
Today, February 20, Adobe released the patch APSB13-07 for Adobe Reader and Acrobat. It addresses two CVEs (CVE-2013-0640, CVE-2013-0641) and should be rolled out immediately because of the attacks in the wild. Excellent turn-around time by Adobe.
Users of Adobe Reader XI, the newest version, can enable "Protected View" to mitigate the attack by going to Preferences, Security (Enhanced). Protected View opens the file in an additional sandbox that disables most Adobe Reader XI advanced features, but should be sufficient for reading normal PDF documents.
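For administrators who would rather set this than click through Preferences on every machine, here is an added PowerShell example (not from the original post and not Adobe's own tooling) that reads and then enforces the Reader XI Protected View and Protected Mode preferences for the current user. It assumes the preference layout Adobe documents for Reader 11.0 (HKCU\Software\Adobe\Acrobat Reader\11.0\TrustManager\iProtectedView with 0 = off, 1 = files from potentially unsafe locations, 2 = all files; and HKCU\Software\Adobe\Acrobat Reader\11.0\Privileged\bProtectedMode with 1 = on); the function names are this example's own, and the key names should be checked against Adobe's preference reference for your release before deploying.

```powershell
# Added example, not part of the original post. Assumed preference layout for
# Adobe Reader XI (11.0); verify against Adobe's preference reference first.
$base  = 'HKCU:\Software\Adobe\Acrobat Reader\11.0'
$trust = Join-Path $base 'TrustManager'   # iProtectedView: 0 = off, 1 = unsafe locations, 2 = all files
$priv  = Join-Path $base 'Privileged'     # bProtectedMode: 1 = sandbox (Protected Mode) on

function Get-ReaderSandboxState {
    # Returns the current Protected View / Protected Mode settings, noting when a value is absent.
    $pv = (Get-ItemProperty -Path $trust -Name iProtectedView -ErrorAction SilentlyContinue).iProtectedView
    $pm = (Get-ItemProperty -Path $priv  -Name bProtectedMode -ErrorAction SilentlyContinue).bProtectedMode
    [pscustomobject]@{
        ProtectedView = if ($null -eq $pv) { 'not set (Reader default: off)' } else { $pv }
        ProtectedMode = if ($null -eq $pm) { 'not set (Reader default: on)' }  else { $pm }
    }
}

function Set-ReaderProtectedView {
    # Level 2 = open every PDF in Protected View; 1 = only files from unsafe locations.
    param([ValidateSet(0, 1, 2)][int]$Level = 2)

    foreach ($key in $trust, $priv) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    New-ItemProperty -Path $trust -Name iProtectedView -PropertyType DWord -Value $Level -Force | Out-Null

    # Protected View layers on top of Protected Mode; make sure the sandbox itself stays on,
    # otherwise the Protected View setting buys nothing.
    New-ItemProperty -Path $priv -Name bProtectedMode -PropertyType DWord -Value 1 -Force | Out-Null
}

'Before:'; Get-ReaderSandboxState
Set-ReaderProtectedView -Level 2
'After:';  Get-ReaderSandboxState
```

Reader picks the change up on its next start. Note that this only configures the current user's profile; to lock the setting for all users on a managed fleet, the same preferences are pushed under the machine-wide FeatureLockDown policy key that Adobe documents for enterprise deployments (again, check the exact path for your release), and a setting written there overrides anything the user chooses in Preferences.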
Adobe has acknowledged reports of a new 0-day for its Adobe Acrobat and Adobe Reader line. According to the initial report by the FireEye researchers who detected the attack, all currently supported versions (9, 10 and 11) are affected.
There is currently no information on workarounds available, short of not using PDF documents. Stay tuned for more updates.
The second Patch Tuesday of 2013 has a much higher volume than usual. There are 12 bulletins, five of them critical, addressing a total of 57 vulnerabilities. But the majority are concentrated in two bulletins, one covering Internet Explorer (IE), the other the Windows kernel driver win32k.sys.
The two bulletins affecting IE are the highest priority. One of them, MS13-009, is referred to by Microsoft as the "core" IE update because it addresses a number of vulnerabilities directly in IE. It covers 13 bugs, all but one of them Remote Code Execution vulnerabilities that an attacker can use to gain control over a user's machine via a drive-by download. That type of attack is common and easily accomplished: malware is installed surreptitiously on a web surfer's computer when he or she visits a page carrying malicious code.
The second bulletin affecting IE, MS13-010, addresses a vulnerability in an ActiveX Dynamic-Link Library (DLL). It is rated critical and is quite urgent to fix because the vulnerability is being exploited in the wild. The bug is in the VML (Vector Markup Language) DLL, the ActiveX control for the largely unused XML-based standard format for two-dimensional vector graphics. VML has been patched twice before, in 2007 and 2011, and it would probably be safest to remove it altogether. Short of disabling all ActiveX processing there is no clean way to do that, although Microsoft has in earlier VML advisories listed unregistering the VML library (vgx.dll) with regsvr32 as an interim workaround, which takes only VML out of the picture rather than all of ActiveX. Both IE updates, core and VML, should be installed as quickly as possible.
Speaking of patching quickly: after last week's Flash release from Adobe to address two 0-day vulnerabilities, Adobe today released yet another new version (APSB13-05) of its Flash plug-in, this time addressing 17 vulnerabilities. Users of IE 10 and Google Chrome will get updated automatically, because these two browsers integrate Adobe Flash into their sandboxes. By the way, Qualys' free

MS13-012 addresses vulnerabilities in the popular Outlook Web Access (OWA) component of Microsoft Exchange, caused by the inclusion of the Oracle Outside-In libraries in Exchange. Attackers could exploit this vulnerability by sending a malicious document to a user. If the user opens it through OWA, the document is rendered on the mail server by the vulnerable libraries, so the act of rendering it compromises the server itself. It is not the first time that the Oracle libraries have caused this problem in Exchange, and attackers may be quick to exploit this vulnerability. As a result, we recommend scheduling this patch as quickly as possible.
Here are a couple of other updates of note:
- MS13-020 is a critical bulletin that affects only installations of Windows XP, which is on its way to becoming obsolete. If you are still running XP, you should make this patch a high priority and start planning for its replacement as its end-of-life is set for April 2014.
- MS13-011 is the last critical bulletin and fixes an issue in Windows that can only be exploited when a certain codec popular in Asian countries is installed. Public PoC code is available, so if you are in the target group you should prioritize accordingly.
- MS13-016 is where the bulk of this month's vulnerabilities reside. Security researcher j00ru from Google reported 30 new vulnerabilities in a Microsoft kernel driver, all of which can be used to gain SYSTEM privileges on a machine over which the attacker already has some control. BTW, j00ru is also on the team credited with 15 of the vulnerabilities found in Adobe Flash.
Today Microsoft published its Advance Notification for this month's Patch Tuesday. But more importantly, Adobe released out-of-band a new version of its Flash Player that fixes two vulnerabilities already being exploited in the wild on both Windows and Mac OS X. Update your Flash installations as quickly as possible. Users of Google Chrome and Internet Explorer 10 will get their Flash update automatically from Google and Microsoft respectively.
Now back to Microsoft itself. We are looking at a somewhat heavier Patch Tuesday, with 12 bulletins addressing a total of 57 vulnerabilities. Five of the bulletins are rated critical, including Bulletin 1 and Bulletin 2, which both address Internet Explorer vulnerabilities affecting all versions of IE from 6 to 10, including on Windows RT running on the Surface tablet. Bulletin 3 is a critical operating-system-level bulletin for Windows XP, 2003 and Vista; users of the newer versions of Windows are not affected. Bulletin 4 is the expected patch to Microsoft Exchange, which uses the Outside-In software library from Oracle; that library contains critical vulnerabilities that Oracle fixed in last month's Critical Patch Update (CPU). The last critical vulnerability is covered by Bulletin 12 and affects only Windows XP, so again, users of the newer versions of Windows are spared from having to apply that patch.
The remaining bulletins are all rated important and are mostly "Local Elevation of Privilege" vulnerabilities, meaning that an attacker already has to be on the targeted computer to exploit them. One exception is Bulletin 5, which can be used for Remote Code Execution. It affects the FAST Indexing server for SharePoint and is also a consequence of Oracle's update of the Outside-In libraries, which Microsoft uses for document conversion.
Acknowledging active exploit code in the wild for Java 7, Oracle decided to bring forward the release of the Java Critical Patch Update (CPU) for February 2013. Kudos to Oracle for releasing the CPU early rather than sticking to the original schedule of February 19: definitely the right move with the security of its users in mind.