Adobe has released two security bulletins to address vulnerabilities in Adobe Acrobat, Reader, and Flash Player.
The first bulletin, APSB10-06, is a security update for Adobe Flash Player and Adobe AIR that addresses a critical vulnerability. Exploitation of these vulnerabilities may allow an attacker to make unauthorized cross-domain requests. The bulletin indicates that the update also addresses a potential denial-of-service issue.
The second bulletin, APSB10-07, is a security advisory for Adobe Reader and Acrobat. This advisory indicates that Adobe is planning to release updates for Adobe Reader and Acrobat on February 16, 2010 to address critical security issues.
US-CERT encourages users and administrators to review Adobe Bulletins APSB10-06 and APSB10-07 and apply any necessary updates to help mitigate the risks.
US-CERT will provide additional information as it becomes available.
Tag Archives: patch
Apple releases patches for OS X security flaws
Filed under Security News
Tagged as 10.5, 10.6, Flash, holes, images, OpenSSL, OS X, patch, security, update
Tagged as 10.5, 10.6, Flash, holes, images, OpenSSL, OS X, patch, security, update
Vulnerabilities in OS X 10.5 and 10.6 were addressed in Apple's first security update of 2010, patching a dozen known security holes in the Mac operating system.
While five of the vulnerabilities were inherent in Apple's own software, the other seven were found in Adobe's Flash Player plug-in, which could lead to remote code execution and other serious issues. Experts say that Flash Player is fast developing a reputation as one of the most popular targets for would-be cyber criminals.
Media functionality was at the heart of the remaining problems as well, as Apple fixed vulnerabilities to maliciously crafted .mp4 audio files, .dng images, and .tiff images. The company's latest round of patches also fixed a months-old vulnerability in OpenSSL, which could have allowed attackers to breach network security and alter protected internet sessions.
PC Magazine security blogger Larry Seltzer questions the timing of the OpenSSL patch, since OpenSSL itself released a fix for the problem "almost immediately" after the discovery of the vulnerability. "It's not clear what took Apple so long," writes Seltzer.
While five of the vulnerabilities were inherent in Apple's own software, the other seven were found in Adobe's Flash Player plug-in, which could lead to remote code execution and other serious issues. Experts say that Flash Player is fast developing a reputation as one of the most popular targets for would-be cyber criminals.
Media functionality was at the heart of the remaining problems as well, as Apple fixed vulnerabilities to maliciously crafted .mp4 audio files, .dng images, and .tiff images. The company's latest round of patches also fixed a months-old vulnerability in OpenSSL, which could have allowed attackers to breach network security and alter protected internet sessions.
PC Magazine security blogger Larry Seltzer questions the timing of the OpenSSL patch, since OpenSSL itself released a fix for the problem "almost immediately" after the discovery of the vulnerability. "It's not clear what took Apple so long," writes Seltzer.
Security flaw in IE used to target U.S. firms in cyber attack
Filed under Security News
Tagged as attack, Cyber, IE, off-cycle, patch, repair, update, vulnerability
Tagged as attack, Cyber, IE, off-cycle, patch, repair, update, vulnerability
Microsoft announced yesterday that the cyber criminals who launched a large-scale assault on network security at multiple American firms did so via a vulnerability in the company's Internet Explorer browser software.
A security alert released by the company said that IE 6 installations running on some less commonly used versions of Windows were vulnerable, as well as IE 6, 7, and 8 installations on Windows XP, Vista, Server 2003/2008, and Windows 7. Microsoft has said that it is working on a solution and could release an off-cycle update to repair the vulnerability.
CNET reports that source code was stolen from over 30 U.S. firms targeted in the attack, including Adobe, Yahoo, Symantec, and Dow Chemical, though only Adobe has issued an official confirmation that it was attacked.
Experts say that setting IE's security features to maximum prevents the attack from gaining access to valuable personal or company data. According to PC Magazine, this implies the exploit targets IE's unprivileged context, outside of which it is unlikely to cause many problems.
A security alert released by the company said that IE 6 installations running on some less commonly used versions of Windows were vulnerable, as well as IE 6, 7, and 8 installations on Windows XP, Vista, Server 2003/2008, and Windows 7. Microsoft has said that it is working on a solution and could release an off-cycle update to repair the vulnerability.
CNET reports that source code was stolen from over 30 U.S. firms targeted in the attack, including Adobe, Yahoo, Symantec, and Dow Chemical, though only Adobe has issued an official confirmation that it was attacked.
Experts say that setting IE's security features to maximum prevents the attack from gaining access to valuable personal or company data. According to PC Magazine, this implies the exploit targets IE's unprivileged context, outside of which it is unlikely to cause many problems.
FreeBSD hit with local root vulnerability, patch rushed into service
Filed under Security News
Tagged as code, Critical, exploit, flaw, FreeBSD, Full Disclosure, Kingcope, local, malicious, patch, root, security, vulnerability
Tagged as code, Critical, exploit, flaw, FreeBSD, Full Disclosure, Kingcope, local, malicious, patch, root, security, vulnerability
The makers of open-source operating system FreeBSD released a hurried patch to correct what has been described as a critical security flaw affecting its local root system. The flaw could allow malicious code to be executed with full administrative rights on affected systems.
An exploit for the flaw, published on the Full Disclosure computer security mailing list, was created by a Full Disclosure user known by the online handle Kingcope. Kingcope writes that the "bug resides in the Run-Time Link Editor (rtld)" whose security provisions can be circumvented relatively simply.
Colin Percival, FreeBSD's security officer, recently announced the availability of an emergency patch, which fixes the vulnerability. Percival did warn, however, that due to the immediate need for a patch, the project was conducted with an eye to speed rather than accuracy, and emphasizes that downloading and using the patch is at the user's own risk.
The exploit is one of the first in recent memory published for an open-source OS; most recent published exploits have targeted Microsoft or Google products.
An exploit for the flaw, published on the Full Disclosure computer security mailing list, was created by a Full Disclosure user known by the online handle Kingcope. Kingcope writes that the "bug resides in the Run-Time Link Editor (rtld)" whose security provisions can be circumvented relatively simply.
Colin Percival, FreeBSD's security officer, recently announced the availability of an emergency patch, which fixes the vulnerability. Percival did warn, however, that due to the immediate need for a patch, the project was conducted with an eye to speed rather than accuracy, and emphasizes that downloading and using the patch is at the user's own risk.
The exploit is one of the first in recent memory published for an open-source OS; most recent published exploits have targeted Microsoft or Google products.
Apple patches Flash security vulnerability in Snow Leopard
Filed under Security News
Tagged as 10.6.1, Apple, Flash, Mac OS X, patch, Snow Leopard, vulnerability
Tagged as 10.6.1, Apple, Flash, Mac OS X, patch, Snow Leopard, vulnerability
Apple updated its Snow Leopard operating system, just released to much fanfare, to patch a security vulnerability in an older version of Adobe Flash Player that had shipped with the OS.
Apple published the update, Mac OS X v10.6.1, to bring Snow Leopard’s version of Flash up to 10.0.32.18, the latest and most secure version. Security researchers had warned that using the older version of Flash left Mac users vulnerable to malware attacks.
"Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted website," Apple said in its security bulletin.
Flash is responsible for running much of the video and animated content on websites.
Users can update to the latest Snow Leopard by visiting the Software Update window, then select the items to install and click Install.
Initial reports from Snow Leopard users indicated that compatibility issues were a problem for some users of HP printers. The Snow Leopard update fixes these compatibility issues and includes fixes for other minor problems, CNET News reported.
Apple published the update, Mac OS X v10.6.1, to bring Snow Leopard’s version of Flash up to 10.0.32.18, the latest and most secure version. Security researchers had warned that using the older version of Flash left Mac users vulnerable to malware attacks.
"Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted website," Apple said in its security bulletin.
Flash is responsible for running much of the video and animated content on websites.
Users can update to the latest Snow Leopard by visiting the Software Update window, then select the items to install and click Install.
Initial reports from Snow Leopard users indicated that compatibility issues were a problem for some users of HP printers. The Snow Leopard update fixes these compatibility issues and includes fixes for other minor problems, CNET News reported.
Apple patches Safari web browser security flaws
Apple issued six security bulletins on Tuesday for its Safari web browser, version 4.0.3, including a flaw in Top Sites that could allow an attacker to insert malicious sites in the browser for a phishing attack.
Safari 4's Top Sites feature allows users to see their favorite websites previewed within the browser. Apple said a security flaw in this feature could allow a malicious website to promote arbitrary sites into the Top Sites view through automated actions, including sites designed for stealing personal information in a phishing attack.
Apple said it addressed the issue by preventing automated website visits from affecting the Top Sites list.
"Only websites that the user visits manually can be included in the Top Sites list," Apple said in its security bulletin. "As a note, Safari enables fraudulent site detection by default. Since the introduction of the Top Sites feature, fraudulent sites are not displayed in the Top Sites view."
Another flaw in WebKit, the browser engine that drives Safari, could allow attackers to insert look-alike characters in URLs to direct users to phishing websites.
Last week, the company issued patches for Mac OS X 10.5.8, called Leopard. That update contained several non-security fixes for technical errors to the Safari web browser version 4.0.2.
Safari 4's Top Sites feature allows users to see their favorite websites previewed within the browser. Apple said a security flaw in this feature could allow a malicious website to promote arbitrary sites into the Top Sites view through automated actions, including sites designed for stealing personal information in a phishing attack.
Apple said it addressed the issue by preventing automated website visits from affecting the Top Sites list.
"Only websites that the user visits manually can be included in the Top Sites list," Apple said in its security bulletin. "As a note, Safari enables fraudulent site detection by default. Since the introduction of the Top Sites feature, fraudulent sites are not displayed in the Top Sites view."
Another flaw in WebKit, the browser engine that drives Safari, could allow attackers to insert look-alike characters in URLs to direct users to phishing websites.
Last week, the company issued patches for Mac OS X 10.5.8, called Leopard. That update contained several non-security fixes for technical errors to the Safari web browser version 4.0.2.
Adobe fixes Flash flaws caused by bad Microsoft code
Adobe issued web security patches yesterday for flaws in Flash Player and Shockwave that were caused by vulnerable code in the Microsoft Active Template Library (ATL), a code library included with Visual Studio for developing software.
Adobe said the flaws could allow a remote attacker to take control of a system. Adobe is making updates available for Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX to fix the security bugs. Adobe Shockwave Player 11.5.0.600 and earlier versions on Windows are also affected.
Microsoft earlier this week had patched the critical bugs in Visual Studio, which were related to an errant ampersand (&) in the code. But any software developed using the code remained vulnerable to attacks.
"We determined that Flash Player and Shockwave Player are the two products that leverage vulnerable versions of ATL," Adobe's security response team said on its blog.
Only Internet Explorer plug-ins are vulnerable to the Flash bug, so people using Flash Player within the Firefox browser or other Windows browsers are not vulnerable, Adobe said.
Hackers have actively targeted the Flash security holes using drive-by download or "browse-and-get-owned" attacks hosted on compromised websites.
Adobe said the flaws could allow a remote attacker to take control of a system. Adobe is making updates available for Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX to fix the security bugs. Adobe Shockwave Player 11.5.0.600 and earlier versions on Windows are also affected.
Microsoft earlier this week had patched the critical bugs in Visual Studio, which were related to an errant ampersand (&) in the code. But any software developed using the code remained vulnerable to attacks.
"We determined that Flash Player and Shockwave Player are the two products that leverage vulnerable versions of ATL," Adobe's security response team said on its blog.
Only Internet Explorer plug-ins are vulnerable to the Flash bug, so people using Flash Player within the Firefox browser or other Windows browsers are not vulnerable, Adobe said.
Hackers have actively targeted the Flash security holes using drive-by download or "browse-and-get-owned" attacks hosted on compromised websites.
Out-of-band patch coming for flaws in IE, Visual Studio
Microsoft alerted customers on Friday that it will be issuing web security patches on Tuesday for two critical vulnerabilities in Internet Explorer and Visual Studio, a suite of developer tools for creating web applications.
The fixes are "out of band," meaning Microsoft is issuing the patches outside of its normal monthly security update cycle.
On the company's security response center blog, Microsoft's Mike Reavey did not elaborate on the vulnerabilities, but said the Internet Explorer fix is designed to "address attack vectors related to the Visual Studio bulletin, as well as fixes for unrelated vulnerabilities that are rated Critical."
The Visual Studio fix relates to vulnerabilities affecting certain applications, Reavey said.
Customers who are up to date on security patches are protected from the vulnerabilities related to this patch, the company said.
Microsoft came under fire recently when it was revealed that the company had failed to disclose for more than a year a major security flaw in the Video ActiveX Control in IE, which IBM researchers warned the company about in spring 2008.
The fixes are "out of band," meaning Microsoft is issuing the patches outside of its normal monthly security update cycle.
On the company's security response center blog, Microsoft's Mike Reavey did not elaborate on the vulnerabilities, but said the Internet Explorer fix is designed to "address attack vectors related to the Visual Studio bulletin, as well as fixes for unrelated vulnerabilities that are rated Critical."
The Visual Studio fix relates to vulnerabilities affecting certain applications, Reavey said.
Customers who are up to date on security patches are protected from the vulnerabilities related to this patch, the company said.
Microsoft came under fire recently when it was revealed that the company had failed to disclose for more than a year a major security flaw in the Video ActiveX Control in IE, which IBM researchers warned the company about in spring 2008.
Mozilla plugs Firefox web browser security hole
Filed under Security News
Tagged as 3.5.1, Firefox, hole, Mozilla, patch, security, update, vulnerability
Tagged as 3.5.1, Firefox, hole, Mozilla, patch, security, update, vulnerability
Mozilla yesterday released an update to its web browser, Firefox 3.5.1, that patches a critical web security flaw that hackers could exploit in a browse-and-get-owned scenario.
"We strongly recommend that all Firefox 3.5 users upgrade to this latest release," Mozilla said on its blog.
Firefox 3.5 users will receive an automated update notification within 24 to 48 hours or can click on the "check for updates" tab under help, Mozilla said. Users who are still using older versions of Firefox are urged to download the updated browser from firefox.com.
Some web security experts raised questions about whether Mozilla had pushed out Firefox 3.5 too soon. When Firefox 3.5 was released at the end of June, it already had several known bugs.
"[The] goal of this release should be a quick turnaround that fixes topcrashes and bugs we almost held ship for," Mozilla said in notes when it released Firefox 3.5, according to Computerworld.com.
Andreas Gal, a Mozilla contributor, posted a comment on the vulnerability's Bugzilla entry stating that it appeared the hacker had created the attack after spotting discussions and test cases on Bugzilla.
"Looking at the exploit code and our test cases, I think this is self-inflicted and we should have hidden the bug earlier," Gal said.
"We strongly recommend that all Firefox 3.5 users upgrade to this latest release," Mozilla said on its blog.
Firefox 3.5 users will receive an automated update notification within 24 to 48 hours or can click on the "check for updates" tab under help, Mozilla said. Users who are still using older versions of Firefox are urged to download the updated browser from firefox.com.
Some web security experts raised questions about whether Mozilla had pushed out Firefox 3.5 too soon. When Firefox 3.5 was released at the end of June, it already had several known bugs.
"[The] goal of this release should be a quick turnaround that fixes topcrashes and bugs we almost held ship for," Mozilla said in notes when it released Firefox 3.5, according to Computerworld.com.
Andreas Gal, a Mozilla contributor, posted a comment on the vulnerability's Bugzilla entry stating that it appeared the hacker had created the attack after spotting discussions and test cases on Bugzilla.
"Looking at the exploit code and our test cases, I think this is self-inflicted and we should have hidden the bug earlier," Gal said.