Tag Archives: Patches

Adobe fixes critical vulnerability in Flash

Filed under Patches, Software

Security updates 10.0.45.2 for the Adobe Flash Player and 1.5.3.1930 for AIR fix a critical security vulnerability which allows Flash applets to circumvent certain security functions in order to access other websites without obtaining the user’s permission. A specially crafted Flash file on a malicious web page could read data, including banking data or similar, displayed in other open browser windows.

Normally, Flash applications are only permitted to access resources on the server from which they have been loaded. In order to allow content to be loaded more flexibly, since version 7, the Flash framework has allowed ‘cross domain requests’. Sites serving Flash applets can create a crossdomain.xml file which specifies which external sites or servers the Flash applets are permitted to make requests from without requiring a warning to be displayed in Flash Player.

These are usually specified very tightly, with the website operator entering only domains operated by partners and other trusted websites. The current vulnerability appears to allow these restrictions to be circumvented so that a crafted Flash file can access objects on any website without requiring user clearance. Users should therefore install the Flash update as soon as possible.

The update also fixes a denial of service (DoS) vulnerability, no further details of which are given. Further tests are needed to determine whether this is the vulnerability that has remained unpatched for several months and for which Adobe recently apologised. The vendor originally intended to fix this vulnerability in the next major release, 10.1.

Source: The H Security

Microsoft: Emergency IE Patch Coming

Filed under Patches, exploit

Microsoft has started dropping broad hints that an emergency patch for Internet Explorer will be released very soon to counter targeted attacks and the publication of exploit code for a “browse and you’re owned” vulnerability in its flagship Web browser.

The out-of-band update will be released once the company is satisfied that it has been properly tested against all affected versions of Windows. This could happen as early as this weekend.

The decision to ship the IE patch outside of Microsoft’s scheduled Patch Tuesday releases follows the release of exploit code into the Metasploit attack tool.

The Metasploit code only works against Internet Explorer 6 but there are claims in the security research community that the vulnerability has been successfully exploited on IE7 (Windows Vista) as well as IE6 and on Windows XP.

The vulnerability was discovered during zero-day attacks against several big-name U.S. companies, including Google, Adobe and Juniper Networks. During those attacks, data-stealing malware exploited the flaw against systems running IE6 on Windows XP.

Microsoft says the ongoing attacks remain “targeted to a very limited number of corporations” and are only effective against Internet Explorer 6. However, with the exploit code now in Metasploit, malware purveyors could begin tinkering with exploits geared to newer versions of the browser.

Now, Microsoft is imploring its customers to upgrade immediately to IE 8. A special guidance page has been published to offer information on how to mitigate this vulnerability and avoid attacks.

Microsoft’s Security Research & Defense team has created and released a one-click “Fix It” tool to allow users to enable DEP (Data Execution Prevention) on older versions of the browser. DEP, a crucial anti-exploit mitigation, is enabled by default on IE8 only.

Source: ThreatPost

Oracle starts year with hefty patch update

Filed under Patches

IT administrators could be busy next Tuesday, after enterprise software giant Oracle announced a major monthly patch update, with 24 new security vulnerability fixes set to be released across hundreds of its products.

The news comes just days after Microsoft announced that it would be starting the year with one of its smallest Patch Tuesday releases ever – just one patch to fix a critical vulnerability in Windows 2000.

Oracle has listed 10 fixes for vulnerabilities in the Oracle Database, two of which may be remotely exploited without authentication, and three fixes for the Oracle Application Server.

Also at risk are the Oracle Applications Suite, with three new security fixes, the PeopleSoft and JD Edwards Suite, Primavera Products Suite, and BEA Products Suite, which has five new fixes lined up.

The highest CVSS 2.0 base score for vulnerabilities in this Critical Patch Update is 10.0 for vulnerabilities affecting Listener for Oracle Database Server, Oracle Secure Backup and Oracle JRockit, said the firm.

“This Critical Patch Update contains 24 new security vulnerability fixes across hundreds of Oracle products. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products,” noted a pre-release announcement by Oracle.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”

Source: v3.co.uk

Juniper fixes router DoS vulnerability

Filed under Firewalls, Patches

Networking supplier Juniper has released an update to fix a DoS vulnerability in its routers. The vulnerability can reportedly be exploited to force a router reboot using specially crafted TCP packets. For a successful attack, the packet must include a specific combination of TCP options and must be addressed to a service that is running on the router. However, the first TCP packet sent apparently already triggers the flaw. A full 3-way handshake is not required. Transit packets which are only being forwarded don’t cause the router to crash and reboot.

Since Juniper only makes advisories available to its customers and partners, no further details have officially become available. The independent “Praetorian Prefect” blog, however, offers information about the vulnerable versions. According to the blog, routers running JUNOS 9.x, 8.x or 7.x with a release date before the 28th of January 2009 are vulnerable. While versions 3.x, 4.x, 5.x and 6.x are also thought to be affected, these versions are no longer officially supported by the vendor.

No fully functional workaround apart from installing the update is said to be available – simply filtering TCP packets via the firewall is reportedly insufficient. Juniper recommends that customers implement anti-spoofing measures to detect packets with a bogus sender address. Various ISPs reportedly already updated their core routers at the beginning of January.

Source: H Online

Winamp 5.57 eliminates vulnerabilities

Filed under Software

Nullsoft has released version 5.57 of Winamp, the popular media player, closing several critical vulnerabilities that could be exploited to compromise a user’s system and fixing a number of bugs. According to security services provider Secunia, many of the problems were caused by boundary errors in the Module Decoder Plug-in (IN_MOD.DLL) that can be exploited to cause heap-based buffer overflows using a specially crafted “Impulse Tracker” file. For an attack to be successful, a victim must first open a manipulated media file.

Other vulnerabilities include an error when parsing PNG or JPEG data files, leading to memory corruption and an issue when parsing Oktalyzer files, leading to a heap-based buffer overflow. All versions up to and including 5.56 are reportedly affected.

Source: The H Online

PHP 5.2.12 closes security holes

Filed under Software

The PHP developers have released version 5.2.12 of their popular programming language, fixing over 60 bugs mainly to increase stability, but also closing some security holes. While PHP 5.3 has been available since mid 2009, backwards compatibility issues with various popular PHP applications have prevented many users from upgrading. Since, as a result, the 5.2 branch is still used on numerous systems, the developers continue to update this branch.

The current update particularly prevents attackers from bypassing the safe_mode and open_basedir security functions in connection with the tempnam() and posix_mkfifo() functions. The new max_file_uploads option prevents potential DoS attacks when uploading files by limiting the number of files per upload request. Furthermore, the $_SESSION variable is now less susceptible to manipulations, and the htmlspecialchars() PHP function for converting special characters in HTML code offers enhanced string checking.

Source: H-Online

Adobe to Patch Zero-Day Flaw on Jan 12

Filed under Hacks

Update to the ongoing story regarding the Adobe Acrobat/Reader exploit. Adobe is set to release a patch on January 12th, which is much too far away as the exploit code is already available via Metasploit and there are reported cases of this exploit being used in the wild.

Remember to Kill JavaScript in Adobe Reader to keep yourself safe.

Mozilla addresses critical bugs with Firefox 3.5.6

Filed under Patches, Software

The Mozilla developers have released version 3.5.6 of their open source Firefox web browser to address a total of seven vulnerabilities, three of them critical. According to Mozilla, the release “is a short-cycle security and sustained engineering release to fix several top crashing bugs”.

The update fixes a critical vulnerability in the browser engine used in Firefox that could cause a crash, possibly leading to memory corruption and the execution of arbitrary code. The other two critical bugs in liboggplay and the Theora video library could also lead to a crash and potentially execute arbitrary code on a victim’s computer. Additionally, one high risk vulnerability in which “NTLM credentials from one application could be forwarded to another arbitrary application via the browser”, two moderate risk issues related to the location bar and the chrome window.opener, and one low risk vulnerability, have been closed.

Mozilla has also released an update for the 3.0.x branch of Firefox, which will receive security and stability updates until January of 2010.

Source: The H Online

Microsoft knew of just-patched IE zero-day for months

Filed under Patches

Microsoft may not have hustled as fast as researchers thought when the company patched a zero-day bug in Internet Explorer (IE) just 18 days after exploit code went public.

According to VeriSign iDefense, Microsoft had information about the browser bug nearly six months before the researcher dubbed “K4mr4n” posted attack code to the Bugtraq security mailing list on Nov. 20.

iDefense’s Zero Day Initiative (ZDI), one of the two best-known bug bounty programs, reported the vulnerability to Microsoft on June 9, 2009, iDefense noted in an advisory published Wednesday.

IE6 and IE7, two versions of Microsoft’s browser that collectively accounted for approximately 39% of all browsers used last month, were the only editions affected by the vulnerability. The ancient IE 5.01 and the new IE8 were immune from the threat.

Three days after K4mr4n publicized the exploit proof-of-concept, Microsoft confirmed that the attack code worked, and issued a security advisory that provided some information about the bug. At no time, however, did it acknowledge it knew of the vulnerability, only going as far as to say it was investigating the issue.

Source: Computerworld

Two New Flaws Haunt Linux Kernel

Filed under Patches, Security

A pair of new kernel vulnerabilities are threatening the security of systems running current versions of several Linux distributions. One of the flaws gives a remote attacker the ability to crash vulnerable systems and the other leads to root privileges for a local attacker.

The most serious of the new vulnerabilities is a remote denial-of-service bug in the Linux kernel related to the way that the system handles large packets. During the IPv4 defragmentation process, the Linux kernel fails to handle oversized packets correctly, which causes the system to crash. A remote attacker could exploit this vulnerability to crash systems running the vulnerable versions of Linux.

There is also another Linux kernel bug that gives a local user the ability to gain root privileges on an affected system. The problem is in the Ext4 file system, which in some instances doesn’t check permissions correctly, and could allow a local user to overwrite files on the system and gain root access to the machine.

Ubuntu has released a new package, fixing these flaws, and Red Hat also has released updates to its affected Fedora versions.

Source: ThreatPost