Guest blog: Adobe, make my day. Disable JavaScript by default
July 5, 2010 by admin
Filed under Security News
Users around the world will be pleased to learn that Adobe has managed to release an accelerated security update for Adobe Reader and Acrobat (APSB10-15) before the planned release date (13th July). The latest version of Adobe Acrobat and Reader for Windows is now 9.3.3.
The security update includes fixes for 17 vulnerabilities, which means that the guys from Adobe PSIRT have been working very hard in the last month or so.
From the malware protection point of view the most important vulnerability patched with the latest update is CVE-2010-1297 which has been actively exploited since its discovery on June 5th.
Although the vulnerability affected Adobe Flash, the main vehicle for delivering malicious payloads was PDF files. A booby-trapped PDF file would contain a Flash animation to trigger the vulnerability, JavaScript code to create the memory layout that allows the exploit to launch its shellcode successfully and, ultimately, an encrypted executable payload to deliver the final functionality. This exploit is more complex than the usual exploits we have become used to in the last few years and it may mark a new trend in the direction of writing exploits and shellcode.
The common thread in most, if not all, Adobe exploits is the requirement for JavaScript, as exploits will work correctly only if JavaScript is enabled. This is why we recommend all users disable JavaScript in Adobe Acrobat and Reader.
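A triage check a defender could run on incoming PDFs for the combination described above (JavaScript together with embedded Flash), as an added example that is not part of the original post. The function names are hypothetical and the sample bytes are constructed; the scan only sees names in uncompressed objects, so an empty result does not clear a file.

```python
import re

# PDF name keys worth flagging during triage, and why a defender cares.
SUSPECT_NAMES = {
    "JS": "script", "JavaScript": "script",        # JavaScript actions
    "RichMedia": "flash",                          # embedded Flash / rich media
    "OpenAction": "auto-run", "AA": "auto-run",    # actions fired without a click
    "EmbeddedFile": "embedded-file",               # attached file stream
}

# A PDF name is "/" followed by bytes that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    plain = HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")

def triage(pdf_bytes: bytes) -> dict:
    """Count suspect names. Names inside compressed streams are NOT seen."""
    counts = {}
    for match in NAME_RE.finditer(pdf_bytes):
        name = decode_name(match.group(1))
        if name in SUSPECT_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts

def risk_flags(counts: dict) -> set:
    """Collapse per-name counts into the categories listed above."""
    return {SUSPECT_NAMES[name] for name in counts}

def matches_described_layout(pdf_bytes: bytes) -> bool:
    """True when a file carries both JavaScript and embedded Flash."""
    return {"script", "flash"} <= risk_flags(triage(pdf_bytes))

# Constructed samples (not real documents): object dictionaries only.
SAMPLE_SCRIPTED = (b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /RichMedia >> endobj\n")
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for label, data in (("scripted", SAMPLE_SCRIPTED), ("plain", SAMPLE_PLAIN)):
        print(label, triage(data), sorted(risk_flags(triage(data))))
```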
Critical Firefox security hole fixed – have you updated?
March 23, 2010 by admin
Filed under Security News
Mozilla has responded to concern about a critical security vulnerability in Firefox 3.6, by releasing version 3.6.2 of its popular browser ahead of schedule.
Firefox 3.6.2 fixes a vulnerability first discovered by security researcher Evgeny Legerov last month, which could allow hackers to launch malicious code on users’ computers.
As I blogged yesterday, concern about the bug was so high that the likes of the German government had advised internet users to switch to an alternative browser until a fix from Mozilla was available (at the time that fix was not scheduled until March 30th).
However, concern about the severity of the security flaw encouraged Mozilla to accelerate its release timetable.
If you are a Firefox 3.6 user, go to the Help menu and choose “Check for Updates” to update your installation of Firefox to the latest version. You can also visit www.getfirefox.com if you wish to download the full version.
I would also strongly recommend that all Firefox users consider using NoScript, the Firefox addon that provides a higher level of protection by allowing you to choose which websites are allowed to run active content (such as JavaScript).
By Graham Cluley, Sophos
Microsoft user? Adobe user? Update your systems now
October 14, 2009 by admin
Filed under Security News
As part of its regular “Patch Tuesday” cycle, Microsoft has released fixes for a number of its widely deployed products to patch critical security vulnerabilities.
Eight of the critical patches, addressing vulnerabilities in Windows, Microsoft Office, Internet Explorer, Silverlight, SQL Server, Forefront, Visual Studio, and other products, aim to stop hackers dead in their tracks from launching malicious attacks remotely.
A further five of the patches are classified as “important.”
In total, 34 security holes are fixed in what is Microsoft’s largest ever bundle of Patch Tuesday security updates.
Microsoft’s security response center has also released a chart, showing the severity of each vulnerability. “Red” means “critical” – in other words, that’s as bad as things get.
So the amount of “red” you see below should be a good indication of how serious these vulnerabilities are. If any more underlining of the importance were necessary, bear in mind that functioning code which exploits some of the vulnerabilities addressed by Microsoft’s patches has already been published.
You can learn much more about the patches in an advisory posted on Microsoft’s website.
Meanwhile, Adobe has also issued advice regarding critical vulnerabilities in Adobe Reader and Adobe Acrobat. Unlike the patches released by Microsoft, Adobe’s fixes cover Windows, Apple Mac OS X, and Unix/Linux.
In total, the Adobe fixes patch a stonking 29 vulnerabilities. Sophos has already seen malware which exploits some of the vulnerabilities affecting the Adobe PDF file format.
Over on his blog, Chet has some interesting things to say about these latest patches – looking in greater detail at some of the vulnerabilities, and questioning whether Adobe could learn a thing or two from Microsoft when it comes to responding to flaws in their code.
Whether you agree with Chet or not, one thing is clear – if you’re an affected Microsoft or Adobe user, you need to roll these patches out as a matter of priority.
by Graham Cluley, Sophos
September Patch Tuesday Fixes 5 Vulnerabilities, Leaves One Open
September 10, 2009 by admin
Filed under Security News

Microsoft’s monthly patch cycle for September has come out, and it’s something of a mixed bag for users. While there were only 5 advisories, all of them were rated as Critical by Microsoft, because if exploited all five could be used to execute arbitrary code on user systems.
The patches fix vulnerabilities in the JScript Scripting Engine (MS09-045), the DHTML Editing Component ActiveX control (MS09-046), the Windows Media Format runtime (MS09-047), the TCP/IP stack (MS09-048), and the Wireless LAN AutoConfig service (MS09-049). The following Microsoft operating systems are covered by at least one of these bulletins: Windows 2000, Windows XP, Server 2003, Server 2008, and Vista. The final versions of Windows 7 and Server 2008 R2 are not affected by any of these vulnerabilities.
The MS09-045 and MS09-046 vulnerabilities could affect users who visit malicious or compromised Web sites; MS09-047 affects users who open specially crafted media files. Meanwhile, MS09-048 and MS09-049 affect users who are directly sent malicious data. Microsoft has rated MS09-045 and MS09-047 as 1 on its Exploitability Index, which indicates that it believes exploit code can be consistently produced for these vulnerabilities by cybercriminals in the future.
However, Windows users are not out of the woods just yet. A separate vulnerability has been found in both Vista and Server 2008’s implementation of the Server Message Block (SMB) protocol, which is largely used to share files and printers. According to the official Microsoft bulletin, the vulnerability could be used to take complete control over affected systems, although to date the proof-of-concept code encountered can only crash and restart affected systems. Like the vulnerabilities patched during Patch Tuesday, final versions of both Windows 7 and Server 2008 R2 are not affected. (The Windows 7 Release Candidate is, however, affected.)
Microsoft has so far not issued a patch to cover this latest security flaw; it is not known either if such a patch will be issued out-of-cycle, or be held until next month’s regular update schedule.
Users should run Windows Update and see if their systems have been patched to protect against these vulnerabilities. For most systems, this should have taken place automatically, but it’s still an excellent idea to double-check.
Trend Micro OfficeScan users with the Intrusion Defense Firewall plugin installed should apply the recent filter update (IDF09-027). This version contains protection from attacks exploiting the five patched vulnerabilities, as well as other potential security risks.
by Jonathan Leopando from Trend Micro