Adobe has issued a security advisory about an as-yet unpatched vulnerability in its popular Flash Player software, affecting users of Windows, Mac, Linux, Solaris and even Google Android.
The critical security hole could allow an attacker to take control of your computer and run malicious code.
The firm also confirmed that the vulnerability also affects Adobe Reader 9.3.4 for Windows, Mac and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Mac. The reason that Acrobat and Reader are also affected is because the programs support Flash content inside PDF files
The new warnings follow closely after news last week of another vulnerability in Reader and Acrobat that was being exploited by malware authors.
Adobe has announced that an update for Flash Player tackling the latest vulnerability is expected to be available during the week of September 27, and an update for Acrobat and Reader will be available the following week.
Last month, Sophos blogger Chet Wisniewski interviewed Brad Arkin, Adobe’s Senior Director of Product Security and Privacy, about the firm’s security strategy and their upcoming sandboxing technology.
You can also download the interview directly in MP3 format.
If you’re a user of Windows or Flash (and I would imagine that covers the vast majority of you) then it’s time to roll out the latest critical security patches, as Microsoft and Adobe have released updates to their software.
First up is Microsoft, who have released a bumper bundle of fixes as part of their regular “Patch Tuesday” cycle, issuing 14 bulletins to remedy 34 security holes in Windows, Internet Explorer, Microsoft Office, Silverlight, Microsoft XML Core Services and Server Message Block.
Eight of the bulletins have been Microsoft’s highest severity rating of “critical”, with the rest being labelled “important”.
The good news, as Chet Wisniewski explains, is that we haven’t yet seen any malware spreading by exploiting these vulnerabilities – but that may only be a matter of time.
Separately, Microsoft has also issued an advisory about a zero-day vulnerability, which could allow untrusted code to run on a user’s machine by exploiting a weakness in the Windows Service Isolation feature.
Meanwhile, another platform commonly targeted by malicious hackers has been updated to defend against security vulnerabilities.
Adobe has identified critical vulnerabilities in Adobe Flash Player version 10.1.53.64 and earlier, and urged users to update their installations of Flash and Adobe Air.
If you’re not sure which version of the Adobe Flash Player you have installed, visit the About Flash Player page. Remember that if you use more than one browser on your computer you should check the version number on each.
Since confirmed by Microsoft, there exists a vulnerability in versions of Windows which allows a maliciously-crafted Windows shortcut file (.lnk) run a malicious DLL file, simply by being viewed on a USB stick.
Furthermore, the attack can be initiated automatically by viewing an affected USB storage device via Windows Explorer, even with AutoRun and AutoPlay are disabled. The Microsoft Security Response Center (MSRC) says that the security hole can also be remotely exploited via WebDAV and network shares.
You can watch the following YouTube video where Chet shows the attack in action:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
In this case, the DLL executed carries a rootkit – helping hide the infection from prying eyes.
What is of particular concern, of course, is that other malicious hackers might try to exploit the vulnerability – as it would certainly be a useful tool in any malware’s arsenal. The chances of that occurring has increased over the weekend, as a hacker called Ivanlef0u published proof-of-concept code onto the internet.
In the past we’ve seen worms (Conficker is perhaps the most famous example) spread successfully via USB devices, which prompted many firms to disable AutoPlay.
There is a real risk that more malware will take advantage of the zero-day exploit now the code is “out there”, taking things to a whole new level.
So far, Microsoft has not made a patch available for the problem and has given no timeline as to when a proper fix will be available. However, I’m sure they are feverishly working on a security update for this critical vulnerability.
Adobe has issued a security bulletin detailing critical vulnerabilities that have been discovered in the current versions of Adobe Flash Player for Windows, Macintosh, Solaris and Linux.
An update issued by Adobe claims to resolve 32 vulnerabilities in Flash Player – which if left unpatched could leave open a door for hackers to infect innocent users’ computers. Some of the security holes are already being exploited by malicious hackers.
Adobe is recommending that users upgrade to Adobe Flash Player 10.1.53.64.
If you’re not sure which version of the Adobe Flash Player you have installed, visit theAbout Flash Player page. Remember that if you use more than one browser on your computer you should check the version number on each.
Adobe further recommends that users of Adobe AIR version 126.96.36.19930 and earlier versions update to Adobe AIR 2.02.12610.
It is becoming more and more common for cybercriminals to exploit vulnerabilities in Adobe’s software – so it would be a very good idea for everyone to update vulnerable computers as soon as possible.
Whether you own a Windows or Mac OS X computer, if you’re a user of Apple’s Safari browser, it’s time to update your computer against a swarm of security vulnerabilities.
With the attention of most Apple devotees diverted this week towards the sleek new iPhone 4, some may have missed that the Cupertino-based company has also issued a brand new version of its web browser, Safari.
Most interestingly to us, however, is the news that Safari 5.0 not only includes new functionality, but also plugs at least 48 different security vulnerabilities that (if left unpatched) could be exploited by hackers.
Mac OS X version 10.4 users (which Safari 5 doesn’t support) aren’t left in the lurch either. Apple has issued Safari version 4.1 for those customers, which addresses the same set of security issues.
A researcher has found a critical security flaw on Facebook that could be exploited by hackers to expose sensitive information about users.
M J Keith, a senior security analyst with security firm Alert Logic, discovered the vulnerability which could lead to private information being exposed, or users’ Facebook pages being maliciously defaced.
IDG security reporter Robert McMillan has explained the problem well:
The bug has to do with the way that Facebook checked to make sure that browsers connecting with the site were the ones they claimed to be. Facebook's servers use code called a "post_form_id" token to check that the browser trying to do something -- liking a group, for example -- was actually the browser that had logged into the account. Facebook's servers check this token before making any changes to the user's page, but Keith discovered that when he simply deleted the token from messages, he could change many settings on any Facebook account.
This is called a CSRF (Cross-site request forgery attack), which – if left unpatched – would allow hackers to set up malicious webpages that could submit instructions to the victim’s Facebook account without validation.
The consequence? Well, a hacker could make your hitherto private information public, or force your profile to “like” a Facebook group that you may find embarrassing.
M J Keith reports on AlertLogic’s website that he informed Facebook of the problem on the 11th of May, and that the problem has now been fixed.
However, IDG has reported that the security hole is still present.
Hopefully, if it’s not already patched, this privacy flaw – which comes at an embarrassing time for Facebook – will be removed soon.
If you’re a regular user of Facebook, you could do a lot worse than join the Sophos page on the site to ensure you are kept up-to-date with the latest security news. Oh, and remember to be careful about clicking on suspicious links..
By Graham Cluley, Sophos
It was “Patch Tuesday” yesterday, which means another parcel of security updates for computer users to unwrap, and this time the fixes aren’t just from Microsoft, but from Adobe too.
First on the menu is Microsoft, which has served up two security bulletins detailing vulnerabilities that could be exploited by hackers to execute malicious code (such as a worm) on your computer.
The first of these security holes exists in Outlook Express, Windows Mail, and Windows Live Mail. Microsoft’s Security Research & Defense blog goes into some detail about the vulnerability, explaining that although the security hole is given a “critical rating” on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008, it is considered less serious for Windows 7 users as Windows Live Mail is not installed by default on that platform.
The other patch from Microsoft addresses a vulnerability in Visual Basic for Applications, a component used by Microsoft Office and other third-party products. Microsoft has given this security update its highest possible rating – “Critical” – for all supported versions of Microsoft Visual Basic for Applications SDK and third-party applications that use Microsoft Visual Basic for Applications. It is also rated “Important” for all supported editions of Microsoft Office XP, Microsoft Office 2003, and the 2007 Microsoft Office System.
Next up is Adobe, who have released patches to squash over 20 security vulnerabilities in its Shockwave and ColdFusion products.
The critical vulnerabilities identified in Adobe Shockwave Player 188.8.131.526 and earlier versions impact both Windows and Macintosh users, and could allow attackers to run malicious code on your computer.
Adobe recommends that users update their version of Adobe Shockwave Player to version 184.108.40.2069.
Details of the ColdFusion vulnerabilities, classed as “important”, are provided in Adobe Security Bulletin APSB10-11.
Enough of waffle. Download and install the patches if your computer is affected.
By Graham Cluley, Sophos
Facebook has taken down its instant messaging-style system which allows members to chat real-time with each other after claims that the system suffers from a serious security problem.
According to a report by TechCrunch, a security flaw allows your Facebook friends to secretly spy on your private live chats as well as any see any pending friend requests that you have made.
In the past Facebook has insisted that privacy is its “highest priority”, but there isgrowing concern that the site has played fast and loose with the personal information of its 400 million users, encouraging them to share too much private data online and changing privacy settings to be more “open”.
A video has been posted on YouTube which allegedly demonstrates the security hole:
The news that Facebook has disabled its chat system suggests that they are working on fixing the security problem. Hopefully it will be resolved quickly.
But even if this security issue is fixed promptly there are other security issues on Facebook, as with any other social network, that need to be considered if you plan on continuing to use the site. Make sure you read our guidelines for better security and privacy on Facebook.
Oh, and you might want to become a Fan of Sophos on Facebook too to ensure you are kept up-to-date with the latest security news.
by Graham Cluley, Sophos
On Tuesday April 13th it’s not only the regular appointment for system administrators around the world to expect the latest bunch of monthly security updates from Microsoft, it will also be time for a scheduled quarterly update from Adobe for its reader and Acrobat products.
Adobe says that its upcoming update to Adobe Reader and Acrobat 9.3.2 and 8.2.2 will utilise its new updater technology on Windows and Mac – previously only enabled for selected beta-testers.
Windows users will find an option to “Automatically install updates” on their Preferences/Updater tab. Alternatively they can select “Automatically download updates, but let me choose when to install them” or “Do not download or install updates automatically” (These last two options are the only choices presently available on the Mac version).
Adobe’s Steve Gottwals describes the new updating feature as a demonstration that user security is a key priority for the company. It is hoped that in the future Adobe’s PDF-handling software will include a screen prompting end-users to select auto-update to ensure further updates occur automatically behind the scenes.
The majority of attacks we are seeing are exploiting software installations that are not up-to-date with the latest security fixes. We therefore believe that the automatic update option is the best choice for most end-users. We are currently evaluating options for the best long-term solution for users, which could involve presenting the user with an opt-in screen for the automatic update option as part of the next phase in the roll-out.
Chances are that these new update preferences will be more eagerly welcomed amongst home users than corporations – as firms often wish to test security updates before rolling them out across their entire organisation.
But the security community as a whole should probably give this new Adobe feature a thumbs-up – if the new feature works as advertised it sounds like it will definitely be a step in the right direction. Let us hope that more of Adobe’s customers will do a better job of keeping their systems up-to-date as a result of this enhancement.
It’s also of note that there is no news yet of an auto-updating facility for Flash – another Adobe technology that is frequently exploited by hackers. Lets hope that that isn’t too far away.
Although Tuesday’s Adobe updates will resolve critical security issues in its Acrobat and Reader products, it is not yet known if the currently high profile PDF /Launch security hole will be amongst them.
By Graham Cluley, Sophos
Mozilla has responded to concern about a critical security vulnerability in Firefox 3.6, by releasing version 3.6.2 of its popular browser ahead of schedule.
Firefox 3.6.2 fixes a vulnerability first discovered by security researcher Evgeny Legerov last month, which could allow hackers to launch malicious code on users’ computers.
As I blogged yesterday, concern about the bug was so high that the likes of the German government had advised internet users to switch to an alternative browser until a fix from Mozilla was available (at the time that fix was not scheduled until March 30th).
However, concern about the severity of the security flaw encouraged Mozilla to accelerate its timetable for release and speed up the schedule.
If you are a Firefox 3.6 user, go to the Help menu and choose “Check for Updates” to update your installation of Firefox to the latest version. You can also visit www.getfirefox.com if you wish to download the full version.
By Graham Cluley, Sophos