iPhone Ransom Message – WSWiR Episode 109

Iranian Social Hackers, XP Patch Hack, and iPhone Ransom Notes

Did you have time to follow security mailings lists, check out infosec news sites, or find that latest patches this week? If not, don’t worry. This weekly video blog will cover the top three computer security news items each Friday for you. Subscribe to this blog or the YouTube channel to stay informed.

This episode covers an Iranian hacking campaign where attackers pose journalists on social media sites, shares a tip about a Windows XP registry hack that could give you security updates until 2019, and highlights a recent iCloud attack that attackers are using to hold iPhones for ransom. Click play for the details, and check out the reference section for other stories.

(Episode Runtime: 7:38)

Direct YouTube Link: https://www.youtube.com/watch?v=sa-2RLe_sr4

Episode References:

• iPhone’s held ransom via iCloud – Help Net Security
• Registry hack allows for more XP security updates – Betanews
  • Microsoft warns against using the hack – MaximumPC
• Iranian hackers pose as journalists on social media to get info from targets – CNN

Extras:

• Spotify network suffers small breach, likely via android app – Spotify
• Pirated WatchDogs game contains bitcoin mining malware – Darknet.org
• Lawful intercept surveillance software contains backdoor – Ars Technica
• CryptoDefense (crytolocker copycat) uses Java exploit for DbD – TechWorld
• Ebay suffers from another vulnerability (less critical) – Gizmodo
• Zberp malware is a combination of Zeus and Carberp source – SC Magazine
• Chrome security improved by restricting extensions to Chrome store only – The Register
• Weird, mysterious post saying TrueCrypt is unsafe to use – Ars Technica
  • Follow up on weird TrueCrypt post – Ars Technica
• Microsoft launches MyBulletin for customized security patch info – Microsoft.com
• China retaliates to hacking accusation by fingering IBM – ComputerWorld
• POS botnet allegedly infecting lots of retailers – CBR Online
• HeartBleed issue targets Androids on Wifi – The Verge

— Corey Nachreiner, CISSP (@SecAdept)

New Releases: Fireware XTM 11.9 and Dimension 1.2

WatchGuard has posted major new software releases this month. We are pleased to announce that Fireware 11.9, WSM 11.9, and Dimension 1.2 are now available to download. WatchGuard’s newest releases give WatchGuard NGFW and UTM appliances – including XTM Series and Firebox T10 models – a host of new features. Highlights include:

APT Blocker – WatchGuard’s newest security module. Networks are vulnerable to advanced malware that relies on highly sophisticated detection evasion to hide their attacks. APT Blocker uses a cloud-based sandbox with full system emulation (CPU and memory) to detect and block advanced malware and zero day attacks that signature-only solutions miss.

WatchGuard Dimension™ is the award-winning security intelligence and visibility solution that is included at no charge with all WatchGuard network security solutions. Dimension 1.2 includes new reports for APT Blocker, performance enhancements, and translation into local languages.

Traffic Management: Fireware 11.9 enables administrators to preserve expensive Internet bandwidth connections for those business-critical applications that truly need it, with the ability to control and limit bandwidth use for applications, application categories, IP addresses, and VLANs.

Gateway Wireless Controller:  A new interactive, graphical wireless coverage map helps administrators to quickly achieve the optimal arrangement and configuration of wireless access points in their buildings.

Plus many, many more enhancements including IPv6 dynamic routing, custom DLP rules, Q-Radar SIEM integration, and custom network zones. Full details including screenshots are provided in the presentations: What’s New in 11.9 and What’s New in Dimension 1.2.

Does This Release Pertain to Me?

This release applies to the Firebox^® T10 and all XTM appliances, except XTM 21/21-W, 22/22-W, and 23/23-W appliances. Please read the Fireware 11.9 Release Notes and Dimension 1.2 Release Notes before you upgrade, to understand what’s involved and to see the complete list of all resolved issues and new enhancements in the software.

How Do I Get the Release?

XTM and Firebox T10 appliance owners who have a current LiveSecurity^® Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

• U.S. End Users: 877.232.3531
• International End Users: +1.206.613.0456
• Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller

Ebay Pwned – WSWiR Episode 108

Ebay Data Breach, IE8 0Day, and Alleged Chinese Hackers

With all the information security (InfoSec) news coming out each week, it’s hard to believe anyone can keep up with it; let alone an already busy IT professional with other things on his plate. If that sounds like you, rather than worrying about finding the most important security news you can let my weekly summary video fill you in.

Today’s episode covers the 145M record Ebay breach, and new zero day Internet Explorer (IE) 8 vulnerability released early by the supposedly good guys, and the Department of Justice’s official charges against five alleged Chinese government hackers. Check out the video below for the details, and peruse the Reference section for links to other InfoSec stories.

If you’re in the USA, enjoy your extended holiday weekend. See you next time…

(Episode Runtime: 8:00)

Direct YouTube Link: https://www.youtube.com/watch?v=Ib7nI1H13P8

Episode References:

• Ebay user data stolen in a network breach – Forbes
• ZDI Discloses IE8 0day since MS takes too long to patch – ZDI
  • Microsoft’s EMET tool – Microsoft
• US charges Chinese PLA members with hacking
  • US Accuses Chinese Military of Hacking… Hypocrisy? – The Register
  • Another view on the subject – TechCrunch
  • Meet the alleged Chinese PLA hackers – Telegraph
  • The actual DoJ release – Justice.gov

Extras:

• DHS warns of a successful SCADA attack to a US Public Utility – ICS Cert
• FBI cracks down on Blackshades (used for webcam peeping) trojan users – Malwaretech
• Apple release security update for Safari – Apple
• Remode code execution flaw fixed in MSN, Oragne, and Yahoo – CyberDefense Magazine
• Sweet Orange exploit kit distributing from GoDaddy subdomains in Russia – Dynamoo Blog
• Watch out for a somewhat sophisticated Google Drive phishing campaign – Help Net Security
• Hackers rumored to have defeated “Find my iPhone” – Intego
• Red Bull’s Racing website hacked and defaced – CyberWar Zone
• Miniduke (APT) still duking it out – WeLiveSecurity
• Filipino Anonymous hacktivists deface many Chinese sites – The Hacker News
• FBI wants to hire hackers, but too many smoke pot – WSJ
• Global botnet infecting POS systems – Computer World
• Pentagon announces “Hacker proof” drone (bad omen… nothing is hacker proof) – Naked Security

— Corey Nachreiner, CISSP (@SecAdept)

This Month’s Apple Updates Fix Mavericks and iTunes Security Flaws

As much as Apple would like you to think otherwise, their products are not immune to security vulnerabilities. If you use OS X Mavericks or iTunes, you’d best update.

This week, Apple released two security updates to fix vulnerabilities in OS X Mavericks and iTunes. The updates fix a wide range of vulnerabilities, including memory corruption flaws attackers could use to execute code. If you use OS X Mavericks or iTunes, you should download and install Apple’s updates immediately, or let their automatic Software Updater do it for your.

See the links below for more information about each update:

• May OS X Mavericks Security Update
• May iTunes 11.2 Security Release

If you’d like to keep up with Apple’s latest security updates, be sure to bookmark their Security page, and you can find links to all their patches on the Download page.— Corey Nachreiner, CISSP (@SecAdept)

TAO Hijack Routers – WSWiR Episode 107

Tons of Patches, NSA Booby-Trapped Routers, and Alleged Iranian Hackers

If you don’t have time to follow all the information security stories popping up each week, you can let our weekly video and blog post summarize the important stuff for you.

In today’s show, I recite the big list of security patches you need to get this week, talk about how the NSA is intercepting and hacking routers to foreigners, and weigh in on whether or not the security industry is blaming advanced attacks on “nation-state” actors a bit too freely. Press play on YouTube for all the details, and don’t forget to check out the Reference section for links to other interesting InfoSec stories.

Hope you have a great weekend, and be careful shopping online!

(Episode Runtime: 8:25)

Direct YouTube Link: https://www.youtube.com/watch?v=LdOHsV88z4Y

Episode References:

• Microsoft’s May Patch Day Summary – WGSC
  • May’s Internet Explorer (IE) alert – WGSC
  • Consolidated Office security alert – WGSC
  • Consolidated Windows security alert – WGSC
• Adobe’s May Patch Day Summary – WGSC
• Latest Chrome update fixes three critical vulnerabilities – ThreatPost
• Apple’s Patch Day Summary – WGSC
• More details on NSA’s TAO team intercepting and booby-trapping routers – The Guardian
• Fireeye’s Saffron Rose report on alleged Iranian nation-state sponsered hacking [PDF] – Fireeye
• Krypt3ia’s blog post saying Operation “Flying Kittens” is more likely normal hacktivists – Krypt3ia’s blog

Extras:

• Research on fake SSL certs used in MitM attacks (most actually security devices decrypting SSL)  – Linshunghuang.com
• Bitly shares details about breach, and promises two token authentication – Bitly
• Vulnerabilities found in Estonia’s online voting system – PCWorld
• Snowden explains why he asked Putin tough questions – The Guardian
• Teenager responsible for Krebs’ SWAT attacks arreseted – KrebsonSecurity
• DayZ developers network breached, source code allegedly stolen – Segmentnext.com
• Old EoP flaw finally fixed in Linux kernel – Ars Technica
• Main Dogecoin wallet temporarily shuts down due to breach – ITPortal
• GCHQ being sued for alleged mobile hacking – The Register
• Mozilla capitulates to DRM in Firefox – The Guardian
• CC skimmers found on stamp vending machines – KrebsonSecurity
• General Hayden accidentally admits that they kill using metadata – Youtube
• Google Docs click jacking flaw – M-austin Blog
• Elderwood gand still releasing more 0day IE exploits – ComputerWorld
• Fake AV found in Google and Microsoft’s online app markets – NetworkWorld

— Corey Nachreiner, CISSP (@SecAdept)

Four Windows Bulletins Fix Group Policy, .NET, and iSCSI Flaws

Severity: Medium

Summary:

• These vulnerabilities affect: All current versions of Windows (and related components like .NET Framework)
• How an attacker exploits them: Multiple vectors of attack, though most require authenticated attackers to do things locally
• Impact: In the worst case, an authenticated attacker can gain complete control of your Windows computer
• What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released four security bulletins describing five vulnerabilities in Windows and related components, such as the .NET Framework. An authenticated attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

• MS14-025: Group Policy Preferences Password Elevation of Privilege Flaw

Group Policy is the Windows feature that allows administrators to push configuration and settings to other Windows computers throughout their network. Group Policy Preferences are simply an extension of settings you can push via Group Policy. Microsoft’s alert describes a vulnerability in the way Active Directory sends password information with certain Group Policy Preferences. If you use Group Policy to set system administrator accounts, map drives, or run scheduled tasks—all things that require privileges—Group Policy stores an encrypted version of the password or credential needed for this task on the local computer. Local, authenticated attackers can then use that information to crack the password, and perhaps elevate their privileges. For instance, if you use your domain administrator account to run a particular scheduled task on every Windows computer network when it boots, local Windows users may have the information they need to crack your domain administrator account. That said, attackers would need valid credentials to log into one of your windows computers in order to exploit this flaw. So this primarily poses an insider risk.

Microsoft rating: Important

• MS14-026:  .NET Framework Elevation of Privilege Vulnerability

The .NET Framework is a software framework used by developers to create custom Windows and web applications. Though it only ships by default with Windows Vista, you’ll find it on many Windows computers.

The .NET Framework suffers from an unspecified elevation of privilege vulnerability. If an authenticated attacker can send specially crafted data to an app that uses .NET Remoting, he can exploit this flaw to execute code on that system with full system privileges.

Microsoft rating: Important

• MS14-027:  Windows Shell Elevation of Privilege Vulnerability

The Windows Shell is the primary GUI component for Windows. It suffers from a vulnerability having to do with its ShellExecute Application Programming Interface (API). If a local attacker can log in to one of your Windows systems and run a specially crafted program, he can exploit this flaw to execute code with local administrator privileges, thus gaining full control of the computer.

Microsoft rating: Important

• MS14-028:  Two iSCSI DoS Vulnerabilities

iSCSI is a standard that supports network based storage devices. The Windows iSCSI component suffers from two Denial of Service (DoS) vulnerabilities. By sending a large amount of specially crafted packets to the iSCSI service (TCP 3260), an attacker could exploit this flaw to cause the iSCSI service to stop responding. Of course, the attacker needs access to the iSCSI service, which most administrator might block with their firewall.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them. I especially recommend you test the Group Policy Preference update before deploy it, as it may slightly change the way Group Policy Preferences work.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

• MS14-025
• MS14-026
• MS14-027
• MS14-028

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as blocking TCP port 3260), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS14-025
• Microsoft Security Bulletin MS14-026
• Microsoft Security Bulletin MS14-027
• Microsoft Security Bulletin MS14-028

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

---

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Office Updates Include Patches for SharePoint Vulnerabilities

Severity: High

Summary:

• These vulnerabilities affect: Microsoft Office and related products like SharePoint Server
• How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents, or interacting with web resources
• Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
• What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix a number of vulnerabilities in Office, SharePoint, and related components. We summarize these security bulletins below, in order from highest to lowest severity.

• MS14-022: Multiple SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from both multiple remote code execution vulnerabilities and a cross-site scripting (XSS) flaw. The remote code execution flaws pose the most risk, and involve several unspecified input sanitation vulnerabilities in a number of SharePoint pages. If an authenticated attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges. Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. If you run SharePoint servers, you should patch this as quickly as you can.

Microsoft rating: Critical

• MS14-023: Office Remote Code Execution Flaw
  

Various Office components suffer from two publicly reported vulnerabilities. The worst is a remote code execution flaw involving the way Office’s “Grammar Checker” feature loads Dynamic Link Libraries (DLL). However, the flaw only affects Grammar Checker when the language is set to Chinese (Simplified). If a remote attacker can convince you to open an Office document that resides in the same directory (local or over a network) as a malicious DLL, she could exploit this flaw to execute code with your privileges. If you have local administrative access, the attacker gains complete control of your computer. However, this flaw will likely primarily affect Chinese Office users, which somewhat limits its impact. Office also suffers from something call a “token reuse” flaw, but it poses a lesser risk that the remote code execution one.

Microsoft rating: Important

• MS13-086:  MCCOMCTL ASLR Bypass Vulnerabilities
  

Office (and many other Microsoft products) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. Office’s MSCOMCTL component doesn’t enable ASLR protection. This means attackers can leverage this particular component to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. This update fixes the ASLR bypass hole.

Microsoft rating: Important

Solution Path:

Microsoft has released Office and SharePoint-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

• MS14-022
• MS14-023
• MS14-024

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of some of these vulnerabilities. Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS14-022
• Microsoft Security Bulletin MS14-023
• Microsoft Security Bulletin MS14-024

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

---

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

May’s IE Update Corrects Two New Memory Corruptions

Summary:

• This vulnerability affects: All current versions of Internet Explorer
• How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
• Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
• What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you

Exposure:

In a security bulletin released today as part of Patch Day, Microsoft describes two new vulnerabilities that affect all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

Though the two vulnerabilities differ technically, they share the same general scope and impact, and involve memory corruption flaws having to do with how IE handles certain HTML objects. If an attacker can lure one of your users to a web page containing malicious web code, he could exploit either of these memory corruption vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges. In that case, the attacker could exploit these flaws to gain complete control of the victim’s computer.

Technical differences aside, the memory corruption flaws in IE pose significant risk. You should download and install the IE cumulative patch immediately. Also note, this IE cumulative patch also includes a fix for the zero day IE flaw Microsoft fixed earlier, in an out-of-cycle update. If, for some reason, you haven’t applied that update yet, this is a good time to fix that serious zero day flaw.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block the memory corruption vulnerabilities described in Microsoft’s alert:

• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0310)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1815)

Your XTM appliance should get this new IPS 4.414 signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

• MS Security Bulletin MS14-029

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Patches for IE, Sharepoint, Office, and Windows

Calling all Microsoft administrators! It’s Microsoft Patch Day, and their security updates are available for download.

You know the drill by now. As they do every second Tuesday of the month, Microsoft has released May’s important security updates. You can find this month’s Patch Day highlights in Microsoft’s summary post, but here’s what you really need to know:

• Microsoft released eight bulletins, two rated Critical and the rest Important.
• The affected products include
  • Windows
  • Office
  • Internet Explorer (IE)
  • and Sharepoint Server.
• Attackers are apparently exploiting some of the Windows and IE vulnerabilities in the wild already, in what Microsoft calls “limited, targeted attacks.
• As expected, Windows XP users aren’t getting patches this month (or from hereafter).

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can. You can also let Windows’ Automatic Update do it for you. While I don’t recommend Automatic Update on servers (due to potential patch bugs), I do think you should enable it on your clients computers. As always, concentrate on installing the Critical updates as soon as you can (especially the IE one this month), and handle the others later.

I’ll share more details about today’s patches on the blog throughout the day, though these posts may be slightly delayed due to my participation in WatchGuard’s US Partner Summit.  — Corey Nachreiner, CISSP (@SecAdept).

Adobe Patch Day: Reader, Flash, and Illustrator Security Patches

Severity: High

Summary:

• These vulnerabilities affect: Reader and Acrobat, Flash Player, and Illustrator (CS6)
• How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
• Impact: Various results; in the worst case, an attacker can gain complete control of your computer
• What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released or updated three security bulletins that describe vulnerabilities in four of their popular software packages; Reader and Acrobat X, Flash Player, and Illustrator.

 

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize the Adobe security bulletins below:

• APSB14-15: Multiple Reader and Acrobat Code Execution Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes 11 vulnerabilities that affect Adobe Reader and Acrobat XI 11.0.06 and earlier, running on Windows and Macintosh.  Adobe only describes the flaws in minimal technical detail, but they do share that many of the flaws involve memory corruption issues that attackers could exploit to execute code. Most of these memory corruption flaws share the same scope and impact. If an attacker can entice one of your users into opening a specially crafted PDF file, he can exploit these issues to execute code on that user’s computer, inheriting the user’s privileges. If your users have root or system administrator privileges, the attacker gains complete control of their computer. If you use Reader, you should patch soon.

Adobe Priority Rating: 1 (Patch within 72 hours)

• APSB14-14: Half a Dozen Flash Player (and Air) Vulnerabilities

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android. It is also built into certain browsers, like Google and Internet Explorer (IE) 11.

Adobe’s bulletin describes six flaws in Flash Player 13.0.0.206 and earlier for all platforms. The vulnerabilities differ technically, and in scope and impact, but the worst could allow attackers to execute code on your users computers. Specifically, Flash Player suffers from a “use after free” vulnerability – a type of memory corruption flaw that attackers can leverage to execute arbitrary code. If an attacker can lure you to a web site, or get you to open documents containing specially crafted Flash content, he could exploit this flaw to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer. Though not as severe as the use after free flaw, the remaining flaws are all security bypass issues that could also help attackers further elevate their privileges after an attack.

Adobe Priority Rating: 1 (Patch within 72 hours)

• APSB14-011: Illustrator (CS6) Buffer Overflow Vulnerability

Illustrator is a very popular vector drawing program that ships with Adobe’s popular Creative Suite. It suffers from an unspecified buffer overflow vulnerability. Adobe doesn’t describe the flaw in technical detail, but we presume that it has something to do with handling specially crafted Illustrator files. If that’s the case, opening specially crafted files in Illustrator could allow attackers to execute code on your machine with your privileges. Attackers don’t often target Illustrator, so we don’t expect this vulnerability to get exploited much in the wild. Nonetheless, if you use Illustrator, you ought to patch it at your convenience.

Adobe Priority Rating: 3 (Patch at your discretion)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

• APSB14-15: 
  • Adobe Reader XI 11.0.07
    • For Windows
    • For Mac
  • Adobe Acrobat XI 11.0.07
    • Standard and Pro for Windows
    • Pro Extended for Windows
    • Pro for Mac
• APSB14-14: Download the latest Flash Player
• APSB14-11: Install the Illustrator Update [PDF instructions for update]

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

• Adobe Reader/Acrobat Security Update APSB14-15
• Adobe Flash Player Security Update APSB14-14
• Adobe Illustrator Security Update APSB14-11

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).