Chrome has been updated to include the latest Flash, itself recently updated (outside the normal monthly update cycle) to fix a critical vulnerability. Luckily, if you use Chrome with Flash enabled, you don’t have to do anything; it will update itself.
Yesterday, Adobe released an update for the recently-discovered Flash security vulnerability CVE-2015-7645. Kudos to Adobe for acting quickly to fix this bug, which is being actively exploited on the web.
The new version of Flash (126.96.36.199) addresses the CVE-2015-7645 vulnerability and two others. Additional details are available in the associated security bulletin. Other changes in this version of Flash are described in a post on the Flash runtime announcement site.
As usual, Internet Explorer on newer versions of Windows will get the new version of Flash via Windows Update, and Chrome will update itself via its own auto-updater.
If you’re still using Flash in a web browser, you need to install this update as soon as possible.
Security researchers at Trend Micro have identified a new Flash exploit being used in targeted attacks against various government agencies. The exploit takes advantage of a previously unknown vulnerability in all versions of Flash, including the most recent, 188.8.131.52. It seems likely that the exploit will be used more widely in the near future.
Adobe quickly confirmed the vulnerability and announced in a security bulletin that a patch will be made available some time next week.
At this point one wonders whether there’s any code left in Flash that hasn’t been afflicted with security vulnerabilities at some point.
As always, if you can possibly live without Flash enabled in your browser, just disable it. If you need to use it, your best option is to configure your browser to always ask before displaying Flash content.
It’s a relatively light month for Microsoft, with only six bulletins, and associated updates affecting Windows, Windows Server, Internet Explorer, Office, and the new Windows 10 browser Edge. Three of the bulletins are flagged as Critical. The bulletin summary has all the details, and it includes a link to Microsoft’s Security Advisories page for 2015, which may be of some interest.
Meanwhile, Adobe’s contribution to this month’s patch pile is more updates for Flash and Reader/Acrobat. The new version of Flash is 184.108.40.206, and it addresses thirteen vulnerabilities. The release notes get into the details of what was changed, which includes a few bug fixes unrelated to security. As always, Chrome will update itself and Internet Explorer on newer versions of Windows will get the new Flash via Windows Update.
The newest versions of Adobe Reader are 11.0.13 for Reader XI, and 2015.009.20069 for Acrobat Reader DC. At least fifty-six vulnerabilities are addressed in these updates. Check out the related security bulletin for additional information.
A rogue version of the iPhone development tool XCode was found to have added malicious code to almost 500 legitimate apps. Those apps were published on the Apple App Store, and were subsequently installed by millions of iPhone and iPad users.
In other Apple-related news, a simple bypass for the Gatekeeper process, that protects Mac OS X users from malicious software, was discovered.
This month’s Flash updates prompted Brian Krebs to take another look at Adobe Shockwave. He found that even the most recent versions of Shockwave still contain very out of date versions of Flash, and strongly recommends that you remove Shockwave from all your computers.
A series of exploits against the Imgur and 8chan sites caused little damage, despite their enormous potential. The true goals of the hack are still in question, and the associated vulnerabilities on the affected sites have been fixed.
A researcher discovered several serious vulnerabilities in popular security software from Kaspersky Labs. While there’s no evidence of exploits in the wild, this is rather alarming. Anti-malware software typically has access to core system functionality, making working exploits very valuable to attackers. Kaspersky Labs acted quickly to fix the bugs, but this isn’t the first time security software has been found vulnerable, and likely won’t be the last.
A new botnet called Xor.DDoS is using compromised Linux computers to perform DDoS attacks against a variety of web sites, probably at the request of paying customers. The Linux computers hosting the botnet appear to have been compromised via weak root passwords. So far, most of the targets are in Asia. This marks a shift in platform for botnet developers, which previously focused almost exclusively on Windows.
There’s a new version of Flash. Version 220.127.116.11 addresses almost two dozen security vulnerabilities in previous versions. Yes, as fast as Adobe can plug one hole, another opens up. Happily, the web is already moving away from Flash. With any luck, five years from now Flash will be a distant memory.
If you still use a web browser with Flash enabled, you need to update Flash and any related browser extensions as soon as possible.
As usual, Internet Explorer on newer versions of Windows will get its own Flash updates via Windows Update, and Chrome will auto-update itself with the latest Flash.
Last month in security and privacy news…
A weakness was discovered in the open BitTorrent protocol, rendering torrent software vulnerable to being used to initiate DDoS attacks. The BitTorrent protocol flaw was quickly updated, and patches for affected software were developed and distributed.
Malvertising continued to spread, most recently affecting popular sites like weather.com, drudgereport.com, wunderground.com, and eBay. Anyone visiting those sites with an unpatched browser may have inadvertently caused their computer to be compromised. Needless to say, the malicious ads were built with Flash.
It was a bad month for Android, as one of the updates released by Google that were intended to fix the Stagefright flaw turned out to be faulty, leaving some devices still vulnerable, and forcing Google back to the drawing board. Security researchers also discovered a flaw in Android’s Admin program that allows apps to break out of the security ‘sandbox’ and access data that should be inaccessible. Two flaws in fingerprint handling were also found in many Android devices, leaving both stored fingerprints and the fingerprint scanner itself vulnerable. And finally, new research exposed the predictability of Android lock patterns, making this particular form of security much less effective.
Lenovo’s hapless blundering continued, with the discovery that many of their PCs were using a little-known BIOS technology to ensure that their flawed, insecure crapware gets installed even when the operating system is reinstalled from scratch. Will these bozos ever learn?
Jeff Atwood reported on a new danger: compromised routers. If an attacker gains control of your router, there’s almost no limit to the damage they can inflict. Worse, there are no tools for detecting infected routers. If your router is compromised, no amount of malware scanning on your network’s computers will help. You’re vulnerable until you realize that the router is the problem and replace it or re-flash its firmware.
Mozilla offered more details on planned changes to Firefox that are expected to improve the browser’s security, stability, and performance. These changes are likely to benefit Firefox users, but will come at a cost: many existing browser add-ons will become obsolete. Add-on developers will be forced to make big changes or retire their software. Certain types of add-ons may not even be possible with the changes Mozilla plans.
In privacy news, the Electronic Freedom Foundation (EFF) released version 1.0 of Privacy Badger, a Chrome and Firefox add-on that blocks tracking mechanisms used on the web. The add-on initially doesn’t block anything, but learns as you browse, detecting cookies that are used on more than one site and blocking them.
And in other EFF news, a new malware campaign uses spearphishing techniques to get targets to visit what is supposed to be an EFF web site but is in fact a source of virulent malware.
Google announced upcoming changes to Chrome that will prevent extension developers from using deceptive practices to trick users into installing their software. Specifically, the ‘inline installation’ process will no longer work for extensions that are associated with these deceptive techniques. This is a good example of a software maker (Google) backing away from a feature that improved usability at the cost of security.
Google also firmed up plans to prevent most Flash media from being displayed by default in Chrome. Flash media won’t be blocked, but users will be required to click on each embedded video before it will play. Google’s official reason for doing this is to improve Chrome’s performance, but the change should reduce the spread of malvertising as well. Of course, Google’s own advertising network still allows Flash-based ads, and those ads will still auto-play. Google’s advice to advertisers is to switch from Flash-based ads to HTML5-based ads, or move to Google’s ad network.
And finally, Ars Technica posted a useful overview and instructions for encrypting your desktop, laptop and mobile devices. Be warned, total device encryption is not for the faint-hearted and comes with certain risks. For example, if you forget to tell your IT person that your hard drive is encrypted and they try to recover your computer from a failure, you may lose everything, even if your data is backed up.
Ah, Patch Tuesday. Of all the tasks we have to perform, there’s nothing quite like it: it’s both tedious and critically important. I’m starting to consider enabling automatic updates, but given Murphy’s Law, no doubt the moment I do that, Microsoft will issue a catastrophic update.
This month we have fourteen updates from Microsoft, affecting the usual culprits (Windows, Internet Explorer, Office, Silverlight, .NET), plus a few new ones: Lync and Edge, the new web browser in Windows 10. Four of the updates are flagged as critical. The updates address a total of 58 vulnerabilities. The update for Silverlight brings its version to 5.1.40728.0. Several of the updates apply to Windows 10. One of the updates addresses a nasty bug that could allow an attacker to execute malicious code from a USB thumb drive.
Adobe is once again tagging along this month, releasing a new version of Flash (18.104.22.168) that addresses a whopping thirty-four vulnerabilities. Needless to say, you should install the new version as soon as possible if you still use Flash in any web browser. Internet Explorer 10 and 11 in Windows 8.x will receive the Flash update via Windows Update, as will the new Edge browser in Windows 10. Chrome will update itself to use the new version.
Adobe is trying desperately to keep Flash viable. In July, they announced structural changes that are expected to strengthen Flash’s overall security. The changes are so far only available in the most recent versions of Chrome, but they are expected to find their way into the other major browsers in August.
Asprox botnet status
There’s an interesting (though technical) overview of recent changes in the behaviour of the Asprox botnet over on the SANS Handler’s Diary. Apparently the botnet is no longer sending malware attachments, and is instead sending pornography and diet-related spam. Comparing my inbox contents with the samples in the linked article, it looks like most of the spam I currently receive is thanks to Asprox. Hopefully Asprox will be targeted by the anti-botnet heavy hitters in the near future.
Flaw in BIND could cause widespread issues
BIND is one of the most common pieces of software on Internet-facing servers. It translates human-readable addresses like ‘boot13.com’ into IP addresses. A bug in version 9 of BIND causes it to crash when a specially-crafted packet is sent to it. Attackers could exploit this bug to execute an effective Denial of Service (DoS) attack against a server running BIND9. Patches have been created and distributed, but any remaining unpatched servers are likely to be identified and attacked in the coming months. Update 2015Aug05: As expected, this bug is now being actively exploited.
Mobile versions of IE are vulnerable
Current, patched versions of Internet Explorer running on mobile devices were recently reported to have four flaws that could allow attackers to run code remotely. Exploits were published, although none have yet been seen in the wild. The vulnerabilities were disclosed by the HP/TippingPoint researchers who discovered them, six months after they privately reported them to Microsoft. Microsoft has yet to patch these vulnerabilities; they apparently feel that vulnerabilities are too difficult to exploit for them to be dangerous.
Stagefright vulnerability on Android devices
A flaw in Stagefright, a core Android software library that processes certain types of media, makes almost all Android phones and tablets vulnerable. The flaw can be exploited as easily as sending a specially-crafted text (MMS) message to a phone, but also by tricking the user into visiting a specific web site. Successful attackers can then access user data and execute code remotely. Unfortunately for users, it’s up to individual manufacturers to develop and provide patches, and this process may take months in some cases. There’s not much users can do to mitigate this problem until patches arrive. Update 2015Aug05: Google is working with its partners to push updates to affected mobile devices.
Mediaserver vulnerability on Android devices
More bad news for Android users: the mediaserver service apparently has difficulty processing MKV media files, and can render a device unusable when it encounters one on a malicious web site. In most cases, the device can be brought back to life by powering it down and back up again.
Android spyware toolkit widely available
And the hits just keep on coming for Android devices. Among the information revealed in the recent Hacking Team breach was the source code for an advanced Android spyware toolkit called RCSAndroid. Like everything else taken from Hacking Team’s systems, this has now been published, and no doubt malicious persons are working on ways to use the toolkit. There’s no easy way to protect yourself from this toolkit, aside from keeping your device up to date with patches. From Trend Micro: “Mobile users are called on to be on top of this news and be on guard for signs of monitoring. Some indicators may come in the form of peculiar behavior such as unexpected rebooting, finding unfamiliar apps installed, or instant messaging apps suddenly freezing.”