SANS Internet Storm Center has raised its Infocon threat rating from green to yellow in response to the recent zero-day vulnerabilities in Flash. From the associated post:
“Our reasoning is that the Adobe Flash Player is very widely installed, the vulnerability affects multiple platforms, remote code execution gives the attacker complete control of the system, the patch is not yet available, it affects both organizational IT systems as well as home or soho users, a crimeware kit is actively exploiting the vulnerabilities, people might mistakenly believe that the patch from yesterday fixes all of the issues, and last but not least mitigation through the use of EMET or other tools/means is not normally feasible for home users or quick deployment in enterprise environments without testing. In short, the high impact of these vulnerabilities being exploited warrants raising the Infocon from now until Monday.”
The Infocon rating is displayed in the left sidebar of this web site.
Microsoft needs to understand that it’s on the wrong side of this battle. Vulnerabilities must be patched quickly, and absent any incentive, big companies like Microsoft, Oracle and Adobe will take increasingly long periods of time to produce patches. Ninety days is plenty of time.
VLC is one of the most popular media players; it’s cross-platform, and has a reputation for being able to play almost any kind of media. Given its popularity, unpatched vulnerabilities in VLC are likely to make attractive targets to malicious hackers.
Two vulnerabilities in VLC, CVE-2014-9597 and CVE-2014-9598, have yet to be acknowledged by VLC’s developers. Both are memory corruption bugs that can allow an attacker to execute arbitrary code on the target system.
Note that these vulnerabilities affect only VLC running on Windows XP, and only when playing FLV and M2V files.
If you use VLC, you should exercise extreme caution when playing media from sources not known to be safe.
On Thursday, Adobe announced an update that addresses a recently discovered vulnerability in Flash. According to Adobe, the vulnerability addressed by Flash 16.0.0.287 is CVE-2015-0310.
Anyone using a web browser with Flash enabled should install the new Flash as soon as possible.
Apparently there is at least one additional vulnerability in Flash that affects even the most current version (16.0.0.287) and is currently being exploited in the wild. This zero-day vulnerability is identified as CVE-2015-0311. Adobe says it is working on a patch, which should be available in the next few days.
SANS has a useful summary of the recent updates and vulnerabilities related to Flash.
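Keeping track of which Flash build is still exposed to which CVE is easy to get wrong when version strings are compared as text. The following is an added example, not code from the original post, from Adobe or from SANS: it takes the two facts stated above (CVE-2015-0310 is fixed in 16.0.0.287; CVE-2015-0311 has no fix yet) as a small table and reports which of them a given installed build is still open to. The function and table names are my own, and the script assumes Flash versions are dotted numeric strings like 16.0.0.287.

```python
"""Flag a Flash Player build against the advisories in the post above.

Added example; the advisory table is built only from the post's own
statements as of its date, and the names here are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# Constructed from the post: CVE -> first build that fixes it (None = no fix yet).
FLASH_ADVISORIES: Dict[str, Optional[str]] = {
    "CVE-2015-0310": "16.0.0.287",
    "CVE-2015-0311": None,  # still unpatched as of the post; every build counts
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.0.0.287' into (16, 0, 0, 287) so comparisons are numeric.

    Comparing the raw strings is the classic mistake: '16.0.0.287' sorts
    *after* '16.0.0.1000' lexically, although build 1000 would be newer.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_at_least(installed: str, required: str) -> bool:
    """True when installed >= required; shorter versions are zero-padded."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def unpatched_cves(installed: str,
                   advisories: Dict[str, Optional[str]] = FLASH_ADVISORIES) -> List[str]:
    """Return the CVEs from the table that the installed build is still open to."""
    open_cves = []
    for cve, fixed_in in advisories.items():
        # No fixed build published yet, or installed build predates the fix.
        if fixed_in is None or not is_at_least(installed, fixed_in):
            open_cves.append(cve)
    return sorted(open_cves)


if __name__ == "__main__":
    # The two builds mentioned in the posts on this page.
    for build in ("16.0.0.257", "16.0.0.287"):
        print(build, "still exposed to:", unpatched_cves(build) or "nothing in the table")
```

Because CVE-2015-0311 has no fixed-in build in the table, every version comes back as exposed to it, which is exactly the state the post describes: the only real mitigation until Adobe ships the patch is to disable or click-to-play Flash.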
The latest version of Google’s web browser includes fixes for a whopping 62 security issues. Chrome should update itself to version 40.0.2214.91 automatically.
Users are being encouraged to upgrade from Java 7 to Java 8. The download page now offers Java 8 instead of Java 7. Computers configured for Java auto-updates will be automatically upgraded from 7 to 8. And according to Oracle, Java 7 will see its final updates in April 2015.
Even up-to-date installations of Flash are currently vulnerable to a new zero-day exploit that is showing up in the wild. The exploit has already been added to at least one exploit kit, which means attacks using it are likely to increase rapidly. A successful exploit gives the attacker control of the affected computer.
Anyone using a web browser with Flash enabled should be extremely cautious when browsing web sites not known to be safe. The safest course of action is to disable Flash in your browser.
I personally use Firefox with Flash enabled, but I have the Flash add-on configured to always ‘Ask to activate’. That way any time I visit a web site that wants to display Flash content, I can avoid any danger by leaving Flash disabled for that site.
The latest version of Firefox fixes several security issues and other bugs. Firefox 35 also includes improvements to the new search interface and the built-in ‘Hello’ chat feature.
Anyone who uses Firefox should install the new version as soon as possible.
The latest version of Google’s web browser includes the latest version of Flash (16.0.0.257) as well as some other bug fixes. Anyone using an older version of Chrome should update to version 39.0.2171.99 as soon as possible.
As usual, Google Chrome will update its embedded Flash automatically, and updates for the embedded Flash in Internet Explorer on Windows 8.x will be available via Windows Update.
Anyone using a web browser with Flash enabled should install the new Flash as soon as possible.