Category Archives: Security

aka infosec

‘Impervious’ Adobe Reader X/XI is actually vulnerable

A working exploit for the latest versions of Adobe’s PDF Reader software (X and XI) is being made available to malicious hackers for $50,000 via underground forums.

Starting with Version X, Adobe’s Reader software has employed a ‘sandbox’ that supposedly insulates the operating system from attacks originating in Reader content. The exploit code reportedly gets around the sandbox.

Adobe is investigating, but no patches are available yet. Since this threat is active, anyone using Adobe Reader X or XI should exercise extreme caution when opening PDF documents or clicking links to PDF documents from unknown sources. Another option is to uninstall the Adobe software and use an alternative like Foxit Reader.

More details from KrebsOnSecurity.

Vulnerabilities in Sophos anti-malware products

Security researcher Tavis Ormandy has discovered several security vulnerabilities in Sophos security products. The holes were patched within a few weeks of the initial reports, but Ormandy maintains that Sophos’ response was too slow. The vulnerabilities, if unpatched, can allow attackers to gain full control of computers running affected Sophos software.

Regardless of whether you agree with Ormandy’s conclusions about Sophos, it’s clear that if you run Sophos security products, you should make sure they are fully patched.

Adobe Flash security updates

Yesterday, Adobe announced a new version of Flash that includes fixes for several security holes in earlier versions. Anyone who uses Flash to view web-based video, which includes anyone who uses YouTube, should install the latest version of Flash as soon as possible.

The latest version of Flash for Windows is 11.5.502.110. Adobe also made available updates for older versions of Flash that address the same security vulnerabilities, but we recommend updating to the latest version.

A new version of Google Chrome, also announced yesterday, includes these security fixes. A similar patch for Internet Explorer 10 in Windows 8 was made available by Microsoft.

These updates resolve buffer overflow, memory corruption, and security bypass vulnerabilities, each of which could lead to code execution.

ZeroAccess botnet growing rapidly

Growth of the ZeroAccess botnet is unfortunately showing no signs of slowing down. darkReading reports “2.2 million infected with fraudulent ad-click botnet’s malware”. The perpetrators make money by using infected computers to fraudulently ‘click’ on web-based ads.

Most current anti-malware software can detect and disable ZeroAccess-related malware. Make sure your anti-malware software is up to date, and run regular scans.

Java still vulnerable even with recent batch of security fixes

We were wondering whether the recent Java updates addressed the security holes reported by Adam Gowdiak of Security Explorations. Well, Mr. Gowdiak tested the most recent Java in various browsers, and the answer is no, they do not.

Gowdiak went even further, developing a simple fix for the vulnerability. Oracle is unimpressed, saying that a proper fix will involve a lot more testing than the 30 minutes Gowdiak spent on it. They are sticking to their original estimate, that an official fix will not be available until the February 2013 Critical Patch Update.

So Java, despite the recent patches, is still vulnerable to exploits using the hole reported by Gowdiak. We continue to recommend disabling Java in web browsers.

Java on the desktop: safe or not?

Java is increasingly the focus of both malware developers and security researchers. Many malware packages include Java code, and drive-by malware infections often use known Java vulnerabilities to trigger web browser-based infections. Java releases are filled with fixes for security vulnerabilities. Security researchers find new Java holes with alarming frequency.

Ars Technica recently asked their readers to talk about Java and how they use it. The resulting article outlines the results of this informal survey and makes some recommendations to users.

On typical Windows computers, Java is installed as a browser plugin, allowing Java code on web sites to be run seamlessly within the browser. This should not be confused with JavaScript, which is also used within web browsers but, despite its name, is a totally separate thing.

Many Windows computers also contain the Java Runtime Environment (JRE), which allows standalone Java applications to run without a web browser. Many system administration tools are developed in Java, since this allows the same code to run on many different operating systems. There are also plenty of Java games, including the hugely popular Minecraft. Although Minecraft can be run from within a web browser, the full version of the game runs in the JRE.

Java vulnerabilities exist both in Java browser plugins and in the JRE. However, Java code that runs in the JRE must be explicitly downloaded and installed by the user. For example, to play the full version of Minecraft, the user must go to the Minecraft web site, buy the game, download the installer, install the game on their computer, then run the game. On the other hand, Java code on a malicious or hacked web site can run automatically and invisibly the moment a user visits that web site – if their browser has a functioning Java plugin.

Clearly, Java web browser plugins present a much greater security risk than standalone Java. Our recommendations – echoed by the Ars Technica article – remain the same: you should seriously consider disabling Java plugins in your web browser, but it’s okay to leave the JRE installed on your computer.

Critical Patch Update fixes 30 Java security issues

Oracle has released updates for all of its Java packages. The updates include a variety of bug and security fixes across all the affected Java products.

You can download the Java Runtime Environment (JRE) or Java Developer Kit (JDK) appropriate for your computing environment from the Java downloads page.

Java browser plugins that are not updated as part of a JRE update will require separate updates, in some cases from the web browser developer (Chrome, Internet Explorer).

It is unclear whether these updates include fixes for the vulnerabilities reported in late September 2012. Update 2012-Oct-25: Apparently they do not, according to security researcher Adam Gowdiak.

Firefox 16.0 pulled due to vulnerability

Update 2012-Oct-12: Version 16.0.1 of Firefox has just been released. The new version fixes the vulnerability that caused version 16.0 to be pulled from the Firefox download site yesterday. All users are encouraged to upgrade to 16.0.1 as soon as possible.

Firefox 16.0 has been removed from the Mozilla web site due to a new vulnerability. Users who have already upgraded to the new version should either downgrade to version 15.0.1 or exercise extreme caution before visiting any unfamiliar or suspicious web site. The new vulnerability makes it possible for web sites to access information that is normally protected by the browser.

Update 2012-Oct-12: No exploits using this vulnerability have yet been seen in the wild, but a proof of concept has been published. The PoC demonstrates the vulnerability with a few lines of JavaScript code that could be embedded on a web site. Now that this PoC has been made public, it’s reasonable to assume that similar code will start appearing on hacked and malicious web sites in the very near future.
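Both the Flash post above (update to 11.5.502.110) and this Firefox post (16.0 vulnerable, 15.0.1 and 16.0.1 fine) come down to the same administrative question: which machines in my inventory are running a version inside the bad range? The following Python script is an added example, not code from any of these posts or from Adobe or Mozilla. It compares dotted version strings numerically rather than as text (plain string comparison gets “11.10” < “11.9” wrong), expresses each advisory as a vulnerable range, and flags rows it cannot parse instead of silently passing them. The vulnerable ranges are taken from the version numbers in the posts; the inventory lines are constructed sample data, and the CSV layout is an assumption.

```python
"""Patch-compliance check for dotted version strings (added example).

Rules are built from the version numbers given in the posts:
  - Flash   : anything below 11.5.502.110 is unpatched
  - Firefox : 16.0 is vulnerable; 15.0.1 and 16.0.1 are not
Inventory rows below are constructed sample data in an assumed
"host,product,version" layout.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '11.5.502.110' into (11, 5, 502, 110); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: Version, b: Version) -> int:
    """Component-wise numeric compare: -1, 0 or 1.

    Missing trailing components count as 0, so 16.0 == 16.0.0 and
    16.0 < 16.0.1, which a lexical string compare would not guarantee.
    """
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


# product -> list of (low_inclusive, high_exclusive); None means unbounded.
VULNERABLE: Dict[str, List[Tuple[Optional[str], Optional[str]]]] = {
    "flash": [(None, "11.5.502.110")],   # everything below the fixed build
    "firefox": [("16.0", "16.0.1")],      # exactly the pulled 16.0 release
}


def is_vulnerable(product: str, version: str) -> bool:
    """True if `version` of `product` falls inside a known-vulnerable range.

    Raises KeyError for a product with no rule and ValueError for a
    version string that cannot be parsed; callers decide how to report those.
    """
    v = parse_version(version)
    for low, high in VULNERABLE[product.lower()]:
        above_low = low is None or compare_versions(v, parse_version(low)) >= 0
        below_high = high is None or compare_versions(v, parse_version(high)) < 0
        if above_low and below_high:
            return True
    return False


# Constructed sample inventory (not real hosts).
INVENTORY = """\
host1,flash,11.4.402.287
host2,flash,11.5.502.110
host3,firefox,16.0
host4,firefox,15.0.1
host5,firefox,16.0.1
host6,flash,11.5.502.10x
"""


def check_inventory(csv_text: str) -> List[Tuple[str, str, str, str]]:
    """Classify every inventory row as VULNERABLE, ok, or UNKNOWN.

    UNKNOWN is deliberate: an unparsable version or a product without a
    rule must be surfaced for a human rather than counted as compliant.
    """
    results = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, product, version = [field.strip() for field in line.split(",")]
        try:
            status = "VULNERABLE" if is_vulnerable(product, version) else "ok"
        except (ValueError, KeyError):
            status = "UNKNOWN"
        results.append((host, product, version, status))
    return results


if __name__ == "__main__":
    for host, product, version, status in check_inventory(INVENTORY):
        print(f"{host:<8}{product:<10}{version:<16}{status}")
```

Running it lists host1 (old Flash) and host3 (Firefox 16.0) as VULNERABLE, host6 as UNKNOWN because its version field is malformed, and the rest as ok. Treating the unparsable row as a finding rather than a pass is the part worth keeping when adapting this to a real inventory export.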