Tag Archive | Adobe Flash Player

April Security Updates: Critically Patching Windows, Flash Player, and Shockwave Player

vulnerability

As usual for Patch Tuesday, many security updates were issued. I’m here to provide all the details for these critical updates. Not only did Windows get patched, but Adobe Flash and Shockwave Players did too.

Microsoft released a span of nine patch bundles, plugging security holes in Windows and other products. Separately, Adobe did its usual thing, and took part in Patch Tuesday as well for updates to Adobe Flash and Shockwave Players.

A cumulative update was made to Internet Explorer, which fixed two critical vulnerabilities present in almost all versions of Internet Explorer (in history). It should be noted that this includes IE 9 and 10.

There were many other updates for Windows worth noting.

Either you will receive Automatic Updates, if you’ve set Windows up to do so. Otherwise, go to Start, search Windows Update. Or for Windows 8, search for Windows Update on the Start screen.

 

Other than that, Adobe brings an update to Adobe Flash Player for Windows and Mac to v. 11.7.700.169. Linux should be updated to 11.2.202.280. Android 4.x+: 11.1.115.54 and 2.x-3.x: 11.1.111.50.

Keep in mind that Google Chrome and Internet Explorer 10 (Windows 8) automatically update Flash Player on their own.

Shockwave Player should be updated as well to v. 12.0.0.122! For these updates, go to www.Adobe.com

You should be able to update to Adobe AIR, which will help secure your computer even further from vulnerability. If you have Adobe AIR installed, which is required for quite a few programs that are built on its architecture (such as Tweetdeck, Pandora Internet Radio, games, etc.). AIR should automatically prompt to update.

Urgent Security Fixes Issued for Windows, Adobe Flash Player & AIR

myupdates

Windows

The usual round of updates are in. As today is Patch Tuesday, Windows and Adobe Flash and Air were issued security updates. Microsoft had seven update bundles containing 20 total vulnerabilities in Windows and other Windows software. Adobe released updates for Flash and Air.

Microsoft had four critical patches, and three other updates. A total of seven today.

The critical patches address bugs in Windows, Internet Explorer, Microsoft Silverlight, Microsoft Office and Microsoft SharePoint. Updates are available for Windows XP, Vista, Windows 7, Windows 8, Windows Server 2003, 2008 and 2012.

Either you will receive Automatic Updates, if you’ve set Windows up to do so. Otherwise, go to Start, search Windows Update. Or for Windows 8, search for Windows Update on the Start screen.

Adobe Flash Player/AIR

Adobe has sent updates for Flash Player, now at 11.6.602.180. This is the version for Windows and Mac OS X based systems. Four security flaws were identified, which prompted this fix. No current attacks/exploits have been identified.

Keep in mind that Google Chrome and Internet Explorer 10 (Windows 8) automatically update Flash Player on their own. The update may not be issued for Chrome just yet, but should be soon, we hope.

If you have Adobe AIR installed, which is required for quite a few programs that are built on its architecture (such as Tweetdeck, Pandora Internet Radio, games, etc.). AIR should automatically prompt to update.

Here is the update table for Adobe Flash Player and AIR:

flash-air

 

Pwn2Own (2013) Contest a Blast – FULL Results

pwn2own

CanSecWest is a conference, and 2013’s conference once again involved the Pwn2Own contest for hackers, an elite (1337) competition. The concept remained simple and will always that if you pwn a fully-patched browser running on a fully-patched laptop, you get to keep the laptop.

However, different rules applied this year. It involved successfully demonstrating the exploit, providing the sponsor (HP) the fully functioning exploit, and all details involved with the vulnerability used in the attack. If there were many vulnerabilities, multiple reports are needed, etc.

The work couldn’t be sold to anyone else, and proof of concept would belong to HP once sold. Basically, HP buys the winning exploits for own use. Their idea of reward money was the following:

  • Google Chrome on Windows 7 = $100,000
  • IE10 on Windows 8 = $100,000 or IE9 on Windows 7 = $75,000.
  • Mozilla Firefox on Windows 7 = $60,000
  • Apple Safari on Mac OS X Mountain Lion = $65,000
  • Adobe Reader XI and Flash Player = $70,000
  • Oracle Java = $20,000

It was assuredly a blast at the competition, no doubt about it.

DAY ONE: Java, Chrome, IE10, and Firefox PWNED!!!

(Where’s Safari, right? It survived!)

The idea behind each attack is the ability to browse to an untrusted website where you’re able to inject and run arbitrary code outside of the browsing environment.

Of course, one of the rules is: “A successful attack … must require little or no user interaction and must demonstrate code execution… If a sandbox is present, a full sandbox escape is required to win.”

ie-ff-chrIn addition to Chrome, Firefox, and IE10 being pwned, Java was pwned three times on the first day. Once by James Forshaw, Joshua Drake, and VUPEN Security. VUPEN Security also led a lot of the pack of issues by successfully exploiting IE10 and Firefox as well.

The only other exploit was by Nils & Jon, where both successfully exploited Chrome.

The day after the first day of Pwn2Own, Mozilla and Google patched the exploits that were pushed out. Amazingly fast, Firefox went on to version 19.0.2 (which you should’ve been updated automatically), and Chrome went on to version 25.0.1364.160 (effectively patching 10 vulnerabilities).

“We received the technical details on Wednesday evening and within less than 24 hours diagnosed the issue, built a patch, validated the fix and the resulting builds, and deployed the patch to users,” said Michael Coates, Mozilla’s director of security assurance, in a Thursday blog.

Microsoft has decided to wait until next week’s Patch Tuesday run of updates to push out the fix for the Internet Explorer exploit on IE10.

DAY TWO: Adobe Reader and Flash Player PWNED!!! Java PWNED AGAIN!!!

The last day of Pwn2Own 2013 went with a BANG!fl-ar-ja

Flash Player…exploited by VUPEN Security (any surprise?). Adobe Reader PWNED by George Hotz. Java once again was exploited, this time proxied by Ben Murphy.

Who’re the overall prize winners?

  • James Forshaw, Ben Murphy, and Joshua Drake for Java – each $20,000
  • VUPEN Security for IE10 + Firefox + Java + Flash – $250,000
  • Nils & Jon for Google Chrome – $100,000
  • George Hotz for Adobe Reader – $70,000

Of course, George Hotz is best known for jailbreaking the iPhone and PlayStation 3. He’s still in progress with a lawsuit with Sony over the issue for PS3.

It’s amazing to see that Java was PWNED 4 times in just two days, but is it any surprise based on the number of vulnerabilities Oracle has dealt with for Java?

Now in its eighth year, Pwn2Own contest had $480,000 in payouts, a record year. Amazing!

Got any vibe on this issue? Post comment below! 🙂

Adobe Flash Player Critically Affected Again! Two Bugs Resolved!

vulnerability

Adobe has published another update now, fixing three vulnerabilities. Two of these three vulnerabilities are currently being exploited in the wild.

Adobe has introduced the Flash Player sandbox a year ago protecting Firefox users from vulnerabilities in Flash Player. This sandbox is being actively targeted for attacks.

“Adobe is aware of reports that CVE-2013-0643 and CVE 2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content,” the company wrote in a security bulletin.

Adobe classifies the update at priority rating of 1 for Windows and Mac (which means super-critical: PATCH NOW!), and 3 for Linux (not as critical for Linux).

Google automatically patches for Chrome Browser. Microsoft automatically patches for Internet Explorer 10 for Windows 8 (note for Internet Explorer 10 for Windows 7, you have to patch).

The following issues are resolved:

  • Permissions issue with the Flash Player Firefox sandbox (CVE-2013-0643)
  • ExternalInterface ActionScript feature (CVE-2013-0648)
  • Buffer overflow in Flash Player broker service (CVE-2013-0504).

Update link for Windows and Mac

Update link for all other versions

To see version information about Flash Player or what browser/OS you’re running, check out the following.

Remember, when updating, UNCHECK McAfee | Security Scan Plus, unless you really want to scan your computer. It is pre-checked, so you have to uncheck it.

 

Two Zero-Day Bugs Found in Adobe Flash Player; Fixed with Update

vulnerability

Recently, two zero-day vulnerabilities were found in Adobe Flash Player, in which Adobe – today, issued an emergency update to solve. Adobe said in its advisory over the issue that one of the vulnerabilities, CVE-2013-0634, is being exploited in the wild.

The currently exploited vulnerability is being delivered as an attack via malicious Flash content, which is hosted on sites that target Flash Player in Firefox or Safari on the Mac OS platform. There are also attacks found for Windows users that trick users into opening a Microsoft Word document delivered as an email attachment. No surprise?

The second flaw, CVE-2013-0633, is being exploited in the wild in targeted attacks, doing the same with malicious Microsoft Word documents being implanted in email attachments.

Updates are available for the following platforms:

  • Windows, 11.5.502.149, download
  • Macintosh, 11.5.502.149, download
  • Linux, 11.2.202.262, download
  • Android 4.x, 11.1.115.37, download
  • Android 2.x-3.x, 11.1.111.32, download
  • Google Chrome, 11.5.31.139, automatic update
  • Internet Explorer 10, Windows 8, 11.3.379.14, automatic update

To see version information about Flash Player or what browser/OS you’re running, check out the following.

Remember, when updating, UNCHECK McAfee | Security Scan Plus, unless you really want to scan your computer. It is pre-checked, so you have to uncheck it.

 

Get protection from vulnerabilities now:

Adobe Issues Critical Security Updates for Flash and AIR

vulnerability

Election Day brings Adobe’s critical updates for Flash and AIR, so update today to fix seven (7) vulnerabilities.

Updates are currently available as follows:

FLASH

  • Windows & Mac – 11.5.502.110
  • Linux – 11.2.202.251
  • Android 4.* – 11.1.115.27
  • Android 3.* & 2.* – 11.1.111.24
  • Google Chrome automatically updates the Flash version built in.

AIR

  • Windows, Mac, SDK for iOS and Android – 3.5.0.600

 

Be sure to download the Flash updates for both Internet Explorer, and then for Firefox/Safari/Opera/Other browsers.

See advisory

 

Also, note Windows Update will help install the updates in Windows 8/IE 10, reference here

October is National Cyber Security Awareness Month

NCSAM official image (Department of Homeland Security)

Cyber security awareness is so important, and we’re going to display a few things you should be aware of this month, for you to try to make capable changes to your personal or business security perspective. You will notice some of the information below is linked to different posts here on the blog. This should help you understand each topic better! Please don’t be afraid to use each of the links below to learn more about protecting your system(s).

  • Email is one of the biggest attack methods. Since users are still highly dependent on email, it is so critical that email systems get fixed. Spam can be so cunning that it may disguise itself as your friend, someone you trust, or a bank. The main target in these spam attacks is phishing, which will allow an attacker to trick you into doing something or giving away personally identifiable information.The goal is to also download malware on to your computer, which can be used to take control of your computer and steal much more personal information. Some emails may claim to be a legitimate organization sending you an attachment, but it’s purpose is to distributed malware on your computer. It is best to secure email systems against spam. This can be done using a variety of products whether hardware or software. Make sure to secure your system(s) with the latest spam fighting utilities. Also, securing Outlook or Windows Live Mail is beneficial.
  • Instant Messaging still seems to be a vector for malware attacks. Just when people drop their guard about IM security, a new band of threats affects users. Most IM attacks come in the form of spam, a message from an apparent trusted friend, or a phishing attempt/scam from a legitimate looking company. A lot of the time, when the message appears from a trusted friend, it usually means that person’s IM account or email account has been hacked and the attacker has mined the email addresses or IM addresses in order to send you these attacks. It is important to have a good Internet Security product that protects against IM attacks along with network defense.
  • Exploits are the most common cause of infections on computers these days. Many of the exploits have been caused by out-of-date Java plugins or Adobe Flash Player plugins (or even fake Flash Player), among other types of plugins for your browser. Other exploits come in the form of advertisements that are catered to your interests, by the use of tracking cookies, which when you click on the ads it can lead to a site that will immediately download malware and attempt to take control of your computer.Those are just a couple of examples of why you need Internet Security protection as declared just above in the explanation for IM security. Also, having a second-opinion malware scanner can make sure that things don’t get missed, giving you maximum protection. Working on a defense-in-depth strategy for your computer can be a great way to avoid exploits.
  • Downloading and installing untrusted software products is a good way to get infected with viruses, spyware, and other threats and malware. Using tools such as Web-of-Trust for your browsers is a key idea in managing whether a site is safe. Also, reading reviews for the product you are getting ready to download and purchase will help you make an informed decision. It is important to have Total Internet Security protection, as stated above in IM security. Please refer to the “Internet Security product” link for more information on securing your system(s) with protection mechanisms.

There are many more vectors of cyber security problems. It is important to use the methods described above as well to secure your system(s) from attacks from cybercriminals.

Summary of mitigating most attacks:

LifeLock

%d bloggers like this: