Tuesday, July 14, 2015

Adobe Flash Security Concerns Peak:
Drama Online

--

[Update 2015-07-16: I added a Wired article link and two fun images with links to "Flash Sucks" items currently available from Zazzle. (^_^) ]

Due to the recent stream of zero-day exploits of Adobe Flash, the concerns within the security community have reached a peak. This is a listing of some of the commentary going on around the net. You know my opinion. Here are some others:















--

FOUR CRITICAL Adobe Updates:
Flash 18.0.0.209
Shockwave Player 12.1.9.159
Acrobat & Reader 2015.008.20082

--

[Update 2015-07-15: I added download page links for Adobe Acrobat and the non-cloud version of Adobe Reader. Thanks to my collaborator Al for assistance!]

Adobe has released FOUR CRITICAL updates today. Below I list each of the updates, link to their Security Bulletins and link to where you can download them. I've also added a list of CVEs patched in each update. A total of 50 CVEs have been patched in these updates. I believe that's a record for Adobe.

Adobe Flash Player 18.0.0.209

Adobe Security Bulletin

Download Page

CVEs Patched
CVE-2015-5122: "A use-after-free vulnerability that could lead to code execution."
CVE-2015-5123: "A memory corruption vulnerability that could lead to code execution."

Adobe Shockwave Player 12.1.9.159

Adobe Security Bulletin

Download Page

CVEs Patched
CVE-2015-5120 - "Memory corruption vulnerabilities that could lead to code execution"
CVE-2015-5121 - "Memory corruption vulnerabilities that could lead to code execution"

*Neither CVE is yet listed at Mitre.org

Adobe Acrobat & Reader:
DC v2015.008.20082 and v11.0.12

Adobe Security Bulletin

Adobe Reader DC Download Page

Adobe Reader (non-cloud) v11.0.12 Download Page

Adobe Acrobat Pro and DC Pro Download Page

CVEs Patched
CVE-2014-0566 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2014-8450 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-3095 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-4435 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4438 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4441 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4443 - “Null-pointer dereference issues that could lead to a denial-of-service condition.”
CVE-2015-4444 - “Null-pointer dereference issues that could lead to a denial-of-service condition.”
CVE-2015-4445 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4446 - “Validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level.”
CVE-2015-4447 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4448 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-4449 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-4450 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-4451 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4452 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-5085 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-5086 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-5087 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5088 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-5089 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-5090 - “Validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level.”
CVE-2015-5091 - “Validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level.”
CVE-2015-5092 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-5093 - "A buffer overflow vulnerability that could lead to code execution."
CVE-2015-5094 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5095 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5096 - "Heap buffer overflow vulnerabilities that could lead to code execution."
CVE-2015-5097 - “Integer overflow vulnerabilities that could lead to code execution.”
CVE-2015-5098 - "A buffer overflow vulnerability that could lead to code execution."
CVE-2015-5099 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5100 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5101 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5102 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5103 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5104 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5105 - "A buffer overflow vulnerability that could lead to code execution."
CVE-2015-5106 - “Validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level.”
CVE-2015-5107 - "An information leak vulnerability."
CVE-2015-5108 - “Integer overflow vulnerabilities that could lead to code execution.”
CVE-2015-5109 - “Integer overflow vulnerabilities that could lead to code execution.”
CVE-2015-5110 - "A stack overflow vulnerability that could lead to code execution."
CVE-2015-5111 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5113 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5114 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5115 - "Memory corruption vulnerabilities that could lead to code execution."

* CVEs not linked above have not yet been listed at Mitre.org.

--

Sunday, July 12, 2015

Adobe Flash:
TWO MORE new Zero-Day Exploits!
Just Kill Flash NOW

--

A further two zero-day exploits of Adobe Flash are in-the-wild. This makes the most recent Flash update DANGEROUS to use. So don't.

Security Advisory for Adobe Flash Player
Summary
Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

WHAT TO DO

1) Go to /Library/Internet Plug-Ins/ and throw away:
- Flash Player.plugin
- flashplayer.xpt

2) Restart your web browsers.

Do It NOW.

Don't use Flash until Adobe has patched the thing, yet again, again.

We theoretically will see a patched version of Flash on Tuesday, July 14th.

Or, we could all just leave Flash in the Trash and never bother with the piece of crapcode again.

And yes folks. This easily means that, at the moment, Adobe Flash is the single most dangerous software we can run over the Internet on our Macs. Move aside Oracle Java.

--

Wednesday, July 8, 2015

Then This Happened:
Adobe Warns Of July 14
Security Update of Acrobat/Reader

--

Apparently, fallout from the hacking of a professional hacking company continues to plague Adobe. They put out a warning today that they're going to provide a security update of Adobe Acrobat and Reader on Tuesday, July 14th. That's their regular 'in-band' monthly release date, the second Tuesday of each month.

That's all Adobe announced. No CVE was listed. No warning of anything in-the-wild. *Suspense*

https://helpx.adobe.com/security/products/acrobat/apsb15-15.html

So, we get to wait for that delightful bundle of security joy to arrive.

:-Q

--

Lousy Adobe Flash Updated To v18.0.0.203
Lousy Adobe AIR Updated To v18.0.0.180
CRITICAL Security Patches

--
The updates, patching ACTIVE in-the-wild EXPLOIT CVE-2015-5119, are out and available.

Adobe just bothered to catch up and release the accompanying security bulletin:

https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

If you're still using Adobe Flash and AIR, you can go for the updates:

https://get.adobe.com/flashplayer/

https://get.adobe.com/air/

Because Adobe is so incredibly obtuse these days, when you visit the Get AIR page, all you're going to see listed is "Version 18". IOW, tough luck if you want to know the actual version number. We little peon customers are too stupid to care about such vital things, right? But I've verified that what they're currently offering really is AIR v18.0.0.180, which is what we want. Proof:


Meanwhile, Adobe already has the beta of Flash version 18.0.0.205 in preparation for their 'in-band' release of Flash on the second-Tuesday-of-the-month, July 14th. Keep an eye out for that one, if you care. (-_-) zzz

WHAT ELSE GOT PATCHED?

Hold on to your proverbial hats. This is an incredible list of security flaws patched in Flash and AIR:
Vulnerability Details

These updates improve memory address randomization of the Flash heap for the Windows 7 64-bit platform (CVE-2015-3097).

These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431).

These updates resolve null pointer dereference issues (CVE-2015-3126, CVE-2015-4429).

These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2015-3114).

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119).

These updates resolve vulnerabilities that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116).

I marked our pal, in-the-wild exploit CVE-2015-5119, in red. That's 36 security flaws patched in Flash and AIR. Yes, Flash (and therefore AIR) really is crap code. And no doubt, it has many more security flaws waiting to be exploited. I read an article last week claiming that Adobe Flash is now the #1 most dangerous software you can run on the Internet, surpassing the awful Oracle Java plug-in. Astounding. It takes some seriously bad coding to surpass Java's horrendous security problems.

If you don't need Flash/AIR or Java running over the Internet, then get rid of their Internet Plug-ins. Please.

:-Derek


--

Adobe Flash:
New UNPATCHED Zero-Day Exploit
Kill Flash Plug-in NOW

--

Thanks to the hacking of a professional hacking company, it has been revealed that there is an ACTIVE zero-day exploit of Adobe Flash in-the-wild. It is being exploited right now. Therefore, it is critical to Stop Using Flash until the exploit is patched.

Critical Adobe Flash, Windows zero-days leak from Hacking Team raid
Security teams scramble to patch serious flaws

From what we've seen so far, inside the leaked source code lies an Adobe Flash exploit for which no patch exists: it can be used against Internet Explorer, Firefox, Chrome and Safari, and affects Flash Player 9 to the latest version, 18.0.0.194.
. . .
Adobe told us in a statement today that it is working on a patch, which it hopes to release by the end of the week. The vulnerability is present in its plugin software for Windows, OS X and Linux.

Security Advisory for Adobe Flash Player (APSA15-03)
A critical vulnerability (CVE-2015-5119) has been identified in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that an exploit targeting this vulnerability has been published publicly. Adobe expects to make updates available on July 8, 2015.

Note: As of this posting, CVE-2015-5119 remains unlisted at CVE.Mitre.org. Therefore, I cannot provide a link to its description.

Meanwhile,
SOLUTIONS:

Remove the Adobe Flash plug-in from your Mac NOW.

For those with an administrator password, this is how:

1) Open the root level Internet Plug-Ins folder, found here:

/Library/Internet Plug-Ins/

2) Locate these two files:
  • Flash Player.plugin
  • flashplayer.xpt
3) Select them both and choose to "Move to Trash", either from the Finder File menu or the contextual menu. (Alternatively, you can move them both to a created holding folder, such as 'Internet Plug-Ins (Disabled)'.)

4) Quit all your web browsers.

5) Reboot your web browsers. 

- - EXCEPT Chrome! Do Not Use Google Chrome! Why? Because Google embedded Adobe Flash into Chrome. It's stuck there, and you can't get rid of it. 

But, if you're desperate to use Chrome, there are two workarounds:
A) Use Chromium (of any flavor) instead. It does NOT include Flash. Everything else about it (except the default surveillance of your web behavior) is the same as Chrome. 
OR 
B) Follow Google's instructions for turning OFF Flash in Chrome:
  1. Type chrome:plugins in the address bar to open the Plug-ins page.
  2. On the Plug-ins page that appears, find the "Flash" listing. To enable Adobe Flash Player, click the Enable link under its name. To disable Adobe Flash Player completely, click the Disable link under its name.

After you've freed yourself from Adobe Flash, either stay that way (highly recommended) or keep an eye out for a new Adobe Flash update. Watch for a version of Flash higher than 18.0.0.194. That's the current bad version. Do not reinstall that thing again.
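
The removal steps and the "higher than 18.0.0.194" check above can be scripted. This is an added example, not part of the original post and not Adobe's or Apple's tooling. The holding-folder path, the function names, and the assumption that the plug-in's Info.plist carries CFBundleShortVersionString are this example's own.

```shell
#!/bin/sh
# Added example: gate Flash on its version and park the plug-in files.
# PLUGIN_DIR is the folder named in the post; HOLD_DIR and every function
# name here are this example's own choices.
PLUGIN_DIR="${PLUGIN_DIR:-/Library/Internet Plug-Ins}"
HOLD_DIR="${HOLD_DIR:-/Library/Internet Plug-Ins (Disabled)}"

# version_gt A B: true when dotted version A is strictly higher than B.
# Fields compare numerically, so 18.0.0.209 > 18.0.0.94. Returns 2 on junk.
version_gt() {
    case "$1$2" in *[!0-9.]*) return 2 ;; esac
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1  # equal versions are not "higher"
}

# installed_flash_version: print the plug-in's version, nothing if absent.
# Assumption: the bundle's Info.plist carries CFBundleShortVersionString.
installed_flash_version() {
    info="$PLUGIN_DIR/Flash Player.plugin/Contents/Info"
    [ -e "$info.plist" ] || return 0
    defaults read "$info" CFBundleShortVersionString 2>/dev/null
}

# disable_flash_plugin: move the two files from the post into HOLD_DIR
# (needs admin rights on a real Mac). Prints how many items were moved.
disable_flash_plugin() {
    moved=0
    mkdir -p "$HOLD_DIR" || return 1
    for item in "Flash Player.plugin" "flashplayer.xpt"; do
        [ -e "$PLUGIN_DIR/$item" ] || continue
        rm -rf "${HOLD_DIR:?}/$item"   # avoid nesting inside an old copy
        mv "$PLUGIN_DIR/$item" "$HOLD_DIR/$item" || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}

# audit_flash VERSION BAD: BAD is the newest known-exploitable release.
# Prints absent, ok, or disabled (after parking the plug-in).
audit_flash() {
    [ -n "$1" ] || { echo absent; return 0; }
    if version_gt "$1" "$2"; then echo ok; return 0; fi
    disable_flash_plugin >/dev/null && echo disabled
}

# On a Mac, as an administrator:
#   audit_flash "$(installed_flash_version)" 18.0.0.194
```

A version string that does not parse is treated like a bad version, so the plug-in is parked rather than left in place.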

I'll also be posting another article here when Adobe fixes this latest zero-day exploit.

:-Derek

--

Tuesday, June 23, 2015

Adobe Flash Zero-Day Attack!
Update To v18.0.0.194 NOW

--

Adobe Flash has yet-another active zero-day exploit out-in-the-wild. Adobe has therefore pushed out an 'out-of-band' update of Flash to the world today. Get it and install it NOW.

It is version 18.0.0.194.

Apparently, Adobe has not yet finished an update to AIR, which always requires updating whenever Flash is updated. AIR incorporates Flash. Therefore, watch for an AIR update in the very near future.

WHAT'S GOING ON THIS TIME:

From Adobe's Security Bulletin for this update: 
Adobe is aware of reports that CVE-2015-3113 is being actively exploited in the wild via limited, targeted attacks. Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets. 
. . . 
These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2015-3113).

At this point in time, the CVE's description, beyond what Adobe provides above, is blank. This happens while a developer is still working on a fix for the flaw behind a CVE (Common Vulnerabilities and Exposures) entry and doesn't want to hand hackers any further clues to its exploitation.

Adobe's details don't note an exploit for OS X. But Adobe typically provides an OS X Flash update because the same exploit is possible on OS X as well.


Me Grumbling

This is what it's like on the bleeding edge of these situations:

This morning I learned that Adobe had finished and released Flash v18.0.0.194. But I couldn't get it via the usual method of going to Adobe's website and clicking the 'Flash Player' link in the bottom right of the page. Adobe kept telling me I was already up-to-date. But I wasn't.

So I went to the System Preferences pane for Flash Player, clicked the 'Updates' tab, then clicked the 'Check Now' button. It too told me I was up-to-date. But I wasn't.

I downloaded what was linked on the Adobe Flash update page anyway. What I got was a barely functional installer that just sat there and did nothing. My guess is that I was running the installer at the time Adobe was pulling down the old update and putting up the new update. Therefore, there was nothing for the installer to download and install.

So I waited around then went back to the Flash update page.  Finally, the Adobe website noted that version 18.0.0.194 was available. But as usual, Adobe said nothing about why the update was available on their update page. I hate that.

Therefore, I went over to Adobe's Security Bulletins page:
https://helpx.adobe.com/security.html

But there was no new security bulletin for Flash v18.0.0.194. All they had was the older bulletin from their second-Tuesday-of-the-month update, which was not related. So I waited a few hours and went back again. There, at last, was the relevant security bulletin. It took them long enough! 

Summary: Adobe announced the release of v18.0.0.194 before anyone could download it. When it was available to download, there was no security bulletin to tell you what the update was for. I hate that.

Apple has, in the past, done the same sort of blundering. It's a lack of coordination within a company. If this messing about was regarding some minor feature update, who cares? But when the update is all about blocking an exploit in the wild, we users deserve everything to 'just work' in a hurry. Waiting around for a company to get their security release and explanation together is not professional, at least not IMHO. So Adobe, please get your act together for the benefit of your victims, oops I mean users.

BTW: The usual warning

Adobe Flash is the second most dangerous software you can run on your Mac over the Internet. It's second only to Oracle's ruined version of Java for the Internet. If you don't need to run either of these Internet plugins, uninstall them and trash them.


--