Thursday, December 11, 2014

Adobe Critical Security Updates For:
Acrobat, Reader and Flash
plus ColdFusion

--
Another second-Tuesday-of-the-month, another bunch of Adobe critical security updates.



I) Adobe Acrobat and Adobe Reader


Security Updates available for Adobe Reader and Acrobat

Details

Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh. These updates address vulnerabilities that could potentially allow an attacker to take over the affected system.  Adobe recommends users update their product installations to the latest versions:

Users of Adobe Reader XI (11.0.09) and earlier versions should update to version 11.0.10.
Users of Adobe Reader X (10.1.12) and earlier versions should update to version 10.1.13.
Users of Adobe Acrobat XI (11.0.09) and earlier versions should update to version 11.0.10.
Users of Adobe Acrobat X (10.1.12) and earlier versions should update to version 10.1.13.
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2014-8454, CVE-2014-8455, CVE-2014-9165).

These updates resolve heap-based buffer overflow vulnerabilities that could lead to code execution (CVE-2014-8457, CVE-2014-8460, CVE-2014-9159).

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2014-8449).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, CVE-2014-9158).

These updates resolve a time-of-check time-of-use (TOCTOU) race condition that could be exploited to allow arbitrary write access to the file system (CVE-2014-9150).

These updates resolve an improper implementation of a JavaScript API that could lead to information disclosure (CVE-2014-8448, CVE-2014-8451).

These updates resolve a vulnerability in the handling of XML external entities that could lead to information disclosure (CVE-2014-8452).

These updates resolve vulnerabilities that could be exploited to circumvent the same-origin policy (CVE-2014-8453).  
Update Adobe Acrobat HERE:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

Update Reader HERE:

https://get.adobe.com/reader/



II) Adobe Flash Player


Security updates available for Adobe Flash Player

Details

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux.  These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:

Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 16.0.0.235.
Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.259.
Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.425.
Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to the current version.

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2014-0587, CVE-2014-9164).

These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2014-8443).

These updates resolve a stack-based buffer overflow vulnerability that could lead to code execution (CVE-2014-9163).

These updates resolve an information disclosure vulnerability (CVE-2014-9162).

These updates resolve a vulnerability that could be exploited to circumvent the same-origin policy (CVE-2014-0580). 
Download Flash Player HERE:
https://get.adobe.com/flashplayer/



III) ColdFusion


Security Update: Hotfixes available for ColdFusion

Details

Adobe has released security hotfixes for ColdFusion versions 11 and 10.  These hotfixes address a resource consumption issue that could potentially result in a denial of service (CVE-2014-9166).
Update instructions and further details are HERE:

ColdFusion 10 Update 15


ColdFusion 11 Update 3



--

Saturday, December 6, 2014

The Safari Security Update That Wasn't:
Whatever Happened to 8.0.1, 7.1.1 and 6.2.1???

~~
[UPDATE 2014-12-11: Apple has now released Safari 8.0.2, 7.1.2 and 6.2.2. I'll be writing them up as soon as their security document is posted online. In the meantime, I'm going to guess that the ~mysterious~ security document for 8.0.1, 7.1.1 and 6.2.1 applies.]
~~

It's a 
~mystery~


Dateline: December 3rd, 2014 at 5:01 pm EST. 


I received a notice by email that Apple had released security updates of Safari, versions 8.0.1, 7.1.1 and 6.2.1. Because I was using OS X 10.10.1 Yosemite at the time, I managed to get Safari 8.0.1 installed and running just before it suddenly...


~vanished~


...off the Internet. Gone too were 7.1.1 and 6.2.1. The trio have never been seen again!


And yet on December 4th, 2014, the security announcement I had received by email ~mysteriously~ appeared on the Internet and has remained there ever since as an ominous spectre reminding the reader of what was, but is not, but may someday be.

Brave readers can glimpse this ~mysterious~ document themselves, before it too...

~vanishes~


Don't bother searching the net for the three updates. They aren't there. They aren't anywhere! ...Except on one of my Yosemite volumes. I played with 8.0.1 for about an hour and sensed nothing wrong. I had no idea that I was playing with something DEAD. Never once did I intuit that I was surfing the net with something that didn't exist, not in life as we know it. Now I'm unsure if I should run 8.0.1 again. I'm scared!


If the authorities rediscover these updates in the corporeal world, I'll be examining them closely in order to determine if their security patches are the same as those that ~vanished~ or if they are instead 
doppelgängers!




~~

[BTW: I have to comment, isn't it soooo Apple to have a security update released, then wait days for its security document to be released on the net.... While here we have a security update release that Apple pulled, and yet its security document remains on the net?! Why can't Apple coordinate its security updates AND its security documents? Is that so hard? Is it Apple???]

~~

Tuesday, November 25, 2014

Yet Another November Critical
Adobe Flash Patch

--

Today, Adobe updated Flash Player to version 15.0.0.239. It is a critical second patch for CVE-2014-8439, a flaw in the handling of a dereferenced memory pointer that could lead to code execution. Adobe's Security Bulletin is available here:

http://helpx.adobe.com/security/products/flash-player/apsb14-26.html

These updates provide additional hardening against a vulnerability in the handling of a dereferenced memory pointer that could lead to code execution (CVE-2014-8439).  A mitigation was previously introduced for this issue in the October 14, 2014 release. 
The update is available here:

http://get.adobe.com/flashplayer/


--


Monday, November 17, 2014

Security Patches: OS X 10.10.1, iOS 8.1.1
& Apple TV 7.0.2

--
Intro: I get all conflicted about what to do when ordinary old security updates are released. I don't want to write a diatribe. But I should highlight their release. So I decided to just announce them as they show up, without munificent exposition or graphical profundity (unless I feel like it).

Today Apple released software updates with the following security patches:


OS X 10.10.1 Yosemite: 

APPLE-SA-2014-11-17-2 OS X Yosemite 10.10.1

OS X 10.10.1 is now available and addresses the following:

CFNetwork
Available for:  OS X Yosemite v10.10
Impact:  Website cache may not be fully cleared after leaving private browsing
Description:  A privacy issue existed where browsing data could remain in the cache after leaving private browsing. This issue was addressed through a change in caching behavior. 
CVE-ID
CVE-2014-4460

Spotlight
Available for:  OS X Yosemite v10.10
Impact:  Unnecessary information is included as part of the initial connection between Spotlight or Safari and the Spotlight Suggestions servers
Description:  The initial connection made by Spotlight or Safari to the Spotlight Suggestions servers included a user's approximate location before a user entered a query. This issue was addressed by removing this information from the initial connection and only sending the user's approximate location as part of queries. 
CVE-ID
CVE-2014-4453 : Ashkan Soltani

System Profiler About This Mac
Available for:  OS X Yosemite v10.10
Impact:  Unnecessary information is included as part of a connection to Apple to determine the system model
Description:  The request made by About This Mac to determine the model of the system and direct users to the correct help resources included unnecessary cookies. This issue was addressed by removing cookies from the connection.
CVE-ID
CVE-2014-4458 : Landon Fuller of Plausible Labs

WebKit
Available for:  OS X Yosemite v10.10
Impact:  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description:  A use after free issue existed in the handling of page objects. This issue was addressed through improved memory management.
CVE-ID
CVE-2014-4459

iOS 8.1.1: 

APPLE-SA-2014-11-17-1 iOS 8.1.1
iOS 8.1.1 is now available and addresses the following:

CFNetwork
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Website cache may not be fully cleared after leaving private browsing
Description:  A privacy issue existed where browsing data could remain in the cache after leaving private browsing. This issue was addressed through a change in caching behavior. 
CVE-ID
CVE-2014-4460

dyld
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to execute unsigned code
Description:  A state management issue existed in the handling of Mach-O executable files with overlapping segments. This issue was addressed through improved validation of segment sizes.
CVE-ID
CVE-2014-4455 : @PanguTeam

Kernel
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in the handling of certain metadata fields of IOSharedDataQueue objects. This issue was addressed through relocation of the metadata. 
CVE-ID
CVE-2014-4461 : @PanguTeam

Lock Screen
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  An attacker in possession of a device may exceed the maximum number of failed passcode attempts
Description:  In some circumstances, the failed passcode attempt limit was not enforced. This issue was addressed through additional enforcement of this limit.
CVE-ID
CVE-2014-4451 : Stuart Ryan of University of Technology, Sydney

Lock Screen
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the phone may be able to access photos in the Photo Library
Description:  The Leave a Message option in FaceTime may have allowed viewing and sending photos from the device. This issue was addressed through improved state management.
CVE-ID
CVE-2014-4463

Sandbox Profiles
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may be able to launch arbitrary binaries on a trusted device
Description:  A permissions issue existed with the debugging functionality for iOS that allowed the spawning of applications on trusted devices that were not being debugged. This was addressed by changes to debugserver's sandbox.
CVE-ID
CVE-2014-4457 : @PanguTeam

Spotlight
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Unnecessary information is included as part of the initial connection between Spotlight or Safari and the Spotlight Suggestions servers
Description:  The initial connection made by Spotlight or Safari to the Spotlight Suggestions servers included a user's approximate location before a user entered a query. This issue was addressed by removing this information from the initial connection and only sending the user's approximate location as part of queries.
CVE-ID
CVE-2014-4453 : Ashkan Soltani

WebKit
Available for:  iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
CVE-ID
CVE-2014-4452
CVE-2014-4462

Apple TV 7.0.2: 
APPLE-SA-2014-11-17-3 Apple TV 7.0.2
Apple TV 7.0.2 is now available and addresses the following:

Apple TV
Available for:  Apple TV 3rd generation and later
Impact:  An attacker with a privileged network position may cause an unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
CVE-ID
CVE-2014-4452
CVE-2014-4462

Apple TV
Available for:  Apple TV 3rd generation and later
Impact:  A local user may be able to execute unsigned code
Description:  A state management issue existed in the handling of Mach-O executable files with overlapping segments. This issue was addressed through improved validation of segment sizes.
CVE-ID
CVE-2014-4455 : @PanguTeam

Apple TV
Available for:  Apple TV 3rd generation and later
Impact:  A malicious application may be able to execute arbitrary code with system privileges
Description:  A validation issue existed in the handling of certain metadata fields of IOSharedDataQueue objects. This issue was addressed through relocation of the metadata.
CVE-ID
CVE-2014-4461 : @PanguTeam

Security documents for all Apple security patches can be found (eventually) at:


https://support.apple.com/kb/HT1222


[Happy news! Apple has revamped the Apple Security Updates page. Hopefully, this means they will be taking it more seriously in the future. That would be a good thing.]




--

Tuesday, November 11, 2014

Another MASSIVE CRITICAL
Adobe Flash / AIR Security Patch
Plus Shockwave Patch!

--

Today ('Patch Tuesday') Adobe pushed out a MASSIVE security patch for Adobe Flash (v15.0.0.223) and AIR (v15.0.0.356). They also pushed out an update to Adobe Shockwave (v12.1.4.154). Whether the Shockwave update includes an update to its outdated Flash support remains unknown. We can wish.

Here is Adobe's Security Bulletin:


http://helpx.adobe.com/security/products/flash-player/apsb14-24.html


The 18 CVEs patched:


CVE-2014-0573
CVE-2014-0574
CVE-2014-0576
CVE-2014-0577
CVE-2014-0581
CVE-2014-0582
CVE-2014-0583
CVE-2014-0584
CVE-2014-0585
CVE-2014-0586
CVE-2014-0588
CVE-2014-0589
CVE-2014-0590
CVE-2014-8437
CVE-2014-8438
CVE-2014-8440
CVE-2014-8441
CVE-2014-8442

Adobe's summary:
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2014-0576, CVE-2014-0581, CVE-2014-8440, CVE-2014-8441). 
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2014-0573, CVE-2014-0588, CVE-2014-8438). 
These updates resolve a double free vulnerability that could lead to code execution (CVE-2014-0574). 
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2014-0577, CVE-2014-0584, CVE-2014-0585, CVE-2014-0586, CVE-2014-0590). 
These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2014-0582, CVE-2014-0589).
These updates resolve an information disclosure vulnerability that could be exploited to disclose session tokens (CVE-2014-8437).
These updates resolve a heap buffer overflow vulnerability that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2014-0583). 
These updates resolve a permission issue that could be exploited to perform privilege escalation from low to medium integrity level (CVE-2014-8442).
Where to grab the updates:

https://get.adobe.com/flashplayer/

https://get.adobe.com/air/
https://get.adobe.com/shockwave/

Needless to say: 
Adobe freeware is some of the most DANGEROUS software you can install on your Mac. Just say NO unless you really need it. If you do need it, be happy that Apple has built into recent versions of OS X requirements that you update to the latest version. But to be extra safe, use a browser extension that keeps Flash and Shockwave content OFF until you personally approve it to run.

I am so sick of Adobe's security FAIL.
:-Q*****




--

Thursday, November 6, 2014

Wirelurker Malware's Butt Gets Kicked Good!
(Free Detection Script!)

--

Early this AM the net waves were abuzz about a discovery made by Palo Alto Networks. It's OS X malware named Wirelurker (aka 'MacHook') that is capable of cross-infecting both jailbroken AND non-jailbroken iOS devices. That's a new species of malware for the Apple community. 

Topher Kessler and Thomas Reed have excellent coverage of the Wirelurker malware at their websites:

New WireLurker malware infects Mac OS X and iOS

Apple responds to 'Wirelurker' threat, revokes developer certificates

What's great is how Apple responded and stomped this thing dead in less than 24 hours!

Free Wirelurker Detection

Palo Alto Networks has provided a FREE detection script that runs in the Terminal HERE.

If you're not used to working in the Terminal, please do not attempt this script. If you ARE used to working in the Terminal, this is dirt easy. Be sure to read the README first, then follow the instructions and it starts cooking, seeking Wirelurker. It will likely take a few minutes as it searches through all your applications for infection. If you've got the bug, follow the instructions in the results.

The Moral Of The Story

There are two olde lessons to learn from Wirelurker:

1) Don't Install Warez
If the software you're downloading and installing has been compromised, you'll be compromised too. Welcome to infection. You've been Trojaned.

2) Don't Jailbreak Your iOS Gear!
Thanks to Apple's rapid response, all non-jailbroken iOS gear can no longer be infected with Wirelurker. HOWEVER, all jailbroken iOS gear is still susceptible to Wirelurker, as well as the handful of other jailbroken iOS malware out in-the-wild. If you care about the security of your iOS gear, you care not for jailbreaking software.

[UPDATE!] Here is a HIGHER VOLTAGE discussion of Wirelurker from Jonathan Zdziarski, for those interested. (Italics mine):

What You Need to Know About WireLurker
It would greatly behoove Apple to address this situation with more than a certificate revocation; I’m not scared of WireLurker, but I am concerned that this technique could be weaponized in the future, and be a viable means of attack on public and private sector machines. It could easily be attached to any software download in-transit across non-encrypted HTTP, such as an Adobe Flash download or other software download. Social engineering would also help to make juicy targets out of people likely to click on links from IT departments or install software on their Mac. There are a number of potentially more dangerous uses for WireLurker, and unfortunately many of them will go unnoticed by Apple in time to revoke a certificate. It would be a much better solution to address the underlying design issues that make this possible.



--

Monday, September 29, 2014

Coverage Of:
Apple's Bash 'ShellShock' Bugs Patchfest

--
[UPDATES:
-> 2014-09-29 at 9:00 pm EDT. Some language altered. 'SCORE KEEPING!' section added.
-> 9:30 pm EDT. Updated CVE data and links in 'SCORE KEEPING!' section.
-> 2014-09-30 at 6:45 pm EDT. Added the 'FURTHER INFORMATION!' section with links to two SANS presentations on the Bash bugs. Added the 'ALERT' section with advice to server and client Mac users and a link to Rich Mogul's relevant article. Also added: A link to Adam Engst's 'How to Test Bash for Shellshock Vulnerabilities.']

ALERT: Active exploits are in-the-wild for Bash bug CVEs that have NOT yet been patched by Apple! These exploits are specific to UNIX (including OS X) servers exposed to the Internet. All admins should be applying every latest official Bash patch relevant to their servers as they are released. This is imperative. 

Client Mac users, however, generally have no major worries (as of yet). Nonetheless, here is an excellent strategy to help prevent potential exploits (with thanks to Rich Mogul):

1) Have your OS X Firewall running! Its tab is located in the Security & Privacy System Preferences pane.
2) Turn OFF Guest User access in the Users & Groups System Preferences pane.
3) Turn OFF Remote Login in the Sharing System Preferences pane.
4) Not so critical, but useful: check ON 'Block all incoming connections'. This setting is located in the Security & Privacy System Preferences pane, under the Firewall tab, behind the 'Firewall Options' button. Note Apple's warning when you activate this setting! It will block ALL sharing services, which will itself cause problems on your LAN (local area network). If you aren't using a LAN, check it on.

Welcome to the Patchfest! 

This is where I'll be listing all the Bash 'ShellShock' Bugs CVEs and Apple patches as they are released.

1) 2014-09-29, 6:30 pm:

Apple has released its FIRST patch for the Bash security bugs. It patches two out of six known and published Bash security flaws. As such, expect further Apple Bash patches in the very near future.

Here is Apple's Security Report, which includes links to the first available patches. I've added formatting and bolding to provide focus points.
APPLE-SA-2014-09-29-1 OS X bash Update 1.0
OS X bash Update 1.0 is now available and addresses the following:

Bash

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands

Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement.

This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state.

In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers.

CVE-ID
CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy

OS X bash Update 1.0 may be obtained from the following webpages:
http://support.apple.com/kb/DL1767 – OS X Lion
http://support.apple.com/kb/DL1768 – OS X Mountain Lion
http://support.apple.com/kb/DL1769 – OS X Mavericks

To check that bash has been updated:
* Open Terminal
* Execute this command:
bash --version
* The version after applying this update will be:
OS X Mavericks:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222
NOTE: Not all currently known Bash CVEs have been patched! The remaining CVEs must wait to be patched another day...

You can look up CVE reports using links under the 'Friends of Mac-Security' on the right of this page. But I will be providing links to CVE reports as they become known to me. Check out the 'SCORE KEEPING!' section below.
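Checking the version string, as Apple's document instructs, tells you which build you have; it does not by itself tell you whether a given bash binary still takes the bait. The following POSIX sh script is an added example (not Apple's code and not from the original post) that automates both: it reads the version string, reports which exported-function namespace the binary honours (the "__BASH_FUNC<name>()" spelling from the Apple advisory above, or upstream bash's "BASH_FUNC_name%%"), then feeds bash the canonical CVE-2014-6271 and CVE-2014-7169 proof-of-concept environment variables and reports whether either one triggers. It assumes the bash to test is the first one in PATH unless you pass a path as the argument.

```sh
#!/bin/sh
# Added example; not code from the original post or from Apple's advisory.
# Probes a bash binary with the canonical proof-of-concept inputs for
# CVE-2014-6271 and CVE-2014-7169 and reports the version string the
# advisory tells you to compare. Argument: path of the bash to test
# (assumption: defaults to the first bash found in PATH).

# Prints the bare version, e.g. "3.2.53", taken from `bash --version`.
bash_version() {
    "$1" --version 2>/dev/null | sed -n '1s/.*version \([0-9][0-9.]*\).*/\1/p'
}

# Reports which exported-function namespace this bash honours: upstream's
# BASH_FUNC_name%% or Apple's __BASH_FUNC<name>(). Informational only.
function_namespace() {
    if [ "$(env 'BASH_FUNC_probe%%=() { echo ok; }' "$1" -c probe 2>/dev/null)" = ok ]; then
        echo 'BASH_FUNC_name%%'
    elif [ "$(env '__BASH_FUNC<probe>()=() { echo ok; }' "$1" -c probe 2>/dev/null)" = ok ]; then
        echo '__BASH_FUNC<name>()'
    else
        echo none
    fi
}

# Exit status: 0 = neither PoC triggered, 1 = at least one triggered,
# 2 = bash binary not found or no scratch directory available.
shellshock_check() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    [ -n "$bash_bin" ] && [ -x "$bash_bin" ] || return 2
    vuln=0
    echo "bash: $bash_bin, version $(bash_version "$bash_bin")"
    echo "function export namespace: $(function_namespace "$bash_bin")"

    # CVE-2014-6271: a vulnerable bash imports any variable whose value starts
    # with "() {" as a function and keeps parsing, so the command after the
    # closing brace runs during start-up. A patched bash leaves x as plain data.
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null || :)
    case "$out" in
        *VULNERABLE*) echo "CVE-2014-6271: vulnerable"; vuln=1 ;;
        *)            echo "CVE-2014-6271: not vulnerable" ;;
    esac

    # CVE-2014-7169: with only the first fix applied, parser state still leaked,
    # so the stray "=>\" turns the next command word ("echo") into a redirection
    # target and a file named "echo" appears in the working directory. Run it in
    # a scratch directory so a vulnerable bash cannot clobber anything real.
    tmp=$(mktemp -d 2>/dev/null) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 ) || :
    if [ -e "$tmp/echo" ]; then
        echo "CVE-2014-7169: vulnerable"; vuln=1
    else
        echo "CVE-2014-7169: not vulnerable"
    fi
    rm -rf "$tmp"
    return "$vuln"
}

# Stand-alone use: sh shellshock_check.sh [/path/to/bash]
case "${0##*/}" in shellshock_check.sh) shellshock_check "$@" ;; esac
```

Run it against every bash on the box, not only the one in PATH: /bin/bash, /bin/sh where that is a bash link (as it is on OS X of this era), and anything a package manager put under /usr/local or /opt. The version string is the weaker signal, since the 3.2.53 Apple lists is their own build of the patch series and other vendors ship other numbers; the behavioural probes are what say whether a particular binary is still exploitable.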

~ ~ ~ ~ ~ 

SCORE KEEPING!

[Last updated 2014-09-29 at 9:30 pm EDT]

Here is the current list of Bash bug CVEs. I'll be updating it as I learn more and as Apple patches each CVE. Note that this list is 'to the best of my knowledge'. CVEs not yet listed at NIST remain nebulous, strange and abstract in the aether, unverifiable by mere mortals on planet Earth. So don't hold me to them.

CVE-2014-6271 (√ Patched by Apple 2014-09-29)
http://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

CVE-2014-7169 (√ Patched by Apple 2014-09-29)
http://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

CVE-2014-6278 (Unpatched. No description. Not yet listed at NIST)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-6278

~ ~ ~ ~ ~

FURTHER INFORMATION!

-> Today (2014-09-30) the SANS Institute posted and updated a 13 minute video presentation by Johannes B. Ullrich, Ph.D., about the Bash bugs situation (as of this moment). SANS offers:
- An audio presentation.
- A video presentation at YouTube with audio and slides.
- A PDF of notes.
- PowerPoint slides.
All are available HERE.

-> Wednesday (2014-10-01) at 3:00 pm EDT (19:00 UTC) SANS will be offering a 'webinar' with Johannes Ullrich and Chris Wysopal. It is entitled "Shell Shock - What you need to know." Here is the notification they sent out on Tuesday afternoon:


***************  Sponsored By Veracode  ***************

Shell Shock - What you need to know:
Wednesday, October 01 at 3:00 PM EDT (19:00:00 UTC) - There is speculation that Shellshock, the latest vulnerability in a long line of major discoveries, will be more catastrophic than Heartbleed. During this webinar, Johannes Ullrich, SANS and Chris Wysopal, co-founder and CTO of Veracode, will outline what you need to know about Shellshock. They will also explain how you can respond to this specific vulnerability and what you can do to prepare for the inevitable future vulnerability discoveries.


************************************************************

-> Adam Engst of TidBITS has created a great page entitled "How To Test Bash for Shellshock Vulnerabilities". It is an elaboration upon the work on my Bash coverage here. He will be updating it if/when further Bash CVEs are made public. Thank you Adam!

I wrote to Adam Engst tonight about what a terrific gestalt of helpful people we have within the Mac community, including himself and Rich Mogul. Links to a lot of other helpful Mac gestalt members are listed under 'Friends of Mac-Security' on the right of this page.

Share and Enjoy,


:-Derek
--