Tuesday, July 14, 2015

Adobe Flash Security Concerns Peak:
Drama Online

--

[Update 2015-07-16: I added a Wired article link and two fun images with links to "Flash Sucks" items currently available from Zazzle. (^_^) ]

Due to the recent stream of zero-day exploits of Adobe Flash, the concerns within the security community have reached a peak. This is a listing of some of the commentary going on around the net. You know my opinion. Here are some others:















--

FOUR CRITICAL Adobe Updates:
Flash 18.0.0.209
Shockwave Player 12.1.9.159
Acrobat & Reader 2015.008.20082

--

[Update 2015-07-15: I added download page links for Adobe Acrobat and the non-cloud version of Adobe Reader. Thanks to my collaborator Al for assistance!]

Adobe has released FOUR CRITICAL updates today. Below I list each of the updates, link to their Security Bulletins and link to where you can download them. I've also added a list of CVEs patched in each update. A total of 50 CVEs have been patched in these updates. I believe that's a record for Adobe.

Adobe Flash Player 18.0.0.209

Adobe Security Bulletin

Download Page

CVEs Patched
CVE-2015-5122: "A use-after-free vulnerability that could lead to code execution."
CVE-2015-5123: "A memory corruption vulnerability that could lead to code execution."

Adobe Shockwave Player 12.1.9.159

Adobe Security Bulletin

Download Page

CVEs Patched
CVE-2015-5120 - "Memory corruption vulnerabilities that could lead to code execution"
CVE-2015-5121 - "Memory corruption vulnerabilities that could lead to code execution"

*Neither CVE is yet listed at Mitre.org

Adobe Acrobat & Reader:
DC v2015.008.20082 and v11.0.12

Adobe Security Bulletin

Adobe Reader DC Download Page

Adobe Reader (non-cloud) v11.0.12 Download Page

Adobe Acrobat Pro and DC Pro Download Page

CVEs Patched
CVE-2014-0566 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2014-8450 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-3095 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-4435 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4438 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4441 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4443 - “Null-pointer dereference issues that could lead to a denial-of-service condition.”
CVE-2015-4444 - “Null-pointer dereference issues that could lead to a denial-of-service condition.”
CVE-2015-4445 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4446 - “Validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level.”
CVE-2015-4447 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4448 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-4449 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-4450 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-4451 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-4452 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-5085 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-5086 - “Methods to bypass restrictions on JavaScript API execution.”
CVE-2015-5087 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5088 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-5089 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-5090 - “Validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level.”
CVE-2015-5091 - “Validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level.”
CVE-2015-5092 - "Security bypass vulnerabilities that could lead to information disclosure."
CVE-2015-5093 - "A buffer overflow vulnerability that could lead to code execution."
CVE-2015-5094 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5095 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5096 - "Heap buffer overflow vulnerabilities that could lead to code execution."
CVE-2015-5097 - “Integer overflow vulnerabilities that could lead to code execution.”
CVE-2015-5098 - "A buffer overflow vulnerability that could lead to code execution."
CVE-2015-5099 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5100 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5101 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5102 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5103 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5104 - "Memory corruption vulnerabilities that could lead to code execution."
CVE-2015-5105 - "A buffer overflow vulnerability that could lead to code execution."
CVE-2015-5106 - “Validation bypass issues that could be exploited to perform privilege escalation from low to medium integrity level.”
CVE-2015-5107 - "An information leak vulnerability."
CVE-2015-5108 - “Integer overflow vulnerabilities that could lead to code execution.”
CVE-2015-5109 - “Integer overflow vulnerabilities that could lead to code execution.”
CVE-2015-5110 - "A stack overflow vulnerability that could lead to code execution."
CVE-2015-5111 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5113 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5114 - "Use-after-free vulnerabilities that could lead to code execution."
CVE-2015-5115 - "Memory corruption vulnerabilities that could lead to code execution."

* CVEs not linked above have not yet been listed at Mitre.org.

--

Sunday, July 12, 2015

Adobe Flash:
TWO MORE new Zero-Day Exploits!
Just Kill Flash NOW

--

A further two zero-day exploits of Adobe Flash are in-the-wild. This makes the most recent Flash update DANGEROUS to use. So don't.

Security Advisory for Adobe Flash Player

Summary

Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

WHAT TO DO

1) Go to /Library/Internet Plug-ins/ and throw away:
- Flash Player.plugin
- flashplayer.xpt

2) Restart your web browsers.

Do It NOW.

Don't use Flash until Adobe has patched the thing, yet again, again.

We theoretically will see a patched version of Flash on Tuesday, July 14th.

Or, we could all just leave Flash in the Trash and never bother with the piece of crapcode again.

And yes folks. This easily means that, at the moment, Adobe Flash is the single most dangerous software we can run over the Internet on our Macs. Move aside Oracle Java.

--

Wednesday, July 8, 2015

Then This Happened:
Adobe Warns Of July 14
Security Update of Acrobat/Reader

--

Apparently, fallout from the hacking of a professional hacking company continues to plague Adobe. They put out a warning today that they're going to provide a security update of Adobe Acrobat and Reader on Tuesday, July 14th. That's their regular 'in-band' monthly release date, the second Tuesday of each month.

That's all Adobe announced. No CVE was listed. No warning of anything in-the-wild. *Suspense*

https://helpx.adobe.com/security/products/acrobat/apsb15-15.html

So, we get to wait for that delightful bundle of security joy to arrive.

:-Q

--

Lousy Adobe Flash Updated To v18.0.0.203
Lousy Adobe AIR Updated To v18.0.0.180
CRITICAL Security Patches

--
The updates, patching ACTIVE in-the-wild EXPLOIT CVE-2015-5119, are out and available.

Adobe just bothered to catch up and release the accompanying security bulletin:

https://helpx.adobe.com/security/products/flash-player/apsb15-16.html

If you're still using Adobe Flash and AIR, you can go for the updates:

https://get.adobe.com/flashplayer/

https://get.adobe.com/air/

Because Adobe is so incredibly obtuse these days, when you visit the get AIR page, all you're going to see listed is "Version 18". IOW, tough luck if you want to know the actual version number. We little peon customers are too stupid to care about such vital things, right? But I've verified that what they're currently offering really is AIR v18.0.0.180, which is what we want. Proof:


Meanwhile, Adobe already has the beta of Flash version 18.0.0.205 in preparation for their 'in-band' release of Flash on the second-Tuesday-of-the-month, July 14th. Keep an eye out for that one, if you care. (-_-) zzz

WHAT ELSE GOT PATCHED?

Hold on to your proverbial hats. This is an incredible list of security flaws patched in Flash and AIR:
Vulnerability Details

These updates improve memory address randomization of the Flash heap for the Windows 7 64-bit platform (CVE-2015-3097).

These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431).

These updates resolve null pointer dereference issues (CVE-2015-3126, CVE-2015-4429).

These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2015-3114).

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119).

These updates resolve vulnerabilities that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116).

I marked our pal, in-the-wild exploit CVE-2015-5119 in red. That's 36 security flaws patched in Flash and AIR. Yes, Flash (and therefore AIR) really is crap code. And no doubt, it has many more security flaws waiting to be exploited. I read an article last week claiming that Adobe Flash is now the #1 most dangerous software you can run on the Internet, surpassing the awful Oracle Java plug-in. Astounding. It takes some seriously bad coding to surpass Java's horrendous security problems.

If you don't need Flash/AIR or Java running over the Internet, then get rid of their Internet Plug-ins. Please.

:-Derek


--

Adobe Flash:
New UNPATCHED Zero-Day Exploit
Kill Flash Plug-in NOW

--

Thanks to the hacking of a professional hacking company, it has been revealed that there is an ACTIVE zero-day exploit of Adobe Flash in-the-wild. It is being exploited right now. Therefore, it is critical to Stop Using Flash until the exploit is patched.

Critical Adobe Flash, Windows zero-days leak from Hacking Team raid
Security teams scramble to patch serious flaws

From what we've seen so far, inside the leaked source code lies an Adobe Flash exploit for which no patch exists: it can be used against Internet Explorer, Firefox, Chrome and Safari, and affects Flash Player 9 to the latest version, 18.0.0.194.

. . .

Adobe told us in a statement today that it is working on a patch, which it hopes to release by the end of the week. The vulnerability is present in its plugin software for Windows, OS X and Linux.

Security Advisory for Adobe Flash Player (APSA15-03)

A critical vulnerability (CVE-2015-5119) has been identified in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that an exploit targeting this vulnerability has been published publicly. Adobe expects to make updates available on July 8, 2015.

Note: As of this posting, CVE-2015-5119 remains unlisted at CVE.Mitre.org. Therefore, I cannot provide a link to its description.

Meanwhile,
SOLUTIONS:

Remove the Adobe Flash plug-in from your Mac NOW.

For those with an administrator password, this is how:

1) Open the root level Internet Plug-Ins folder, found here:

/Library/Internet Plug-Ins/

2) Locate these two files:
  • Flash Player.plugin
  • flashplayer.xpt
3) Select them both and choose to "Move to Trash", either from the Finder File menu or the contextual menu. (Alternatively, you can move them both to a created holding folder, such as 'Internet Plug-Ins (Disabled)'.)

4) Quit all your web browsers.

5) Reboot your web browsers. 

- - EXCEPT Chrome! Do Not Use Google Chrome! Why? Because Google embedded Adobe Flash into Chrome. It's stuck there, and you can't get rid of it. 

But, if you're desperate to use Chrome, there are two workarounds:
A) Use Chromium (of any flavor) instead. It does NOT include Flash. Everything else about it (except the default surveillance of your web behavior) is the same as Chrome. 
OR 
B) Follow Google's instructions for turning OFF Flash in Chrome:
  1. Type chrome:plugins in the address bar to open the Plug-ins page.
  2. On the Plug-ins page that appears, find the "Flash" listing. To enable Adobe Flash Player, click the Enable link under its name. To disable Adobe Flash Player completely, click the Disable link under its name.

After you've freed yourself from Adobe Flash, either stay that way (highly recommended) or keep an eye out for a new Adobe Flash update. Watch for a version of Flash higher than 18.0.0.194. That's the current bad version. Do not reinstall that thing again.
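
The removal steps above (and the shorter "WHAT TO DO" list in the July 12 post), written as a shell script. This is an added example, not part of the original post. The folder path, the two file names, the holding folder name and version 18.0.0.194 come from the post; the function names, the `--apply` switch and the timestamp suffix are assumptions made for this example.

```shell
#!/bin/sh
# Added example: quarantine the two Flash plug-in files and compare version strings.
PLUGIN_DIR="/Library/Internet Plug-Ins"              # folder named in the post
HOLDING_DIR="/Library/Internet Plug-Ins (Disabled)"  # holding folder suggested in step 3
BAD_VERSION="18.0.0.194"                             # "current bad version" per the post

# version_gt A B: succeed only when dotted version A is strictly higher than B.
# Fields are compared as numbers, so 9.0 sorts below 18.0 (a string compare would not).
version_gt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 1
}

# flash_is_newer_than_bad VERSION: is this a release higher than the bad one?
flash_is_newer_than_bad() { version_gt "$1" "$BAD_VERSION"; }

# quarantine_flash SRC DST: move the two plug-in files from SRC into DST.
# Returns 0 if anything was moved, 1 if neither file was present, 2 on error.
quarantine_flash() {
    src=$1; dst=$2; moved=0
    for f in "Flash Player.plugin" "flashplayer.xpt"; do
        [ -e "$src/$f" ] || continue
        mkdir -p "$dst" || return 2
        target="$dst/$f"
        # Keep an earlier quarantined copy instead of overwriting it.
        [ -e "$target" ] && target="$dst/$f.$(date +%Y%m%d%H%M%S)"
        mv "$src/$f" "$target" || return 2
        moved=$((moved + 1))
    done
    [ "$moved" -gt 0 ]
}

# Acts on the real folder only when run with --apply (needs administrator rights).
if [ "${1:-}" = "--apply" ]; then
    if quarantine_flash "$PLUGIN_DIR" "$HOLDING_DIR"; then
        echo "Moved to $HOLDING_DIR. Quit and reopen your web browsers."
    else
        echo "Nothing moved (files absent or the move failed)."
    fi
fi
```

Chrome's built-in Flash is not touched by this script; it still has to be disabled from inside Chrome as described above.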

I'll also be posting another article here when Adobe fixes this latest zero-day exploit.

:-Derek

--