Tuesday, October 27, 2015

Critical Adobe Shockwave Update v12.2.1.171


I personally don't see the point in bothering to have the Adobe Shockwave Internet plug-in installed at this point in time. I recommend UNinstalling it and leaving it that way. Adobe is constantly behind in keeping its instance of Adobe Flash up-to-date, making Shockwave dangerous.

But if you have to have the Shockwave plug-in, here you go. A new critical update, released 'out-of-band', meaning that it is important to install it NOW, if you're going to bother.

Here is Adobe's Security Bulletin for Shockwave v12.2.1.171:


Vulnerability Details 
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2015-7649). 
The CVE is not listed at Mitre.org at this time.

Here is Adobe's Shockwave download page: 



Friday, October 16, 2015

IMPERATIVE Adobe Flash Security Update v19.0.0.226
No updates yet for AIR or Shockwave



Adobe provided an emergency release of Flash v19.0.0.226 today, which patches the current zero-day exploit going on in-the-wild. You can read the Adobe Security Bulletin about it here:

Vulnerability Details 
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2015-7645, CVE-2015-7647, CVE-2015-7648).
Whether you want to actually reinstall Flash is another matter.

CVE-2015-7645 was the security vulnerability being actively exploited on the Internet.

NOTE: Adobe AIR and Shockwave have NOT yet been updated with this patched version of Flash! Therefore, Do NOT Use AIR or SHOCKWAVE at this time.

As usual: Keep in mind that Adobe AIR and Shockwave both integrate Flash and remain vulnerable to its security exploits until they too are updated. In the case of Shockwave, Adobe has been outrageously lax in keeping it up-to-date. I highly recommend trashing Shockwave permanently and doubt you're going to miss it.

~ ~ ~ ~ ~

Here's something ScARy for Halloween!
Check this out.
It's from 2009.
But may be just as true today.

Happy PWNing!


Wednesday, October 14, 2015

Zero-day Exploit In-The-Wild


[UPDATE: Adobe has provided a Security Bulletin regarding this zero-day exploit. As of yet there is NO replacement for Flash. So follow the instructions from Adobe linked below in order to remain safe. A patched version of Flash/AIR is promised for the week of October 19th.

The new Adobe Security Bulletin is available HERE.

A critical vulnerability (CVE-2015-7645) has been identified in Adobe Flash Player 19.0.0.207 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for this vulnerability is being used in limited, targeted attacks.  Adobe expects to make an update available during the week of October 19.   
Keep in mind that the affected versions of Flash are ALSO integrated into Adobe AIR. Therefore, be certain to delete/update them BOTH.

As for Adobe Shockwave: It ALSO integrates Flash! My personal advice is to trash Shockwave and never re-install it again. It's essentially dead on the Internet at this point. Unless you run into something, somehow requiring Shockwave, just keep it OUT of your /Library/Internet Plug-ins/ folder forever more.

I'll post further as this situation evolves.

:-Derek ]
~ ~ ~ ~ ~

What happened:

New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries
- October 13, 2015 at 11:57 am, Trend Micro
Trend Micro researchers have discovered that the attackers behind Pawn Storm are using a new Adobe Flash zero-day exploit in their latest campaign. Pawn Storm is a long-running cyber-espionage campaign known for its high-profile targets and usage of the first Java zero-day we’ve seen in the last couple of years. The affected vulnerability has since been assigned the CVE number CVE-2015-7645. . . .
New Flash flaw lets you beat White House and NATO security
Flaw flings phish Pawn Storm gang tried to get past the great and the good
- 14 Oct 2015 at 05:18 GMT, Richard Chirgwin, The Register 
Trend's analysts reckon the zero-day works on Adobe Flash Player versions and, the latter meaning the vulnerability is present in the most current version of the hopefully-soon-to-be-lamented piece of bugware.

The company emphasises that just because other versions aren't listed doesn't mean they're not vulnerable.

Phishing messages sent to “several ministries of foreign affairs” have links to exploit sites, the company says, warning people to look out for the following subject lines:

  • Suicide car bomb targets NATO troop convoy Kabul
  • Syrian troops make gains as Putin defends air strikes
  • Israel launches airstrikes on targets in Gaza
  • Russia warns of response to reported US nuke buildup in Turkey, Europe
  • US military reports 75 US-trained rebels return Syria
The URLs involved in the latest exploit are, Trend says, similar to those Pawn Storm tried against NATO and the White House in April.
Note that yesterday's NEW version of Flash is affected, that being Flash v19.0.0.207. Therefore, AIR v19.0.0.213 is also affected.

Also note: It is possible to run non-Internet downloaded Flash and AIR content without worry. But be wary of using either on anything from the Internet.

It's going to be interesting how Apple responds to this situation. They're going to, at long last, have to deactivate Flash on all supported versions of OS X, with NO safe version to replace it. Steve Jobs must be laughing in the aether.

No doubt, Adobe is scrambling today to get out another patched version of Flash to replace their dangerous current version. What a mess.

Uninstall instructions from Adobe:

Uninstall Flash Player | Mac OS

Removing Adobe AIR

After uninstalling Flash and AIR, RESTART your running web browsers.

Please do this RIGHT NOW. If you have more than one Mac, be certain to dump Flash and AIR there as well. 

Keep an eye out for Adobe's next update, or dump Flash and AIR entirely.



Tuesday, October 13, 2015

It's Adobe Critical Updates Day!
Flash & AIR have 13 CVE patches,
Acrobat & Reader have 56 patches!!!


[URGENT UPDATE: These new, current versions of Adobe Flash and AIR have a zero-day vulnerability out-in-the-wild! DO NOT USE FLASH AT ALL at this point in time! Seriously! I'm going to post an article after this one that provides some information. In the meantime: UNINSTALL FLASH NOW please!

Uninstall instructions from Adobe:

Uninstall Flash Player | Mac OS

Removing Adobe AIR

After uninstalling Flash and AIR, RESTART your running web browsers.

Please do this RIGHT NOW. If you have more than one Mac, be certain to dump Flash and AIR there as well. 

More to follow.]
~ ~ ~ ~ ~

It's the second-Tuesday-of-the-month, which means it's time for a bombardment of Adobe security patches! This month's pile of patches is truly astonishing. Keep in mind that this isn't the only day of the month Adobe provides security updates. This past month, Adobe pushed out two separate groups of security updates.

Here are today's Adobe security bulletins:

Adobe Flash and AIR

Adobe Acrobat and Reader

Here are the linked Adobe updates:

Adobe Flash, Desktop v19.0.0.207

Adobe Flash, Extended Support v18.0.0.252 (Scroll down to 'Flash Player Archives')

Adobe AIR v19.0.0.213

Adobe Acrobat DC and DC Reader 'Continuous' v2015.009.20069

Adobe Acrobat DC and DC Reader 'Classic' v2015.006.30094
Adobe Acrobat and Reader XI Desktop v11.0.13
Adobe Acrobat and Reader X Desktop v10.1.16

CVE Patches:

[I'm not linking the listed CVEs (Common Vulnerabilities and Exposures) this month as the list is massive and I'm rather busy at my end at the moment. The link to look up CVEs is at the right of this page.]

Adobe Flash and AIR
Vulnerability Details

These updates resolve a vulnerability that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2015-7628).

These updates include a defense-in-depth feature in the Flash broker API (CVE-2015-5569).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-7629, CVE-2015-7631, CVE-2015-7643, CVE-2015-7644).

These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2015-7632).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-7625, CVE-2015-7626, CVE-2015-7627, CVE-2015-7630, CVE-2015-7633, CVE-2015-7634).
Adobe Acrobat and Reader
Vulnerability Details

These updates resolve a buffer overflow vulnerability that could lead to information disclosure (CVE-2015-6692).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-6689, CVE-2015-6688, CVE-2015-6690, CVE-2015-7615, CVE-2015-7617, CVE-2015-6687, CVE-2015-6684, CVE-2015-6691, CVE-2015-7621, CVE-2015-5586, CVE-2015-6683).

These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-6696, CVE-2015-6698).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-6685, CVE-2015-6693, CVE-2015-6694, CVE-2015-6695, CVE-2015-6686, CVE-2015-7622).

These updates resolve memory leak vulnerabilities (CVE-2015-6699, CVE-2015-6700, CVE-2015-6701, CVE-2015-6702, CVE-2015-6703, CVE-2015-6704, CVE-2015-6697).

These updates resolve security bypass vulnerabilities that could lead to information disclosure (CVE-2015-5583, CVE-2015-6705, CVE-2015-6706, CVE-2015-7624).

These updates resolve various methods to bypass restrictions on Javascript API execution (CVE-2015-6707, CVE-2015-6708, CVE-2015-6709, CVE-2015-6710, CVE-2015-6711, CVE-2015-6712, CVE-2015-7614, CVE-2015-7616, CVE-2015-6716, CVE-2015-6717, CVE-2015-6718, CVE-2015-6719, CVE-2015-6720, CVE-2015-6721, CVE-2015-6722, CVE-2015-6723, CVE-2015-6724, CVE-2015-6725, CVE-2015-7618, CVE-2015-7619, CVE-2015-7620, CVE-2015-7623, CVE-2015-6713, CVE-2015-6714, CVE-2015-6715).

As ever, running software over the Internet can be dangerous. The most dangerous pieces of software to use are the Adobe Flash, Adobe Shockwave and Oracle Java browser plug-ins. If you don't need them, either trash them or pull them out of your system and put them into a 'disabled' folder. You can find all of these plug-ins here:

/Library/Internet Plug-ins/

Adobe Acrobat and Reader can be dangerous if you're using them to read PDF files you've downloaded from the Internet. The safest way to run either of these programs is with Enhanced Security turned ON in their preferences (the 'Security (Enhanced)' pane). Even then, as the CVE list above shows, that may not protect you from malicious PDF files: a good number of this month's fixes are for security bypasses and for ways around the restrictions on JavaScript API execution.

Also dangerous, for the same reason, are the Adobe PDF Viewer plug-ins for web browsers. As with the other dangerous plug-ins noted above, either trash them or put them into a 'disabled' folder. If you have a specific reason to use the Viewer plug-ins, then you're stuck with them. However, for the vast majority of people there is NO reason to use them. Safari, Chrome and Firefox all have their own built-in PDF viewers. You can find the Adobe PDF Viewer plug-ins here:

/Library/Internet Plug-ins/AdobePDFViewer.plugin

/Library/Internet Plug-ins/AdobePDFViewerNPAPI.plugin
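The 'disabled folder' advice above, the Flash and AIR uninstall instructions earlier on this page, and the Shockwave and Java warnings all come down to one check: what is sitting in /Library/Internet Plug-ins/, what version is it, and is that version at or past the patched build from the bulletin. Here is a small POSIX shell script that does that check and, if asked, moves the losers into a 'disabled' folder. It is an added example, not a tool from Adobe or from this blog. The bundle names (Flash Player.plugin, DirectorShockwave.plugin, JavaAppletPlugin.plugin and the two AdobePDFViewer bundles) and the Info.plist layout it parses are assumptions about the Mac plug-in bundles; the minimum versions come from the bulletins quoted on this page (Flash 19.0.0.226, Shockwave 12.2.1.171), and Java and the PDF viewers are treated as "no version worth keeping", which is the advice above.

```sh
#!/bin/sh
# plugin-audit.sh: list the browser plug-ins this post calls dangerous, compare
# each installed version with the patched builds quoted above, and move
# anything unsafe into a 'disabled' folder. Added example, not Adobe's or the
# blog author's tool. Bundle names and the XML plist layout are assumptions.

PLUGIN_DIR="${PLUGIN_DIR:-/Library/Internet Plug-ins}"
DISABLED_DIR="${DISABLED_DIR:-/Library/Internet Plug-ins (disabled)}"

# Policy: bundle name|minimum patched version (October 2015 bulletins).
# An empty version means no version is worth keeping in a browser.
POLICY='Flash Player.plugin|19.0.0.226
DirectorShockwave.plugin|12.2.1.171
JavaAppletPlugin.plugin|
AdobePDFViewer.plugin|
AdobePDFViewerNPAPI.plugin|'

# Print CFBundleShortVersionString from a bundle's Info.plist (XML plist
# assumed). Prints nothing, and still exits 0, when it cannot be read.
plugin_version() {
    plist="$1/Contents/Info.plist"
    [ -f "$plist" ] || return 0
    tr '\n' ' ' < "$plist" |
      sed -n 's|.*CFBundleShortVersionString</key>[[:space:]]*<string>\([^<]*\)</string>.*|\1|p'
    return 0
}

# True (exit 0) when dotted version $1 is at least $2, comparing field by
# field, so 19.0.0.226 beats 19.0.0.207 and 20.0 beats 19.0.0.226.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}

# Print "+<min>" for a bundle the policy covers ("+" alone means never keep),
# or nothing when the bundle is not in the policy.
policy_entry() {
    printf '%s\n' "$POLICY" | awk -F'|' -v n="$1" '$1 == n { print "+" $2; exit }'
}

# Verdict for one plug-in: first word is "keep" or "quarantine", then why.
plugin_verdict() {
    name="$1"; ver="$2"
    entry=$(policy_entry "$name")
    case "$entry" in
        "")  echo "keep not covered by policy" ;;
        "+") echo "quarantine no version of this plug-in is worth keeping in a browser" ;;
        *)   min="${entry#+}"
             if [ -z "$ver" ]; then
                 echo "quarantine version unreadable, treat as unpatched"
             elif version_ge "$ver" "$min"; then
                 echo "keep $ver is at least $min"
             else
                 echo "quarantine $ver is older than patched $min"
             fi ;;
    esac
}

# Walk the plug-in folder and print one line per bundle. With --fix, move
# every "quarantine" bundle into DISABLED_DIR (the post's 'disabled' folder).
audit_plugins() {
    fix=0; [ "$1" = "--fix" ] && fix=1
    for bundle in "$PLUGIN_DIR"/*.plugin; do
        [ -d "$bundle" ] || continue
        name="${bundle##*/}"
        ver=$(plugin_version "$bundle")
        verdict=$(plugin_verdict "$name" "$ver")
        printf '%-28s %-14s %s\n' "$name" "${ver:-?}" "$verdict"
        if [ "$fix" -eq 1 ] && [ "${verdict%% *}" = "quarantine" ]; then
            mkdir -p "$DISABLED_DIR" && mv "$bundle" "$DISABLED_DIR/"
        fi
    done
    return 0
}

# Run the audit when executed directly: report only, or --fix to quarantine.
case "${0##*/}" in plugin-audit.sh) audit_plugins "$@" ;; esac
```

Run it as `sh plugin-audit.sh` for a report and `sudo sh plugin-audit.sh --fix` to move the unsafe bundles aside, then restart your browsers as the uninstall instructions above say. It only looks at the system-wide folder; point PLUGIN_DIR at ~/Library/Internet Plug-ins/ to check a per-user copy. One caveat worth keeping in mind: a version number that passes the check only says the plug-in is patched against the bulletin it came from. It says nothing about the next zero-day, which is why the advice on this page is still to remove whatever you don't actually need.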

~ ~ ~ ~ ~

As usual:

The #1 Rule of Computing and Security is:

BACKUP!

Backups allow you to restore your computer back to health if it gets PWNed (zombied/botted) or otherwise compromised on the Internet.

There are many articles on the Internet about computer backup strategies. Here are three articles and two ebooks specific to Mac backups:

Bulletproof backups: When you absolutely can't lose any data

Apple: Backing up your Mac hard drive

Apple Support Communities: Most commonly used backup methods

Backing Up Your Mac: A Joe On Tech Guide

TAKE CONTROL OF Security for Mac Users

Stay safe out there kids!