Saturday, June 18, 2016

Help Us Stop the Updates to Rule 41
-EFF Calls for a Day of Action on June 21st-

This issue is critical to all US citizen computer users.
Therefore, I'm posting about it here to bring it to everyone's attention.

From the Electronic Frontier Foundation

"U.S. government agents want to use an obscure procedure to radically expand their use of hacking techniques. We need to stop them.

"The change to Rule 41 would make it easier for U.S. government agents to break into our computers, take data, and use hacking techniques.

"The rule change especially impacts people using privacy-protective technologies, including Tor and VPNs.

"The United States Congress never approved this expansion of the FBI’s powers. But now, Congress is our last chance to stop the change from taking effect."
Please reject the changes to Rule 41 of the Federal Rules of Criminal Procedure by passing the Stopping Mass Hacking Act (S.2952, H.R.5321). These amendments would lead to a vast expansion of government hacking, a largely unregulated law enforcement technique that makes us all less secure. 

Why you should care

"We’ve written a detailed explanation of the changes to Rule 41, which explains why this update will result in a dramatic increase in government hacking. Here’s an overview of some of the main reasons we are concerned:

"Government agents hacking into computers more frequently is a recipe for disaster. Law enforcement will increase their exploitation of security vulnerabilities in common software products, meaning vulnerabilities that could affect millions will be left open instead of patched.

"Law enforcement will forum shop, finding government-friendly magistrate judges to sign off on warrants with a loose connection to the judicial district.

"Law enforcement will pressure judges to sign off on remote searches of thousands of computers with a single warrant—a direct violation of the Fourth Amendment and a pattern we’re already seeing.

"This rule change especially impacts people using privacy protective technologies like Tor or VPNs, which is why we’re asking privacy tools to join us in standing up for users on June 21."

"The proposal comes from the advisory committee on criminal rules for the Judicial Conference of the United States. The amendment [PDF] would update Rule 41 of the Federal Rules of Criminal Procedure, creating a sweeping expansion of law enforcement’s ability to engage in hacking and surveillance. The Supreme Court just passed the proposal to Congress, which has until December 1 to disavow the change or it becomes the rule governing every federal court across the country.  This is part of a statutory process through which federal courts may create new procedural rules, after giving public notice and allowing time for comment, under a “rules enabling act.”


Thursday, June 16, 2016

Adobe Flash Has Another In-The-Wild Exploit:
Flash and AIR Updates
Plus Other Adobe Security Updates

Adobe Flash and AIR Updates:

Adobe was supposed to release a security update of Adobe Flash, and therefore AIR, on Tuesday, June 14th. But a Flash zero-day exploit was discovered and Adobe delayed the update until today, Thursday, June 16th. Adobe kindly posted a warning Security Bulletin to that effect. If this sounds familiar, the same scenario played out in May as well. (0_o)

The new versions are Flash v22.00.192 and AIR v22.0.0.153.

You can find the current versions of Adobe Flash and AIR here:

- -

Adobe Flash v22.00.192 update:

Vulnerability Details
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-4144, CVE-2016-4149).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-4142, CVE-2016-4143, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148).

These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2016-4135, CVE-2016-4136, CVE-2016-4138).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4137, CVE-2016-4141, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171).

These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4140).

These updates resolve a vulnerability that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2016-4139). 
The CVE currently being exploited In-The-Wild is CVE-2016-4171, bolded above. If you'd like to know more about this exploit, have a read of Dan Goodin's article on the subject:

Critical Adobe Flash bug under active attack currently has no patch
Exploit works against the most recent version; Adobe plans update later this week.

Adobe AIR v22.0.0.153 Update:

Vulnerability Details

This update resolves a vulnerability in the directory search path used by the Air (sic) installer that could lead to code execution (CVE-2016-4116).
Note that this is actually a vulnerability found in the previous installer for AIR.
~ ~ ~ ~ ~

The other Adobe security updates from Tuesday, June 14th:

Adobe ColdFusion Hotfixes available:

Vulnerability Details

These hotfixes resolve an important input validation issue (CVE-2016-4159) that could be exploited to conduct cross-site scripting attacks.
Adobe Creative Cloud Desktop Application v3.7.0.272 Update:

Vulnerability Details

This update resolves a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4157).

This update resolves an unquoted service path enumeration vulnerability in the Creative Cloud Desktop Application(CVE-2016-4158).

Adobe Brackets v1.7 Update:

Vulnerability Details
This update resolves a JavaScript injection vulnerability, which could be abused in a cross-site scripting attack (CVE-2016-4164).

This update resolves an input validation vulnerability in the extension manager (CVE-2016-4165).

Adobe DNG Software Development Kit (SDK) 1.4 (2016 release) Update:

Vulnerability Details

This update resolves a memory corruption vulnerability (CVE-2016-4167).
~ ~ ~ ~ ~

And some HaPPy news!

In Safari 10, set to ship with macOS Sierra, Apple plans to disable common plug-ins like Adobe Flash, Java, Silverlight, and QuickTime by default in an effort to focus on HTML5 content and improve the overall web browsing experience. . . .

. . . When a website offers both Flash and HTML5 content, Safari will always deliver the more modern HTML5 implementation. On a website that requires a plug-in like Adobe Flash to function, users can activate it with a click. . . .

Safari 10 will also include a command to reload a page with installed plug-ins activated to give users additional options for controlling the content that's displayed, and there are preferences for choosing which plug-ins are visible to which websites in Safari's Security preferences. . . .
One more nail in the coffin of poorly written Internet plugins. (^_^)