New Critical Adobe Shockwave Patch Released

Adobe has just released a new version of their Adobe Shockwave Player.  Adobe Shockwave Player 11.5.8.612 addresses 20 vulnerabilities and is rated Critical.

Adobe Shockwave Player versions 11.5.7.609 and earlier should be patched as soon as possible.  More information regarding this patch can be found in Adobe Security Bulletin APSB10-20.

– Jason

Microsoft Security Advisory 2269637 Released

Microsoft released a new security advisory yesterday regarding the DLL hijacking issue that has been widely discussed lately.  Unlike most Microsoft Security Advisories, this advisory is providing a non-security update to help protect your systems against attack.  In the past, Microsoft has issued temporary workarounds in lieu of a security bulletin/patch.  These are known as Fix-It patches.

A vulnerability exists if software was programmed with insecure methods.  The tool will help mitigate the risk on your systems by preventing the loading of DLLs from certain directories.
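To show what "preventing the loading of DLLs from certain directories" changes, here is an added example (not from Microsoft or Shavlik) that models the DLL search order and the effect of each setting of the tool's `CWDIllegalInDllSearch` registry value. The value name and its semantics come from Microsoft's documentation for the tool rather than from this post; the search order is simplified, and every path and file listing is constructed.

```python
# Added illustration: simplified model of the Windows DLL search order and of
# the CWDIllegalInDllSearch setting. All paths and file listings are constructed.
from dataclasses import dataclass

# Values of CWDIllegalInDllSearch as documented by Microsoft for the tool.
CWD_DEFAULT, CWD_BLOCK_WEBDAV, CWD_BLOCK_REMOTE, CWD_BLOCK_ALL = 0, 1, 2, 0xFFFFFFFF

@dataclass(frozen=True)
class Dir:
    path: str
    kind: str = "local"  # "local", "unc" or "webdav"

def cwd_allowed(cwd, setting):
    """True if the current working directory stays in the search path."""
    if setting == CWD_BLOCK_ALL:
        return False
    if setting == CWD_BLOCK_REMOTE:
        return cwd.kind == "local"
    if setting == CWD_BLOCK_WEBDAV:
        return cwd.kind != "webdav"
    return True

def search_path(app_dir, cwd, path_dirs, setting=CWD_DEFAULT):
    """Order with SafeDllSearchMode enabled (16-bit system directory omitted)."""
    order = [app_dir, Dir(r"C:\Windows\System32"), Dir(r"C:\Windows")]
    if cwd_allowed(cwd, setting):
        order.append(cwd)
    return order + list(path_dirs)

def resolve(dll, files, app_dir, cwd, path_dirs, setting=CWD_DEFAULT):
    """Return the first directory in the search order that holds dll, else None."""
    for d in search_path(app_dir, cwd, path_dirs, setting):
        if dll.lower() in files.get(d.path, set()):
            return d.path
    return None

# Constructed scenario: an application requests "helper.dll" by bare name while
# its working directory is a network share holding an untrusted copy of that DLL.
APP = Dir(r"C:\Program Files\Viewer")
SHARE = Dir(r"\\fileserver\docs", kind="unc")
FILES = {
    r"C:\Windows\System32": {"kernel32.dll"},
    r"\\fileserver\docs": {"helper.dll"},
}

if __name__ == "__main__":
    for s in (CWD_DEFAULT, CWD_BLOCK_WEBDAV, CWD_BLOCK_REMOTE, CWD_BLOCK_ALL):
        print(hex(s), resolve("helper.dll", FILES, APP, SHARE, [], s))
```

In this model only the values 2 and 0xFFFFFFFF stop the share from satisfying the load, which is why the choice of value matters when the tool is rolled out.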

This issue is not only a Microsoft issue.  Other third-party software vendors could be affected by this vulnerability.  Microsoft is reaching out to third-party vendors to work with them on fixing this vulnerability.  We will be seeing security bulletins from third-party vendors in the near future.

In addition, Microsoft will be investigating their own products.  Last year, Microsoft released a security bulletin for the ATL issue in Visual Studio.  Microsoft subsequently issued patches for their software affected by the vulnerability.  This advisory presents a similar scenario.

Review the MSRC blog, security advisory and SRD blog posting for more information regarding this advisory.

Shavlik customers can protect their networks with the non-security tool.  We have just released new XML files with the tool.  You can find this tool in the non-security patch MSWU-435.

– Jason Miller

Adobe Reader Release Update

Adobe just announced they will be releasing a critical update for Adobe Reader and Acrobat on Thursday, August 19th.  Previously, Adobe had announced they would be releasing the update at some point this week.  Mark your calendars and patch your Adobe installations this Thursday.  More details can be found on their security advisory page:  APSB10-17.

– Jason Miller

Adobe Joining Patch Tuesday?

We noticed Adobe released new versions of their Flash Player for versions 9 and 10 today.  The previous versions of Flash were 10.1.53.64 and 9.0.277.0.  Two new versions are available on their website today:  9.0.280.0 and 10.1.82.76.  As of now, there are no bulletin pages available from Adobe.  The only known planned release for Adobe is for Reader, as it was announced last week.  This update is scheduled for the week of August 16th.

We will keep monitoring Adobe to see if this release was a security release or a maintenance release.

**UPDATE**

Adobe just updated their bulletin page by releasing the following security bulletins:

APSB10-016

  • Affects Adobe Flash Player 10.1.53.64, Adobe Flash Player 9.0.277.0, Adobe AIR 2.0.2.12610
  • Fixes 6 vulnerabilities
  • Rated Critical

APSB10-019

  • Affects Flash Media Server 3.5.3 and Flash Media Server 3.0.5
  • Fixes 4 vulnerabilities
  • Rated Critical

APSB10-018

  • Affects ColdFusion 8.0, 8.0.1, 9.0 and 9.0.1
  • Fixes 1 vulnerability
  • Rated Important

– Jason Miller

August 2010 Patch Tuesday Overview

Microsoft has released their planned 14 bulletins fixing 34 vulnerabilities today.  There are 4 bulletins that administrators should look at patching as soon as possible.

MS10-052 and MS10-055 both affect media files and are rated as Critical.  Opening a malicious media file can lead to remote code execution.  Downloading and playing media files is becoming more prevalent today as social interaction is moving to video.  This makes these vulnerabilities prime targets for attacks.

MS10-056 affects Microsoft Word and is rated as Critical.  Opening a malicious document can lead to remote code execution.  In addition to Microsoft Word, Microsoft Outlook 2007 can also play a part in exploitation.  In Outlook 2007, simply opening an email with a malicious attachment can lead to remote code execution.  This version of Outlook can be affected by viewing the document in the reading pane, as Outlook 2007 uses Microsoft Word as the default email reader.  RTF documents are extremely common and are typically not blocked by companies as attachments.  We can expect malicious RTF documents in users' email boxes in the coming weeks.

MS10-060 affects Silverlight.  This patch fixes a vulnerability that can lead to remote code execution.  Microsoft has patched Silverlight in the past, but this patch is more critical than past patches.  An attacker only needs to entice a user to visit a malicious website in order to deliver a payload.  The Silverlight install is amazingly easy, so you can assume that a lot of your computers currently have this program installed.  I have not heard of any Silverlight exploits, but I expect to see more with the release of this patch.

There are a couple of other bulletins this month that also require extra attention.

MS10-054 affects the SMB service on Microsoft Windows.  Normally, alarms would be going off for security researchers, as typical SMB vulnerabilities can lead to worm-based attacks.  With this vulnerability though, there are some factors that will make it a lower risk.  Newer versions of the Microsoft operating system (Windows 2003 and newer) require the attacker to be authenticated.  This instantly lowers the risk of a worm, as most attacks need to be unauthenticated.  In older operating systems (Windows XP), the attack can be unauthenticated.  The vulnerability itself would be very difficult to exploit, as the attacker cannot control the outcome of the exploit on the machine.  The most likely result will be a denial of service attack, as the system will become unresponsive and reboot.

MS10-047 affects the Windows Kernel.  Although this bulletin has a lower severity rating, it is imperative to test this patch before deploying to your computers.  Patching the Windows Kernel can at times leave the system completely unusable.  We’ve seen this with machines infected by rootkits in the past.  Microsoft has taken steps since that time to ensure the Kernel will not be adversely affected by the patch, but you should still apply this patch to a set of test systems before deploying.

MS10-046 was released out-of-band on August 2nd.  Some organizations were waiting to deploy this patch until the regularly scheduled patch day.  This bulletin should be addressed right away as well, as there are currently exploits for the vulnerability.  If you have applied the workaround for the vulnerability, it is important to remember to remove the workaround.  Users will be happy to see their icons on their desktops and start menus return to normal.

This large patch month will affect all of your systems, workstations or desktops.  This many patches can increase network bandwidth, increase the time for the system to run each patch and require reboots.  Be sure to take the time to review the bulletin summaries and have a clear plan of attack for patching.

– Jason Miller

New Adobe Security Advisory Released

Adobe just released a new security advisory:  APSB10-17

Adobe Reader 9.3.3 and Adobe Reader 8.2.3 contain a critical vulnerability (CVE-2010-2862) that was discussed at Black Hat USA 2010.  Adobe is planning on releasing a security update for the affected software the week of August 16, 2010.  As this is an out-of-band release, this update should only contain the fix for the single vulnerability.

Adobe’s PSIRT group is not aware of any exploits currently in the wild for the vulnerability.  Stay tuned to their blog as this may change in the coming weeks.

– Jason Miller

August 2010 Patch Tuesday Preview

Microsoft just announced their August 2010 patch day advance notification.  They are planning on releasing a mammoth number of security bulletins.  The 14 planned bulletins will address 34 vulnerabilities.  The number of bulletins in one release is the largest ever for Microsoft.  The previous high was 13, released last February.  The 34 vulnerabilities addressed match the all-time high set in June of this year.

August Patch Tuesday Overview

  • 8 bulletins are rated Critical
  • 6 bulletins are rated Important
  • 10 bulletins address Remote Code Execution vulnerabilities
  • 4 bulletins address Elevation of Privilege vulnerabilities
  • 10 bulletins affect the Microsoft Windows Operating System
  • 2 bulletins affect Microsoft Office
  • 1 bulletin affects Microsoft Silverlight
  • 1 bulletin affects Internet Explorer

– Jason Miller

Microsoft Releases Out-Of-Band With MS10-046

Microsoft has just released an out-of-band security bulletin as announced last Friday.  This bulletin addresses one zero-day vulnerability that is currently being exploited in the wild.  The MSRC found a new, particularly nasty, virus exploiting the vulnerability.  Sality.AT has seen an uptick in infections in the past few days.  MS10-046 affects all supported operating systems.  If you have applied the workarounds suggested by Microsoft, you should remove them as soon as your systems are patched.  I am sure people will enjoy having their icon images back on their Start Menu and Desktop.

Microsoft releasing a security bulletin out-of-band is not uncommon.  The most surprising aspect of this release is how close we are to the regularly scheduled Patch Tuesday.  In previous out-of-band releases, you can see the timing is typically in between Patch Tuesdays.

  • MS09-034:  July 28, 2009 – Two weeks prior to scheduled patch day
  • MS09-035:  July 28, 2009 – Two weeks prior to scheduled patch day
  • MS10-002:  January 21, 2010 – One and a half weeks prior to scheduled patch day
  • MS10-018:  March 30, 2010 – Two weeks prior to scheduled patch day

With a release this close to Patch Tuesday, it is safe to assume you should patch this security bulletin immediately.

While patching MS10-046, you should take a look at patching your Apple Safari browser installations.  Apple released a security update last Thursday addressing 15 vulnerabilities.

– Jason Miller