Adobe kicked off the week with a security advisory warning Flash Player users about a zero-day bug that is reportedly “being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.” The vulnerability has also been confirmed to affect the authplay.dll component that ships with certain versions of Reader and Acrobat X, though the company has yet to see any exploits targeting them.
A security researcher known only by the nom de guerre “Cupidon-3005” disclosed a new zero-day bug in Windows Server Message Block (SMB) on Monday. Opting for full disclosure, the researcher posted exploit code for the vulnerability, which, according to Secunia, can be exploited “to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.” Microsoft has issued a statement acknowledging the flaw.
If you're one of the unlucky few who tried to log into Facebook yesterday only to find that your account had mysteriously been disabled, you can relax: everything should be back to normal, CNet reports.
"Earlier today, we discovered a bug in a system designed to detect and disable likely fake accounts," Facebook wrote in an email on Tuesday. "The bug, which was live for a short period of time, caused a very small percentage of Facebook accounts to be mistakenly disabled."
The bug appears to have affected only female accounts, at least judging by the complaints on Twitter, all of which came either from female users or from male users posting on behalf of a woman.
According to Facebook, the bug was in a system designed to obtain owner verification from flagged accounts.
Microsoft had a slight breather in September after delivering a record 14 security bulletins on August's Patch Tuesday. The company was, it seems, saving its energy for an even more hectic Patch Tuesday in October, which, according to the Security Bulletin Advance Notification, will include 16 bulletins patching 49 vulnerabilities, a new record. Of the 16 security bulletins, four are rated “critical,” ten “important,” and the remaining two “moderate.” Ten of the updates address flaws that could allow remote code execution.
Microsoft today issued an out-of-band security update for a bug in ASP.NET that is being exploited in the wild. Following a public report of the vulnerability, a padding-oracle weakness in how ASP.NET handles encrypted data, the Redmond outfit confirmed the bug in Security Advisory 2416728 on September 17. In that advisory Microsoft warned that attackers could use the ASP.NET flaw to “view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config.”
"Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers, as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," the company told the IDG News Service.
The fix covers all supported Windows versions. For now the update is available only from the Microsoft Download Center, not through Windows Update, so it has to be installed manually.
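The mechanism behind this bug is a padding oracle: the server's response reveals whether a decrypted CBC ciphertext ended in valid PKCS#7 padding, and that single bit, asked a few thousand times, decrypts anything the server encrypted. The script below is an added example, not code from Microsoft or from this page. It models the weak server, runs the attack against it, and shows the MAC-before-decrypt change that closes the oracle. The block cipher is a toy Feistel construction on SHA-256 standing in for AES so that only the standard library is needed, and the View State string is constructed.

```python
# Added example (not Microsoft's code): CBC padding-oracle attack and the
# MAC-before-decrypt fix. The block cipher is a toy Feistel network on SHA-256,
# a constructed stand-in for AES so this runs on the standard library alone;
# the attack never looks inside the cipher, only at the CBC structure.
import hashlib, hmac, os

BLOCK = 16  # bytes per block, as with AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # round function of the toy cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, pt):  # 8-round Feistel: NOT a real cipher
    l, r = pt[:BLOCK // 2], pt[BLOCK // 2:]
    for rnd in range(8):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, ct):
    l, r = ct[:BLOCK // 2], ct[BLOCK // 2:]
    for rnd in reversed(range(8)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(block_decrypt(key, c), p) for p, c in zip([iv] + blocks, blocks))

class VulnerableServer:  # pre-fix: the response reveals whether padding was valid
    def __init__(self):
        self.key = os.urandom(16)
    def encrypt(self, pt):
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, pad(pt))
    def padding_is_valid(self, token):  # token = IV || ciphertext
        try:
            unpad(cbc_decrypt(self.key, token[:BLOCK], token[BLOCK:]))
            return True
        except ValueError:
            return False

class HardenedServer(VulnerableServer):
    # Fix: verify an HMAC over IV||ciphertext in constant time *before* decrypting,
    # so every tampered token fails on one path and padding is never examined.
    def __init__(self):
        super().__init__()
        self.mac_key = os.urandom(16)
    def encrypt(self, pt):
        token = super().encrypt(pt)
        return token + hmac.new(self.mac_key, token, hashlib.sha256).digest()
    def padding_is_valid(self, token):
        body, tag = token[:-32], token[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, body, hashlib.sha256).digest()):
            return False
        return super().padding_is_valid(body)

def padding_oracle_attack(oracle, token):
    """Recover the plaintext of IV||ciphertext using only oracle(token) -> bool."""
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_key(cur), learned one byte at a time
        for pos in range(BLOCK - 1, -1, -1):
            p = BLOCK - pos  # padding value forced onto positions pos..15
            forged = bytearray(inter[j] ^ p if j > pos else 0 for j in range(BLOCK))
            for g in range(256):
                forged[pos] = g
                if not oracle(bytes(forged) + cur):
                    continue
                if pos == BLOCK - 1:  # reject an accidental \x02\x02-style match
                    probe = bytearray(forged)
                    probe[pos - 1] ^= 0xFF
                    if not oracle(bytes(probe) + cur):
                        continue
                inter[pos] = g ^ p
                break
            else:
                raise RuntimeError("oracle never said 'valid': attack failed")
        recovered += xor(bytes(inter), prev)
    return unpad(recovered)

def demo():  # -> (plaintext leaked from the weak server, attack blocked by the fix)
    secret = b"__VIEWSTATE: role=admin; user=alice"  # constructed sample
    srv, hard = VulnerableServer(), HardenedServer()
    leaked = padding_oracle_attack(srv.padding_is_valid, srv.encrypt(secret))
    try:
        padding_oracle_attack(hard.padding_is_valid, hard.encrypt(secret))
        return leaked, False
    except RuntimeError:
        return leaked, True
```

The recovery loop needs at most 256 oracle calls per byte, so the cost scales with ciphertext length, not key size. The hardened server checks an HMAC over the whole token in constant time before it decrypts, so a forged token fails on one indistinguishable path. The same principle applies to any error page or timing difference, which is why Microsoft's interim workaround in the advisory was to make every ASP.NET error return the same page.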
"This is the first time we've released [an] update this way, but due to the nature of the active attacks and the severity of the potential loss of data, we are releasing the security update to the Microsoft Download Center first so customers (specifically large enterprises, hosting providers and ISVs) can begin updating their systems.”
Last week, a joint experiment by the RIPE NCC (Réseaux IP Européens Network Coordination Centre) and researchers at Duke University had to be cut short after it knocked nearly 1 percent of the internet's routes off kilter. As part of the experiment, the researchers used RIPE NCC's systems to distribute experimental BGP (Border Gateway Protocol) data; BGP is the protocol routers use to exchange reachability information and choose paths between networks.
Although the experimental BGP data relayed by RIPE NCC's Routing Information Service (RIS) was “correct and complied to all standards,” it nonetheless destabilized some 3,500 prefixes (announced blocks of Internet Protocol addresses, out of roughly 333,000 in the global table), causing a partial outage that affected many networks in more than 60 countries. RIPE NCC blamed certain router types for “incorrectly modifying the experimental attribute and then further announcing the malformed route to their peers.”
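What “further announcing the malformed route” does to a neighbour is worth seeing in bytes. The parser below is an added example, not code from RIPE NCC, Duke or any router vendor: it decodes the path-attribute field of a BGP UPDATE as RFC 4271 lays it out, relays an unrecognised optional transitive attribute the way the RFC requires (unchanged, Partial bit set), and then models a hypothetical faulty relay that re-encodes the attribute with a wrong length. The attribute bytes are constructed, type code 99 is used only as a placeholder for an unassigned type, and the page does not say what the affected routers actually did to the attribute, so the fault model is an assumption.

```python
# Added example (not RIPE NCC's or Duke's code): a parser for the path-attribute
# field of a BGP UPDATE (RFC 4271 section 4.3) and the two behaviours the incident
# turns on. A conformant router passes an unrecognised optional transitive
# attribute on unchanged with the Partial bit set; a router that corrupts it emits
# an UPDATE the next hop cannot parse, and RFC 4271 section 6.3 answers that with
# a NOTIFICATION and a session reset. The bytes below are constructed, and type
# code 99 is only a placeholder for "an unassigned attribute type".
import struct

FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_PARTIAL, FLAG_EXT_LEN = 0x80, 0x40, 0x20, 0x10
KNOWN = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP"}  # the well-known mandatory three

class UpdateMessageError(ValueError):
    """Stands in for NOTIFICATION code 3: the receiver tears the session down."""

def parse_path_attributes(data):
    """Return [(flags, type_code, value), ...] or raise UpdateMessageError."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 3:
            raise UpdateMessageError("truncated attribute header")
        flags, code = data[off], data[off + 1]
        if flags & FLAG_EXT_LEN:
            if len(data) - off < 4:
                raise UpdateMessageError("truncated extended length")
            length, hdr = struct.unpack_from("!H", data, off + 2)[0], 4
        else:
            length, hdr = data[off + 2], 3
        value = data[off + hdr:off + hdr + length]
        if len(value) != length:
            raise UpdateMessageError(f"attribute {code}: length {length} overruns message")
        if code not in KNOWN and not flags & FLAG_OPTIONAL:
            raise UpdateMessageError(f"unrecognised well-known attribute {code}")
        attrs.append((flags, code, value))
        off += hdr + length
    return attrs

def encode_attribute(flags, code, value):
    if len(value) > 255 or flags & FLAG_EXT_LEN:
        return bytes([flags | FLAG_EXT_LEN, code]) + struct.pack("!H", len(value)) + value
    return bytes([flags, code, len(value)]) + value

def forward_attributes(attrs):
    """Conformant re-announcement (RFC 4271 sections 5 and 9): unknown optional
    transitive attributes are kept byte-for-byte and marked Partial; unknown
    optional non-transitive attributes are dropped."""
    out = b""
    for flags, code, value in attrs:
        if code not in KNOWN:
            if not flags & FLAG_TRANSITIVE:
                continue
            flags |= FLAG_PARTIAL
        out += encode_attribute(flags, code, value)
    return out

def buggy_forward(attrs):
    """HYPOTHETICAL fault model, not what the affected routers actually did (the
    report does not say): the unknown attribute is re-encoded with a length byte
    that no longer matches its value."""
    out = b""
    for flags, code, value in attrs:
        if code not in KNOWN:
            out += bytes([flags | FLAG_PARTIAL, code, len(value) + 1]) + value
        else:
            out += encode_attribute(flags, code, value)
    return out

def demo():  # -> (conformant peer accepted the relayed attribute, faulty relay reset the session)
    # Constructed UPDATE attributes: ORIGIN=IGP, AS_PATH=(AS_SEQUENCE, 64496),
    # NEXT_HOP=192.0.2.1, plus an experimental optional transitive attribute 99.
    update = (encode_attribute(FLAG_TRANSITIVE, 1, b"\x00")
              + encode_attribute(FLAG_TRANSITIVE, 2, b"\x02\x01" + struct.pack("!H", 64496))
              + encode_attribute(FLAG_TRANSITIVE, 3, bytes([192, 0, 2, 1]))
              + encode_attribute(FLAG_OPTIONAL | FLAG_TRANSITIVE, 99, b"\xde\xad\xbe\xef"))
    attrs = parse_path_attributes(update)
    relayed = parse_path_attributes(forward_attributes(attrs))
    partial_set = bool(relayed[-1][0] & FLAG_PARTIAL) and relayed[-1][2] == b"\xde\xad\xbe\xef"
    try:
        parse_path_attributes(buggy_forward(attrs))
        session_reset = False
    except UpdateMessageError:
        session_reset = True
    return partial_set, session_reset
```

The point of the session_reset flag is the blast radius: under RFC 4271 a single UPDATE that fails to parse is answered with a NOTIFICATION and the whole session is torn down, taking every prefix learned over it along, which is how a bad attribute on a few thousand prefixes turns into unreachable networks. RFC 7606 later introduced treat-as-withdraw handling so that a malformed attribute affects only the prefixes carried in that UPDATE.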
Security researcher HD Moore thought he had let the cat out of the bag when he referred to a widespread Windows vulnerability in a tweet on Wednesday. But as it turns out, Moore may have underestimated the scale of the issue, which he thought affected “about 40 different apps, including the Windows shell.” Mitja Kolsek, CEO of Slovenian security company ACROS Security, reckons that “most every Windows application has this vulnerability.” Moore had linked to a security advisory issued by ACROS in his tweet.
"We examined a bunch of applications, more than 220 from about 100 leading software vendors, and found that most every one had the vulnerability,” Kolsek told Computerworld. “These vulnerabilities' critical impact and relative ease of exploitation present a serious threat to basically all Windows machines.”
The “remote binary planting” vulnerability can be exploited quite easily using malicious files, according to Kolsek: “The main enabler for this attack is the fact that Windows includes the current working directory in the search order when loading executables.”
Both Kolsek and Moore fear that the affected applications might have to be patched individually, since changing the search order in Windows itself could break existing applications.
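The search-order detail Kolsek points to is easier to reason about with a model in front of you. The script below is an added example, not ACROS's or HD Moore's code: it encodes the documented Windows DLL search order (application directory, system directories, current working directory, then PATH when SafeDllSearchMode is on, with the CWD moved up to second place when it is off), resolves a set of bare DLL names against a constructed filesystem that includes a remote share the user opened a document from, and lists which loads would come from the share. The `set_dll_directory("")` call models the documented SetDllDirectory mitigation; all paths, DLL names and the scenario itself are constructed.

```python
# Added example (not ACROS Security's or HD Moore's code): a model of the
# documented Windows DLL search order showing why an application that loads a DLL
# by bare name, where that DLL is not present in the application or system
# directories, picks it up from the current working directory, i.e. from wherever
# the document it just opened lives. Directory and DLL names are constructed;
# set_dll_directory("") models the documented SetDllDirectory mitigation.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ntdll.dll"}  # illustrative subset of KnownDLLs

class LoaderModel:
    def __init__(self, files, app_dir, cwd, path_dirs, safe_search=True):
        self.files = {p.lower() for p in files}   # constructed view of the filesystem
        self.app_dir, self.cwd, self.path_dirs = app_dir, cwd, list(path_dirs)
        self.safe_search = safe_search            # SafeDllSearchMode (default on since XP SP2)
        self.extra_dir, self.cwd_in_search = None, True

    def set_dll_directory(self, path):
        """SetDllDirectory: "" removes the CWD from the search, None restores the
        default order, any other value replaces the CWD slot with that directory."""
        self.cwd_in_search = path is None
        self.extra_dir = path or None

    def search_order(self):
        if self.extra_dir:
            return [self.app_dir, self.extra_dir] + SYSTEM_DIRS + self.path_dirs
        cwd = [self.cwd] if self.cwd_in_search else []
        if self.safe_search:
            return [self.app_dir] + SYSTEM_DIRS + cwd + self.path_dirs
        return [self.app_dir] + cwd + SYSTEM_DIRS + self.path_dirs

    def resolve(self, name):
        """Full path the loader would map a bare DLL name to, or None."""
        name = name.lower()
        if name in KNOWN_DLLS:                    # KnownDLLs bypass the search entirely
            return SYSTEM_DIRS[0] + "\\" + name
        for d in self.search_order():
            if (d + "\\" + name).lower() in self.files:
                return d + "\\" + name
        return None

def planting_targets(loader, dll_names):
    """DLLs that would be loaded from the CWD: the binary-planting candidates."""
    prefix = loader.cwd.lower() + "\\"
    return [n for n in dll_names if (loader.resolve(n) or "").lower().startswith(prefix)]

def demo():  # -> (targets with SafeDllSearchMode off, with it on, after SetDllDirectory(""))
    app_dir, share = r"C:\Program Files\Viewer", r"\\fileserver\docs"  # constructed
    files = [app_dir + r"\viewer.exe", r"C:\Windows\System32\kernel32.dll",
             r"C:\Windows\System32\dwmapi.dll",
             share + r"\report.doc", share + r"\dwmapi.dll", share + r"\helper.dll"]
    # viewer.exe loads these by bare name; helper.dll is an optional component it
    # probes for and that no system directory ships (constructed scenario).
    loads = ["kernel32.dll", "dwmapi.dll", "helper.dll"]
    legacy = LoaderModel(files, app_dir, share, [r"C:\Windows\System32"], safe_search=False)
    modern = LoaderModel(files, app_dir, share, [r"C:\Windows\System32"])
    unsafe_mode = planting_targets(legacy, loads)
    safe_mode = planting_targets(modern, loads)
    modern.set_dll_directory("")
    after_fix = planting_targets(modern, loads)
    return unsafe_mode, safe_mode, after_fix
```

The legacy result shows why SafeDllSearchMode was introduced, and the modern result shows why it is not enough: a DLL the application probes for but that is installed nowhere (a common pattern for optional components) still falls through to the CWD. Per-application fixes are SetDllDirectory("") or loading with a fully qualified path, which skips the search entirely; Microsoft's KB2264107 update added a CWDIllegalInDllSearch registry value that lets administrators block CWD loads from remote locations system-wide.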
It's that time of the month again, when Microsoft plugs some of the holes in its software. If the sheer number of vulnerabilities addressed on a Patch Tuesday is the best gauge of its significance, it does not get any bigger than this: Microsoft is slated to release 14 security bulletins covering 34 vulnerabilities in Windows, Internet Explorer, Office and Silverlight.
But the record number of security bulletins will not include a fix for a recently revealed bug in a Windows kernel-mode driver. The zero-day was reported by Gil Dabah (aka Arkon), an Israeli security researcher, who also published proof-of-concept exploit code on his site RageStorm.com. According to Jerry Bryant, Microsoft's group manager of response communications: "Microsoft is investigating reports of a possible vulnerability in Windows Kernel. Upon completion of the investigation, Microsoft will take appropriate actions to protect customers."
“This issue is caused by a buffer overflow error in the 'CreateDIBPalette()' function within the kernel-mode device driver 'Win32k.sys' when using the 'biClrUsed' member value of a 'BITMAPINFOHEADER' structure as a counter while retrieving Bitmap data from the clipboard, which could be exploited by malicious users to crash an affected system or potentially execute arbitrary code with kernel privileges,” reads an advisory issued by French security research firm VUPEN.
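The bug class in the VUPEN description is a trusted length field. The snippet below is an added example, not VUPEN's or Arkon's code: it parses a BITMAPINFOHEADER with the standard library, shows the unchecked use of biClrUsed as a counter, and applies the bound a consumer must enforce before iterating, namely that biClrUsed cannot exceed the palette size biBitCount implies. The headers are constructed, and the 256-entry destination buffer is an assumed size, not a figure from the advisory.

```python
# Added example (not VUPEN's or Arkon's code): parse a BITMAPINFOHEADER with the
# standard library and apply the bound that a consumer must enforce before using
# biClrUsed as a loop counter, namely that it cannot exceed the palette size
# implied by biBitCount. The headers are constructed; the 256-entry buffer is the
# assumed size of the destination palette a copy loop writes into.
import struct

BITMAPINFOHEADER = struct.Struct("<IiiHHIIiiII")  # 40 bytes, little-endian (wingdi.h layout)
FIELDS = ("biSize", "biWidth", "biHeight", "biPlanes", "biBitCount", "biCompression",
          "biSizeImage", "biXPelsPerMeter", "biYPelsPerMeter", "biClrUsed", "biClrImportant")
PALETTE_CAPACITY = 256  # assumed destination buffer: the largest indexed palette (8bpp)

def build_header(width, height, bit_count, clr_used):
    """Constructed BITMAPINFOHEADER; BI_RGB compression, biSizeImage left at 0."""
    return BITMAPINFOHEADER.pack(40, width, height, 1, bit_count, 0, 0, 2835, 2835, clr_used, 0)

def parse_header(blob):
    if len(blob) < BITMAPINFOHEADER.size:
        raise ValueError("short header")
    return dict(zip(FIELDS, BITMAPINFOHEADER.unpack_from(blob)))

def naive_entries_to_copy(h):
    """The pattern VUPEN describes: the attacker-controlled counter used as-is."""
    return h["biClrUsed"]

def validated_entries_to_copy(h):
    """biClrUsed bounded by what biBitCount allows; 0 means 'full palette' at <=8bpp."""
    bits, used = h["biBitCount"], h["biClrUsed"]
    if h["biSize"] != BITMAPINFOHEADER.size:
        raise ValueError(f"unexpected biSize {h['biSize']}")
    if bits in (1, 4, 8):
        limit = 1 << bits
        if used > limit:
            raise ValueError(f"biClrUsed={used} exceeds the {limit} entries allowed at {bits}bpp")
        return used or limit
    if bits in (16, 24, 32):  # no index palette; biClrUsed only sizes an optional hint table
        if used > PALETTE_CAPACITY:
            raise ValueError(f"biClrUsed={used} exceeds palette capacity")
        return used
    raise ValueError(f"unsupported biBitCount {bits}")

def demo():  # -> (entries copied for a benign header, overrun the naive loop would cause, hostile rejected)
    benign = parse_header(build_header(64, 64, 8, 16))
    hostile = parse_header(build_header(64, 64, 8, 0xFFFFFFFF))
    overrun = naive_entries_to_copy(hostile) - PALETTE_CAPACITY  # entries written past the buffer
    try:
        validated_entries_to_copy(hostile)
        rejected = False
    except ValueError:
        rejected = True
    return validated_entries_to_copy(benign), overrun, rejected
```

The check is the same one a kernel-mode copy loop needs before iterating: derive the upper bound from fields you control (the destination size and biBitCount), and reject rather than clamp a header that exceeds it, since a clamped header still signals tampering and clamping hides it.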
Microsoft has already fixed 13 Windows kernel bugs in 2010. According to security researcher Tavis Ormandy, who recently infuriated Redmond by hastily disclosing a critical Windows zero-day, there has been a publicly known, unpatched Windows kernel flaw for most of this year.
Microsoft has no interest in joining the bug-bounty wars, according to ThreatPost.com. Mozilla recently raised the cash reward it offers security researchers for finding vulnerabilities in its software, and Google followed suit a few days later. That was enough to fuel rumors that Microsoft, which has no bug-bounty program, might finally be drawn into the battle.
But such rumors have now been put to rest by MS. "We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren’t always financial. It is well-known that we acknowledge researcher’s contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update," Microsoft's Jerry Bryant told ThreatPost in an email.
The company seems satisfied with its current practice of honoring talented security researchers by enlisting their services: “We’ve had several influential folks from the researcher community join our security teams as Microsoft employees. We’ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they’re released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC.”
This will not go down well with the growing number of security researchers who discourage their peers from handing over bugs for free and who want more vendors to pay for them. Don't be surprised, then, if publicly disclosed critical bugs in Microsoft software spike, however openly the company discourages researchers from going public.
So here it is, folks: the first of what is likely to be many bugs affecting Windows XP Service Pack 2 (SP2), which will stay unpatched because Microsoft has ended support for XP SP2 and earlier.
Microsoft's security advisory (2286198) explains that "the vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives."
While disabling AutoPlay lessens the risk, a user with an infected USB thumb drive can still fall prey to the attack simply by browsing to its root folder. Because it runs even with AutoPlay and AutoRun disabled, Sophos senior security advisor Chester Wisniewski calls the bug particularly "nasty," pointing out in a blog post that "it bypasses all Windows 7 security mechanisms, including UAC, and doesn't require administrative privilege to run."