A security researcher, known only by his nom de guerre “Cupidon-3005,” disclosed a new zero-day bug in Windows Server Message Block (SMB) on Monday. Opting for full disclosure, the security researcher posted exploit code for the vulnerability that, according to Secunia, can be exploited “to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.” Hit the jump for Microsoft’s statement acknowledging the flaw.
Microsoft had a slight breather in September after it delivered a record 14 security bulletins on Patch Tuesday in August. The company was actually preserving its energy for an even more hectic Patch Tuesday in October, which, according to the Security Bulletin Advance Notification, will include 16 updates to patch 49 vulnerabilities – a new record. Out of the 16 security bulletins, four are labeled “critical,” ten “important,” and the remaining two “moderate.” Ten of the security updates address flaws that could allow remote code execution.
Microsoft today issued an out-of-band security update to tackle a bug in ASP.NET that is being exploited in the wild. Following a public report of the vulnerability, the Redmond outfit confirmed the bug in a Security Advisory (2416728) on September 17. MS, in its advisory, had expressed concerns that hackers could use the Windows Web server flaw to “view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config.”
"Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers, as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," the company told the IDG News Service.
The fix covers all supported Windows versions. The update is currently only available through the company's download center, and not through Windows Update, meaning that it can only be installed manually.
"This is the first time we've released [an] update this way, but due to the nature of the active attacks and the severity of the potential loss of data, we are releasing the security update to the Microsoft Download Center first so customers (specifically large enterprises, hosting providers and ISVs) can begin updating their systems.”
Good news, Twitter junkies, it's now safe to return to your normal 140-character microblogging about whatever's on your mind without fear of falling prey to a nasty XSS attack that was running rampant yesterday.
"The exploit is fully patched," Twitter announced in a status update early this morning.
Prior to the patch, a flaw existed that allowed messages to pop-up and third-party websites to open just by moving your cursor over a link. The mischievous mouseover bug was widely being exploited, redirecting visitors of hacked accounts to hardcore porn sites. It was also being used to "auto-tweet" more mouseover links, affecting thousands of Twitter users before Twitter plugged the gaping security hole.
Microsoft this week updated one of its Security Advisory (2416728) detailing a vulnerability in ASP.NET that could allow hackers to sniff through your data.
"Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config," the Security Advisory reads. "This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. Microsoft is aware of limited, active attacks at this time."
The security hole affects all versions of the .NET Framework and several versions of Windows, including Windows 7, Vista, XP, Server 2003, Server 2008, and Server 2008 R2.
As of right now, there really isn't anything you can do, at least until Microsoft completes its investigation. When it does, the Redmond outfit said it may provide an out-of-cycle security update.
If you run a 64-bit version of Linux, take note, your system may be vulnerable to attack. Red Hat recently announced an exploit that would allow a local, unprivileged user to escalate their privileges, and while there are published workarounds, they may not completely plug up the security hole.
"The published workarounds that we've seen, including the workaround recommended by Red Hat, can themselves be worked around by an attack to still exploit the system," Jeff Arnold, CEO of Ksplice, said in a blog post. "For now, to be responsible and avoid helping attackers, we don't want to provide those technical details publicly; we've contacted Red Hat and other vendors with the details and we'll cover them in a future blog post, in a few weeks."
In the mean time, Ksplice -- which isn't a free service, but does offer a free trial -- can be used to receive advance notice of upcoming patches.
"Although it might seem self-serving, I do know of one sure way to fix this vulnerability right away on running production systems, and it doesn’t even require you to reboot: you can (for free) download Ksplice Uptrack and fully update any of the distributions that we support (We support RHEL, CentOS, Debian, Ubuntu, Parallels Virtuozzo Containers, OpenVZ, and CloudLinux," Arnold explains. "For high profile updates like this one, Ksplice optionally makes available an update for your distribution before your distribution officially releases a new kernel). We provide a free 30-day trial of Ksplice Uptrack on our website, and you can use this free trial to protect your systems, even if you cannot arrange to reboot anytime soon. It’s the best that we can do to help in this situation, and I hope that it’s useful to you."
Keep in mind that if an attacker has already comprised one of your Linux rigs, updating the system won't do a lick of good by itself since the exploit installs a backdoor. You can use this test tool to find out for sure.
Adobe on Monday issued another security advisory warning users of yet another zero-day bug in its software. This is the second time this month that the San Jose-based software developer has warned of a critical bug that is reportedly being exploited in the wild. While the first advisory, issued only a few days ago, warned of a critical bug in Reader and Acrobat, the latest warning pertains to a critical vulnerability in its Flash player.
“A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh,” the bug-inured company warned in the advisory.
“This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.”
The company expects to provide patches for both the vulnerabilities within the next three weeks.
We know it's hard to believe, but your Adobe Reader and/or Acrobat software is in need of some patching. That's according to Adobe, which is warning users of a critical vulnerability affecting Reader and Acrobat versions 9.3.4 and earlier.
That's the bad news. The even even worse news is that the vulnerability, when exploited, could crash your machine and potentially allow an attacker to seize control, Adobe says. And the really bad news is that this vulnerability is being actively exploited in the wild.
Ready for the good news? Not so fast, we haven't covered the no-good terrible news. This nasty security hole -- the one the bad guys know about and are currently exploiting -- can't yet be plugged, though if it's any consolation, Adobe promises it's "in the process of evaluating the schedule for an update to resolve this vulnerability." Comforting, isn't it?
Alright, we're finally ready for some good news, and here it is. You don't have to use Adobe products to read those PDF files. One of our favorite free alternatives is Foxit's free Reader program available here.
What do you use to read PDF documents? Hit the jump and let us know.
This, in fact, is a revised version of the report. As per the original, Google was the company with the highest percentage of unpatched flaws in H1 2010. However, Google was quick to dispute IBM's claim that it had left 33 percent of critical and high-risk bugs in its software unpatched: “We learned after investigating that the 33% figure referred to a single unpatched vulnerability out of a total of three — and importantly, the one item that was considered unpatched was only mistakenly considered a security vulnerability due to a terminology mix-up. As a result, the true unpatched rate for these high-risk bugs is 0 out of 2, or 0%.”
But this wasn't the lone mistake in the original, which also erroneously rated Oracle-owned Sun as the vendor with the highest percentage of unpatched vulnerabilities in the first half of 2010. But that honor now belongs to Microsoft.
“After we released our trend report this week, we received feedback from two software vendors regarding the severity and remedy information for some of the vulnerabilities behind this chart,” IBM said in a blog post.“As a consequence of this feedback, we have manually reassessed the CVSS scoring, remedy information, and vendor information for every vulnerability that impacted the percentages that appear in this chart.”
Security researcher HD Moore thought he had let the cat out of the bag when he referred to a widespread Windows vulnerability in a tweet on Wednesday. But as it turns out, Moore may have failed to fully gauge the scale of the issue, which he thought affected “about 40 different apps, including the Windows shell.” Mitja Kolsek, CEO of Slovenian security company Arcos, reckons that “most every Windows application has this vulnerability.” Moore had linked to a security advisory issued by Arcos in his tweet.
"We examined a bunch of applications, more than 220 from about 100 leading software vendors, and found that most every one had the vulnerability,” Kolsek told Computer World. “These vulnerabilities' critical impact and relative ease of exploitation present a serious threat to basically all Windows machines.”
The “remote binary planting” vulnerability can be exploited quite easily using malicious files, according to Kolsek. “The main enabler for this attack is the fact that Windows includes the current working directory in the search order when loading executables."
Both Kolsek and Moore fear that the affected applications might have to be patched individually, as patching Windows could disrupt existing applications.