Perhaps motivated by Duke Nukem Forever shipping after a decade-and-a-half of development and delays, Microsoft decided to finally patch a vulnerability dating back to the 1990s. Included in yesterday's Patch Tuesday bulletin bonanza is a little nugget listed as CVE-2011-1871, which according to ComputerWorld.com is a fix for the dreaded 'Ping of Death,' or at least it was dreaded some two decades ago.
Adobe has patched an “important” vulnerability in the recently released Flash Player 10.3.181.16 and all previous versions for Windows, Macintosh, Linux and Solaris, the San Jose-based company said on Sunday. It has issued a security bulletin (APSB11-13) to address the important vulnerability (CVE-2011-2107), which also affects Flash Player 10.3.185.22 and earlier versions for Android. Hit the jump for more.
Outdated browser plugins pose a considerable security threat. According to a report published earlier this year by security and compliance management company Qualys, 80 percent of all browser vulnerabilities stem from outdated plugins. Qualys, the company behind the browser security analysis tool BrowserCheck, has just ranked different browser plugins based on their affinity for remaining outdated.
Adobe kicked off the week with a security advisory warning users of its Flash Player about a zero-day bug that is reportedly “being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.” The vulnerability has also been confirmed to affect the auth.dll component that accompanies certain versions of Reader and Acrobat X, but the company has yet to come across any exploits targeting them.
Hit the jump to find out more about the vulnerability, including when exactly Adobe hopes to have it patched.
A security researcher, known only by his nom de guerre “Cupidon-3005,” disclosed a new zero-day bug in Windows Server Message Block (SMB) on Monday. Opting for full disclosure, the security researcher posted exploit code for the vulnerability that, according to Secunia, can be exploited “to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.” Hit the jump for Microsoft’s statement acknowledging the flaw.
Microsoft had a slight breather in September after it delivered a record 14 security bulletins on Patch Tuesday in August. The company was actually preserving its energy for an even more hectic Patch Tuesday in October, which, according to the Security Bulletin Advance Notification, will include 16 updates to patch 49 vulnerabilities – a new record. Out of the 16 security bulletins, four are labeled “critical,” ten “important,” and the remaining two “moderate.” Ten of the security updates address flaws that could allow remote code execution.
Microsoft today issued an out-of-band security update to tackle a bug in ASP.NET that is being exploited in the wild. Following a public report of the vulnerability, the Redmond outfit confirmed the bug in a Security Advisory (2416728) on September 17. MS, in its advisory, had expressed concerns that hackers could use the Windows Web server flaw to “view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config.”
"Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers, as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," the company told the IDG News Service.
The fix covers all supported Windows versions. The update is currently only available through the company's download center, and not through Windows Update, meaning that it can only be installed manually.
"This is the first time we've released [an] update this way, but due to the nature of the active attacks and the severity of the potential loss of data, we are releasing the security update to the Microsoft Download Center first so customers (specifically large enterprises, hosting providers and ISVs) can begin updating their systems."
Good news, Twitter junkies, it's now safe to return to your normal 140-character microblogging about whatever's on your mind without fear of falling prey to a nasty XSS attack that was running rampant yesterday.
"The exploit is fully patched," Twitter announced in a status update early this morning.
Prior to the patch, a flaw existed that allowed messages to pop up and third-party websites to open just by moving your cursor over a link. The mischievous mouseover bug was being widely exploited, redirecting visitors of hacked accounts to hardcore porn sites. It was also being used to "auto-tweet" more mouseover links, affecting thousands of Twitter users before Twitter plugged the gaping security hole.
Microsoft this week updated one of its Security Advisories (2416728) detailing a vulnerability in ASP.NET that could allow hackers to sniff through your data.
"Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config," the Security Advisory reads. "This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. Microsoft is aware of limited, active attacks at this time."
The security hole affects all versions of the .NET Framework and several versions of Windows, including Windows 7, Vista, XP, Server 2003, Server 2008, and Server 2008 R2.
As of right now, there really isn't anything you can do, at least until Microsoft completes its investigation. When it does, the Redmond outfit said it may provide an out-of-cycle security update.
If you run a 64-bit version of Linux, take note: your system may be vulnerable to attack. Red Hat recently announced an exploit that would allow a local, unprivileged user to escalate their privileges, and while there are published workarounds, they may not completely plug up the security hole.
"The published workarounds that we've seen, including the workaround recommended by Red Hat, can themselves be worked around by an attack to still exploit the system," Jeff Arnold, CEO of Ksplice, said in a blog post. "For now, to be responsible and avoid helping attackers, we don't want to provide those technical details publicly; we've contacted Red Hat and other vendors with the details and we'll cover them in a future blog post, in a few weeks."
In the meantime, Ksplice -- which isn't a free service, but does offer a free trial -- can be used to receive advance notice of upcoming patches.
"Although it might seem self-serving, I do know of one sure way to fix this vulnerability right away on running production systems, and it doesn’t even require you to reboot: you can (for free) download Ksplice Uptrack and fully update any of the distributions that we support (We support RHEL, CentOS, Debian, Ubuntu, Parallels Virtuozzo Containers, OpenVZ, and CloudLinux," Arnold explains. "For high profile updates like this one, Ksplice optionally makes available an update for your distribution before your distribution officially releases a new kernel). We provide a free 30-day trial of Ksplice Uptrack on our website, and you can use this free trial to protect your systems, even if you cannot arrange to reboot anytime soon. It’s the best that we can do to help in this situation, and I hope that it’s useful to you."
Keep in mind that if an attacker has already compromised one of your Linux rigs, updating the system won't do a lick of good by itself since the exploit installs a backdoor. You can use this test tool to find out for sure.