We here at Maximum PC usually don’t cover drones, except for the ones that can be controlled using generic Android- or iOS-based smartphones and tablets. But we are left with little choice but to venture into Aviation Week territory when a story about military drones also features hackers, zero-day vulnerabilities and malware. You get the drift, don’t you?
While it's not unusual for companies to promise a variety of things “in time for the holidays,” a patch for a zero-day bug being exploited in the wild is usually not one of them. But that’s something you can look forward to if you have Adobe Reader and/or Acrobat 9.x for Windows. In a security advisory issued on Tuesday, Adobe warned of a “critical” vulnerability in Adobe Reader and Acrobat that is being exploited in the wild.
After analyzing data from more than 600 million systems around the globe, Microsoft has determined that zero-day vulnerabilities aren't nearly as worrisome as malware based on traditional techniques, such as social engineering and unpatched security holes. It's not that zero-day threats aren't inherently dangerous, it's just that hardly anyone's exploiting them, at least comparatively.
Google Chrome has amassed quite a favorable reputation for security with both users and security researchers. To its credit, it is the only web browser to have never been hacked at the annual Pwn2Own hacking competition. In fact, on the first day of this year’s Pwn2Own contest (Mar 9-11), Google even offered a $20,000 cash prize to anybody who could circumvent the browser’s sandbox “using vulnerabilities purely present in Google-written code.” While no one managed to claim the prize back then, researchers from French security firm VUPEN now claim to have finally “Pwnd Google Chrome and its sandbox.”
Adobe kicked off the week with a security advisory warning users of its Flash Player about a zero-day bug that is reportedly “being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.” The vulnerability has also been confirmed to affect the auth.dll component that accompanies certain versions of Reader and Acrobat X, but the company has yet to come across any exploits targeting them.
Microsoft today issued an out-of-band security update to tackle a bug in ASP.NET that is being exploited in the wild. Following a public report of the vulnerability, the Redmond outfit confirmed the bug in a Security Advisory (2416728) on September 17. MS, in its advisory, had expressed concerns that hackers could use the Windows Web server flaw to “view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config.”
"Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers, as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," the company told the IDG News Service.
The fix covers all supported Windows versions. The update is currently only available through the company's download center, and not through Windows Update, meaning that it can only be installed manually.
"This is the first time we've released [an] update this way, but due to the nature of the active attacks and the severity of the potential loss of data, we are releasing the security update to the Microsoft Download Center first so customers (specifically large enterprises, hosting providers and ISVs) can begin updating their systems.”
Adobe on Monday issued another security advisory warning users of yet another zero-day bug in its software. This is the second time this month that the San Jose-based software developer has warned of a critical bug that is reportedly being exploited in the wild. While the first advisory, issued only a few days ago, warned of a critical bug in Reader and Acrobat, the latest warning pertains to a critical vulnerability in its Flash player.
“A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh,” the bug-inured company warned in the advisory.
“This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.”
The company expects to provide patches for both vulnerabilities within the next three weeks.
Security researcher HD Moore thought he had let the cat out of the bag when he referred to a widespread Windows vulnerability in a tweet on Wednesday. But as it turns out, Moore may have failed to fully gauge the scale of the issue, which he thought affected “about 40 different apps, including the Windows shell.” Mitja Kolsek, CEO of Slovenian security company Acros, reckons that “most every Windows application has this vulnerability.” Moore had linked to a security advisory issued by Acros in his tweet.
“We examined a bunch of applications, more than 220 from about 100 leading software vendors, and found that most every one had the vulnerability,” Kolsek told Computerworld. “These vulnerabilities' critical impact and relative ease of exploitation present a serious threat to basically all Windows machines.”
The “remote binary planting” vulnerability can be exploited quite easily using malicious files, according to Kolsek. “The main enabler for this attack is the fact that Windows includes the current working directory in the search order when loading executables."
Both Kolsek and Moore fear that the affected applications might have to be patched individually, as patching Windows could disrupt existing applications.
Forget about a woman scorned, it's an anonymous group of pissed off researchers that's directing their fury at Microsoft. The group, whose members wish to remain anonymous, formed the "Microsoft-Spurned Researcher Collective," and one of their first acts of business was to publish information detailing an unpatched Windows bug as a way of avenging alleged mistreatment of a colleague.
"Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective," the message read. "MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."
It doesn't take a rocket scientist to figure out that the name of the group is a jab at the Microsoft Security Response Center (MSRC), which is responsible for sniffing out vulnerabilities. But if they're looking to rattle Microsoft's cage, it doesn't appear to be working.
"Our initial analysis of the Proof-of-Concept code supplied has determined that an attacker must be able to log on locally or already have code running on the target system in order to cause a local Denial of Service," said Jerry Bryant, a group manager with the company's MSRC.
Last week’s cyber attacks, which targeted Google and several other large U.S. companies, have certainly gotten Microsoft’s attention. The attack was orchestrated, in part, through a zero-day flaw in Internet Explorer (IE). The flaw seems to be obscure, and restricted to IE 6 and IE 7, but that hasn’t stopped Microsoft from releasing an out-of-cycle patch for IE.
Microsoft has acknowledged the flaw, and says the “vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”
Microsoft, in an announcement posted today, says the confusion surrounding this particular attack has compelled Microsoft to act now. Microsoft’s primary advice: upgrade to IE 8, which is not affected by this flaw. If you don’t plan to upgrade, then updates for earlier versions will be made available, with specific timing of the updates to be announced tomorrow. In the meantime, Microsoft suggests using the workarounds and mitigations provided in Security Advisory 979352.