They’ve had to patch 4 times in the past 2 months – that’s a total of 6 times in 2011 so far – with 5 out of those 6 being for critical bugs.

It seems like Flash has become a major target for hackers in the past 6 months or so, despite the fact that Adobe has worked with Google to sandbox Flash in the Chrome browser.

Hackers are aggressively exploiting a just-patched Flash vulnerability, serving attack code “on a fairly large scale” from compromised sites as well as from their own malicious domains, a security researcher said Friday. The attacks exploit the critical Flash Player bug that Adobe patched June 14 with its second “out-of-band,” or emergency update, in nine days.

“CVE-2011-2110 is being exploited in the wild on a fairly large scale,” said Steven Adair, a researcher with the Shadowserver Foundation, a volunteer-run group that tracks vulnerabilities and botnets. “In particular this exploit is showing up as a drive-by in several legitimate websites, including those belonging to various NGOs [non-government organizations], aerospace companies, a Korean news site, an Indian government Web site, and a Taiwanese university.”

CVE-2011-2110 is the identifier for the Flash vulnerability assigned by the Common Vulnerabilities and Exposures database. Attackers are also using the exploit in “spear phishing” attacks aimed at specific individuals, said Adair on the Shadowserver site. Adair called the attacks “nasty” because the exploit “happens seamlessly in the background,” giving victims no clue that their systems have been compromised.

The CVE ID for this vulnerability is – CVE-2011-2110 with the NVD listing stating:

Adobe Flash Player before 10.3.181.26 on Windows, Mac OS X, Linux, and Solaris, and 10.3.185.23 and earlier on Android, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, as exploited in the wild in June 2011.

Sounds pretty nasty, at least the patch is out for it – but as usual, how many people will apply it in a timely fashion?

When Adobe patched the vulnerability last week, it conceded that exploits were already in use.

Adair also said there’s been an increase in Flash-based attacks. “There has been an ongoing assault against Flash Player for several years now, but especially so in the last three months,” Adair said.

Adobe has patched Flash Player four times in the last two months, and six times so far this year. Of the six updates, five addressed “zero-day” bugs that attackers were already exploiting at the time the patches were issued.

Brad Arkin, Adobe’s director of product security and privacy, acknowledged the problems in keeping ahead of attackers, but blamed the popularity of Flash Player for the attention.

“The installed base [of Flash Player] is a real big part of it,” said Arkin. “It’s such a widely distributed technology that attackers find it worthwhile to invest the time to carry out some kind of malicious activity. They’re making an investment for the biggest return possible.”

Arkin also argued that attackers get more bang for their buck by rooting out Flash vulnerabilities than they do looking for bugs in individual browsers because virtually every personal computer has the Flash plug-in installed. “Flash is the code [used in the browser] that has the highest market penetration,” he said.

According to Adair, the exploit of CVE-2011-2110 has been in use since June 9, five days before Adobe issued its latest security update. Arkin corroborated that timeline.

Adobe does claim to be more pro-active about patching than Microsoft – which honestly isn’t really hard is it? Brad Arkin the head of security said:

“I think we’re more aggressive than Microsoft, basically, if we have information about attacks in the wild, or if the information is out there on a mailing list — which means attacks are imminent — that tends to be a trigger for us to think about an out-of-band.”

Do note they said ‘think’ about a patch though and not ‘issue’ one.

Source: Network World

It wasn’t that long ago (back in October 2010) when there was another Critical 0-day Vulnerability In Adobe Flash Player, Reader & Acrobat and Adobe were scrambling to fix it.

They are promising an out of band patch for this vulnerability as it’s marked as critical and has apparently been seen in the wild, but only in a few targeted attacks according to this blog post by Adobe:

Background on APSA11-01 Patch Schedule

Adobe Systems plans to release emergency patches for its Flash and Reader applications after learning a critical vulnerability is being exploited to install malware on vulnerable machines.

The out-of-cycle patches for Adobe Flash Player 10 and Acrobat and Reader versions 9, 10, and X will arrive during the week March 21, the company said on Monday. The updates will cover all versions of those programs except for Reader X for Windows, which ships with a security sandbox that blocks the exploits Adobe has observed so far.

The announcement comes after members of Adobe’s security team received reports of targeted attacks aimed “at a very small number of organizations and limited in scope” that “install persistent malware on the victim’s machine,” the company said in an advisory. The exploits wield a booby-trapped Flash file hidden inside a Microsoft Excel file attached to an email.

The attacks exploit an unspecified flaw in Flash Player for the Windows, Mac, Linux, Solaris and Android operating systems. Adobe security members are unaware of other types of attacks, such as those that plant the malicious Flash file in documents using the the PDF, or portable document format, specification.

It’s a pretty tricky attack with multiple layers, it seems like the Flash exploit itself is embedded in an Excel file attached to e-mails. It looks like corporate users of Reader X will be out of luck as there is no patch for that version. But then Adobe states as Reader X comes with a sandbox the exploit won’t actually function anyway.

The patch is slated to come out next week sometime, there are no specifics as of yet – I guess it depends how long it takes them to fix the problem reliably. They are looking to rush the patch out though rather than waiting for the next cycle.

“However, attackers have leveraged these type [sic] of Flash Player vulnerabilities in the past via .pdf files to attack the embedded authplay.dll component shipping with Adobe Reader and Acrobat v9,” Brad Arkin, Adobe’s senior director of product security and privacy, wrote. “Out of a preponderance of caution we took the decision to ship out-of-cycle updates for Adobe Reader and Acrobat v9, and Acrobat X to mitigate the risk of attackers shifting the attack from an .xls container to a .pdf container.”

The unscheduled patch won’t cover Reader X for Windows, because that recently released version of the program contains a Sandbox that isolates remotely supplied payloads from the OS’s core functions. As a result, the exploits Adobe has seen to date aren’t able to successfully execute on machines that run it. Many Reader users, particularly those in corporate settings, still run versions 10 or 9 of Reader, meaning they will remain vulnerable until the emergency patch is installed.

Excluding Reader X for Windows from the out-of-cycle release will allow Adobe engineers to publish it more quickly than it otherwise could. The fix for that version will be released on June 14, during Adobe’s next scheduled quarterly update.

The Security Bulletin from Adobe is here:

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat

It has been assigned the CVE Number: CVE-2011-0609

Source: The Register

It’s a pretty serious bug and it seems hackers have been maliciously exploiting it in the wild for over a month. The Stuxnet malware has been using this vulnerability to gain access to machines then download further attack files including a root kit.

Microsoft on Friday warned that attackers are exploiting a critical unpatched Windows vulnerability using infected USB flash drives.

The bug admission is the first that affects Windows XP Service Pack 2 (SP2) since Microsoft retired the edition from support , researchers said. When Microsoft does fix the flaw, it will not be providing a patch for machines still running XP SP2. In a security advisory , Microsoft confirmed what other researchers had been saying for almost a month: Hackers have been exploiting a bug in Windows “shortcut” files, the placeholders typically dropped on the desktop or into the Start menu to represent links to actual files or programs.

“In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware,” Dave Forstrom, a director in Microsoft’s Trustworthy Computing group, said in a post Friday to a company blog . Stuxnet is a clan of malware that includes a Trojan horse that downloads further attack code, including a rootkit that hides evidence of the attack.

Forstrom characterized the threat as “limited, targeted attacks,” but the Microsoft group responsible for crafting antivirus signatures said it had tracked 6,000 attempts to infect Windows PCs as of July 15.

Limited but targeted attacks are the worst kind as they can really burrow through corporate defenses. A lot of companies are taking this seriously, including all the main players in the anti-virus arena.

You have to wonder if Microsoft will break their patch tuesday policy and issue an emergency out-of-band patch for this.

Especially since more virus writers are picking up on this flaw meaning it’s becoming more widespread.

On Friday, Siemens alerted customers of its Simatic WinCC management software that attacks using the Windows vulnerability were targeting computers used to manage large-scale industrial control systems used by major manufacturing and utility companies. The vulnerability was first mentioned on June 17 in an alert issued by VirusBlokAda , a little-known security firm based in Belarus. Other security organizations, including U.K.-based Sophos and SANS Institute’s Internet Storm Center , picked up on the threat Friday. Security blogger Brian Krebs , formerly with the Washington Post, reported on it Thursday.

According to Microsoft, Windows fails to correctly parse shortcut files, identified by the “.lnk” extension. The flaw has been exploited most frequently using USB flash drives. By crafting a malicious .lnk file, hackers can hijack a Windows PC with little user interaction: All that’s necessary is that the user views the contents of the USB drive with a file manager like Windows Explorer.

Chester Wisniewski, a senior security advisory with Sophos, called the threat “nasty,” and said his tests showed that the exploit works even when AutoRun and AutoPlay — two functions that have previously been used by attackers to commandeer PCs using infected flash drives — are disabled. The rootkit also bypasses all security mechanisms in Windows, including the User Account Control (UAC) prompts in Vista and Windows 7 , said Wisniewski in a blog entry Friday.

I’m sure they’ll come up with some reason for not patching this sooner rather than later. The scary part is the attack can still be carried out even if AutoRun and AutoPlay are disabled.

The rootkit also bypasses the security mechanisms in Windows 7 and Vista making this a very dangerous attack.

You can find a temporary workaround in the Microsoft Security Advisory here:

Microsoft Security Advisory: Vulnerability in Windows Shell could allow remote code execution

And Microsoft has stated they are working on a patch.

Source: Network World

Ah Microsoft is treating this one seriously after France and Germany advised users to avoid IE.

The current strain being exploited only targets IE6 users, but one security company has developed an exploit for IE8 which also bypasses DEP (Data Execution Prevention).

It was rumoured this was the exploit used last week to compromise Google and various other high profile networks. Although I am skeptical as to why anyone was using IE inside Google? Perhaps doing cross browser testing for development, who knows.

Microsoft will release an out-of-band patch Jan. 21 to fix the Internet Explorer vulnerability at the center of recent attacks on Google and other enterprises.

According to Microsoft, the patch is slated to be ready around 1 p.m. EST. If all goes according to plan, the patch will close a hole that has prompted France and Germany to advise users to avoid IE and the U.S. State Department to demand answers from China. Attackers have used the vulnerability to hit IE 6. Microsoft so far has said it has only seen limited, targeted attacks using the vulnerability.

Meanwhile, security researchers have continued to uncover information about the origin of the attack. Joe Stewart, director of malware research for SecureWorks’ Counter Threat Unit, said his analysis of the code for the main Trojan involved in the attacks shows a more direct link to China.

It’s very rare for them to push an out-of-band patch for anything but I guess there are still a LOT of IE users out there and this is a serious flaw.

It does seem to originate from China with the only discussions about the technical parts of the flaw and implementation being discussed on Chinese language sites.

As can be seen by a Google search here (“crc_ta[16]“), after the first few English news sites reporting the flaw the rest of the results are in Chinese.

According to Stewart, the code includes a CRC (cyclic redundancy check) algorithm implementation released as part of a Chinese-language paper on optimizing CRC algorithms for use in microcontrollers.

“This CRC -16 implementation seems to be virtually unknown outside of China, as shown by a Google search for one of the key variables, ‘crc_ta[16],’” Stewart noted in a SecureWorks blog post Jan. 20. “At the time of this writing, almost every page with meaningful content concerning the algorithm is Chinese.”

Up until this finding, Stewart told eWEEK, the factors leading people to point to China were patterns similar to previous Chinese malware.

“Unfortunately, when investigating malware, nothing is conclusive because digital evidence can be forged,” he said. “However, I believe the use of the Chinese algorithm certainly gives more credence to the attack code being Chinese in origin.”

They really have no choice but to release this patch when faced with government pressure, you should see it hitting your Windows Update sometime today (Jan 21st).

Let’s hope this patch has been tested properly and doesn’t subject users to another black screen of death.

It’s good to see some proactive initiatives by Microsoft, I hope they continue through 2010.

Source: eWeek

Now this doesn’t happen all that often, it must be really serious! An Out-of-Band patch from Microsoft (since it’s famous ‘Patch Tuesday‘ it only releases patches on the second Tuesday of each month) has been released for a new RPC flaw.

I’d imagine it’s similar to the RPC flaw that spawned such disasters as Blaster and Sasser in 2003/4.

Microsoft Security Bulletin MS08-067 – Critical

Microsoft has released an emergency security update for a broad swath of its users that patches a critical security hole that is already being exploited in the wild.

The vulnerability – which has been subjected to “limited, targeted attacks” – could allow miscreants to create wormable exploits that remotely execute malicious code on vulnerable machines, Microsoft said. No interaction is required from the end user. It was the first patch released outside Microsoft’s regular update cycle in 18 months.

“This is a remote code execution vulnerability,” Microsoft’s out-of-band advisory warned. “An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely.”

There is an active piece of malware in the wild using this, F-secure has already detected it and has a signature for Trojan-Spy:W32/Gimmiv.A.

This may have been running around in the wild for some time, perhaps in the underground community. There are always true remote exploits that are unknown to the mass community used by certain higher level groups.

This is the sixth time Microsoft has issued and out-of-band security update since October 2004 when it implemented its policy of releasing patches on the second Tuesday of each month, a company spokesman said. The last time an unscheduled patch update was issued was in April 2007 when it moved to fix a critical bug in the ANI animated cursor feature of Windows.

Thursday’s bulletin also marked the second time Microsoft has offered additional vulnerability details to security providers in advance. About an hour before the patch was released publicly, members of the Microsoft Active Protections Program (MAPP) received a briefing that allowed them to create signatures that detect exploits in anti-virus software and intrusion prevention systems.

Microsoft also offered a stunning amount of detail about the vulnerability to regular Joes here.

It’s only the 6th time this has happened since October 2004 (around 4 years) so you can see that it’s serious and you better install it across any networks you administer.

The update will require a reboot (as usual..).

Source: The Register