It wasn’t that long ago (back in October 2010) when there was another Critical 0-day Vulnerability In Adobe Flash Player, Reader & Acrobat and Adobe were scrambling to fix it.

They are promising an out of band patch for this vulnerability as it’s marked as critical and has apparently been seen in the wild, but only in a few targeted attacks according to this blog post by Adobe:

Background on APSA11-01 Patch Schedule

Adobe Systems plans to release emergency patches for its Flash and Reader applications after learning a critical vulnerability is being exploited to install malware on vulnerable machines.

The out-of-cycle patches for Adobe Flash Player 10 and Acrobat and Reader versions 9, 10, and X will arrive during the week March 21, the company said on Monday. The updates will cover all versions of those programs except for Reader X for Windows, which ships with a security sandbox that blocks the exploits Adobe has observed so far.

The announcement comes after members of Adobe’s security team received reports of targeted attacks aimed “at a very small number of organizations and limited in scope” that “install persistent malware on the victim’s machine,” the company said in an advisory. The exploits wield a booby-trapped Flash file hidden inside a Microsoft Excel file attached to an email.

The attacks exploit an unspecified flaw in Flash Player for the Windows, Mac, Linux, Solaris and Android operating systems. Adobe security members are unaware of other types of attacks, such as those that plant the malicious Flash file in documents using the the PDF, or portable document format, specification.

It’s a pretty tricky attack with multiple layers, it seems like the Flash exploit itself is embedded in an Excel file attached to e-mails. It looks like corporate users of Reader X will be out of luck as there is no patch for that version. But then Adobe states as Reader X comes with a sandbox the exploit won’t actually function anyway.

The patch is slated to come out next week sometime, there are no specifics as of yet – I guess it depends how long it takes them to fix the problem reliably. They are looking to rush the patch out though rather than waiting for the next cycle.

“However, attackers have leveraged these type [sic] of Flash Player vulnerabilities in the past via .pdf files to attack the embedded authplay.dll component shipping with Adobe Reader and Acrobat v9,” Brad Arkin, Adobe’s senior director of product security and privacy, wrote. “Out of a preponderance of caution we took the decision to ship out-of-cycle updates for Adobe Reader and Acrobat v9, and Acrobat X to mitigate the risk of attackers shifting the attack from an .xls container to a .pdf container.”

The unscheduled patch won’t cover Reader X for Windows, because that recently released version of the program contains a Sandbox that isolates remotely supplied payloads from the OS’s core functions. As a result, the exploits Adobe has seen to date aren’t able to successfully execute on machines that run it. Many Reader users, particularly those in corporate settings, still run versions 10 or 9 of Reader, meaning they will remain vulnerable until the emergency patch is installed.

Excluding Reader X for Windows from the out-of-cycle release will allow Adobe engineers to publish it more quickly than it otherwise could. The fix for that version will be released on June 14, during Adobe’s next scheduled quarterly update.

The Security Bulletin from Adobe is here:

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat

It has been assigned the CVE Number: CVE-2011-0609

Source: The Register

tl;dr version is something like this: Michal Zalewski writes a DOM fuzzer, fuzzes IE, finds flaws, Chinese dudes Google some .dll functions and find fuzzer results.

It could be some kind of weird coincidence, or you could read a whole conspiracy theory into it (unreleased tool, very specific search terms etc.).

Details concerning a potentially serious security vulnerability in fully patched versions of Microsoft’s Internet Explorer have been leaked to people in China, a researcher warned over the weekend.

Michal Zalewski, a security researcher at Google, blogged that data concerning at least one “clearly exploitable crash” in the Microsoft browser was inadvertently disclosed to people who were using a Chinese IP address. Details about the bug, which resides in the mshtml.dll component, were stored on a server that had accidentally been indexed by Google, Zalewski wrote elsewhere. On December 30, detailed search queries showed that the sensitive information, in addition to files for an unpublished security tool, had been retrieved by the unknown party.

“This pattern is very strongly indicative of an independent discovery of the same fault condition in MSIE by unrelated means,” Zalewski wrote. “Other explanations for this pair of consecutive searches seem extremely unlikely.”

The bug leads to arbitrary crashes in the EIP, or extended instruction pointer, of machines running the Microsoft browser. Zalewski said the flaw “is pretty much fully attacker-controlled.” It was uncovered using cross_fuzz, a security tool the researcher developed in his spare time more than two years ago to identify potential security vulnerabilities in IE, Firefox, and other browsers. Since its release, the tool has helped to identify nearly 100 various browser bugs.

You can find the complete history between MZ and Microsoft regarding both ref_fuzz and cross_fuzz here:

fuzzer_timeline.txt

As for the ‘discovery’ it does seem likely that someone else had already discovered the same vulnerability and were searching for further information about it and if it had been published/disclosed. The search logs are here:

known_vuln.txt

A statement attributed to Jerry Bryant, group manager in Microsoft’s Response Communications, said company researchers are working to reproduce the crash to see if the underlying vulnerability can be exploited by malicious hackers.

“At this point, we’re not aware of any exploits or attacks for the reported issue and are continuing to investigate and monitor the threat environment for any changes,” Bryant said.

Zalewski provided this account of his communications with Microsoft, which started in May 2008. In it, he claims that on December 21, Microsoft researcher David Ross “confirms being able to reproduce crashes locally right away.”

Zalewski said that Microsoft researchers asked him to delay the release of cross_fuzz until they had more time to investigate the crashes. He published his warning on New Year’s Day, after he learned that the crash logs and related files had been downloaded.

“These search queries are looking for information on two MSHTML.DLL functions – BreakAASpecial and BreakCircularMemoryReferences – that are unique to the stack signature of this vulnerability, and had *absolutely* no other mentions on the internet at that time,” he said.

cross_fuzz has been released officially now by Zalewski after Microsoft have had some time to investigate the crashes further. The moral of the story is, once again don’t use Internet Explorer!

As right now, there is a potentially dangerous 0-day for IE in the wild and as we well known with Patch Tuesday it’ll be quite some time before it gets fixed.

Source: The Register

A zero-day for Windows 7 back in July of this year also bypassed Windows UAC.

Once again a serious zero-day has hit Windows, this time an unpatched vulnerability in the Kernel. So far it only seems to be a local exploit, for full devastating effect hackers will need to combine this with a remote zero-day to get access to the machine and then elevate their permissions and bypass UAC with this.

Microsoft is investigating reports of an unpatched vulnerability in the Windows kernel that could be used by attackers to sidestep an important operating system security measure.

One security firm dubbed the bug a potential “nightmare,” but Microsoft downplayed the threat by reminding users that hackers would need a second exploit to launch remote attacks.

The exploit was disclosed Wednesday — the same day proof-of-concept code went public — and lets attackers bypass the User Account Control (UAC) feature in Windows Vista and Windows 7. UAC, which was frequently panned when Vista debuted in 2007, displays prompts that users must read and react to. It was designed to make silent malware installation impossible, or at least more difficult.

“Microsoft is aware of the public posting of details of an elevation of privilege vulnerability that may reside in the Windows kernel,” said Jerry Bryant, a group manager with the Microsoft Security Response Center, in an e-mail. “We will continue to investigate the issue and, when done, we will take appropriate action.”

The bug is in the “win32k.sys” file, a part of the kernel, and exists in all versions of Windows, including XP, Vista, Server 2003, Windows 7 and Server 2008, said Sophos researcher Chet Wisniewski in a Thursday blog post.

Microsoft is aware of the flaw but has not yet issued a statement as to when they will be patching this, I’d imagine given their past that will wait for the next Patch Tuesday before pushing the patch out. And plus the fact it’s a kernel bug it, it may take a little more time to fix.

The security companies seem to be taking this one quite seriously as the publicly-released code is confirmed working across multiple versions of Windows.

There is a very slight chance that Microsoft might push an Out-of-band-patch for this, but I find it unlikely as it’s not a remote vulnerability.

Several security companies, including Sophos and Vupen, have confirmed the vulnerability and reported that the publicly-released attack code works on systems running Vista, Windows 7 and Server 2008.

Hackers cannot use the exploit to remotely compromise a PC, however, as it requires local access, a fact that Microsoft stressed. “Because this is a local elevation-of-privilege issue, it requires attackers to be already able to execute code on a targeted machine,” said Bryant.

“On its own, this bug does not allow remote code execution, but does enable non-administrator accounts to execute code as if they were an administrator,” added Wisniewski.

Although many Windows XP users, especially consumers and those in very small businesses, run the OS via administrator accounts, Microsoft added UAC to Vista and later operating systems as one way to limit user privileges, and thus malware’s access to the PC.

Attackers would have to combine the exploit with other malicious code that takes advantage of another vulnerability on the machine — not necessarily one in Windows, but in any commonly-installed application, such as Adobe Reader, for example — to hijack a PC and bypass UAC.

“This exploit allows malware that has already been dropped on the system to bypass [UAC] and get the full control of the system,” said Prevx researcher Marco Giuliani in an entry on that security company’s blog Thursday.

Prevx reported the vulnerability to Microsoft earlier in the week.

Microsoft has changed the way UAC functions before when it was demonstrated that it could be easily bypassed. The next patch cycle is due on Tuesday, Dec. 14 – which thankfully isn’t too long. I’d be expecting a kernel patch for this issue by then.

There is more info about the issue here:

Sophos – New Windows zero-day flaw bypasses UAC
Prevx – Windows 0-day exploit: Q&A session

Source: Network World

Ah finally a decent 0-day exploit tracker, one that isn’t underground and could be fairly useful to everyone.

0-day as basically stated in the article is an exploit not known publicly or available publicly well before any patches are available, some private groups often have exploits for a year or more before someone else discovers them, makes them public and they inevitably get fixed.

Like the famous remote exploit in Windows RPC, private groups had that for almost 2 years before it became public.

Scary eh?

Security firm eEye has created what’s described as the industry’s first site designed solely to track zero-day vulnerabilities, flaws where exploits are available prior to the release of security patches.

eEye’s zero-day tracking site provides detailed information on flaws and remediation strategies to users. The site will be maintained by security researchers at eEye Research, who have a track record of unearthing new security bugs, and is essentially an eEye gig rather than a cross-industry effort.

It’s a good idea even if it’s not an industry effort it’s solely an eEye effort, I’m glad someone has done it and eEye has a strong capable team, so it should be fairly relevant if it’s kept up to date.

However, eEye invites other interested parties to contribute suggestions on flaws that merit inclusion on its list. eEye said it created the site, which includes information on how long flaws have remained unfixed, in response to the growing number of zero-day exploits.

In other security tracking news, security notification firm Secunia has released a tool designed to determine insecure versions of popular software packages (such as browsers, IM clients, and media players) on consumer’s PC.

Secunia’s Software Inspector provides users with advice on what to do if they are running insecure software packages.

Both eEye zero-day tracking site and Secunia’s Software Inspector are available free of charge.

You can find the site here:

eEye Zero Day Tracker

Source: The Register