
Thursday, February 16, 2012

Adobe Releases A New Security Update For Flash Player

Adobe has released a new security update for Flash Player that fixes several critical security vulnerabilities in the product. The vulnerabilities affect all platforms Flash Player is available on. Affected software versions are Adobe Flash Player 11.1.102.55 and earlier for Windows, Macintosh, Linux and Solaris operating systems, as well as Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x.

Adobe users can test the version of their Flash Player installation at the about page on the Adobe website. There they see the installed version and the latest version available. Flash Player needs updating if the installed version is lower than the most recent version.

[Image: Flash Player version check]

Android users can verify the version of Flash Player by going to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

Adobe recommends updating Flash Player to the latest version as soon as possible to protect the system from attacks targeting the vulnerabilities.

The patch fixes vulnerabilities that could allow an attacker to crash the system and potentially take control of it, and a single cross-site scripting vulnerability that could allow an attacker to take actions on “a user’s behalf on any website or webmail provider, if the user visits a malicious website”. Adobe notes that the cross-site scripting vulnerability is being actively exploited by attackers who try to trick users into clicking on a malicious link in email messages.

Google Chrome users have received the update automatically. A download from the official Flash Player download center is recommended for all other desktop operating systems. Android users can find the latest Flash Player version on Android Market.

Flash Player users who cannot update to Flash Player 11 can download a patch for Flash Player 10.x from this Knowledge Base article.



Wednesday, February 15, 2012

Java 6 and 7 Security Updates Released

Oracle has today released a critical patch update for Java SE that includes both patches for security vulnerabilities and non-security fixes. The company asks all Java users to update their versions of Java SE as soon as possible to protect the underlying systems from attacks exploiting those vulnerabilities.

The patch advisory for February 2012 lists the following Java SE products and versions as vulnerable to the security vulnerabilities addressed by the critical patch update:

  • JDK and JRE 7 Update 2 and earlier
  • JDK and JRE 6 Update 30 and earlier
  • JDK and JRE 5.0 Update 33 and earlier
  • SDK and JRE 1.4.2_35 and earlier
  • JavaFX 2.0.2 and earlier

The Oracle Java SE Risk Matrix lists 14 unique vulnerabilities, of which five have received the highest possible base score of 10. This score assumes that the user running Java on the system has administrative privileges. If that is not the case, the base score would be considerably lower.

All 14 vulnerabilities can be remotely exploited without authentication, for instance over a network without the need for a username or password.

Users who are not sure which Java version – if any – they are running on their system should open the Java test page that checks the version for them.

[Image: Java version test page]

The latest Java SE versions can be downloaded from this page over at the Java website. If you have Java 7 installed, you need to click on the JRE download link next to Java SE 7u3, and if you have Java SE 6 installed, you need to click on the JRE download link there to download the update to your computer.

Updates are provided for all supported operating systems, including Windows 32-bit and 64-bit versions, Macintosh and Linux.

You can furthermore access the Java SE 7 Update 3 release notes on this page, and the release notes for Java SE 6 Update 31 on this page.



Tuesday, February 14, 2012

SSL Traffic Analysis Reveals What You Are Looking At On Google Maps

The general consensus is that https connections to web sites protect your data from being spied on by users on the same network. That’s why all major web services such as Facebook, Twitter or Google have started to enforce the use of https on their websites.

Most users do not know that it may still be possible to find out what a user is looking at on a specific website, even if https is enabled.

Shuo Chen, Rui Wang, XiaoFeng Wang, and Kehuan Zhang of Microsoft Research released a paper titled Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow back in 2010 that described this threat to user privacy.

Vincent Berg a few days ago published a proof of concept demonstration (in the form of a video) on the IOActive Labs Research blog that showed how Google Maps was vulnerable to SSL traffic analysis.

He first analyzed the JavaScript used by Google Maps using Firefox and the excellent Firebug extension to discover that Google Maps was using “a grid system in which PNG images are laid out”. These PNG images had different file sizes, which were added to a database.

Vincent Berg then built a tool that was able to approximate the sizes of the images by monitoring the encrypted traffic. The software then tried to match the estimated sizes against the sizes in the database to find a matching region of the world. Several city profiles were created, as it was not realistically possible to build database entries for all map tiles.

The video below demonstrates the workings of the tool on the right side, and the user actions on Google Maps on the left. It basically shows how both Paris and Berlin were identified correctly by the program.

Not all web applications can be analyzed with SSL traffic analysis, but those that can pose a privacy and maybe even a security risk for users who think they are safe because they are connecting to the service via https.

Users could protect their connection by connecting through an encrypted virtual private network like VyprVPN. Even that may however be prone to analysis, according to the author of the blog post.
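To make the size-matching idea concrete, here is an added toy model (not Berg's tool, and using constructed tile sizes, not real Google Maps data) that scores which city profile a sequence of observed encrypted response sizes matches, and then shows why padding every response up to a fixed block size blunts the attack: padded Paris and Rome tiles become indistinguishable.

```python
"""Toy model of the tile-size side channel: identify a city profile from the
sizes of encrypted responses, then show the effect of server-side padding.
All sizes below are constructed for the demo."""

# Constructed "city profiles": city -> sizes (bytes) of the PNG tiles that
# the tool would have recorded for that region (assumption: one database
# entry per tile, as described in the post).
TILE_DB = {
    "paris":  [18342, 20917, 17488, 22105, 19631, 21274],
    "berlin": [15210, 16877, 14998, 17645, 16102, 15890],
    "rome":   [20600, 18100, 22600, 19300, 17100, 21700],
}

# Constructed sizes "sniffed" from a TLS session while a user pans around
# Paris. They are a few bytes off because TLS record framing and MAC
# overhead make the plaintext size only approximately recoverable.
OBSERVED = [18355, 20930, 17500, 22120]

TOLERANCE = 40  # bytes of slack allowed when matching an observed size


def match_city(observed_sizes, db, tolerance=TOLERANCE, pad_to=None):
    """Score each city by how many observed sizes fall within `tolerance`
    of one of its recorded tile sizes.

    If `pad_to` is given, every size (database and observation) is rounded
    up to a multiple of that block size first. This simulates a server that
    pads each tile response to a fixed bucket, the mitigation proposed in
    the Chen et al. paper cited above."""
    def norm(n):
        return n if pad_to is None else -(-n // pad_to) * pad_to  # ceil

    scores = {}
    for city, sizes in db.items():
        sizes_n = [norm(s) for s in sizes]
        hits = 0
        for obs in observed_sizes:
            if any(abs(norm(obs) - s) <= tolerance for s in sizes_n):
                hits += 1
        scores[city] = hits
    return scores


def best_guess(scores):
    """Return the top-scoring city, or None when the top score is tied,
    i.e. when the side channel no longer singles out one region."""
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]


if __name__ == "__main__":
    raw = match_city(OBSERVED, TILE_DB)
    print("unpadded:", raw, "->", best_guess(raw))
    padded = match_city(OBSERVED, TILE_DB, pad_to=4096)
    print("padded to 4 KiB:", padded, "->", best_guess(padded))
```

Padding to coarse buckets costs bandwidth and does not remove every leak (the number of tiles requested still varies), which is why the paper treats it as one part of a broader mitigation.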



Microsoft Security Bulletins For February 2012 Released

Microsoft has today released this month’s security updates. A total of nine security bulletins have been released, of which four address vulnerabilities with a maximum severity rating of critical. This means that at least one Microsoft product is affected critically by the vulnerability. Six bulletins fix issues in the Windows operating system, two in Microsoft Office and one each in Internet Explorer, Microsoft Server Software, Microsoft Silverlight and the Microsoft .NET Framework.

Both Windows 7 and Windows Vista are affected by four critical and one important vulnerability each, while Windows XP is only affected by three critical and two important vulnerabilities.

Here are the bulletins for February 2012:

  • MS12-008 – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465) – This security update resolves a privately reported vulnerability and a publicly disclosed vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if a user visits a website containing specially crafted content or if a specially crafted application is run locally. An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s website.
  • MS12-010 – Cumulative Security Update for Internet Explorer (2647516) – This security update resolves four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS12-013 – Vulnerability in C Run-Time Library Could Allow Remote Code Execution (2654428) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted media file that is hosted on a website or sent as an email attachment. An attacker who successfully exploited the vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS12-016 – Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2651026) – This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted web page using a web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS12-009 – Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege (2645640) – This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to a user’s system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities.
  • MS12-011 – Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2663841) – This security update resolves three privately reported vulnerabilities in Microsoft SharePoint and Microsoft SharePoint Foundation. These vulnerabilities could allow elevation of privilege or information disclosure if a user clicked a specially crafted URL.
  • MS12-012 – Vulnerability in Color Control Panel Could Allow Remote Code Execution (2643719) – This security update resolves one publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .icm or .icc file) that is located in the same directory as a specially crafted dynamic link library (DLL) file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS12-014 – Vulnerability in Indeo Codec Could Allow Remote Code Execution (2661637) – This security update resolves one publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .avi file) that is located in the same directory as a specially crafted dynamic link library (DLL) file. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS12-015 – Vulnerabilities in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2663510) – This security update resolves five privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

You can access the bulletin summary on this page.

Windows Update has already picked up the new updates. You may need to run a manual check for updates though. Windows Vista and Windows 7 users can open the Windows Update control panel either by pasting Control Panel\All Control Panel Items\Windows Update into an Explorer window, or by searching for Windows Update in the start menu.

[Image: Microsoft security bulletins February 2012 in Windows Update]

A click on Check for Updates there retrieves the most recent update information from Microsoft.

Users who do not want to or cannot update via Windows Update can find all security updates at Microsoft’s official download repository.

Update: Microsoft has posted the Bulletin Deployment Priority chart and the Severity and Exploitability Index. Images below.

[Image: Severity and Exploitability Index]

[Image: Bulletin Deployment Priority]

You can read up on this month’s bulletins at the Microsoft Security Response Center.

Update: The February 2012 Security Release ISO Image is available now as well.



Wednesday, February 8, 2012

Avast 7 Public Betas Available, New Features Included

Avast! has just released the first public beta version of the company’s 2012 security lineup. Interested users can download Avast Free, Avast Pro and Avast Internet Security from the official beta announcement thread in the Avast forum.

The first thing users will notice is the new installer. Avast notes that the beta versions can be installed over existing Avast 6 installations, or separately on the system. The installer provides options to install a typical, minimal or custom version of the security software. The custom option in particular should appeal to security-conscious users, as it allows them to block modules from being installed on their computer. Here it is possible to disable any module that you do not want to use, not only a selected few, which is the more common approach in custom installers. This can for instance be useful if those modules are not needed or interfere with other security software installed on the system.

[Image: Avast Free Antivirus 7 installer]

Avast 7 Beta is compatible with all recent 32-bit and 64-bit versions of the Windows operating system and the Windows 8 Developer Preview released last year. The program interface has received a facelift as well. Core program features are available in the sidebar menu.

[Image: Avast Free Antivirus 7 interface]

The Real-Time Shields screen, for instance, displays visual information about each security module installed on the system.

[Image: Real-Time Shields]

One of the new features that Avast has integrated into the beta versions is a cloud-based file reputation service that improves the program’s decision making.

[Image: Cloud services settings]

Here is the full list of new features:

  • New installer
  • UI facelift
  • FileRep service (cloud based)
  • Streaming updates
  • Sandbox & Autosandbox improvements
  • Browser protection improvements
  • Remote assistance feature to help your friends with computer troubles
  • Support tool
  • Export/Import settings
  • Screensaver facelift
  • runs on Win8 Developer Preview

It is recommended to check the known issues before installing the beta software on a system.

- In some cases, WebRep Chrome plugin is not installed correctly
- The Safezone browser is opening each time when you switch back and to the Safezone
- Plugins for Outlook 2k3 and 2k7 show “runtime error” message
- Sometimes autosandbox toaster does not close correctly
- Problems with avast sounds on Win 7 and Win Vista
- Remote assistance feature sometimes crashes on Win 7 32b, Win Vista 64b
- avast! account functionality is disabled

Avast’s Auto Sandbox feature sounds like a real winner, if Avast gets the detection right. It puts suspicious processes automatically in a sandbox to prevent them from damaging the underlying operating system, other programs and files.

I would not recommend running the beta version in a production environment though. It is likely that Avast will release the final version of the program in the coming months. (via Vishal)



Symantec’s pcAnywhere Source Code Published

Back in 2006 hackers managed to download the source code of several Symantec products after successfully gaining access to Symantec’s infrastructure. The hackers obtained the source code of Norton Antivirus Corporate Edition, Norton Utilities, Norton GoBack, pcAnywhere and Norton Internet Security during the operation.

The incident came to light only recently, when hackers started to upload code sneak peeks and information to the Internet.

Symantec then asked users of pcAnywhere to stop using the software while it analyzed and mitigated any arising risks. Symantec later released a security recommendations whitepaper that described possible risk scenarios:

  • The encoding and encryption elements within pcAnywhere are vulnerable, making users susceptible to man-in-the-middle attacks, depending on the configuration and use of the product. If a man-in-the-middle attack should occur, the malicious user could steal session data or credentials.
  • A secondary risk: If a malicious user obtains the cryptographic key, they can launch unauthorized remote control sessions and thus access systems and sensitive data.
  • If the cryptographic key itself is using Active Directory credentials, it is also possible for attackers to perpetrate other malicious activities on the network.
  • In an internal pcAnywhere environment, if a network sniffer was in place on a customer’s internal network and the attacker had access to the encryption details, the pcAnywhere traffic could be intercepted and decoded. This implies that a customer either has a malicious insider who planted the network sniffer or has an unknown Botnet operating in their environment. As always, security best practices are encouraged to mitigate this risk.
  • Since pcAnywhere exchanges user login credentials, the risk exists that a network sniffer or Botnet could intercept this exchange of information, though it would still be difficult to actually interpret the data even if the pcAnywhere source code is released.
  • For environments with remote users, this credential exchange introduces an additional level of exposure to external attacks.

This information was later removed from the whitepaper after a patch had been issued.

The hackers have in the meantime released email correspondence on Pastebin. Here it gets a bit blurry, as both sides apparently tried to broker a deal that would prevent the source code from being released to the public. According to Symantec, it was a sting operation from the very beginning. The hackers on the other hand stated that they tried to “humiliate them” further.

A torrent of the source code has since been released on the popular BitTorrent indexing site The Pirate Bay, where it quickly climbed into the top 5 seeded files of the Misc category.

[Image: Symantec pcAnywhere source code torrent listing]

The hackers have already announced that they will also release the Norton Antivirus source code.

Should Norton and Symantec customers be worried about the source code release? Symantec stated that users who have upgraded the products to the latest version have nothing to worry about.



Friday, January 27, 2012

Kaspersky WindowsUnlocker Removes System Blocking Malware

You may have heard about so-called ransomware before. This is a type of malware that tries to extort money from computer users by making the system or data inaccessible until the money has been paid. This can be a serious issue, especially if you need access to the data immediately.

Kaspersky WindowsUnlocker is a free program by Russian security company Kaspersky that you can use to remove the effects of malware that is blocking you from accessing parts or all of the system.

The program ships as an ISO image that you need to burn to CD or copy to a USB device before you can make use of it. The program itself runs independently of the Windows operating system, so that the malware has fewer options to block it from doing its work.

You can use Kaspersky’s USB Rescue Disk Maker to copy the contents to a USB device, or a CD burning program like ImgBurn if you prefer to burn the program to CD.

[Image: Kaspersky USB Rescue Disk Maker]

Once copied or burned, you need to configure the target computer to boot first from CD or USB. You will see the Kaspersky Rescue Disk boot screen if that operation was successful.

[Image: Kaspersky Rescue Disk boot screen]

You are then asked to select one of the available interface languages. Roughly 20 different languages are available, from English and German to Swedish and Dutch.

Select graphic mode on the next screen. You can alternatively boot the program in text mode, display hardware information, reboot or boot from the hard disk instead.

Click on the start button and select Kaspersky WindowsUnlocker from the available selection. The program runs automatically now and starts disinfecting the Registry. Results are displayed directly in the program window so that you can keep an eye on what’s happening on your computer.

[Image: Kaspersky WindowsUnlocker]

A log file is generated in the /var/kl or /var/tmp/ folder for each program run. Once you have finished the operation, reboot your computer, change the startup device to hard drive and boot into the Windows operating system.

If everything worked out, you should have access to your system again. And while this does not resolve every situation you may run into, it certainly can help you if ransomware has locked you out of your own computer. (thanks Raymond)