MAAS History

Friday, Feb 26, 2010

Intevydis Releases Firefox Exploit for 3.6

Intevydis, a security research firm, has released to its customers a very effective zero-day exploit for a buffer overflow in Firefox 3.6. It is unclear whether the exploit affects Mac OS X, and it has not been made public yet. Usually, once an exploit is found for a framework, you can rest assured that criminal elements will find out all they can about it and try to duplicate it or chain it into their own methods.

The recent attacks against Google, Intel and other companies clearly demonstrate that attackers effectively chain multiple exploits to defeat security. Each packet sent in an attack is a resource, and an effective attacker's goal is to develop a process that spends the least resources against the least resistant target. To counter this, the security professional has to engineer a system that layers defenses until the cost to the attacker is high enough that they move on. It is important to keep that in mind when zero-day exploits are announced but not released: yes, they are dangerous, but a layered defense can make the cost too high for the criminal of opportunity.

Mac administrators and users should never browse the web from an administrator account. Run NoScript, ClickToFlash and Flashblock, and set Preview.app to open PDF files. Also make sure that you only open files from trusted sources that present evidence to validate that trust; for example, use email with PGP to confirm the identity of the sender. Passwords should be complex, never shared, never reused across systems (especially public systems), and changed at least every 2 months.

(Please note that all cool buzz names have been removed; I have had too many meetings built on buzz topics in the last couple of months. I hoped at one time that Web 2.0 would die, and still people use the term without knowing it was created to describe a host of technologies; no one writes Web 2.0 code. Sorry about the side bar, but I just read "The Four Forces Shaping Cyber Security" by William W. Agresti in IEEE Computer magazine, which states that we should now use the term CyberSecurity exclusively so the public gets a better understanding. I am in the camp that Cyber anything is a bad idea, but what do I know.)

Friday, Feb 19, 2010

Design Flaw in AdobeUpdater.app can be Exploited by an Attacker

Aviv Raff has reported, and the Adobe Security Blog has now confirmed, an issue with the Adobe Download Manager that could allow an attacker to force the download and installation of an Adobe product or of a malicious piece of software. He first reported to Adobe an issue in the Download Manager that allowed an attacker to force the reinstallation of an Adobe product that had been removed.

Aviv Raff took this one step further and discovered a remote code execution flaw that allowed an attacker to install arbitrary malicious software through the Adobe Download Manager. It appears that the Adobe Download Manager does not use SSL, which means you expose yourself to a zero-day attack if you download an update from Adobe's site.

The exploit he reported has not been published, but the posting on his site outlines what was reported to Adobe. His discovery concerns the Adobe Download Manager on Windows; I have confirmed that Adobe Updater6.app on the Mac platform may have the same flaw. Adobe Updater6.app sends information over port 80, which can be exploited in a man-in-the-middle attack, and it does not use SSL properly, so it is possible to alter the file it downloads and have it install files from an untrusted source.

Users may want to turn off auto-updates for Adobe products until more information becomes available.

Thursday, Feb 18, 2010

Mozilla Updates Older Versions of Firefox, Thunderbird and SeaMonkey

Mozilla has updated older versions of Firefox to address memory corruption vulnerabilities, which had forced users to disable JavaScript. Version 3.6 is already patched; these updates only affect older versions such as 3.5.x and 3.0.1x. Why update older versions, you ask? Many companies have different update cycles, and if they have internal web applications that have not been tested on the newer version, they are hesitant to upgrade right away. Home users should upgrade right away.

Users should apply the patches; more importantly, they should make sure they are running the latest version, which can be found here.

Friday, Feb 12, 2010

Pre-announcement of Acrobat and Reader Update Related to 0day

The release of the recent Flash update has provided a template for attackers to exploit a 0day in Acrobat and Reader. Adobe's pre-announcement states that they intend to make the update available February 16, 2010.

Users should make sure that Preview.app is the default application for PDF files; there is very little reason to use Acrobat Reader for PDF files. In addition, users should install ClickToFlash, which is available for Safari and Chrome. If you update to the latest beta of Chrome you can install extensions; one we like is Flashblock, which as the name suggests blocks Flash content.

The lesson is that there is always residual and new risk in any update cycle; your process and policies should deal with this risk. Information Assurance is all about risk management.

Thursday, Feb 11, 2010

Adobe Issues Critical Flash and AIR Update

Adobe has issued an update for both Flash Player 10.0.42.34 and AIR 1.5.4.1920 to address critical vulnerabilities CVE-2010-0186 and CVE-2010-0187, through which an attacker could subvert the domain sandbox and conduct unauthorized cross-domain requests. Users can visit the About Flash page to determine the version they are currently running. The download can be acquired from the Flash Download Page.

Determining the version of Adobe AIR is a bit more complicated.

  • Inside the /Library/Frameworks/Adobe AIR.framework/Versions directory, you'll find a numbered folder which represents the main version of the AIR runtime installed (for example, 1.0).
  • For more detailed information, open the /Library/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/Info.plist text file and locate the <key>CFBundleVersion</key> entry; the corresponding string entry represents the version of AIR, for example <string>1.5.3.9120</string>.
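Scripting the two steps above, as an added example that is not from the original post: the function reads CFBundleVersion from the Info.plist path the post gives, using sed rather than PlistBuddy so it also runs on a non-Mac host, and compares it to 1.5.4.1920, which the example assumes is the fixed AIR release named in the Feb 11 post (change PATCHED_AIR if Adobe's bulletin lists a different number).

```shell
#!/bin/sh
# Added example, not code from the original post: read the installed AIR runtime
# version from the framework's Info.plist (the CFBundleVersion entry described
# above) and compare it to the patched release. The framework path is the post's.
AIR_PLIST="/Library/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/Info.plist"
PATCHED_AIR="1.5.4.1920"   # assumed fixed release, taken from the Feb 11 post

# plist_bundle_version FILE: print the <string> following <key>CFBundleVersion</key>.
# Plain sed instead of PlistBuddy, so it also runs on a non-Mac host.
plist_bundle_version() {
    tr -d '\n\t' < "$1" |
    sed -n 's/.*<key>CFBundleVersion<\/key> *<string>\([^<]*\)<\/string>.*/\1/p'
}

# version_lt A B: succeed when dotted version A is numerically older than B.
# Missing trailing fields count as 0, so 1.5 compares equal to 1.5.0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa="${a%%.*}"; fb="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 1
    done
    return 1
}

# air_update_needed PLIST: report the installed version; succeed when it is older
# than PATCHED_AIR, fail when current, return 2 when no version could be read.
air_update_needed() {
    v="$(plist_bundle_version "$1")"
    [ -n "$v" ] || { echo "no CFBundleVersion found in $1" >&2; return 2; }
    if version_lt "$v" "$PATCHED_AIR"; then
        echo "AIR $v installed: older than $PATCHED_AIR, update needed"
        return 0
    fi
    echo "AIR $v installed: already at or past $PATCHED_AIR"
    return 1
}

# Constructed sample plist carrying the post's example version, so the check can
# be exercised on any host; the real framework is checked when it is present.
SAMPLE_PLIST="$(mktemp)"
printf '<plist version="1.0">\n<dict>\n\t<key>CFBundleVersion</key>\n\t<string>1.5.3.9120</string>\n</dict>\n</plist>\n' > "$SAMPLE_PLIST"
air_update_needed "$SAMPLE_PLIST" || :
rm -f "$SAMPLE_PLIST"
if [ -f "$AIR_PLIST" ]; then air_update_needed "$AIR_PLIST" || :; fi
```

plist_bundle_version reads any bundle's Info.plist, so the same check can be pointed at another Adobe component once you know its bundle path.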

The latest version of AIR can be acquired here. After installing the updated Flash Player, users should visit their settings panel to ensure that none of their privacy settings have changed.

Currently it is the recommendation of Magmatic not to install Flash Player or any Adobe product on Mac OS X Server, including AIR, Flash, Acrobat or Acrobat Reader. If Adobe products are installed on a system, users should never use a privileged account to access them. In addition, users should set Preview.app as the default application for PDF files.