Security Advisory Posted for Adobe Flash Player
On April 5, 2016, Adobe released security advisory APSA16-01 (CVE number: CVE-2016-1019) for a vulnerability in the Adobe Flash Player. The vulnerability affects the player on Microsoft Windows, Apple OS X, Linux, and Google's Chrome OS, and on all versions of Windows from Windows 10 back through Windows XP. The vulnerability exists in Adobe Flash Player 21.0.0.197 and earlier versions. It is currently being exploited "in the wild", i.e., malefactors are already taking advantage of it to compromise vulnerable systems. The vulnerability allows malefactors to crash a system and even potentially gain remote control of it. It is being used by the Magnitude Exploit Kit to spread Locky ransomware - see Zero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player.
A software change Adobe made in version 21.0.0.182 will prevent the exploit from being successful, so users who have at least that version should be safe from the exploit compromising their systems, since on versions 21.0.0.182 and 21.0.0.197 it will only cause a crash. But I would advise users to upgrade to the current version of the Adobe Flash Player, which is version 21.0.0.213. If you use multiple web browsers on a system, you should ensure that each of them has the latest version of the Adobe Flash Player plug-in, if you have Adobe Flash Player support installed for the browser. You can check the version of the Flash Player being used by a browser by visiting Adobe's www.adobe.com/software/flash/about/ page. Alternative methods for checking the version of the Flash Player on Apple OS X systems can be found at Determining the version of Adobe Flash on an OS X system.
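When checking several browser plug-ins against the version thresholds named above, the usual mistake is to compare the dotted version strings as text, which puts "9.0.0.1" after "21.0.0.213". The following is an added example, not code from the post or from Adobe: it parses each version into integers and classifies it as exploitable (below 21.0.0.182), crash-only (21.0.0.182 up to but not including 21.0.0.213) or fixed. The plug-in names and version numbers in SAMPLE_INVENTORY are constructed sample data.

```python
# Added example (not part of the original post): classify installed Flash Player
# versions against the thresholds stated in the APSA16-01 post above.
# SAMPLE_INVENTORY holds constructed sample values, not real inventory data.

MITIGATED = (21, 0, 0, 182)   # from this build the in-the-wild exploit only crashes the player
FIXED = (21, 0, 0, 213)       # current release named in the post


def parse_version(text):
    """Turn '21.0.0.197' into (21, 0, 0, 197), padding missing fields with 0.

    Comparing the dotted strings directly is wrong ('9.0.0.1' > '21.0.0.213'
    lexically), so versions are compared as integer tuples instead.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("unexpected Flash version format: %r" % text)
    return tuple(parts + [0] * (4 - len(parts)))


def assess_flash_version(text):
    """Return 'fixed', 'crash-only' or 'exploitable' for one version string."""
    v = parse_version(text)
    if v >= FIXED:
        return "fixed"
    if v >= MITIGATED:
        return "crash-only"      # still vulnerable, but the known exploit fails
    return "exploitable"


def assess_inventory(inventory):
    """Map {plug-in name: version} to {plug-in name: assessment}."""
    return {name: assess_flash_version(ver) for name, ver in inventory.items()}


def needs_upgrade(inventory):
    """Sorted names of plug-ins that are not at the fixed version."""
    return sorted(n for n, s in assess_inventory(inventory).items() if s != "fixed")


# Constructed sample inventory: one machine with several browser plug-ins.
SAMPLE_INVENTORY = {
    "firefox-npapi": "21.0.0.197",
    "chrome-ppapi": "21.0.0.213",
    "ie-activex": "20.0.0.100",
}

if __name__ == "__main__":
    for name, status in assess_inventory(SAMPLE_INVENTORY).items():
        print("%-14s %-12s %s" % (name, SAMPLE_INVENTORY[name], status))
    print("upgrade:", needs_upgrade(SAMPLE_INVENTORY))
```

Versions between 21.0.0.197 and 21.0.0.213 are reported as crash-only purely because they are below the fixed release; the post only states the crash behaviour for .182 and .197, so treat anything below .213 as needing the upgrade.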
References:
- Zero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player
  Posted: April 7, 2016
  Simply Security News, Views and Opinions from Trend Micro, Inc.
- A Look Into Adobe Flash Player CVE-2016-1019 Zero-Day Attack
  Posted: April 8, 2016
  Simply Security News, Views and Opinions from Trend Micro, Inc.
Shellshock Vulnerability on OS X Systems
You can test a system to determine if it may be vulnerable to being exploited through the Shellshock, aka Bashdoor, vulnerability using the command
env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
If it is vulnerable, you will see the commands that appear after the semicolon executed. On vulnerable systems, Bash is executing commands that are concatenated onto the end of function definitions stored in the contents of environment variables.
When I checked a MacBook Pro running OS X 10.8.4, I saw output indicating it was vulnerable, i.e., I saw "vulnerable" displayed when the command was run. The check can be performed by opening a Terminal window and entering the command. The Terminal application is in Applications/Utilities.
$ env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
vulnerable
this is a test
A bash shell prompt could be obtained by a malicious remote user if Remote Login was enabled and Guest Access was also enabled, though, hopefully, if Remote Login was enabled, Guest Access would not be enabled. Of course, a malicious person could also gain access to the system remotely if Remote Login is enabled and a weak password is present for an account on the system that is allowed remote access.
An OS X system could also be vulnerable if it is functioning as a web server and there are scripts present on the server that would allow an attacker to provide any input he wishes that could be executed as code by the script.
Apple released a fix for the vulnerability for OS X systems on September 29, 2014.
After the laptop was upgraded to OS X 10.8.5 and security updates were
applied, I didn't see "vulnerable" displayed when the code was executed.
$ env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
this is a test
And when I tested the related vulnerability
CVE-2014-7169, the date was no longer displayed.
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: No such file or directory
A system that has been patched for both
CVE-2014-6271 and CVE-2014-7169 will simply echo
the word "date" and the file "echo" will not be created, as shown above.
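If you need to repeat the two checks above across a number of machines, it helps to have them return a result rather than output to read by eye. The following is an added example, not code from the post, that wraps both test commands in Python functions: the CVE-2014-6271 check looks for the extra "vulnerable" line, and the CVE-2014-7169 check runs in a throwaway directory and reports whether the stray "echo" file was created. It assumes a bash binary reachable as BASH (set to "bash"); bash is invoked directly rather than via sh because on systems other than OS X sh may not be bash at all.

```python
# Added example (not from the original post): wrap the two Shellshock test commands
# shown above in functions that report whether the local bash is still vulnerable.
# The bash binary path is an assumption; set BASH to e.g. "/bin/bash" if needed.
import os
import shutil
import subprocess
import tempfile

BASH = "bash"


def _run_bash(script, extra_env, cwd=None):
    """Run `bash -c script` with extra_env merged into the environment.

    Returns the captured stdout, or None if no bash binary is available.
    """
    env = dict(os.environ)
    env.update(extra_env)
    try:
        cp = subprocess.run([BASH, "-c", script], env=env, cwd=cwd,
                            capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return None
    return cp.stdout


def check_cve_2014_6271():
    """Same test as: env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

    A vulnerable bash imports the function definition held in x and keeps
    parsing past it, executing the trailing `echo vulnerable`.
    Returns True (vulnerable), False (patched) or None (bash not found).
    """
    out = _run_bash("echo this is a test", {"x": "() { :;}; echo vulnerable"})
    if out is None:
        return None
    return "vulnerable" in out.splitlines()


def check_cve_2014_7169():
    """Same test as: env X='() { (a)=>\\' bash -c "echo date"; cat echo

    On a vulnerable bash the broken definition leaves the parser in a state
    where `echo date` is run as `>echo date`, creating a file named "echo" in
    the working directory. The check runs in a temporary directory and reports
    whether that file appeared; a patched bash only prints "date".
    """
    workdir = tempfile.mkdtemp(prefix="shellshock-")
    try:
        out = _run_bash("echo date", {"X": "() { (a)=>\\"}, cwd=workdir)
        if out is None:
            return None
        return os.path.exists(os.path.join(workdir, "echo"))
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


def shellshock_report():
    """Both checks in one dict, e.g. {'CVE-2014-6271': False, 'CVE-2014-7169': False}."""
    return {"CVE-2014-6271": check_cve_2014_6271(),
            "CVE-2014-7169": check_cve_2014_7169()}


if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "patched", None: "bash not found"}
    for cve, vulnerable in shellshock_report().items():
        print(cve, labels[vulnerable])
```

A patched bash ignores the value of x and X as ordinary variables, so both functions return False; on a bash that has never been updated since 2014 they return True. The functions only report the state of the bash they are pointed at, so on a system with more than one bash installed (for example an OS X system with a second copy from a package manager) run them once per binary.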
References:
- Shellshock Vulnerability: What Mac OS X users Need to Know | The Mac Security Blog
  By Derek Erwin
  Date: September 26, 2014
  Intego - Mac Antivirus & Security
- Shellshock (software bug)
  Wikipedia
OpenSSL Vulnerabilities up to Version 0.9.7c
OpenSSL is an Open Source toolkit which implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols and provides a full-strength general purpose cryptography library. Versions of OpenSSL prior to 0.9.6k and 0.9.7c are vulnerable to Denial of Service (DoS) attacks or could theoretically allow remote execution of arbitrary code.
OpenSSL version    | Applicable advisories    | Effect
0.9.6d and earlier | 30-Jul-2002              | Practical to run arbitrary code remotely
0.9.6e-h and 0.9.7 | 19-Feb-2003              | Practical (LAN) attack to recover frequently repeated plaintext such as passwords
0.9.6i and 0.9.7a  | 17-Mar-2003, 19-Mar-2003 | Practical (LAN) attacks to obtain or use secret key
0.9.6j and 0.9.7b  | 30-Sep-2003              | Denial of Service, and theoretically possible to run arbitrary code remotely
0.9.6k and 0.9.7c  | (none)                   | Clean at present
Some attacks may not be feasible except from systems on the same LAN as the attacked system, since a very fast connection between the attacker and target may be needed to make the attack practicable. However, if a webserver is in a datacenter with perhaps dozens or even hundreds of other systems, a compromised system within the datacenter could be used by an attacker to exploit these vulnerabilities on other servers within the same datacenter.
If you need to determine which version of OpenSSL you are running, you can use the command openssl version. You may need to specify the full path to the command if it isn't in your default path. For a Solaris 10 system, you can use the following path:
# /usr/sfw/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004
For Solaris 7, use /usr/local/ssl/bin/openssl version.
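Reading the "openssl version" output against the table above by hand is error-prone once the patch letters are involved (0.9.7 with no letter sits in a different row from 0.9.7a). The following is an added example, not code from the post or from the OpenSSL project: it extracts the version from a line such as the Solaris output shown above and returns the table's Effect column for it. Branches older than 0.9.6 fall into the "0.9.6d and earlier" row, and anything newer than 0.9.7 is reported as outside the table rather than as clean, since the table only runs to late 2003.

```python
# Added example (not part of the original post): parse the output of `openssl version`
# and look the build up in the advisory table above. Only the 0.9.6 and 0.9.7
# branches covered by the table are classified; newer builds are reported as such.
import re

CLEAN = "Clean at present"
NOT_COVERED = "Newer than the table; check current OpenSSL advisories"

# One entry per table row: (branch, highest patch letter the row covers, effect).
# '' is the unlettered 0.9.7 release; letters compare lexically ('' < 'a' < 'b' ...).
ROWS = [
    ((0, 9, 6), "d", "Practical to run arbitrary code remotely"),
    ((0, 9, 6), "h", "Practical (LAN) attack to recover frequently repeated plaintext such as passwords"),
    ((0, 9, 6), "i", "Practical (LAN) attacks to obtain or use secret key"),
    ((0, 9, 6), "j", "Denial of Service, and theoretically possible to run arbitrary code remotely"),
    ((0, 9, 7), "", "Practical (LAN) attack to recover frequently repeated plaintext such as passwords"),
    ((0, 9, 7), "a", "Practical (LAN) attacks to obtain or use secret key"),
    ((0, 9, 7), "b", "Denial of Service, and theoretically possible to run arbitrary code remotely"),
]


def parse_openssl_version(text):
    """'OpenSSL 0.9.7d 17 Mar 2004' -> ((0, 9, 7), 'd'); a bare '0.9.6k' also works."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def classify_openssl(text):
    """Return the table's Effect column for the version named in text."""
    branch, letter = parse_openssl_version(text)
    if branch < (0, 9, 6):
        # The first row is '0.9.6d and earlier', which covers older branches too.
        return ROWS[0][2]
    if branch > (0, 9, 7):
        return NOT_COVERED
    for row_branch, ceiling, effect in ROWS:
        if row_branch == branch and letter <= ceiling:
            return effect
    return CLEAN   # 0.9.6k and later, 0.9.7c and later


if __name__ == "__main__":
    for sample in ("OpenSSL 0.9.7d 17 Mar 2004", "OpenSSL 0.9.6e", "OpenSSL 0.9.7"):
        print("%-28s %s" % (sample, classify_openssl(sample)))
```

One caveat when using this on a vendor-supplied build: operating system vendors often backport security fixes without changing the version string, so a reported 0.9.6j may already carry the 30-Sep-2003 fix. Treat the table lookup as a prompt to check the vendor's patch level, not as the final word.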
References:
- Vulnerable versions of OpenSSL apparently still widely deployed on commerce sites
  Netcraft
  November 3, 2003
- ESB-2003.0871 -- Sun Alert Notification -- OpenSSL Vulnerabilities in Sun Grid Engine 5.3
  Australian Computer Emergency Response Team (AusCERT)
  December 24, 2003