Adobe and Microsoft Issue Critical Security Updates
Microsoft Security Updates:
As of yesterday, Microsoft has issued two critical, three important, and one moderate-rated security patches in the July edition of Microsoft’s Patch Tuesday. The security updates address 29 severe vulnerabilities in the Windows operating system, Internet Explorer browser, and server software
Microsoft’s security bulletin rated ‘critical‘, are updates to the Internet Explorer browser and a fix to a remote code execution bug in Windows Journal ( CVE-2014-1824). The ‘important‘ rated bulletin resolve vulnerabilities in the on-screen keyboard, ancillary function driver, and DirectShow, each of which could be exploited leading to privilege escalation. Finally, the ‘moderate‘ rated bulletin patches a denial of service bug in Microsoft’s service bus.
In the update log, only one vulnerability was publicly disclosed while 23 vulnerabilities were left privately disclosed in the latest Internet Explorer update. A critical vulnerability could have enabled remote code execution if a user were to view a specifically crafted malicious webpage while using Internet Explorer. If exploited, the attacker would have the same user-rights on the victims computer, meaning low-level computers would give minimal access to possibly sensitive data.
The other ‘critical‘ bulletin patches a privately reported vulnerability in Microsoft Windows, which could be successfully exploited if a user opens a malicious Journal file. Similar to the other vulnerability, it relies on the victims user-rights.
Adobe Security Updates:
Yesterday, Adobe released an update for Flash Player that patches a critical vulnerability discovered by Google engineer, Michele Spagnuolo.
Largely trafficked websites such as eBay, Instagram, Tumblr, and others use JSON with Padding or JSONP which are vulnerable to an exploit by a new proof-of-concept exploit tool released yesterday, regarding Adobe Flash Player. Internet giants such as Google, YouTube and Twitter have already fixed the vulnerabilities on their end.
Spagnuolo’s tool dubbed, ‘Rosetta Flash‘, coverts binary SWF files into a file made up of strictly alpha numeric characters. Websites that accept SWF uploads could allow an attacker to use the tool to covert a malicious SWF file, so that it can be passed as a JSONP callback and then reflect on the endpoint, Spagnuolo wrote in a blog post. He also noted that a vulnerable endpoint could be forced to perform an arbitrary request to a vulnerable domain and loose data to an attacker-controlled domain.
“This is a well-known issue in the infosec community, but so far no public tools for generating arbitrary ASCII-only, or, even better, alphanum only, valid SWF files have been presented,” Spagnuolo said. “This led websites owners and even big players in the industry to postpone any mitigation until a credible proof of concept was provided.”
Rosetta Flash requires three factors to operate, SWF files must perform GET and POST requests with a cookie to the host domain without a crossdomain.xml check in place, JSONP must be supported as it allows the attacker to control the first bytes of output by specifying the callback parameter in the request URL, and SWF files embedded on the attacker’s domain using a content-type forcing <object> tag in order to execute the converted file as flash.
“This is why allowing users to upload a SWF file on a sensitive domain is dangerous: by uploading a carefully crafted SWF, an attacker can make the victim perform requests that have side effects and exfiltrate sensitive data to an external, attacker-controlled, domain,” Spagnuolo said.
For Rosetta Flash to convert the binary SWF file to alphanumeric, the tool uses a mashup of zlib compression, Huffman encoders, and ADLER23 checksum brute-forcing to map legitimate bytes that are not normally allowed in a flash file.
“Naturally, since we are mapping a wider charset to a more restrictive one, this is not a real compression, but an inflation,” Spagnuolo said. “We are effectively using Huffman as a Rosetta stone.”
The Adobe Flash Player update 14.0.0.125 and 11.2.202.378 patch three CVE’s and two others in addition to Spagnuolo’s issue, all which are rated critical for Windows and Mac.
- CVE-2014-0537
- CVE-2014-0539
- CVE-2014-4671
“These updates include additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs,” Adobe said in its advisory.
- To check your version of flash: https://www.adobe.com/software/flash/about/
- Even if the auto-updater is on, it may be multiple days or weeks, recommended to manually upgrade: https://www.adobe.com/products/flashplayer/distribution3.html
- Adobe also has an automatic install tool (beware of unwanted cross-checked installs): http://get.adobe.com/flashplayer/
