Archive for the Advisories Category

It's getting boring.

Current Flash Player version ( for the general public, for Chrome users) is affected by a remote code execution vulnerability which is reported as being exploited in the wild.

Since Adobe Reader X (the newest version with "protected" mode) is vulnerable but not exploitable, Adobe doesn't plan an out-of-band patch: looks like browser users are second-class citizens.

As usual, you can outright disable the Flash plugin or use NoScript's active content blocking (not FlashBlock, please).


I know, it's getting ridiculous, so here's a news report about the new unpatched vulnerabilities being exploited in the wild, and here's my old commentary about the old ones, which is still valid as it will always be, I'm afraid, until Adobe's plugins finally fade away...

The Adobe Flash Player, current version and below, is affected by a critical vulnerability which, according to Adobe's Security Advisory APSA10-03, is being actively exploited in the wild. A patch won't be available until September the 27th, which means the 3 or 4 Flash users out there are left in the cold, under attack for two weeks at least.

In the meanwhile, the only mitigation measures available are either disabling Flash outright or using NoScript.
At any rate, relying on the "FlashBlock" extensions for your security is not a good idea, neither on Firefox nor on Chrome: these toys are great against annoyances, but too easy to circumvent to be hacker-proof. Unfortunately you can always find naive advices in the press...

If you believe that building your whitelist of websites trusted to run scripts is too tiresome, please consider this: after 2 or 3 days of training, NoScript will know enough about your browsing habits to amost vanish in the background. Moreover, latest versions feature a true "one click" UI which further reduces your initial effort, because now the contextual menu is shown as soon as you just hover over NoScript's icon, allows you to switch multiple permissions at once and disappears as your mouse moves away. However, if you're an irreducible who wants JavaScript to run free everywhere, you can still emulate a safer "FlashBlock mode" by using NoScript's (not recommended) Allow Scripts Globally command after having checked NoScript Options|Embeddings|Apply these restrictions to trusted sites as well.

Talking about mitigation, I heard much fanfare (even on ./) about Microsoft's Enhanced Mitigation Toolkit (EMET) 2.0 being able to prevent exploitation of another 0 day affecting Adobe Acrobat Reader. Unfortunately at this moment I had no success at downloading this fabulous tool by following the available links, but this probably just means I'm low on caffeine. Could anybody point me to a working and trusted EMET 2.0 download source? Update: the link from the MS blog was actually broken this morning, but now it's reachable as pointed out by a commenter.

Update 2010-09-20

Adobe rushed out version one week earlier than scheduled to patch this hole.

Some time ago we advised to uninstall the Microsoft .NET Framework assistant because it was breaking some Firefox extensions.
Windows Presentation Foundation Plugin in the Add-Ons Manager
Of course, as many noticed at that time, having add-ons from Microsoft installed into Firefox behind your back by a Windows update also expanded the attack surface of the Mozilla browser, by adding the possible (likely) vulnerabilities of Microsoft's technology to the mix. Ironically, this is the very argument used by Microsoft itself against Google Frame.

This easy precognition is reality now. According to Microsoft,

MS09-054 addresses an IE vulnerability (CVE-2009-2529), which was discovered and presented by Mark Dowd, Ryan Smith, and David Dewey at the BlackHat conference in July. [...]

A browse-and-get-owned attack vector exists. All that is needed is for a user to be lured to a malicious website. [...]

While the vulnerability is in an IE component, there is an attack vector for Firefox users as well.

The reason is that .NET Framework 3.5 SP1 installs a “Windows Presentation Foundation” plug-in in Firefox.
Via this plug-in it is possible to launch XBAP, and reach this vulnerability, from within Firefox.

The Windows Presentation Foundation plugin enables "XAML Browser Applications" (XBAPs) to run into your browser. Ironically, this appears to be Microsoft's late equivalent of Java Applets, with some ActiveX scent as a bonus (native code). Talk about lesson learned...

In order to protect yourself, open Tools|Add-ons|Plugins, select Windows Presentation Foundation, and click the Disable button.

An old Java vulnerability, already fixed 6 months ago in every Java implementation except Apple's, allows remote attackers (i.e. malicious web sites) to launch arbitrary code from Safari or Firefox with full user privileges, evading the Java applet sandbox on Mac OS X.

Here's the Slashdot's routine Apple+Java bashing with linked source articles.

At this moment, the easiest way to protect your Mac web browser is either turning off Java globally or... you know what ;)

Update Jun 15th

Three weeks later, Apple finally patched..

Bad Behavior has blocked 576 access attempts in the last 7 days.