Category Archives: Vulnerability Management

Adobe APSB12-19 Flash Player Update Review

On 21 August 2012, just one week after its Patch Tuesday release, Adobe released an out-of-band patch, APSB12-19, updating Flash Player 10.x and 11.x. This update corrects 6 vulnerabilities. All of them have a Critical severity rating, and 5 of the 6 have a CVSS base score of 10.0.

CVE-2012-4163, with a CVSS base score of 10.0, which could lead to code execution, was discovered and privately reported by Xu Liu of Fortinet’s FortiGuard Labs.

CVE-2012-4164, with a CVSS base score of 10.0, which could lead to code execution, was discovered and privately reported by Will Dormann of CERT.

CVE-2012-4165 and CVE-2012-4166, both with a CVSS base score of 10.0, which could lead to code execution, were discovered and privately reported by Honggang Ren of Fortinet’s FortiGuard Labs.

CVE-2012-4167, with a CVSS base score of 10.0, which could lead to code execution, was discovered and privately reported by Alexander Gavrun through iDefense’s Vulnerability Contributor Program.

CVE-2012-4168, with a CVSS base score of 4.3, which could lead to an information leak, was discovered and privately reported by Opera Software ASA.

Adobe August 2012 Patch Tuesday Review

On 14 August 2012, during its August Patch Tuesday, Adobe released three security bulletins dealing with 26 vulnerabilities. All these security bulletins have a Critical severity rating, and 23 of the 26 vulnerabilities have a CVSS base score of 10.0.

APSB12-16 – Security update for Adobe Reader and Acrobat

APSB12-16 concerns Adobe Reader and Acrobat X (10.1.3) and earlier versions for Windows and Macintosh. 20 vulnerabilities have been fixed in these updates; all of them are classified as Critical and allow code execution. 18 of the 20 vulnerabilities have a CVSS base score of 10.0.

CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159 and CVE-2012-4160 have been discovered and privately reported by Mateusz Jurczyk and Gynvael Coldwind, of the Google Security Team. All these vulnerabilities have a CVSS base score of 10.0.

CVE-2012-4147 (CVSS base score of 10.0), CVE-2012-4161 (CVSS base score of 7.5) and CVE-2012-4162 (CVSS base score of 7.5) have been discovered and privately reported by James Quirk.

CVE-2012-2051, with a CVSS base score of 10.0, has been discovered and privately reported by Mateusz Jurczyk of the Google Security Team.

CVE-2012-2049, with a CVSS base score of 10.0, has been discovered and privately reported by Pavel Polischouk of the Vulnerability Research team at TELUS Security Labs.

CVE-2012-2050, with a CVSS base score of 10.0, has been discovered and privately reported by an anonymous contributor working with Beyond Security’s SecuriTeam Secure Disclosure Program.

CVE-2012-4148, with a CVSS score of 10.0, has been discovered and privately reported by John Leitch at Microsoft and Microsoft Vulnerability Research (MSVR).

CVE-2012-1525, with a CVSS score of 10.0, has been discovered and privately reported by Nicolas Grégoire through iDefense’s Vulnerability Contributor Program.

Despite the high number of fixed vulnerabilities, Adobe Reader for Linux has not been updated, and there are still known vulnerabilities in the Windows and Macintosh versions. Adobe plans to release an out-of-band update for Adobe Reader for Linux before 27 August.

APSB12-17 – Security update for Adobe Shockwave Player

APSB12-17 concerns Adobe Shockwave Player 11.6.5.635 and earlier versions on Windows and Macintosh. 5 vulnerabilities have been fixed in these updates; all of them are classified as Critical and allow code execution. All these vulnerabilities have a CVSS base score of 10.0.

CVE-2012-2043, CVE-2012-2046 and CVE-2012-2047 have been discovered and privately reported by Honggang Ren of Fortinet’s FortiGuard Labs. All these vulnerabilities have a CVSS base score of 10.0.

CVE-2012-2045, with a CVSS base score of 10.0, has been discovered and privately reported by Will Dormann of CERT.

CVE-2012-2044, with a CVSS base score of 10.0, has been discovered and privately reported by suto.

APSB12-18 – Security update for Adobe Flash Player

APSB12-18 concerns Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and Linux.

CVE-2012-1535, with a CVSS base score of 9.3, has been found exploited in the wild in limited targeted attacks, distributed through a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows. But since 18 August a Metasploit module has been available, and it doesn’t require forging a malicious Word document. The Metasploit module currently focuses on Windows XP SP3 and is still quite unstable, but you should urgently update your Flash Player.

Microsoft August 2012 Patch Tuesday Review

On 14 August 2012, during its August Patch Tuesday, Microsoft released two security advisories and nine security bulletins. Of the nine security bulletins, six have a Critical security rating.

Microsoft Security Advisory 2661254

MSA-2661254 is a follow-up to the consequences of the Flame malware attacks. With it, Microsoft allows restricting the use of certificates with RSA keys less than 1024 bits in length. This MSA will be pushed as a security update during the October 2012 Patch Tuesday, so you have two months to assess the impact of this update. We strongly recommend that you test this MSA before pushing it to all your Windows systems; KB-2661254 lists known issues with this security update. For example, Internet Explorer will not allow access to a website that is secured by using an RSA certificate that has a key length of less than 1024 bits.
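One way to start that impact assessment is to inventory the certificate stores of a test machine for RSA keys under 1024 bits. The script below is an added example, not code from Microsoft or from the original post; the function name `Get-WeakRsaCertificate` and its parameters are hypothetical, and it assumes Windows PowerShell with the built-in `Cert:` provider.

```powershell
# Added example: list certificates whose RSA public key is shorter than the
# 1024-bit threshold named in MSA-2661254, so they can be reissued before
# the update is deployed. Function and parameter names are hypothetical.

function Get-WeakRsaCertificate {
    param(
        # Store roots to walk; both are standard Cert: provider locations.
        [string[]]$StoreRoot = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        [int]$MinimumBits = 1024
    )

    Get-ChildItem -Path $StoreRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_

            # Only RSA keys are in scope: OID 1.2.840.113549.1.1.1 is rsaEncryption.
            if ($cert.PublicKey.Oid.Value -ne '1.2.840.113549.1.1.1') { return }

            $bits = $cert.PublicKey.Key.KeySize
            if ($bits -lt $MinimumBits) {
                [pscustomobject]@{
                    # Strip the provider prefix, leaving e.g. LocalMachine\Root
                    Store      = $cert.PSParentPath -replace '^.*::', ''
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
}

# Report every affected certificate, grouped by the store it lives in.
Get-WeakRsaCertificate |
    Sort-Object Store, Subject |
    Format-Table -AutoSize -Wrap
```

The same certificate can appear in several stores, so the thumbprint column is the one to deduplicate on. Certificates presented by remote web servers are not in the local stores and have to be checked separately.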

Microsoft Security Advisory 2737111

MSA-2737111 deals with vulnerabilities in third-party code, the Oracle Outside In libraries, that affect Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and FAST Search Server 2010 for SharePoint. These Oracle vulnerabilities were patched during Oracle’s July 2012 quarterly patch cycle. The MS12-058 security bulletin addresses this issue for Microsoft Exchange. These Oracle Outside In vulnerabilities have also been publicly disclosed.

MS12-052 – Cumulative Security Update for Internet Explorer

The MS12-052 security update, classified as Critical and allowing remote code execution, is the fix for four privately reported vulnerabilities. CVE-2012-1526 has a CVSS base score of 9.3 and was discovered and privately reported by GWSlabs. CVE-2012-2521 has a CVSS base score of 9.3 and was discovered and privately reported by Derek Soeder. CVE-2012-2522 has a CVSS base score of 9.3 and was discovered and privately reported by Sung-ting Tsai and Ming-Chieh Pan of Trend Micro. CVE-2012-2523 has a CVSS base score of 9.3 and was discovered and privately reported by Cris Neckar of Google’s Chrome Security Team.

MS12-053 – Vulnerability in Remote Desktop Could Allow Remote Code Execution

The MS12-053 security update, classified as Critical and allowing remote code execution, fixes one vulnerability, CVE-2012-2526. This vulnerability has a CVSS base score of 9.3 and was discovered and privately reported by Edward Torkington.

MS12-054 – Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution

The MS12-054 security update, classified as Critical and allowing remote code execution, fixes four privately reported vulnerabilities. All these vulnerabilities were reported by Yamata Li. CVE-2012-1850 has a CVSS base score of 5.0. CVE-2012-1851, CVE-2012-1852 and CVE-2012-1853 have a CVSS base score of 10.0.

MS12-055 – Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

The MS12-055 security update, classified as Important and allowing elevation of privilege, fixes one vulnerability, CVE-2012-2527. This vulnerability has a CVSS base score of 7.2 and was discovered and privately reported by Matthew Jurczyk of Google Inc.

MS12-056 – Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution

The MS12-056 security update, classified as Important and allowing remote code execution, fixes one vulnerability, CVE-2012-2523. This vulnerability has a CVSS base score of 9.3 and was discovered and privately reported by Cris Neckar of Google’s Chrome Security Team.

MS12-057 – Vulnerability in Microsoft Office Could Allow Remote Code Execution

The MS12-057 security update, classified as Important and allowing remote code execution, fixes one vulnerability, CVE-2012-2524. This vulnerability has a CVSS base score of 9.3 and was discovered and privately reported by Andrei Costin.

MS12-058 – Vulnerabilities in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution

MS12-049 security update, classified as Critical and allowing remote code execution, fixes 13 vulnerabilities discovered in third-party code, the Oracle Outside In libraries. These vulnerabilities have been publicly disclosed.

MS12-059 – Vulnerability in Microsoft Visio Could Allow Remote Code Execution

The MS12-059 security update, classified as Important and allowing remote code execution, fixes one vulnerability, CVE-2012-1888. This vulnerability has a CVSS base score of 9.3 and was discovered and privately reported by Alexander Gavrun.

MS12-060 – Vulnerability in Windows Common Controls Could Allow Remote Code Execution

The MS12-060 security update, classified as Critical and allowing remote code execution, fixes one vulnerability, CVE-2012-1856. This vulnerability has a CVSS base score of 9.3 and was discovered and privately reported by an unknown security researcher.

Oracle Push Java SE 7 Update to Uninstall Version 6

The last release of Java SE 6, version 6 update 33 (1.6.0_33-b03), was published on 12 Jun 2012 during the quarterly Oracle Java CPU (Critical Patch Update). This CPU fixed 14 security vulnerabilities in previous JSE product versions 7, 6, 5 and 4. One of these vulnerabilities was CVE-2012-1723, which is currently used in the Blackhole exploit kit.

Metasploit exploitation demonstration of CVE-2012-1723

For the past few days you may have seen a notification on your system asking you to update Java.

By getting details on the update you will see that Java SE 7 update 5 (1.7_5) is available and that by installing this update your previous version of JSE will be removed. However, if you wish to keep Java 6 you will need to update from the offline Java installer to the latest version of JSE, which is version 7 update 5. Huh! What a choice: I have to update to version 7 or update to version 7.

As you may know, Java SE 6 will no longer be supported after November 2012. The last Java CPU update is planned for 2012, October 12. After November 2012, Oracle will no longer post updates of Java SE 6 to its public download sites. For enterprise customers who need continued access to critical bug fixes and security fixes as well as general maintenance for Java SE 6 or older versions, long-term support is available through Oracle Java SE Support. But it seems, through this forced Java SE update to version 7, that Java SE 6 update 33 was the last one.

So we encourage you to plan a mega release on your infrastructures, because Java SE 6 seems to be officially dead!