Category Archives: Vulnerability Management

APSB13-14 – Adobe Flash May 2013 Security Bulletin Review

Adobe released, on May 14th 2013, as part of its May Patch Tuesday, one Adobe Flash security bulletin dealing with 13 vulnerabilities. This security bulletin has a Critical severity rating. All of the associated vulnerabilities have a 10.0 CVSS base score.

APSB13-14 concerns:

  • Adobe Flash Player 11.7.700.169 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.280 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.54 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.50 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.7.0.1530 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.7.0.1660 and earlier versions for Android
  • Adobe AIR 3.7.0.1530 SDK & Compiler and earlier versions

CVE-2013-2728 (10.0 CVSS base score), CVE-2013-3324 (10.0 CVSS base score), CVE-2013-3325 (10.0 CVSS base score), CVE-2013-3326 (10.0 CVSS base score), CVE-2013-3327 (10.0 CVSS base score), CVE-2013-3328 (10.0 CVSS base score), CVE-2013-3329 (10.0 CVSS base score), CVE-2013-3330 (10.0 CVSS base score), CVE-2013-3331 (10.0 CVSS base score) and CVE-2013-3332 (10.0 CVSS base score) were discovered and privately reported by Mateusz Jurczyk and Ben Hawkes of the Google Security Team.

CVE-2013-3333 (10.0 CVSS base score), CVE-2013-3334 (10.0 CVSS base score) and CVE-2013-3335 (10.0 CVSS base score) were discovered and privately reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security Team.

Microsoft May 2013 Patch Tuesday Review

Microsoft released, on May 14th 2013, as part of its May Patch Tuesday, two updated security advisories, two new security advisories and ten security bulletins. Two of the ten security bulletins have a Critical severity rating.

Microsoft Security Advisory 2755801

MSA-2755801, released in September 2012, has been updated. The security advisory concerns updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10. KB2840613 has been released for supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security Bulletin APSB13-14.

Microsoft Security Advisory 2820197

The MSA-2820197 update includes kill bits that prevent the Honeywell Enterprise Buildings Integrator, SymmetrE and ComfortPoint Open Manager ActiveX controls from being run in Internet Explorer.

Microsoft Security Advisory 2846338

MSA-2846338 concerns a privately reported security vulnerability, CVE-2013-1303 (9.3 CVSS base score), in the Microsoft Malware Protection Engine that could allow remote code execution if the engine scans a specially crafted file. This vulnerability had been publicly disclosed as a denial of service. Only x64-based versions of the Malware Protection Engine are affected.

Microsoft Security Advisory 2847140

MSA-2847140, released May 3rd 2013, has been updated. The security advisory concerns a Microsoft Internet Explorer 8 remote code execution vulnerability (CVE-2013-1347) used in targeted attacks against the United States Department of Labor (DOL) Site Exposure Matrices (SEM) website and other websites. Microsoft has issued MS13-038 to address the vulnerability.

MS13-037 Cumulative Security Update for Internet Explorer

The MS13-037 security update, classified as Critical and addressing remote code execution, fixes 11 privately reported vulnerabilities in Internet Explorer 6, 7, 8, 9 and 10. The vulnerabilities were discovered and privately reported as follows:

  • CVE-2013-1297 (4.3 CVSS base score): Yosuke Hasegawa.
  • CVE-2013-0811 (9.3 CVSS base score): Jose Antonio Vazquez Gonzalez, working with VeriSign iDefense Labs.
  • CVE-2013-1306 and CVE-2013-1309 (9.3 CVSS base score each): SkyLined, working with HP’s Zero Day Initiative.
  • CVE-2013-1307 (9.3 CVSS base score): Ivan Fratric of the Google Security Team.
  • CVE-2013-1308 (9.3 CVSS base score): [email protected], working with HP’s Zero Day Initiative.
  • CVE-2013-1310 (9.3 CVSS base score): Yuhong Bao.
  • CVE-2013-1311 (9.3 CVSS base score): Scott Bell of Security-Assessment.com.
  • CVE-2013-1312 (9.3 CVSS base score): Stephen Fewer of Harmony Security.
  • CVE-2013-1313 (9.3 CVSS base score): VUPEN Security (Pwn2Own 2013), working with HP’s Zero Day Initiative.

MS13-038 Security Update for Internet Explorer

The MS13-038 security update, classified as Critical and addressing remote code execution, fixes one publicly disclosed vulnerability in Internet Explorer 8. CVE-2013-1347 (9.3 CVSS base score) was discovered being exploited in the wild in targeted attacks.

MS13-039 Vulnerability in HTTP.sys Could Allow Denial of Service

The MS13-039 security update, classified as Important, fixes one privately reported denial-of-service vulnerability in Microsoft Windows. CVE-2013-1305 (5.0 CVSS base score) was discovered and privately reported by Marek Kroemeke, 22733db72ab3ed94b5f8a1ffcde850251fe6f466 and AKAT-1, working with HP’s Zero Day Initiative.

MS13-040 Vulnerabilities in .NET Framework Could Allow Spoofing

The MS13-040 security update, classified as Important, fixes one privately reported and one publicly disclosed spoofing vulnerability in the .NET Framework. CVE-2013-1336 (5.0 CVSS base score) was discovered and privately reported by James Forshaw of Context Information Security. CVE-2013-1337 (7.5 CVSS base score) was publicly disclosed.

MS13-041 Vulnerability in Lync Could Allow Remote Code Execution

The MS13-041 security update, classified as Important and addressing remote code execution, fixes one privately reported vulnerability in Microsoft Lync. CVE-2013-1302 (9.3 CVSS base score) was discovered and privately reported.

MS13-042 Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution

The MS13-042 security update, classified as Important and addressing remote code execution, fixes 11 privately reported vulnerabilities in Microsoft Office. CVE-2013-1316 (9.3 CVSS base score), CVE-2013-1317 (9.3 CVSS base score), CVE-2013-1318 (10.0 CVSS base score), CVE-2013-1319 (10.0 CVSS base score), CVE-2013-1320 (10.0 CVSS base score), CVE-2013-1321 (9.3 CVSS base score), CVE-2013-1322 (10.0 CVSS base score), CVE-2013-1323 (9.3 CVSS base score), CVE-2013-1327 (9.3 CVSS base score), CVE-2013-1328 (9.3 CVSS base score) and CVE-2013-1329 (9.3 CVSS base score) were discovered and privately reported by Will Dormann of the CERT/CC.

MS13-043 Vulnerability in Microsoft Word Could Allow Remote Code Execution

The MS13-043 security update, classified as Important and addressing remote code execution, fixes one privately reported vulnerability in Microsoft Office. CVE-2013-1335 (9.3 CVSS base score) was discovered and privately reported by Will Dormann of the CERT/CC.

MS13-044 Vulnerability in Microsoft Visio Could Allow Information Disclosure

The MS13-044 security update, classified as Important, fixes one privately reported information disclosure vulnerability in Microsoft Office. CVE-2013-1301 (4.3 CVSS base score) was discovered and privately reported by Timur Yunusov of Positive Technologies.

MS13-045 Vulnerability in Windows Essentials Could Allow Information Disclosure

The MS13-045 security update, classified as Important, fixes one privately reported information disclosure vulnerability in Windows Essentials. CVE-2013-0096 (6.8 CVSS base score) was discovered and privately reported by Andrea Micalizzi, working with Beyond Security’s SecuriTeam Secure Disclosure team.

MS13-046 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege

The MS13-046 security update, classified as Important, fixes three privately reported elevation of privilege vulnerabilities in Microsoft Windows. CVE-2013-1332 (7.2 CVSS base score) was discovered and privately reported by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google Inc. CVE-2013-1333 (7.2 CVSS base score) was discovered and privately reported by Qihoo 360 Security Center. CVE-2013-1334 (7.2 CVSS base score) was discovered and privately reported by an anonymous researcher, working with the iDefense VCP.

Oracle Java Critical Patch Update April 2013 Review

Oracle has published its Java Critical Patch Update (CPU) for April 2013, released on Tuesday, April 16. Of the 42 security vulnerabilities fixed in this CPU, 39 may be remotely exploitable. The highest CVSS base score among the vulnerabilities in this CPU is 10.0.

This update fixes the vulnerabilities exploited by James Forshaw (tyranid), Joshua J. Drake and VUPEN Security during Pwn2Own 2013. It also fixes vulnerabilities reported by Adam Gowdiak of Security Explorations and by other security researchers.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score reported vulnerabilities. But, as you may also know, security researchers disagree with the way Oracle applies CVSS: Oracle bends the scores by introducing a “Partial+” impact rating that does not exist in CVSS 2.0, and by interpreting the “Complete” rating differently from its CVSS 2.0 definition.

Affected products are:

  • JDK and JRE 7 Update 17 and earlier
  • JDK and JRE 6 Update 43 and earlier
  • JDK and JRE 5.0 Update 41 and earlier
  • JavaFX 2.2.7 and earlier

Proposed updates are:

  • JDK and JRE 7 Update 21
  • JDK and JRE 6 Update 45
  • JDK and JRE 5.0 Update 43
  • JavaFX 2.2.21
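Both the Adobe and the Oracle bulletins above express their scope as "<version> and earlier versions", so the vulnerability-management task is to compare each installed version against that threshold. The following Python script is an added example, not the blog's own code: it generalises the two per-product lists (Flash APSB13-14 thresholds and the Java CPU families) into a numeric version comparison, which is where ad-hoc string comparison goes wrong. The inventory rows, the hostnames and the Flash build 11.7.700.300 are constructed sample data.

```python
import re

# Affected-version thresholds quoted in the bulletins above. Both vendors phrase
# them as "<version> and earlier versions", so a version is affected when it
# compares less than or equal to the threshold.
FLASH_APSB13_14_AFFECTED_MAX = {
    "windows": "11.7.700.169",   # also Macintosh
    "linux": "11.2.202.280",
    "android4": "11.1.115.54",
    "android2_3": "11.1.111.50",
}
# JDK/JRE family -> last affected Update number, and the Update that fixes it.
JAVA_CPU_APR2013_AFFECTED_MAX = {7: 17, 6: 43, 5: 41}
JAVA_CPU_APR2013_FIXED = {7: 21, 6: 45, 5: 43}


def parse_dotted(version):
    """Turn '11.7.700.169' into (11, 7, 700, 169) so that components compare
    numerically. Comparing the raw strings would rank '11.10.x' below '11.7.x'
    and silently mark a newer build as affected."""
    return tuple(int(part) for part in version.strip().split("."))


def flash_is_affected(installed, platform):
    """True when the installed Flash build is within the affected range for the
    given platform (keys of FLASH_APSB13_14_AFFECTED_MAX)."""
    threshold = FLASH_APSB13_14_AFFECTED_MAX[platform]
    return parse_dotted(installed) <= parse_dotted(threshold)


# Accepts the forms a fleet inventory typically reports for Java:
# '1.7.0_17' (java -version), '7u17', '7 Update 17', '5.0 Update 41', '1.6.0_45-b06'.
_JAVA_RE = re.compile(
    r"^(?:1\.)?(?P<family>\d)(?:\.0)?(?:_|u|\s*update\s*)(?P<update>\d+)(?:-.*)?$",
    re.IGNORECASE,
)


def parse_java(version):
    """Return (family, update) for a Java version string, or raise ValueError."""
    m = _JAVA_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    return int(m.group("family")), int(m.group("update"))


def java_is_affected(installed):
    family, update = parse_java(installed)
    if family not in JAVA_CPU_APR2013_AFFECTED_MAX:
        return False   # family not listed in this CPU; out of scope here
    return update <= JAVA_CPU_APR2013_AFFECTED_MAX[family]


# Constructed sample inventory (host, product, platform, installed version).
SAMPLE_INVENTORY = [
    ("ws-01", "flash", "windows", "11.7.700.169"),   # exactly the last affected build
    ("ws-02", "flash", "windows", "11.7.700.300"),   # constructed newer build
    ("srv-03", "flash", "linux", "11.2.202.275"),
    ("ws-04", "java", None, "1.7.0_17"),
    ("ws-05", "java", None, "7u21"),
    ("legacy-06", "java", None, "1.5.0_41"),
]


def assess_inventory(inventory):
    """Return one finding per host: whether it is affected and what to apply."""
    findings = []
    for host, product, platform, installed in inventory:
        if product == "flash":
            affected = flash_is_affected(installed, platform)
            remediation = "apply APSB13-14 update" if affected else "none"
        elif product == "java":
            affected = java_is_affected(installed)
            if affected:
                family = parse_java(installed)[0]
                remediation = f"update to Java {family} Update {JAVA_CPU_APR2013_FIXED[family]}"
            else:
                remediation = "none"
        else:
            raise ValueError(f"unknown product {product!r}")
        findings.append({"host": host, "product": product, "installed": installed,
                         "affected": affected, "remediation": remediation})
    return findings


if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        flag = "AFFECTED" if f["affected"] else "ok"
        print(f"{f['host']:<10} {f['product']:<6} {f['installed']:<14} {flag:<9} {f['remediation']}")
```

The boundary case matters: a host on exactly 11.7.700.169 is still affected, because the bulletin says "and earlier versions", so the comparison is `<=` rather than `<`. For Java the script maps `java -version` output (1.7.0_17) and the "7 Update 17" wording used by Oracle onto the same (family, update) pair before comparing.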

19 (45.24%) of the vulnerabilities have a CVSS base score of 10.0; 28 (66.67%), including those 19, have a high CVSS base score (CVSS >= 7.0), 13 (30.95%) have a medium CVSS base score (4.0 <= CVSS < 7.0) and 1 (2.38%) has a low CVSS base score (CVSS < 4.0). Also, 25 (59.52%) of the vulnerabilities affect Java SE 6 and 42 (100%) affect Java SE 7.

The Security Levels provided by Oracle have also been modified. Previously there were five levels (Very-High, High, Medium, Low and Custom); in the new version only three remain (Very-High, High and Medium).

[Image: Oracle Java Update 21 Security Levels]


But (there is always a but with Oracle) they do not seem to have enabled, by default, certificate revocation checking using Certificate Revocation Lists (CRLs), even though attackers are known to sign malware with stolen certificates that were valid at the time and have since been revoked.

[Image: Oracle Java Update 21 CRL checks]

So, if you still have the Oracle Java plug-in installed, we advise you to update as soon as possible and to enable the CRL check.

APSB13-11 – Adobe Flash April 2013 Security Bulletin Review

Adobe released, on April 9th 2013, as part of its April Patch Tuesday, one Adobe Flash security bulletin dealing with four vulnerabilities. This security bulletin has a Critical severity rating.

APSB13-11 – Security updates available for Adobe Flash Player

APSB13-11 concerns:

  • Adobe Flash Player 11.6.602.180 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.275 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.48 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.44 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.6.0.6090 and earlier versions for Windows, Macintosh and Android
  • Adobe AIR 3.6.0.6090 SDK & Compiler and earlier versions

CVE-2013-1378 (7.5 CVSS base score), CVE-2013-1379 (7.5 CVSS base score) and CVE-2013-1380 (7.5 CVSS base score) were discovered and privately reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security Team. CVE-2013-2555 (10.0 CVSS base score) was discovered and privately reported by VUPEN Security through TippingPoint’s Zero Day Initiative.