Posts Tagged ‘arbitrary code execution’
Wednesday, December 11, 2013 @ 05:12 PM gHale
Adobe patched holes in its Flash Player and Shockwave Player Tuesday, including one that already has an exploit chomping at the bit.
“These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content exists for CVE-2013-5331,” the company said in a security advisory.
That CVE (Common Vulnerabilities and Exposures) ID refers to a type confusion vulnerability fixed in the new version of Flash Player. A memory corruption flaw tracked as CVE-2013-5332 also ended up fixed. If exploited successfully, both vulnerabilities can lead to arbitrary code execution allowing attackers to take control of the affected systems.
Some mitigation for this type of exploit has existed since Flash 11.6, which introduced a click-to-play feature that requires users to confirm the playback of Flash content embedded in documents opened in Microsoft Office versions older than Office 2010.
Tuesday’s update, though, moved the Windows and Macintosh versions of Flash Player to version 11.9.900.170, and the Linux version to 18.104.22.1682. The Flash Player versions bundled with Google Chrome, Internet Explorer 10 and Internet Explorer 11 will automatically update through those browsers’ update mechanisms.
The two Flash Player vulnerabilities were also fixed in Adobe AIR, a runtime for rich Internet applications that has Flash support. The patches are included in Adobe AIR version 22.214.171.1240 for Windows, Mac and Android.
Adobe Shockwave Player version 126.96.36.199 for Windows and Mac was also released Tuesday to resolve two different memory corruption vulnerabilities—CVE-2013-5333 and CVE-2013-5334—that could lead to arbitrary code execution. Shockwave Player is not as widespread as Flash Player, but Adobe said it is installed on over 450 million desktop computers, which makes it a big target for attackers.
Monday, September 23, 2013 @ 05:09 PM gHale
The Apple iOS 7 update came out with some fanfare, but more importantly it brought in 80 security fixes.
The update fixes problems that could lead to a denial of service attack or trigger unexpected application termination or arbitrary code execution on devices like an iPad, iPod Touch or iPhone running an out-of-date OS.
Some of what security experts were calling the bigger flaws Apple fixed included two passcode bypass flaws: one (CVE-2013-0957) that could allow an attacker to break an app in the third-party sandbox and determine the user’s passcode, and a second (CVE-2013-5147) that exploited the way the iPhone handled calls to bypass the screen lock in iOS 6.1.
Another similar data privacy vulnerability was one that could allow an attacker to intercept user credentials by compromising a TrustWave certificate (CVE-2012-5134). TrustWave issued and subsequently revoked the faulty sub-CA certificate.
Four Safari bugs, including a problem where the browser’s history remained visible even after it had been cleared, were also fixed. There was also a memory corruption problem in the way Safari handled XML files and a cross-site scripting flaw on sites that allow users to upload files.
Apple also addressed several vulnerabilities reported last year, all of them arbitrary code execution bugs in the libxml and libxslt libraries.
Tuesday, September 17, 2013 @ 05:09 PM gHale
Apple pushed out patches last week, updating OS X Mountain Lion to 10.8.5, improving “stability, compatibility and security” and fixing 30 different vulnerabilities in the operating system.
The update fixes multiple vulnerabilities in Apache that could have led to cross-site scripting and vulnerabilities in BIND that could have led to a denial of service attack. Other fixes, in components such as PostgreSQL, PHP and OpenSSL, addressed errors that could have led to arbitrary code execution, data corruption or privilege escalation.
Apple also updated its Certificate Trust Policy, adding and removing several root certificates from the list of trusted system roots. Apple also patched its Installer function, which previously presented a dialog to let the user continue when it encountered a revoked certificate. Now, the system refuses any revoked package.
The update also resolved the previously reported sudo vulnerability. An attacker could gain root privileges on a system where sudo, a command that manages user privileges on Linux and other Unix-like systems, had been used before. “On OS X, only admin users can change the system clock. This issue was addressed by checking for an invalid timestamp,” read the security document released with the patches Thursday.
10.8.5 is likely the last update Apple users will see for the company’s “cat” series (Lion, Mountain Lion, etc) of operating systems. The next iteration of Apple’s OS, Mavericks, is on tap for release at the end of October.
On the security front, Apple has already announced in its Core Technologies Overview (.PDF) that Mavericks will feature more finely tuned Address Space Layout Randomization (ASLR), compressed memory, sandboxes and code signing entitlements.
Monday, May 13, 2013 @ 10:05 AM gHale
Open source web server application developer NGINX released an updated stable version 1.4.1 and development version 1.5.0 to fix a major security flaw.
A stack-based buffer overflow can occur in worker processes when handling specially crafted requests – the overflow could end up exploited in such a way that it could lead to arbitrary code execution.
The flaw, now identified as CVE-2013-2028, appeared in NGINX 1.3.9, a development branch of the server released in November 2012, and appears to have persisted through development to still be present in April’s release of the new stable version. A patch is also available for the flaw, which Greg MacManus of iSIGHT Partners Labs discovered.
The updated versions are available to download from the NGINX site.
Given that 1.4.0 has only been available for a few weeks, many sites will likely be running the unaffected older stable branch of NGINX – 1.2 – originally published in April 2012, for which the most recent bug-fix release is version 1.2.8, published at the start of April. This is now a legacy version of NGINX.
Thursday, January 17, 2013 @ 08:01 PM gHale
Schneider Electric found issues with an Authenticated Communication Risk vulnerability in the Schneider Electric Software Update utility (SESU), according to a report from ICS-CERT.
The SESU is a centralized mechanism for updating Schneider Electric software on Windows PCs. Schneider Electric updated the SESU client in January 2013 to use HTTPS, which resolves this vulnerability. This remotely exploitable vulnerability was reported to Schneider Electric by security researcher Arthur Gervais.
The following products and versions suffer from the issue:
• Unity Pro, V5.0 L, M, S, XL,
• Unity Pro, V6.0 L, M, S, XL,
• Unity Pro, V6.1 L, M, S, XL,
• Unity Pro, V0 L, M, S, XL, XLS,
• Vijeo Designer V6.0.x, V6.1.0.x, V5.0.0.x, V5.1.0.x,
• Vijeo Designer Opti V6.0.x, V5.1.0.x, V5.0.0.x,
• Web Gate Client Files V5.1.x,
• IDS V1.0, V2.0,
• PowerSuite 2.5,
• Smart Widget Acti 9 V188.8.131.52,
• Smart Widget H8035 V184.108.40.206,
• Smart Widget H8036 V220.127.116.11,
• Smart Widget PM201 V18.104.22.168,
• Smart Widget PM710 V22.214.171.124,
• Smart Widget PM750 V126.96.36.199,
• SoMachine V1.2.1,
• Spacail.pro V1.0.0.x, and
• SESU V1.0.x, V1.1.x
Successfully exploiting this vulnerability could result in arbitrary code execution.
Schneider Electric is a manufacturer and integrator of energy management equipment and software. According to Schneider Electric, their products see use in energy, industry, and building automation worldwide.
Schneider Electric software on the customer PC uses the SESU service as the mechanism of communication with the Schneider Electric central update server in order to receive periodic software updates. The SESU client on the customer PC does not check the authenticity of the origin. By redirecting messages to Port 80/TCP on an unauthorized source, an attacker could execute arbitrary code on a vulnerable system that could result in loss of availability, integrity, and confidentiality.
CVE-2013-0655 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
An attacker with a medium skill level would be able to exploit this vulnerability.
Schneider Electric has produced a customer notification that contains mitigations to resolve this vulnerability. In order to resolve the vulnerability with the software server, Schneider Electric has taken the following actions:
1. The SESU server has been updated to the latest version. Currently, HTTP and HTTPS are supported in parallel; HTTPS ensures signed communication.
2. The new SESU client, updated as of January 2013, uses HTTPS instead of HTTP. The new version of the SESU client will be available to customers for distribution via the SESU mechanism in January 2013.
3. Customers can also use an updated software product CD that will contain the updated SESU client, when the CD becomes available. Contact your local support desk for details.
4. While both HTTP and HTTPS SESU client functionality are supported for now, in May the HTTP port of the SESU server will be disabled. From then on only HTTPS will be supported for SESU client updates, which mitigates this vulnerability.
Thursday, November 29, 2012 @ 04:11 PM gHale
There is an alert warning users of Samsung printers and some Dell printers manufactured by Samsung about the presence of a hardcoded account that could allow remote attackers to access an affected device with administrative privileges.
This privileged access could also change the device configuration, access sensitive information stored on it (credentials, network configuration, etc.), and even mount additional attacks through arbitrary code execution, according to a report on US-CERT.
The hardcoded account is present in all printers released before October 31, 2012. Samsung is not rushing out a patch, saying it will come out “later this year.”
“As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from accessing an SNMP interface using the affected credentials from a blocked network location,” US-CERT said, especially because the hardcoded account remains active even if SNMP is disabled in the printer management utility.
Samsung said it is aware of and has resolved the security issue affecting Samsung network printers and multifunction devices. The issue affects devices only when SNMP is enabled, and is resolved by disabling SNMP.
“We take all matters of security very seriously and we are not aware of any customers who have been affected by this vulnerability,” officials said in a statement.
Samsung will release updated firmware for all current models by November 30, with all other models receiving an update by the end of the year.
Wednesday, October 31, 2012 @ 08:10 AM gHale
Mozilla released a Firefox 16.0.2 update for its browser to close critical security holes.
The flaws center on the location object; the three problems, assigned CVE-2012-4194, CVE-2012-4195 and CVE-2012-4196, were fixed in the updates. The flaws also affect Thunderbird 16 to a more limited extent, so a Thunderbird 16.0.2 update was also released.
Enterprise ESR versions of the browser and email client also suffer from the problem; a 10.0.10 update for Firefox ESR and Thunderbird ESR has also been released, along with a 2.13.2 update of SeaMonkey.
Researcher Mariusz Mlynski discovered that the true value of window.location could be shadowed, which could enable a cross-site scripting (XSS) attack in conjunction with some plugins.
Mozilla security researcher moz_bug_r_a4 found that using CheckURL on window.location could force a return to the wrong calling document, also enabling an XSS attack; there was also a possibility of arbitrary code execution via any add-on that interacted with page content.
In addition, Antoine Delignat-Lavaud of the PROSECCO research team at INRIA found it was possible to inject properties into the Location object, exposing it to cross-origin reading. Further details of the bugs were not immediately available.
Updates are available through Firefox and Thunderbird’s standard update mechanism and should deliver automatically to users.
To force an update, open the About window of the particular application, which will trigger a check for and download of any pending update.
Friday, September 7, 2012 @ 04:09 PM gHale
RealFlex created an upgrade that resolves the uncontrolled search path element vulnerability, or DLL hijack, in its RealWinDemo application.
Independent researcher Carlos Mario Penagos Hollmann, who found the vulnerability, validated the fix resolves the issue.
The RealFlex products affected are:
• RealWinDemo 2.1.12 and prior,
• RealWin 2.1.12 and prior, and
• FlexView 3.1.85 and prior.
Successful exploitation of this vulnerability may lead to arbitrary code execution.
RealWinDemo is a Microsoft Windows-based human-machine interface/supervisory control and data acquisition (HMI/SCADA) software package that primarily sees use for customer demonstration purposes. It also sees use in small automation projects using standard protocols such as Modbus.
RealWin is primarily a demo product to generate sales of the RealFlex 6 SCADA product. RealWin is in production on projects in Nigeria, USA, India, Philippines, Saudi Arabia, and Mexico.
RealWinDemo uses an uncontrolled search path to find resources, which could allow an unauthorized user to locate and exploit one or more of those locations. An unauthorized user could place a malicious DLL in a directory where it would load before the valid DLL. An attacker must have access to the host file system to exploit this vulnerability. If exploited, this vulnerability could allow execution of arbitrary code. CVE-2012-3004 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.2.
This vulnerability is not remotely exploitable and cannot be exploited without user interaction. The exploit only triggers when a local user runs the vulnerable application and loads a malicious realwin.dll or keyhook.dll file.
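To make the search-path mechanism concrete, here is an added example (not code from the advisory or from RealFlex) that simulates the documented Windows DLL search order for the two library names the advisory mentions and flags any DLL whose first match is not where it is expected to live. The directory layout, the "legitimate" locations in EXPECTED and the planted file are all constructed assumptions for illustration.

```python
import os
import tempfile
from pathlib import Path

# Windows DLL search order (SafeDllSearchMode on): application directory,
# System32, Windows directory, current working directory, then PATH entries.
# With SafeDllSearchMode off, the current directory moves up to second place.
SEARCH_ORDER = {
    True: ["app_dir", "system32", "windows", "cwd", "path"],
    False: ["app_dir", "cwd", "system32", "windows", "path"],
}
TARGET_DLLS = ["realwin.dll", "keyhook.dll"]  # names from the advisory
# Assumed legitimate home of each DLL (hypothetical; the advisory does not say).
EXPECTED = {"realwin.dll": "app_dir", "keyhook.dll": "path"}

def resolve_dll(name, dirs, safe_mode=True):
    """Return (label, path) of the first directory in search order holding name."""
    for label in SEARCH_ORDER[safe_mode]:
        for d in dirs.get(label, []):
            candidate = Path(d) / name
            if candidate.is_file():
                return label, str(candidate)
    return None, None

def audit(dirs, expected=EXPECTED, safe_mode=True):
    """Flag every target DLL whose first match is not where it is expected."""
    findings = {}
    for name in TARGET_DLLS:
        label, path = resolve_dll(name, dirs, safe_mode)
        findings[name] = {"found_in": label, "path": path,
                          "hijack_risk": label is not None and label != expected[name]}
    return findings

def build_layout(root):
    """Constructed layout: realwin.dll in the app directory, keyhook.dll in a
    PATH directory, plus a planted keyhook.dll in the current directory."""
    dirs = {k: [os.path.join(root, k)] for k in SEARCH_ORDER[True]}
    for d in dirs.values():
        os.makedirs(d[0])
    Path(dirs["app_dir"][0], "realwin.dll").write_bytes(b"legit")
    Path(dirs["path"][0], "keyhook.dll").write_bytes(b"legit")
    Path(dirs["cwd"][0], "keyhook.dll").write_bytes(b"planted")  # constructed
    return dirs

def demo():
    """Build the constructed layout in a temp dir and return the audit result."""
    with tempfile.TemporaryDirectory() as root:
        return audit(build_layout(root))
```

Because the current directory is searched before PATH, the planted keyhook.dll wins while realwin.dll still resolves from the application directory; the same audit run with safe_mode=False shows the current directory overtaking System32 as well.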
RealFlex has produced an updated version that resolves the issue. Customers may log in to download an updated version of the following products:
• RealWin 2.1.13,
• FlexView 3.1.86, and
• RealWinDemo 2.1.13.