Posts Tagged ‘Mac’
Monday, November 18, 2013 @ 07:11 PM gHale
Adobe has been under fire this year for vulnerabilities, and the most recent fix to Flash Player is no different as it fixes security holes that could lead to compromise of the targeted system.
The new Flash Player 11.9.900.152 eliminates two memory corruption vulnerabilities (CVE-2013-5329 and CVE-2013-5330) that would allow an attacker to execute malicious native code on the targeted machine surreptitiously.
Adobe labeled both security updates as critical and have the highest priority rating (1) on Windows and Mac. This means administrators should install the latest version in the shortest time possible.
The company did not provide any information about possible exploitation of the vulnerabilities.
Adobe released a security hotfix for ColdFusion as well, for versions 10, 9.0.2, 9.0.1, and 9.0 for Windows, Macintosh, and Linux.
The patch addresses a flaw (reflected cross site scripting – CVE-2013-5326) that an attacker could leverage remotely when the CFIDE directory ends up exposed (in ColdFusion 10 and earlier).
Another security hole plugged by the ColdFusion hotfix would allow unauthorized remote read access.
Wednesday, September 11, 2013 @ 12:09 PM gHale
Adobe launched a series of updates and patches for vulnerabilities in Flash, Reader, Acrobat and Shockwave.
Adobe said quite a few of the vulnerabilities could end up running attacker code on vulnerable systems or crash those machines. The updates for Adobe Reader and Acrobat resolve memory corruption flaws and buffer overflows in the software for Windows and Mac.
From Adobe’s advisory for Reader and Acrobat:
• Updates resolve stack overflow vulnerabilities that could lead to code execution (CVE-2013-3351).
• Updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2013-3352, CVE-2013-3354, CVE-2013-3355).
• Updates resolve buffer overflow vulnerabilities that could lead to code execution (CVE-2013-3353, CVE-2013-3356).
• Updates resolve integer overflow vulnerabilities that could lead to code execution (CVE-2013-3357, CVE-2013-3358).
The update for Adobe Flash fixes four vulnerabilities that can lead to code execution on Windows, Mac and Linux systems.
“Adobe has released security updates for Adobe Flash Player 11.8.800.94 and earlier versions for Windows and Macintosh, Adobe Flash Player 184.108.40.2067 and earlier versions for Linux, Adobe Flash Player 220.127.116.11 and earlier versions for Android 4.x, and Adobe Flash Player 18.104.22.168 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system,” the advisory said.
As for Shockwave, the update fixes two memory corruption vulnerabilities that can lead to remote code execution on Windows and Mac.
Thursday, September 5, 2013 @ 05:09 PM gHale
The developers behind Bitcoin-QT, a software wallet used to protect and back up Bitcoin currency, have a new version of the client, fixing some security issues like a critical denial-of-service (DoS) bug.
Version 0.8.4 of the original Bitcoin client posted to SourceForge and anyone running an out of date version can update by either running the Windows installer or copying over the new code on Mac and Linux builds.
According to the update summary, an attacker could have sent a series of messages that would have resulted in an integer division-by-zero error in the Bloom Filter handling code. This DoS bug would have forced versions 0.8.0 through 0.8.3 of the program to crash.
The update also adds a constant-time algorithm to check RPC password guess attempts (CVE-2013-4165) and a fix for the fill-memory-with-orphan-transactions attack (CVE-2013-4627) that opened new vectors of attack by a previous buggy patch.
Bitcoins, the decentralized virtual currency that popped into the cultural mainstream this summer has already proved a popular target for attackers. Hackers knocked the Mt. Gox trading exchange offline in April.
Thursday, July 18, 2013 @ 04:07 PM gHale
Windows for quite some time now has had a monopoly on suffering from the ravages of ransomware, but now it appears Macs are joining in on the “fun.”
There is now a strain of Mac OS X ransomware, also known as “scareware,” which essentially takes a victim’s computer hostage until they pay a certain fee to unlock it, said researchers at security firm Malwarebytes.
In the case of the threat Malwarebytes found, users, after visiting a website filled with malicious code, had their browsers hijacked and then they received a message claiming to come from the FBI, senior security researcher Jerome Segura said in a blog post.
The faux alert tries to intimidate the victim with a legitimate-looking post that says their “browser has been blocked” because their computer either violated copyright laws, viewed porn or initiated some type of illegal access.
The scam demands $300 from the victim, who can pay it through Green Dot MoneyPak by purchasing a prepaid card and transferring the value to the attackers.
Paying the scammers is not what anyone recommends, but neither is trying to “force quit” the web page containing the bogus threat, said Malwarebytes researchers. Because of the Safari browser’s auto-restore feature, the page only will return when the browser starts back up.
Instead, users should click on the “Safari” tab on the navigation bar and choose “Reset Safari,” ensuring all of the boxes are checked. Then hit “Reset.”
The ransomware comes from websites where victims end lured after searching for popular search terms, Segura said. For example, Segura stumbled upon the scam after searching for “Taylor Swift” on Bing Images. Segura did not say how widespread the threat is.
Windows users have seen this type of threat before, but attackers appear headed in the same direction on Macs.
Thursday, July 11, 2013 @ 04:07 PM gHale
Google released Chrome 28 for Windows, Mac, and Chrome Frame which addresses a large number of vulnerabilities.
As what usually occurs, finding a vulnerability means some type of payout, so for one critical hole, a use-after-free with network sockets, Google awarded Collin Payne $6,267.40 for his work.
While that was a nice amount, the largest sum went to Andrey Labunets. Labunets identified a high-impact flaw described as “confusion setting up sign-in and sync.”
He also found a medium-severity “incorrect sync of NPAPI extension component.” Google appeared impressed by the combination of the two issues, so the company rewarded the researcher with $21,500.
Miaubiz found some other high-severity vulnerabilities – a use-after-free in input handling, and a use-after-free in resource loading – which earned the security researcher $3,000.
The Chrome team’s internal security work led to the discovery of various issues (CVE-2013-2880) labeled high risk.
In addition, Google fixed seven medium- and three low-impact security holes in Chrome 28. One of the low-impact issues affects only Macs.
Wednesday, July 10, 2013 @ 11:07 AM gHale
Not only does Microsoft enjoy Patch Tuesday, but so does Adobe as the company released security updates for its Flash Player and Shockwave Player products as well as hotfixes for ColdFusion.
The security updates close critical vulnerabilities. Of the hotfixes for ColdFusion, one rated as “Critical,” while the other “important.”
The patches for Flash Player fix security holes that allowed potential attackers to trigger crashes and take control of affected systems. Windows and Mac users should update to version 11.8.800.94. An update to version 22.214.171.1247 is available for Linux. The versions of Flash Player for Google Chrome (11.8.800.97) and for Internet Explorer 10 (11.8.800.94) should update automatically. Recent Android 4.x systems can become current by updating to 126.96.36.199. Older versions of Android such as 3.x and 2.x should update to version 188.8.131.52 of Flash Player.
The security hole in Adobe’s Shockwave also enables attackers to execute malicious code on a system. Windows and Mac OS X users can fix their players by updating to version 184.108.40.206.
Two hotfixed vulnerabilities were in Adobe’s ColdFusion. In ColdFusion 10 for Windows, Mac OS X and Linux, security hole CVE-2013-3350 enables attackers to “invoke public methods on ColdFusion Components using WebSockets.” Security hole CVE-2013-3349 in ColdFusion versions 9.0, 9.0.1 and 9.0.2 that run on JRun could trigger Denial-of-Service (DoS) scenarios. This hole doesn’t affect ColdFusion 10.
Wednesday, February 20, 2013 @ 03:02 PM gHale
Adobe released a security bulletin today that fixes a vulnerability in its Reader and Acrobat products found just one week ago.
The vulnerability, which attackers are jumping on and taking advantage of, could cause a crash of either and software and potentially allow a bad guy take control of the affected system.
For PC users, there is a sense of urgency to update as Adobe confirmed attackers are leveraging two of the vulnerabilities (CVE-2013-0640 and CVE-2013-0641) in targeted attacks designed to trick Windows users into opening a malicious PDF file attached in an email.
Mac and Linux users are not immune to this flaw, they just simply are not under attacker’s microscope at this juncture.
The security patches are available for software on Windows, Mac, and Linux. The following is a list of upgrades:
• Users of Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh should update to Adobe Reader XI (11.0.02).
• For users of Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.02), Adobe has made available the update Adobe Reader X (10.1.6).
• For users of Adobe Reader 9.5.3 and earlier 9.x versions for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.02), Adobe has made available the update Adobe Reader 9.5.4.
• Users of Adobe Reader 9.5.3 and earlier 9.x versions for Linux should update to Adobe Reader 9.5.4.
• Users of Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh should update to Adobe Acrobat XI (11.0.02).
• Users of Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh should update to Adobe Acrobat X (10.1.6).
• Users of Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh should update to Adobe Acrobat 9.5.4.
Windows and OS X users can use the product’s update feature (Help => Check for Updates).