Keep Your Eyes on This Adobe 0-Day

A new Adobe exploit has been circulating via Flash movies for the last day or so. It looks like the vulnerability is present across many Adobe products and can be exploited on Android, Linux, Windows and OS X.

Here is a link to the Dark Reading article about the issue.

You can also find the Adobe official alert here.

As this matures, evolves and gets patched, it is a good time to double-check your patching process for third-party software on workstations and servers. By this point, that should be a regular patching process, just like your ongoing operating system patches. If not, then it is time to make it so.

Users of HoneyPoint Wasp should be able to easily detect any systems compromised via this attack vector using the whitelisting detection mechanism. Keep a closer than usual eye out for suspicious new processes running on workstations until the organization has applied the patch across the workstation environment.

Critical Windows Update

Today Microsoft is rolling out an unscheduled update. This vulnerability is critical and there are reports that it has been exploited by malware for the last few weeks. The most vulnerable systems are Windows 2000, Windows XP and Windows 2003. On these systems it is possible to exploit the system without authentication. On Windows Vista and Windows Server 2008, the exploit requires authentication to run, and it would likely also lead to a Denial of Service condition due to the use of DEP and ASLR in these versions of Windows.

This is the first easily wormable vulnerability in the past few years. It is very important that this update be tested and rolled out by your organization as soon as possible to prevent exploitation. The Security Bulletin can be found here.

Linux Local Kernel Exploit

Two proof-of-concept kernel exploits have been released into the wild that exploit a newly discovered vulnerability. Kernel versions 2.6.17 to 2.6.24.1 are affected. The vulnerability is found within the vmsplice function call. This exploit effectively gives local root access on a wide range of Linux distributions.
Kernel version 2.6.24.2 fixes the issue. It’s recommended to disable all shell access until your kernel is updated, either by building from sources, or waiting for your Linux distribution to release an update.
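
To triage hosts against the range quoted above, the following added example (not part of the original post) classifies a kernel release string as inside or outside 2.6.17 through 2.6.24.1. The function names `kver_key` and `vmsplice_status` and the sample release strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a kernel release string with the affected range
# given in the post (2.6.17 through 2.6.24.1; 2.6.24.2 carries the fix).
# Caveat: distribution kernels often backport fixes without changing the
# upstream version number, so "in-affected-range" means "check the vendor
# advisory", not "confirmed vulnerable".

# Convert "2.6.22-14-generic" to a comparable integer key.
# Missing fields count as 0, so 2.6.24 sorts below 2.6.24.1.
kver_key() {
    base=${1%%[!0-9.]*}      # strip distro suffix such as "-14-generic"
    old_ifs=$IFS; IFS=.
    set -- $base             # split on dots into $1..$4
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000000 + ${2:-0} * 1000000 + ${3:-0} * 1000 + ${4:-0} ))
}

# Print "in-affected-range" or "outside-range" for one release string.
vmsplice_status() {
    key=$(kver_key "$1")
    low=$(kver_key 2.6.17)
    high=$(kver_key 2.6.24.1)
    if [ "$key" -ge "$low" ] && [ "$key" -le "$high" ]; then
        echo "in-affected-range"
    else
        echo "outside-range"
    fi
}

# Report on the running kernel plus a few constructed sample strings.
for rel in "$(uname -r)" 2.6.16.60 2.6.22-14-generic 2.6.24.1 2.6.24.2; do
    printf '%-24s %s\n' "$rel" "$(vmsplice_status "$rel")"
done
```
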

Excel Exploit In The Wild

Microsoft reported today that a previously unknown vulnerability in Excel is being actively exploited. According to the release, the issue affects older versions of Excel, including Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for OS X. The victim must open a malicious Excel file for the exploit to execute.

There is currently no fix for this issue, other than being very careful about which Excel files are opened. Microsoft said that they are working on a fix that may come out before the next patch cycle.

Microsoft’s advisory is at: http://www.microsoft.com/technet/security/advisory/947563.mspx

Mac Java, JUNOS, and a Samba Exploit

Mac OS X has multiple vulnerabilities in Java. An error in a Java access check could be exploited to add or remove items from a Keychain without prompting the user. This could be achieved by a specially crafted Java packet. This affects Mac OS X versions prior to 10.5. The next issue is in Java 1.4 and J2SE 5.0 and could allow for a denial of service, the bypassing of security mechanisms, or compromise of a user's system. Users of Mac OS X systems should update to Java release 6.

A vulnerability in Juniper JUNOS can be exploited to cause a denial of service. This can occur due to an error processing BGP UPDATE messages, and can be triggered by a specially crafted BGP message. Administrators of Juniper devices should apply the vendor-recommended updates, available at https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2007-12-008&viewMod%20e=view.

The samba_mailslot() vulnerability reported earlier this month now has public exploit code available. Samba 3.0.27a is vulnerable to a stack-based buffer overflow when processing “SAMLOGON” domain logon packets. Code is now available to exploit this vulnerability, although it currently only causes a denial of service. Samba 3.0.28 is currently available.

OpenBSD Ouchie, Apple QuickTime and Solaris 10 Vulns

In a pretty rare occurrence, a remote buffer overflow in OpenBSD has been identified. The vulnerability exists in “dhcpd”, the DHCP daemon, and allows denial of service and arbitrary code execution on 4.0 – 4.2. This issue was originally published in May, but new developments have been made in refining the exploits and in details about the issue. Patches are available, and should be installed as soon as possible.

Apple updated QuickTime to fix several identified issues, including some security problems. The updates are now available, and if you use the Apple update service, you should get them applied automatically. The big problem repaired in this release is a heap overflow that can be used to seize control of machines. We mention this update because QuickTime is one of those pesky applications that seem to turn up everywhere, in many organizations. It would likely be wise to check not only workstations, but also any servers that are used in training, multi-media or presentations. QuickTime seems to be a common tool for these mechanisms.

Lastly, Solaris 10 systems have proven to be vulnerable to a new buffer overflow in the monitoring package “srsexec”. This is installed in many Solaris systems, especially those leveraging the centralized console management and administrative console applications. Attackers with local access to the Solaris system can exploit this issue to execute arbitrary code as “root”, since the binary is suid by default. Patches are already available and should be applied as soon as practical.