Saturday, June 18, 2016

Help Us Stop the Updates to Rule 41
-EFF Calls for a Day of Action on June 21st-

--
This issue is critical to all US citizen computer users.
Therefore, I'm posting about it here to bring it to everyone's attention.
:-Derek


From the Electronic Frontier Foundation

"U.S. government agents want to use an obscure procedure to radically expand their use of hacking techniques. We need to stop them.

"The change to Rule 41 would make it easier for U.S. government agents to break into our computers, take data, and use hacking techniques.

"The rule change especially impacts people using privacy-protective technologies, including Tor and VPNs.

"The United States Congress never approved this expansion of the FBI’s powers. But now, Congress is our last chance to stop the change from taking effect."
Please reject the changes to Rule 41 of the Federal Rules of Criminal Procedure by passing the Stopping Mass Hacking Act (S.2952, H.R.5321). These amendments would lead to a vast expansion of government hacking, a largely unregulated law enforcement technique that makes us all less secure. 

Why you should care

"We’ve written a detailed explanation of the changes to Rule 41, which explains why this update will result in a dramatic increase in government hacking. Here’s an overview of some of the main reasons we are concerned:

"Government agents hacking into computers more frequently is a recipe for disaster. Law enforcement will increase their exploitation of security vulnerabilities in common software products, meaning vulnerabilities that could affect millions will be left open instead of patched.

"Law enforcement will forum shop, finding government-friendly magistrate judges to sign off on warrants with a loose connection to the judicial district.

"Law enforcement will pressure judges to sign off on remote searches of thousands of computers with a single warrant—a direct violation of the Fourth Amendment and a pattern we’re already seeing.

"This rule change especially impacts people using privacy protective technologies like Tor or VPNs, which is why we’re asking privacy tools to join us in standing up for users on June 21."


"The proposal comes from the advisory committee on criminal rules for the Judicial Conference of the United States. The amendment [PDF] would update Rule 41 of the Federal Rules of Criminal Procedure, creating a sweeping expansion of law enforcement’s ability to engage in hacking and surveillance. The Supreme Court just passed the proposal to Congress, which has until December 1 to disavow the change or it becomes the rule governing every federal court across the country. This is part of a statutory process through which federal courts may create new procedural rules, after giving public notice and allowing time for comment, under a “rules enabling act.”"




--

Thursday, June 16, 2016

Adobe Flash Has Another In-The-Wild Exploit:
Flash 22.0.0.192 and AIR 22.0.0.153 Updates
Plus Other Adobe Security Updates

--
Adobe Flash and AIR Updates:

Adobe was supposed to release a security update of Adobe Flash, and therefore AIR, on Tuesday, June 14th. But a Flash zero-day exploit was discovered and Adobe delayed the update until today, Thursday, June 16th. Adobe kindly posted a warning Security Bulletin to that effect. If this sounds familiar, the same scenario played out in May as well. (0_o)


The new versions are Flash v22.0.0.192 and AIR v22.0.0.153.


You can find the current versions of Adobe Flash and AIR here:


https://get.adobe.com/flashplayer/


https://get.adobe.com/air/download/


- -

Adobe Flash v22.0.0.192 update:

https://helpx.adobe.com/security/products/flash-player/apsb16-18.html

Vulnerability Details
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-4144, CVE-2016-4149).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-4142, CVE-2016-4143, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148).

These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2016-4135, CVE-2016-4136, CVE-2016-4138).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4137, CVE-2016-4141, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171).

These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4140).

These updates resolve a vulnerability that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2016-4139). 

The CVE currently being exploited In-The-Wild is CVE-2016-4171, the last one in the memory corruption list above. If you'd like to know more about this exploit, have a read of Dan Goodin's article on the subject:

Critical Adobe Flash bug under active attack currently has no patch
Exploit works against the most recent version; Adobe plans update later this week.
--

Adobe AIR v22.0.0.153 Update:


https://helpx.adobe.com/security/products/air/apsb16-23.html

Vulnerability Details

This update resolves a vulnerability in the directory search path used by the Air (sic) installer that could lead to code execution (CVE-2016-4116).
Note that this is actually a vulnerability found in the previous installer for AIR.
~ ~ ~ ~ ~

The other Adobe security updates from Tuesday, June 14th:

Adobe ColdFusion Hotfixes available:

https://helpx.adobe.com/security/products/coldfusion/apsb16-22.html

Vulnerability Details

These hotfixes resolve an important input validation issue (CVE-2016-4159) that could be exploited to conduct cross-site scripting attacks.
--
  
Adobe Creative Cloud Desktop Application v3.7.0.272 Update:

https://helpx.adobe.com/security/products/creative-cloud/apsb16-21.html

Vulnerability Details

This update resolves a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4157).

This update resolves an unquoted service path enumeration vulnerability in the Creative Cloud Desktop Application (CVE-2016-4158).
--

Adobe Brackets v1.7 Update:

https://helpx.adobe.com/security/products/brackets/apsb16-20.html

Vulnerability Details
This update resolves a JavaScript injection vulnerability, which could be abused in a cross-site scripting attack (CVE-2016-4164).

This update resolves an input validation vulnerability in the extension manager (CVE-2016-4165).
--

Adobe DNG Software Development Kit (SDK) 1.4 (2016 release) Update:

https://helpx.adobe.com/security/products/dng-sdk/apsb16-19.html

Vulnerability Details

This update resolves a memory corruption vulnerability (CVE-2016-4167).
~ ~ ~ ~ ~

And some HaPPy news!

In Safari 10, set to ship with macOS Sierra, Apple plans to disable common plug-ins like Adobe Flash, Java, Silverlight, and QuickTime by default in an effort to focus on HTML5 content and improve the overall web browsing experience. . . .

. . . When a website offers both Flash and HTML5 content, Safari will always deliver the more modern HTML5 implementation. On a website that requires a plug-in like Adobe Flash to function, users can activate it with a click. . . .

Safari 10 will also include a command to reload a page with installed plug-ins activated to give users additional options for controlling the content that's displayed, and there are preferences for choosing which plug-ins are visible to which websites in Safari's Security preferences. . . .
One more nail in the coffin of poorly written Internet plugins. (^_^)

 --

Friday, May 13, 2016

Adobe Flash In-The-Wild Exploit Patched:
Flash v21.0.0.242, AIR v21.0.0.215
Plus ColdFusion Hotfixes

--

Adobe has released Flash v21.0.0.242 and AIR v21.0.0.215. The patch blocks an in-the-wild exploit of Flash. There is a total of 25 CVE patches. Presumably, this patch is two days later than Adobe's usual 'second Tuesday of the month' patching schedule due to the late discovery of the ongoing exploit.

Download Flash Update
Download Air Update

The security bulletin is HERE.
Vulnerability Details

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-1105, CVE-2016-4117).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-1101).

These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2016-1103).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115).

These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4116).
Also of note:

Adobe has released security hotfixes for ColdFusion versions 10, 11 and the 2016 release.

The security bulletin is HERE.
Vulnerability Details 
These hotfixes resolve an important input validation issue (CVE-2016-1113) that could be abused to conduct cross-site scripting attacks.

These hotfixes include an updated version of the Apache Commons Collections library to mitigate an important Java deserialization vulnerability (CVE-2016-1114).

These hotfixes resolve a moderate host name verification problem affecting wild card certificates (CVE-2016-1115).
Hopefully, that's the end of Adobe security patches for May. (0_o)

--

Tuesday, May 10, 2016

Two Critical Adobe Updates:
Acrobat & Reader v15.016.20039 Now,
Flash Update On The Way

--

Sometimes I have to roll my eyes. This is yet another opportunity to shout expletives at Adobe for endangering our computers. It's another 'OMG you suck Adobe!' moment. Get a load of the number of CVEs patched in Acrobat/Reader v15.016.20039. Ninety-two CVEs. It has to be a record. Then there's the ongoing in-the-wild exploit of Flash that Adobe promises to patch later this week. Dangerous stuff. *sigh*

Out Today:


Adobe Acrobat & Reader v15.016.20039


Check for updates from within the applications,

Or download update installers at the pages linked below:

Download Reader Update

Download Acrobat Update

The security bulletin is HERE.

Vulnerability Details

• These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1045, CVE-2016-1046, CVE-2016-1047, CVE-2016-1048, CVE-2016-1049, CVE-2016-1050, CVE-2016-1051, CVE-2016-1052, CVE-2016-1053, CVE-2016-1054, CVE-2016-1055, CVE-2016-1056, CVE-2016-1057, CVE-2016-1058, CVE-2016-1059, CVE-2016-1060, CVE-2016-1061, CVE-2016-1065, CVE-2016-1066, CVE-2016-1067, CVE-2016-1068, CVE-2016-1069, CVE-2016-1070, CVE-2016-1075, CVE-2016-1094, CVE-2016-1121, CVE-2016-1122, CVE-2016-4102, CVE-2016-4107).

• These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2016-4091, CVE-2016-4092).

• These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1037, CVE-2016-1063, CVE-2016-1064, CVE-2016-1071, CVE-2016-1072, CVE-2016-1073, CVE-2016-1074, CVE-2016-1076, CVE-2016-1077, CVE-2016-1078, CVE-2016-1080, CVE-2016-1081, CVE-2016-1082, CVE-2016-1083, CVE-2016-1084, CVE-2016-1085, CVE-2016-1086, CVE-2016-1088, CVE-2016-1093, CVE-2016-1095, CVE-2016-1116, CVE-2016-1118, CVE-2016-1119, CVE-2016-1120, CVE-2016-1123, CVE-2016-1124, CVE-2016-1125, CVE-2016-1126, CVE-2016-1127, CVE-2016-1128, CVE-2016-1129, CVE-2016-1130, CVE-2016-4088, CVE-2016-4089, CVE-2016-4090, CVE-2016-4093, CVE-2016-4094, CVE-2016-4096, CVE-2016-4097, CVE-2016-4098, CVE-2016-4099, CVE-2016-4100, CVE-2016-4101, CVE-2016-4103, CVE-2016-4104, CVE-2016-4105).

• These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2016-1043).

• These updates resolve memory leak vulnerabilities (CVE-2016-1079, CVE-2016-1092).

• These updates resolve an information disclosure issue (CVE-2016-1112).

• These updates resolve various methods to bypass restrictions on Javascript API execution (CVE-2016-1038, CVE-2016-1039, CVE-2016-1040, CVE-2016-1041, CVE-2016-1042, CVE-2016-1044, CVE-2016-1062, CVE-2016-1117).

• These updates resolve vulnerabilities in the directory search path used to find resources that could lead to code execution (CVE-2016-1087, CVE-2016-1090, CVE-2016-4106).
Total count: 92 CVEs patched.
~ ~ ~ ~ ~

Coming up later this week:


Adobe Flash update.


The warning security advisory is HERE.

Summary

A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.
I'll make another post when the update for Adobe Flash is available. Until then, avoid or stop using Flash.

--

Tuesday, March 22, 2016

IT'S OVER (For Now):
FBI/DOJ Vacates Court Date Against Apple

--

This evening, MacNN published that:

Tomorrow's iPhone 5c court hearing vacated by judge after request
A few hours ago, the US Department of Justice filed to vacate tomorrow's hearing, as it has apparently found another method to access the San Bernardino shooter's work-owned iPhone 5c. The filing says that on Sunday, an "outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone" which "should eliminate the need for the assistance from Apple Inc. ("Apple") set forth in the All Writs Act Order in this case." . . . 

The government is planning to perform more testing on the iPhone 5c to determine suitability of the proposed procedure, and report back to the courts on April 5 with progress, which may yet result in Apple having to appear and defend its position.
DOJ Motion To Vacate Hearing

So, see you again April 5th! (?)

It is so easy at this point to speculate what is REALLY going on at the FBI and DOJ. But let's sit tight and take this forced break in the proceedings. I expect full well that there will be more attempts to wreck the First, Fourth and Fifth Amendments to the US Constitution ahead.
(0_o)


--

Sunday, March 13, 2016

Suggested Reading Re:
Apple Vs FBI Vs US Constitution

--

I find it a bit absurd to write an article sending someone to another article. But sometimes someone else's writing is so good that I have to help draw attention to it. I've been poring through a deluge of articles, videos, podcasts... discussing aspects of the Apple Vs FBI Vs US Constitution case. This specific article is one of the best of the lot and provides an excellent summary of the core failings of the FBI's case, discussing the law involved in detail with very good reader comprehension. Please read this article by John Eden at TechCrunch:

Why Apple is right to resist the FBI
... Apple should do what is necessary to preserve our enduring constitutional values, including life, liberty and the pursuit of happiness. Those values also include the privacy and speech rights protected by the Constitution. The First Amendment famously protects an individual’s right to say what he or she thinks or feels, and the Fourth Amendment guarantees that Americans shall be free of unreasonable searches and seizure.

These values and constitutional ideals are not mere commodities to be traded away, but are instead regulative ideals that capture and define who we are. Such ideals must remain unmolested by the temporary whims of each and every government agency. That’s what it means to be a nation of laws that is guided by a constitution.

In this particular case, Apple has a responsibility to resist the FBI’s efforts to force the company to undermine the security measures in its mobile operating system. To understand what is at stake here, one has to think deeply about what the world would be like if Apple were to comply with the FBI’s demands.... 
In a nutshell, here’s where we are: A government agency is trying to force the world’s most valuable technology company to break its encryption technology despite (1) having no legal authority to do so and (2) being unable to articulate what they hope to achieve on behalf of the American people. Sounds like a grand bargain to me.
Thank you to John Eden for excellent writing and thank you to the folks at MacDailyNews for bringing the article to my attention.

--


Thursday, March 10, 2016

Adobe Critical Updates:
In-The-Wild Exploit!

--

Over the past few days, Adobe has provided critical security updates. Version numbers and download links:

Flash v21.0.0.182 --Active exploit in-the-wild
AIR v21.0.0.176 --Active exploit in-the-wild
Acrobat v15.010.20060
Reader v15.010.20060
Digital Editions v4.5.1

Here are the links to the various Adobe Security Bulletins:

Flash & AIR

Acrobat & Reader
Digital Editions

And here are the numbers of CVEs patched:


Flash & AIR: 18. 

 - CVE-2016-1010 is being actively exploited in-the-wild.
(CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988, CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0993, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-1000, CVE-2016-1001, CVE-2016-1005, CVE-2016-1010)
Acrobat & Reader: 3
(CVE-2016-1007, CVE-2016-1008, CVE-2016-1009)
Digital Editions: 1 
(CVE-2016-0954)
So get updating, kids! Adobe critical updates go on forever...


--

And remember: 
UNinstall the Java Internet plug-in and never install it again! 
Don't bother updating it. 
Just UNinstall it.
Never install it again.


--