Friday, May 13, 2016

Adobe Flash In-The-Wild Exploit Patched:
Flash v21.0.0.242, AIR v21.0.0.215
Plus ColdFusion Hotfixes


Adobe has released Flash v21.0.0.242 and AIR v21.0.0.215. The patch blocks an in-the-wild exploit of Flash. A total of 25 CVEs are patched. Presumably, this patch arrived two days later than Adobe's usual 'second Tuesday of the month' patching schedule because the ongoing exploit was discovered late.

Download Flash Update
Download AIR Update

The security bulletin is HERE.
Vulnerability Details

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-1105, CVE-2016-4117).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-1101).

These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2016-1103).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115).

These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4116).

Also of note:

Adobe has released security hotfixes for ColdFusion versions 10, 11 and the 2016 release.

The security bulletin is HERE.
Vulnerability Details

These hotfixes resolve an important input validation issue (CVE-2016-1113) that could be abused to conduct cross-site scripting attacks.

These hotfixes include an updated version of the Apache Commons Collections library to mitigate an important Java deserialization vulnerability (CVE-2016-1114).

These hotfixes resolve a moderate host name verification problem affecting wild card certificates (CVE-2016-1115).

Hopefully, that's the end of Adobe security patches for May. (0_o)
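One way to check a machine inventory against the patched versions listed in these bulletins, as an added example (not Adobe's or this blog's code); the product names and the sample inventory are constructed, and the only facts taken from the page are the version numbers:

```python
"""Added example (not Adobe's or the blog's own code): compare installed Adobe
versions against the minimum patched releases quoted in the May 2016 bulletins
above, so an inventory can be checked without eyeballing version strings."""
from typing import Dict, List, Tuple

# Minimum patched versions, taken from the bulletins on this page.
PATCHED: Dict[str, str] = {
    "Flash Player": "21.0.0.242",
    "AIR": "21.0.0.215",
    "Acrobat": "15.016.20039",
    "Reader": "15.016.20039",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'a.b.c.d' into a tuple of ints. Adobe zero-pads components
    ('15.016.20039'), so a plain string compare would misorder '15.16' and
    '15.016'; integer components compare correctly."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(product: str, installed: str) -> bool:
    """True if `installed` is at or above the patched release for `product`."""
    have, need = parse_version(installed), parse_version(PATCHED[product])
    width = max(len(have), len(need))          # pad so 21.0.0 == 21.0.0.0
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def audit(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (product, installed, required) for every entry still below the
    patched release; products not in PATCHED are skipped, not assumed safe."""
    findings = []
    for product, installed in inventory.items():
        if product in PATCHED and not is_patched(product, installed):
            findings.append((product, installed, PATCHED[product]))
    return findings


if __name__ == "__main__":
    # Constructed inventory: the March 2016 Flash build mentioned on this
    # page, plus a current Reader written without the zero padding.
    sample = {"Flash Player": "21.0.0.182", "Reader": "15.16.20039"}
    for product, have, need in audit(sample):
        print(f"{product}: installed {have}, needs {need}")
```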


Tuesday, May 10, 2016

Two Critical Adobe Updates:
Acrobat & Reader v15.016.20039 Now,
Flash Update On The Way


Sometimes I have to roll my eyes. This is yet another opportunity to shout expletives at Adobe for endangering our computers. It's another 'OMG you suck Adobe!' moment. Get a load of the number of CVEs patched in Acrobat/Reader v15.016.20039. Ninety-two CVEs. It has to be a record. Then there's the ongoing in-the-wild exploit of Flash that Adobe promises to patch later this week. Dangerous stuff. *sigh*

Out Today:

Adobe Acrobat & Reader v15.016.20039

Check for updates from within the applications,

Or download update installers at the pages linked below:

Download Reader Update

Download Acrobat Update

The security bulletin is HERE.

Vulnerability Details

• These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1045, CVE-2016-1046, CVE-2016-1047, CVE-2016-1048, CVE-2016-1049, CVE-2016-1050, CVE-2016-1051, CVE-2016-1052, CVE-2016-1053, CVE-2016-1054, CVE-2016-1055, CVE-2016-1056, CVE-2016-1057, CVE-2016-1058, CVE-2016-1059, CVE-2016-1060, CVE-2016-1061, CVE-2016-1065, CVE-2016-1066, CVE-2016-1067, CVE-2016-1068, CVE-2016-1069, CVE-2016-1070, CVE-2016-1075, CVE-2016-1094, CVE-2016-1121, CVE-2016-1122, CVE-2016-4102, CVE-2016-4107).

• These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2016-4091, CVE-2016-4092).

• These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1037, CVE-2016-1063, CVE-2016-1064, CVE-2016-1071, CVE-2016-1072, CVE-2016-1073, CVE-2016-1074, CVE-2016-1076, CVE-2016-1077, CVE-2016-1078, CVE-2016-1080, CVE-2016-1081, CVE-2016-1082, CVE-2016-1083, CVE-2016-1084, CVE-2016-1085, CVE-2016-1086, CVE-2016-1088, CVE-2016-1093, CVE-2016-1095, CVE-2016-1116, CVE-2016-1118, CVE-2016-1119, CVE-2016-1120, CVE-2016-1123, CVE-2016-1124, CVE-2016-1125, CVE-2016-1126, CVE-2016-1127, CVE-2016-1128, CVE-2016-1129, CVE-2016-1130, CVE-2016-4088, CVE-2016-4089, CVE-2016-4090, CVE-2016-4093, CVE-2016-4094, CVE-2016-4096, CVE-2016-4097, CVE-2016-4098, CVE-2016-4099, CVE-2016-4100, CVE-2016-4101, CVE-2016-4103, CVE-2016-4104, CVE-2016-4105).

• These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2016-1043).

• These updates resolve memory leak vulnerabilities (CVE-2016-1079, CVE-2016-1092).

• These updates resolve an information disclosure issue (CVE-2016-1112).

• These updates resolve various methods to bypass restrictions on Javascript API execution (CVE-2016-1038, CVE-2016-1039, CVE-2016-1040, CVE-2016-1041, CVE-2016-1042, CVE-2016-1044, CVE-2016-1062, CVE-2016-1117).

• These updates resolve vulnerabilities in the directory search path used to find resources that could lead to code execution (CVE-2016-1087, CVE-2016-1090, CVE-2016-4106).

Total count: 92 CVEs patched.
~ ~ ~ ~ ~

Coming up later this week:

Adobe Flash update.

The warning security advisory is HERE.


A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.

I'll make another post when the update for Adobe Flash is available. Until then, avoid or stop using Flash.


Tuesday, March 22, 2016

IT'S OVER (For Now):
FBI/DOJ Vacates Court Date Against Apple


This evening, MacNN published that:

Tomorrow's iPhone 5c court hearing vacated by judge after request
A few hours ago, the US Department of Justice filed to vacate tomorrow's hearing, as it has apparently found another method to access the San Bernardino shooter's work-owned iPhone 5c. The filing says that on Sunday, an "outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone" which "should eliminate the need for the assistance from Apple Inc. ("Apple") set forth in the All Writs Act Order in this case." . . . 

The government is planning to perform more testing on the iPhone 5c to determine suitability of the proposed procedure, and report back to the courts on April 5 with progress, which may yet result in Apple having to appear and defend its position.
DOJ Motion To Vacate Hearing

So, see you again April 5th! (?)

It is so easy at this point to speculate about what is REALLY going on at the FBI and DOJ. But let's sit tight and take this forced break in the proceedings. I fully expect that there will be more attempts ahead to wreck the First, Fourth and Fifth Amendments to the US Constitution.


Sunday, March 13, 2016

Suggested Reading Re:
Apple Vs FBI Vs US Constitution


I find it a bit absurd to write an article sending someone to another article. But sometimes someone else's writing is so good that I have to help draw attention to it. I've been poring through a deluge of articles, videos, podcasts... discussing aspects of the Apple Vs FBI Vs US Constitution case. This specific article is one of the best of the lot and provides an excellent summary of the core failings of the FBI's case, discussing the law involved in detail in a way that is easy for readers to follow. Please read this article by John Eden at TechCrunch:

Why Apple is right to resist the FBI
... Apple should do what is necessary to preserve our enduring constitutional values, including life, liberty and the pursuit of happiness. Those values also include the privacy and speech rights protected by the Constitution. The First Amendment famously protects an individual’s right to say what he or she thinks or feels, and the Fourth Amendment guarantees that Americans shall be free of unreasonable searches and seizure.

These values and constitutional ideals are not mere commodities to be traded away, but are instead regulative ideals that capture and define who we are. Such ideals must remain unmolested by the temporary whims of each and every government agency. That’s what it means to be a nation of laws that is guided by a constitution.

In this particular case, Apple has a responsibility to resist the FBI’s efforts to force the company to undermine the security measures in its mobile operating system. To understand what is at stake here, one has to think deeply about what the world would be like if Apple were to comply with the FBI’s demands.... 
In a nutshell, here’s where we are: A government agency is trying to force the world’s most valuable technology company to break its encryption technology despite (1) having no legal authority to do so and (2) being unable to articulate what they hope to achieve on behalf of the American people. Sounds like a grand bargain to me.
Thank you to John Eden for excellent writing and thank you to the folks at MacDailyNews for bringing the article to my attention.


Thursday, March 10, 2016

Adobe Critical Updates:
In-The-Wild Exploit!


Over the past few days, Adobe has provided critical security updates. Version numbers and download links:

Flash v21.0.0.182 --Active exploit in-the-wild
AIR v21.0.0.176 --Active exploit in-the-wild
Acrobat v15.010.20060
Reader v15.010.20060
Digital Editions v4.5.1

Here are the links to the various Adobe Security Bulletins:

Flash & AIR

Acrobat & Reader
Digital Editions

And here are the numbers of CVEs patched:

Flash & AIR: 18

 - CVE-2016-1010 is being actively exploited in-the-wild.
(CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988, CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0993, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-1000, CVE-2016-1001, CVE-2016-1005, CVE-2016-1010)

Acrobat & Reader: 3
(CVE-2016-1007, CVE-2016-1008, CVE-2016-1009)

Digital Editions: 1

So get updating, kids! Adobe critical updates go on forever...


And remember: 
UNinstall the Java Internet plug-in and never install it again! 
Don't bother updating it. 
Just UNinstall it.
Never install it again.


Monday, March 7, 2016

Apple Provides A Web Page Of
Amicus Briefs in Support of Apple


I've been slowly slogging through Apple's provided 'Amicus Briefs in Support of Apple'. It's an extraordinary list of supporters with links to their court briefs, letters to the court and related statement pages on the web:

Apple Press Info: Amicus Briefs in Support of Apple

I'm giving a talk tonight at a local user group about Apple Vs FBI Vs US Constitution, so I'll simply suggest looking through the list. An amazing array of companies and organizations are supporting Apple's court case.

Meanwhile, I'm not seeing much more than desperation, rhetoric and hyperbole from my government in response. Today's comic over at Joy of Tech summarizes their loony desperation:

What bothers me, of course, is that this bumbling attempt at imposing totalitarianism in the USA will be followed up with more polished, manipulative, propagandist attempts that appeal to the ignorant and easily frightened among us. We've already seen the Director of the FBI post a highly emotion-oriented appeal on the net with little reference to the real legal issue. I expect more of the same in the future with the volume cranked up to 11.

Monday, February 29, 2016

Progress In Apple Vs FBI/DOJ:
NY Judge Backs Apple In Drug Case


Some progress has been made in the Apple debacle with the FBI. It turns out that Apple's objection to government requests for an iOS device cracking key began back in October 2015. The ruling involves a drug case in Brooklyn, NY and the US Department of Justice. The judge's decision is provided in an article over at Reuters:

N.Y. judge backs Apple in encryption fight with government
The U.S. government cannot force Apple Inc (AAPL.O) to unlock an iPhone in a New York drug case, a federal judge in Brooklyn said on Monday, a ruling that bolsters the company's arguments in its landmark legal showdown with the Justice Department over encryption and privacy. . . .
(Added emphasis mine.)

I strongly suggest reading the entire article. This is the first precedent case in this debacle and is going to carry some weight as similar cases progress, especially Apple's Motion To Vacate from last week regarding the FBI-obtained terrorist's iPhone.

Here is a link to a PDF of the full judgement:

. . .

In deciding this motion, I offer no opinion as to whether, in the circumstances of this case or others, the government's legitimate interest in ensuring that no door is too strong to resist lawful entry should prevail against the equally legitimate societal interests arrayed against it here. Those competing values extend beyond the individual's interest in vindicating reasonable expectations of privacy – which is not directly implicated where, as here, it must give way to the mandate of a lawful warrant. They include the commercial interest in conducting a lawful business as its owners deem most productive, free of potentially harmful government intrusion; and the far more fundamental and universal interest – important to individuals as a matter of safety, to businesses as a matter of competitive fairness, and to society as a whole as a matter of national security – in shielding sensitive electronically stored data from the myriad harms, great and small, that unauthorized access and misuse can cause.

How best to balance those interests is a matter of critical importance to our society, and the need for an answer becomes more pressing daily, as the tide of technological advance flows ever farther past the boundaries of what seemed possible even a few decades ago. But that debate must happen today, and it must take place among legislators who are equipped to consider the technological and cultural realities of a world their predecessors could not begin to conceive. It would betray our constitutional heritage and our people's claim to democratic governance for a judge to pretend that our Founders already had that debate, and ended it, in 1789.

Ultimately, the question to be answered in this matter, and in others like it across the country, is not whether the government should be able to force Apple to help it unlock a specific device; it is instead whether the All Writs Act resolves that issue and many others like it yet to come. For the reasons set forth above, I conclude that it does not. The government's motion is denied.

Dated: Brooklyn, New York
February 29, 2016
JAMES ORENSTEIN, U.S. Magistrate Judge