[+] Wayc0de's Blog[+]

Showing posts with label Flash Player.

10/11/11

Adobe says goodbye to Flash for mobile platforms

Adobe's product management team has sent a briefing to Adobe's partners describing the future direction of its multi-platform mobile application development tools.

From the security point of view, the biggest and the most welcome news is the announcement of the end of the development of Adobe Flash player for mobile platforms, except for critical security and bug fixes.

Unfortunately, even if the death of Flash for mobile platforms is imminent, Flash for desktop platforms is still very much alive. Adobe Flash vulnerabilities, together with Java virtual machine and Adobe Reader vulnerabilities, have been the most common causes for drive-by download malware infections.

It is still uncertain what the future of Flash on the desktop is, but let us hope that the widespread acceptance of HTML5 will drive Adobe in the right direction of killing Flash players on all remaining platforms.

The move comes after pressure from iPhone and iPad users, who have been frustrated by not being able to access websites built in Flash since Apple announced its decision to exclude Flash support from iOS-based devices.
Was Steve Jobs right about Flash after all?

06/10/11

NSS Labs offers reward money for fresh exploits

The company has set aside $4,400 for rewards for working exploits for 12 vulnerabilities

NSS Labs is sweetening the pot for its ExploitHub marketplace by offering rewards to security gurus who can write working exploits for a dozen "high-value" vulnerabilities.

The company, which has set aside $4,400 in reward money, plans to give $100 to $500 to the first people to submit a working exploit for the vulnerabilities. Ten of the vulnerabilities concern Microsoft's Internet Explorer browser, and two were found in Adobe's Flash multimedia program.


The exploits must be client-side remote exploits that can result in code execution. Proof-of-concept code and denial-of-service conditions do not qualify. NSS Labs will pay the developer with American Express gift cards. Residents from countries that the U.S. has a standing embargo against are not allowed to participate.

NSS Labs said that those who win can then sell their exploits on ExploitHub, a marketplace the company set up for penetration testers to acquire exploits to test against their infrastructure. ExploitHub was set up to help with the development of penetration testing tools and to assist computer security researchers.

Those who write the winning exploits may then sell their code on ExploitHub, with NSS Labs taking a 30 percent commission. Penetration testers can also make requests via the marketplace for exploits for specific vulnerabilities. Those who want to buy exploits are vetted by NSS Labs to ensure the marketplace is not abused.

ExploitHub also only sells exploits for vulnerabilities that have been patched and does not host ones for zero-day vulnerabilities. The vulnerabilities that NSS Labs is offering the reward for are:
  1. CVE-2011-1256: Microsoft Internet Explorer CElement Memory Corruption
  2. CVE-2011-1266: Microsoft Internet Explorer VML vgx.dll Use After Free
  3. CVE-2011-1261: Microsoft Internet Explorer selection.empty Use After Free
  4. CVE-2011-1262: Microsoft Internet Explorer Redirect Memory Corruption
  5. CVE-2011-1963: Microsoft Internet Explorer XSLT Memory Corruption
  6. CVE-2011-1964: Microsoft Internet Explorer Style Object Memory Corruption
  7. CVE-2011-0094: Microsoft Internet Explorer CSS Use After Free Memory Corruption
  8. CVE-2011-0038: Microsoft Internet Explorer 8 IESHIMS.DLL Insecure Library Loading
  9. CVE-2011-0035: Microsoft Internet Explorer Deleted Data Source Object Memory Corruption
  10. CVE-2010-3346: Microsoft Internet Explorer HTML Time Element Memory Corruption
  11. CVE-2011-2110: Adobe Flash Player ActionScript Function Variable Arguments Information
  12. CVE-2011-0628: Adobe Flash Player Remote Integer Overflow Code Execution

29/09/11

Apple blocks malware-as-PDF threat but new attack emerges

Summary: Even as Apple adds detection to block a Mac OS X malware threat, researchers find new Mac malware posing as a legitimate Flash Player installation package.


Apple has quietly added detection for the recent malware attack that used PDF files as lures to trick Mac OS X users into downloading a malicious Trojan dropper. 

The detection was added into the rudimentary XProtect.plist malware blocker built into Mac OS X.

The malware, flagged as a trojan dropper, installs a downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.

However, in what has become a classic cat-and-mouse game, researchers have spotted a new Mac malware threat posing as a legitimate Flash Player installation package.


Intego explains the characteristics of the new threat:

Users visiting certain malicious websites may see a link or an icon to download and install Flash Player. Since Mac OS X Lion does not include Flash Player, some users may be fooled and think this is a real installation link. When they click the link, an installation package downloads, and, if the user is using Safari as their web browser, the Mac OS X Installer will launch. (Safari considers installer packages, with .pkg or .mpkg extensions, to be “safe” files and will launch them after download, if default settings are used.)

If the user proceeds with the installation procedure, the installer for this Trojan horse will deactivate some network security software, Intego said.

After installation, [it] will delete the installation package itself. The malware installs a dyld (dynamic loader) library and auto-launch code, allowing it to inject code into applications the user launches. This code, installed in a file at ~/Library/Preferences/Preferences.dylib, connects to a remote server, and sends information about the infected Mac to this server: this includes the computer’s MAC address, a unique identifier. This will allow the malware to detect if a Mac is infected.

The company said it has spotted this new malware in the wild but notes that it is not widely distributed.

27/09/11

New Mac Trojan Pretends to Be Flash

Mac malware is still quite rare, but there is one new threat floating around that you should be aware of. A new Trojan for Mac OS X disguises itself as an installer for the Adobe Flash Player browser plug-in, according to security software company Intego. The good news (if you want to call it that)? This new malware doesn't appear to have spread very far as of yet.

According to Intego, this Trojan spreads via malicious sites that feature links asking you to download Flash Player (recent versions of Mac OS X don't come with Flash Player pre-installed). Instead of being taken to the Adobe Flash site when clicking the link, you'll inadvertently download the Trojan instead. The Trojan looks and acts like any typical Mac installer package--in fact, if you have the "Open 'safe' files after downloading" box checked in Safari, the installer will open automatically.

Intego is still trying to learn more about this particular Trojan, but the company says that "the installer for this Trojan horse will deactivate some network security software, and, after installation, will delete the installation package itself." From there, the Trojan "installs a dyld (dynamic loader) library and auto-launch code, allowing it to inject code into applications the user launches." Put in English, it basically turns good apps bad by making them run malicious tasks.

The malware then gathers information about your Mac, including its MAC address, and sends it to a server, which, according to Intego, "will allow the malware to detect if a Mac is infected."

But there's no need to panic: Intego says they've received only one report of this malware in the wild, so as of right now, this particular Trojan doesn't appear to have spread very far.

To keep it from spreading further, and to keep from becoming its next victim, there are a couple steps you can take. First, only download and install the version of Flash available directly from Adobe. Not only does it ensure that you'll get the real thing, but it ensures that you'll get the latest version, complete with the newest security fixes.

Also, if you use Safari, select Preferences from the Safari menu, click General, then un-check the box labeled "Open 'safe' files after downloading". This will prevent installers and other files (images, text documents, etc...) from opening automatically when you download them. In addition, don't open any downloads that you weren't expecting--this will prevent you from being taken advantage of by so-called drive-by downloads and other threats.
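Both Intego write-ups above name one concrete artifact, a dynamic library at ~/Library/Preferences/Preferences.dylib. The following check is an added example, not code from Intego or PCWorld: it looks for that file in every home directory and, as a broader heuristic that is an assumption of this example, flags any other `.dylib` or Mach-O file under a Preferences folder, which normally holds property lists.

```python
import os

# Location reported by Intego on this page, relative to a user's home directory.
REPORTED = os.path.join("Library", "Preferences", "Preferences.dylib")
# First four bytes of Mach-O and universal binaries. 0xcafebabe is also the
# Java class-file magic, so a hit is a lead to review, not a verdict.
MACHO_MAGICS = {bytes.fromhex(h) for h in (
    "feedface", "cefaedfe", "feedfacf", "cffaedfe", "cafebabe", "bebafeca")}

def is_macho(path):
    """True if the file starts with a Mach-O or universal-binary magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False  # unreadable files are skipped, not reported

def scan_home(home):
    """Return sorted (reason, path) findings for one home directory."""
    findings = []
    exact = os.path.join(home, REPORTED)
    if os.path.lexists(exact):
        findings.append(("reported-path", exact))
    prefs = os.path.join(home, "Library", "Preferences")
    for root, _dirs, files in os.walk(prefs):
        for name in files:
            path = os.path.join(root, name)
            if path == exact:
                continue  # already reported above
            if name.endswith(".dylib") or is_macho(path):
                findings.append(("native-code-in-preferences", path))
    return sorted(findings)

def scan_users(users_root="/Users"):
    """Scan every home directory under users_root (default: the macOS location)."""
    findings = []
    try:
        entries = sorted(os.listdir(users_root))
    except OSError:
        return findings
    for entry in entries:
        home = os.path.join(users_root, entry)
        if os.path.isdir(home):
            findings.extend(scan_home(home))
    return findings

if __name__ == "__main__":
    for reason, path in scan_users():
        print(f"{reason}\t{path}")
```

Run it with enough privilege to read other users' Library folders; an empty result only means this one artifact is absent.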

nb : pcworld

23/09/11

Adobe adding security, privacy goodies to Flash Player 11

Summary: Adobe’s new Flash Player 11 will include support for 64-bit exploit mitigation and support for SSL socket connections.


Battling to cope with the hacker bullseye on its back, Adobe plans to add new security and privacy features to the next iteration of its ubiquitous Flash Player, including support for SSL socket connections and the introduction of 64-bit ASLR (Address Space Layout Randomization).

Adobe said the new Flash Player 11, expected in early October, will include the SSL socket connection support to make it easier for developers to protect the data they stream over the Flash Player raw socket connections.


Flash Player 11 will also include a secure random number generator.

Adobe’s Platform Security Strategist Peleus Uhley explains:
Flash Player previously provided a basic, random number generator through Math.random. This was good enough for games and other lighter-weight use cases, but it didn’t meet the complete cryptographic standards for random number generation. The new random number generator API hooks the cryptographic provider of the host device, such as the CryptGenRandom function in Microsoft CAPI on Windows, for generating the random number. The native OS cryptographic providers have better sources of entropy and have been peer reviewed by industry experts.


The company is also adding 64-bit support in Flash Player 11, a move that Uhley says will bring some security side-benefits.

If you are using a 64-bit browser that supports address space layout randomization (ASLR) in conjunction with the 64-bit version of Flash Player, you will be protected by 64-bit ASLR. Traditional 32-bit ASLR only has a small number of bits available in the memory address for randomizing locations. Memory addresses based on 64-bit registers have a wider range of free bits for randomization, increasing the effectiveness of ASLR.

On the privacy side, Adobe is adding a private browsing mode to allow users to stay incognito while viewing Flash files. A mobile control panel is also being added to Android devices to make it easier for users to manage their Flash Player privacy settings.

22/09/11

Adobe Releases Out-of-Band Patch

Adobe released an out-of-band security update to address six critical vulnerabilities, all affecting Adobe Flash Player.

One of the six, a cross-site scripting vulnerability identified as CVE-2011-2444, is reportedly being exploited in the wild. The bug is reportedly being used in targeted attacks that involve malicious links sent out to targets through email messages.

Adobe attributed the discovery of CVE-2011-2444 to Google, who, in response to finding the vulnerability, issued an update for the Google Chrome browser to prevent attackers from exploiting the security hole.

Users are strongly advised to apply the patches as soon as possible, especially since exploiting any of the addressed vulnerabilities can lead to either remote code execution or information disclosure.

Note that users who utilize multiple browsers may need to update their other browsers separately. Users can visit this page through all their browsers to check if they have the latest version of Adobe Flash Player installed, and this page to update. Here is the list of Adobe Flash Player versions affected by vulnerabilities addressed in this update:

  • Flash Player 10.3.183.7 and earlier
  • Flash Player 10.3.183.7 and earlier for network distribution
  • Flash Player 10.3.186.6 and earlier for Android
  • Flash Player 10.3.183.7 and earlier for Chrome users
We will update this post once we find more information about the exploit.

nb : trendmicro

Urgent: Patch Adobe Flash to Protect against Zero-Day Exploit

Adobe issued a critical update today for its Flash Player software. The patch fixes six security vulnerabilities, at least one of which is a zero-day vulnerability being actively exploited in the wild.

The details of the Adobe security bulletin explain, "This update resolves a universal cross-site scripting issue that could be used to take actions on a user's behalf on any website or webmail provider if the user visits a malicious website (CVE-2011-2444)," adding, "Note: There are reports that this issue is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message."

The zero-day bug fixed today is similar to a flaw in Flash that was patched in June. Coincidentally, both the June vulnerability and this one patched today were reported to Adobe by Google.

I have not seen any official indication that the Flash zero-day had anything to do with the Diginotar hack that compromised digital certificates used to authenticate websites as legitimate--but the timing seems about right.

Just as flaws in the ubiquitous Adobe Flash were exploited to infiltrate RSA Security and compromise the encryption keys used in RSA's SecurID two-factor authentication tokens, Flash may also have been the Achilles heel of Diginotar.
Adobe Flash is nearly universal. With Adobe Flash Player software and browser plug-ins available for virtually every operating system and browser, this zero-day flaw could potentially impact 90 to 95 percent of the PCs in the world.

Andrew Storms, director of security operations for nCircle, connects the dots. "Adobe said that today’s bug 'could be used to act on the user's behalf with webmail providers.' I think we can interpret this to mean that a successful attack using this zero-day bug could allow the attacker to access the user's Gmail account."

Storms implores, "It’s time for all IT teams to circle the wagons and patch Flash as soon as possible."

I'll see Storms' "IT teams", and raise him an "everyone who uses Flash". Go download and install the Adobe Flash update now.

nb : pcworld

September Adobe Flash update patches critical vulnerabilities

Adobe has just released an update (APSB11-26) to its ubiquitous Flash software, revving it to version 10.3.183.10 for Windows, Mac, Solaris and Linux, and to version 10.3.186.7 for Android.

Today's release fixes six vulnerabilities in Flash Player, one of which was being used in targeted attacks (CVE-2011-2444). This bug is a cross-site scripting flaw which could allow malicious web pages to take actions on behalf of the logged in user.

Adobe has rated this update as Critical. SophosLabs has assigned it a High rating.
SophosLabs has yet to see any samples in the wild, and notes that CVE-2011-2444 is not straightforward to exploit. Nevertheless, as Adobe reports, this vulnerability has been exploited, albeit only in targeted attacks so far.

Windows, Mac, Solaris and Linux users can download the latest Flash player from http://get.adobe.com/flashplayer.

Do watch out though. If adding the bloat of Flash to your browsing experience isn't enough for you, Adobe has decided to default to bundling it with the Google Toolbar or McAfee trialware for Windows users.


You can untick the box before downloading if you don't want these options.
Maybe that's why Apple won't support Flash on iDevices. No portable versions of Google Toolbar or McAfee?

Android users can download the latest Flash Player from the Android Marketplace and Google Chrome users were automatically updated on September 20, 2011 with protection against these flaws.
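The affected builds listed in the Trend Micro post (10.3.183.7 and earlier, 10.3.186.6 and earlier on Android) and the fixed builds named here (10.3.183.10 and 10.3.186.7) can be turned into an inventory check. This is an added example, not code from Adobe or Sophos; the host names, the "desktop"/"android" labels and the comma-separated version form are assumptions of the example. It compares versions numerically, because a plain string comparison ranks 10.3.183.7 above 10.3.183.10.

```python
# Thresholds taken from the posts on this page (APSB11-26).
LAST_AFFECTED = {"desktop": (10, 3, 183, 7), "android": (10, 3, 186, 6)}
FIXED = {"desktop": (10, 3, 183, 10), "android": (10, 3, 186, 7)}

def parse_version(text):
    """'10.3.183.7' or '10,3,183,7' -> (10, 3, 183, 7); ValueError otherwise."""
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash Player version: {text!r}")
    return tuple(int(p) for p in parts)

def status(platform, version_text):
    """Classify one installation against the thresholds above."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparseable"      # needs a manual look, never assume patched
    if version >= FIXED[platform]:
        return "patched"
    if version <= LAST_AFFECTED[platform]:
        return "affected"
    return "unlisted"             # between the two builds; the page is silent

def naive_patched(version_text):
    """Deliberately wrong: string comparison, kept to show the pitfall."""
    return version_text >= "10.3.183.10"

# Constructed inventory rows (host, platform, reported version); not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "desktop", "10.3.183.7"),
    ("ws-02", "desktop", "10,3,183,10"),
    ("ws-03", "desktop", "10.3.183.9"),
    ("tab-01", "android", "10.3.186.6"),
    ("tab-02", "android", "10.3.186.7"),
    ("ws-04", "desktop", "unknown"),
]

def audit(inventory):
    """Map each host to its status."""
    return {host: status(platform, ver) for host, platform, ver in inventory}

if __name__ == "__main__":
    for host, result in audit(SAMPLE_INVENTORY).items():
        print(f"{host}\t{result}")
    print("naive string check calls 10.3.183.7 patched:", naive_patched("10.3.183.7"))
```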

nb : nakedsecurity.sophos