December Security Updates

Another month, another collection of patches and fixes you should install. This month we cover Adobe, Microsoft, VMware, Oracle, Opera and Android.

Adobe
Adobe has released patches for Acrobat and Reader … again. As before, these updates address flaws that allow attackers to take over a system by simply directing the user to a PDF file. Like we’ve seen throughout the past year, if you’re running Adobe Reader X, you’re far better off than if you stayed on 9. (If you’re on 7 or 8, be aware those versions are no longer maintained and are even riskier.) See details here and here.

Any file can be a potential source of compromise, but as the PDF format becomes increasingly complex, it is increasingly used as an attack vector. If you don’t have a patch process built around Adobe products, you are not only taking a huge risk, but you’re likely already infected. Modern anti-malware systems do a great job of protecting against this sort of threat, but expecting them to cover for the negligence of not patching is like expecting to put out a forest fire with a hand-held extinguisher.

In other Adobe news, there is a problem in Flash that we don’t know much about yet … except that Adobe hasn’t patched it yet. What little we do know about this problem is documented here. Needless to say, when you’re building that system to protect yourself from PDFs, best work Flash patching in, too.

Finally, there have been problems found in Flex and ColdFusion. These have been patched and, thankfully, do not seem to require a recompilation of your applications. If you’re running a ColdFusion system, please read the technote here and pay close attention to whether you’ve installed the APSB11-14 Hotfix. If you do not have admin privileges to your ColdFusion server, you can use this technique to pull out information to give to your admins.

Microsoft
Microsoft sure believes in 2011 going out with a bang. Thirteen updates came out last week, eight of them critical. We get a nice mix of remote code execution and privilege escalation, which, chained together, means “game over” for the victim. Problems with TrueType fonts and Excel files are being actively exploited. As usual, the best details are over at the SANS Internet Storm Center. Please patch ASAP.

I also want to take a few minutes and point you to some interesting facets of the Microsoft articles that accompany these problems. Normally, Microsoft hides some information deep in the alerts about workarounds, but they’re usually not very useful. This month, however, is quite different.

- Microsoft has had a history of problems with reading TrueType files. Odds are MS11-087 is not the last patch for this issue. If you want to disable all embedded font functionality, see this workaround. You’re basically blocking access to the embedded font system by setting ownership and access control lists. Note that it will break the ability to generate PDF files from Word.

- The problem with Pinyin IME only affects Chinese versions of Office … and those that installed the optional input method. If you’re the type of person that loads all options just to have a “complete” install, be aware this places you at risk. The more pieces you have in a system, the more options an attacker has to take advantage of you.

- The workarounds for Publisher all read: “Do not open Publisher files that you receive from untrusted sources or that you receive unexpectedly from trusted sources.” This is common verbiage in Microsoft articles. By now, I think we all know users are going to click on stuff. So, better advice might be “If you don’t need Publisher, don’t install it.” This also applies to Word, Excel, PowerPoint, Access, Project, OneNote, Picture Manager, etc. Megapackages like Office come with lots of parts and if you don’t need them, don’t install them.

- The problem with Windows Media Player allows an attacker to take complete control by sending you a .dvr-ms file. Do you need to play .dvr-ms files? I know I never have to. You can block this entire format by following the instructions here.

- MS11-094 involves loading DLL libraries over a WebDAV share. Microsoft has been having trouble with WebDAV since 2004. If you don’t use this feature (and unless you’re running SharePoint, you probably don’t), you may just want to turn it off. Details on doing this are in this workaround. The easiest option is just to disable the WebClient service.

- Hidden in the same MS11-094 vulnerability is an instruction on how to use the Microsoft Office File Block policy. If you work in a high-risk organization and have updated to modern versions of Office, you can drastically reduce your risk by blocking old office types. Details here.

- Similarly, you can block file types that fail validation. As detailed in this workaround from MS11-096, the most common types of files used to spread malware to Office simply won’t open. Ask yourself whether you really need macros in old Office formats. I know I don’t.
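To make two of the workarounds above checkable on a fleet, here is an added PowerShell audit script; it is not from the original post or from Microsoft. It reports whether the WebClient service (MS11-094) is stopped and disabled and whether the embedded-font DLL (MS11-087) carries the deny ACL, and can disable WebClient. It assumes the font workaround targets System32\t2embed.dll, that the local “Everyone” group uses its English name, and that the session is elevated.

```powershell
# Added audit script for the MS11-094 and MS11-087 workarounds described above.
# Assumptions: the font workaround denies Everyone access to System32\t2embed.dll,
# the local 'Everyone' group carries its English name, and the shell is elevated.

function Get-WorkaroundStatus {
    $result = [ordered]@{}

    # MS11-094: WebDAV client functionality lives in the WebClient service.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($svc) {
        $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'").StartMode
        $result['WebClientStatus']    = [string]$svc.Status
        $result['WebClientStartMode'] = $mode
        $result['WebDavDisabled']     = ($mode -eq 'Disabled' -and $svc.Status -eq 'Stopped')
    } else {
        $result['WebDavDisabled'] = $true    # service not installed, nothing to disable
    }

    # MS11-087: the workaround denies access to the embedded-font DLL via an ACL.
    # Remember this breaks PDF generation from Word, as noted above.
    $t2 = Join-Path $env:windir 'System32\t2embed.dll'
    if (Test-Path $t2) {
        $deny = (Get-Acl -Path $t2).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -match 'Everyone'
        }
        $result['EmbeddedFontsBlocked'] = [bool]$deny
    }

    [pscustomobject]$result
}

# Stop and disable WebClient. Supports -WhatIf; skip this on hosts that need
# WebDAV (SharePoint users, for example).
function Disable-WebClientService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('WebClient', 'Stop and disable service')) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }
}

Get-WorkaroundStatus | Format-List
```

Run `Disable-WebClientService -WhatIf` first to see what would change, then without `-WhatIf` once you have confirmed the host does not need WebDAV.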

Oracle
Even if you’re not running their database, you are likely still affected by Oracle updates. Since it purchased Sun, Oracle is now in charge of creating Java patches. Java trails only Adobe PDF and Flash as the most exploited software. You should be patching Java just like Adobe, and if you’re not (as I mentioned above), you’re likely already infected. The Oracle release notes are here. A list of bugs fixed is here.

VMware
There is a relatively minor update to VMware Update Manager 4.x. I am only mentioning it here because many people are still not in the habit of patching VMware. Remember, infrastructure components (VMware, Cisco gear, hardware appliances, etc.) are really just servers and need to be maintained the same way.

Details on the VMware issues are here.

Opera
For those who use the Opera web browser, note that it has been updated to version 11.60. This update includes a fix for problems involving the BEAST attack. Details are covered here.

Android
If you are running an Android phone, be aware that malware has jumped 472% since July. Sadly, there is little we can do about this other than taking basic precautions. I recommend you at least run the free version of Lookout. If you’ve rooted your phone, try to limit where you install apps from and run DroidWall to keep your apps from being too chatty. I’ll work up a guide to a more secure Android device sometime in 2012, but the above advice should tide you over for the time being.

If you’re supporting devices professionally, there are some non-free options that help out a lot. Feel free to contact us for more details.
