Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Adobe flash player and air patched

Published: 2009-12-09
Last Updated: 2009-12-10 00:54:00 UTC
by Swa Frantzen (Version: 4)
2 comment(s)

The almost universally installed flash player of adobe has been update to version 10.0.42.34. Adobe air was upgraded as well to version 1.5.3.

Read more about it in the apsb09-19 bulletin from adobe.

The reason behind it are 7 vulnerabilities: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800 and, CVE-2009-3951 of which 6 lead to arbitrary code execution and the last one is a windows-only issue leading to unauthorized information disclosure, related to CVE-2008-4820.

"Upgrade!" is the loud and clear message should our audience need that encouragement.

At this point we have no guidance for users wishing to know more about version 9 of the flash player aside of considering an upgrade to the latest incarnation of version 10.

Thanks for the heads-up go to David and Andrew.

UPDATE 1:

Martin wrote in with a link to the download page for those with licenses (where you can get e.g. MSI packages) and that states: "As of December 8, 2009, Flash Player 9 is no longer available for distribution. All Licensees should now distribute Flash Player 10". I guess that implies those still holding out on Flash player 9 have but one path forward.

UPDATE 2:

We were informed by a reader that the w removed link to the download page for those with licenses is in fact a secret link. From the email adobe sends to their customers getting this link rightfully:

**********
You may not share the above link, share information with others, or publish the above link on websites, blogs, or by any other means that can be publicly accessed. The information contained on this site is meant for your use only in accordance with Adobe Flash Player Distribution License Agreement you accepted. You may direct others to http://www.adobe.com/products/players/fpsh_distribution1.html to request distribution rights.


Regards,

Adobe Systems Incorporated
***********

We didn't know about it being a secret link. And apologize for unknowingly exposing it.

If anybody knows a non-secret link that clearly states Flash Player 9 is at the end of it's updates, please send it to us as it's the kind of pressure some out there need to get to be allowed to upgrade the software.

UPDATE 3:

Flash player 9 updates for unsupported platforms are available in KB 406791. Note that his is intended for those still using unsupported OSes from their respective vendors such as Windows 98, Windows ME, MacOS X 10.1-10.3, and Red Hat Enterprise Linux 3 and 4 operating systems, who cannot run Flash player 10. Note adobe nowheresaid these were updated to fix the same bugs as those fixed in Flash player 10: use at your own risk.

--
Swa Frantzen -- Section 66

Keywords: adobe flash patches
2 comment(s)

Facebook announces privacy improvements

Published: 2009-12-09
Last Updated: 2009-12-09 19:59:00 UTC
by Swa Frantzen (Version: 1)
1 comment(s)

Facebook, one of the largest social networking sites and somewhat notorious on the privacy front, has been working on a turn about of their privacy approach.

Last week there was a message from the founder Mark Zuckerberg referencing earlier trials with improved tools and settings and stating:

The plan we've come up with is [...] to create a simpler model for privacy control where you can set content to be available to only your friends, friends of your friends, or everyone.

We're adding something that many of you have asked for - the ability to control who sees each individual piece of content you create or upload. In addition, we'll also be fulfilling a request made by many of you to make the privacy settings page simpler by combining some settings. If you want to read more about this, we began discussing this plan back in July.

press release was made today accompanied by a blog post highlighting:

  • Adding Control For Each Item
  • Simplified Privacy Settings
  • Help In Choosing Settings
  • Expanded Privacy Education

Privacy settings can be reached on: http://www.facebook.com/privacy/ it still feels quite complex to a casual user like myself, but adding more control is a good thing. Now onto getting security for the information you post online by default I guess.

--
Swa Frantzen -- Section 66

Keywords: facebook privacy
1 comment(s)

OSSEC 2.3 released

Published: 2009-12-09
Last Updated: 2009-12-09 18:12:31 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

OSSEC 2.3 was actually released a few days ago, but a careful reader pointed out we had not covered it yet.

From the announcement: What's New?

  1. Log analysis rules for the Nginx web server
  2. Log analysis rules for Suhosin (Hardened PHP)
  3. Support for real time file integrity monitoring on Windows systems
  4. Support for monitoring the output of commands (process monitoring)

The Changelog has more detailed coverage of the changes.

--
Swa Frantzen -- Section 66

Keywords: OSSEC upgrade
0 comment(s)
New Poll: What DNS service do you use (see right hand sidebar)

ntpd upgrade to prevent spoofed looping

Published: 2009-12-09
Last Updated: 2009-12-09 14:10:04 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

Martin wrote in to point to VU #568372. It contains a description of a vulnerability (CVE-2009-3563) in the ntpd.org reference implementation of ntpd, which will sound very familiar for any dog owner seeing his pet chase it's own tail. Basically all that's needed is a single spoofed packet to set of ntp daemons to start endlessly sending messages to themselves or to each-other.

Filtering in the short term is a possible workaround, but upgrading your ntp software to at least version 4.2.4p8 is a far better long term strategy.

Note that this software is often embedded in various devices and operating systems, so upgrading it might take a bit of effort in tracking it all down.

--
Swa Frantzen -- Section 66

Keywords: DoS ntp ntpd
0 comment(s)
Diary Archives