The Flash update includes a fix to the vulnerability used by Vupen during PWN2OWN. Three of the vulnerabilities are memory corruption issues that could lead to code execution. The fourth is an integer overflow vulnerability that could also lead to code execution. Together, these four fixes are the most critical of the updates since they could, comments Chester Wisniewski in the Sophos NakedSecurity blog, “allow RCE or ‘driveby’ attacks like we frequently see from exploit kits like Blackhole.”
Three of the vulnerabilities were discovered by the Google Security Team (CVE-2013-1378, CVE-2013-1379, CVE-2013-1380), and the fourth by Vupen, reported through TippingPoint's Zero Day Initiative (CVE-2013-2555). Users of browsers other than IE10 and Chrome will need to update manually. “This link should tell you which version of Flash your browser has installed,” comments Brian Krebs. “The most recent versions are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.”
The ColdFusion patch fixes two vulnerabilities: CVE-2013-1387 and CVE-2013-1388. The first could be exploited to impersonate an authenticated user, while the second could be exploited by an unauthorized user to gain access to the ColdFusion administrator console. Both were disclosed by an anonymous researcher who receives the gratitude of Adobe “for responsibly disclosing the relevant issues and for working with Adobe to help protect our customers.”
But according to Amichai Shulman, CTO and cofounder at Imperva, at least one of the vulnerabilities was published some time ago, and is, he told Infosecurity, “a great example of a number of important concepts regarding information security today.” Since it is a server side vulnerability it could affect almost any application written within the framework. “It shows that today's application layer security is very difficult to track and maintain throughout the development stage because multiple components of the application are developed by different parties and an organization does not have total control on code security.” Shulman recommends application layer security, which, he adds, is “a must have in deployment stage.”
He also believes the ColdFusion patch demonstrates the need for virtual patching capabilities. “This vulnerability has been published a while ago,” he points out, “and any organization who did not deploy virtual patching solution for the application layer suffered a wide window of opportunity for attackers to exploit this vulnerability before the patch is issued (not taking into consideration the time it takes to deploy).”
“Last, but not least,” comments Wisniewski, “there are also four critical vulnerabilities in Adobe Shockwave player. I would recommend updating it, but to be fair you should probably remove it. If you insist on keeping it you can retrieve the latest from http://get.adobe.com/shockwave.” Krebs agrees. “Securing your system means not only making sure things are locked down, but removing unneeded programs, and Shockwave is near the top of my list on that front.”
| For more information on all of this month's patches, please register for free to attend our monthly Patch Update webinar on Thursday 11th April using this link. |