Microsoft today issued security updates to fix at least 19 vulnerabilities in its software, including a zero-day flaw in the Internet Explorer browser that is already being actively exploited. Separately, Adobe has released a critical update that plugs at least two security holes in its Flash Player software.
Three of the eight patches that Microsoft released earned its most dire “critical” label, meaning the vulnerabilities fixed in them can be exploited by malware or miscreants remotely without any help from Windows users. Among the critical patches is an update for Internet Explorer (MS13-088) that mends at least two holes in the default Windows browser (including IE 11). MS13-089 is a critical file handling flaw present in virtually every supported version of Windows.
The final critical patch — MS13-090 — fixes what is essentially another IE flaw (in ActiveX) that showed up in targeted attacks late last week. Microsoft says attackers used a second, “information disclosure” vulnerability in tandem with the ActiveX flaw, but that the company is still investigating that one. It noted that its Enhanced Mitigation Experience Toolkit (EMET) tool successfully blocked the ActiveX exploit.
Nevertheless, it’s important for IE users to apply these updates as quickly as possible. According to Rapid7, exploit code for the ActiveX vulnerability appeared on Pastebin this morning.
“It was known to be under some targeted exploitation, but that will probably expand now that the exploit is public,” said Ross Barrett, senior manager of security engineering at Rapid7. “I would call patching this issue priority #1.” For what it’s worth, Microsoft agrees, at least according to this suggested patch deployment chart.
Today’s patch batch from Redmond did not include an official patch for yet another zero-day vulnerability that has been under active exploitation, although Microsoft did release a stopgap Fix-It tool last week to help blunt the threat. The company also is once again advising Windows users to take another look at EMET.
Check out Microsoft’s Technet blog for more information on these and other updates that the company released today.
In a separate patch release, Adobe issued a fix for its Flash Player software for Windows, Mac, Linux and Android devices. The Flash update brings the ubiquitous player to v. 11.9.900.152 on Mac and Windows systems. Users browsing the Web with IE10 or IE11 on Windows 8.x should get the new version of Flash (11.9.900.152) automatically; IE users not on Windows 8 will need to update manually if Flash is not set to auto-update.
To check which version of Flash you have installed, visit this page. Direct links to the various Flash installers are available here. Be aware that downloading Flash Player from Adobe’s recommended spot — this page — often includes add-ons, security scanners or other crud you probably don’t want. Strangely enough, when I visited that page today with IE10, the download included a pre-checked box to install Google Toolbar and to switch my default browser to Google Chrome.
Speaking of Chrome, it’s high time to address a sore spot for me these past few months. When Chrome first began shipping auto-updates for Flash, Google often quietly fixed new Flash vulnerabilities in its browser even before Adobe issued its patch advisories — sometimes days in advance. Increasingly over the past year, however, Google has lagged behind in this department. In September 2013, for example, it took Google more than a week to update its browser to fix the latest Flash flaws, leaving users dangerously exposed. A Google spokesperson attributed that one-week delay to “a bug in Chrome on Windows 8 Metro” that prompted Google to “halt the update” while it investigated the root cause. But the company never fully explained why the rollout of that Flash update was suspended for users on other versions of Windows.
I’m happy to see that Chrome appears to be back on its game: the latest version of Chrome (31.0.1650.48) includes this Flash update (v. 11.9.900.152). If you’re using Chrome and don’t see the latest version, you may simply need to close and restart the browser.
Finally, while Adobe says it is not aware of any exploits or active attacks against either of the Flash flaws, the company may have fixed something of a zero-day today. Among the other patches Adobe released is a set of fixes for ColdFusion, its Web application platform. Not long ago, researcher Alex Holden of Hold Security pinged Adobe that the same attackers who stole the company’s source code for ColdFusion, Acrobat, Reader and Photoshop also were using a zero-day flaw in ColdFusion which, according to Adobe, may result in remote access to files without authorization. That flaw was one of two vulnerabilities that Adobe fixed in today’s updates for ColdFusion.
Holden maintains this flaw was being used by attackers prior to today. “Hold Security identified an attack attempt against a ColdFusion version 8 resource by the same hackers behind breaches like LexisNexis, Adobe, and others,” Holden said. “Unaware of the possible effectiveness of this attack, Hold Security reached out to Adobe. While Adobe did not find the precise attack effective against any of the supported CF versions, they did identify a critical flaw in the same resource which led to the patch issued today.”
For its part, Adobe says they are unaware of any zero-day attacks against the now-patched vulnerability, and that the vulnerability they credited Holden with fixing was present only in ColdFusion version 10.
Update: 8:29 p.m. ET: Added statement from Hold Security.