Archive for June, 2010

Systems Affected

* Adobe Flash Player
* Adobe AIR

Other Adobe products that support Flash may also be vulnerable.

Overview

There are vulnerabilities in Adobe Flash Player and AIR. An attacker could exploit these vulnerabilities to take control of your computer.

Solution

Update Flash Player and Adobe AIR

Adobe Security Bulletin APSB10-14 recommends updating at the Adobe Flash Player Download Center and Adobe AIR Download Center. Both Flash Player and AIR support automatic updates. This will update the Flash web browser plug-in and ActiveX control and AIR, but will not update Flash support in Adobe Reader, Acrobat, or other products.

To reduce your exposure to these and other Flash vulnerabilities, consider the following mitigation technique.

Disable Flash in your web browser

Uninstall Flash or restrict which sites are allowed to run Flash. To the extent possible, only run trusted Flash content on trusted domains. For more information, see Securing Your Web Browser.

Description

Adobe Security Advisory APSB10-14 describes vulnerabilities in Flash Player and AIR. Exploiting them requires a user to open malicious Flash content, which could be on a web page, in a PDF document, in an email attachment, or embedded in another file.

By convincing you to open malicious Flash content, an attacker may be able to take control of your computer or cause it to crash.

References

* Security update available for Adobe Flash Player - <http://www.adobe.com/support/security/bulletins/apsb10-14.html>
* Adobe Flash Player Download Center - <http://get.adobe.com/flashplayer/>
* Adobe AIR Download Center - <http://get.adobe.com/air/>
* US-CERT Technical Cyber Security Alert TA10-162A - <http://www.us-cert.gov/cas/techalerts/TA10-162A.html>

You may think that you are anonymous as you browse websites, but pieces of information about you are always left behind. You can reduce the amount of information revealed about you by visiting legitimate sites, checking privacy policies, and minimizing the amount of personal information you provide.

What information is collected?

When you visit a website, a certain amount of information is automatically sent to the site. This information may include the following:

* IP address – Each computer on the internet is assigned a specific, unique IP (internet protocol) address. Your computer may have a static IP address or a dynamic IP address. If you have a static IP address, it never changes. However, some ISPs own a block of addresses and assign an open one each time you connect to the internet; this is a dynamic IP address. You can determine your computer's IP address at any given time by visiting www.showmyip.com.
* domain name – The internet is divided into domains, and every user's account is associated with one of those domains. You can identify the domain by looking at the end of the URL; for example, .edu indicates an educational institution, .gov indicates a US government agency, .org refers to an organization, and .com is for commercial use. Many countries also have specific domain names. The list of active domain names is available from the Internet Assigned Numbers Authority (IANA).
* software details – It may be possible for an organization to determine which browser, including the version, you used to access its site. The organization may also be able to determine what operating system your computer is running.
* page visits – Information about which pages you visited, how long you stayed on a given page, and whether you came to the site from a search engine is often available to the organization operating the website.

If a website uses cookies, the organization may be able to collect even more information, such as your browsing patterns, which include other sites you've visited. If the site you're visiting is malicious, files on your computer, as well as passwords stored in temporary memory, may be at risk.
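As an added illustration (not part of the original tip), the following Python script parses a few constructed web-server log lines in Apache combined format and reconstructs what a site operator can see about each visitor from its own logs: IP address, browser and version, operating system, pages visited, time on site, and whether the visit arrived from a search engine. The log lines, IP addresses and user-agent strings are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2010:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 5123 "http://www.google.com/search?q=example" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6.3"
203.0.113.7 - - [10/Jun/2010:14:04:41 +0000] "GET /about.html HTTP/1.1" 200 2210 "http://example.org/index.html" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6.3"
198.51.100.23 - - [10/Jun/2010:14:05:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6) Safari/533.16"
"""

# Fields of the combined log format: client IP, timestamp, request, status, size, referer, user-agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SEARCH_ENGINES = ("google.", "bing.", "yahoo.")
OS_HINTS = (("Windows NT 6.1", "Windows 7"), ("Windows", "Windows"), ("Mac OS X", "Mac OS X"))
BROWSER_RE = re.compile(r"(Firefox|Chrome|MSIE|Safari)[/ ]([\d.]+)")

def parse_line(line):
    """Return the log fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify_ua(ua):
    """Derive browser/version and operating system from the User-Agent header."""
    os_name = next((label for hint, label in OS_HINTS if hint in ua), "unknown")
    b = BROWSER_RE.search(ua)
    return (f"{b.group(1)} {b.group(2)}" if b else "unknown"), os_name

def visitor_profiles(log_text):
    """Aggregate, per client IP, what the site operator can infer from its logs."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:                       # skip malformed lines instead of crashing
            by_ip[rec["ip"]].append(rec)
    profiles = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        browser, os_name = classify_ua(recs[0]["ua"])
        profiles[ip] = {
            "browser": browser, "os": os_name,
            "pages": [r["path"] for r in recs],
            "from_search_engine": any(s in recs[0]["referer"] for s in SEARCH_ENGINES),
            "seconds_on_site": int((recs[-1]["ts"] - recs[0]["ts"]).total_seconds()),
        }
    return profiles
```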

How is this information used?

Generally, organizations use the information that is gathered automatically for legitimate purposes, such as generating statistics about their sites. By analyzing the statistics, the organizations can better understand the popularity of the site and which areas of content are being accessed the most. They may be able to use this information to modify the site to better support the behavior of the people visiting it.

Another way to apply information gathered about users is marketing. If the site uses cookies to determine other sites or pages you have visited, it may use this information to advertise certain products. The products may be on the same site or may be offered by partner sites.

However, some sites may collect your information for malicious purposes. If attackers are able to access files, passwords, or personal information on your computer, they may be able to use this data to their advantage. The attackers may be able to steal your identity, using and abusing your personal information for financial gain. A common practice is for attackers to use this type of information once or twice, then sell or trade it to other people. The attackers profit from the sale or trade, and increasing the number of transactions makes it more difficult to trace any activity back to them. The attackers may also alter the security settings on your computer so that they can access and use your computer for other malicious activity.

Are you exposing any other personal information?

While using cookies may be one method for gathering information, the easiest way for attackers to get access to personal information is to ask for it. By representing a malicious site as a legitimate one, attackers may be able to convince you to give them your address, credit card information, social security number, or other personal data (see Avoiding Social Engineering and Phishing Attacks for more information).

How can you limit the amount of information collected about you?

* Be careful supplying personal information – Unless you trust a site, don't give your address, password, or credit card information. Look for indications that the site uses SSL to encrypt your information (see Protecting Your Privacy for more information). Although some sites require you to supply your social security number (e.g., sites associated with financial transactions such as loans or credit cards), be especially wary of providing this information online.
* Limit cookies – If an attacker can access your computer, he or she may be able to find personal data stored in cookies. You may not realize the extent of the information stored on your computer until it is too late. However, you can limit the use of cookies (see Browsing Safely: Understanding Active Content and Cookies for more information).
* Browse safely – Be careful which websites you visit; if it seems suspicious, leave the site. Also make sure to take precautions by increasing your security settings (see Evaluating Your Web Browser's Security Settings for more information), keeping your virus definitions up to date (see Understanding Anti-Virus Software for more information), and scanning your computer for spyware (see Recognizing and Avoiding Spyware for more information).

_________________________________________________________________

Author: Mindi McDowell

A vulnerability affects the Microsoft Windows Help and Support Center. This vulnerability is due to improper sanitization of hcp:// URIs. Exploitation of this vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands.

URL: http://blogs.technet.com/b/srd/archive/2010/06/10/help-and-support-center-vulnerability-full-disclosure-posting.aspx

Cisco has released a security advisory to address multiple vulnerabilities in Network Building Manager. The advisory indicates that the legacy Richards-Zeta Mediator products are also affected by these vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to operate with escalated privileges or obtain sensitive information.

US-CERT encourages users and administrators to review Cisco security advisory cisco-sa-20100526-mediator and apply any necessary updates to help mitigate the risks.

Relevant URL(s):
<http://www.cisco.com/en/US/products/products_security_advisory09186a0080b2c518.shtml>

Adobe has released a security advisory to notify users of a vulnerability in Adobe Flash Player, Reader, and Acrobat. Exploitation of this vulnerability may allow an attacker to execute arbitrary code and take control of the affected system. The advisory indicates that Adobe is aware of active exploitation of this vulnerability.

US-CERT encourages users and administrators to review Adobe security advisory APSA10-01 and apply any necessary workarounds until a fix is released by the vendor.

US-CERT will provide additional information as it becomes available.

Relevant URL(s):
<http://www.adobe.com/support/security/advisories/apsa10-01.html>