Saturday, December 10, 2016
Lousy Adobe Flash Updated To v18.0.0.203, Lousy Adobe AIR Updated To v18.0.0.180: CRITICAL Security Patches
--

The updates, patching ACTIVE in-the-wild EXPLOIT CVE-2015-5119, are out and available. 
Adobe just bothered to catch up and release the accompanying security bulletin:
https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
If you're still using Adobe Flash and AIR, you can go for the updates:
https://get.adobe.com/flashplayer/
https://get.adobe.com/air/
Because Adobe is so incredibly obtuse these days, when you visit the get AIR page, all you're going to see listed is "Version 18". IOW, tough luck if you want to know the actual version number. We little peon customers are too stupid to care about such vital things, right? But I've verified that what they're currently offering really is AIR v18.0.0.180, which is what we want. Proof:

Meanwhile, Adobe already has the beta of Flash version 18.0.0.205 in preparation for their in-band release of Flash on the second-Tuesday-of-the-month, July 14th. Keep an eye out for that one, if you care. (-_-) zzz
WHAT ELSE GOT PATCHED?
Hold on to your proverbial hats. This is an incredible list of security flaws patched in Flash and AIR:
Vulnerability Details
These updates improve memory address randomization of the Flash heap for the Windows 7 64-bit platform (CVE-2015-3097).
These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431).
These updates resolve null pointer dereference issues (CVE-2015-3126, CVE-2015-4429).
These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2015-3114).
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433).
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119).
These updates resolve vulnerabilities that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116).

I marked our pal, in-the-wild exploit CVE-2015-5119, in red. That's 36 security flaws patched in Flash and AIR. Yes, Flash (and therefore AIR) really is crap code. And no doubt, it has many more security flaws waiting to be exploited. I read an article last week claiming that Adobe Flash is now the #1 most dangerous software you can run on the Internet, surpassing the awful Oracle Java plug-in. Astounding. It takes some seriously bad coding to surpass Java's horrendous security problems.
If you don't need Flash/AIR or Java running over the Internet, then get rid of their Internet Plug-ins. Please.
:-Derek

--
Friday, September 23, 2016
Lots Of Recent Apple Security Patches
--

While I was taking a break to get over a cold, Apple has provided lots of new security patches. Here is my summary:
I) Security Update 2013-001
(For Snow Leopard, Snow Leopard Server, Lion and Lion Server, included in OS X Mountain Lion Update 10.8.3)
Apple's security content document:
About the security content of OS X Mountain Lion v10.8.3 and Security Update 2013-001

CVE IDs:
(I have arranged the list chronologically and collected together the affected parts of OS X, in contrast to Apple's listing.)
CVE-2011-3058 - Cross-site scripting attacks on EUC-JP encoded websites; Affecting international components for Unicode.
CVE-2012-2088 - Memory corruption caused by a maliciously crafted image; Affecting IOAcceleratorFamily.
CVE-2012-3488,
CVE-2012-3489 - SQL privileges escalation and other issues; Affecting PostgreSQL.
CVE-2012-3525 - Jabber dialback result messages rerouted by a remote attacker, disclosing information; Affecting the Jabber Messages Server.
CVE-2012-3749 - Bypassing of ASLR (address space layout randomization) and kernel address information disclosure; Affecting Kernel.
CVE-2012-3756 - Maliciously crafted MP4 files causing a buffer overflow; Affecting QuickTime.

CVE-2013-0156 - Ruby on Rails issue allowing remote attacker arbitrary code execution via XML parameters; Affecting Podcast Producer Server, Profile Manager, Ruby and Wiki Server.
CVE-2013-0333 - Ruby on Rails issue allowing remote attacker arbitrary code execution via JSON data; Affecting Podcast Producer Server and Wiki Server.
CVE-2013-0963 - Bypass of certificate-based Apple ID authentication erroneously extending trust to a user; Affecting Identity Services.
CVE-2013-0966 - Attacker access to HTTP authentication protected directories via URIs containing ignorable Unicode character sequences; Affecting Apache.
CVE-2013-0967 - Maliciously crafted website Java Web Start application launching automatically despite the Java plug-in being disabled; Affects CoreTypes.
CVE-2013-0969 - VoiceOver allowed attacker with keyboard access to launch applications at the login window and modify the system configuration; Affecting Login Window.
CVE-2013-0970 - FaceTime:// URLs in Messages could be formatted to bypass the standard confirmation prompt and initiate a FaceTime call; Affecting Messages.
CVE-2013-0971 - Maliciously crafted PDFs could use ink annotations to cause memory management errors including unexpected application termination and arbitrary code execution; Affecting PDFKit.
CVE-2013-0973 - Plugins in Software Update's marketing text WebView could be used in a man-in-the-middle attack allowing arbitrary code execution; Affecting Software Update.
CVE-2013-0976 - Maliciously crafted images could cause unexpected system termination or arbitrary code execution; Affecting IOAcceleratorFamily.
II) OS X Mountain Lion Update 10.8.3
(Update and Combo Update)
Apple's security content document (same as above):
About the security content of OS X Mountain Lion v10.8.3 and Security Update 2013-001
The security patch content is generally the same as Security Update 2013-001 and Safari 6.0.3.

(Included as part of OS X 10.8.3 and Security Update 2013-001)
Apple's security content document:
About the security content of Safari 6.0.3
Summary: Seventeen security issues affecting WebKit.
CVE IDs:
CVE-2012-2824,
CVE-2012-2857,
CVE-2013-0948,
CVE-2013-0949,
CVE-2013-0950,
CVE-2013-0951,
CVE-2013-0952,
CVE-2013-0953,
CVE-2013-0954,
CVE-2013-0955,
CVE-2013-0956,
CVE-2013-0958,
CVE-2013-0959,
CVE-2013-0960,
CVE-2013-0961 - A maliciously crafted website could cause unexpected application termination or arbitrary code execution, aka bad memory management.
CVE-2012-2889 - A maliciously crafted website could use frame elements to allow a cross-site scripting attack.
CVE-2013-0962 - Pasting content on a malicious website could allow a cross-site scripting attack.

Apple's security content document:
About the security content of iOS 6.1.3
iOS 6.1.3 security flaw allows passcode lock bypass... again [VIDEO]
Summary: This update patched the screen lock bypass problem accessible via making an emergency call. The other five patches cover a variety of issues in WebKit, dyld, lockdownd, USB and the Kernel.
CVE-IDs:
CVE-2013-0912 - A maliciously crafted website could use SVG files to cause unexpected application termination or arbitrary code execution; Affects WebKit.
CVE-2013-0977 - Execution of unsigned code could result from incorrect handling of Mach-O executable files with overlapping segments; Affects dyld.
CVE-2013-0978 - The addresses of structures in the kernel were disclosed via an issue in the ARM prefetch abort handler; Affects Kernel.
CVE-2013-0979 - Able to change permissions on arbitrary files that included a symbolic link after restoring from a backup; Affects LockDown / lockdownd.
CVE-2013-0980 - Screen lock bypass via a logic error in the handling of emergency calls from the lock screen; Affects Passcode Lock.
CVE-2013-0981 - Execution of arbitrary code via an issue with pipe object pointers in the IOUSBDeviceFamily driver; Affects USB.

Apple's security content document:
About the security content of Apple TV 5.2.1
Summary: The three patched security flaws are, not surprisingly, also found in iOS 6.1.3.
CVE-IDs:
CVE-2013-0977 - Execution of unsigned code could result from incorrect handling of Mach-O executable files with overlapping segments.
CVE-2013-0978 - The addresses of structures in the kernel were disclosed via an issue in the ARM prefetch abort handler.
CVE-2013-0981 - Execution of arbitrary code via an issue with pipe object pointers in the IOUSBDeviceFamily driver.
