Adobe patches Business Logic error in Flash

In a rare turn of events, Adobe has only needed to resolve one vulnerability during December’s Patch Tuesday. According to the tech giant’s security advisory, the lone “Business Logic error” bug, CVE-2017-11305, is a moderately dangerous vulnerability.
“This update addresses a regression that could lead to the unintended reset of the global settings preference file,” Adobe says.
The vulnerability impacts Adobe Flash and Adobe Flash for Google Chrome on Windows, Mac, Linux and Chrome OS, as well as Adobe Flash for Microsoft Edge and Internet Explorer 11 on Windows 8.1 and 10.
The vulnerability has been granted a priority rating of 2, and Adobe has not received reports of it being exploited in the wild.
In November, Adobe patched 67 vulnerabilities, many of them critical. The bugs impacted Adobe Flash, Acrobat, and Reader, as well as other software.
In total, five vulnerabilities were fixed in Flash, all of which were deemed critical. The out-of-bounds read and use-after-free security flaws, if exploited, could lead to remote code execution.
Cross-site scripting (XSS) vulnerabilities, type confusion issues, buffer problems, and memory corruption vulnerabilities were also fixed in other software.

In the same Patch Tuesday, Microsoft issued fixes for over 30 vulnerabilities in software including the Microsoft Windows operating system, Microsoft Office, Exchange Server, and Microsoft Edge.

On Wednesday, in a presentation at Black Hat Europe, Positive Technologies security researchers Mark Ermolov and Maxim Goryachy plan to explain the firmware flaws they found in Intel Management Engine 11, along with a warning that vendor patches for the vulnerability may not be enough.
Two weeks ago, the pair received thanks from Intel for working with the company to disclose the bugs responsibly. At the time, Chipzilla published 10 vulnerability notices affecting its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE).
The Intel Management Engine, which resides in the Platform Controller Hub, is a coprocessor that powers the company’s vPro administrative features across a variety of chip families. It has its own OS, MINIX 3, a Unix-like operating system that runs at a level below the kernel of the device’s main operating system.
It’s a computer designed to monitor your computer. In that position, it has access to most of the processes and data on the main CPU. For admins, it can be useful for managing fleets of PCs; it’s equally appealing to hackers for what Positive Technologies has dubbed “God mode.”
The flaws cited by Intel could let an attacker run arbitrary code on affected hardware that wouldn’t be visible to the user or the main operating system. Fears of such an attack led Chipzilla to implement an off switch, to comply with the NSA-developed IT security program called HAP.
But having identified this switch earlier this year, Ermolov and Goryachy contend it fails to protect against the bugs identified in three of the ten disclosures: CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707.
The duo say they found a locally exploitable stack buffer overflow that allows the execution of unsigned code on any device with Intel ME 11, even if the device is turned off or protected by security software.
They claim to have employed a generic technique to bypass the stack canary, a value written to memory to catch overflows via change detection, thereby allowing them to run executable code using Return Oriented Programming.
Though the vulnerabilities require local access to an affected machine or the credentials to access the machine through a remote IT management system, an Active Management Technology (AMT) flaw disclosed by Intel in May raises the possibility of a remote attack.
“Given the massive penetration of devices with Intel chips, the potential scale for attacks is big, everything from laptops to enterprise IT infrastructure is vulnerable,” the pair said in a statement emailed to The Register.

“Such a problem is very hard to resolve – requiring a manufacturer to upgrade firmware, and attackers exploiting it may be just as difficult to detect.”
Dino Dai Zovi, co-founder and CTO of security biz Capsule8, in an email to The Register, said the most troubling aspect of the research is that it may be exploited without the need to open the target system’s enclosure.
“This is not a huge impediment to an attacker with physical access, but as some laptops have case tamper switches, it is able to bypass that protection,” he said.
Ermolov and Goryachy contend patches for the flawed hardware related to CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707 don’t preclude the possibility of exploitation because an attacker with access to the ME-region firmware can overwrite it with a vulnerable version for exploitation.
“Writing an older version of the ME firmware typically requires either writing to the flash chip directly or taking advantage of weak BIOS protections, which would depend on the vendor’s particular configuration,” said Dai Zovi.
The US government’s concern about ME exploitation has made it to the private sector. Hardware vendors Dell, Purism, and System76 are now offering gear with Intel’s ME disabled. And Google has been working on NERF (Non-Extensible Reduced Firmware), an open source software system based on u-root that replaces UEFI and the Intel ME with a small Linux kernel and initramfs (which mount the root file system).
Dai Zovi observed that in addition to these vendor options, “the security community has responded to distrust of the ME by developing a number of open source projects to disable it,” such as me_cleaner and Heads.
Asked whether Intel has any plans to alter the way its Management Engine works or to offer chips without the ME, a company spokesperson suggested such requests should be directed to hardware vendors.
“The Management Engine (ME) provides important functionality our users care about, including features such as secure boot, two-factor authentication, system recovery, and enterprise device management,” the spokesperson said.
“System owners with specialized requirements should contact the equipment manufacturers for this type of request. However, since any such configuration necessarily removes functionality required in most mainstream products, Intel does not support such configurations.”