Apply the security updates issued by Adobe and Microsoft asap

Are you still using Adobe Flash Player? Are you browsing the web with IE or Edge? Does your company use an Exchange Server? Apply security updates asap!

It’s time to patch your systems, especially if you have installed Adobe Flash Player. Adobe has released Security updates to fix critical Flash vulnerabilities that affect any OS (Windows, Mac, Linux), including ChromeOS.

The security vulnerabilities in flash could be exploited by attackers to gain the control over the vulnerable system as explained by Adobe in an executive summary:

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS.  These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. ” reads the security advisory issued by Adobe.

Users are urged to update their Flash Player to the version 23.0.0.162.

Not only Adobe users are under the fire, Microsoft has released the September 2016 Patch Update that includes 14 bulletins addressing a total of 50 vulnerabilities. Seven vulnerabilities addressed in the last patch update have been rated as “critical,” other seven as “important.”

One of the vulnerabilities fixed by the update is a zero-day flaw (CVE-2016-3351) in the Internet Explorer (IE) and Edge, tracked as MS16-104 and MS16-105.

The CVE-2016-3351, so-called Microsoft Browser Information Disclosure Vulnerability, could be exploited by an attacker to remotely execute code by tricking a victim to visit a specially crafted webpage using Internet Explorer or Edge.

Once the victims visit the webpage, the attacker would gain the same user rights as the current user and could take control of the vulnerable system.

The vulnerability was first spotted by security experts at Proofpoint that worked with researchers from Trend Micro.

“Proofpoint researchers recently uncovered a massive malvertising campaign with colleagues at Trend Micro [2]. The actors, dubbed AdGholas, were notable for their use of steganography and careful targeting of the malicious ads for massive volumes of high-quality impressions – impressions that went to 1-5 million “average users” a day and specifically avoided researchers. Avoiding researchers and their virtual machines and sandboxes relied on exploiting an information disclosure zero-day in Microsoft Internet Explorer/Edge, among other techniques.” reads the analysis published by Proofpoint.

The exploitation of the zero-day was first reported by TrendMicro that uncovered a massive malvertising campaign, dubbed AdGholas, actively exploiting it. The same vulnerability was also exploited by another threat actor in the wild, a hacking crew known as GooNky.

“On September 13, 2016 Microsoft released a security bulletin [1] fixing the CVE-2016-3351 vulnerability, which included a patch for Internet Explorer and Edge browsers. This informational disclosure bug was first reported in 2015. During our work with Trend Micro on the AdGholas [2] campaign, we reported it again and it was assigned a CVE ID and patch. Briefly, this vulnerability is a MIME type check used to filter out systems that have certain shell extension associations, including .py, .pcap, and .saz. In some cases, certain extensions association including .doc, .mkv., .torrent, and .skype are required to trigger the next exploitation step.”

The Microsoft update also addresses another critical flaw in all the supported versions of the Exchange Server (MS16-108) widely adopted by organizations. In this case, attackers could exploit the bug using remote-code execution to get full control of the Exchange Server.

The attack scenario is simple, the attackers just need to send a malicious file to its victims, the vulnerability is automatically triggered when the Exchange Server pre-parses file to find out the file type.

As anticipated the Microsoft update addresses many other flaws, give a look at it.

Let me close with an information regarding the traditional Microsoft monthly update, this is the last Windows Patch Tuesday.

The future patch updates will bundle all patches together, this means that users will have to install the whole package of patches altogether.

Don’t waste time, patch your system asap.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  Microsoft, Adobe, security updates)