Vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server

Looks like there has been another vulnerability discovered in the BlackBerry Enterprise Server PDF distiller of the BlackBerry Attachment Service. This vulnerability scores 7.8 on the CVSS scale, so it is a high-risk vulnerability.  You should apply the patch to your BES server ASAP.

See http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB24761 for the details from RIM.

If you haven’t already done so, you really should have the attachment service running in a segmented network in order to prevent the spread of malware. The PDF distiller has required quite a few patches in the past few years and is, in my opinion, the weakest point in the whole BES architecture.  See the BlackBerry technical notes on how to achieve segmentation here.

VLC media player auto-update and vulnerability

Secunia has published an advisory about new vulnerabilities found in VLC Media Player.

I just picked up an advisory from Secunia about VLC Media Player vulnerabilities. There are 9 vulnerabilities. Three are related to the A/52, DTS and MPEG audio decoders. Three are about the AVI, ASF and Matroska demuxers. The other three are about the XSPF playlist, the ZIP and the RTMP implementations.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires that the user is tricked into opening a specially crafted file.

There is no CVE reference and unfortunately I cannot figure out a CVSS score.  You can find the original advisory (VideoLAN-SA-1003) here:
http://www.videolan.org/security/sa1003.html

There are two interesting things about this one.  One, as of right now (April 25, 2010 at 22:39 GMT-6), the fixed version for Windows (1.0.6) is still not available on the VideoLAN web site.  That’s a bit unusual because, typically, the vendor likes to make sure the patch/updated version of the vulnerable software is available before publishing the vulnerability on their own web site.  The second thing that’s interesting is that the auto-update does not seem to work in my installed version (1.0.1).

I thought that maybe I had a problem in my home LAN that caused the auto-update to fail.  I fired up Wireshark and did a quick sniff of the traffic when trying to get VLC to update.  I used the Follow TCP Stream feature and it was quickly apparent that the problem wasn’t with me at all.  The GET that VLC sent got a 206 Partial Content:

HTTP/1.1 206 Partial Content
Content-Type: text/plain
Accept-Ranges: bytes
ETag: "3280753111"
Last-Modified: Mon, 01 Feb 2010 23:15:18 GMT
Content-Range: bytes 0-485/486
Content-Length: 486
Date: Mon, 26 Apr 2010 04:24:08 GMT
Server: lighttpd/1.4.19

1.0.5
http://www.videolan.org/mirror-geo-redirect.php?file=vlc/1.0.5/win32/vlc-1.0.5-win32.exe
Due to a bug in the update feature of your on of VLC, the automatic download of the new VLC will fail.

You have to download VLC 1.0.5 from VideoLAN’s website: http://www.videolan.org

VLC 1.0.5 is a minor release of 1.0.x version of VLC. It fixes a few bugs, updates the codecs and the compiler for Windows, and should improve decoding speed. It also improves and update many translations.

Well, might as well download 1.0.5 for now and use the auto-update to check the 1.0.6 fix.
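
As an added example (not from the original post or from VideoLAN): a small Python check that parses an update status body laid out like the captured response and reports whether the update channel offers the version the advisory names as fixed. The layout (version on the first line, download URL on the second, free-text notes after) is an assumption drawn from the capture, and the function names are hypothetical.

```python
# Added example: judge a VLC-style update status body against a fixed version.
# Assumed layout (taken from the capture): line 1 version, line 2 URL, then notes.
import re

# Constructed sample, abbreviated from the response body shown in the post.
SAMPLE_STATUS = """1.0.5
http://www.videolan.org/mirror-geo-redirect.php?file=vlc/1.0.5/win32/vlc-1.0.5-win32.exe
You have to download VLC 1.0.5 from VideoLAN's website: http://www.videolan.org
"""


def parse_version(text):
    """Turn '1.0.6' into (1, 0, 6); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def parse_status(body):
    """Split the status body into version, download URL and free-text notes."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("expected a version line followed by a URL line")
    if not lines[1].startswith(("http://", "https://")):
        raise ValueError("second line is not a download URL")
    return {"version": parse_version(lines[0]), "url": lines[1],
            "notes": " ".join(lines[2:])}


def assess(installed, fixed, body):
    """Say whether the update channel can take `installed` to `fixed`."""
    versions = [parse_version(installed), parse_version(fixed),
                parse_status(body)["version"]]
    width = max(len(v) for v in versions)
    # Pad with zeros so that 1.0 and 1.0.0 compare as equal.
    inst, fix, offered = (v + (0,) * (width - len(v)) for v in versions)
    if inst >= fix:
        return "patched"
    if offered >= fix:
        return "update-available"
    if offered > inst:
        return "partial-update"  # newer build offered, but still below the fix
    return "no-update"


if __name__ == "__main__":
    # Versions from the post: 1.0.1 installed, 1.0.6 carries the fix.
    print(assess("1.0.1", "1.0.6", SAMPLE_STATUS))
```

A "partial-update" result means the host still needs a manual install of the fixed build once the vendor publishes it.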

Adobe Reader is vulnerable yet again

I figured it would happen eventually, but not quite so soon. It appears that Adobe Reader is suffering from at least two more zero-day vulnerabilities – less than two months after the JBIG2 vulnerability.  Here’s the low-down.

All currently supported shipping versions of Adobe Reader and Acrobat (9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable to this issue. Adobe plans to provide updates for all affected versions for all platforms (Windows, Macintosh and UNIX) to resolve this issue.  The vulnerabilities are in the JavaScript engine of the Adobe products.  This, by the way, affects both Adobe Reader and Adobe Acrobat.  The vulnerabilities exist in two JavaScript functions, getAnnots() and spell.customDictionaryOpen(), and both allow remote code execution.  One way to protect yourself is to disable JavaScript – see the simple instructions from F-Secure.

Many people made this recommendation when the last vulnerability was uncovered (jbig2 vulnerability), but it just seems to be louder this time: find an alternative reader to the Adobe Reader product.  If you need an idea for what is available out there, take a look at PDFreaders.org.  I know that I have made the recommendation where I work, but it might not be that easy.  Corporations sometimes will rely heavily on Adobe Reader to view custom business forms that are used on a daily basis with customers.  That reliance will often show itself in the in-house applications that make calls directly to the Adobe DLL.

You can read a bit more about the challenges of replacing Adobe Reader and Acrobat here.

Critical Adobe Reader update – Upgrade NOW!

If you do nothing else today, make sure you at least upgrade your users to the latest version of Adobe Reader.

The vulnerability was announced back on February 20th, but now Adobe has released an update to their Reader product.  You can see the bulletin here:

http://www.adobe.com/support/security/bulletins/apsb09-03.html

There are a few interesting things to note.  As indicated in a post by Ryan Naraine on ZDNet, the updates are for Adobe Reader 9 only.  The most frustrating thing right now is that in their infinite wisdom, Adobe did not provide a patch update for Adobe Reader (a file with the MSP extension) which can be applied to your existing installation of Adobe Reader.  Instead, they simply point to their standard URL to download Adobe Reader.

Acrobat 9 Standard, Acrobat 9 Pro and Acrobat 9 Extended for Windows are all available as MSP patches.

Don’t wait, upgrade your users as soon as you can because this is a nasty one.  Users who download a malicious PDF do not need to open it to fall victim to that flaw.

Hopefully, Adobe will release a patch file for Adobe Reader soon.

Time to patch your printers

HP revealed a new vulnerability: a directory traversal issue in the web admin interface allows a remote user to view files on the printers. Should you start including printers in your patching policies? Here are some things you should do to protect yourself.

This might surprise some, but printers need patching too.  The rule of thumb you should use is if it has an IP address, then it can be vulnerable and will most likely require a patch at some point in time.

SANS handler’s diary has just published such a story – Time to patch your HP printers.  The actual HP bulletin is here.  Looks like PC Advisor also picked up the story.

The easiest way to do the firmware upgrade is to use HP’s Web Jetadmin.  Using Web Jetadmin, you can discover all your printers on your LAN and remotely do firmware upgrades.

Although this vulnerability only allows the bad guys to access any files on the printer (and therefore view previously printed documents), I can foresee printers being used as a staging point for more serious things.  The reason is that printers have not received the same amount of scrutiny that workstations/servers have and most likely are softer targets.  As well, printers do not run anti-virus or other kinds of defensive software.  So what should you do?  Here are a few things that will harden your printers:

  1. Use a central management console like Web Jetadmin.  This will allow you to discover any new printers added and to easily deploy the latest firmware.
  2. Keep up with the firmware releases.  This is probably a difficult one to do, especially if you use printers from a number of vendors.  You should at least do a round of patching once a year.
  3. Scan your printers for vulnerabilities.  Make sure to use a tool that can differentiate between a printer device and a workstation.  If it doesn’t, scanning can lead to lockups and rebooting of your printers.  Not so good if it’s in the middle of printing a big color job by your boss.  Nessus scanner is one such scanner.  Be warned that scanning your printer will probably cause it to print a few pages.

If anyone else has anything else that they do to harden their printers, please use the comments below.