Patch Tuesday wrap-up, July 2014 - Adobe fixes "Rosetta", plus a new risky file type on Windows...

Filed Under: Adobe, Adobe Flash, Featured, Internet Explorer, Java, Microsoft, Oracle, Vulnerability

Patch Tuesday for July 2014 is just behind us in the case of Microsoft and Adobe, and just ahead of us in the case of Oracle.

As regular Naked Security reader Haemish Edgerton pointed out to us, Adobe updated both Flash and Shockwave Player (for those of you still using it), but only the Flash update involves security fixes, so there was only one Adobe security bulletin this month.

Three CVEs (officially-numbered vulnerabilities) are listed amongst the bugs fixed in the Flash update.

Two of the CVEs, namely CVE-2014-0537 and CVE-2014-0539, weren't publicly disclosed holes, and weren't remote code execution vulnerabilities.

Unfortunately, the third CVE relates to a vulnerability that is now being popularised, like Heartbleed, with a catchy name and logo by the Google researcher who worked out how to exploit it.

Michele Spagnuolo has dubbed his exploit "Rosetta", by analogy with the Rosetta Stone that helped linguists decipher early Egyptian script, because it works by translating Flash files into 100% printable alphanumeric characters.

The "Rosetta" exploit, officially tagged as CVE-2014-4671, is what's known as a Cross Site Request Forgery, or CSRF, meaning that it provides a way for malicious website X to retrieve data that is only supposed to be revealed when you visit site Y.

According to Adobe, the Flash update for July 2014 also fixes "vulnerabilities that could potentially allow an attacker to take control of the affected system."

That's longhand for remote code execution (RCE) or click-to-own, where a crook implants malware on your computer without so much as a by-your-leave.

We suggest that you apply this Flash update as soon as you possibly can, not just because of the RCE holes, but because Spagnuolo has now gone public with a detailed description of the Rosetta attack.

Spagnuolo has also published what he refers to as "ready-to-be-pasted, universal, weaponized full featured proofs of concept with ActionScript sources."

Heigh-ho.

If you are relying on Adobe's auto-updating process, the new Flash Player version numbers to look out for are 11.2.202.394 on Linux, and 14.0.0.145 on Windows and OS X.

NB. Sophos products detect and block Flash files made with Spagnuolo's "Rosetta Flash" conversion tools as Troj/RosFlash-A.
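The property the article describes, a Flash file turned into nothing but printable alphanumerics, is also what makes such files stand out to a scanner. The heuristic below is an added example, not Sophos's detection logic or Spagnuolo's tool: it flags any body that carries an SWF container signature (FWS, CWS or ZWS, which are the real magic bytes) yet contains no byte outside the alphanumeric set. The sample bodies are constructed for the example and are not genuine "Rosetta" output.

```python
import string

# SWF container signatures: uncompressed, zlib-compressed and LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
ALNUM = frozenset((string.ascii_letters + string.digits).encode())


def looks_like_alphanumeric_swf(data: bytes) -> bool:
    """Heuristic: an SWF header whose entire body is printable alphanumerics.

    A normally produced SWF has a binary body (length fields, compressed tags),
    so an all-alphanumeric file carrying an SWF signature has the distinguishing
    property of a "Rosetta"-style conversion.
    """
    # Minimal 8-byte header: signature (3), version (1), file length (4).
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return False
    return all(b in ALNUM for b in data)


def scan_bodies(bodies):
    """Return the labels of (label, body) pairs that trip the heuristic."""
    return [label for label, body in bodies if looks_like_alphanumeric_swf(body)]


# Constructed samples for the example (none of these is real Rosetta output).
SAMPLES = [
    ("jsonp_reply", b'cb({"user":"alice","token":"abc123"})'),
    ("real_binary_swf_header", b"FWS\x0a\x1c\x00\x00\x00\x78\x00\x05\x5f\x00\x00\x0f\xa0"),
    ("alnum_cws_stub", b"CWS7" + b"ZyXw" + b"kT9q" * 16),
    ("plain_text", b"Hello world 123"),
]

if __name__ == "__main__":
    print("flagged:", scan_bodies(SAMPLES))  # flagged: ['alnum_cws_stub']
```

The heuristic only asks whether a body is shaped like an alphanumeric SWF; it says nothing about whether the content would be served in a context where Flash would load it, so in practice it belongs beside a content-type check rather than in place of one.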

Microsoft's patches

Microsoft published six bulletins this month, matching what it announced in advance.

The update that most users will be immediately interested in is Bulletin One, a Cumulative Security Update for Internet Explorer that gets the identifier MS14-037.

This is a critical fix because it patches RCE holes, as well as various other bugs, so don't delay in applying it.

Fortunately, however, the RCE flaws are amongst the 23 vulnerabilities that were responsibly disclosed, none of which has been seen in the wild.

Only one of this month's vulnerabilities in IE was publicly known in advance of the patches, and even that one is not known to have been exploited in real-world attacks.

The publicly-disclosed hole is known as CVE-2014-2783, and has been dubbed an "Extended Validation SSL Certificate" vulnerability.

Briefly put, so-called Extended Validation (EV) HTTPS certificates are supposed to apply to specific server names only.

So a rogue Certificate Authority that fell in with crooks, or was under pressure from its country's intelligence service, or had its private keys stolen, would be throttled to issuing one dodgy EV certificate at a time.

If the untrustworthy CA tried to create an EV certificate for, say, *.example.com instead of just thisone.example.com, browsers should reject that certificate, considering the wildcard to be below the standards required for extended validation.
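To show the distinction the article draws, the following added example (not code from any browser or from Microsoft's fix) implements a name-matching check with two modes: under EV rules any wildcard name disqualifies the certificate, as the article says browsers should treat it, while under ordinary rules a wildcard is accepted only as the complete leftmost label of a name with at least three labels. The certificate names and hosts are constructed inputs; `validate_for_host` and `hostname_matches` are names chosen for this example.

```python
def hostname_matches(host: str, pattern: str, allow_wildcard: bool) -> bool:
    """Match host against a single certificate name.

    A wildcard is accepted only as the whole leftmost label, only when the name
    has at least three labels, and only if allow_wildcard is set.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    if not allow_wildcard:
        return False
    labels = pattern.split(".")
    # Reject partial wildcards ("f*o.example.com"), wildcards in later labels,
    # and wildcards that would cover an entire top-level domain ("*.com").
    if labels[0] != "*" or any("*" in lb for lb in labels[1:]) or len(labels) < 3:
        return False
    host_labels = host.split(".")
    # The wildcard stands for exactly one label, never for "a.b".
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def validate_for_host(host: str, san_names, is_ev: bool):
    """Return (accepted, reason) for a certificate presented for host.

    EV mode: any wildcard name fails the whole certificate.
    Ordinary mode: a single-label wildcard may match.
    """
    if is_ev and any("*" in name for name in san_names):
        return False, "wildcard name present in an EV certificate"
    for name in san_names:
        if hostname_matches(host, name, allow_wildcard=not is_ev):
            return True, f"matched {name}"
    return False, "no subjectAltName matches the host"


if __name__ == "__main__":
    # Constructed cases mirroring the article's thisone.example.com example.
    for host, names, ev in [
        ("thisone.example.com", ["thisone.example.com"], True),
        ("thisone.example.com", ["*.example.com"], True),
        ("thisone.example.com", ["*.example.com"], False),
        ("deep.thisone.example.com", ["*.example.com"], False),
    ]:
        print(host, names, "EV" if ev else "DV", "->", validate_for_host(host, names, ev))
```

The wildcard rules in the ordinary branch follow the common browser interpretation (leftmost label only, one label deep); what this example does not do is consult a public-suffix list, so a name such as `*.co.uk` would pass the three-label test and needs a separate check in a real validator.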

JNT - a new risky file type

But for all the obvious importance of Microsoft's IE update, it is the second critical fix, MS14-038, that is the most intriguing, and perhaps even more important, patch.

This closes a single, privately-disclosed, parsing flaw in Microsoft Journal (JNT) files.

I'll be honest and admit that I wasn't even aware of .JNT files, or the application JOURNAL.EXE (installed by default on non-server flavours of Windows), until this vulnerability was announced.

Journal is a note-taking application that lets you scribble down notes as if on a piece of paper, and share them as .JNT files with other people.

Anyway, deliberately-crafted Journal files can be made to crash the Journal software in a way that could give an attacker remote control of your computer, for example by persuading you to open a .JNT attachment in an email.

In short: apply the patch.

And, if you weren't aware of .JNT files as yet another proprietary Windows document exchange type, then you almost certainly aren't deliberately using the Journal application, so consider adding .JNT to your web and email file filtering blocklist.
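One way to put the blocklist advice into practice on the email side, as an added example rather than anything from the article or a particular mail product, is a filter that walks a message's attachments and flags any whose extension is on the list. It uses Python's standard `email` package; the message it inspects is constructed inside the example, and the normalisation step deals with the case and trailing-dot variations that a simple string comparison would miss.

```python
import posixpath
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions to refuse. The article's advice covers .JNT; extend as required.
BLOCKED_EXTENSIONS = frozenset({".jnt"})


def normalised_extension(filename: str) -> str:
    """Extension as the Windows shell would see it: case-folded, with the
    trailing dots and spaces that Windows silently drops removed first."""
    cleaned = filename.strip().rstrip(". ").lower()
    return posixpath.splitext(cleaned)[1]


def blocked_attachments(raw_message: bytes, blocked=BLOCKED_EXTENSIONS):
    """Return the filenames of attachments whose extension is on the blocklist."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if normalised_extension(name) in blocked:
            hits.append(name)
    return hits


def build_sample_message() -> bytes:
    """Constructed test message (not a real capture) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes from today attached.")
    msg.add_attachment(b"\x00constructed", maintype="application",
                       subtype="octet-stream", filename="Meeting notes.JNT")
    msg.add_attachment(b"\x00constructed", maintype="application",
                       subtype="octet-stream", filename="tricky.jnt.")
    msg.add_attachment("plain text", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print("blocked:", blocked_attachments(build_sample_message()))
```

Matching on the declared filename is the cheap first layer; a filter that also opens archives or recognises the file by content rather than by name catches the cases a renamed attachment would slip past.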

Elevation of Privilege

Three of the other flaws patched by Microsoft are so-called Elevation of Privilege (EoP) holes, two of which allow local users to "promote" themselves to kernel-level privilege.

As usual, these flaws only get an Important rating, instead of Critical, mainly because they can't be directly exploited from outside your network, or even inside your network by someone who isn't logged in.

However, I'm sticking to my opinion that this sort of hole is probably somewhere closer to Critical than Important, simply because of the advantage, to crooks who are already inside your network, of being able to get kernel-level privileges at will.

There are two obvious abuse scenarios for EoP-to-kernel exploits:

  • By rogue insiders. Users who have not been given administrator privileges on their own computers can unofficially acquire those rights in unauthorised, and quite possibly unauditable, ways. That's hard for IT to control or even to detect using its regular tools.
  • By malware seeking to install a rootkit. Rootkits are add-on modules that add what you might call tamper protection to malware, often making it harder to detect and remove. Making users non-administrators usually keeps rootkits out.

Oracle's patches

Finally, to wrap up this overview, we'll mention Oracle.

Oracle's patching drum beats to a different rhythm, using the Tuesday closest to the middle of the month, not the second Tuesday as with Microsoft and Adobe.

So Oracle's July 2014 updates have yet to drop, but we do know one thing: support for Java on Windows XP is over.

In Oracle's own words, Java 8 won't work at all on XP, but users "may still continue to use Java 7 updates on Windows XP at their own risk."

As my friend and colleague Chester Wisniewski twittily quipped,

Of course, the truth is that the sort of users who are sticking with a now-unsupported XP "because they can" are likely to end up even less secure, by sticking with a now-unsupported Java as well.

Still got Java in your browser?

Try turning it off and seeing if any websites stop working - the chance is good that nothing will break and you can leave it off for evermore.

Patchwork letters and background of denim cloth courtesy of Shutterstock.



7 Responses to Patch Tuesday wrap-up, July 2014 - Adobe fixes "Rosetta", plus a new risky file type on Windows...

  1. LindaB · 103 days ago

    So they have a critical update for IE 6,7 and 8 that are almost only used on XP but you can't get a download of the critical update for XP - why not?
    If IE 6, 7 and 8 are so insecure they should be able to be patched irrespective of what OS they are running on. The error in coding creating the vulnerability is attributable only to Microsoft so they should allow us affected users to make our systems more secure, even though we may have to run an older OS.
    One of my machines cannot run anything newer than XP but it does what is needed (network attached storage) of it perfectly so doesn't need to be replaced but would benefit from being more secure by adding the IE patch. As IE is an inherent part of the OS, by Microsoft's design, it has to be safe and should be able to be patched properly. All we need is a simple downloadable file to install the update.

    • Paul Ducklin · 103 days ago

      Seriously? You are running a NAS server, presumably to store and share data that has some importance to you (either in terms of its storage or its availability, or else you wouldn't need a NAS server, right?) And to run this server you are using an unpatched, unsupported operating system created nearly 15 years ago in an era when security was rather less of an issue to most people, including Microsoft, on a computer that is so old it can't run anything except this tired old operating system...

      ...and you are concerned because you can't patch the *browser* on this NAS server?

      May I suggest you try a stripped-down Linux server install? It seems that what you actually want and need is a computer that is set up _as a server_, rather than an XP desktop pretending to be a server. (I think it's reasonable, if perhaps a little pushy, to suggest that your problem is that your computer with XP is not "doing what is needed perfectly" at all.)

    • jimcsecurity · 103 days ago

      I agree with Paul. Microsoft announced the end of support for Windows XP many years ago (2007 if I am not mistaken). This was done to give everyone the time to migrate away from it gradually over the years. Thus when the April 2014 deadline arrived such migrations would be completed.

      Microsoft has no obligation to patch Windows XP. Products cannot be maintained indefinitely. Since your hardware cannot run a newer version of Windows, I agree with Paul a Linux distribution would be an option for you. Thank you.

    • Jim · 102 days ago

      Ouch. Unless that XP system is hardened like nobody's business and the network locks out all traffic not coming from the specific "servers" that it serves, it's a time-bomb. And if you had the time to harden it, you've wasted your resources: An XP system hardened by the best is still an also-ran in the modern security climate.

      I agree with the others: Get rid of it. It's like playing Russian Roulette with 5 bullets in the revolver.

      IE 6 is (or should be) just as dead as XP. Nobody running on a newer OS has 6, and nobody should be running on XP.

      IE 7 is a bit newer, and is fully-supported on Vista systems and later. IE 8 is also a current version, and is also fully-supported.

  2. fired up · 103 days ago

    "... so consider adding .JNT to your web and email file filtering blocklist."

    OK, a little bit embarrassed, but I hate to have to admit, how and where?

    I have looked through all the Options on both Thunderbird (v24.6) and Firefox (v30) and can't find a "blocklist".

  3. jimcsecurity · 103 days ago

    I would like to point out that since I don’t use Windows Journal I looked to determine if it could be uninstalled. For Windows 8 and Windows 8.1 Update this is not possible. For Windows 7, it can be removed from the Control Panel using the steps below:

    Open Control Panel -> Programs and Features -> Turn Windows features on or off -> un-tick/un-check Tablet PC Components

    Please note that the Math Input Panel and handwriting recognition will also be removed with these steps. I hope this helps. Thanks.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog