Patch Tuesday for July 2014 is just behind us in the case of Microsoft and Adobe, and just ahead of us in the case of Oracle.
As regular Naked Security reader Haemish Edgerton pointed out to us, Adobe updated both Flash and Shockwave Player (for those of you still using it), but only the Flash update involves security fixes, so there was only one Adobe security bulletin this month.
Three CVEs (officially-numbered vulnerabilities) are listed amongst the bugs fixed in the Flash update.
Unfortunately, the third CVE relates to a vulnerability that is now being popularised, like Heartbleed, with a catchy name and logo by the Google researcher who worked out how to exploit it.
Michele Spagnuolo has dubbed his exploit “Rosetta”, by analogy with the Rosetta Stone that helped linguists decipher early Egyptian script, because it works by translating Flash files into 100% printable alphanumeric characters.
The “Rosetta” exploit, officially tagged as CVE-2014-4671, is what’s known as a Cross Site Request Forgery, or CSRF, meaning that it provides a way for malicious website X to retrieve data that is only supposed to be revealed when you visit site Y.
According to Adobe, the Flash update for July 2014 update also fixes “vulnerabilities that could potentially allow an attacker to take control of the affected system.”
That’s longhand for remote code execution (RCE) or click-to-own, where a crook implants malware on your computer without so much as a by-your-leave.
We suggest that you apply this Flash update as soon as you possibly can, not just because of the RCE holes, but because Spagnuolo has now gone public with a detailed description of the Rosetta attack.
Spagnuolo has also published what he refers to as “ready-to-be-pasted, universal, weaponized full featured proofs of concept with ActionScript sources.”
If you are relying on Adobe’s auto-updating process, the new Flash Player version numbers to look out for are 220.127.116.114 on Linux, and 18.104.22.168 on Windows and OS X.
NB. Sophos products detect and block Flash files made with Spagnuolo’s “Rosetta Flash” conversion tools as Troj/RosFlash-A.
Microsoft published six bulletins this month, matching what it announced in advance.
The update that most users will be immediately interested in is Bulletin One, a Cumulative Security Update for Internet Explorer that gets the identifier MS14-037.
This is a critical fix because it patches RCE holes, as well as various other bugs, so don’t delay in applying it.
Fortunately, however, the RCE flaws are amongst some of the 23 vulnerabilities that were responsibly disclosed, none of which has been seen in the wild.
Only one of this month’s vulnerabilities in IE was publicly known in advance of the patches, and is nevertheless not known to have been exploited in real-world attacks.
The publicly-disclosed hole is known as CVE-2014-2783, and has been dubbed an “Extended Validation SSL Certificate” vulnerability.
Briefly put, so-called Extended Validation (EV) HTTPS certificates are supposed to apply to specific server names only.
So a rogue Certificate Authority that fell in with crooks, or was under pressure from its country’s intelligence service, or had its private keys stolen, would be throttled to issuing one dodgy EV certificate at a time.
If the untrustworthy CA tried to create an EV certificate for, say, *.example.com instead of just thisone.example.com, browsers should reject that certificate, considering the wildcard to be below the standards required for extended validation.
JNT – a new risky file type
But for all the obvious importance of Microsoft’s IE update, it is the second critical fix, MS14-038, that is the most intriguing, and perhaps even more important, patch.
This closes a single, privately-disclosed, parsing flaw in Microsoft Journal (JNT) files.
I’ll be honest and admit that I wasn’t even aware of .JNT files, or the application JOURNAL.EXE (installed by default on non-server flavours of Windows), until this vulnerability was announced.
Journal is a note-taking application that lets you scribble down notes as if on a piece of paper, and share them in them as .JNT files with other people.
Anyway, deliberately-crafted Journal files can be made to crash the Journal software in a way that could give an attacker remote control of your computer, for example by persauding you to open a .JNT attachment in an email.
In short: apply the patch.
And, if you weren’t aware of .JNT files as yet another proprietary Windows document exchange type, then you almost certainly aren’t deliberately using the Journal application, so consider adding .JNT to your web and email file filtering blocklist.
Elevation of Privilege
Three of the other flaws patched by Microsoft are so-called Elevation of Privilege (EoP) holes, two of which allow local users to “promote” themselves to kernel-level privilege.
As usual, these flaws only get an Important rating, instead of Critical, mainly because they can’t be directly exploited from outside your network, or even inside your network by someone who isn’t logged in.
However, I’m sticking to my opinion that this sort of hole is probably somewhere closer to Critical than Important, simply because of the advantage, to crooks who are already inside your network, of being able to get kernel-level privileges at will.
There are two obvious abuse scenarios for EoP-to-kernel exploits:
- By rogue insiders. Users who have not been given administrator privileges on their own computers can unofficially acquire those rights in unauthorised, and quite possibly unauditable, ways. That’s hard for IT to control or even to detect using its regular tools.
- By malware seeking to install a rootkit. Rootkits are add-on modules that add what you might call tamper protection to malware, often making it harder to detect and remove. Making users non-administrators usually keeps rootkits out.
Finally, to wrap up this overview, we’ll mention Oracle.
Oracle’s patching drum beats to a different rhythm, using the Tuesday closest to the middle of the month, not the second Tuesday as with Microsoft and Adobe.
So Oracle’s July 2014 updates have yet to drop, but we do know one thing: support for Java on Windows XP is over.
In Oracle’s own words, Java 8 won’t work at all on XP, but users “may still continue to use Java 7 updates on Windows XP at their own risk.”
As my friend and colleague Chester Wisniewski twittily quipped,
Of course, the truth is that the sort of users who are sticking with a now-unsupported XP “because they can” are likely to end up even less secure, by sticking with a now-unsupported Java as well.
Still got Java in your browser?
Try turning it off and seeing if any websites stop working – the chance is good that nothing will break and you can leave it off for evermore.