Patch Tuesday for August 2014 has arrived, with Adobe and Microsoft delivering their now-familiar security fixes.
Adobe has updated both its Flash and Reader (plus Acrobat) products, patching just a single known hole in Reader/Acrobat, but seven vulnerabilities in Flash.
The Flash security announcement (APSB14-18) runs to an ploddingly long 1500 words or so, but most of those words comprise an extensive – and apparently complete – table of versions and version number changes.
All we really learn about the vulnerabilities themselves is that “they could potentially allow an attacker to take control of the affected system.”
One is a remote code execution (RCE) hole, where sending you a dodgy Flash file, or sending you to a web page containing such a file, could theoretically allow a crook to run malware on your computer without any visible warning.
Of course, actually exploiting this sort of hole is hard these days, because attackers rely on misdirecting the flow of code execution in the Flash software, which means they need a predictable destination for the hijacked execution path.
A few years ago, that was easy, because system software (DLLs on Windows and shared libraries on Unix-like systems) always loaded at the same place in memory.
Back then, a “controlled crash” that worked on an attacker’s test system would usually work identically on your computer, too.
An injury to one was, indeed, an injury to all.
Address Space Layout Randomisation (ASLR) changed all that, because software no longer always loads at the same place in memory, so that everyone’s memory layout is slightly different.
So a crash that yields remote code execution on the attacker’s test computer will almost certainly just cause a plain old crash on your computer.
Unless, of course, the crook can join together two exploits: one to circumvent ASLR (e.g. by tricking the system into revealing the random addresses it chose on your computer, or by forcing a DLL to load at a fixed location, not a randomised one); and the second to carry out the RCE.
Sadly, five of the seven Flash holes patched this month are ASLR bypasses.
The presence of ASLR bypasses at the same time as an RCE hole should be enough to convince you to roll out this update at once.
Adobe Reader and Acrobat
In contrast, the Reader and Acrobat updates (APSB14-19) patch a single hole, described as “vulnerability that could allow an attacker to circumvent sandbox protection.”
The scope of what this might allow an attacker to do is not specified, but typical examples include reading files and data that are supposed to be off limits, and modifying files that should be protected against change.
Only Windows is affected; Reader on OS X doesn’t get an update.
Note that Adobe officially states that it is “aware of evidence that indicates an exploit in the wild is being used in limited, isolated attacks targeting Adobe Reader users on Windows.”
That’s a rather roundabout way of saying, “The crooks know about this one. Patch now.”
Microsoft’s scorecard this month is 9-3-2, meaning nine bulletins, three RCEs, with two of them critical.
As happens most months, there’s a Cumulative Internet Explorer update (MS14-051), closing the door on 26 vulnerabilities, one of which is described as “publicly disclosed.”
In Microsoft’s words, “the most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.”
In street-speak, that’s what is known as click-to-own: I send you a link, you visit it, and I win automatically and immediately.
As you might expect, with 26 vulnerabilities to fix, the patches apply, at least in part, to every version of Internet Explorer that’s still supported, from IE 6 to IE 11; in 32 bit and 64 bit flavours; on Intel, ARM and Itanium platforms.
As in the case of Adobe Flash, however, it’s the vulnerabilities that are further down the Microsoft’s list (neither critical nor remotely exploitable) that make the most interesting reading.
The remaining four are elevation of privilege (EoP) holes, variously allowing an attacker who has already broken into a system to run code as if they were a logged-in user, and to promote a logged-in user to have system-level powers.
The bottom line
You can see how this month’s Patch Tuesday security bulletins don’t really stand alone.
RCE holes give you the possibility of getting in; ASLR bypasses help you turn that possibility into a reality, even though you might end up on the very bottom rung of the security ladder; and EoPs let you climb that ladder, sometimes (MS14-045) even into the kernel itself.
In other words: patch early, patch often, patch all.
Have a happy Wednesday-after-Patch-Tuesday!