On Monday, Adobe issued security updates for 47 vulnerabilities in the Windows and macOS versions of Acrobat DC (Consumer and Classic 2015), Acrobat Reader DC (Consumer and Classic 2015), Acrobat 2017, and Acrobat Reader 2017.
Many vulnerabilities are ranked as critical and could be exploited for arbitrary code execution.
“Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS. These updates address critical vulnerabilities whose successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.
Many of the security vulnerabilities were reported to Adobe through Trend Micro’s Zero Day Initiative (ZDI).
Adobe addressed the vulnerabilities with the release of versions 2018.011.20040, 2017.011.30080 and 2015.006.30418.
The vulnerabilities include 24 critical memory corruptions that could be exploited to execute arbitrary in the context of the targeted user and many other issues such as Security Bypass and NTLM SSO hash theft ranked as “important.”
Adobe has credited independent researchers and experts from Cisco Talos, Check Point, Palo Alto Networks, Tencent, Knownsec 404 Security Team, ESET, Kaspersky, Cybellum, and Cure53 for the vulnerabilities in Acrobat and Reader releases.
Adobe announced the end of support for Acrobat and Reader 11.x on October 15, 2017, and that version 11.0.23 is the final release for these products.
Adobe has also released security updates to fix a flaw in the Windows and macOS versions of Photoshop CC.
“Adobe has released updates for Photoshop CC for Windows and macOS. These updates resolve a criticalvulnerability in Photoshop CC 19.1.3 and earlier 19.x versions, as well as 18.1.3 and earlier 18.x versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory.
A few days ago, Adobe has released security updates to address several vulnerabilities in its products, including Flash Player, Creative Cloud and Connect products.
The security updates also address a Critical Code Execution vulnerability in Flash Player tracked as CVE-2018-4944. The flaw is a critical type confusion that could be exploited to execute arbitrary code, the good news is that Adobe has rated the flaw with a rating of “2” because the company considers not imminent the development of exploit code.
Researchers shared details of a code injection vulnerability they found in the in the Signal app for both Windows and Linux systems. The flaw was promptly fixed by Signal.
Signal has fixed a code injection vulnerability in the app for both Windows and Linux systems that was reported by a team of Argentinian experts.
A remote attacker could have exploited the flaw to inject a malicious code inside the Signal desktop app running on the recipients’ system without requiring any user interaction, just by sending the victims a specially crafted link.
The discovery of the flaw was casual, the white-hat hackers Iván Ariel Barrera Oro, Alfredo Ortega and Juliano Rizzo were chatting on Signal messenger when one of them shared a link of an XSS vulnerable Argentinian government website.
The experts noticed that the XSS payload was executed on the recipients’ Signal desktop app.
“we were chatting as usual and suddenly Alfredo shows us an XSS in an Argentinian government site (don’t worry, it’s been reported). He was using the Signal add-on for Chrome. Javier and I were using the desktop version, based on the insecure electron framework. As I was reading, something caught my attention: an icon was showing next to the URL, as a “picture not found” icon.” reads a blog post published by the experts.
“I jumped from my chair and warned: “your XSS is triggered in signal-desktop!!”.”
The researchers focused their attention on XSS flaws in the Signal Messaging App and conducted other tests discovering that the vulnerabilities was affecting the function responsible for handling shared links.
“We tried different kinds of HTML elements: img, form, script, object, frame, framset, iframe, sound, video (this last two where funny).” continues the experts. “They all worked, except that CSP blocked the execution of scripts, which halted in some way this attack. However, to abuse this vuln, we could:
- crash the app with repeated and specially crafted URLs, obtaining segmentation fault/DoS (Alfredo’s app crashed several times but mine didn’t, so we couldn’t reproduce it)
- send a crafted image in base64 format (we didn’t carry on with this)
- send a file/phish and execute it with <iframe src=”…”></iframe>
- have fun with <img>, <audio> and <video> 🙂”
The attackers can also exploit the vulnerability to inject a form on the recipient’s chat window, tricking them to provide sensitive information via social engineering attacks.
The experts applauded the Signal security team that on Friday in under 2 hours from the report has fixed the issue.
Experts explained that the flaw did not allow attackers to execute system commands or gain sensitive information like decryption keys on the recipients’ system.
After Signal fixed the issue, the researcher analyzed the file’s history and discovered the patch leverages a regex function to validate URLs.
The applied “patch” already existed in the application, but was probably accidentally removed in a commit on April 10th
to fix an issue
The experts are concerned about that regex and they are afraid someone might exploit it.
The Signal app continues to be the most secure choice for encrypted communication.
The Danish state rail operator DSB was hit by a massive DDoS cyber attack that paralyzed some operations, including ticketing systems and the communication infrastructure.
The Danish state rail operator DSB was hit by an unprecedented DDoS cyber attack, the attack was confirmed on Monday by the company and reported by The Local media outlet.
The attack was launched on Sunday and paralyzed the ticketing system and prevented passengers across the country from buying tickets.
“Tickets purchases via the company’s app, ticket machines, website and in 7-Eleven stores were all out of action due to the issue on Sunday.” reported The Local.
“Passengers with Rejsekort travel cards were able to use that system, while others purchased tickets from ticket inspectors on board trains.”
The state rail operator DSB restored normal operations on Monday morning
The company experts confirmed the attack from an external source with the specific intent to destroy the operations at the state rail operator DSB. The hackers took offline also internal mail system and the telephone infrastructure. The only way to communicate with the customers was represented by social media.
The train safety was not compromised by hackers, assured the deputy director.
“Our technicians and IT contractors have analysed this closely during the night and have concluded this is an outside attack in which someone has attempted to bring our system down,” DSB vice-director Aske Wieth-Knudsen said.
“”We have previously been subjected to an attack and, of course, we have made some processes to avoid this. The type of attack we saw yesterday is a new way of doing it, as we have not seen before. So it needs to be analyzed a bit closer, exactly what has happened so we can prevent it from repeating, says Aske Wieth-Knudsen.” Wieth-Knudsen told DR.
The company is investigating the issue along with Danish authorities and are monitoring the situation to prevent further attacks.
“At this moment in time I have not yet been in contact with anyone. We are still clarifying some messages, since the attack was only resolved during the night,” he told Ritzau.
“Now the day has started we will naturally contact relevant bodies,” he added.
Aske Wieth-Knudsen from DSB confirmed that the company has not been paid any kind of ransom in connection with the cyber assault.
Google releases additional Meltdown mitigations for Android as part of the May 2018 Android Security Bulletin. The tech giant also addresses flaws in NVIDIA and Qualcomm components.
Both Meltdown and Spectre attacks could be exploited by attackers to bypass memory isolation mechanisms and access target sensitive data.
The Meltdown attack (CVE-2017-5754 vulnerability) could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.
The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.
The good news is that Meltdown attacks are not easy to conduct and the risk of exploitation is considered low.
Early this year, Google released mitigations for both Meltdown and Spectre attacks, and not delivered additional mitigations. The Meltdown mitigation was addressed along with the information disclosure flaw in USB driver tracked as CVE-2017-16643.
“The most severe vulnerability in this section [Kernel components] could enable a local malicious application to bypass operating system protections that isolate application data from other applications,” reads the security advisory published by Google.
The May 2018 Android Security Bulletin is composed of two parts, the first one being the 2018-05-01 security patch level, that addresses seven High severity issues (CVE-2017-13309, CVE-2017-13310, CVE-2017-13311, CVE-2017-13312, CVE-2017-13313, CVE-2017-13314, CVE-2017-13315) in Android runtime, Framework, Media framework, and System.
The flaws addressed in the 2018-05-01 security patch level include Information Disclosure, Elevation of Privilege, and Denial of Service that affects Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1 releases.
The second section is the “2018-05-05 security patch level vulnerability details” that includes details for each of the security vulnerabilities that apply to the 2018-05-05 patch level.
The 2018-05-05 security patch level includes patches for security vulnerabilities affecting NVIDIA and Qualcomm components.
Three vulnerabilities that were fixed in the NVIDIA components are CVE-2017-6289, CVE-2017-5715, CVE-2017-6293, respectively a critical elevation of privilege, an information disclosure and an elevation of privilege ranked as High risk.
“The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of the TEE.” continues the advisory.
Google addressed 11 vulnerabilities in Qualcomm components, including a Critical remote code execution flaw that could be exploited by an attacker over WLAN. The remaining issued are 9 elevation of privilege vulnerabilities and one denial of service issue.
A backdoor was discovered in the Python module named SSH Decorator (ssh-decorate), that was developed by Israeli developer Uri Goren.
Are you using the Python module ‘SSH Decorator’? You need to check the version number, because newer versions include a backdoor.
The library was developed to handle SSH connections from Python code.
Early this week, a developer noticed that multiple backdoored versions of the SSH Decorate module, the malicious code included in the library allowed to collect users’ SSH credentials and sent the data to a remote server controlled by the attackers.
The remote server that received stolen data is accessible at the following address:
The following images were shared bleepingcomputer.com that first reported the news.
The Israeli developer Uri Goren, once notified to the problem, confirmed that backdoor was added by attackers.
Initially, the developer has updated the password for the PyPI Python central repo hub and published a sanitized version of the package.
“I have updated my PyPI password, and reposted the package under a new name ssh-decorator,” he said.
“I have also updated the readme of the repository, to make sure my users are also aware of this incident.”
“It has been brought to our attention, that previous versions of this module had been hijacked and uploaded to PyPi unlawfully. Make sure you look at the code of this package (or any other package that asks for your credentials) prior to using it.” reads the README file.
The presence of the backdoor in the SSH Decorator module alerted many users on Reddit, many of them accused Goren that for this reason decided to take down the package from both GitHub and PyPI — the Python central repo hub.
Developers that use the SH Decorator (ssh-decorate) module need to use the last safe version was 0.27, later version 0.28 through 0.31 were compromised.