"The shadow of crisis has passed," President Barack Obama said during his State of the Union address Tuesday, "and the state of the union is strong."
Obama's speech addressed the need for national cybersecurity legislation, but the events of this week illustrated that, however strong the state of the union may be, the state of software security is in a world of hurt, as a flood of new software flaws and security patches made plain.
Adobe Flash patches one flaw, investigates another
Adobe Systems Inc. released an emergency out-of-band update for its Flash Player yesterday to fix a vulnerability that has been exploited in the wild. Meanwhile, another Flash vulnerability -- disclosed by a security researcher who goes by the Twitter handle Kafeine -- remains unpatched.
APSB15-02 was released early Thursday, just a week after the Jan. 13 release of Adobe's first patch update of the year, which fixed nine critical Flash flaws. If exploited, CVE-2015-0310 could be used to circumvent memory address randomization on the Windows platform. Users are urged to update to 18.104.22.1687 on Windows and Mac OS, and 22.214.171.1248 on Linux.
A second flaw, disclosed by Kafeine in his blog Wednesday, remains unpatched. Kafeine said that he found an instance of an Angler exploit kit that targets Flash.
"Any version of Internet Explorer or Firefox with any version of Windows will get owned if Flash up to (and including) 126.96.36.1997 is installed and enabled," Kafeine wrote. Google Chrome is not vulnerable because Flash runs in the browser's sandbox.
Adobe issued a security advisory late Thursday stating that it is investigating a separate exploit, CVE-2015-0311, on Adobe Flash 188.8.131.527 and earlier versions, believed to be the same vulnerability that Kafeine disclosed.
"We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below," Adobe said in the advisory.
No workaround was made available by Adobe. The company said it expects to release a patch for CVE-2015-0311, deemed critical, during the week of Jan. 26.
OpenSSL: Not Heartbleed, but still needs attention
On Jan. 8, 2015, OpenSSL released eight security advisories in its first release since Oct. 15. Two of the vulnerabilities could potentially enable denial-of-service attacks; both affect OpenSSL's implementation of the Datagram Transport Layer Security (DTLS) protocol. Versions 1.0.1k, 1.0.0p and 0.9.8zd patched the eight vulnerabilities.
OpenSSL versions 1.0.1l, 1.0.0q and 0.9.8ze were released Jan. 15 -- less than one week later -- to fix software bugs.
Oracle's first CPU of 2015
Meanwhile Oracle Corp. released its first 2015 Critical Patch Update Tuesday, issuing a record 169 patches affecting products including Java, Fusion Middleware, Enterprise Manager and MySQL, among others.
A total of 19 patches were released for the vulnerability-prone Java, a relatively low number in comparison to recent CPUs. However, four were rated a maximum 10.0 for severity on the CVSS, and 14 are remotely executable without authentication.
Fusion Middleware received the most fixes with a total of 36. Of them, two vulnerabilities could potentially result in a server takeover, and 28 could be remotely exploited without authentication.
Oracle E-Business Suite received 10 patches, one of which addressed an issue that noted Oracle vulnerability researcher David Litchfield at first believed was a backdoor when he discovered it in June 2014. The "backdoor," it turns out, is part of a "seeded installation." According to Litchfield, Oracle had no documentation of this issue, which could potentially allow a full compromise of the database server.
Firefox and Chrome release new versions, fix vulnerabilities
Mozilla Firefox and Google Chrome both released updates this month, fixing vulnerabilities in older browser versions.
Firefox 35 was released on Jan. 13, fixing a total of nine bugs. Of the three critical flaws, CVE-2014-8643 patched a critical sandbox escape issue in the Gecko Media Plugin used for videos on Windows. CVE-2014-8641 fixed a read-after-free flaw in WebRTC. CVE-2014-8634 and CVE-2014-8634 fixed several memory safety bugs. A high-severity flaw addressed uninitialized memory use during bitmap rendering.
Chrome 40 for Windows, Mac OS and Linux was released on Wednesday, fixing 62 vulnerabilities. Of the 17 high-severity issues, many were memory corruption or use-after-free vulnerabilities. Twenty-six of the flaws came from external researchers for which Google paid out a total of $53,500 in bug bounties.
In other news
- A Ponemon Institute LLC report released Wednesday found a number of companies are increasing security budgets in the aftermath of 2014's "mega breaches." Surveying 735 IT and security practitioners, the report focused on the effect headline-making breaches involving companies including Target Corp., Home Depot Inc. and Staples Inc. had on organizations' IT budgets and compliance practices. Sixty-one percent of respondents said security budgets increased by 34% on average, most of which was spent on security information and event management, endpoint security, and intrusion detection and prevention systems. When it came to breaches the practitioners' organizations were involved in, 47% attributed the breaches to insufficient funding, and 35% cited a lack of in-house expertise.
- On the same day that President Obama gave his State of the Union address, the Associated Press reported that the HealthCare.gov site is "quietly sending personal health information to a number of third-party websites" without users' consent. While names, birthdates and Social Security numbers are not available to third parties, data including zip codes, income levels, smoking status, pregnancy status and IP addresses reportedly are made available. A research firm told the AP that it found dozens of connections embedded on HealthCare.gov, including Google's data analytics service, Twitter, Facebook and online advertising providers. The government website claims that "no personally identifiable information is collected." The Obama administration said that the connections are intended to improve user experience, and that outside firms are banned from using the data for their own interests. The AP also reported that there is no evidence the data has been misused. This news broke just days after US-CERT issued an advisory about a phishing scam involving the website.
- Another new report from Ponemon released last Friday concluded that enterprises spend an annual average of $1.27 million -- an equivalent of more than 20,500 man hours -- investigating and handling false-positive cybersecurity alerts. A total of 630 IT and security practitioners in the U.S. were surveyed, and it was found that of the 17,000 cybersecurity alerts companies received on average annually, only 3,200 (or 19%) are reliable. And due to the high volume of false positive alerts and the unreliability of alerting systems, only 705 (or 4%) are investigated.