US-CERT Details Top 30 Targeted High Risk Security Vulnerabilities

In the final week of April 2015, US-CERT published an alert listing the top 30 exploitable security vulnerabilities that could be used to attack critical infrastructure organizations and companies.

The list includes flaws that can be exploited through malicious email attachments and targeted attacks (spear phishing), and most commonly through “watering hole” attacks.

What is a Watering Hole Attack?
A watering hole attack targets a website that a specific group of people visits regularly. The attacker compromises that site and injects HTML or JavaScript (for example a hidden iframe or a script redirect) that sends visitors to another page crafted to exploit a security flaw on their device, e.g. one of the 30 flaws in the US-CERT alert. If the flaw is present on the visitor’s device, the exploit succeeds and, where the flaw allows remote code execution, malware can be installed or any other action of the attacker’s choice can be carried out.

Such an attack is more likely to succeed because visitors trust the site: they are more likely to act as the attacker wishes when a dialog box appears or a message asks them to perform an action, e.g. to download a fake codec update in order to watch a video (which leads to the visitor’s device being exploited).
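The following is an added example, not code from the original post: a small Python scanner that flags the HTML and JavaScript constructs typically injected into a compromised site to redirect visitors (hidden or off-site iframes, third-party script tags, meta refresh redirects and inline `location` assignments). The hostnames and the sample pages are constructed for the example. It is a heuristic, so treat hits as leads for a diff against a known-good copy of the page rather than as proof of compromise.

```python
"""Added example (not from the original post): flag HTML constructs commonly
injected into a compromised site to redirect visitors to an exploit page.
Heuristic only: off-site iframes/scripts can be legitimate (CDNs, ad networks),
so treat hits as leads for a manual diff against a known-good copy of the page."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline JavaScript redirect patterns: location assignments/replace() and
# document.write() of an iframe. The (?!=) avoids matching "location == x".
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|parent\.)?location(?:\.href)?\s*=(?!=)"
    r"|location\.replace\s*\("
    r"|document\.write\s*\(\s*[\"']\s*<iframe",
    re.IGNORECASE,
)


class InjectFinder(HTMLParser):
    """Collects (kind, detail) findings while parsing the page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script_text = []

    def _off_site(self, url):
        host = (urlparse(url or "").hostname or "").lower()
        # Relative URLs have no host and are treated as on-site.
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "iframe":
            src = a.get("src") or ""
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (
                a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                or "display:none" in style or "visibility:hidden" in style
                or "left:-" in style or "top:-" in style
            )
            if hidden or self._off_site(src):
                self.findings.append(("hidden-or-offsite-iframe", src))
        elif tag == "script":
            self._in_script = True
            src = a.get("src")
            if src and self._off_site(src):
                self.findings.append(("offsite-script", src))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content") or ""))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data as raw text.
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            text = "".join(self._script_text)
            self._script_text = []
            for m in REDIRECT_RE.finditer(text):
                self.findings.append(("inline-redirect", text[m.start():m.start() + 80].strip()))


def scan_html(html, site_host):
    """Return the list of suspicious constructs found in `html` for a page served from `site_host`."""
    parser = InjectFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample of a tampered page (hostnames are made up for the example).
SAMPLE_COMPROMISED = """<html><head><title>Members</title>
<script src="/js/app.js"></script>
<script src="https://cdn.evil.example/stats.js"></script>
</head><body><h1>Welcome back</h1>
<iframe src="https://exploit.evil.example/lp.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>if (navigator.userAgent.indexOf("MSIE") > 0) { window.location = "https://exploit.evil.example/ie.php"; }</script>
</body></html>"""

# The same page without the injected elements, for comparison.
SAMPLE_CLEAN = """<html><head><title>Members</title>
<script src="/js/app.js"></script>
</head><body><h1>Welcome back</h1>
<script>var ready = (document.location == null);</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_COMPROMISED, "portal.example"):
        print(f"{kind}: {detail}")
```

Run against a copy of the page fetched from the server (or from the web root on disk, which avoids any server-side cloaking that shows clean content to scanners). The constructed tampered sample produces three findings (the third-party script, the 1x1 hidden iframe and the inline `window.location` redirect); the clean sample produces none.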

All of the products listed within the above mentioned alert are commonly used and can be patched with low to moderate effort. Please find below advice on how to update each of the affected products in the list.

I hope that this list of products, with the associated steps to update each, is useful to you in applying the necessary updates so as to avoid being exploited via the top 30 high risk security vulnerabilities mentioned by US-CERT.

Thank you.

==========================
Microsoft Internet Explorer:
==========================
Please see “Enable automatic updates for Windows” within my “Protecting Your PC” page.
==========================

==========================
Microsoft Silverlight:
==========================
For Mac:
Please visit this Silverlight page. If you have Silverlight installed and an update is available, please download and install it.

For PC:
Please see “Enable automatic updates for Windows” within my “Protecting Your PC” page.
==========================

Microsoft Office for Mac and Windows:

Office for Mac:

==========================
Office 2011 for Mac:
==========================
The most recent update at the time of writing is 14.4.9 (select “Office 2011” under the Products column on this page). Please download and install the most recent update for Office 2011 for Mac. To install all outstanding updates I would suggest using Microsoft AutoUpdate for Mac 2.3.6 (which is compatible with Office 2011 for Mac).

Please note that update 14.4.9 requires 14.1.0 (i.e. SP1 for Office 2011 for Mac) to be installed first.

==========================
Office 2008 for Mac:
==========================
This version of Office is no longer supported, so it receives no further security updates and any of the listed flaws that affect it will remain unfixed; upgrading to a supported version is the only complete remedy. If you must keep using it, at least install the most recent update available, 12.3.6. This update requires Update 12.2.0 (i.e. SP2 for Office 2008 for Mac) to already be installed, and SP2 in turn requires SP1 to be installed beforehand.

To install all updates I would suggest using Microsoft AutoUpdate for Mac 2.3.6 (which is compatible with Office 2008 for Mac).

==========================
Office 2004 for Mac:
==========================
This version of Office is also unsupported and receives no further security updates, so an upgrade is recommended. Update 11.6.6 is the most recent update available; it requires Update 11.6.5 (and all prior updates) to be installed first. To install all updates I would suggest using Microsoft AutoUpdate for Office 2004 for Mac.
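The prerequisite chains above (14.4.9 needs 14.1.0; 12.3.6 needs 12.2.0, which needs SP1; 11.6.6 needs 11.6.5) are easy to get wrong when checking a fleet of Macs by hand. The following is an added example, not code from the original post or from Microsoft: a Python planner that, given an installed Office for Mac version, returns the updates still to be applied in the correct order. Version numbers are the ones quoted in the text; Office 2008 SP1 is taken to be 12.1.0 (an assumption), for Office 2004 only the last two steps are modelled because the text says “and all prior updates” without listing them, and the inventory hostnames and versions are constructed.

```python
"""Added example (not from the original post): compute the ordered list of
Office for Mac updates still to be applied, honouring the prerequisite chain
described in the text. Office 2008 SP1 = 12.1.0 is an assumption; Office 2004
is modelled only from 11.6.5 onwards (the text does not list the earlier updates)."""

# update version -> the update it requires (None = base install)
UPDATE_PREREQS = {
    "Office 2011": {"14.4.9": "14.1.0", "14.1.0": None},
    "Office 2008": {"12.3.6": "12.2.0", "12.2.0": "12.1.0", "12.1.0": None},
    "Office 2004": {"11.6.6": "11.6.5", "11.6.5": None},
}


def parse_version(text):
    """'14.4.9' -> (14, 4, 9); tuples compare correctly where strings do not ('14.10.0' > '14.9.0')."""
    return tuple(int(part) for part in text.strip().split("."))


def latest_update(product):
    return max(UPDATE_PREREQS[product], key=parse_version)


def plan_updates(product, installed):
    """Return the updates to apply, in installation order, to bring `installed` up to the latest."""
    chain = UPDATE_PREREQS[product]
    have = parse_version(installed)
    top = latest_update(product)
    # Guard against feeding an Office 2011 build number to the Office 2008 chain, etc.
    if have[0] != parse_version(top)[0]:
        raise ValueError(f"{installed} is not a {product} build (expected major {parse_version(top)[0]})")
    steps = []
    version = top
    # Walk from the newest update back down the prerequisite chain until we reach
    # something the machine already has; reverse to get installation order.
    while version is not None and parse_version(version) > have:
        steps.append(version)
        version = chain[version]
    return list(reversed(steps))


def report(inventory):
    """inventory: iterable of (host, product, installed_version) -> {host: [updates in order]}"""
    return {host: plan_updates(product, ver) for host, product, ver in inventory}


# Constructed inventory for the example (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("mac-01", "Office 2011", "14.0.0"),   # shipped version, needs SP1 then 14.4.9
    ("mac-02", "Office 2011", "14.4.9"),   # already current
    ("mac-03", "Office 2008", "12.2.8"),   # past SP2, only 12.3.6 outstanding
    ("mac-04", "Office 2008", "12.0.1"),   # needs SP1, SP2, then 12.3.6
]

if __name__ == "__main__":
    for host, steps in report(SAMPLE_INVENTORY).items():
        print(host, "->", " then ".join(steps) if steps else "up to date")
```

The installed version can be read from the `CFBundleShortVersionString` in `Microsoft Word.app/Contents/Info.plist`, or from Word’s About dialog. Microsoft AutoUpdate performs the same ordering for you; the planner is useful for auditing a fleet before and after a rollout.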

==========================
Office for Windows:
==========================
For Office 365 (Business Essentials, Business, Business Premium, Home and Personal): these suites stay up to date automatically while an internet connection is available.

==========================
Office 2013, 2010 and 2007:
==========================
Windows Update can detect and install all updates for you when it is configured correctly (Office updates are only offered when Microsoft Update, i.e. the “Give me updates for other Microsoft products” option, is enabled). Alternatively, Office 2013 can also be updated manually.

==========================
For Office 2003, Office XP and Office 2000:
==========================
Windows Update (with Microsoft Update enabled, as for the newer versions) can detect and install the available updates for you when it is configured correctly. Note that these versions are out of support, so only the updates released before their support ended are offered; flaws found since then remain unfixed and an upgrade to a supported version is recommended.

For any product listed in the table within the US-CERT alert that you have installed but for which Windows Update offers no update, I would recommend checking the security bulletins referenced in the alert for instructions on downloading and installing the appropriate updates manually.

==========================
Oracle Java:
==========================
To obtain the latest updates for Java: if you are a developer, visit this page and download the most recent Java Development Kit (JDK), or the most recent update for the JDK version you use (e.g. 7, 6 or 5). JDK 8 is currently the most recent release. Some developers may also need the latest JavaFX.

For corporate desktop systems and consumer/home users, please visit http://java.com to download the most recent Java Runtime Environment (JRE). On Windows there is also the option of enabling automatic updates when Java is installed. After updating, confirm that no older JRE releases remain installed alongside the new one, since an old version left behind is still exploitable.

==========================
Adobe:
==========================
Adobe Flash:
For Adobe Flash, since version 11.2 Adobe has included an automatic updater when Flash is installed on Windows. On versions of Windows older than Windows 8.0, Flash can also be downloaded and installed manually from this page (the downloaded version automatically replaces any older version of Flash already installed).

For Windows 8.0 and later, Microsoft issues updates to the Flash player built into Internet Explorer via Windows Update; these updates are detailed in this security advisory. Flash plug-ins for other browsers on those systems are still updated by Adobe’s own updater or the manual download above.

==========================
Adobe AIR:
For the Adobe AIR SDK and AIR SDK & Compiler, updates can be obtained from Adobe’s developer page.
For Adobe AIR desktop runtime, updates are available from this download page.

==========================
Adobe Acrobat and Adobe Reader:
For Acrobat DC and Reader DC, updates are delivered automatically (and are also available using “Check for Updates” as described below). Alternatively, updates for Acrobat DC for Mac and Windows are available. The latest version of Reader DC is available from here (be sure to deselect any optional bundled software offered on the download page, such as Google Chrome and Google Toolbar).

For Acrobat 11 and 10, updates are available for Mac and Windows. Alternatively use the built in updater by clicking the Help menu and choosing “Check for Updates”.

For Adobe Reader 11 and 10, updates are available for Mac and Windows. Alternatively use the built in updater by clicking the Help menu and choosing “Check for Updates”.

For older versions of Acrobat and Reader (9, 8 and earlier), no further updates are being released. It may still be possible to run a check for updates as described above, but these versions are no longer serviced, so it is recommended to upgrade to a currently serviced version, i.e. 10, 11 or DC.

==========================
For Adobe ColdFusion:
Updates are available for ColdFusion 11 and 10. Installation instructions are also provided within the aforementioned pages.

For ColdFusion 9, there are 3 updates available to be installed in the order presented here:

ColdFusion Security hotfix APSB13-03

ColdFusion Security hot fix APSB13-13

ColdFusion Security hot fix APSB13-27

Further security hotfixes for ColdFusion 9 (beyond the three above) are also available and should be applied after them.

==========================
Adobe Flex:
Adobe Flex is available for download from here. However in an April 2015 security bulletin Adobe recommended updating the Flex index.html file using the steps provided in that bulletin.

==========================
OpenSSL:
==========================
For OpenSSL I would recommend following the guidance US-CERT provides (via the link in its alert) for upgrading to the most recent non-vulnerable version, since the upgrade process involves product-specific steps: OpenSSL is usually bundled inside other software (web servers, appliances, VPN clients), each of which must be updated or rebuilt against the fixed library and then restarted before the fix takes effect.
==========================
