The vulnerability can be exploited remotely if printers supporting the remote firmware update process are not properly protected by firewalls. Local attacks are another possibility.

Consult Researchers Find Security Vulnerability In Printers for additional information about the vulnerability.

A press release issued by HP on December 23 confirms the availability of firmware updates that mitigate the security vulnerability. HP LaserJet printer owners are asked to visit the HP Support website to download the firmware updates to their systems. Here they need to select Drivers & Software, enter the product name or number into the form and select the product from the listing to be taken to a page where they can download the latest printer firmware for that model.

HP is furthermore offering security guidance for imaging and printing on this web page.

The press release provides no details on the changes made by HP or on the printer models firmware updates have been released for. HP stated however that the company is communicating the availability of firmware updates “proactively to customers and partners”. It is however not clear at the time of writing how update news are communicated to HP’s customer base. The HP website for one is not listing the firmware update on the main page, nor on the support start page.

No customer of affected printers has reported unauthorized access to HP, according to the press release.

HP LaserJet users should seek out the HP Support page to find out if a firmware update is available for their printer. The firmware should be installed as soon as possible to protect the printer from the vulnerability.

Facebook Chat in return has seen Skype integration, allowing Facebook users now to video chat with online friends. Security researcher David Vieira-Kurz discovered several vulnerabilities in the new Skype version that could allow an attacker to take over the Skype session of a user. What makes this attack even more dangerous is the fact that the attacker does not have to be a Facebook user’s friend or Skype contact to launch the attack.

The attack uses code that is entered into a wall or comment post. The Skype session information are then displayed on screen. The exploit is persistent in nature as logging off and on again on Facebook does not invalidate the Skype session. The vulnerability is caused by Skype’s inadequate escaping of data that is posted on Facebook.

David has posted a proof of concept video that demonstrates the vulnerability

Windows users who are considering updating to Skype 5.5 for the Facebook integration and chat functionality should consider waiting until an update is released by Skype. No workaround is available at this point in time.

What can you do if you have already updated to Skype 5.5? You could block the Skype app on Facebook under Privacy Settings until a fix is available. Please note that I have not tested this.

Adobe has confirmed reports that the vulnerability is actively exploited via swf files that are embedded in Microsoft Excel files that are delivered via email attachments. A successful exploit causes a crash of the application and could give an attacker control over the computer system.

A security fix is in the final stages of development, and Adobe estimates that it can be distributed during the next week. Computer users for now should be very cautious when they receive emails with Excel attachments, especially if the sender is unknown. It may be a good idea to open the documents online, for instance via Google Docs instead of a desktop client to block potential attacks.

Protected Mode of Adobe Reader X mitigates the issue according to Adobe, so that the security fix for that version will be delivered with the quarterly security update that is scheduled for June 14.

In short:

• All Flash Player versions 10 are affected for all supported desktop and mobile operating systems.
• All versions of Adobe Reader and Acrobat X, 10 and 9 are affected
• The vulnerability is exploited via Excel email attachments that have a Flash file embedded.
• A patch will be delivered in the next week

Additional information are available at the Security Advisory over at Adobe’s website.

A cross site scripting vulnerability was recently discovered by a security researcher on the LastPass.com website. The potential to exploit the vulnerability was limited, as it required a specifically prepared website and a user who was logged into LastPass.

The developers stated on the official LastPass blog that the logs did not indicate that the vulnerability was successfully exploited, other than by the security researcher who discovered it.

The vulnerability has been fixed and, as a consequence, security has been improved on the Last Pass website. The developers list four areas of improvements:

• Implementation of HSTS which basically forces supported web browsers (Chrome and Firefox 4 currently) to stay “on secure SSL web requests for the lastpass.com domain.”
• Increased input filtering and stateful inspection
• Implementation of X-Frame-Options which makes it impossible to embed Last Pass pages via iframes or frames.
• Implementation of “something very similar to Content Security Policy” which allows the LastPass admins to specify how content interacts on their website.

The LastPass blog offers links to several of the concepts and technologies that have been added or implemented as a reaction to the discovered vulnerability.

LastPass users who would like to take a look at the original article can do so here. It details the security researcher’s methodology and is a good read for security interested computer users.

All recent Microsoft operating systems are affected by the vulnerability. Microsoft today, has updated the Security Advisory. The update now links to a Fix-It solution, which basically is a one-click solution to correct the issue.

The program will disable .lnk and .pif file functionality, which will change the graphical representation of icons in the Windows Taskbar and Start Menu. The images below show the changes.

start menu

blank icon

The blank icons can be highly confusing, especially for users who did not apply the fix by themselves. It is advised to test it thoroughly before implementing it in a computer network.

Microsoft provides a Fix-It to enable or disable the workaround to protect the computer system from the attack.

Microsoft has also updated the manual workaround.

1. Click Start, click Run, type Regedit in the Open box, and then click OK.
2. Locate and then click the following registry key:

HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
3. Click the File menu and select Export.
4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save.
Note This will create a backup of this registry key in the My Documents folder by default
5. Select the value (Default) on the right hand window in the Registy Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.
6. Locate and then click the following registry key:
HKEY_CLASSES_ROOT\piffile\shellex\IconHandler
7. Click the File menu and select Export.
8. In the Export Registry File dialog box, enter PIF_Icon_Backup.reg and click Save.
Note This will create a backup of this registry key in the My Documents folder by default.
9. Select the value (Default) on the right hand window in the Registy Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.
10. Log all users off and on again, or restart the computer.

The manual workaround has the same effect as the Fix-It solution.

Microsoft furthermore recommends to block the download of lnk and pif files, but does not go into detail on how to do that. Visit the updated security advisory for additional information.

The security company claims that that the vulnerability can be exploited by attackers to crash the browser and execute code on the computer system. Opera was contacted by The Register after the disclosure of the vulnerability.

According to information posted on The Register website a patch is already in the making. Opera is also not sure that the vulnerability can be exploited at all but confirmed that it can be used to crash the web browser. DEP, the Data Execution Prevention module, mitigates the problem said Opera spokesman Thomas Ford.

Opera users should make sure that DEP is enabled in their operating system. It is recommended to only access trustworthy websites until a patch is released or switch to another web browser in the meantime.

The vulnerability is not exploited currently according to Microsoft’s information and it is not likely that it will as a user on the target system needs to be convinced to press the F1 key in response to a pop up dialog box on a specifically prepared website.

The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as “unsafe file types”. These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system. To help customers better understand unsafe file types, we have published a white paper on the topic which you can find by clicking this link.

There is currently no fix for affected operating systems but Microsoft confirmed that they continue investigating the issue. It is likely that a patch for the vulnerability will be provided shortly. As of now all users need to remember is to not press F1 when they are accessing websites.

We have posted information about the security vulnerability in the forum but not here on the blog. Adobe has now updated information about the security vulnerability which basically fixed the issue so that users who download and use the Adobe Download Manager from February 23 on do not download the vulnerable software.

Adobe has also posted instructions to verify that the vulnerable version of the Adobe Download Manager does not reside on the computer system if it has been downloaded prior to February 23.

Ensure that the C:\Program Files\NOS\ folder and its contents (“NOS files”) are not present on your system. (If the folder is present, follow the steps below to remove).
Click “Start” > “Run” and type “services.msc”. Ensure that “getPlus(R) Helper” is not present in the list of services.
If the NOS files are found, the Adobe Download Manager issue can be mitigated by:

Navigating to Start > Control Panel > Add or Remove Programs > Adobe Download Manager, and selecting Remove to remove the Adobe Download Manager from your system.

OR

Clicking “Start” > “Run” and typing “services.msc”. Then deleting “getPlus(R) Helper” from the list of services.
Then delete the C:\Program Files\NOS\ folder and its contents.

Probably the easiest way to handle the issue is to uninstall the Adobe Download Manager if it is listed in the list of installed programs. If it is it can be uninstalled easily which will remove the issue. The issue only affects Windows versions of the Adobe Download Manager.

To secure a computer system running Adobe Shockwave a user would therefor have to uninstall Adobe Shockwave, perform a system restart and install the latest version of Shockwave after the reboot.

The Security Bulletin that has been published at the Adobe website gives little information about the vulnerability other than it can be remotely exploited and that it only affects the Microsoft Windows operating system. Users are encouraged to download the latest version of Adobe Shockwave from the program’s website.

It should also be noted that this vulnerability targets only Adobe Shockwave and not Adobe Flash. Thanks goes to Dante for sending me the information via email.

Update: The latest version of Adobe Shockwave can be downloaded from the official website. It is always recommended to upgrade Shockwave to the latest version whenever an update is released by Adobe Software.

Maybe you are interested to know the difference between Shockwave Player and Adobe Flash? Shockwave Player includes Adobe Flash, it goes beyond what Flash offers. According to Adobe, the player is used to display destination Web content, interactive multimedia product demos, training, e-merchandising applications ad rich-media multi-user games.

This security update resolves a publicly disclosed vulnerability and several privately reported vulnerabilities in Microsoft Office PowerPoint that could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The security update is available on Windows Update and Microsoft Update. Additional information and links can be found at the Security Bulletin that has been created for the security vulnerability. Users of affected software programs are encouraged to perform the security update as soon as possible.

The reason why this vulnerability is still working in Google Chrome is because Google has been using an older version of Webkit for their browser’s core. First of all, users without Java on their computers are completely safe. Users with Java and Chrome installed should read on.

The problem is serious but requires the user’s action to be triggered. If the user clicks on a specifically prepared download the file downloads and executes itself automatically without further user input.

Security expert Aviv Raff has setup a demo website that demonstrates the vulnerability in Google Chrome. The demonstration page provides a download button which will download and execute a Java file immediately without further user interaction. This demo only opens a notepad application but serious harm could be done with such an exploit.

The researchers were able to load whatever content they wanted into any location they wished on a user’s machine using a variety of scripting languages, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.

Instead of exploiting a security vulnerability the researchers Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. of the architecture of Windows Vista. Another researcher described the technique as “completely game over.”

It’s currently not known if other operating systems are vulnerable as well but it is very likely. The best against this attack would be an add-on like NoScript that would most likely prevent it completely.