Keeping your system secure is a never ending battle. The evil-doers on the net are getting ever more sophisticated, and coming up with new ways to fool, cajole, trick or force you into downloading, running or loading software on your system that will compromise your system – at best, rendering it unusable, or at worst, invading your privacy, or even draining your bank account. It’s a Wild West frontier out there in the interwebs!

With that, let’s take a look at some of the recent updates and developments ion security news:

Adobe has announced in a security advisory that their Acrobat and Reader products, all versions up to and including the latest 9.2, are susceptible to attacks. A maliciously crafted PDF file could crash the program, and cause arbitrary code to run on your system and gain control. There is no fix for this, and there are reports that this vulnerability is being actively exploited in the wild as I write this.

Adobe plans to release an update to Acrobat products on January 12, 2010. In the meanwhile, please be careful when opening PDFs – if you don’t know the source, or if it was downloaded from the web, it could contain malicious code.

Adobe has offered this workaround which employs what they call “Javascript Blacklist Framework,” with mitigation for WIndows, Mac and Linux users. For those who cannot or don’t wish to utilize the Javascript Blacklist Framework, this situation can still be mitigated by disabling Javascript as described in the advisory. Keep in mind that some Acrobat features (including forms) may not work properly with Javascript disabled.

Additionally, if you’re running Flash Media Server, be sure to check out the latest Adobe security advisory concerning that product. All users of FMS 3.5.2 and earlier should upgrade to version 3.5.3 as soon as possible.

In fact, you might want to get prepared for a lot more of this from Adobe. Tony Bradley, writing for PCWorld, cites an interview with McAfee security specialists in which they cite Adobe software as a prime vector for malware in 2010 – due to its ubiquity, and the fact that “not many people keep their Adobe software patched.” Please don’t fall into this category!

The fine folks at WordPress.org have released WordPress 2.9, which is mostly a performance upgrade and was intended to be the last release in the 2.x family. However, a few issues reared their ugly head, and the 2.9.1 release candidate is now available, with general release expected soon. As always, upgrading is recommended, as the bad guys tend to go after untended older versions of software such as this.

Worpress 3.0 is in the works, and we’ll likely see it some time in the first half of 2010.

Mozilla has delayed their planned release of Firefox 3.6, which was originally scheduled to roll out his month. The latest from Mozilla is that 3.6 will be released sometime in the first calendar quarter of 2010. Additionally, version 4.0, which was to come out later in 2010, may now actually slip into 2011. These delays could spell a bump in the road for Mozilla, who faces ever increasing competition from the likes of Apple’s Safari, Google’s Chrome, Opera, and even the latest version of IE shipping with WIndows 7. Mozilla will have to work hard in 2010 to maintain their technical leadership in the browser world.

Yesterday was the second Tuesday of the month, and by now you should know just what that means… another set of security updates for Microsoft products. This week also sees us with some other notable updates to some Adobe products, and you’ll want to take note of these as well.

Remember that security updates are a fact of life these days. It isn’t an indication that the software manufacturers are creating shoddy product; rather, it is a sign that they are discovering flaws and repairing them in an effort to stay ahead of the malicious communities out there in the wild and untamed internet world. Security is an ongoing process these days.

We’ll start with Adobe this time.

Adobe Flash Player

Adobe has indicated that critical vulnerabilities have been discovered with Flash Player and Adobe AIR. These flaws could cause the application to crash, and an application that crashes can lead to weakness that can be exploited – in this case, potentially allowing a hacker to take over your system.

Adobe recommends all users of Flash Player version 10.0.32.18 and lower to upgrade to version 10.0.42.34. Users of Firefox will have this pushed to them automatically, users of IE will have to go and get it manually. Either way, make sure you get the update!

Also, users of Adobe AIR version 1.5.2 and lower should upgrade to version 1.5.3.

Adobe Illustrator CS3 and CS4

It isn’t often that a program like Illustrator is impacted by a security threat, but in this case Adobe has found that a flaw in the handling of EPS files can result in an attacker being able to run code on your system, gaining control of your computer. There is no fix available at this time! Adobe has plans to release an update on January 8, 2010.

Until an update is released, the best risk mitigation is to avoid opening any EPS file from an unknown source.

Microsoft Products

Microsoft has released six new security updates for the month of December, covering a variety of products. Additionally they’ve released a couple of security advisories, as well as their usual updates to their Outlook junk email filter, and their Malicious Software Removal Tool.

The security updates are as follows:

• MS09-069 - addresses a vulnerability in Windows (KB 974392). In this case a weakness in the LSASS service could facilitate a denial of service attack. This is considered an important update and affects Windows 2000, XP, and Server 2003.
• MS09-070 - addresses two vulnerabilities in Windows (KB 971726). An attacker can gain control of a system by taking advantage of a flaw in Windows Active Directory Federation Services. This update is rated Important and impacts Windows Server 2003 and Server 2008, both 32 bit and x64 versions.
• MS09-071 - addresses two vulnerabilities in Windows (KB 974318). A vulnerability in the Internet Authentication Service could allow an attacker to gain control over a server. This update is Critical for Windows Server 2008, 32 bit and x64 versions. This update is also rated Moderate or Important for many other Windows versions, including Windows 2000, XP, Vista, and Server 2003.
• MS09-072 - addresses four vulnerabilities in Internet Explorer (KB 976325). The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. This update is Critical for IE 5 and 6, Critical or Moderate for IE 7 depending on the system, and Moderate for IE 8.
• MS09-073 - addresses a vulnerability in Windows (KB 975539). In this case, the text converter in Microsoft WordPad and Microsoft Office Word has a flaw that can allow remote code execution and result in an attacker gaining control of the computer. This is rated Important for Windows 2000, XP, and Server 2003. It is also rated Important for Office Word 2002, 2003, Office Converter Pack, and Works 8.5.
• MS09-074 - addresses a vulnerability in Microsoft Office Project (KB 967183). This could allow remote code execution and system takeover if a user opens a maliciously crafted Project file. This is rated Critical for Project 2000, and Important for Project 2002 SP1 and 2003 SP3.

Additional updates beyond the core six security updates:

• Microsoft Security Advisory (954157) Security Enhancements for the Indeo Codec
• Microsoft Security Advisory (973811) Extended Protection for Authentication
• Office InfoPath 2007 Update (details)
• Office Outlook Junk E-Mail filter (details)
• Microsoft Malicious Software Removal Tool (details)

Keep those systems up to date, and stay ahead of the bad guys!

The moral of the story here is that you just can’t rest – as a computer owner with connections to the internet, you must keep active with your software updates – there are a seemingly endless stream of exploits being developed, and they almost always go after users with down-revision software. So, let’s see what’s been updated in the past week or so, and please do take a few minutes to check and ensure you are current with the latest versions.

We’ll start with WordPress – this popular blogging platform is now up to version 2.8.6, correcting two security flaws that allow registered blog users to gain unauthorized access to your server. If you have open blog registrations enabled on your blog (i.e., for commenting), this update is highly recommended. WordPress is due for its 2.9 version update, but the 2.8 version continues to evolve. If you’re hosting your blog on WordPress, upgrade today!

On the Browser front, we’ve seen two updates in the past week:

Google’s Chrome browser was updated November 12 to version 3.0.195.33, fixing two bugs, one of which was a security issue. The update should come automatically, but it is worth checking to ensure you have it.

Apple’s Safari browser received a rather large security update on November 11, to version 4.0.4. This update is highly recommended for all users, as it fixes browser stability issues as well as quite a few security flaws. From Apple’s site:

• Colorsync: Viewing a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution (Windows)
• Libxml: Parsing maliciously crafted XML content may lead to an unexpected application termination (Windows and Mac)
• Safari: Using shortcut menu options within a maliciously crafted website may lead to the disclosure of local information (Windows and Mac)
• Webkit: Visiting a maliciously crafted website may result in unexpected actions on other websites (Windows and Mac)
• Webkit: Accessing a maliciously crafted FTP server could result in an unexpected application termination, information disclosure, or arbitrary code execution (Windows and Mac)
• Webkit: Mail may load remote audio and video content when remote image loading is disabled (Mac)

Finally, we have Microsoft’s Windows November Update:

• MS09-063 – Critical – Vulnerability in Web Services on Devices API Could Allow Remote Code Execution (Windows Vista and Windows Server 2008)
• MS09-064 – Critical – Vulnerability in License Logging Server Could Allow Remote Code Execution (Windows 2000 only)
• MS09-065 – Critical – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (Windows 2000, XP, and Vista, Windows Server 2003 and 2008)
• MS09-066 – Important – Vulnerability in Active Directory Could Allow Denial of Service (Windows XP, Windows Server 2000, 2003 and 2008)
• MS09-067 – Important – Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (Microsoft Office Excel 2002, 2003 and 2007 for Windows, Microsoft Office 2004 and 2008 for Mac, as well as all supported versions of Office Excel Viewer and Office Compatibility Pack)
• MS09-068 – Important – Vulnerability in Microsoft Office Word Could Allow Remote Code Execution (Microsoft Office Word 2002 and 2003 for Windows, Microsoft Office 2004 and 2008 for Mac, and all supported versions of Word Viewer)
• The Microsoft Malicious Software Removal Tool and Outlook Junk Email Filters have also received their monthly update as part of this package.

That certainly seems to be enough for one week! Keep that software up to date, and keep your system safe. It’s a wild uncivilized web out there.

Keeping your software up to date is really important these days. There is big money in organized crime, seeking to compromise computers and gain access to your personal information – especially banking information. These malicious entities seek to gain a foothold in your computer by exploiting known vulnerabilities in popular software. As a result, something as benign as visiting a web site, opening an image, or playing a music file can lead to a compromised system, if your software has un-patched vulnerabilities.

So, keep that software up to date!

We’ll start this week with a bit of good news on the OS front, for those Apple customers who have migrated to the latest version of their OS.

Apple Mac OS X 10.6.2 (Snow Leopard) Updates:

Apple has released a Snow Leopard update that fixes a number of problems customers have reported, including patching a large number of security flaws in the firewall, Apache services, Apple Type Services (font handling), graphics and media services; the list goes on and on. You can read about it here.

Perhaps more exciting for users of Adobe Photoshop: John Nack has reported that the Photoshop team has been working with Apple, and this updated fixes a number of issues with Photoshop:

Affecting multiple versions of Photoshop:

• 50654: When opening and saving, applications–including Adobe applications–may sporadically crash
• 51230: Images don’t open when dragged onto the Adobe program icon in the Dock

• 51220: Crash or program error occurs when using Menlo font in Photoshop and Premiere CS3 and CS4

CS4-specific:

• 51764: Only one image opens when many are dragged onto Photoshop’s icon
• 51278: Cursors don’t display correctly in Photoshop CS4
• 51339: Editing in Photoshop CS4 fails from 64-bit Lightroom in Mac OS X 10.6
• Cannot drag from Safari onto Photoshop icon (and other application icons) in Dock to open file

Whether you get this update for security or for the Photoshop fixes, get it!

Browser Updates:

Opera – version 10.1 was released at the end of October, and this update combined a series of user experience features with a few security updates that I would consider critical. From the Opera changelog page:

These are all flaws that could result in a malicious user or site compromising your system. The last one listed seems especially concerning, sinc edetails aren’t being released. If you’re using Opera, make sure to install this update as soon as possible.

Firefox – Although version 3.5.4 was only recently released, the team at Mozilla.com has pushed out a new verison 3.5.5. This update contains several stability fixes, and in looking at the bug reports, the issues address browser crashes – typically the first place that hackers look for opportunities to gain access into your system. Firefox has pushed out this change, so you should see it automatically; if not, please visit www.mozilla.com and get the update.

Note also that for users who are still using the 3.0 version of Firefox, this has also been updated from 3.0.14 to 3.0.15 as of the end of October.

Java Updates:

Java 6 Update 17 was released on 11/4/2009. This release contains fixes for 23 security vulnerabilities. If you have the Java virtual machine installed on your system, this update is highly recommended.

Adobe Software Updates:

Photoshop Elements for Windows, version 7 and version 8, have a potential privilege escalation problem. This means that a user could gain administrator privileges by exploiting this vulnerability. Adobe has not patched the software yet, but they have provided a workaround to mitigate the risk.

Shockwave Player 11.5.1.601 and earlier have critical vulnerabilities that could allow a malicious attacker to run arbitrary code on your system. Chances are you’re not using Shockwave anymore (it is generally superseded by Flash), but if you do have it, please upgrade to the latest version 11.5.2.602.

That’s all for this week! Keep your software up to date, and keep safe!

Firefox has just released an update to version 3.5.4, correcting quite a few security flaws and correcting a number of stability issues.

This update is recommended for all Firefox users of the 3.5.x family of browsers.

From www.mozilla.com, the list of fixes includes the following:

Firefox 3.5.4 fixes the following issues:

• Several security issues.
• Fixed several stability issues.
• Added the ability to re-submit crash reports
• After using Clear Recent History some SSL sites would not load all images and styles without pressing reload

You can find the complete list of changes here. You may also be interested in the Firefox 3.5.3 release notes for a list of changes in the previous version.

The list of security issues fixed makes this a mandatory upgrade, in my book:

• MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)
• MFSA 2009-63 Upgrade media libraries to fix memory safety bugs
• MFSA 2009-62 Download filename spoofing with RTL override
• MFSA 2009-61 Cross-origin data theft through document.getSelection()
• MFSA 2009-59 Heap buffer overflow in string to number conversion
• MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
• MFSA 2009-56 Heap buffer overflow in GIF color map parser
• MFSA 2009-55 Crash in proxy auto-configuration regexp parsing
• MFSA 2009-54 Crash with recursive web-worker calls
• MFSA 2009-53 Local downloaded file tampering
• MFSA 2009-52 Form history vulnerable to stealing

Firefox should attempt to upgrade itself automatically, but if not, just use Help > Check for Updates…

Keep up to date, and stay safe on the web!

Classified as a “hardening release,” this series of updates is focused on improving several areas of security concern, and is therefore recommended for anyone running WordPress on their site.

According to the WordPress Blog, the biggest changes in this release are:

• A fix for the Trackback Denial-of-Service attack that is currently being seen.
• Removal of areas within the code where php code in variables was evaluated.
• Switched the file upload functionality to be whitelisted for all users including Admins.
• Retiring of the two importers of Tag data from old plugins.

If you are running WordPress and haven’t upgraded, please take the time and do so as soon as you can!

WordPress 2.9 is just around the corner, and beta testing is due to begin almost any day now. The final release of 2.9 is due out later this year, so keep an eye out here for news and availability.

Let’s start with the Microsoft Windows updates.

As they are wont to do, Microsoft released their monthly update on the second Tuesday of October, and this month there were a massive number of patches for Windows, Office and related Microsoft applications. The canonical list, with links to tech bulletins, can be found at the Microsoft Security October 2009 Update page.

October’s updates include a total of 13 separate security updates, two of which are the standard monthly updates for Outlook Junk Email filter, and the Windows Malicious Software Removal Tool (mrt.exe). But the other 11 updates include patches for no less than 29 critical vulnerabilities, spanning a gamut of OS-related modules:

• Active Template Library (ATL) vulnerabilities (4 patches)
• Internet Explorer (4 patches)
• Silverlight and .NET framework (3 patches)
• GDI+ (the OS Graphics engine) (8 patches)
• Windows Media Player and Runtime (3 patches)
• Windows Kernel (3 patches)
• Indexing Service (1 patch)
• Windows Crypto API (2 patches)
• Windows LSASS service (1 patch)

The moral of the story here – make sure you have automatic updates turned ON. More than a few of these vulnerabilities are already being exploited in the wild, and the release of patches is a signal to malicious entities to begin trying to exploit un-patched machines.

Apple releases iPhone OS 3.1.2

The update for the iPhone OS contains several fixes for issues that have been plaguing iPhone users, including:

• A sporadic issue that may cause iPhone to not wake from sleep
• Resolution to an intermittent issue that may interrupt cellular network services until restart
• Bug fix to remedy crashes during video streaming

This update applies to all versions of the iPhone, and is available through iTunes, so synch those devices and get your update!

Adobe releases security updates for Acrobat and Reader

Acrobat and Reader have been updated as follows:

• Windows and Mac from 9.1.3 to 9.2
• Legacy Windows and Mac, from 8.1.6 to 8.1.7
• Linux version, from 7.1.3 to 7.1.4

From Adobe’s security page:

Critical vulnerabilities have been identified in Adobe Reader 9.1.3 and Acrobat 9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and UNIX, and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. This update represents the second quarterly security update for Adobe Reader and Acrobat.

Adobe Reader

Adobe Reader users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Adobe Reader users on UNIX can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix.

Acrobat

Acrobat Standard and Pro users on Windows can find the appropriate update here:

http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro Extended users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows

Acrobat 3D users on Windows can find the appropriate update here:

http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.

Acrobat Pro users on Macintosh can find the appropriate update here:

http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.

Severity rating

Adobe categorizes this as a critical update.

This week’s tip comes courtesy of the Security Now! podcast, a great weekly treatise on all things secure. This is a really cool tip, thanks to Steve Gibson for producing a very informative podcast!

There is a “diagnostic page” on Google, that consolidates malware reporting of a given domain or site based on Google’s crawling of the website. It will give a report on the website, indicating whether Google’s web crawling bots have detected malware in the site or any of its links. The diagnostic page is accessible using the following URL text:

http://www.google.com/safebrowsing/diagnostic?site=somedomain.com

Where you can substitute “somedomain.com” with any domain for which you wish to see a report. For example, if we run this against the New York Times, using the following URL:

http://www.google.com/safebrowsing/diagnostic?site=nytimes.com

We find that there is a record of malicious software found on one page of the site, which is consistent with the news reports surrounding that incident. Trying this diagnostic URL against other, more questionable sites, yields some often more colorful reporting. Go ahead, click the link to see the report. Cool!

This is one handy trick that I’ll keep up my sleeve, for use prior to browsing to questionable sites!

Browser Updates

Firefox has released version 3.5.3 (or 3.0.14 for those still using the legacy version). This version fixes several known security risks, as well as incorporating some stability fixes.

Google Chrome was updated to 3.0.195.1, incorporating stability fixes that have been in beta for the past few months.

Here are the latest current browser versions. Use Help > About… in your browser to verify you are up to date:

• Firefox: 3.5.3  or 3.0.14
• Chrome: 3.0.195.21

No changes since our last status update:

• Safari: 4.0.3
• Opera: 10.00
• Internet Explorer: 8.0.6001.18702
• Camino: 1.6.9

Adobe Software

Adobe’s next security maintenance release for Acrobat and Reader is planned for Tuesday, October 13. It is not clear whether there will be any update to Flash Player in the next security cycle.

That’s all for this week’s security update!

It seems Apple moved quickly to release an update to Mac OS X 10.6.1 – primarily, it would seem, to upgrade the Flash Player plug-in to the current 10.0.32.18. You may recall from last week’s security topic, that Apple’s initial release of Snow Leopard included an older version of Flash Player that was vulnerable to malicious attacks. Apple moved quickly to fix this, but with that response time, you have to wonder if this wasn’t an oversight as they were rushing to get Snow Leopard shipped. If you’ve made the move to Snow Leopard, make sure you get the update!

Apple had a busy week last week, however; with a flurry of releases.

It started with hosting a huge music event and showing a new line of iPods, introduced by none other than Steve Jobs himself. Of course, to go along with the new hardware, Apple also released iTunes 9 and QuickTime 7.6.4. I mention this as part of our security update, because this version of QuickTime… you guessed it… patches some vulnerabilities in which a maliciously crafted video could lead to a crash and ultimately execution of arbitrary code. Again, make sure you get this update!

Apple didn’t stop there, however. They have released iPhone OS 3.1 and OS 3.1.1 for iPod Touch, both available using the iTunes updater. These updates address several security concerns as well:

• Playing a maliciously crafted MP3 or AAC file could result in crashes and arbitrary code execution.
• Deleted mail may still be visible using Spotlight Search, as we reported last month.
• Several vulnerabilities related to web browsing that could result in security or privacy issues.

Apple has certainly done well in providing these updates, but in my opinion has done the user community an even greater service in their increased level of disclosure of the problems and their solutions. My hat is off to Apple for stepping up their level of communications, a very important part of strategy in security management!

Note that this update does NOT apply to Snow Leopard, OS X 10.5.6.

This release updates Java SE 6 to version 1.6.0_15 (for 64-bit Intel Macs only), J2SE 5.0 to version 1.5.0_20 (all Intel and PPC Macs), and J2SE 1.4.2 to 1.4.2_22 (all Intel and PPC Macs). The updates catch up with Java fixes released by Sun in August, but apparently there are still a few pending vulnerabilities that have yet to be incorporated into the Leopard packages.

Make sure you update as soon as possible, as there are active exploits in the wild for some of these flaws!