Keeping your system secure is a never ending battle. The evil-doers on the net are getting ever more sophisticated, and coming up with new ways to fool, cajole, trick or force you into downloading, running or loading software on your system that will compromise your system – at best, rendering it unusable, or at worst, invading your privacy, or even draining your bank account. It’s a Wild West frontier out there in the interwebs!

With that, let’s take a look at some of the recent updates and developments ion security news:

Adobe has announced in a security advisory that their Acrobat and Reader products, all versions up to and including the latest 9.2, are susceptible to attacks. A maliciously crafted PDF file could crash the program, and cause arbitrary code to run on your system and gain control. There is no fix for this, and there are reports that this vulnerability is being actively exploited in the wild as I write this.

Adobe plans to release an update to Acrobat products on January 12, 2010. In the meanwhile, please be careful when opening PDFs – if you don’t know the source, or if it was downloaded from the web, it could contain malicious code.

Adobe has offered this workaround which employs what they call “Javascript Blacklist Framework,” with mitigation for WIndows, Mac and Linux users. For those who cannot or don’t wish to utilize the Javascript Blacklist Framework, this situation can still be mitigated by disabling Javascript as described in the advisory. Keep in mind that some Acrobat features (including forms) may not work properly with Javascript disabled.

Additionally, if you’re running Flash Media Server, be sure to check out the latest Adobe security advisory concerning that product. All users of FMS 3.5.2 and earlier should upgrade to version 3.5.3 as soon as possible.

In fact, you might want to get prepared for a lot more of this from Adobe. Tony Bradley, writing for PCWorld, cites an interview with McAfee security specialists in which they cite Adobe software as a prime vector for malware in 2010 – due to its ubiquity, and the fact that “not many people keep their Adobe software patched.” Please don’t fall into this category!

The fine folks at WordPress.org have released WordPress 2.9, which is mostly a performance upgrade and was intended to be the last release in the 2.x family. However, a few issues reared their ugly head, and the 2.9.1 release candidate is now available, with general release expected soon. As always, upgrading is recommended, as the bad guys tend to go after untended older versions of software such as this.

Worpress 3.0 is in the works, and we’ll likely see it some time in the first half of 2010.

Mozilla has delayed their planned release of Firefox 3.6, which was originally scheduled to roll out his month. The latest from Mozilla is that 3.6 will be released sometime in the first calendar quarter of 2010. Additionally, version 4.0, which was to come out later in 2010, may now actually slip into 2011. These delays could spell a bump in the road for Mozilla, who faces ever increasing competition from the likes of Apple’s Safari, Google’s Chrome, Opera, and even the latest version of IE shipping with WIndows 7. Mozilla will have to work hard in 2010 to maintain their technical leadership in the browser world.

Yesterday was the second Tuesday of the month, and by now you should know just what that means… another set of security updates for Microsoft products. This week also sees us with some other notable updates to some Adobe products, and you’ll want to take note of these as well.

Remember that security updates are a fact of life these days. It isn’t an indication that the software manufacturers are creating shoddy product; rather, it is a sign that they are discovering flaws and repairing them in an effort to stay ahead of the malicious communities out there in the wild and untamed internet world. Security is an ongoing process these days.

We’ll start with Adobe this time.

Adobe Flash Player

Adobe has indicated that critical vulnerabilities have been discovered with Flash Player and Adobe AIR. These flaws could cause the application to crash, and an application that crashes can lead to weakness that can be exploited – in this case, potentially allowing a hacker to take over your system.

Adobe recommends all users of Flash Player version 10.0.32.18 and lower to upgrade to version 10.0.42.34. Users of Firefox will have this pushed to them automatically, users of IE will have to go and get it manually. Either way, make sure you get the update!

Also, users of Adobe AIR version 1.5.2 and lower should upgrade to version 1.5.3.

Adobe Illustrator CS3 and CS4

It isn’t often that a program like Illustrator is impacted by a security threat, but in this case Adobe has found that a flaw in the handling of EPS files can result in an attacker being able to run code on your system, gaining control of your computer. There is no fix available at this time! Adobe has plans to release an update on January 8, 2010.

Until an update is released, the best risk mitigation is to avoid opening any EPS file from an unknown source.

Microsoft Products

Microsoft has released six new security updates for the month of December, covering a variety of products. Additionally they’ve released a couple of security advisories, as well as their usual updates to their Outlook junk email filter, and their Malicious Software Removal Tool.

The security updates are as follows:

• MS09-069 - addresses a vulnerability in Windows (KB 974392). In this case a weakness in the LSASS service could facilitate a denial of service attack. This is considered an important update and affects Windows 2000, XP, and Server 2003.
• MS09-070 - addresses two vulnerabilities in Windows (KB 971726). An attacker can gain control of a system by taking advantage of a flaw in Windows Active Directory Federation Services. This update is rated Important and impacts Windows Server 2003 and Server 2008, both 32 bit and x64 versions.
• MS09-071 - addresses two vulnerabilities in Windows (KB 974318). A vulnerability in the Internet Authentication Service could allow an attacker to gain control over a server. This update is Critical for Windows Server 2008, 32 bit and x64 versions. This update is also rated Moderate or Important for many other Windows versions, including Windows 2000, XP, Vista, and Server 2003.
• MS09-072 - addresses four vulnerabilities in Internet Explorer (KB 976325). The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. This update is Critical for IE 5 and 6, Critical or Moderate for IE 7 depending on the system, and Moderate for IE 8.
• MS09-073 - addresses a vulnerability in Windows (KB 975539). In this case, the text converter in Microsoft WordPad and Microsoft Office Word has a flaw that can allow remote code execution and result in an attacker gaining control of the computer. This is rated Important for Windows 2000, XP, and Server 2003. It is also rated Important for Office Word 2002, 2003, Office Converter Pack, and Works 8.5.
• MS09-074 - addresses a vulnerability in Microsoft Office Project (KB 967183). This could allow remote code execution and system takeover if a user opens a maliciously crafted Project file. This is rated Critical for Project 2000, and Important for Project 2002 SP1 and 2003 SP3.

Additional updates beyond the core six security updates:

• Microsoft Security Advisory (954157) Security Enhancements for the Indeo Codec
• Microsoft Security Advisory (973811) Extended Protection for Authentication
• Office InfoPath 2007 Update (details)
• Office Outlook Junk E-Mail filter (details)
• Microsoft Malicious Software Removal Tool (details)

Keep those systems up to date, and stay ahead of the bad guys!

Let’s start with the Microsoft Windows updates.

As they are wont to do, Microsoft released their monthly update on the second Tuesday of October, and this month there were a massive number of patches for Windows, Office and related Microsoft applications. The canonical list, with links to tech bulletins, can be found at the Microsoft Security October 2009 Update page.

October’s updates include a total of 13 separate security updates, two of which are the standard monthly updates for Outlook Junk Email filter, and the Windows Malicious Software Removal Tool (mrt.exe). But the other 11 updates include patches for no less than 29 critical vulnerabilities, spanning a gamut of OS-related modules:

• Active Template Library (ATL) vulnerabilities (4 patches)
• Internet Explorer (4 patches)
• Silverlight and .NET framework (3 patches)
• GDI+ (the OS Graphics engine) (8 patches)
• Windows Media Player and Runtime (3 patches)
• Windows Kernel (3 patches)
• Indexing Service (1 patch)
• Windows Crypto API (2 patches)
• Windows LSASS service (1 patch)

The moral of the story here – make sure you have automatic updates turned ON. More than a few of these vulnerabilities are already being exploited in the wild, and the release of patches is a signal to malicious entities to begin trying to exploit un-patched machines.

Apple releases iPhone OS 3.1.2

The update for the iPhone OS contains several fixes for issues that have been plaguing iPhone users, including:

• A sporadic issue that may cause iPhone to not wake from sleep
• Resolution to an intermittent issue that may interrupt cellular network services until restart
• Bug fix to remedy crashes during video streaming

This update applies to all versions of the iPhone, and is available through iTunes, so synch those devices and get your update!

Adobe releases security updates for Acrobat and Reader

Acrobat and Reader have been updated as follows:

• Windows and Mac from 9.1.3 to 9.2
• Legacy Windows and Mac, from 8.1.6 to 8.1.7
• Linux version, from 7.1.3 to 7.1.4

From Adobe’s security page:

Critical vulnerabilities have been identified in Adobe Reader 9.1.3 and Acrobat 9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and UNIX, and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. This update represents the second quarterly security update for Adobe Reader and Acrobat.

Adobe Reader

Adobe Reader users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Adobe Reader users on UNIX can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix.

Acrobat

Acrobat Standard and Pro users on Windows can find the appropriate update here:

http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro Extended users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows

Acrobat 3D users on Windows can find the appropriate update here:

http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.

Acrobat Pro users on Macintosh can find the appropriate update here:

http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.

Severity rating

Adobe categorizes this as a critical update.

Indesign 6.0.4:

This update fixes many previous issues in the areas of Scripting, Master Pages, Digital Editions, Import/Export Graphics, as well as other miscellaneous issues. Read the release notes (pdf) for a canonical list of fixes.

This update does not address certain issues running Adobe InDesign CS4 on Mac OS X Leopard (v10.5.1-v10.5.5):

• The Cmd-H keyboard shortcut doesn’t work to hide the InDesign application.
  The Place, Save, Save As or Export commands may cause crashes when using either the Adobe or the OS dialog box.

As a means of fixing these issues, Adobe recommends upgrading to Snow Leopard, OS X 10.6.1.

InCopy 6.0.4:

This update provides fixes several issues in the areas of hyphenation, INCX import as well as other miscellaneous issues.

As mentioned above for InDesign, this update doesn’t address the same Leopard issues, and again, Adobe recommends upgrading to Snow Leopard – OS X 10.6.1 – to solve these problems.

Both updates are available using the Adobe Updater service from with your Creative Suite applications.

New features in Photoshop Elements 8 include:

• Content aware scaling
• Photo Merge for exposure blending
• People Recognition (automatically tagging images)
• Auto-analyzer, editing and other new features within the Organizer
• Full screen preview in Organizer
• Synchronize Libraries between computers
• Previewing of adjustments (a’ la Photoshop’s "Variations")
• New albums and templates

At $79 (discounted from $99) this is a pretty good deal for the amateur, hobbyist, etc. There are some features I’d like to see in Lightroom (i.e. the Library sync).

New features in Premiere Elements 8 include:

• All of the Organizer improvements listed above
• Smartfix feature to correct camera shake, lighting and color problems
• Smartmix automation feature for audio editing
• SmartTrim provides fully automated or guided video trimming
• InstantMovie feature enhanced with new themes
• Motion tracking synchronizes graphics movement with subjects in the scene
• Added themes, effects and transitions
• New online video sharing capabilities

Also $79 (discounted from $99) and also a good deal for the amateur or hobbyist.

The bundle (includes both Photoshop Elements and Premiere Elements) is available at $119 (discounted from $149). The “Plus” bundle includes online storage of up to 20Gb, additional online content, and online tutorials, and is available for $149 (discounted from $179).

This week’s tip comes courtesy of the Security Now! podcast, a great weekly treatise on all things secure. This is a really cool tip, thanks to Steve Gibson for producing a very informative podcast!

There is a “diagnostic page” on Google, that consolidates malware reporting of a given domain or site based on Google’s crawling of the website. It will give a report on the website, indicating whether Google’s web crawling bots have detected malware in the site or any of its links. The diagnostic page is accessible using the following URL text:

http://www.google.com/safebrowsing/diagnostic?site=somedomain.com

Where you can substitute “somedomain.com” with any domain for which you wish to see a report. For example, if we run this against the New York Times, using the following URL:

http://www.google.com/safebrowsing/diagnostic?site=nytimes.com

We find that there is a record of malicious software found on one page of the site, which is consistent with the news reports surrounding that incident. Trying this diagnostic URL against other, more questionable sites, yields some often more colorful reporting. Go ahead, click the link to see the report. Cool!

This is one handy trick that I’ll keep up my sleeve, for use prior to browsing to questionable sites!

Browser Updates

Firefox has released version 3.5.3 (or 3.0.14 for those still using the legacy version). This version fixes several known security risks, as well as incorporating some stability fixes.

Google Chrome was updated to 3.0.195.1, incorporating stability fixes that have been in beta for the past few months.

Here are the latest current browser versions. Use Help > About… in your browser to verify you are up to date:

• Firefox: 3.5.3  or 3.0.14
• Chrome: 3.0.195.21

No changes since our last status update:

• Safari: 4.0.3
• Opera: 10.00
• Internet Explorer: 8.0.6001.18702
• Camino: 1.6.9

Adobe Software

Adobe’s next security maintenance release for Acrobat and Reader is planned for Tuesday, October 13. It is not clear whether there will be any update to Flash Player in the next security cycle.

That’s all for this week’s security update!

A recent study at UC Berkeley, a government inquiry, and several recent news articles have combined to highlight a new privacy concern, as well as some underhanded tricks that web tracking companies are using to monitor internet user activity. Using Adobe’s Flash Player, web sites now have the ability to track users using a concept similar to browser cookies – and up to now, this has been done silently, without notification, and in some cases even after individual users have “opted out” of cookie tracking.

In fact, the study showed that more than 50% of the top 100 internet sites used Flash data to “re-spawn” cookies that had been intentionally cleared, deleted, or blocked by users.

Here’s an experiment you can try. Take a look at the following folder in your system, to see what sites are using Flash data to maintain tracking information on your system:

In Windows XP:

C:\Documents and Settings\{yourname}\Application Data\Macromedia\Flash Player\#SharedObjects

In Windows Vista:

C:\Users\{yourname}\AppData\Roaming\Macromedia\Flash Player\#SharedObjects

In Mac OS/X:

~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/

In either case, look in the subfolder with a random name, and you’ll be amazed at what you find.

The idea of using Flash Player to store tracking information isn’t new, but it has spawned a hidden system for tracking user activity in a way that is neither self-evident, nor easily managed. Read on for some background and suggestions in how to deal with this situation.

If you want to skip the gory details and just know how to prevent this, skip to the section near the end, titled “Adobe’s Flash Player Settings Application.”

Read on…

Concept of a browser cookie

Once upon a time, a very long time ago in web years (about 1994), early developers of internet Web tools came across the challenge of keeping track of multiple users of a web site. They developed a technology that would allow the web server to know whether a particular user had previously visited their site. This would allow the server to display different content based on the visitor’s history, and led to many new ways of conducting Web business, most notably e-commerce (the original “shopping cart” concept). Thus was born the “cookie.”

A browser cookie isn’t much more than a very small amount of data, usually something like a serial number, that identifies a site visitor. The actual user-specific data is managed on the server, and the cookie is the link that lets the visitor’s browser talk to the server and allow the server to keep track of the visitor’s status – logged in, items in shopping cart, site display preferences, etc.

Almost as soon as cookies were developed, watchful groups became concerned over the potential privacy violations; ways that companies (or individuals) could misuse the browser as a tool to keep track of users and their browsing habits. Browsers were updated to allow users to block cookies entirely, or to clear them from history, and the game was on.

Third party cookies and privacy concerns

In many cases, today’s web sites are composed of content from multiple servers and locations, notably servers different from the ones to which we’ve requested a connection. Consider the ubiquitous advertisement pane that pops up on many pages – this advertisement is coming from another server, a “third party” to you and the hosting server. The advertising company serving the banner uses cookies to know whether it has served you an ad, and it may adjust its content based on your browsing history.

These types of third party cookies created a whole new area of concern, and most modern web browsers now include a setting in which you can completely block third party cookies, while allowing regular cookies to be passed between you and the site you are visiting. If you don’t have this blocking active already, please consider doing so right now!

Cookie management in browsers

Here is an example of the cookie management feature in Internet Explorer, and Firefox (Windows):

Note that in both cases, the browser clearly allows you to accept or block all cookies, and also makes a provision to block only third-party cookies while accepting first-party cookies. Other browsers have similar settings.

If you don’t already have these settings made, I recommend blocking third-party cookies as a privacy measure. This is my personal opinion, but is shared by many in the computing security field.

The Local Shared Object (aka “Flash Cookie”)

Now that you’ve got your cookie blocking active, here comes the curve ball.

Adobe’s Flash Player allows web sited to store information similar to a cookie on your machine. Adobe euphemistically refers to this data as a “Local Shared Object,” but most people refer to this as a “Flash Cookie,” and indeed it shares many traits with browser cookies:

• An LSO can store data from the server
• An LSO can be used to maintain state for user management (tracking, commerce, session management, etc)

However, the LSO has some very key differences from browser cookies:

• An LSO has no expiration date
• An LSO can be very large (up to 10 Mb) in contrast to a browser cookie’s 4kb
• An LSO can not be blocked or cleared by any setting within the browser

Scared yet?

The study and results

A recent study by UC Berkeley reviewed the characteristics of 100 top web sites, as ranked by QuantCast. This study concluded that both HTTP and Flash Cookies were ubiquitous among top web sites, and over 50% of the sites surveyed were using Flash as well as HTTP cookies for various purposes. Further, the study found that Flash data was being used to reinstate, or “re-spawn,” cookie data that had been deleted or blocked by users. This included cookie data that was specifically subject to “opt-out” settings in accordance with the Network Advertising Initiative process.

I don’t know about you, but I don’t care to have companies re-spawning anything on my system after I’ve deleted it. This sounds WAY too much like malware behavior.

Adobe’s Flash Player Settings Application

Are you ready to stop the insanity? OK, let’s see how we can put an end to this nonsense. As I mentioned in the beginning, the solution is neither self-evident, nor easily managed. Here’s the kicker:

There is no settings panel within the Flash Player.

That’s right, it doesn’t exist at all. Not in the browser. Not in the player. How, then, do we manage the Flash Player settings? Why, we go to macromedia.com, of course. Didn’t you know that? (Sarcasm intended).

Here’s the entry link, spelled out, just for fun, and below that is a small snapshot of the page you get when you go there:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html

What an odd place to locate the Flash Player Settings Manager. The oddest thing is, this page *is* the settings manager – there is no application, it is the page itself. Notice the fine print below the small image:

Am I wrong in thinking that, if your app needs a notice below it saying, “this is not an image, this is the actual Settings Manager,” there might be some room for improvement here?

The bottom line is that this is what Adobe has provided, obviously a relic from Macromedia days… so let’s dig in and look at some of the settings. Notice the row of icons across the top, there are actually 6 separate pages to this app, one for each tab. First is the "Global Privacy Settings” which controls your camera and microphone. You can set it to “always deny” or to “always ask” for permission to use your microphone and camera. Spooky…

Next up, we’ll go to the second tab, and here’s where it gets interesting:

In Global Storage settings, the default size for LSOs is 100Kb, but it will grow if needed. You can set it to a lower setting, or move it all the way to the left for 0kb… no storage (although an empty “cookie” is still created).

Notice that “Allow third party Flash content” is ON by default. I recommend turning this OFF!

You can explore the other tabs, but we’re going to jump over to the fourth tab, titled “Website Privacy Settings.” Pay dirt!

In here, we can see a list of all the sites that have installed Flash content on your computer. Some are relatively harmless (the kuler.adobe.com site stores my kuler settings) and others are obviously tracking cookie engines. Again, you can set “always ask,” “always allow,” or “always deny,” but given that I’ve never had a site like quantserve ask my permission to install LSOs on my machine, I chose to “Delete all sites.”

Notice that there isn’t any sign of an “OK” or “make it so” button, so we must assume that clicking these settings has an immediate effect on Flash Player.

Conclusions and Recommendations

Having Local Shared Objects accessible by Flash Player allows many rich internet features, and enables intelligent applications to provide a broad and engaging user experience. However, the potential for abuse is far too open in the current Flash Player incarnation. The fact that the settings application is on a seemingly deprecated Macromedia website, and not readily available within the application, is an oversight that must be remedied, and soon. The results of the UC Berkeley study demonstrate that this feature is already widely abused.

Adobe, please give us a settings panel accessible from the right click context menu in Flash Player. Also, please embrace the TNO (“trust no one”) philosophy, by having the default for third party content be “opt-out.” We have to make these types of things easy for the common users – I don’t want to have to explain these settings to my parents.

That’s all I have to say about that. I’d love to hear your comments!

It is a big step for a large public company to take, to admit that things are wrong. To apologize and to explain the steps being taken to correct a problem that has gotten out of control.

Such is the case with Adobe’s customer service. While customers have complained with increasing frequency in industry forums, and even Adobe’s own user communities and blogs, little has been done, or so it seemed.

Until now.

Lambert Walsh, Adobe’s Vice President of Technical Services, has issued an open letter to Adobe Customers (link opens as a pdf). In his letter, Mr. Walsh attempts reparations for the decline in the quality of customer service, explains some of the reasons for the slip-ups, and offers hope that the root cause of the problems is being addressed, while offering some additional contacts for help should any customer feel they are not being cared for as expected.

Additionally, John Nack, Adobe’s Principal Product Manager for Photoshop, has posted a blog entry on the subject, and that entry is seeing some lively conversation in the comments. John is to be commended for being very visible on the front lines and for taking quite a few shots from disgruntled customers via his blog comments.

Will Adobe get their service back on track? Only time will tell. Making a visible public statement and admitting the problem is certainly a positive first step. Follow through and eventual improvement will be a tougher, longer term challenge for the company.

In the meanwhile, Adobe’s executives can take a lesson from Mr. Nack – every Adobe person in sales, marketing, product development, and quality assurance should be required to spend a fixed time – say, 1-2 hours each week – supplementing the technical support telephone lines and talking with customers. Let them use the phone systems, the troubleshooting databases, and all the call management systems used by the customer services representatives we’ve loved to hate. I daresay the experience would be eye-opening!