Keeping your system secure is a never ending battle. The evil-doers on the net are getting ever more sophisticated, and coming up with new ways to fool, cajole, trick or force you into downloading, running or loading software on your system that will compromise your system – at best, rendering it unusable, or at worst, invading your privacy, or even draining your bank account. It’s a Wild West frontier out there in the interwebs!

With that, let’s take a look at some of the recent updates and developments ion security news:

Adobe has announced in a security advisory that their Acrobat and Reader products, all versions up to and including the latest 9.2, are susceptible to attacks. A maliciously crafted PDF file could crash the program, and cause arbitrary code to run on your system and gain control. There is no fix for this, and there are reports that this vulnerability is being actively exploited in the wild as I write this.

Adobe plans to release an update to Acrobat products on January 12, 2010. In the meanwhile, please be careful when opening PDFs – if you don’t know the source, or if it was downloaded from the web, it could contain malicious code.

Adobe has offered this workaround which employs what they call “Javascript Blacklist Framework,” with mitigation for WIndows, Mac and Linux users. For those who cannot or don’t wish to utilize the Javascript Blacklist Framework, this situation can still be mitigated by disabling Javascript as described in the advisory. Keep in mind that some Acrobat features (including forms) may not work properly with Javascript disabled.

Additionally, if you’re running Flash Media Server, be sure to check out the latest Adobe security advisory concerning that product. All users of FMS 3.5.2 and earlier should upgrade to version 3.5.3 as soon as possible.

In fact, you might want to get prepared for a lot more of this from Adobe. Tony Bradley, writing for PCWorld, cites an interview with McAfee security specialists in which they cite Adobe software as a prime vector for malware in 2010 – due to its ubiquity, and the fact that “not many people keep their Adobe software patched.” Please don’t fall into this category!

The fine folks at WordPress.org have released WordPress 2.9, which is mostly a performance upgrade and was intended to be the last release in the 2.x family. However, a few issues reared their ugly head, and the 2.9.1 release candidate is now available, with general release expected soon. As always, upgrading is recommended, as the bad guys tend to go after untended older versions of software such as this.

Worpress 3.0 is in the works, and we’ll likely see it some time in the first half of 2010.

Mozilla has delayed their planned release of Firefox 3.6, which was originally scheduled to roll out his month. The latest from Mozilla is that 3.6 will be released sometime in the first calendar quarter of 2010. Additionally, version 4.0, which was to come out later in 2010, may now actually slip into 2011. These delays could spell a bump in the road for Mozilla, who faces ever increasing competition from the likes of Apple’s Safari, Google’s Chrome, Opera, and even the latest version of IE shipping with WIndows 7. Mozilla will have to work hard in 2010 to maintain their technical leadership in the browser world.

Keeping your software up to date is really important these days. There is big money in organized crime, seeking to compromise computers and gain access to your personal information – especially banking information. These malicious entities seek to gain a foothold in your computer by exploiting known vulnerabilities in popular software. As a result, something as benign as visiting a web site, opening an image, or playing a music file can lead to a compromised system, if your software has un-patched vulnerabilities.

So, keep that software up to date!

We’ll start this week with a bit of good news on the OS front, for those Apple customers who have migrated to the latest version of their OS.

Apple Mac OS X 10.6.2 (Snow Leopard) Updates:

Apple has released a Snow Leopard update that fixes a number of problems customers have reported, including patching a large number of security flaws in the firewall, Apache services, Apple Type Services (font handling), graphics and media services; the list goes on and on. You can read about it here.

Perhaps more exciting for users of Adobe Photoshop: John Nack has reported that the Photoshop team has been working with Apple, and this updated fixes a number of issues with Photoshop:

Affecting multiple versions of Photoshop:

• 50654: When opening and saving, applications–including Adobe applications–may sporadically crash
• 51230: Images don’t open when dragged onto the Adobe program icon in the Dock

• 51220: Crash or program error occurs when using Menlo font in Photoshop and Premiere CS3 and CS4

CS4-specific:

• 51764: Only one image opens when many are dragged onto Photoshop’s icon
• 51278: Cursors don’t display correctly in Photoshop CS4
• 51339: Editing in Photoshop CS4 fails from 64-bit Lightroom in Mac OS X 10.6
• Cannot drag from Safari onto Photoshop icon (and other application icons) in Dock to open file

Whether you get this update for security or for the Photoshop fixes, get it!

Browser Updates:

Opera – version 10.1 was released at the end of October, and this update combined a series of user experience features with a few security updates that I would consider critical. From the Opera changelog page:

These are all flaws that could result in a malicious user or site compromising your system. The last one listed seems especially concerning, sinc edetails aren’t being released. If you’re using Opera, make sure to install this update as soon as possible.

Firefox – Although version 3.5.4 was only recently released, the team at Mozilla.com has pushed out a new verison 3.5.5. This update contains several stability fixes, and in looking at the bug reports, the issues address browser crashes – typically the first place that hackers look for opportunities to gain access into your system. Firefox has pushed out this change, so you should see it automatically; if not, please visit www.mozilla.com and get the update.

Note also that for users who are still using the 3.0 version of Firefox, this has also been updated from 3.0.14 to 3.0.15 as of the end of October.

Java Updates:

Java 6 Update 17 was released on 11/4/2009. This release contains fixes for 23 security vulnerabilities. If you have the Java virtual machine installed on your system, this update is highly recommended.

Adobe Software Updates:

Photoshop Elements for Windows, version 7 and version 8, have a potential privilege escalation problem. This means that a user could gain administrator privileges by exploiting this vulnerability. Adobe has not patched the software yet, but they have provided a workaround to mitigate the risk.

Shockwave Player 11.5.1.601 and earlier have critical vulnerabilities that could allow a malicious attacker to run arbitrary code on your system. Chances are you’re not using Shockwave anymore (it is generally superseded by Flash), but if you do have it, please upgrade to the latest version 11.5.2.602.

That’s all for this week! Keep your software up to date, and keep safe!

Firefox has just released an update to version 3.5.4, correcting quite a few security flaws and correcting a number of stability issues.

This update is recommended for all Firefox users of the 3.5.x family of browsers.

From www.mozilla.com, the list of fixes includes the following:

Firefox 3.5.4 fixes the following issues:

• Several security issues.
• Fixed several stability issues.
• Added the ability to re-submit crash reports
• After using Clear Recent History some SSL sites would not load all images and styles without pressing reload

You can find the complete list of changes here. You may also be interested in the Firefox 3.5.3 release notes for a list of changes in the previous version.

The list of security issues fixed makes this a mandatory upgrade, in my book:

• MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)
• MFSA 2009-63 Upgrade media libraries to fix memory safety bugs
• MFSA 2009-62 Download filename spoofing with RTL override
• MFSA 2009-61 Cross-origin data theft through document.getSelection()
• MFSA 2009-59 Heap buffer overflow in string to number conversion
• MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
• MFSA 2009-56 Heap buffer overflow in GIF color map parser
• MFSA 2009-55 Crash in proxy auto-configuration regexp parsing
• MFSA 2009-54 Crash with recursive web-worker calls
• MFSA 2009-53 Local downloaded file tampering
• MFSA 2009-52 Form history vulnerable to stealing

Firefox should attempt to upgrade itself automatically, but if not, just use Help > Check for Updates…

Keep up to date, and stay safe on the web!