Keeping your system secure is a never ending battle. The evil-doers on the net are getting ever more sophisticated, and coming up with new ways to fool, cajole, trick or force you into downloading, running or loading software on your system that will compromise your system – at best, rendering it unusable, or at worst, invading your privacy, or even draining your bank account. It’s a Wild West frontier out there in the interwebs!

With that, let’s take a look at some of the recent updates and developments ion security news:

Adobe has announced in a security advisory that their Acrobat and Reader products, all versions up to and including the latest 9.2, are susceptible to attacks. A maliciously crafted PDF file could crash the program, and cause arbitrary code to run on your system and gain control. There is no fix for this, and there are reports that this vulnerability is being actively exploited in the wild as I write this.

Adobe plans to release an update to Acrobat products on January 12, 2010. In the meanwhile, please be careful when opening PDFs – if you don’t know the source, or if it was downloaded from the web, it could contain malicious code.

Adobe has offered this workaround which employs what they call “Javascript Blacklist Framework,” with mitigation for WIndows, Mac and Linux users. For those who cannot or don’t wish to utilize the Javascript Blacklist Framework, this situation can still be mitigated by disabling Javascript as described in the advisory. Keep in mind that some Acrobat features (including forms) may not work properly with Javascript disabled.

Additionally, if you’re running Flash Media Server, be sure to check out the latest Adobe security advisory concerning that product. All users of FMS 3.5.2 and earlier should upgrade to version 3.5.3 as soon as possible.

In fact, you might want to get prepared for a lot more of this from Adobe. Tony Bradley, writing for PCWorld, cites an interview with McAfee security specialists in which they cite Adobe software as a prime vector for malware in 2010 – due to its ubiquity, and the fact that “not many people keep their Adobe software patched.” Please don’t fall into this category!

The fine folks at WordPress.org have released WordPress 2.9, which is mostly a performance upgrade and was intended to be the last release in the 2.x family. However, a few issues reared their ugly head, and the 2.9.1 release candidate is now available, with general release expected soon. As always, upgrading is recommended, as the bad guys tend to go after untended older versions of software such as this.

Worpress 3.0 is in the works, and we’ll likely see it some time in the first half of 2010.

Mozilla has delayed their planned release of Firefox 3.6, which was originally scheduled to roll out his month. The latest from Mozilla is that 3.6 will be released sometime in the first calendar quarter of 2010. Additionally, version 4.0, which was to come out later in 2010, may now actually slip into 2011. These delays could spell a bump in the road for Mozilla, who faces ever increasing competition from the likes of Apple’s Safari, Google’s Chrome, Opera, and even the latest version of IE shipping with WIndows 7. Mozilla will have to work hard in 2010 to maintain their technical leadership in the browser world.

The moral of the story here is that you just can’t rest – as a computer owner with connections to the internet, you must keep active with your software updates – there are a seemingly endless stream of exploits being developed, and they almost always go after users with down-revision software. So, let’s see what’s been updated in the past week or so, and please do take a few minutes to check and ensure you are current with the latest versions.

We’ll start with WordPress – this popular blogging platform is now up to version 2.8.6, correcting two security flaws that allow registered blog users to gain unauthorized access to your server. If you have open blog registrations enabled on your blog (i.e., for commenting), this update is highly recommended. WordPress is due for its 2.9 version update, but the 2.8 version continues to evolve. If you’re hosting your blog on WordPress, upgrade today!

On the Browser front, we’ve seen two updates in the past week:

Google’s Chrome browser was updated November 12 to version 3.0.195.33, fixing two bugs, one of which was a security issue. The update should come automatically, but it is worth checking to ensure you have it.

Apple’s Safari browser received a rather large security update on November 11, to version 4.0.4. This update is highly recommended for all users, as it fixes browser stability issues as well as quite a few security flaws. From Apple’s site:

• Colorsync: Viewing a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution (Windows)
• Libxml: Parsing maliciously crafted XML content may lead to an unexpected application termination (Windows and Mac)
• Safari: Using shortcut menu options within a maliciously crafted website may lead to the disclosure of local information (Windows and Mac)
• Webkit: Visiting a maliciously crafted website may result in unexpected actions on other websites (Windows and Mac)
• Webkit: Accessing a maliciously crafted FTP server could result in an unexpected application termination, information disclosure, or arbitrary code execution (Windows and Mac)
• Webkit: Mail may load remote audio and video content when remote image loading is disabled (Mac)

Finally, we have Microsoft’s Windows November Update:

• MS09-063 – Critical – Vulnerability in Web Services on Devices API Could Allow Remote Code Execution (Windows Vista and Windows Server 2008)
• MS09-064 – Critical – Vulnerability in License Logging Server Could Allow Remote Code Execution (Windows 2000 only)
• MS09-065 – Critical – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (Windows 2000, XP, and Vista, Windows Server 2003 and 2008)
• MS09-066 – Important – Vulnerability in Active Directory Could Allow Denial of Service (Windows XP, Windows Server 2000, 2003 and 2008)
• MS09-067 – Important – Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (Microsoft Office Excel 2002, 2003 and 2007 for Windows, Microsoft Office 2004 and 2008 for Mac, as well as all supported versions of Office Excel Viewer and Office Compatibility Pack)
• MS09-068 – Important – Vulnerability in Microsoft Office Word Could Allow Remote Code Execution (Microsoft Office Word 2002 and 2003 for Windows, Microsoft Office 2004 and 2008 for Mac, and all supported versions of Word Viewer)
• The Microsoft Malicious Software Removal Tool and Outlook Junk Email Filters have also received their monthly update as part of this package.

That certainly seems to be enough for one week! Keep that software up to date, and keep your system safe. It’s a wild uncivilized web out there.

Classified as a “hardening release,” this series of updates is focused on improving several areas of security concern, and is therefore recommended for anyone running WordPress on their site.

According to the WordPress Blog, the biggest changes in this release are:

• A fix for the Trackback Denial-of-Service attack that is currently being seen.
• Removal of areas within the code where php code in variables was evaluated.
• Switched the file upload functionality to be whitelisted for all users including Admins.
• Retiring of the two importers of Tag data from old plugins.

If you are running WordPress and haven’t upgraded, please take the time and do so as soon as you can!

WordPress 2.9 is just around the corner, and beta testing is due to begin almost any day now. The final release of 2.9 is due out later this year, so keep an eye out here for news and availability.

Well, here we go again! Another “Windows Patch Tuesday” has come and gone (Microsoft sends its Windows updates on the 2nd Tuesday of the month, if you haven’t noticed), and in this month’s batch we have a few interesting ones!

Microsoft has continued to plug holes in its Active Template Library (the coding widgets used by many software developers on the Windows platform), and this month’s updates included 5 separate ATL patches for my Windows XP SP3 machine. Additionally, there were two vulnerabilities fixed in remote service protocols, one in Windows Media handling, and an update for MS Office. Finally, there is an update to the Outlook Junk E-mail filter as well.

Make sure to patch your systems and keep them up to date! Remember, you are never bullet proof, but you can stay a step ahead of the rest by updating frequently!

If you’re interested, here is the list of patches that came through on my system this morning:

• MS09-043: Description of the security update for Office 2003 Web Components and Office XP Web Components in Office 2003: August 11, 2009
• Microsoft Security Bulletin MS09-044 – Critical – Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927)
• Microsoft Security Bulletin MS09-042 – Important – Vulnerability in Telnet Could Allow Remote Code Execution (960859)
• Microsoft Security Bulletin MS09-038 – Critical – Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557)
• Microsoft Security Bulletin MS09-041 – Important – Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657)
• Microsoft Security Bulletin MS09-037 – Critical – Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908) (5 separate patches in Windows XP SP3)
• Outlook 2007 Junk E-mail Filter update: August 11, 2009
• Extended Protection for authentication
• Windows Malicious Software Removal Tool – August 2009

Late breaking update! As this went to press, I learned that WordPress has also issued a security update this morning, bringing their current version to 2.8.4. Update soon, this one’s a critical risk.