Critical security update for Adobe Reader and Acrobat
February 19, 2010 by admin
Filed under Security News
Adobe has issued a security bulletin urging users of its Adobe PDF Reader and Acrobat products to update their software before hackers take advantage of two critical vulnerabilities.
Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh are vulnerable to a flaw that could be exploited by hackers to make unauthorised cross-domain requests. This same vulnerability was revealed in Adobe Flash Player last week.
Meanwhile, another flaw could give hackers an opportunity to inject malicious code onto computers via vulnerable installations of Reader and Acrobat.
As we’ve mentioned many times before, it’s essential that you keep your installations of Adobe’s software up-to-date as they are increasingly being taken advantage of by hackers to launch attacks.
Adobe recommends that users of Adobe Reader 9.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.1 if possible. Similarly, Adobe Acrobat should be updated to version 9.3.1. It’s a shame, therefore, that Adobe’s Reader advisory does such a bad job of linking to the right files.
For instance, the link it is giving for the Mac update actually links to a page full of Windows files:

Hopefully Adobe will sort that out soon, and make it clearer where users can download the right patches for their operating system from. I, for one, am still finding it difficult to locate Adobe Reader 9.3.1.
By Graham Cluley, Sophos
Apply the Critical Security Updates for Internet Explorer Vulnerabilities (MS10-002 – Critical)
January 29, 2010 by admin
Filed under Protection Tools
This cumulative security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. This security update is rated Critical for all supported releases of Internet Explorer.
Executive Summary
This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8 (except Internet Explorer 6 for supported editions of Windows Server 2003). For Internet Explorer 6 for supported editions of Windows Server 2003 as listed, this update is rated Moderate.
The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes.
This security update also addresses the vulnerability first described in Microsoft Security Advisory 979352.
Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.
For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.
Critical flaws fixed in Firefox 3.5.4
October 28, 2009 by admin
Filed under Security News

If you’re a user of the Firefox web browser then it’s time to update your software again, as Mozilla has issued an important update that fixes a number of critical flaws.
In total, 16 vulnerabilities are patched in Firefox 3.5.4 – with 11 given the highest rating of “critical”. What does that mean? Well, according to Mozilla’s own website a “critical” vulnerability is one which “can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.”
In other words, critical vulnerabilities can be used to invisibly install and run malicious code on your computer – such as a Trojan horse or worm.
As we revealed in the Sophos Threat Report [PDF] published earlier this year, SophosLabs sees in excess of 23,000 new malicious webpages every day – infected with the intention of compromising your computer. So it’s really important that alongside running up-to-date with anti-virus software, you ensure your web browser – whether it be Firefox, Internet Explorer, Safari, Opera, or something else – is protected with the latest patches.
The update is now available from the Mozilla website, but hopefully most existing users will be pestered into updating by Firefox’s auto-update facility.

Firefox’s security is becoming ever more important as it creeps up on Microsoft Internet Explorer’s pole position as number one browser for the web. It is estimated that there are now over 330 million users of Firefox - more than the population of the United States!
by Graham Cluley, Sophos
Google Chrome updated to patch security vulnerabilities
August 27, 2009 by admin
Filed under Security News
Google’s Chrome web browser may be some way off dominating the competitive browser market, but it still has its ardent fans.
Those users should be aware that Google has released a new version of its Chrome web browser which fixes a number of security vulnerabilities.
Version 2.0.172.43 of Chrome fixes a high severity flaw in the V8 JavaScript engine which would allow maliciously-crafted JavaScript on a webpage to read memory it should not have access to, bypassing security checks. It is possible that this could lead to unauthorised data being disclosed to an attacker or allow a malicious hacker to run code on your computer. Google has said it will make more details of the issue available once the majority of users are patched.
In addition, another fix, also labelled “high severity”, addresses a problem whereby webpages using XML can cause a Google Chrome tab process to crash. Google says that this update prevents hackers from being able to exploit this vulnerability to run arbitrary code inside the Chrome sandbox.
Finally, the new version of Google Chrome will no longer connect to HTTPS (SSL) sites whose certificates are signed using the MD2 or MD4 hashing algorithms. These algorithms are considered weak: an attacker who can find collisions in the hash may be able to forge a certificate and pass off a fraudulent site as a valid HTTPS site.
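The check Chrome is now performing boils down to inspecting the signature algorithm recorded in the certificate and refusing the connection if the digest is one of the broken ones. The code below is an added illustration of that policy, not Chrome’s own code: it parses just enough DER to pull the AlgorithmIdentifier out of an X.509 certificate, confirms that the outer signatureAlgorithm matches the one inside tbsCertificate (RFC 5280 requires they agree), and rejects MD2 and MD4. MD5 is included in the blocklist as an assumption going beyond what the post says about this release. The fixture builder at the bottom constructs minimal, structurally valid certificates purely for testing; they carry no real key or signature.

```python
"""Reject X.509 certificates signed with weak digest algorithms (illustrative, not Chrome's code)."""

# OIDs of RSA signature schemes built on broken digests. MD2 and MD4 are the ones
# the post describes; MD5 is added here as an assumption.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}


def _read_tlv(data, pos):
    """Parse one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _decode_oid(raw):
    """Decode OID content octets into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def _alg_oid(alg_identifier):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid_raw = next(_children(alg_identifier))
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_raw)


def certificate_signature_oids(der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    tag, cert, _ = _read_tlv(der, 0)
    parts = list(_children(cert))
    if tag != 0x30 or len(parts) != 3:
        raise ValueError("not a Certificate SEQUENCE of three elements")
    (_, tbs), (_, sig_alg), (_, _sig_value) = parts
    # tbsCertificate: [0] version OPTIONAL, serialNumber, signature, issuer, ...
    tbs_parts = list(_children(tbs))
    idx = 1 if tbs_parts[0][0] == 0xA0 else 0   # skip explicit [0] version if present
    return _alg_oid(tbs_parts[idx + 1][1]), _alg_oid(sig_alg)


def check_certificate_signature(der):
    """Return (accepted, reason) for a DER-encoded certificate."""
    inner, outer = certificate_signature_oids(der)
    if inner != outer:
        return False, f"signature algorithm mismatch: tbs={inner} outer={outer}"
    if outer in WEAK_SIGNATURE_OIDS:
        return False, f"weak signature algorithm {WEAK_SIGNATURE_OIDS[outer]} ({outer})"
    return True, f"signature algorithm {outer} accepted"


# --- constructed test fixtures (not real certificates) -------------------------

def _der(tag, content):
    """Encode one DER TLV."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    """Encode a dotted-decimal OID into DER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return out


def build_minimal_cert(sig_oid, tbs_oid=None):
    """Constructed fixture: a Certificate skeleton with empty names and a dummy signature."""
    alg = lambda o: _der(0x30, _der(0x06, _encode_oid(o)) + _der(0x05, b""))  # NULL params
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))   # version v3
               + _der(0x02, b"\x01")             # serialNumber
               + alg(tbs_oid or sig_oid)         # signature
               + _der(0x30, b"") * 4)            # issuer, validity, subject, SPKI (empty)
    return _der(0x30, tbs + alg(sig_oid) + _der(0x03, b"\x00" + b"\x00" * 4))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.2", "1.2.840.113549.1.1.11"):
        print(oid, check_certificate_signature(build_minimal_cert(oid)))
```

A real client would additionally walk the whole chain: a weak digest anywhere on the path from leaf to trust anchor gives the attacker the same collision opportunity, and the self-signature on the root itself is the one place where a weak algorithm is harmless, since the root is trusted by configuration rather than by its signature.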
More details of the latest update to Google Chrome are available on the Chrome Release blog. The update is being rolled out automatically to Chrome users.
Although nothing like as widely used as Internet Explorer or Firefox (the latest monthly stats about visitors to the Clu-blog tell me that 4.45% of you are using Chrome, as opposed to 44.3% on Internet Explorer and 37.36% on Firefox. Safari lies in third place at 10.29%), it’s perfectly possible that users inside your organisation have unilaterally chosen to use Chrome as their default browser if you haven’t implemented a policy to control which program your staff use to surf the net.
Filed under Data leakage, Malware, WWW.
by Graham Cluley, Sophos