Friday, December 18, 2009

Security Smorgasbord, vol 1 no 9

Another week, another Day Zero vulnerability from Adobe:

Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild. Adobe recommends customers follow the mitigation guidance below until a patch is available.

Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue.

This means that someone can create a PDF that takes over your computer when you view it. It's being actively exploited in the wild, which is why Adobe made the announcement even though there's no fix available. Yuk.

If you run Linux or Mac, you're in better shape. The PDF will cause the Reader application to crash, which is when the malicious code will run. You're unlikely to be running with elevated privilege with either Mac or Linux.

If you open a PDF (say, from an email) and your browser crashes, and then you get prompted to enter your password because a program needs to run, just say no. This is a 100% sure sign that the exploit code is trying to take over your computer. This is where (and when) you stop it.

If you run Vista or Windows 7, the same thing applies to you. Microsoft's security improvements really help you here.

Windows XP users, you're kind of screwed. There's pretty much no way you can protect yourself. About the best you can do is minimize your exposure by not opening any PDF files you get from anyone that you don't know. Or that came from someone you do know, but where the email looks fishy, like a "lol look at this" which could be from an email virus. When in doubt, email back to your friend and ask him if he actually sent it to you.

Adobe has promised a fix in January, so let's be careful out there.


You know, sometimes I think I can just automatically add a "oh yeah - make sure you go get your latest Adobe fixes" to each week's Smorgasbord post ...


Big set of fixes from Mozilla, for a bunch (7) of problems. This isn't just Firefox, but is Thunderbird and Seamonkey as well. When these apps say there are security updates available and ask if you want them, make sure to say yes.

And let me just say for the 400th time that Mozilla has an outstanding security update process. Mostly transparent and painless, which means people use it. Internet Explorer 8 needs to adopt this.


Did you know that the Mozilla team has a security blog?


SCOTUS to hear texting privacy case:
The U.S. Supreme Court has agreed to review a federal appeals court ruling involving the privacy of personal text messages sent and received by a member of the Ontario, Calif., police department on his official pager.

Last June, the U.S. Court of Appeals for the Ninth Circuit ruled that Ontario police Sgt. Jeff Quon had a reasonable expectation of privacy in personal text messages transmitted on his SWAT pager in the absence of an official policy regarding pager use.

Sun's Scott McNeally said it, ten years ago. You got no privacy. Get over it.

You should assume no privacy until proven otherwise. Of course, I would say that, having been trained to be paranoid by the Finest Minds in the Free World.

I would say, though, that the Police in particular should assume no privacy when using taxpayer funded equipment.


Online Banking pretty much unsecurable:
Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication and proving that any authentication method that relies on browser communications can be defeated. This includes chip cards and biometric technologies.
One of the classic sayings in computer security is that "SSL encryption [authentication in this case] is like using an armored car to deliver money from a park bench to a cardboard box under the overpass." There's big, big money in online financial fraud, which means that the Bad Guys are better funded than the Good Guys.

There's a very good report on this (short, not too techy, on-point) from Finjan.

Quite frankly, I simply don't see online banking as being securable, at least from a Windows computer (or a mobile phone).

Hat tip: SANS. You can sign up for their weekly email summaries.


TOTWTYTR said...

I don't know if this is related, but I restarted Thunderbird this morning to find that all of my email, data, accounts had been deleted. I've lost all my saved mail, unless I can restore it using Acronis.


Anonymous said...

I leave all my mail on the server so I can SMTP to it on any of my machines, I figure it is safer there than tucked up in a profile file I'm apt to lose one way or the other.

As for Acrobat, it should be taken out back and shot. Every layer of functionality drills a dozen new holes in whatever flimsy security it had previously. Is it just Acrobat proper which is vulnerable, or will this dick up Foxit, too?