Advertisement
  • About the Author
  • About this Blog

    • Posts Tagged: adobe reader

    Other / Time to Patch14 Comments
    20
    Jul 10

    Adobe: ‘Sandbox’ Will Stave Off Reader Attacks

    Adobe Systems Inc. said today the next release of its free PDF Reader application will include new “sandbox” technology aimed at blocking the exploitation of previously unidentified security holes in its software.

    Sandboxing is an established security mechanism that runs the targeted application in a confined environment that blocks specific actions by that app, such as installing or deleting files, or modifying system information. Adobe said that in developing the sandbox technology, it relied on experts from Microsoft and Google (the latter already has incorporated sandboxing into its Chrome Web browser).

    “The idea is to run Reader in a lower-privilege mode so that even if an attacker finds an exploit or vulnerability in Reader, it runs in lower rights mode, which should block the installation of [malware], deleting things on the system, or tampering with the [Windows] registry,” said Brad Arkin, director of product security and privacy at Adobe.

    Even if only somewhat effective, the new protections would be a major advancement for one of the computing world’s most ubiquitous and oft-targeted software applications. The company is constantly shipping updates to block new attacks: Less than a month ago, Adobe rushed out a patch to plug vulnerabilities that hackers were using to break into vulnerable machines. Security vendor McAfee found that roughly 28 percent of all known software exploits in the first quarter of 2010 targeted Adobe Reader vulnerabilities. According to anti-virus maker F-Secure, Reader is now the most-exploited application for Windows.

    Continue reading →

    Time to Patch28 Comments
    29
    Jun 10

    Security Updates for Adobe Acrobat, Reader

    Adobe Systems Inc. is urging users to update installations of Adobe Reader and Acrobat to fix a critical flaw that attackers have been exploiting to break into vulnerable systems.

    The update brings Adobe Acrobat and Reader to version 9.3.3 (another update for the older 8.2 line of both products brings the latest version to v. 8.2.3). Patches are available for Windows, Mac, Linux and Solaris versions of these programs. Adobe’s advisory for this update is here, and the Reader update is available from this link — or by opening the program and clicking “Help” and “Check for Updates.” If you download the update from the Adobe Reader homepage, you’ll end up with a bunch of other stuff you probably don’t want (see below, after the jump for more on this).

    If you use Adobe Reader or Acrobat, please take a moment to update this software. Users may also want to consider switching to other free PDF readers that are perhaps less of a target for malicious hackers, such as Foxit Reader, Nitro PDF Reader, and Sumatra.

    Continue reading →

    Time to Patch33 Comments
    10
    Jun 10

    Adobe Flash Update Plugs 32 Security Holes

    As promised, Adobe has released a new version of its Flash Player software to fix a critical security flaw that hackers have been exploiting to break into vulnerable systems. The update also corrects at least 31 other security vulnerabilities in the widely used media player software.

    The latest version, v. 10.1, fixes a number of critical flaws in Adobe Flash Player version 10.0.45.2 and earlier. Don’t know what version of Flash you’ve got installed? Visit this page to find out. The new Flash version is available for Windows, Mac and Linux operating systems, and can be downloaded from this link.

    Note that if you use both Internet Explorer and non-IE browsers, you’re going to need to apply this update twice, once by visiting the Flash Player installation page with IE and then again with Firefox, Opera, or whatever other browser you use.

    Please take a moment to check if you have Flash installed and — if so — to update it: A working copy of the code used to exploit this vulnerability has been included in Metasploit, an open source penetration testing framework. Also note that Adobe likes to bundle all kinds of third party software — from security scanners to various browser toolbars — with its software, so if you don’t want these extras you will need to uncheck the box next to the added software before you click the download button.

    The vulnerability that prompted Adobe to issue this interim update (the company had been slated to issue these and other security updates on July 13) also is present in Adobe Reader and Acrobat, although Adobe says it does not plan to fix the flaw in either of these products until June 29.

    Now would be a great time for longtime users of Adobe’s free Reader software to consider removing Reader and switching to an alternative free reader, such as Foxit or Sumatra.

    Note that Flash generally comes with Adobe Download manager, a package that in prior versions has been found to harbor its own security vulnerabilities. The download manager is designed to uninstall itself from machines after a reboot, so to be on the safe side, you may want to reboot your system after updating Flash.

    http://www.adobe.com/support/security/bulletins/apsb10-08.html
    A Little Sunshine / Latest Warnings / Time to Patch / Web Fraud 2.014 Comments
    15
    Apr 10

    Java Patch Targets Latest Attacks

    Oracle Corp. has shipped a new version of its Java software that nixes a feature in Java that hackers have been using to foist malicious software.

    Java 6 Update 20 was released sometime in the last 24 hours, and includes some security fixes, although Oracle’s documentation on that front is somewhat opaque. Most significantly, the update removes a feature that hackers have started using to install malware.

    On Wednesday, a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to plant malicious software.

    If you need Java for some specific reason, then by all means install this update. However, I have found that most users can happily do without this powerful and feature-rich program, which is fast becoming a popular vehicle for launching a range of attacks. More on that in a future post. Stay tuned.

    Continue reading →

    Time to Patch20 Comments
    13
    Apr 10

    Adobe, Microsoft Push Security Upgrades

    Software giants Adobe and Microsoft today each released software updates to fix critical security flaws in their products. In addition, Adobe is rolling out a new auto-updater tool that should make it easier for hundreds of millions of Adobe Reader users to more safely run one of the most frequently attacked software applications.

    Continue reading →

    Time to Patch17 Comments
    6
    Apr 10

    Security Updates for Foxit, QuickTime/iTunes

    Foxit Software has issued an update to make it easier for users to spot PDF files that may contain malicious content. Also, Apple has pushed out new versions of QuickTime and iTunes that correct nearly two dozen security problems in those programs.

    Last month, researcher Didier Stevens said he’d discovered that he could embed an executable file — such as a malicious program — inside of a PDF file. Worse, Stevens found that PDF readers from Adobe Systems and Foxit contained a feature that would run those embedded files upon request, in some cases without even warning the user.

    Stevens found that when he triggered the feature in Adobe Reader the program throws up a warning that launching code could harm the computer (although he also discovered he could change the content of that warning in Adobe Reader).

    Foxit, however, displayed no warning at all and executed the action without user approval. According to Stevens, the Foxit fix shipped last week changes the reader so that it now warns users if a PDF document tries to launch an embedded program.

    Continue reading →

    A Little Sunshine / Time to Patch25 Comments
    8
    Mar 10

    Fiserv to Banks: Stay on Outdated Adobe Reader

    One of the nation’s largest providers of money-transfer and online banking services to credit unions and other financial institutions is urging customers not to apply the latest security updates for Adobe Reader, the very application most targeted by criminal hackers and malicious software.

    At issue is a non-public advisory issued by Fiserv, a Fortune 500 company that provides bank transaction processing services and software to more than 16,000 clients worldwide.

    A reader who works in security for a mid-sized credit union shared with me a notice posted prominently to the “collaborative care” portion of Fiserv’s site, a section dedicated to security and IT managers at partner financial institutions.

    In the notice, dated Feb. 16, 2010, Fiserv instructed its customers to avoid the latest Adobe Reader updates, apparently in favor of one that was released two years ago:

    “NOTICE: Please do not upgrade Adobe Acrobat Reader past Version 8.1.”

    Continue reading →

    Time to Patch24 Comments
    17
    Feb 10

    Security Updates for Adobe Reader, Acrobat

    Adobe is urging users of its PDF Reader and Acrobat software to install an update that fixes a couple of critical security holes in the products. The patches come amid news that booby-trapped PDF files were responsible for roughly 80 percent of the exploits detected in the 4th quarter of 2009.

    The latest update brings Adobe Reader to version 9.3.1, and fixes a pair of vulnerabilities that Adobe has labeled “critical,” which means the flaws could be used to install malicious software on vulnerable systems. Updates are available for Windows, Mac and Linux versions.

    Continue reading →