Wednesday, January 13, 2010

Adobe Reader v8.x and v9.x patched

Late Tuesday, 12 Jan 2010, Adobe released updated versions of Adobe Reader 8 and 9 to correct an exploitable flaw. If you're still using Adobe Reader instead of the less-hacked Foxit Reader, you should update. Here's a link to a YouTube video of what can happen to you if you run Adobe Reader and DON'T apply these patches:
Screen Capture: Targeted Attack PDF Exploit Taking Over A Computer


US-CERT Current Activity
Adobe Releases Update for Adobe Reader and Acrobat
added January 12, 2010 at 07:01 pm

Adobe has released an update for Reader and Acrobat to address multiple vulnerabilities. These vulnerabilities affect Adobe Reader 9.2 and earlier versions for Windows, Macintosh, and UNIX and Adobe Acrobat 9.2 and earlier versions for Windows and Macintosh. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Adobe Security Bulletin APSB10-02 and apply any necessary updates to help mitigate the risks.


Other reports here:

Adobe update trumps Microsoft's lone fix in patch frenzy - SC Magazine US
Microsoft's monthly security update took a backseat on Tuesday to a scheduled critical fix from Adobe that addresses a zero-day vulnerability in its widely deployed Reader and Acrobat software.

Adobe was to address the flaw, which is being exploited in in-the-wild attacks, among others as part of its quarterly security update.


Adobe has other problems, too:

Adobe confirms 'sophisticated, coordinated' breach | Zero Day | ZDNet.com
In an attack described as “sophisticated” and “coordinated,” Adobe said its corporate network systems were breached by hackers.

Tuesday, January 12, 2010

Today is Microsoft Patch Tuesday -- time to update

Despite Microsoft rating this "Critical" only on Windows 2000, all my systems (XP Home and Pro and Windows 7 Pro) installed this patch. I recommend you do so also.

MS Patch Tuesday: Another critical font engine vulnerability | Zero Day | ZDNet.com
The first Microsoft patch for 2010 is out, providing cover for a solitary vulnerability in the way Windows handles EOT (Embedded OpenType) fonts.

The update is rated “critical” but Microsoft says there is a low likelihood of exploitation on its newer operating systems.

The vulnerability, which was discovered by Google security engineer Tavis Ormandy, is a remote code execution issue in the way that the Microsoft Windows Embedded OpenType (EOT) Font Engine decompresses specially crafted EOT fonts.

From the MS10-001 advisory:
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Because Microsoft considers this a very difficult vulnerability to exploit on most operating systems, it is rated “critical” only for Windows 2000.

However, it’s important to note that Windows XP, Windows Vista and Windows 7 are all affected by this flaw.

US-CERT Current Activity
Microsoft Releases January Security Bulletin
added January 12, 2010 at 02:07 pm

Microsoft has released an update to address a vulnerability in Microsoft Windows in its Microsoft Security Bulletin Summary for January 2010. This vulnerability may allow an attacker to execute arbitrary code. An attacker may be able to exploit this vulnerability by convincing a user to view content rendered in a specially crafted Embedded OpenType (EOT) font in an application that can render EOT fonts. Common applications that can render EOT fonts include Microsoft Internet Explorer, Microsoft Office Word, and Microsoft Office PowerPoint.

US-CERT encourages users and administrators to review the bulletin and apply any necessary updates to help mitigate the risks.
Microsoft Security Bulletin: January 2010
Overview of the January 2010 Microsoft patch and status.
Microsoft Advises XP Users to Uninstall Flash Player 6
As part of today's bulletin release, Microsoft advises users of Windows XP to uninstall Flash Player 6, which is installed with Windows XP. Affected users should upgrade to the latest version of Flash Player, which is available for download from Adobe.

Some thoughts on password security for laptop (and smartphone) owners

Just read a good article at Lifehacker on the risks of allowing your computer to save your passwords:

Your Passwords Aren't As Secure As You Think; Here's How to Fix That - Passwords - Lifehacker
If you allow applications to save your passwords, anyone with physical access to your PC can decode them unless you're properly encrypting them—and chances are pretty good you're not. Let's walk through the right and wrong ways to store your passwords.

For the purpose of this article, we'll assume that the people you allow into your house are trustworthy enough not to hack your passwords, and your laptop has been stolen instead—but the tips here should apply to either scenario. Regardless of how you choose to save your passwords, you should make sure to use great passwords and even stronger answers for security questions.


The article discusses in some user-friendly detail the risks of allowing Firefox, Internet Explorer, instant-messaging programs, and other software to save passwords for you.

I use the free LastPass Password Manager to store my online passwords for everything except my bank (I don't do online banking yet -- the risks are IMHO too great) and credit-card accounts (where my risk is at most $50/card), and I have a very long, complex password for LastPass.

I also use an encrypted password manager in my PDA -- Yaps V2.5 for Palm OS -- and I recommend that anyone storing passwords in a phone or PDA use an encrypted password store. There are some real snake oil password-encryption products out there, so please do some research before you purchase anything.

Monday, January 11, 2010

Malicious apps found in Google's Android online store

If you have an Android phone, you should be careful about the apps you load, especially if you use the phone to access anything which requires security. I've seen this story reported multiple times on security sites today.

Malicious apps found in Google's Android online store - SC Magazine US
Rogue applications developed to steal banking credentials from users were discovered late last month in Google's Android Market online software store.

The malicious programs were disguised as legitimate mobile banking apps and were designed to steal users' online banking credentials, according to Oregon-based First Tech Credit Union, which posted a fraud alert about the threat on Dec. 22.

Thursday, January 7, 2010

Reminder: Disable Javascript in your PDF Reader

Especially if you're using Adobe Reader.

Large-scale attacks exploit unpatched Adobe PDF bug | Security Central - InfoWorld
A week before Adobe is scheduled to patch a critical vulnerability in its popular PDF software, hackers are actively exploiting the bug with both targeted and large-scale attacks, a security researcher said today.

The SANS Institute's Internet Storm Center (ISC) reported Monday that they'd received samples of a new rigged PDF document that hijacked PCs using a bug Adobe acknowledged Dec. 14. Later last month, Adobe said it would not patch the bug until Jan. 12. In his write-up of the sample, ISC analyst Bojan Zdrnja called the attack PDF "sophisticated" and its use of egg-hunt shellcode "sneaky."

Wednesday, January 6, 2010

Security reality check: user error

This could just as easily be any Windows or Linux user as well. I've summarized the original article by highlighting the "user errors" ... I leave it as an exercise for the student to go read the full article to get the solutions.

[Mac] Security reality check: user error
By Rich Mogull, Macworld
January 05, 2010 04:02 PM ET

Some security problems are due to user error (or user laziness). It's not that hard to practice good system security on your Mac [ASF note: for Windows and Linux users: everywhere you see "your Mac" just read it as "your computer" -- it applies regardless of your OS-of-choice]. But a surprising number of people--including some who should know better--don't. Here are some basic tips on practicing safe computing.

Poor passwords

The Threat A few months ago a close friend called me. A criminal was posing as him, passing bad checks, transferring funds out of bank accounts, and changing passwords. Fortunately, the nefarious activity was discovered early, and my friend worked with his banks and other providers to stop the attack and recover the lost funds. Piecing together what happened, I discovered the root problem: my friend had been using the same single password for most of his banks, e-mail, and other online services.

...

What You Can Do Use a password management tool like ... [ASF note: article recommends a Mac-only solution. I use LastPass online with a LONG passphrase (and I don't use it for my banking or credit-card passwords) and YAPS, Yet Another Password Safe on my Palm phone, but I recommend using whatever fits YOUR personal phone/PDA-and-computer needs. Ask me if you need recommendations.]

Sharing too much

The Threat Out of the box, new Macs expose few network services, and file sharing is disabled. But many power users quickly expose these services and turn on sharing, opening themselves up to potential exposure over the network. [ASF note: also true of Windows "Power Users". Know what you're doing before you enable services to Internet-exposed computers. Read the article for more.]

Unencrypted personal data

The Threat If bad guys gain access to your Mac itself--whether over your Internet connection or by physically possessing your Mac--they can possess all your crucial personal information--credit card, Social Security or Tax ID numbers, account passwords and so on.

Financial management software, plain-text password cheat-sheets, and e-mail messages are all ripe sources of confidential information. They're the first things any attacker will seek out when he gains access to your Mac. If he finds what he wants, the effects can be costly and long-lasting. This is a case where the risk is low, but the potential cost is so high that precautions are worthwhile.

What You Can Do [ASF note: article is very Mac-specific. Windows users should (a) use a password manager to encrypt things like SSNs and (b) use disk encryption like TrueCrypt, which works for Mac, Windows, and Linux computers. Do NOT store passwords in plain-text files, spreadsheets, or email folders. My laptop's datafiles are all encrypted using TrueCrypt.]

No backups

The Threat There are plenty of ways bad guys can destroy your data; it's not that hard to accidentally do it yourself. While losing applications or rebuilding a system is painful, losing something irreplaceable like all your family photos is the digital equivalent of your house burning down. So the most important thing you can do to keep your data safe is to back it up regularly.

... [ASF note: my primary laptop hard-drive failed a few months ago. I was backed up to both local copies and a remote backup, so I lost nothing except the time it took to re-install my software and recover my data.]

Risky downloads

The Threat While there is virtually no malicious software for Macs circulating in the wild, what little Mac malware we do see is almost always hidden in illegitimate software. [ASF note: also true for Windows users.]

Right now, the most common source of Mac trojans is pirated software downloaded from the Net. ...

The next most common sources of infection are sites that ask you to download new QuickTime plugins or special applications to look at pictures or videos of people in various states of undress.

Lastly, we do sometimes see trojans planted in free software, especially gambling software and simple games. These, like the other trojans, tend to appear on less-popular sites or online forums.

What You Can Do Use your common sense. Don't try to find free copies of commercial programs. Don't download random QuickTime plugins or video viewers unless you know, with absolute certainty, that the source is legitimate. When downloading software, avoid forums or sources that are off the beaten track. If there's any doubt about a program, do a quick online search for it and see if it also appears on more mainstream download sites.

...

Antisocial networking

The Threat If the Internet is the Wild West of the digital world, social networking sites are the seedy saloons.

Criminals love social networking sites; they're cross-platform, based on trust, and often full of security flaws. We've seen social networking worms propagating through friends' lists, attackers stealing contact e-mails for spam, fake advertisements, and direct browser attacks to take over systems. And once you start installing widgets and applications on a social site, you are essentially allowing arbitrary programs to run inside your browser with full access to your information.

What You Can Do When posting information on a social networking site, don't put anything up there that you wouldn't want the whole world to see. Also carefully consider the applications you allow the site to install--especially on Facebook, where you can't always control the information an application accesses. ... [ASF note: more advice in the article.]

Peer-to-peer sharing

The Threat Peer to peer (P2P) file-sharing can be a great way to distribute or download large files. But researchers have found reams of sensitive information on P2P networks. For example, there have been cases of public employees placing sensitive legal and government documents on home computers that were also running P2P software; those files turned up on the P2P networks. In my own research, I've seen everything from tax returns to scans of passports.

It isn't that P2P file-sharing itself is evil (despite what the recording and motion picture industries might claim). It's just that it's all too easy to inadvertently share things you shouldn't.

What You Can Do If you use P2P services, ... [ASF note: DON'T use P2P, especially on business computers, including computers you connect from home to the company network. If you use P2P on your home computer, do it in a "Virtual Machine" that only exposes your music or other shared files but doesn't have access to your taxes, checkbook, documents, or email. Call me if you need help with this.]

Monday, January 4, 2010

PDF exploits now in the wild! Disable Javascript in Adobe Reader

Just read a technical explanation of how it works, and it isn't being detected by most anti-virus programs yet. If you use Adobe Reader instead of my preferred reader, Foxit Reader, follow the advice in the paragraph below:

Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324
Since this exploit has not been patched yet, I would like to urge you all to, at least, disable JavaScript in your Adobe Reader applications. We are getting more reports about PDF documents exploiting this vulnerability, and it certainly appears that the attackers are willing to customize them to get as many victims to open them as possible. Also keep in mind that such malicious PDF documents can go to a great length when used in targeted attacks – the fake PDF that gets opened can easily fool any user into thinking it was just a mistakenly sent document.

I would also disable Javascript in Foxit Reader just for safety.
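For the "disable JavaScript in Adobe Reader" advice in this post and in the January 7 reminder above, here is a way to check (and optionally enforce) that setting on Windows from PowerShell. This is an added example, not code from the original post or from the SANS diary; it assumes Reader 8.x and 9.x keep the per-user setting as the DWORD value bEnableJS under HKCU\Software\Adobe\Acrobat Reader\<version>\JSPrefs (0 = JavaScript off), so confirm that key on your own install before relying on it.

```powershell
# Added example (not from the original post): audit, and with -Disable enforce,
# Adobe Reader's per-user JavaScript setting for the 8.x/9.x branches.
# Assumption: Reader stores it as HKCU\...\<version>\JSPrefs\bEnableJS (0 = off, 1 = on).
# Reader only creates the JSPrefs key after it has been run at least once.
param([switch]$Disable)

$versions = '8.0', '9.0'
foreach ($v in $versions) {
    $key = "HKCU:\Software\Adobe\Acrobat Reader\$v\JSPrefs"
    if (-not (Test-Path $key)) {
        Write-Host "Reader $v : JSPrefs key not present (not installed, or never run by this user)"
        continue
    }
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).bEnableJS
    if ($null -eq $val)  { $state = 'unset (Reader defaults to enabled)' }
    elseif ($val -eq 0)  { $state = 'DISABLED' }
    else                 { $state = 'ENABLED' }
    Write-Host "Reader $v : JavaScript $state"

    if ($Disable -and $val -ne 0) {
        Set-ItemProperty -Path $key -Name bEnableJS -Value 0 -Type DWord
        Write-Host "Reader $v : bEnableJS set to 0 (JavaScript disabled)"
    }
}
```

Run it without arguments to audit, or with -Disable to turn JavaScript off; this only covers the current user's profile, so repeat it per account (or push the same value by logon script) on shared machines.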