A working exploit for the latest versions of Adobe’s PDF Reader software (X and XI) is being made available to malicious hackers for $50,000 via underground forums.
Starting with Version X, Adobe’s Reader software has employed a ‘sandbox’ that supposedly insulates the operating system from attacks originating in Reader content. The exploit code reportedly gets around the sandbox.
Adobe is investigating, but no patches are available yet. Since this threat is active, anyone using Adobe Reader X or XI should exercise extreme caution when opening PDF documents or clicking links to PDF documents from unknown sources. Another option is to uninstall the Adobe software and use an alternative like Foxit Reader.
More details from KrebsOnSecurity.
Security researcher Tavis Ormandy has discovered several security vulnerabilities in Sophos security products. The holes were patched within a few weeks of the initial reports, but Ormandy maintains that Sophos’ response was too slow. The vulnerabilities, if unpatched, can allow attackers to gain full control of computers running affected Sophos software.
Regardless of whether you agree with Ormandy’s conclusions about Sophos, it’s clear that if you run Sophos security products, you should make sure they are fully patched.
Yesterday, Adobe announced a new version of Flash that includes fixes for several security holes in earlier versions. Anyone who uses Flash to view web-based video, which includes anyone who uses YouTube, should install the latest version of Flash as soon as possible.
The latest version of Flash for Windows is 11.5.502.110. Adobe also made available updates for older versions of Flash that address the same security vulnerabilities, but we recommend updating to the latest version.
A new version of Google Chrome, also announced yesterday, includes these security fixes. A similar patch for Internet Explorer 10 in Windows 8 was made available by Microsoft.
These updates resolve buffer overflow vulnerabilities that could lead to code execution, memory corruption vulnerabilities that could lead to code execution, and a security bypass vulnerability that could lead to code execution.
Growth of the ZeroAccess botnet is unfortunately showing no signs of slowing down. Dark Reading reports “2.2 million infected with fraudulent ad-click botnet’s malware”. The perpetrators make money by using infected computers to fraudulently ‘click’ on web-based ads.
Most current anti-malware software can detect and disable ZeroAccess-related malware. Make sure your anti-malware software is up to date, and run regular scans.
Version 16.0.2 of Firefox fixes three critical security flaws in the previous version. Users are encouraged to upgrade as soon as possible.
Those of you running Windows 8 already should head over to Microsoft Update and install a new out-of-cycle patch for Adobe Flash in Internet Explorer 10.
We were wondering whether the recent Java updates addressed the security holes reported by Adam Gowdiak of Security Explorations. Well, Mr. Gowdiak tested the most recent Java in various browsers, and the answer is no, they do not.
Gowdiak went even further, developing a simple fix for the vulnerability. Oracle is unimpressed, saying that a proper fix will involve a lot more testing than the 30 minutes Gowdiak spent on it. They are sticking to their original estimate, that an official fix will not be available until the February 2013 Critical Patch Update.
So Java, despite the recent patches, is still vulnerable to exploits using the hole reported by Gowdiak. We continue to recommend disabling Java in web browsers.
Java is increasingly the focus of both malware developers and security researchers. Many malware packages include Java code, and drive-by malware infections often use known Java vulnerabilities to trigger web browser-based infections. Java releases are filled with fixes for security vulnerabilities. Security researchers find new Java holes with alarming frequency.
Ars Technica recently asked their readers to talk about Java and how they use it. The resulting article outlines the results of this informal survey and makes some recommendations to users.
Many Windows computers also contain the Java Runtime Environment (JRE), which allows standalone Java applications to run without a web browser. Many system administration tools are developed in Java, since this allows the same code to run on many different operating systems. There are also plenty of Java games, including the hugely popular Minecraft. Although Minecraft can be run from within a web browser, the full version of the game runs in the JRE.
Java vulnerabilities exist both in Java browser plugins and in the JRE. However, Java code that runs in the JRE must be explicitly downloaded and installed by the user. For example, to play the full version of Minecraft, the user must go to the Minecraft web site, buy the game, download the installer, install the game on their computer, then run the game. On the other hand, Java code on a malicious or hacked web site can run automatically and invisibly the moment a user visits that web site – if their browser has a functioning Java plugin.
Clearly, Java web browser plugins present a much greater security risk than standalone Java. Our recommendations – echoed by the Ars Technica article – remain the same: you should seriously consider disabling Java plugins in your web browser, but it’s okay to leave the JRE installed on your computer.
Oracle has released updates for all of its Java packages. The updates include a variety of bug and security fixes across all the affected Java products.
You can download the Java Runtime Environment (JRE) or Java Development Kit (JDK) appropriate for your computing environment from the Java downloads page.
Java browser plugins that are not updated as part of a JRE update will require separate updates, in some cases from the web browser developer (Chrome, Internet Explorer).
It is unclear whether these updates include fixes for the vulnerabilities reported in late September 2012. Update 2012-Oct-25: Apparently they do not, according to security researcher Adam Gowdiak.
Update 2012-Oct-12: Version 16.0.1 of Firefox has just been released. The new version fixes the vulnerability that caused version 16.0 to be pulled from the Firefox download site yesterday. All users are encouraged to upgrade to 16.0.1 as soon as possible.
Firefox 16.0 has been removed from the Mozilla web site due to a new vulnerability. Users who have already upgraded to the new version should either downgrade to version 15.0.1 or exercise extreme caution before visiting any unfamiliar or suspicious web site. The new vulnerability makes it possible for web sites to access information that is normally protected by the browser.