Computer Science Security Alerts
To be emailed any new alerts as they appear, or to cease being emailed such alerts, send email to securityalerts-request@cs. These can also be obtained via an Atom or RSS feed.

Thu, Oct 30, 2014

Drupal content management system sites may be compromised
Drupal is a Content Management System (CMS) that is widely used for web sites. A vulnerability in Drupal, with accompanying fixes, was announced on Oct 15th. Within 7 hours of the announcement, a widespread automated attack began compromising Drupal sites worldwide, silently installing back doors. The Drupal Security Team advises that any Drupal site that was not patched before Oct 15th 11pm UTC should be considered already compromised, and should be restored from a backup made before that time.

For more information, see https://www.drupal.org/PSA-2014-003.


Wed, Oct 15, 2014

Poodle vulnerability in web servers and web browsers
A fundamental flaw has been discovered in SSL 3.0, an older version of the protocol that secures "https" web connections. The flaw, called "Poodle", was announced by Google and is documented at https://www.openssl.org/~bodo/ssl-poodle.pdf. SSL 3.0 is very old; all modern browsers accept newer versions of the SSL protocol. However, most web browsers and web servers still support SSL 3.0, and a technique can often be used to trick them into using it. We recommend that SSL 3.0 be disabled in web servers and web browsers whenever possible. For a writeup of common ways to disable SSL 3.0 in various web browsers and web servers, see http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566.


Thu, Sep 25, 2014

Serious vulnerability in bash shell affects MacOSX, Linux and UNIX systems

A serious vulnerability in the bash shell has been discovered. The bash shell is available on MacOSX, Linux and many UNIX systems. The vulnerability permits anyone who can set an environment variable that is later passed to bash to run arbitrary code as the user that bash is running as. Patches are available for some but not all systems, and should be available for all systems soon.

It is particularly important to ensure that no web CGI scripts use or invoke bash, because an attacker can set environment variables remotely.

Linux machines that symlink /bin/sh to /bin/bash should be changed to use another shell for /bin/sh, such as /bin/dash.
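
One way to carry out the two checks above, as an added example rather than part of the original alert: the script lists CGI scripts whose `#!` line names bash, and also flags `#!/bin/sh` scripts when sh resolves to bash. The function names and the sample directory tree are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the alert): find CGI scripts that run under bash.
# Function names and the sample tree below are this example's own.

# Follow a chain of symlinks (e.g. /bin/sh) and print the final target.
resolve_link() {
    rl_p=$1 rl_hops=0
    while [ -L "$rl_p" ] && [ "$rl_hops" -lt 40 ]; do
        rl_t=$(readlink "$rl_p")
        case $rl_t in
            /*) rl_p=$rl_t ;;
            *)  rl_p=$(dirname "$rl_p")/$rl_t ;;
        esac
        rl_hops=$((rl_hops + 1))
    done
    printf '%s\n' "$rl_p"
}

# Succeed if the given sh path resolves to a file named "bash".
# A /bin/sh that is a renamed copy of bash is not detected by this check.
sh_is_bash() {
    [ "$(basename "$(resolve_link "$1")")" = bash ]
}

# Print the interpreter's base name from a script's "#!" line (empty if none).
# Handles "#! /path", "/usr/bin/env bash" and CRLF line endings.
shebang_interp() {
    si_line=$(sed -n '1{s/^#![[:space:]]*//p;q;}' "$1" 2>/dev/null | tr -d '\r')
    set -f; set -- $si_line; set +f      # split into words without globbing
    si_prog=${1##*/}
    if [ "$si_prog" = env ]; then
        shift
        while [ $# -gt 0 ]; do           # skip env options and VAR=value
            case $1 in -*|*=*) shift ;; *) break ;; esac
        done
        si_prog=${1##*/}
    fi
    printf '%s\n' "$si_prog"
}

# Print "<reason><TAB><path>" for every file under DIR that runs under bash,
# either directly or through an sh that resolves to bash.
# Only "#!" lines are inspected: programs in other languages that shell out
# still reach /bin/sh, which is why the sh check matters as well.
audit_cgi_dir() {
    ac_dir=$1 ac_sh=${2:-/bin/sh}
    ac_sh_bash=no
    if sh_is_bash "$ac_sh"; then ac_sh_bash=yes; fi
    find "$ac_dir" -type f | sort | while IFS= read -r ac_f; do
        case $(shebang_interp "$ac_f") in
            bash) printf 'bash-shebang\t%s\n' "$ac_f" ;;
            sh)   if [ "$ac_sh_bash" = yes ]; then
                      printf 'sh-is-bash\t%s\n' "$ac_f"
                  fi ;;
        esac
    done
}

# --- constructed sample tree; on a real host pass the cgi-bin directory ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir "$DEMO/cgi-bin" "$DEMO/bin"
printf '#!/bin/bash\necho "Content-type: text/plain"\n' > "$DEMO/cgi-bin/status.cgi"
printf '#!/usr/bin/env bash\r\necho ok\n'                > "$DEMO/cgi-bin/upload.cgi"
printf '#!/bin/sh\necho ok\n'                            > "$DEMO/cgi-bin/ping.cgi"
printf '#!/usr/bin/perl\nprint "ok";\n'                  > "$DEMO/cgi-bin/form.pl"
: > "$DEMO/bin/bash"
: > "$DEMO/bin/dash"

ln -s bash "$DEMO/bin/sh"            # the setup the alert warns about
echo "with sh -> bash:"
audit_cgi_dir "$DEMO/cgi-bin" "$DEMO/bin/sh"

ln -sf dash "$DEMO/bin/sh"           # the alert's suggested change
echo "with sh -> dash:"
audit_cgi_dir "$DEMO/cgi-bin" "$DEMO/bin/sh"
```

Scripts reported as `bash-shebang` remain exposed after /bin/sh is repointed and need their interpreter changed or bash patched.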

For more details, consult the US CERT advisory at https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability. Please monitor your operating system vendor's site for patches and patch as soon as possible.


Wed, Feb 26, 2014

Security flaw in Apple OSX and iOS devices
There is a serious security flaw in Apple OSX 10.9/"Mavericks" (for Mac) and iOS 6 and 7 (for iPad/iPhone/iPod) systems where the Safari web browser (the default browser in OSX and iOS) fails to properly validate the authenticity of SSL (https) web pages. Apple has released OSX 10.9.2, iOS 7.0.6 and iOS 6.1.6, which fix the problem. Until your device has been upgraded to a patched version of OSX or iOS, please avoid using the Safari web browser for sensitive web transactions (like online banking or online purchases). The Firefox and Chrome web browsers on OSX do not have this flaw, so if you cannot update your Mac to 10.9.2, using Firefox or Chrome instead of Safari for secure web transactions should provide adequate protection. Unfortunately there is no equivalent workaround for iOS 6 or iOS 7 devices except to upgrade to iOS 6.1.6 or 7.0.6, respectively. For more information about the bug, see https://www.imperialviolet.org/2014/02/22/applebug.html. Pointers to the relevant Apple updates are as follows:

A web site, https://gotofail.com, has been set up that you can use to test whether your web browser is vulnerable to the problem.


Wed, Mar 06, 2013

Recent Java Security Vulnerabilities: How to Protect Yourself
There have been a number of serious vulnerabilities in Java in recent weeks, some of them actively exploited on the internet. Oracle has released multiple updates for Java to fix many of these vulnerabilities, but some remain, and more are being discovered as time passes.

Java is a software programming environment from Oracle (formerly Sun) that operates in two modes: local applications and web "applets". An applet is a Java program that is downloaded from a web page and run in a special restricted environment called a "sandbox" that limits what it can do on your computer. All the recent vulnerabilities are flaws that allow malicious applets to escape from the sandbox and fully access your machine.

Only a few websites rely on Java applets these days, because Java applets are not available for phones or most tablets. (Note: do not confuse Java applets with JavaScript. JavaScript is a widely used programming language for the web that runs in your web browser, and it has nothing to do with Java.)

If you do not need Java, uninstall it from your computer. If you need Java for local applications but you do not need to go to any websites that serve Java applets, then you can configure Java on your computer not to support web applets. On Windows, go to Control Panel, select Java, choose the Security tab, and uncheck Enable Java content in the browser.

If you do use Java applets from websites occasionally, be careful to make sure you are running the latest version of Java. java.com offers a Java applet that checks the version of Java you are running to ensure it is the latest. Also please ensure that your Java Security setting is set to High (this is the default in recent versions of Java). On Windows, go to Control Panel, select Java, choose the Security tab, and set the Security Level slider to High. When the security setting is high, Java will prompt you before running an applet. Always choose "Cancel" when you see the prompt, unless you are certain that the applet is legitimate. This prompt offers a checkbox to avoid the prompt in future for a particular applet, so if you use a particular applet frequently, you may check this box.

For more information on the security status of Java, and the latest recommended version, Oracle documents its Java security efforts in its Software Security Assurance blog, https://blogs.oracle.com/security.


Mon, Jan 14, 2013

Java security vulnerability patched in Java 7 update 11
Oracle has released a new version of Java, version 7 update 11, which fixes the vulnerability disclosed previously. Please replace all previous versions of Java with this version if possible. For more information, see https://blogs.oracle.com/java/entry/java_vulnerabilities_addressed.


Thu, Jan 10, 2013

Unpatched Java security vulnerability affects Java use in web browsers

A new vulnerability in the web browser plug-in for all current versions of Java has been uncovered, and is being exploited on the Internet. It allows an attacker to create a malicious web page that will run commands of the attacker's choice when viewed via a web browser containing a Java plug-in. No security patch for this vulnerability is presently available. We recommend that you disable Java in your web browser, if possible. Instructions for doing this for the latest version of Oracle Java are available at http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html, or simply disable or remove the Java plug-in for your specific web browser. If this is not possible, we recommend you use the Firefox web browser with the NoScript add-on; NoScript can be configured to restrict which sites can run Java in the web browser.

For more information about the vulnerability, see http://www.kb.cert.org/vuls/id/625617.


Wed, Jan 09, 2013

Security flaw in Acrobat Reader: patch available

A security vulnerability in Adobe Acrobat and Adobe Reader has been discovered. This flaw allows a maliciously crafted PDF file to run commands of the attacker's choice when viewed in Acrobat or Acrobat Reader. Adobe has released patched versions of Acrobat and Acrobat Reader. For more information, see https://www.adobe.com/support/security/bulletins/apsb13-02.html.


Tue, Oct 16, 2012

Skype users targeted for malware
Skype Security reports that its users are being targeted for malware: instant messages are being sent to Skype users containing a link, and the message "lol is this your new profile pic?". The link in the message attempts to install malware on your machine. While it's not unusual for people to be targeted by email messages containing malware links, more and more often these malware links are being embedded in instant messages, cell texts (SMS), tweets, and the like. The care and due diligence that wise internet users apply to suspicious emails should also be extended to instant messages, cell texts, and other forms of short electronic communication.


Mon, Sep 24, 2012

Patch now available for security flaw in Internet Explorer

Microsoft has released a patch for the security flaw in Internet Explorer 9 and earlier previously reported. The security flaw is being actively exploited on the internet, and Microsoft indicates this patch is critical. It is now available via Windows/Microsoft update and automatic updates. For more information, see Microsoft Security Bulletin MS12-063.


Tue, Sep 18, 2012

Unpatched security flaw in Internet Explorer being exploited: please use another browser
A new security flaw in Internet Explorer 9 and earlier has been discovered, and is being actively exploited on the internet. Internet Explorer 10 is not affected. An attacker can run malicious code on your system if Internet Explorer is used to browse a compromised or malicious web site. While Microsoft has issued a security advisory about this problem with some suggestions for mitigating it, there is no patch yet that fixes the vulnerability. Until a patch is released, we recommend you use another web browser, such as Internet Explorer 10, Firefox, Chrome, Safari, or Opera. For more information, see https://technet.microsoft.com/en-us/security/advisory/2757760.


Tue, Sep 04, 2012

Vulnerability in Oracle Java being actively exploited
A recent vulnerability in Oracle Java allows specially crafted Java code (such as a Java applet on a web page) to make arbitrary modifications to the software and data on an affected machine. This vulnerability is being actively exploited. The vulnerability has been fixed in Oracle Java 7 update 7, which has recently been released. To protect yourself from this vulnerability, please either disable or uninstall the Java Runtime Environment (JRE) plug-in for your web browser, or upgrade it to Java 7 update 7. For more details about the vulnerability, and how to disable Java for various web browsers, please see http://www.kb.cert.org/vuls/id/636312. For more details about Java 7 update 7, see http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html. Java 7 update 7 can be downloaded from http://www.java.com.


Wed, Jun 27, 2012

Serious flaw in Microsoft Windows being exploited via IE, Office
There is a serious security flaw in Microsoft XML Core Services 3.0 through 6.0, which is a part of all current versions of Microsoft Windows. These services are used by Internet Explorer (IE) and Microsoft Office. The flaw allows attackers to run arbitrary code on your system by creating a specially crafted web page or Office document and persuading you to access it. This flaw is being actively exploited, and no patch is yet available from Microsoft. However, Microsoft has released a "Fix it" workaround for IE. A "Fix it" workaround is not a proper patch to the problem; it is a workaround that reduces the likelihood of an exploit succeeding.

Until this flaw is patched, we recommend you avoid using IE as much as possible, and use a different web browser instead. If you must use IE, consider installing Microsoft's "Fix it" until a proper patch is available. Moreover, please be cautious about any Microsoft Office document received via email or via the web. For example, you might consider not opening any emailed Microsoft Office document, even from a trusted source, unless you are expecting it. If in doubt, contact the sender to confirm.

For more information about this flaw, and for details of how to find and apply Microsoft's "Fix it" workaround, see https://technet.microsoft.com/en-us/security/advisory/2719615 and http://support.microsoft.com/kb/2719615.


Fri, May 04, 2012

Beware of calls offering Microsoft help
According to Microsoft, there seems to be a rash of fraudulent phone calls to Canadians, where the caller offers "Microsoft Help". The caller often claims to be working for Microsoft, and often claims that a problem has been detected with the individual's computer. The caller may ask for credit card information (allegedly to pay for the help) and/or for remote access to the individual's computer. Those called who provide access to their computers often have computer problems after the call. These calls are always fraudulent: Microsoft does not make calls like this. For more information, see http://www.microsoft.com/security/online-privacy/msname.aspx.


Wed, Jan 11, 2012

Patches for critical Adobe Reader/Acrobat vulnerability
Security patches for current versions of Adobe Reader are now available. These patches fix the critical vulnerability previously reported, a vulnerability that allows a maliciously crafted PDF file to run malicious commands as the person who is running Adobe Reader. For more information, please see Adobe security bulletins http://www.adobe.com/support/security/bulletins/apsb11-30.html and http://www.adobe.com/support/security/bulletins/apsb12-01.html.


Tue, Dec 13, 2011

Adobe Reader flaw on Windows and Mac, please upgrade to Adobe Reader X
There is an unpatched vulnerability in Adobe Reader for Windows and Mac that allows a maliciously crafted PDF file to run commands as the person who is running Adobe Reader. Adobe claims that this vulnerability is being actively exploited on Windows. Adobe Reader X supports "protected mode", which guards against this problem. While Adobe is working on a patch for current versions of Reader, it is not available yet. In the meantime, Adobe recommends upgrading to the latest version of Adobe Reader X, and using its "protected mode" feature. Adobe Reader X is available at http://get.adobe.com/reader. For more information, see https://www.adobe.com/support/security/advisories/apsa11-04.html.


Thu, Nov 03, 2011

Malicious Word Document exploiting unpatched Windows hole
A new "0-day" vulnerability in all versions of Microsoft Windows has been discovered, which is being actively exploited by the W32.Duqu worm. This worm exploits the bug by the use of a malicious Word document, which, if viewed on a Windows system, allows the worm to run arbitrary code on that system. A patch for this vulnerability has not yet been released by Microsoft.

Until this vulnerability is patched, please be particularly careful about viewing unsolicited Word documents obtained via web pages or via email, even if the sender appears to be a known and trusted person (the sender may be forged, or the sender's machine may be infected by the worm). When emailed an unsolicited MS Word document, it may be prudent to confirm with the sender that the document was legitimately sent.

More information is available at http://www.securityfocus.com/bid/50462.


Fri, May 20, 2011

Beware of MacDefender malware for Apple Mac
A piece of malicious software called MacDefender (or sometimes MacSecurity or MacProtector), targeting Apple Macintosh computers, is circulating widely. This software attempts to install itself on a Mac when the user goes to certain web pages. It claims that "Windows Security has found critical process activity on your PC and will perform a fast scan of system files". It shows an animation of a system scan that claims the computer is infected, and presents a popup inviting the user to remove the infection. Even if the user clicks "cancel", it will then download an installer and attempt to install. If the user provides his/her password, it will successfully install, and claim the Mac is infected. While the software is running, it will unexpectedly display pornographic websites. The software is configured to automatically start itself if the machine is restarted. To "remove" the infection, one is told to "register" the software. Registration requests a credit card number, which if provided will be sent to a malicious site: the purpose of this software is apparently to persuade the user to provide that number.

The downloading of the software can be prevented by forcing the browser to quit. Clicking "cancel" will not work because that button is configured to actually install the software.

Apple has not yet officially/publicly acknowledged this threat but it has been reported in the media. For more information, and for what to do if infected, see http://www.tuaw.com/2011/05/02/macdefender-malware-targeting-mac-users.


Wed, Apr 27, 2011

Security vulnerability in Adobe Flash Player now patched
The security vulnerability previously reported has now been patched by Adobe for Windows and MacOSX. Patched versions of Adobe Flash Player are available for Windows at http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows and for Macintosh at http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh. For more information, see http://www.adobe.com/support/security/advisories/apsa11-02.html.


Tue, Apr 12, 2011

Unpatched security vulnerability in Adobe Flash Player being actively exploited through malicious MS Word attachments.
There is a security vulnerability in current versions of Adobe Flash Player that allows criminals to create a malicious Flash file that will run commands of the attacker's choice on your computer when viewed. This vulnerability is being actively exploited by malicious email. A .doc or .docx (Microsoft Word) file is attached to the email. Embedded in the .doc attachment is a Flash file that runs malicious commands on Microsoft Windows systems.

The vulnerability exists in Adobe Acrobat Reader as well, which has an embedded flash player, but Adobe is not aware of any attacks yet against Acrobat Reader. Adobe plans to release a patched version of Flash Player and Acrobat Reader soon.

Until this problem is patched, if you receive an email you are not expecting that contains a Microsoft Word attachment, do not open the attachment, even if the email is from someone you know (the sender can be forged). If it is from someone you know, contact them to inquire whether they in fact sent you the attachment. If they did, you may open it. If not, please delete it immediately without opening it.

For more information, see http://www.adobe.com/support/security/advisories/apsa11-02.html.


Thu, Dec 16, 2010

Unpatched security vulnerability in Internet Explorer being actively exploited

A security vulnerability in Internet Explorer (IE) versions 6, 7, and 8 has been discovered, and is being exploited in targeted attacks. It allows a specially crafted web page to run commands on your computer if you browse the page using IE. Microsoft has not yet released a patch. If possible, while waiting for a patch for this problem, consider using another web browser, such as Firefox, Chrome or Safari. If you rely on certain web pages that render properly only when using IE, the IE Tab plugin for Firefox and Chrome will allow you to designate specific pages within Firefox or Chrome to be rendered by IE.

For more information, see http://threatpost.com/en_us/blogs/new-remotely-exploitable-bug-found-internet-explorer-121010 and http://www.kb.cert.org/vuls/id/634956.


Fri, Dec 10, 2010

Protecting Web Login Data

Many websites, like Facebook, Twitter or Gmail, require a login and password. After you type that password, the website assigns your web browser a cookie, which represents your identity on that site while you are logged in. If someone else can intercept your cookie, they can do anything on that website that you can.

Unfortunately, not all websites that use cookies in this way also use encryption (such as SSL/HTTPS) to protect your cookie from being intercepted as it is transmitted. You can tell if a particular web site uses encryption, by checking to see that the URLs used always start with https://.

If the website is not using encryption, anyone with the right software may be able to intercept your cookie and use it to impersonate you. One example of a software program that can do this is Firesheep, a plugin for the Firefox web browser. Firesheep makes it very easy to capture any visible cookies on a network, without any sign to the user that this is happening, and to use those cookies to impersonate someone on a website. Amy Gahran of CNN wrote an article about her experience using Firesheep on a coffee-shop's wireless network.

To protect yourself from this sort of attack, it is important to choose secure access to websites whenever available. The HTTPS Everywhere plugin for Firefox makes this easy for many common sites: if the site offers both http and https access, HTTPS Everywhere will direct your Firefox web browser to use HTTPS.

Another way to protect yourself is to use a Virtual Private Network (VPN). Any CSLab user can request access to the CSLab VPN, which will encrypt all your network traffic and tunnel it to the CSLab network, from which it will then be forwarded on to its destination. The University of Toronto also has a VPN service, which works similarly. Note, however, that if you use a VPN, your network traffic will be routed through the university, so please do not do anything that you would not do when connected to the university's networks.

Finally, please use general good sense when using websites. For example, when you are finished using a website, log out. Be especially vigilant when using a public network (such as a Wi-Fi hotspot or an Internet cafe). Watch for signs that your social networking and other web accounts have been used by someone else, and change your password (using HTTPS of course) if you think it has been.


Wed, Nov 17, 2010

Serious Vulnerability in Adobe Acrobat, Reader 9.4 and earlier: patch available
Adobe has announced that a serious vulnerability exists in Adobe Acrobat and Acrobat Reader versions 9.4 and earlier, for all platforms (Windows, Macintosh and UNIX). It allows a specially crafted PDF document to run arbitrary commands when viewed. The vulnerability has been fixed in version 9.4.1 of Acrobat and Acrobat Reader. Version 9.4.1 also incorporates an Adobe Flash security fix. Previous versions should be upgraded. For more information, see http://www.adobe.com/support/security/bulletins/apsb10-28.html.


Wed, Oct 06, 2010

Critical Exploited Vulnerability in Adobe Acrobat and Acrobat Reader Fixed
A security update is now available for the critical vulnerability in all versions of Adobe Acrobat/Acrobat Reader (version 9.3.4 and earlier), reported previously. The vulnerability allows an attacker to crash your computer and/or take control of it. Adobe recommends that all users of Acrobat and Acrobat Reader versions 9.3.4 and earlier upgrade to version 9.4. For more information, see http://www.adobe.com/support/security/bulletins/apsb10-21.html.


Tue, Sep 21, 2010

Fix for critical exploited vulnerability in Adobe Flash Player
Adobe has released version 10.1.85.3 of its Flash Player, which fixes the critical exploited vulnerability in 10.1.82.76 and before, reported earlier. The vulnerability allows an attacker to crash the computer running Flash Player, and/or take control of it. Adobe recommends all users of Flash Player upgrade to 10.1.85.3. For more information, see http://www.adobe.com/support/security/bulletins/apsb10-22.html.


Wed, Sep 15, 2010

Critical Exploited Vulnerability in Adobe Flash Player, Acrobat Reader
Adobe has reported that a critical vulnerability exists in current versions of Adobe Flash Player (version 10.1.82.76 and earlier) and Acrobat/Acrobat Reader (version 9.3.4 and earlier), for all platforms. The vulnerability allows an attacker to crash your computer and/or take control of it. Adobe claims that there are reports the Flash Player vulnerability is being actively exploited on Microsoft Windows. Adobe promises fixes during the week of September 27th, 2010 for Flash Player, and during the week of October 4th, 2010 for Acrobat and Acrobat Reader. In the meantime, users of Mozilla web browsers (Firefox, SeaMonkey) can restrict the automatic execution of Flash media using the NoScript add-on. For more information, see http://www.adobe.com/support/security/advisories/apsa10-03.html.


Mon, Aug 23, 2010

Critical Vulnerability in Adobe Acrobat, Acrobat Reader
Adobe has announced a vulnerability in Adobe Acrobat and Adobe Acrobat Reader 9.3.3 (and earlier versions) for Windows, Macintosh and UNIX (Reader only) and Adobe Acrobat and Adobe Acrobat Reader 8.2.3 (and earlier versions) for Windows and Macintosh. It allows a specially crafted PDF document to run arbitrary commands when viewed. The vulnerability has been fixed in version 9.3.4 and 8.2.4 of Acrobat and Acrobat Reader, and previous versions should be upgraded. For more information, see http://www.adobe.com/support/security/bulletins/apsb10-17.html.


Mon, Aug 16, 2010

Critical Vulnerability in Adobe Flash Player, Adobe AIR
Adobe has released patches for the critical vulnerability in Adobe Flash Player versions 9 and 10, and in Adobe AIR. This vulnerability allows a malicious person to create Flash media that will run commands of their choosing on your computer when viewed. This vulnerability can be exploited by convincing a user to open a webpage, a PDF file or another document that contains embedded malicious Flash media. Adobe urges users of Flash Player 10 to upgrade to version 10.1.82.76, users of Flash Player 9 to upgrade to 9.0.280, and users of Adobe AIR to 2.0.3. For more information, see http://www.adobe.com/support/security/bulletins/apsb10-16.html.


Tue, Aug 03, 2010

Windows Remote Code Execution flaw being actively exploited, fix available
A serious vulnerability in all current versions of Microsoft Windows permits remote attackers to run programs of their choice on a Windows computer if they can persuade the user to display the icon of a specially crafted shortcut. This problem is being actively exploited. An off-cycle patch has been released by Microsoft and is available via Windows Update. For more information, see http://www.microsoft.com/technet/security/Bulletin/MS10-046.mspx.


Thu, Jun 10, 2010

Unpatched vulnerability in Adobe Flash now partially fixed
The critical unpatched vulnerability in Adobe Flash Player 10.0.45.2 and earlier versions for all platforms mentioned previously has now been partially addressed by Adobe. Flash Player version 10.1, which does not have this vulnerability, has been released for most platforms (including Windows and Mac), and it is now available from the Adobe Flash Player Download Centre. The version of Flash Player 10.1 released by Adobe for Windows is the same version as the previous release candidate of 10.1 (10.1.53.64), so if you have installed that release candidate, that should be sufficient. Adobe confirms that version 8 and earlier do not possess this vulnerability. However, version 9 is still vulnerable; Adobe promises a patch by June 29th, 2010. For more information, see http://www.adobe.com/support/security/advisories/apsa10-01.html


Tue, Jun 08, 2010

Critical unpatched vulnerability in Adobe Flash, Reader and Acrobat
Adobe has announced a critical unpatched vulnerability in Adobe Flash Player 10.0.45.2 and earlier versions for all platforms. This vulnerability is also present in the embedded Flash functionality of Adobe Acrobat and Acrobat Reader, for all platforms. The vulnerability allows an attacker to take control of an affected computer, and is actively being exploited. Adobe does not yet have a patch for the problem. The Flash Player 10.1 release candidate at http://labs.adobe.com/technologies/flashplayer10 is not vulnerable, so although it is in "beta", it may be worthwhile to consider running it. For more information, see http://www.adobe.com/support/security/advisories/apsa10-01.html


Wed, Apr 14, 2010

New Vulnerability in Adobe Acrobat, Acrobat Reader: patch available
Adobe has announced a vulnerability in recent versions of Adobe Acrobat and Adobe Acrobat Reader, for all platforms (Windows, Macintosh and UNIX). It allows a specially crafted PDF document to run arbitrary commands when viewed. The vulnerability has been fixed in version 9.3.2 and 8.2.2 of Acrobat and Acrobat Reader, and previous versions should be upgraded. For more information, see http://www.adobe.com/support/security/bulletins/apsb10-09.html.


Wed, Apr 07, 2010

Acrobat PDF Launch Action Can Be Used to Create Malicious PDF Documents
The PDF data format has a little-used feature called "Launch Action", which allows a specially crafted PDF file to execute an external program. It has recently been shown that this feature can be used by an attacker to run arbitrary programs of the attacker's choosing. Adobe Acrobat and Acrobat Reader will issue a warning when this feature is being invoked, and will permit it to execute only if the user selects "Open". The warning reads: "The file and its viewer application are set to be launched by this PDF file. The file may contain programs, macros, or viruses that could potentially harm your computer. Only open the file if you are sure it is safe. If this file was placed by a trusted person or program, you can click Open to view the file." We recommend that you always select "Do Not Open" when you see this message.

Those who want to turn off the "Launch Action" feature entirely can click "Edit > Preferences > Categories > Trust Manager > PDF File Attachments" and then un-check the box that reads "Allow opening of non-PDF file attachments with external applications."

Versions of the Foxit PDF reader prior to 3.2.1 execute the external program without issuing any warning, so Foxit users should upgrade to 3.2.1 or later immediately.


Tue, Mar 30, 2010

Patch Available for Actively Exploited Internet Explorer Version 6 and 7 Vulnerability
Microsoft has today issued a new patch for an actively exploited vulnerability in Internet Explorer version 6 and 7 (IE6, IE7) described previously. The vulnerability allows an attacker to run arbitrary commands as the user who is running the web browser. The patch has been made available through Windows Update, so Windows machines configured for automatic updates should receive the patch automatically. For more information, see http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx.

/alerts     permanent link

Thu, Mar 11, 2010

Unpatched Internet Explorer Version 6 and 7 Vulnerability
An unpatched vulnerability in Internet Explorer version 6 and 7 (IE6, IE7) has been confirmed by Microsoft, and details about the vulnerability have just been released. Public exploits are expected imminently. All versions of IE6 and IE7 are affected but IE8 (and IE5) are not affected. The vulnerability allows an attacker to run arbitrary commands as the user who is running the web browser. Microsoft has not yet released a patch.

Microsoft makes some general suggestions at http://www.microsoft.com/protect that may help to reduce the likelihood and impact of an attack. However, we recommend the use of a web browser other than Internet Explorer, such as www.firefox.com, Google Chrome, Apple Safari, or www.opera.com. For more information, see http://www.microsoft.com/technet/security/advisory/981374.mspx.

/alerts     permanent link

Fri, Jan 22, 2010

Recent Internet Explorer Vulnerability fixed
A fix is now available for the serious vulnerability in all recent versions of Internet Explorer (IE) reported previously. Microsoft has disclosed in its patch release that the vulnerability affected IE 5 too. The fix (for all supported versions of Internet Explorer) has been made available as an off-cycle release via Windows Update. For more information, please see http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx.

Given that Internet Explorer is very frequently targeted for exploits, and good alternative browsers exist, we continue to recommend in general that a web browser other than Internet Explorer be used as one's default or everyday browser. Alternatives to Internet Explorer include www.firefox.com, Google Chrome, Apple Safari, or www.opera.com.

/alerts     permanent link

Fri, Jan 15, 2010

Unpatched Internet Explorer Vulnerability
An unpatched vulnerability in all recent versions of Internet Explorer (IE) has been confirmed by Microsoft, and is being actively exploited. All versions of IE 6, 7, and 8 are affected. The vulnerability allows an attacker to run arbitrary commands as the user who is running the web browser. Microsoft has not yet released a patch.

Microsoft makes some general suggestions at http://www.microsoft.com/protect that may help to reduce the likelihood and impact of an attack. However, we recommend the use of a web browser other than Internet Explorer, such as www.firefox.com, Google Chrome, Apple Safari, or www.opera.com. For more information, see http://www.microsoft.com/technet/security/advisory/979352.mspx.

/alerts     permanent link

Fix for December 2009 Adobe Acrobat Vulnerability
Adobe has released Acrobat and Acrobat Reader 9.3, which fixes the serious and actively exploited JavaScript vulnerability previously reported. Users of Acrobat and Acrobat Reader 9.2 and earlier are urged to upgrade to 9.3. For users of Acrobat 8.x who are unable to upgrade to 9.3, Adobe has released Acrobat 8.2, which also fixes this vulnerability. For more information, see http://www.adobe.com/support/security/bulletins/apsb10-02.html.

/alerts     permanent link

Thu, Dec 17, 2009

Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system.

There are reports that this vulnerability is being actively exploited in the wild. Adobe recommends customers follow the mitigation guidance below until a patch is available.
This vulnerability applies to Adobe Reader 9.2 and earlier versions for Windows, Macintosh, and UNIX and Adobe Acrobat 9.2 and earlier versions for Windows and Macintosh.
It is possible to mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the 'Enable Acrobat JavaScript' option
5. Click OK
Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue.
See http://www.adobe.com/support/security/advisories/apsa09-07.html for more information.

/alerts     permanent link

Fri, Dec 11, 2009

Critical Vulnerabilities in Adobe Flash Player, Adobe AIR
Adobe has reported that a number of critical vulnerabilities exist in widely used versions of Adobe Flash Player versions 9 and 10, and Adobe AIR, that allow a malicious person to create Flash media that will run commands of their choosing on your computer when viewed. This problem is fixed in Adobe Flash Player version 9.0.260, version 10.0.42.34, and Adobe AIR 1.5.3. Previous versions are vulnerable. For more information, see http://www.adobe.com/support/security/bulletins/apsb09-19.html, or http://www.publicsafety.gc.ca/prg/em/ccirc/2009/av09-051-eng.aspx.

/alerts     permanent link

