Wed, Jan 11, 2012
Patches for critical Adobe Reader/Acrobat vulnerability
Security patches for current versions of Adobe Reader are now available. These patches fix the critical vulnerability previously reported, a vulnerability that allows a maliciously crafted PDF file to run malicious commands as the person who is running Adobe Reader. For more information, please see Adobe security bulletins http://www.adobe.com/support/security/bulletins/apsb11-30.html and http://www.adobe.com/support/security/bulletins/apsb12-01.html.
Tue, Dec 13, 2011
Adobe Reader flaw on Windows and Mac, please upgrade to Adobe Reader X
There is an unpatched vulnerability in Adobe Reader for Windows and Mac that allows a maliciously crafted PDF file to run commands as the person who is running Adobe Reader. Adobe claims that this vulnerability is being actively exploited on Windows. Adobe Reader X supports "protected mode", which guards against this problem. While Adobe is working on a patch for current versions of Reader, it is not available yet. In the meantime, Adobe recommends upgrading to the latest version of Adobe Reader X, and using its "protected mode" feature. Adobe Reader X is available at http://get.adobe.com/reader. For more information, see https://www.adobe.com/support/security/advisories/apsa11-04.html.
Thu, Nov 03, 2011
Malicious Word Document exploiting unpatched Windows hole
A new "0-day" vulnerability in all versions of Microsoft Windows has been discovered, which is being actively exploited by the W32.Duqu worm. This worm exploits the bug by the use of a malicious Word document, which, if viewed on a Windows system, allows the worm to run arbitrary code on that system. A patch for this vulnerability has not yet been released by Microsoft.
Until this vulnerability is patched, please be particularly careful about viewing unsolicited Word documents obtained via web pages or via email, even if the sender appears to be a known and trusted person (the sender address may be forged, or the sender's machine may be infected by the worm). If you are emailed an unsolicited MS Word document, it may be prudent to confirm with the sender that the document was legitimately sent.
More information is available at http://www.securityfocus.com/bid/50462.
Fri, May 20, 2011
Beware of MacDefender malware for Apple Mac
A piece of malicious software called MacDefender (or sometimes MacSecurity or MacProtector), targeting Apple Macintosh computers, is circulating widely. This software attempts to install itself on a Mac when the user visits certain web pages. It claims that "Windows Security has found critical process activity on your PC and will perform a fast scan of system files". It shows an animation of a system scan that claims the computer is infected, and presents a popup inviting the user to remove the infection. Even if the user clicks "cancel", it will then download an installer and attempt to install. If the user provides his/her password, it will successfully install, and claim the Mac is infected. While the software is running, it will unexpectedly display pornographic websites. The software is configured to start itself automatically if the machine is restarted. To "remove" the infection, one is told to "register" the software. Registration requests a credit card number, which if provided will be sent to a malicious site: the purpose of this software is apparently to persuade the user to provide that number.
The downloading of the software can be prevented by forcing the browser to quit. Clicking "cancel" will not work because that button is configured to actually install the software.
Apple has not yet officially/publicly acknowledged this threat but it has been reported in the media. For more information, and for what to do if infected, see http://www.tuaw.com/2011/05/02/macdefender-malware-targeting-mac-users.
Wed, Apr 27, 2011
Security vulnerability in Adobe Flash Player now patched
The security vulnerability previously reported has now been patched by Adobe for Windows and Mac OS X. Patched versions of Adobe Flash Player are available for Windows at http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows and for Macintosh at http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh. For more information, see http://www.adobe.com/support/security/advisories/apsa11-02.html.
Tue, Apr 12, 2011
Unpatched security vulnerability in Adobe Flash Player being actively exploited through malicious MS Word attachments.
There is a security vulnerability in current versions of Adobe Flash player that allows criminals to create a malicious flash file that will run commands of the attacker's choice on your computer when viewed. This vulnerability is being actively exploited by malicious email. A .doc or .docx (Microsoft Word) file is attached to the email. Embedded in the .doc attachment is a flash file that runs malicious commands on Microsoft Windows systems.
The vulnerability exists in Adobe Acrobat Reader as well, which has an embedded flash player, but Adobe is not aware of any attacks yet against Acrobat Reader. Adobe plans to release a patched version of Flash Player and Acrobat Reader soon.
Until this problem is patched, if you receive an email you are not expecting that contains a Microsoft Word attachment, do not open the attachment, even if the email is from someone you know (the sender can be forged). If it is from someone you know, contact them to inquire whether they in fact sent you the attachment. If they did, you may open it. If not, please delete it immediately without opening it.
For more information, see http://www.adobe.com/support/security/advisories/apsa11-02.html.
Thu, Dec 16, 2010
Unpatched security vulnerability in Internet Explorer being actively exploited
A security vulnerability in Internet Explorer (IE) versions 6, 7, and 8 has been discovered, and is being exploited in targeted attacks. It allows a specially crafted web page to run commands on your computer if you browse the page using IE. Microsoft has not yet released a patch. If possible, while waiting for a patch for this problem, consider using another web browser, such as Firefox, Chrome or Safari. If you rely on certain web pages that render properly only when using IE, the IE Tab plugin for Firefox and Chrome will allow you to designate specific pages within Firefox or Chrome to be rendered by IE.
For more information, see http://threatpost.com/en_us/blogs/new-remotely-exploitable-bug-found-internet-explorer-121010 and http://www.kb.cert.org/vuls/id/634956.
Wed, Nov 17, 2010
Serious Vulnerability in Adobe Acrobat, Reader 9.4 and earlier: patch available
Adobe has announced a serious vulnerability exists in Adobe Acrobat
and Acrobat Reader versions 9.4 and earlier, for all platforms
(Windows, Macintosh and UNIX). It allows a specially crafted PDF
document to run arbitrary commands when viewed. The vulnerability
has been fixed in version 9.4.1 of Acrobat and Acrobat Reader. Version
9.4.1 also incorporates an Adobe Flash security fix. Previous
versions should be upgraded. For more information, see http://www.adobe.com/support/security/bulletins/apsb10-28.html.
Wed, Oct 06, 2010
Critical Exploited Vulnerability in Adobe Acrobat and Acrobat Reader Fixed
A security update is now available for the critical vulnerability in all versions of Adobe Acrobat/Acrobat Reader (version 9.3.4 and earlier), reported previously.
The vulnerability allows an attacker to crash your computer
and/or take control of it. Adobe recommends that all users of Acrobat
and Acrobat reader versions 9.3.4 and earlier upgrade to version 9.4.
For more information, see
http://www.adobe.com/support/security/bulletins/apsb10-21.html.
Tue, Sep 21, 2010
Fix for critical exploited vulnerability in Adobe Flash Player
Adobe has released version 10.1.85.3 of its Flash player, which
fixes the critical exploited vulnerability in 10.1.82.76 and before, reported
earlier. The vulnerability allows an attacker to crash the computer
running Flash Player, and/or take control of it. Adobe recommends all
users of Flash Player upgrade to 10.1.85.3. For more information, see
http://www.adobe.com/support/security/bulletins/apsb10-22.html
Wed, Sep 15, 2010
Critical Exploited Vulnerability in Adobe Flash Player, Acrobat Reader
Adobe has reported that a critical vulnerability exists in current
versions of Adobe Flash Player (version 10.1.82.76 and earlier) and
Acrobat/Acrobat Reader (version 9.3.4 and earlier), for all platforms.
The vulnerability allows an attacker to crash your computer
and/or take control of it. Adobe claims that there are reports the flash player
vulnerability is being actively exploited on Microsoft Windows.
Adobe promises fixes during the week of September 27th, 2010 for
Flash player, and during the week of October 4th, 2010 for Acrobat and
Acrobat Reader. In the meanwhile, users of
Mozilla web browsers (Firefox, SeaMonkey) can restrict the automatic execution of Flash media using the NoScript
add-on. For more information, see
http://www.adobe.com/support/security/advisories/apsa10-03.html.
Mon, Aug 23, 2010
Critical Vulnerability in Adobe Acrobat, Acrobat Reader
Adobe has announced a vulnerability in Adobe Acrobat and Adobe Acrobat
Reader 9.3.3 (and earlier versions) for Windows, Macintosh and UNIX
(Reader only) and Adobe Acrobat and Adobe Acrobat Reader 8.2.3 (and
earlier versions) for Windows and Macintosh. It allows a specially
crafted PDF document to run arbitrary commands when viewed. The
vulnerability has been fixed in versions 9.3.4 and 8.2.4 of Acrobat and
Acrobat Reader, and previous versions should be upgraded. For more
information, see http://www.adobe.com/support/security/bulletins/apsb10-17.html.
Mon, Aug 16, 2010
Critical Vulnerability in Adobe Flash Player, Adobe AIR
Adobe has released patches for the critical vulnerability in Adobe
Flash Player versions 9 and 10, and in Adobe AIR. This vulnerability
allows a malicious person to create flash media that will run commands
of their choosing on your computer when viewed. This vulnerability
can be exploited by convincing a user to open a webpage, a PDF file or
another document that contains embedded malicious flash media. Adobe
urges users of Flash Player 10 to upgrade to version 10.1.82.76, users
of Flash Player 9 to upgrade to 9.0.280, and users of Adobe AIR to
2.0.3. For more information, see
http://www.adobe.com/support/security/bulletins/apsb10-16.html.
Tue, Aug 03, 2010
Windows Remote Code Execution flaw being actively exploited, fix available
A serious vulnerability in all current versions of Microsoft
Windows permits remote attackers to run programs of their choice on a
Windows computer if they can persuade the user to display the icon of a
specially crafted shortcut. This problem is being actively
exploited. An off-cycle patch has been released by Microsoft and
is available via Windows
Update. For more information, see http://www.microsoft.com/technet/security/Bulletin/MS10-046.mspx.
Thu, Jun 10, 2010
Unpatched vulnerability in Adobe Flash now partially fixed
The critical unpatched vulnerability in Adobe Flash
Player 10.0.45.2 and earlier versions for all platforms mentioned
previously has now been partially addressed by Adobe.
Flash Player version 10.1, which does not have this vulnerability, has
been released for most platforms (including
Windows and Mac), and it is now available from the Adobe Flash Player Download
Centre. The version of Flash Player 10.1 released by Adobe for
Windows is the same version as the previous release candidate of 10.1
(10.1.53.64), so if you have installed that release candidate, that
should be sufficient. Adobe confirms that version 8 and earlier do not
possess this vulnerability. However, version 9 is still vulnerable;
Adobe promises a patch by June 29th, 2010. For more information, see
http://www.adobe.com/support/security/advisories/apsa10-01.html
Tue, Jun 08, 2010
Critical unpatched vulnerability in Adobe Flash, Reader and Acrobat
Adobe has announced a critical unpatched vulnerability in Adobe Flash
Player 10.0.45.2 and earlier versions for all platforms. This
vulnerability is also present in the embedded Flash functionality of
Adobe Acrobat and Acrobat Reader, for all platforms. The vulnerability
allows an attacker to take control of an affected computer, and is
actively being exploited. Adobe does not yet have a patch
for the problem. The Flash Player 10.1 release candidate at
http://labs.adobe.com/technologies/flashplayer10
is not vulnerable, so although it is in "beta", it may be
worthwhile to consider running it. For more information, see
http://www.adobe.com/support/security/advisories/apsa10-01.html
Wed, Apr 14, 2010
New Vulnerability in Adobe Acrobat, Acrobat Reader: patch available
Adobe has announced a vulnerability in recent versions of Adobe
Acrobat and Adobe Acrobat Reader, for all platforms (Windows, Macintosh
and UNIX). It allows a specially crafted PDF document to run arbitrary
commands when viewed. The vulnerability has been fixed in versions 9.3.2
and 8.2.2 of Acrobat and Acrobat Reader, and previous versions should be
upgraded. For more information, see http://www.adobe.com/support/security/bulletins/apsb10-09.html.
Wed, Apr 07, 2010
Acrobat PDF Launch Action Can Be Used to Create Malicious PDF Documents
The PDF data format has a little-used feature called "Launch Action", which allows a specially crafted PDF file to execute an external program. It has recently been shown that this feature can be used by an attacker to run arbitrary programs of the attacker's choosing. Adobe Acrobat and Acrobat Reader will issue a warning when this feature is being invoked, and will permit it to execute only if the user selects Open. The warning reads: "The file and its viewer application are set to be launched by this PDF file. The file may contain programs, macros, or viruses that could potentially harm your computer. Only open the file if you are sure it is safe. If this file was placed by a trusted person or program, you can click Open to view the file." We recommend that you always select Do Not Open when you see this message.
Those who want to turn off the "Launch Action" feature entirely can click "Edit > Preferences > Categories > Trust Manager > PDF File Attachments" and then un-check the box that reads "Allow opening of non-PDF file attachments with external applications."
Versions of the Foxit PDF reader prior to 3.2.1 execute the external program without issuing any warning, so Foxit users should upgrade to 3.2.1 or later immediately.
Tue, Mar 30, 2010
Patch Available for Actively Exploited Internet Explorer Version 6 and 7 Vulnerability
Microsoft has issued today a new patch for an actively exploited
vulnerability in Internet Explorer version 6 and 7 (IE6, IE7)
described previously. The vulnerability allows an
attacker to run arbitrary commands as the user who is
running the web browser. The patch has been made available through
Windows Update,
so Windows machines configured for automatic updates should receive the patch
automatically. For more information, see http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx.
Thu, Mar 11, 2010
Unpatched Internet Explorer Version 6 and 7 Vulnerability
An unpatched vulnerability in Internet Explorer version 6 and 7
(IE6, IE7) has been confirmed by Microsoft, and details about the
vulnerability have just been released. Public exploits are expected
imminently. All versions of IE6 and IE7 are affected but IE8 (and IE5)
are not affected. The vulnerability allows an attacker to run arbitrary
commands as the user who is running the web browser. Microsoft has not
yet released a patch.
Microsoft makes some general suggestions at http://www.microsoft.com/protect that may help to reduce the likelihood and impact of an attack. However, we recommend the use of a web browser other than Internet Explorer, such as www.firefox.com, Google Chrome, Apple Safari, or www.opera.com. For more information, see http://www.microsoft.com/technet/security/advisory/981374.mspx.
Fri, Jan 22, 2010
Recent Internet Explorer Vulnerability fixed
A fix is now available for the serious vulnerability
in all recent versions of Internet Explorer (IE) reported
previously. Microsoft has disclosed in its patch release that the
vulnerability affected IE 5 too. The fix (for all supported versions
of Internet Explorer) has been made available as an off-cycle
release via Windows
Update. For more information, please see http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx.
Given the fact that Internet Explorer is very frequently targeted for exploits, and good alternative browsers exist, at present we continue to recommend in general that web browsers other than Internet Explorer be used for one's default or everyday browser. Alternatives to Internet Explorer include www.firefox.com, Google Chrome, Apple Safari, or www.opera.com.
Fri, Jan 15, 2010
Unpatched Internet Explorer Vulnerability
An unpatched vulnerability in all recent versions of Internet Explorer
(IE) has been confirmed by Microsoft, and is being actively exploited.
All versions of IE 6, 7, and 8 are affected. The vulnerability allows
an attacker to run arbitrary commands as the user who is running the
web browser. Microsoft has not yet released a patch.
Microsoft makes some general suggestions at http://www.microsoft.com/protect that may help to reduce the likelihood and impact of an attack. However, we recommend the use of a web browser other than Internet Explorer, such as www.firefox.com, Google Chrome, Apple Safari, or www.opera.com. For more information, see http://www.microsoft.com/technet/security/advisory/979352.mspx.
Fix for December 2009 Adobe Acrobat Vulnerability
Adobe has released Acrobat and Acrobat Reader 9.3, which fix the serious and actively exploited JavaScript vulnerability previously reported. Users of Acrobat and Acrobat Reader 9.2 and earlier are urged to upgrade to 9.3. For users of Acrobat 8.x who are unable to upgrade to 9.3, Adobe has released Acrobat 8.2, which also fixes this vulnerability. For more information, see http://www.adobe.com/support/security/bulletins/apsb10-02.html.
Thu, Dec 17, 2009
Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system.
There are reports that this vulnerability is being actively exploited in the wild. Adobe recommends customers follow the mitigation guidance below until a patch is available.
This vulnerability applies to Adobe Reader 9.2 and earlier versions for Windows, Macintosh, and UNIX and Adobe Acrobat 9.2 and earlier versions for Windows and Macintosh.
It is possible to mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit > Preferences.
3. Select the JavaScript category.
4. Uncheck the 'Enable Acrobat JavaScript' option.
5. Click OK.
Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue.
See http://www.adobe.com/support/security/advisories/apsa09-07.html for more information.
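As an added example (not part of the original alerts), the following Python triage scanner flags the two PDF features these alerts describe: the Acrobat JavaScript that this advisory recommends disabling, and the Launch action covered in the Apr 07, 2010 entry above. It uses only the standard library, and the PDF fixtures it scans are constructed inline rather than taken from any real sample.

```python
"""Triage scanner for PDF attachments: flags Launch and JavaScript actions.

Added example (not from the alert page). Scans raw PDF bytes, inflates any
Flate-compressed streams it can, decodes hex-escaped names, and reports the
two features these alerts describe plus the triggers that run them on open.
Standard library only; the PDF fixtures below are constructed test inputs.
"""
import re
import zlib

# PDF name objects may hex-escape characters: /#4Caunch is the same name as
# /Launch. Plain substring matching misses this, so names are decoded first.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Stream bodies; compressed object streams can hide action dictionaries.
_STREAM = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
# Literal-string /F argument of a Launch action, captured for the report only.
_LAUNCH_TARGET = re.compile(rb"/S\s*/Launch\b.*?/F\s*\(([^)]*)\)", re.DOTALL)

INDICATORS = {
    "launch_action": re.compile(rb"/S\s*/Launch\b"),          # Apr 07, 2010 alert
    "javascript_action": re.compile(rb"/S\s*/JavaScript\b"),  # Dec 17, 2009 alert
    "js_code": re.compile(rb"/JS\s*[(<]|/JS\s+\d+\s+\d+\s+R\b"),  # inline or referenced script
    "open_action": re.compile(rb"/OpenAction\b"),             # fires when the file opens
    "additional_actions": re.compile(rb"/AA\b"),              # fires on page/form events
}


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names match the plain patterns."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def expand_streams(data: bytes) -> bytes:
    """Append the inflated body of every stream that is valid zlib data.

    decompressobj() tolerates trailing whitespace before 'endstream';
    streams using other filters (or none) raise zlib.error and are skipped.
    """
    inflated = []
    for body in _STREAM.findall(data):
        try:
            d = zlib.decompressobj()
            inflated.append(d.decompress(body) + d.flush())
        except zlib.error:
            continue
    return data + b"\n" + b"\n".join(inflated)


def scan_pdf(data: bytes) -> dict:
    """Count each indicator and list Launch targets found in the document."""
    text = normalise_names(expand_streams(data))
    report = {name: len(rx.findall(text)) for name, rx in INDICATORS.items()}
    report["launch_targets"] = [t.decode("latin-1") for t in _LAUNCH_TARGET.findall(text)]
    return report


def verdict(report: dict) -> str:
    """Launch actions are blocked outright; scripted documents go to review;
    OpenAction/AA alone is common in benign files (initial view) and is allowed."""
    if report["launch_action"]:
        return "block"
    if report["javascript_action"] or report["js_code"]:
        return "review"
    return "allow"


# --- Constructed fixtures (no xref table; enough structure for byte scanning) ---

# Launch action wired to OpenAction, with the action name hex-escaped.
SAMPLE_LAUNCH = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Action /S /#4Caunch /F (EXAMPLE_PROGRAM.exe) >> endobj\n"
    b"%%EOF\n"
)

# JavaScript action hidden inside a Flate-compressed object stream.
_OBJSTM = zlib.compress(b"5 0 << /Type /Action /S /JavaScript /JS (app.alert('hi')) >>")
SAMPLE_JS = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
    b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_OBJSTM)).encode() + b" >>\nstream\n" + _OBJSTM + b"\nendstream\nendobj\n"
    b"%%EOF\n"
)

# Plain one-page document with an uncompressed content stream.
SAMPLE_CLEAN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 27 >>\nstream\nBT (Quarterly report) Tj ET\nendstream\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("launch", SAMPLE_LAUNCH), ("js", SAMPLE_JS), ("clean", SAMPLE_CLEAN)):
        rep = scan_pdf(pdf)
        print(f"{label:6s} -> {verdict(rep):6s} {rep}")
```

The scanner reads whole objects only where they are uncompressed or Flate-compressed; a document using other filters or encryption needs a full PDF parser before the same checks apply.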
Fri, Dec 11, 2009
Critical Vulnerabilities in Adobe Flash Player, Adobe AIR
Adobe has reported that a number of critical vulnerabilities exist in widely
used versions of Adobe Flash Player versions 9 and 10, and Adobe AIR, that
allow a malicious person to create flash media that will run commands of
their choosing on your computer when viewed.
This problem is fixed in Adobe Flash Player version
9.0.260, version 10.0.42.34, and Adobe AIR 1.5.3. Previous
versions are vulnerable. For more information, see
http://www.adobe.com/support/security/bulletins/apsb09-19.html, or
http://www.publicsafety.gc.ca/prg/em/ccirc/2009/av09-051-eng.aspx.
Tue, Nov 24, 2009
Unpatched Internet Explorer 6 and 7 Vulnerability
An unpatched vulnerability in Internet Explorer (IE) versions 6 and 7, the
default web browser in many versions of Microsoft Windows (Windows 2000,
XP, Server 2003, Server 2008, and Vista), has been publicly announced,
and an exploit for this vulnerability is available. It allows an attacker
to run arbitrary commands as the user who is running the web browser.
Microsoft has not yet released a patch. Internet Explorer version 8 is
not affected.
Microsoft makes some configuration suggestions that can reduce the impact of an attack. However, we recommend the use of a web browser other than Internet Explorer 6 or 7, such as Internet Explorer 8, www.firefox.com, Google Chrome, Apple Safari, or www.opera.com. For more information, see http://www.microsoft.com/technet/security/advisory/977981.mspx.
Wed, Oct 14, 2009
Patches available for Vista SMB2 Remote Command Execution Vulnerability
The security vulnerability in Windows Vista, Server 2008, and Windows
7 RC reported
previously has been patched. The vulnerability was caused by a
bug in SMB v2.0 (the part of Windows that implements enhanced network
shares), allowing an attacker to create a specially crafted network
packet to run arbitrary commands on an affected Windows machine. For more
information, see
http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx
Tue, Oct 13, 2009
Patch for A New Adobe Acrobat Vulnerability
Adobe has released patches to all shipping versions of Acrobat and
Acrobat reader, for all platforms (Windows, Mac, UNIX) that fix
a newly identified vulnerability that would allow an attacker to
create a malicious PDF file that, when viewed with Acrobat, could run
arbitrary commands as the user viewing the file. Adobe claims that
versions 9.2, 8.1.7 and 7.1.4 of Acrobat and Acrobat reader contain
the fix. Users of previous versions of Acrobat on all platforms are
urged to upgrade to one of these versions. For more information, see
http://www.adobe.com/support/security/bulletins/apsb09-15.html.
Thu, Sep 17, 2009
Vista SMB2 Vulnerability Allows Remote Command Execution
A security vulnerability in Windows Vista, Server 2008, and Windows 7 RC has been discovered. A bug in SMB v2.0 (the part of Windows that implements enhanced network shares) allows an attacker to create a specially crafted network packet to run arbitrary commands on an affected Windows machine. An exploit of this bug has already been made public. Windows 2000, XP, and the RTM (final) version of Windows 7 are not affected by this bug, but the RC (beta/testing) version of Windows 7 is apparently affected. Microsoft has not yet released a fix, but has published some workarounds at http://www.microsoft.com/technet/security/advisory/975497.mspx.
Fri, Jul 31, 2009
Patches for Critical Vulnerability in Adobe Flash Player, Acrobat Reader
Adobe has released patches for the critical vulnerability in Adobe
Flash Player versions 9 and 10, and in Adobe Acrobat and Acrobat Reader mentioned
previously. This vulnerability allows a malicious person to create
flash media that will run commands of their choosing on your computer
when viewed. This vulnerability can be exploited in Adobe Acrobat reader
via a PDF file that contains embedded malicious flash media. There are
reports that malicious PDF files that exploit this vulnerability are actively
propagating. Adobe urges users of Flash Player 10 to upgrade
to version 10.0.32.18 or later, users of Flash Player 9 to
upgrade to 9.0.246.0 or later, and users of Adobe Reader
to upgrade to 9.1.3 or later. For more information, see
http://www.adobe.com/support/security/bulletins/apsb09-10.html.
Tue, Jul 28, 2009
Critical Exploited Vulnerability in Adobe Flash Player, Acrobat Reader
Adobe has reported that a critical vulnerability exists in current
versions of Adobe Flash Player versions 9 and 10 that allows a malicious
person to create flash media that will run commands of their choosing
on your computer when viewed. This vulnerability can be exploited in Adobe
Acrobat reader via a PDF file that contains embedded malicious flash media.
There are reports that malicious PDF files that exploit this
vulnerability are actively propagating. Adobe promises fixes on
July 30th and 31st. In the meanwhile, as a partial workaround, Adobe has
supplied instructions that temporarily disable the ability of Acrobat Reader
to display flash media embedded in a PDF file. For more information, see
http://www.adobe.com/support/security/advisories/apsa09-03.html.
Tue, Jul 14, 2009
Another Exploited ActiveX Vulnerability in Windows web browsers; workaround available
Another security vulnerability in Microsoft ActiveX for Internet Explorer
has been reported by Microsoft, and is being actively exploited. The
flaw lies in a Microsoft Office Web Components ActiveX control, and
allows an attacker to create a malicious web page which, when browsed
by a Windows-based web browser, will run commands of the attacker's
choosing on the browsing machine.
While a fix is not yet available, Microsoft has published a
workaround that (temporarily) disables the vulnerable ActiveX
control(s). This workaround is available from Microsoft at http://support.microsoft.com/default.aspx/kb/973472.
For more information, see
http://www.microsoft.com/technet/security/advisory/973472.mspx.
Fri, Jul 10, 2009
Important Windows Patches Expected for Exploited DirectX, Quicktime Flaws
Microsoft has announced that it plans to release six security
bulletins on Tuesday, July 14th, along with patches that will fix the DirectX
DirectShow Quicktime flaw and the Video
ActiveX Control flaw, both mentioned previously. These
both are being actively exploited via compromised web sites.
Other flaws discovered by Microsoft, not yet being actively
exploited, will also be fixed. For more information, see http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx.
Tue, Jul 07, 2009
Exploited ActiveX Vulnerability in Windows web browsers; workaround available
A security vulnerability in the Microsoft Video ActiveX control
has been discovered and is being actively exploited. This vulnerability
allows an attacker to create a malicious web page which, when browsed by
a Windows-based web browser, will run commands of the attacker's choosing
on the browsing machine. While a fix is not yet available, Microsoft
has published a workaround that (temporarily) disables the vulnerable
ActiveX control(s). This workaround is available from Microsoft at http://support.microsoft.com/kb/972890.
For more information, see http://www.kb.cert.org/vuls/id/180513 and http://www.microsoft.com/technet/security/advisory/972890.mspx.
Mon, Jun 29, 2009
Significant vulnerability in Adobe Shockwave; update available.
Adobe has reported a significant vulnerability in Adobe Shockwave Player
version 11.5.0.596 and earlier. The vulnerability allows an attacker to
create a malicious shockwave file which, when viewed in an affected version
of Shockwave Player, runs arbitrary commands of the attacker's choice on
the machine running the player. Because Shockwave Player is available as a
plug-in for web browsers, any web browser using a vulnerable version of the
player can be exploited by an attacker by making a malicious shockwave file
available on a web site, and luring the user of the web browser to that site.
The flaw is fixed in Shockwave Player version 11.5.0.600 and later; please update any installations of Shockwave Player accordingly by going to the website http://get.adobe.com/shockwave/. For more information, see http://www.adobe.com/support/security/bulletins/apsb09-08.html.
Thu, Jun 18, 2009
Patch for A New Adobe Acrobat Vulnerability
Adobe has released patches to all shipping versions of Acrobat and
Acrobat reader that fix a newly identified vulnerability that would allow
an attacker to create a malicious PDF file that, when viewed with Acrobat,
could run arbitrary commands as the user viewing the file. Adobe claims
that versions 9.1.2, 8.1.6 and 7.1.3 of Acrobat and Acrobat reader contain
the fix. Users of previous versions of Acrobat on all platforms are
urged to upgrade to one of these versions. For more information, see
http://www.adobe.com/support/security/bulletins/apsb09-07.html.
Tue, Jun 16, 2009
Critical Unpatched Mac OSX Java Vulnerability Now Fixed
The serious flaw in the Java virtual machine
mentioned earlier is now fixed for Mac OS X 10.4.11 and 10.5.7.
The flaw allows a Java applet to run
arbitrary commands as the user of the web browser viewing the applet.
This means a malicious web site could do harmful things to any unpatched
Macintosh that connects to it with a web browser capable of running Java
applets.
Patches are presently available via Apple Software Update, or as Java for Mac OS X 10.5 Update 4 or Java for Mac OS X 10.4, Release 9 from Apple's support site at http://support.apple.com/downloads/.
Please note that Java and Java applets are different and distinct from Javascript. This particular flaw does not affect Javascript.
Wed, Jun 10, 2009
Multiple Security Flaws in Microsoft Office Applications: Patches Available
A set of flaws in all current versions of Microsoft Office for Windows
and the Macintosh allows an attacker to supply maliciously crafted MS Word
or Excel files (for example, as an email attachment or on a web page)
which, when opened, run arbitrary commands as the user who opened
the file. Patches are available from Microsoft via Automatic
Update/Windows Update, and for download from Microsoft's web site.
For more information, see Microsoft's security bulletin at
http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx.
Fri, May 29, 2009
Unpatched Web-Exploitable Flaw in DirectX on Windows XP, 2003 and 2000
An unpatched security vulnerability in DirectX on Windows XP, 2003 and 2000
has been announced. It allows an attacker to create and distribute (e.g. via
a web site) a malicious QuickTime media file. This malicious file, when
viewed (e.g. via a web browser) will run the attacker's commands
on the viewing machine. Microsoft is aware of limited active attacks
that exploit this vulnerability. While no patches have yet been
released, Microsoft has outlined some workarounds that will block
some of the ways that this vulnerability is presently being exploited.
For more information, and for workaround instructions, please see
http://www.microsoft.com/technet/security/advisory/971778.mspx