<?xml version="1.0" encoding="iso-8859-1"?>
<rss version="2.0">
  <channel>
    <title>Computer Science Security Alerts</title>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/</link>
    <description>Security Advisories for the Computer Science Community</description>
    <language>en</language>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <generator>blosxom/2.1.2</generator>

  <item>
    <title>Recent Java Security Vulnerabilities: How to Protect Yourself</title>
    <pubDate>Wed, 06 Mar 2013 10:23:00 -0500</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2013/03/06#0306.101732.929.13912</link>
    <category>/alerts/2013</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2013/0306.101732.929.13912</guid>
    <description>There have been a number of serious vulnerabilities in Java in recent weeks, some of them actively exploited on the internet.  Oracle has released multiple updates for Java to fix many of these vulnerabilities, but some remain, and more are being discovered as time passes. 

&lt;p&gt;Java is a software programming environment from Oracle (formerly Sun) that operates in two modes: local applications and web &quot;applets&quot;.  An applet is a Java program that is downloaded from a web page and run in a special restricted environment called a &quot;sandbox&quot; that limits what it can do on your computer. All the recent vulnerabilities are flaws that allow malicious applets to escape from the sandbox and fully access your machine. 

&lt;p&gt;Only a few websites rely on Java applets these days, because Java applets are not available for phones or most tablets. &lt;em&gt;(Note: do not confuse Java applets with JavaScript.  JavaScript is a programming language for the web that runs in your web browser; it is widely used and has nothing to do with Java.)&lt;/em&gt;

&lt;p&gt;If you do not need Java, uninstall it from your computer.  If you need Java for local applications but you do not need to go to any websites that serve Java applets, then you can configure Java on your computer not to support web applets. On Windows, go to Control Panel, select Java, choose the &lt;em&gt;Security&lt;/em&gt; tab, and uncheck &lt;em&gt;Enable Java content in the browser&lt;/em&gt;.

&lt;p&gt;If you do use Java applets from websites occasionally, do be careful to make sure you are running the latest version of Java. &lt;A HREF=&quot;http://www.java.com&quot;&gt;java.com&lt;/A&gt; offers a &lt;A HREF=&quot;https://www.java.com/en/download/installed.jsp&quot;&gt;Java applet&lt;/A&gt; that checks the version of Java you are running to ensure it is the latest. Also please ensure that your Java Security setting is set to &lt;em&gt;High&lt;/em&gt; (this is the default in recent versions of Java). On Windows, go to Control Panel, select Java, choose the &lt;em&gt;Security&lt;/em&gt; tab, and set the Security Level slider to &lt;em&gt;High&lt;/em&gt;. When the security setting is &lt;em&gt;high&lt;/em&gt;, Java will prompt you before running an applet.  Always choose &quot;Cancel&quot; when you see the prompt, unless you are certain that the applet is legitimate.  This prompt offers a checkbox to avoid the prompt in future for a particular applet, so if you use a particular applet frequently, you may check this box.

&lt;p&gt; For more information on the security status of Java, and the latest recommended version, Oracle documents its Java security efforts in its &lt;A HREF=&quot;https://blogs.oracle.com/security/&quot;&gt;Software Security Assurance blog,
https://blogs.oracle.com/security&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Java security vulnerability patched in Java 7 update 11</title>
    <pubDate>Mon, 14 Jan 2013 14:29:00 -0500</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2013/01/14#0114.142549.929.7433</link>
    <category>/alerts/2013</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2013/0114.142549.929.7433</guid>
    <description>Oracle has released a new version of Java, version 7 update 11, which fixes the &lt;A HREF=&quot;http://www.cs.toronto.edu/support/security/alerts.cgi/2013/01/10#0110.131851.929.10882&quot;&gt;vulnerability disclosed previously&lt;/A&gt;. Please replace all previous versions of Java with this version if possible. For more information, see &lt;A HREF=&quot;https://blogs.oracle.com/java/entry/java_vulnerabilities_addressed&quot;&gt;https://blogs.oracle.com/java/entry/java_vulnerabilities_addressed&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Unpatched Java security vulnerability affects Java use in web browsers</title>
    <pubDate>Thu, 10 Jan 2013 13:23:00 -0500</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2013/01/10#0110.131851.929.10882</link>
    <category>/alerts/2013</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2013/0110.131851.929.10882</guid>
    <description>&lt;p&gt;A new vulnerability in the web browser plug-in for all current versions of Java has been uncovered, and is being exploited on the Internet.  It allows an attacker to create a malicious web page that will run commands of the attacker&apos;s choice when viewed via a web browser containing a Java plug-in. No security patch for this vulnerability is presently available. We recommend that you disable Java in your web browser, if possible.  Instructions for doing this for the latest version of Oracle Java are available at &lt;a href=&quot;http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html&quot;&gt;http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html&lt;/a&gt;, or simply disable or remove the Java plug-in for your specific web browser.  If this is not possible, we recommend you use the &lt;a href=&quot;http://www.mozilla.org/firefox&quot;&gt;Firefox&lt;/a&gt; web browser with the &lt;a href=&quot;http://noscript.net&quot;&gt;NoScript&lt;/a&gt; add-on; NoScript can be configured to restrict which sites can run Java in the web browser. &lt;/p&gt;

&lt;p&gt;For more information about the vulnerability, see &lt;a href=&quot;http://www.kb.cert.org/vuls/id/625617&quot;&gt;http://www.kb.cert.org/vuls/id/625617&lt;/a&gt;.&lt;/p&gt;
</description>
  </item>
  <item>
    <title>Security flaw in Acrobat Reader: patch available</title>
    <pubDate>Wed, 09 Jan 2013 10:05:00 -0500</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2013/01/09#0109.100006.929.29666</link>
    <category>/alerts/2013</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2013/0109.100006.929.29666</guid>
    <description>&lt;p&gt;A security vulnerability in Adobe Acrobat and Adobe Reader has been discovered.  This flaw allows a maliciously crafted PDF file to run commands of the attacker&apos;s choice when viewed in Acrobat or Acrobat Reader. Adobe has released patched versions of Acrobat and Acrobat Reader. For more information, see &lt;a href=&quot;https://www.adobe.com/support/security/bulletins/apsb13-02.html&quot;&gt;https://www.adobe.com/support/security/bulletins/apsb13-02.html&lt;/a&gt;.&lt;/p&gt;
</description>
  </item>
  <item>
    <title>Skype users targeted for malware</title>
    <pubDate>Tue, 16 Oct 2012 09:56:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2012/10/16#1016.095608.929.8188</link>
    <category>/alerts/2012</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2012/1016.095608.929.8188</guid>
    <description>&lt;A HREF=&quot;http://blogs.skype.com/security/&quot;&gt;Skype Security&lt;/A&gt; reports that its users are being targeted for malware: instant messages are being sent to Skype users containing a link, and the message &quot;lol is this your new profile pic?&quot;.  The link in the message attempts to install malware on your machine.  While it&apos;s not unusual for people to be targeted by email messages containing malware links, more and more often, these malware links are being embedded in instant messages, cell texts (SMS), tweets, and the like. The sort of care and due diligence that wise internet users take when they are skeptical about suspicious emails should also be extended to instant messages, cell texts, and other forms of short electronic communication.
</description>
  </item>
  <item>
    <title>Patch now available for security flaw in Internet Explorer</title>
    <pubDate>Mon, 24 Sep 2012 10:52:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2012/09/24#0924.104557.929.20880</link>
    <category>/alerts/2012</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2012/0924.104557.929.20880</guid>
    <description>&lt;p&gt;Microsoft has released a patch for the security flaw in Internet Explorer 9 and earlier &lt;a href=&quot;http://www.cs.toronto.edu/support/security/alerts.cgi/2012/09/18#0918.151102.929.30413&quot;&gt;previously reported&lt;/a&gt;.  The security flaw is being actively exploited on the internet, and Microsoft indicates this patch is critical. It is now available via Windows/Microsoft update and automatic updates.
For more information, see Microsoft Security Bulletin
&lt;a href=&quot;http://technet.microsoft.com/en-us/security/Bulletin/MS12-063&quot;&gt;MS12-063&lt;/a&gt;.  &lt;/p&gt;
</description>
  </item>
  <item>
    <title>Unpatched security flaw in Internet Explorer being exploited: please use another browser</title>
    <pubDate>Tue, 18 Sep 2012 15:16:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2012/09/18#0918.151102.929.30413</link>
    <category>/alerts/2012</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2012/0918.151102.929.30413</guid>
    <description>A new security flaw in Internet Explorer 9 and earlier has been discovered, and is being actively exploited on the internet. Internet Explorer 10 is not affected. An attacker can run malicious code on your system if Internet Explorer is used to browse a compromised or malicious web site. While Microsoft has issued a security advisory about this problem with some suggestions for mitigating it, there is no patch yet that fixes the vulnerability.  Until a patch is released, we recommend you use another web browser, such as &lt;A HREF=&quot;http://connect.microsoft.com/ie&quot;&gt;Internet Explorer 10&lt;/A&gt;, &lt;A HREF=&quot;http://www.mozilla.org/firefox&quot;&gt;Firefox&lt;/A&gt;, &lt;A HREF=&quot;http://www.google.com/chrome&quot;&gt;Chrome&lt;/A&gt;, &lt;A HREF=&quot;http://www.apple.com/safari&quot;&gt;Safari&lt;/A&gt;, or &lt;A HREF=&quot;http://www.opera.com&quot;&gt;Opera&lt;/A&gt;.
For more information, see &lt;A HREF=&quot;https://technet.microsoft.com/en-us/security/advisory/2757760&quot;&gt;https://technet.microsoft.com/en-us/security/advisory/2757760&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Vulnerability in Oracle Java being actively exploited</title>
    <pubDate>Tue, 04 Sep 2012 12:40:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2012/09/04#0904.123711.929.14993</link>
    <category>/alerts/2012</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2012/0904.123711.929.14993</guid>
    <description>A recent vulnerability in Oracle Java allows specially crafted Java code (such as a Java applet on a web page) to make arbitrary modifications to the software and data on an affected machine. This vulnerability is being actively exploited. The vulnerability has been fixed in Oracle Java 7 update 7, which has recently been released.  To protect yourself from this vulnerability, please either disable or uninstall the Java Runtime Environment (JRE) plug-in for your web browser, or upgrade it to Java 7 update 7. For more details about the vulnerability, and how to disable Java for various web browsers, please see &lt;A HREF=&quot;http://www.kb.cert.org/vuls/id/636312&quot;&gt;http://www.kb.cert.org/vuls/id/636312&lt;/A&gt;.  For more details about Java 7 update 7, see &lt;A HREF=&quot;http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html&quot;&gt;http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html&lt;/A&gt;. Java 7 update 7 can be downloaded from &lt;A HREF=&quot;http://www.java.com&quot;&gt;http://www.java.com&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Serious flaw in Microsoft Windows being exploited via IE, Office</title>
    <pubDate>Wed, 27 Jun 2012 10:18:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2012/06/27#0627.101714.929.26962</link>
    <category>/alerts/2012</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2012/0627.101714.929.26962</guid>
    <description>There is a serious security flaw in Microsoft XML Core Services 3.0 through 6.0, which is a part of all current versions of Microsoft Windows.  These services are used by Internet Explorer (IE) and Microsoft Office. The flaw allows attackers to run arbitrary code on your system by creating a specially crafted web page or Office document and persuading you to access it. This flaw is being actively exploited, and no patch is yet available from Microsoft.  However, Microsoft has released a &quot;Fix it&quot; workaround for IE.  A &quot;Fix it&quot; workaround is not a proper patch for the problem; it&apos;s a workaround that reduces the likelihood of an exploit succeeding.
&lt;P&gt;
Until this flaw is patched, we recommend you avoid using IE as much as possible, and use a different web browser instead.  If you must use IE, consider installing Microsoft&apos;s &quot;Fix it&quot; until a proper patch is available.  Moreover, please be cautious about any Microsoft Office document received via email or via the web. For example, you might consider not opening any emailed Microsoft Office document, even from a trusted source, unless you are expecting it. If in doubt, contact the sender to confirm.
&lt;p&gt;
For more information about this flaw, and for details of how to find and apply Microsoft&apos;s &quot;Fix it&quot; workaround, see &lt;A HREF=&quot;https://technet.microsoft.com/en-us/security/advisory/2719615&quot;&gt;https://technet.microsoft.com/en-us/security/advisory/2719615&lt;/A&gt; and &lt;A HREF=&quot;http://support.microsoft.com/kb/2719615&quot;&gt;http://support.microsoft.com/kb/2719615&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Beware of calls offering Microsoft help</title>
    <pubDate>Fri, 04 May 2012 10:24:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2012/05/04#0504.102159.929.13298</link>
    <category>/alerts/2012</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2012/0504.102159.929.13298</guid>
    <description>&lt;A HREF=&quot;https://twitter.com/#!/microsoftcanada/status/198132716384944128/photo/1/large&quot;&gt;According to Microsoft&lt;/A&gt;, there seems to be a rash of fraudulent phone calls to Canadians, where the caller offers &quot;Microsoft Help&quot;.  The caller often claims to be working for Microsoft, and often claims that a problem has been detected with the individual&apos;s computer.  The caller may ask for credit card information (allegedly to pay for the help) and/or for remote access to the individual&apos;s computer. Those called who provide access to their computers often have computer problems after the call.  These calls are always fraudulent: Microsoft does not make calls like this.  For more information, see &lt;A HREF=&quot;http://www.microsoft.com/security/online-privacy/msname.aspx&quot;&gt;http://www.microsoft.com/security/online-privacy/msname.aspx&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Patches for critical Adobe Reader/Acrobat vulnerability</title>
    <pubDate>Wed, 11 Jan 2012 12:11:00 -0500</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2012/01/11#0111.120946.929.8931</link>
    <category>/alerts/2012</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2012/0111.120946.929.8931</guid>
    <description>Security patches for current versions of Adobe Reader are now available.  These patches fix the critical vulnerability &lt;A HREF=&quot;http://www.cs.toronto.edu/support/security/alerts.cgi/2011/12/13#1213.102701.929.23543&quot;&gt;previously reported&lt;/A&gt;, a vulnerability that allows a maliciously crafted PDF file to run malicious commands as the person who is running Adobe Reader. For more information, please see Adobe security bulletins &lt;A HREF=&quot;http://www.adobe.com/support/security/bulletins/apsb11-30.html&quot;&gt;http://www.adobe.com/support/security/bulletins/apsb11-30.html&lt;/A&gt; and &lt;A HREF=&quot;http://www.adobe.com/support/security/bulletins/apsb12-01.html&quot;&gt;http://www.adobe.com/support/security/bulletins/apsb12-01.html&lt;/A&gt;.



</description>
  </item>
  <item>
    <title>Adobe Reader flaw on Windows and Mac, please upgrade to Adobe Reader X</title>
    <pubDate>Tue, 13 Dec 2011 10:31:00 -0500</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2011/12/13#1213.102701.929.23543</link>
    <category>/alerts/2011</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2011/1213.102701.929.23543</guid>
    <description>There is an unpatched vulnerability in Adobe Reader for Windows and Mac that allows a maliciously crafted PDF file to run commands as the person who is running Adobe Reader. Adobe claims that this vulnerability is being actively exploited on Windows. Adobe Reader X supports &quot;protected mode&quot;, which guards against this problem. While Adobe is working on a patch for current versions of Reader, it is not available yet.  In the meantime, Adobe recommends upgrading to the latest version of Adobe Reader X, and using its &quot;protected mode&quot; feature. Adobe Reader X is available at &lt;A HREF=&quot;http://get.adobe.com/reader&quot;&gt;http://get.adobe.com/reader&lt;/A&gt;. For more information, see &lt;A HREF=&quot;https://www.adobe.com/support/security/advisories/apsa11-04.html&quot;&gt;https://www.adobe.com/support/security/advisories/apsa11-04.html&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Malicious Word Document exploiting unpatched Windows hole</title>
    <pubDate>Thu, 03 Nov 2011 17:07:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2011/11/03#1103.170605.929.16395</link>
    <category>/alerts/2011</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2011/1103.170605.929.16395</guid>
    <description>A new &quot;0-day&quot; vulnerability in all versions of Microsoft Windows has been discovered, which is being actively exploited by the W32.Duqu worm. This worm exploits the bug by the use of a malicious Word document, which, if viewed on a Windows system, allows the worm to run arbitrary code on that system. A patch for this vulnerability has not yet been released by Microsoft.
&lt;br&gt;
Until this vulnerability is patched, please be particularly careful about viewing unsolicited Word documents obtained via web pages or via email, even if the sender appears to be a known and trusted person (the sender may be forged, or the sender&apos;s machine may be infected by the worm).  When emailed an unsolicited MS Word document, it may be prudent to confirm with the sender that the document was legitimately sent.
&lt;br&gt;
More information is available at &lt;A HREF=&quot;http://www.securityfocus.com/bid/50462&quot;&gt;http://www.securityfocus.com/bid/50462&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Beware of MacDefender malware for Apple Mac</title>
    <pubDate>Fri, 20 May 2011 14:56:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2011/05/20#0520.144833.929.16202</link>
    <category>/alerts/2011</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2011/0520.144833.929.16202</guid>
    <description>A piece of malicious software called MacDefender (or sometimes MacSecurity or MacProtector), targeting Apple Macintosh computers, is circulating widely.  This software attempts to install itself on a Mac when the user goes to certain web pages. It claims that &quot;Windows Security has found critical process activity on your PC and will perform a fast scan of system files&quot;.  It shows an animation of
a system scan that claims the computer is infected, and presents a popup inviting the user to remove the infection.  Even if the user clicks &quot;cancel&quot;, it will then download an installer and attempt to install. If the user provides his/her password, it will successfully install, and claim the Mac is infected. While the software is running, it will unexpectedly display pornographic websites. The software is configured to automatically start itself if the machine is restarted. To &quot;remove&quot; the infection, one is told to &quot;register&quot; the software.  Registration requests a credit card number, which if provided will be sent to a malicious site: the purpose of this software is apparently to persuade the user to provide that number.
&lt;p&gt;
The downloading of the software can be prevented by forcing the browser to quit. Clicking &quot;cancel&quot; will not work because that button is configured to actually install the software.
&lt;p&gt;
Apple has not yet officially/publicly acknowledged this threat but it has been &lt;A HREF=&quot;http://www.thestar.com/news/canada/article/994563--mac-users-hit-by-scareware-that-brings-up-porn-websites?bn=1&quot;&gt;reported in the media&lt;/A&gt;. For more information, and for what to do if infected, see
&lt;A HREF=&quot;http://www.tuaw.com/2011/05/02/macdefender-malware-targeting-mac-users&quot;&gt;http://www.tuaw.com/2011/05/02/macdefender-malware-targeting-mac-users&lt;/A&gt;.

</description>
  </item>
  <item>
    <title>Security vulnerability in Adobe Flash Player now patched</title>
    <pubDate>Wed, 27 Apr 2011 16:08:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2011/04/27#0427.160635.929.29248</link>
    <category>/alerts/2011</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2011/0427.160635.929.29248</guid>
    <description>The security vulnerability &lt;A href=&quot;alerts.cgi/2011/04/12#0412.094503.929.28727&quot;&gt;previously reported&lt;/a&gt; has now been patched by Adobe for Windows and MacOSX.  Patched versions of Adobe Flash player are available for Windows at &lt;A href=&quot;http://www.adobe.com/support/downloads/product.jsp?product=10&amp;platform=Windows&quot;&gt;http://www.adobe.com/support/downloads/product.jsp?product=10&amp;platform=Windows&lt;/a&gt; and for Macintosh at &lt;A href=&quot;http://www.adobe.com/support/downloads/product.jsp?product=10&amp;platform=Macintosh&quot;&gt;http://www.adobe.com/support/downloads/product.jsp?product=10&amp;platform=Macintosh&lt;/A&gt;.  For more information, see &lt;a href=&quot;http://www.adobe.com/support/security/advisories/apsa11-02.html&quot;&gt;http://www.adobe.com/support/security/advisories/apsa11-02.html&lt;/a&gt;.
</description>
  </item>
  <item>
    <title>Unpatched security vulnerability in Adobe Flash Player being actively exploited through malicious MS Word attachments.</title>
    <pubDate>Tue, 12 Apr 2011 09:49:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2011/04/12#0412.094503.929.28727</link>
    <category>/alerts/2011</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2011/0412.094503.929.28727</guid>
    <description>There is a security vulnerability in current versions of Adobe Flash player that allows criminals to create a malicious flash file that will run commands of the attacker&apos;s choice on your computer when viewed.  This vulnerability is being actively exploited by malicious email. A .doc or .docx (Microsoft Word) file is attached to the email. Embedded in the .doc attachment is a flash file that runs malicious commands on Microsoft Windows systems.
&lt;p&gt;
The vulnerability exists in Adobe Acrobat Reader as well, which has an embedded flash player, but Adobe is not aware of any attacks yet against Acrobat Reader.  Adobe plans to release a patched version of Flash Player and Acrobat Reader soon. 
&lt;p&gt;
Until this problem is patched, if you receive an email you are not expecting that contains a Microsoft Word attachment, do not open the attachment, even if the email is from someone you know (the sender can be forged).  If it is from someone you know, contact them to inquire whether they in fact sent you the attachment. If they did, you may open it.  If not, please delete it immediately without opening it.
&lt;p&gt;
For more information, see &lt;A href=&quot;http://www.adobe.com/support/security/advisories/apsa11-02.html&quot;&gt;http://www.adobe.com/support/security/advisories/apsa11-02.html&lt;/a&gt;.
</description>
  </item>
  <item>
    <title>Unpatched security vulnerability in Internet Explorer being actively exploited</title>
    <pubDate>Thu, 16 Dec 2010 12:57:00 -0500</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/12/16#1216.124748.929.15358</link>
    <category>/alerts/2010</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/2010/1216.124748.929.15358</guid>
    <description>&lt;p&gt;A security vulnerability in Internet Explorer (IE) version 6, 7, and 8 has been discovered, and is being exploited in targeted attacks.  It allows a specially crafted web page to run commands on your computer if you browse the page using IE. Microsoft has not yet released a patch. If possible, while waiting for a patch for this problem, consider using another web browser, such as &lt;a href=&quot;http://www.getfirefox.com&quot;&gt;Firefox&lt;/a&gt;, &lt;a href=&quot;http://chrome.google.com&quot;&gt;Chrome&lt;/a&gt; or &lt;a href=&quot;http://www.apple.com/safari&quot;&gt;Safari&lt;/a&gt;. If you rely on certain web pages that render properly only when using IE, the &lt;a href=&quot;http://www.ietab.net&quot;&gt;IE Tab&lt;/a&gt; plugin for &lt;a href=&quot;http://www.getfirefox.com&quot;&gt;Firefox&lt;/a&gt; and &lt;a href=&quot;http://chrome.google.com&quot;&gt;Chrome&lt;/a&gt; will allow you to designate specific pages within &lt;a href=&quot;http://www.getfirefox.com&quot;&gt;Firefox&lt;/a&gt; or &lt;a href=&quot;http://chrome.google.com&quot;&gt;Chrome&lt;/a&gt; to be rendered by IE. &lt;/p&gt;

&lt;p&gt;For more information, see &lt;a href=&quot;http://threatpost.com/en_us/blogs/new-remotely-exploitable-bug-found-internet-explorer-121010&quot;&gt;http://threatpost.com/en_us/blogs/new-remotely-exploitable-bug-found-internet-explorer-121010&lt;/a&gt; and &lt;a href=&quot;http://www.kb.cert.org/vuls/id/634956&quot;&gt;http://www.kb.cert.org/vuls/id/634956&lt;/a&gt;.&lt;/p&gt;
</description>
  </item>
  <item>
    <title>Protecting Web Login Data</title>
    <pubDate>Fri, 10 Dec 2010 14:17:00 -0500</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/12/10#webintercept</link>
    <category>/advice</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/advice/webintercept</guid>
    <description>&lt;p&gt;Many websites, like &lt;a href=&quot;http://www.facebook.com&quot;&gt;Facebook&lt;/a&gt;, &lt;a href=&quot;http://www.twitter.com&quot;&gt;Twitter&lt;/a&gt; or &lt;a href=&quot;http://www.gmail.com&quot;&gt;Gmail&lt;/a&gt;, require a login and password.  After you type that password, the website assigns your web browser a cookie, which represents your identity on that site while you are logged in.  If someone else can intercept your cookie, they can do anything on that website that you can.  &lt;/p&gt;

&lt;p&gt;Unfortunately, not all websites that use cookies in this way also use encryption (such as SSL/HTTPS) to protect your cookie from being intercepted as it is transmitted. You can tell if a particular website uses encryption by checking to see that the URLs used always start with &lt;em&gt;https://&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;If the website is not using encryption, anyone with the right software may be able to intercept your cookie and use it to impersonate you. One example of a software program that can do this is Firesheep, a plugin for the &lt;a href=&quot;http://www.firefox.com&quot;&gt;Firefox&lt;/a&gt; web browser. Firesheep makes it very easy to capture any visible cookies on a
network, without any sign to the user that this is happening, and to use those cookies to impersonate someone on a website. &lt;a href=&quot;http://articles.cnn.com/2010-11-01/tech/firesheep.wifi.security_1_wi-fi-social-networking-sites-firefox&quot;&gt;Amy Gahran of CNN wrote an article&lt;/a&gt; about her experience using Firesheep on a coffee-shop&apos;s wireless network.&lt;/p&gt;

&lt;p&gt;To protect yourself from this sort of attack, it is important to choose secure
access to websites whenever available.  The &lt;a href=&quot;https://www.eff.org/https-everywhere&quot;&gt;HTTPS Everywhere&lt;/a&gt; plugin
for &lt;a href=&quot;http://www.firefox.com&quot;&gt;Firefox&lt;/a&gt; makes this easy for many common sites: if the site offers both http and https access, &lt;a href=&quot;https://www.eff.org/https-everywhere&quot;&gt;HTTPS Everywhere&lt;/a&gt; will direct your &lt;a href=&quot;http://www.firefox.com&quot;&gt;Firefox&lt;/a&gt; web browser to use &lt;em&gt;HTTPS&lt;/em&gt;. &lt;/p&gt;

&lt;p&gt;Another way to protect yourself is to use a Virtual Private Network (VPN).  Any CSLab user can request access to the &lt;a href=&quot;http://support.cs.toronto.edu/wiki/Networking/VPN&quot;&gt;CSLab VPN&lt;/a&gt;, which will encrypt all your network traffic and tunnel it to the CSLab network, from which it will then be forwarded on to its destination. The University of Toronto also has a &lt;a href=&quot;http://vpn.utoronto.ca&quot;&gt;VPN service&lt;/a&gt;, which works similarly.  Note, however, that if you use a VPN, your network traffic will be routed through the university, so please do not do anything that you would not do when connected to the university&apos;s networks.&lt;/p&gt;

&lt;p&gt;Finally, please use general good sense when using online websites.  For example, when you are finished using a website, log out.  Be especially vigilant when using a public network (such as a Wi-Fi hotspot or an Internet cafe). Watch for signs that your social networking and other web accounts have been used by someone else, and change your password (using &lt;em&gt;HTTPS&lt;/em&gt; of course) if you think it has been.&lt;/p&gt;
</description>
  </item>
  <item>
    <title>Serious Vulnerability in Adobe Acrobat, Reader 9.4 and earlier: patch available</title>
    <pubDate>Wed, 17 Nov 2010 12:33:00 -0500</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/11/17#acrobat94</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/acrobat94</guid>
    <description>Adobe has announced that a serious vulnerability exists in Adobe Acrobat
and Acrobat Reader versions 9.4 and earlier, for all platforms
(Windows, Macintosh and UNIX).  It allows a specially crafted PDF
document to run arbitrary commands when viewed.  The vulnerability
has been fixed in version 9.4.1 of Acrobat and Acrobat Reader. Version
9.4.1 also incorporates an Adobe Flash security fix. Previous
versions should be upgraded. For more information, see &lt;A
HREF=&quot;http://www.adobe.com/support/security/bulletins/apsb10-28.html&quot;&gt;http://www.adobe.com/support/security/bulletins/apsb10-28.html&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Critical Exploited Vulnerability in Adobe Acrobat and Acrobat Reader Fixed</title>
    <pubDate>Wed, 06 Oct 2010 16:37:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/10/06#acrobat-20100913fix</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/acrobat-20100913fix</guid>
    <description>A security update is now available for the critical vulnerability in all versions of Adobe Acrobat/Acrobat Reader (version 9.3.4 and earlier), &lt;A HREF=&quot;http://www.cs.toronto.edu/support/security/alerts.cgi/2010/09/15#flashplayer-20010913&quot;&gt;reported previously&lt;/A&gt;.
The vulnerability allows an attacker to crash your computer
and/or take control of it.  Adobe recommends that all users of Acrobat
and Acrobat Reader versions 9.3.4 and earlier upgrade to version 9.4.
For more information, see &lt;a
href=&quot;http://www.adobe.com/support/security/bulletins/apsb10-21.html&quot;&gt;
http://www.adobe.com/support/security/bulletins/apsb10-21.html&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Fix for critical exploited vulnerability in Adobe Flash Player</title>
    <pubDate>Tue, 21 Sep 2010 09:56:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/09/21#flashplayer-20010913-fix</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/flashplayer-20010913-fix</guid>
    <description>Adobe has released version 10.1.85.3 of its Flash player, which
fixes the critical exploited vulnerability in 10.1.82.76 and earlier, &lt;A
HREF=&quot;http://www.cs.toronto.edu/support/security/alerts.cgi/2010/09/15#flashplayer-20010913&quot;&gt;reported
earlier&lt;/A&gt;.  The vulnerability allows an attacker to crash the computer
running Flash Player, and/or take control of it.  Adobe recommends all
users of Flash Player upgrade to 10.1.85.3.  For more information, see
&lt;a HREF=&quot;http://www.adobe.com/support/security/bulletins/apsb10-22.html&quot;&gt;
http://www.adobe.com/support/security/bulletins/apsb10-22.html&lt;/A&gt;
</description>
  </item>
  <item>
    <title>Critical Exploited Vulnerability in Adobe Flash Player, Acrobat Reader</title>
    <pubDate>Wed, 15 Sep 2010 13:07:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/09/15#flashplayer-20010913</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/flashplayer-20010913</guid>
    <description>Adobe has reported that a critical vulnerability exists in current
versions of Adobe Flash Player (version 10.1.82.76 and earlier) and
Acrobat/Acrobat Reader (version 9.3.4 and earlier), for all platforms.
The vulnerability allows an attacker to crash your computer
and/or take control of it.  Adobe claims that there are reports that the Flash Player
vulnerability is being actively exploited on Microsoft Windows.
Adobe promises fixes during the week of September 27th, 2010 for
Flash Player, and during the week of October 4th, 2010 for Acrobat and
Acrobat Reader.  In the meantime, users of
&lt;A HREF=&quot;http://www.mozilla.org&quot;&gt;Mozilla&lt;/A&gt; web browsers (&lt;A HREF=&quot;http://www.mozilla.org/firefox&quot;&gt;Firefox&lt;/A&gt;, &lt;A HREF=&quot;http://www.seamonkey-project.org&quot;&gt;SeaMonkey&lt;/A&gt;) can restrict the automatic execution of Flash media using the &lt;A
HREF=&quot;https://addons.mozilla.org/en-US/firefox/addon/722/&quot;&gt;noscript
add-on&lt;/A&gt;.  For more information, see &lt;a
href=&quot;http://www.adobe.com/support/security/advisories/apsa10-03.html&quot;&gt;
http://www.adobe.com/support/security/advisories/apsa10-03.html&lt;/a&gt;.
</description>
  </item>
  <item>
    <title>Critical Vulnerability in Adobe Acrobat, Acrobat Reader</title>
    <pubDate>Mon, 23 Aug 2010 12:01:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/08/23#acrobat933</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/acrobat933</guid>
    <description>
Adobe has announced a vulnerability in Adobe Acrobat and Adobe Acrobat
Reader 9.3.3 (and earlier versions) for Windows, Macintosh and UNIX
(Reader only) and Adobe Acrobat and Adobe Acrobat Reader 8.2.3 (and
earlier versions) for Windows and Macintosh.  It allows a specially
crafted PDF document to run arbitrary commands when viewed.  The
vulnerability has been fixed in version 9.3.4 and 8.2.4 of Acrobat and
Acrobat Reader, and previous versions should be upgraded. For more
information, see &lt;A
HREF=&quot;http://www.adobe.com/support/security/bulletins/apsb10-17.html&quot;&gt;http://www.adobe.com/support/security/bulletins/apsb10-17.html&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Critical Vulnerability in Adobe Flash Player, Adobe AIR </title>
    <pubDate>Mon, 16 Aug 2010 10:58:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/08/16#flashplayer20100816</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/flashplayer20100816</guid>
    <description>Adobe has released patches for the critical vulnerability in Adobe
Flash Player versions 9 and 10, and in Adobe AIR. This vulnerability
allows a malicious person to create flash media that will run commands
of their choosing on your computer when viewed.  This vulnerability
can be exploited by convincing a user to open a webpage, a PDF file or
another document that contains embedded malicious flash media.  Adobe
urges users of Flash Player 10 to upgrade to version 10.1.82.76, users
of Flash Player 9 to upgrade to 9.0.280, and users of Adobe AIR to
2.0.3.  For more information, see &lt;A
HREF=&quot;http://www.adobe.com/support/security/bulletins/apsb10-16.html&quot;&gt;
http://www.adobe.com/support/security/bulletins/apsb10-16.html&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Windows Remote Code Execution flaw being actively exploited, fix available </title>
    <pubDate>Tue, 03 Aug 2010 15:52:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/08/03#win-sh</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/win-sh</guid>
    <description>A serious vulnerability in all current versions of Microsoft
Windows permits remote attackers to run programs of their choice on a
Windows computer if they can persuade the user to display the icon of a
specially crafted shortcut.  This problem is being actively
exploited.  An off-cycle patch has been released by Microsoft and
is available via &lt;A HREF=&quot;http://update.microsoft.com&quot;&gt;Windows
Update&lt;/A&gt;. For more information, see &lt;a
href=&quot;http://www.microsoft.com/technet/security/Bulletin/MS10-046.mspx&quot;&gt;http://www.microsoft.com/technet/security/Bulletin/MS10-046.mspx&lt;/a&gt;.
</description>
  </item>
  <item>
    <title>Unpatched vulnerability in Adobe Flash now partially fixed</title>
    <pubDate>Thu, 10 Jun 2010 16:10:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/06/10#flashplayer10-0fix</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/flashplayer10-0fix</guid>
    <description>The critical unpatched vulnerability in Adobe Flash
Player 10.0.45.2 and earlier versions for all platforms &lt;A
HREF=&quot;http://www.cs.toronto.edu/support/security/alerts.cgi/2010/06/08#flashplayer10-0&quot;&gt;mentioned
previously&lt;/A&gt; has now been partially addressed by Adobe.
Flash Player version 10.1, which does not have this vulnerability, has
been released for most platforms (including
Windows and Mac), and it is now available from the &lt;A
HREF=&quot;http://get.adobe.com/flashplayer/&quot;&gt;Adobe Flash Player Download
Centre&lt;/A&gt;.  The version of Flash Player 10.1 released by Adobe for
Windows is the same version as the previous release candidate of 10.1
(10.1.53.64), so if you have installed that release candidate, that
should be sufficient.  Adobe confirms that version 8 and earlier do not
possess this vulnerability.  However, version 9 is still vulnerable;
Adobe promises a patch by June 29th, 2010.  For more information, see &lt;A
HREF=&quot;http://www.adobe.com/support/security/advisories/apsa10-01.html&quot;&gt;
http://www.adobe.com/support/security/advisories/apsa10-01.html&lt;/A&gt;
</description>
  </item>
  <item>
    <title>Critical unpatched vulnerability in Adobe Flash, Reader and Acrobat</title>
    <pubDate>Tue, 08 Jun 2010 12:31:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/06/08#flashplayer10-0</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/flashplayer10-0</guid>
    <description>Adobe has announced a critical unpatched vulnerability in Adobe Flash
Player 10.0.45.2 and earlier versions for all platforms.  This
vulnerability is also present in the embedded Flash functionality of
Adobe Acrobat and Acrobat Reader, for all platforms.  The vulnerability
allows an attacker to take control of an affected computer, and is
actively being exploited.  Adobe does not yet have a patch
for the problem. The Flash Player 10.1 release candidate at
&lt;A HREF=&quot;http://labs.adobe.com/technologies/flashplayer10&quot;&gt;
http://labs.adobe.com/technologies/flashplayer10&lt;/A&gt;
is not vulnerable, so although it is in &quot;beta&quot;, it may be
worthwhile to consider running it.  For more information, see &lt;A
HREF=&quot;http://www.adobe.com/support/security/advisories/apsa10-01.html&quot;&gt;
http://www.adobe.com/support/security/advisories/apsa10-01.html&lt;/A&gt;
</description>
  </item>
  <item>
    <title>New Vulnerability in Adobe Acrobat, Acrobat Reader: patch available</title>
    <pubDate>Wed, 14 Apr 2010 14:57:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/04/14#acrobat931</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/acrobat931</guid>
    <description>Adobe has announced a vulnerability in recent versions of Adobe
Acrobat and Adobe Acrobat Reader, for all platforms (Windows, Macintosh
and UNIX).  It allows a specially crafted PDF document to run arbitrary
commands when viewed.  The vulnerability has been fixed in version 9.3.2
and 8.2.2 of Acrobat and Acrobat Reader, and previous versions should be
upgraded. For more information, see &lt;A
HREF=&quot;http://www.adobe.com/support/security/bulletins/apsb10-09.html&quot;&gt;http://www.adobe.com/support/security/bulletins/apsb10-09.html&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Acrobat PDF Launch Action Can Be Used to Create Malicious PDF Documents</title>
    <pubDate>Wed, 07 Apr 2010 15:17:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/04/07#acrobatexec</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/acrobatexec</guid>
    <description>The PDF data format has a little-used feature called &quot;Launch Action&quot;,
which allows a specially crafted PDF file to execute an external program.
&lt;A HREF=&quot;http://blog.didierstevens.com/2010/03/29/escape-from-pdf/&quot;&gt;It
has recently been shown &lt;/A&gt; that this feature can be used by an attacker
to run arbitrary programs of the attacker&apos;s choosing.  Adobe Acrobat and
Acrobat Reader will issue a warning when this feature is being invoked,
and will permit it to execute only if the user selects &lt;B&gt;Open&lt;/B&gt;.
The warning reads: &lt;EM&gt;The file and its viewer application are set to be
launched by this PDF file. The file may contain programs, macros, or viruses
that could potentially harm your computer.  Only open the file if you are
sure it is safe.  If this file was placed by a trusted person or program,
you can click Open to view the file.&lt;/EM&gt;  We recommend that you always
select &lt;B&gt;Do Not Open&lt;/B&gt; when you see this message.

&lt;p&gt;Those who want to turn off the &quot;Launch Action&quot; feature
entirely can click &quot;Edit &gt; Preferences &gt; Categories &gt; Trust Manager &gt; PDF
File Attachments&quot; and then un-check the box that reads &quot;Allow opening of
non-PDF file attachments with external applications.&quot;

&lt;p&gt;Versions of the &lt;A HREF=&quot;http://www.foxitsoftware.com&quot;&gt;Foxit
PDF reader&lt;/A&gt; prior to 3.2.1 execute the
external program without issuing any warning, so &lt;A
HREF=&quot;http://www.foxitsoftware.com/pdf/reader/security.htm#0401&quot;&gt;Foxit
users should upgrade to 3.2.1 or later immediately&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Patch Available for Actively Exploited Internet Explorer Version 6 and 7 Vulnerability </title>
    <pubDate>Tue, 30 Mar 2010 13:50:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/03/30#ie-mar2010fix</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/ie-mar2010fix</guid>
    <description>
Microsoft today issued a new patch for an actively exploited
vulnerability in Internet Explorer version 6 and 7 (IE6, IE7) 
&lt;A HREF=&quot;http://www.cs.toronto.edu/support/security/alerts.cgi/2010/03/11#ie-mar2010&quot;&gt; described previously&lt;/A&gt;.  The vulnerability allows an
attacker to run arbitrary commands as the user who is
running the web browser.  The patch has been made available through
&lt;A HREF=&quot;http://windowsupdate.microsoft.com&quot;&gt;Windows Update&lt;/A&gt;,
so Windows machines configured for automatic updates should receive the patch
automatically.  For more information, see &lt;A
HREF=&quot;http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx&quot;&gt;http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Unpatched Internet Explorer Version 6 and 7 Vulnerability </title>
    <pubDate>Thu, 11 Mar 2010 15:50:00 -0500</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/03/11#ie-mar2010</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/ie-mar2010</guid>
    <description>An unpatched vulnerability in Internet Explorer version 6 and 7
(IE6, IE7) has been confirmed by Microsoft, and details about the
vulnerability have just been released. Public exploits are expected
imminently.  All versions of IE6 and IE7 are affected but IE8 (and IE5)
are not affected.  The vulnerability allows an attacker to run arbitrary
commands as the user who is running the web browser.  Microsoft has not
yet released a patch.  

&lt;p&gt; Microsoft makes some general suggestions at &lt;A
HREF=&quot;http://www.microsoft.com/protect&quot;&gt; http://www.microsoft.com/protect&lt;/A&gt;
that may help to reduce the likelihood and impact of an attack.  However,
we recommend the use of a web browser other than Internet Explorer,
such as &lt;a href=&quot;http://www.firefox.com&quot;&gt;www.firefox.com&lt;/a&gt;,
&lt;a href=&quot;http://www.google.com/chrome&quot;&gt;Google Chrome&lt;/a&gt;,
&lt;a href=&quot;http://www.apple.com/safari&quot;&gt;Apple Safari&lt;/a&gt;, or &lt;a
href=&quot;http://www.opera.com&quot;&gt;www.opera.com&lt;/a&gt;.  For more information, see
&lt;a href=&quot;http://www.microsoft.com/technet/security/advisory/981374.mspx&quot;&gt;
http://www.microsoft.com/technet/security/advisory/981374.mspx&lt;/a&gt;.
</description>
  </item>
  <item>
    <title>Recent Internet Explorer Vulnerability fixed</title>
    <pubDate>Fri, 22 Jan 2010 11:06:00 -0500</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/01/22#ie-jan2010fix</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/ie-jan2010fix</guid>
    <description>A fix is now available for the serious vulnerability
in all recent versions of Internet Explorer (IE) &lt;A
HREF=&quot;/support/security/alerts.cgi/2010/01/15#ie-jan2010&quot;&gt;reported
previously&lt;/A&gt;. Microsoft has disclosed in its patch release that the
vulnerability affected IE 5 too.  The fix (for all supported versions
of Internet Explorer) has been made available as an off-cycle
release via &lt;A HREF=&quot;http://update.microsoft.com&quot;&gt;Windows
Update&lt;/A&gt;.  For more information, please see &lt;A
HREF=&quot;http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx&quot;&gt;http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx&lt;/A&gt;.

&lt;p&gt; Given the fact that Internet Explorer is very frequently targeted
for exploits, and good alternative browsers exist, at present we continue
to recommend in general that web browsers other than Internet Explorer
be used for one&apos;s default or everyday browser.  Alternatives to Internet
Explorer include &lt;a href=&quot;http://www.firefox.com&quot;&gt;www.firefox.com&lt;/a&gt;,
&lt;a href=&quot;http://www.google.com/chrome&quot;&gt;Google Chrome&lt;/a&gt;,
&lt;a href=&quot;http://www.apple.com/safari&quot;&gt;Apple Safari&lt;/a&gt;, or &lt;a
href=&quot;http://www.opera.com&quot;&gt;www.opera.com&lt;/a&gt;.
</description>
  </item>
  <item>
    <title>Unpatched Internet Explorer Vulnerability</title>
    <pubDate>Fri, 15 Jan 2010 13:54:00 -0500</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/01/15#ie-jan2010</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/ie-jan2010</guid>
    <description>An unpatched vulnerability in all recent versions of Internet Explorer
(IE) has been confirmed by Microsoft, and is being actively exploited.
All versions of IE 6, 7, and 8 are affected.  The vulnerability allows
an attacker to run arbitrary commands as the user who is running the
web browser.  Microsoft has not yet released a patch.
&lt;p&gt;
Microsoft makes some general suggestions at &lt;A
HREF=&quot;http://www.microsoft.com/protect&quot;&gt; http://www.microsoft.com/protect&lt;/A&gt;
that may help to reduce the likelihood and impact of an attack.  However,
we recommend the use of a web browser other than Internet Explorer,
such as &lt;a href=&quot;http://www.firefox.com&quot;&gt;www.firefox.com&lt;/a&gt;,
&lt;a href=&quot;http://www.google.com/chrome&quot;&gt;Google Chrome&lt;/a&gt;,
&lt;a href=&quot;http://www.apple.com/safari&quot;&gt;Apple Safari&lt;/a&gt;, or &lt;a
href=&quot;http://www.opera.com&quot;&gt;www.opera.com&lt;/a&gt;.  For more information, see
&lt;a href=&quot;http://www.microsoft.com/technet/security/advisory/979352.mspx&quot;&gt;
http://www.microsoft.com/technet/security/advisory/979352.mspx&lt;/a&gt;.
</description>
  </item>
  <item>
    <title>Fix for December 2009 Adobe Acrobat Vulnerability</title>
    <pubDate>Fri, 15 Jan 2010 13:36:00 -0500</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2010/01/15#acrobat93jsfix</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/acrobat93jsfix</guid>
    <description>Adobe has released Acrobat and Acrobat Reader 9.3, which fixes the serious and actively exploited JavaScript
vulnerability &lt;A HREF=&quot;http://www.cs.toronto.edu/support/security/alerts.cgi/2009/12/17#dec2009acrobat92&quot;&gt;previously reported&lt;/A&gt;. Users of Acrobat and Acrobat Reader 9.2 and
earlier are urged to upgrade to 9.3.  For users of Acrobat 8.x who are unable
to upgrade to 9.3, Adobe has released Acrobat 8.2, which also fixes
this vulnerability. For more information, see &lt;A HREF=&quot;http://www.adobe.com/support/security/bulletins/apsb10-02.html&quot;&gt;http://www.adobe.com/support/security/bulletins/apsb10-02.html&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system.</title>
    <pubDate>Thu, 17 Dec 2009 09:24:00 -0500</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2009/12/17#dec2009acrobat92</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/dec2009acrobat92</guid>
    <description>
 There are reports that this vulnerability is being actively exploited in the wild. Adobe recommends customers follow the mitigation guidance below until a patch is available.&lt;BR&gt;


This vulnerability applies to Adobe Reader 9.2 and earlier versions for Windows, Macintosh, and UNIX and
Adobe Acrobat 9.2 and earlier versions for Windows and Macintosh.&lt;BR&gt;


It is possible to mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:&lt;BR&gt;

1. Launch Acrobat or Adobe Reader.&lt;BR&gt;

2. Select Edit&gt;Preferences&lt;BR&gt;

3. Select the JavaScript Category&lt;BR&gt;

4. Uncheck the &apos;Enable Acrobat JavaScript&apos; option&lt;BR&gt;

5. Click OK&lt;BR&gt;


Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue. &lt;BR&gt;


See &lt;a href=&quot;http://www.adobe.com/support/security/advisories/apsa09-07.html&quot;&gt;http://www.adobe.com/support/security/advisories/apsa09-07.html&lt;/a&gt; for more information.
</description>
  </item>
  <item>
    <title>Critical Vulnerabilities in Adobe Flash Player, Adobe AIR</title>
    <pubDate>Fri, 11 Dec 2009 10:49:00 -0500</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2009/12/11#flashplayer-multiple</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/flashplayer-multiple</guid>
    <description>Adobe has reported that a number of critical vulnerabilities exist in widely
used versions of Adobe Flash Player versions 9 and 10, and Adobe AIR, that
allow a malicious person to create flash media that will run commands of
their choosing on your computer when viewed.
This problem is fixed in Adobe Flash Player version
9.0.260, version 10.0.42.34, and Adobe AIR 1.5.3. Previous
versions are vulnerable.  For more information, see &lt;a
href=&quot;http://www.adobe.com/support/security/bulletins/apsb09-19.html&quot;&gt;
http://www.adobe.com/support/security/bulletins/apsb09-19.html&lt;/a&gt;, or
&lt;A HREF=&quot;http://www.publicsafety.gc.ca/prg/em/ccirc/2009/av09-051-eng.aspx&quot;&gt;
http://www.publicsafety.gc.ca/prg/em/ccirc/2009/av09-051-eng.aspx&lt;/A&gt;.
</description>
  </item>
  <item>
    <title>Unpatched Internet Explorer 6 and 7 Vulnerability</title>
    <pubDate>Tue, 24 Nov 2009 09:57:00 -0500</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2009/11/24#ie-css</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/ie-css</guid>
    <description>An unpatched vulnerability in Internet Explorer (IE) versions 6 and 7, the
default web browser in many versions of Microsoft Windows (Windows 2000,
XP, Server 2003, Server 2008, and Vista), has been publicly announced,
and an exploit for this vulnerability is available.  It allows an attacker
to run arbitrary commands as the user who is running the web browser.
Microsoft has not yet released a patch.  Internet Explorer version 8 is
not affected.

&lt;p&gt;Microsoft makes 
&lt;a href=&quot;http://www.microsoft.com/technet/security/advisory/977981.mspx&quot;&gt;some
configuration suggestions&lt;/a&gt; that can reduce the
impact of an attack.  However, we recommend the use of a
web browser other than Internet Explorer 6 or 7, such as &lt;a
href=&quot;http://www.microsoft.com/windows/Internet-explorer/default.aspx&quot;&gt;Internet
Explorer 8&lt;/a&gt;, &lt;a href=&quot;http://www.firefox.com&quot;&gt;www.firefox.com&lt;/a&gt;,
&lt;a href=&quot;http://www.google.com/chrome&quot;&gt;Google Chrome&lt;/a&gt;,
&lt;a href=&quot;http://www.apple.com/safari&quot;&gt;Apple Safari&lt;/a&gt;, or &lt;a
href=&quot;http://www.opera.com&quot;&gt;www.opera.com&lt;/a&gt;.  For more information, see
&lt;a href=&quot;http://www.microsoft.com/technet/security/advisory/977981.mspx&quot;&gt;
http://www.microsoft.com/technet/security/advisory/977981.mspx&lt;/a&gt;.
</description>
  </item>
  <item>
    <title>Patches available for Vista SMB2 Remote Command Execution Vulnerability </title>
    <pubDate>Wed, 14 Oct 2009 09:38:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2009/10/14#smb2fix</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/smb2fix</guid>
    <description>The security vulnerability in Windows Vista, Server 2008, and &lt;A
HREF=&quot;http://www.microsoft.com/windows/windows-7/get/download.aspx&quot;&gt;Windows
7 RC&lt;/A&gt; &lt;A
HREF=&quot;http://www.cs.toronto.edu/support/security/alerts.cgi/2009/09/17#smb2&quot;&gt;reported
previously&lt;/A&gt; has been patched.  The vulnerability was caused by a
bug in SMB v2.0 (the part of Windows that implements enhanced network
shares), allowing an attacker to create a specially crafted network
packet to run arbitrary commands on an affected Windows machine.  For more
information, see &lt;A
HREF=&quot;http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx&quot;&gt;
http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx&lt;/A&gt;
</description>
  </item>
  <item>
    <title>Patch for A New Adobe Acrobat Vulnerability</title>
    <pubDate>Tue, 13 Oct 2009 16:13:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2009/10/13#acrobat92</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/acrobat92</guid>
    <description>Adobe has released patches to all shipping versions of Acrobat and
Acrobat Reader, for all platforms (Windows, Mac, UNIX) that fix
a newly identified vulnerability that would allow an attacker to
create a malicious PDF file that, when viewed with Acrobat, could run
arbitrary commands as the user viewing the file.  Adobe claims that
versions 9.2, 8.1.7 and 7.1.4 of Acrobat and Acrobat Reader contain
the fix.  Users of previous versions of Acrobat on all platforms are
urged to upgrade to one of these versions. For more information, see &lt;a
href=&quot;http://www.adobe.com/support/security/bulletins/apsb09-15.html&quot;&gt;
http://www.adobe.com/support/security/bulletins/apsb09-15.html&lt;/a&gt;.
</description>
  </item>
  <item>
    <title>Vista SMB2 Vulnerability Allows Remote Command Execution</title>
    <pubDate>Thu, 17 Sep 2009 13:31:00 -0400</pubDate>
    <link>http://www.cs.toronto.edu/support/security/alerts.cgi/2009/09/17#smb2</link>
    <category>/alerts</category>
    <guid isPermaLink="false">http://www.cs.toronto.edu/support/security/alerts.cgi/alerts/smb2</guid>
    <description>A security vulnerability in Windows Vista, Server 2008, and &lt;A
HREF=&quot;http://www.microsoft.com/windows/windows-7/get/download.aspx&quot;&gt;Windows
7 RC&lt;/A&gt; has been discovered.  A bug in SMB v2.0 (the part of Windows
that implements enhanced network shares) allows an attacker to create a
specially crafted network packet to run arbitrary commands on an affected
Windows machine.  &lt;A HREF=&quot;http://isc.sans.org/diary.html?storyid=7141&quot;&gt;An
exploit of this bug has already been made public.&lt;/A&gt;  Windows 2000, XP, and
the RTM (final) version of Windows 7 are not affected by this bug, but the
&lt;A HREF=&quot;http://www.microsoft.com/windows/windows-7/get/download.aspx&quot;&gt;RC
(beta/testing) version of Windows 7&lt;/A&gt; is apparently affected.  Microsoft
has not yet released a fix, but has published some workarounds at &lt;A
HREF=&quot;http://www.microsoft.com/technet/security/advisory/975497.mspx&quot;&gt;
http://www.microsoft.com/technet/security/advisory/975497.mspx&lt;/A&gt;.
</description>
  </item>
  </channel>
</rss>
