
SANS ISC InfoSec Handlers Diary Blog



Adobe Reader 9

Published: 2008-07-17
Last Updated: 2008-07-17 22:13:00 UTC
by Mari Nichols (Version: 3)
3 comment(s)

One of our readers, Steve, let us know that the Adobe website has Version 9 of Reader available for download.  Be sure to notice that the "Free eBay Desktop" they kindly offer is checked by default, and that the download is 33.5MB.

As far as security upgrades go, Adobe says the security enhancements provide new digital signature functionality. The new version also adds support for 256-bit AES encryption.  Other security features include SOAP/WSDL, XSD, Kerberos, W3C XML digital signatures, OASIS WS-Security, HTTP/HTTPS, RSA, XML encryption, and ECMAScript for XML (E4X) in the JavaScript interpreter. Reader is also NIST PKI test-suite compliant.

UPDATE  Downloaders Beware:  Tim M. wrote in to let us know that installing Adobe Reader 9 leaves you with an "Acrobat.com" icon on your desktop.  It appears to be a beta version of software based on Adobe AIR, and you do not have the option not to install it.  The icon launches an app for sharing files, etc. online.  This makes us wonder what kind of security implications arise from your users having online collaboration tools in a beta distribution.  Included in the download are Adobe Buzzword, a web-based online word processor, and Adobe ConnectNow, a meeting facilitator, both of which allow workers to share information.  The programs can be manually removed via Control Panel, Add or Remove Programs.

More info here:  http://www.adobe.com/acom/createpdf/?promoid=DAFVV 

UPDATE  2:  One of our readers, Rauno, let us know that a smaller installer, AdbeRdr90_en_US_Std.exe, without these two extra apps is available from Adobe's FTP website at ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.0/enu


Microsoft Updates 2 DirectX Bulletins

Published: 2008-07-17
Last Updated: 2008-07-17 18:48:22 UTC
by Mari Nichols (Version: 1)
2 comment(s)

Microsoft has issued a "Security Bulletin Major Revision" involving its DirectX products.  These revisions include the following two previously released bulletins and particularly affect administrative users, as the resulting compromise allows the attacker to gain the same rights as the logged-on user.

MS08-033   Vulnerabilities in DirectX Could Allow Remote Code Execution (951698) is rated as critical and states that DirectX 9.0 was added as affected software. This vulnerability can be exploited through a specially crafted media file.  http://www.microsoft.com/technet/security/Bulletin/MS08-033.mspx

MS07-064   Vulnerabilities in DirectX Could Allow Remote Code Execution (941568) is also rated critical and has been updated to reflect DirectX 9.0 and 9.0a as affected software.  This vulnerability can be exploited through a specially crafted media file via streaming.  http://www.microsoft.com/technet/security/bulletin/ms07-064.mspx

Yet another opportunity to remind administrators not to log in with admin rights unless it is absolutely necessary.  It is much better to use a non-admin profile for routine tasks and surfing.  And yes, it might be more cumbersome, but it is surely more secure.

Keywords: DirectX 9

Firefox Releases 3.0.1 and fixes 3 security vulnerabilities

Published: 2008-07-17
Last Updated: 2008-07-17 18:43:29 UTC
by Mari Nichols (Version: 1)
0 comment(s)

A security advisory released yesterday by Mozilla fixes the following issues and more:

MFSA 2008-36 Crash with malformed GIF file on Mac OS X. A specially crafted GIF file causes the browser to free an uninitialized pointer, which can crash the browser and allow arbitrary code execution on the victim's computer.
 
MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running. Now this one had an easy workaround... just always run Firefox!

MFSA 2008-34 Remote code execution by overflowing CSS reference counter. This vulnerability affects the CSSValue array data structure.
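
MFSA 2008-34 is a reference-counter overflow. The following added C example (not Mozilla's code; the RefObj type, its 16-bit counter width and the function names are hypothetical) models why such a bug matters: an unchecked narrow counter wraps to zero, so one holder's release frees an object that thousands of other holders still point to, whereas a saturating add-ref refuses the extra reference instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for a reference-counted array (not Mozilla's CSSValue code). */
typedef struct {
    uint16_t refcnt;  /* deliberately narrow: models a counter that can wrap to 0 */
    bool     freed;   /* set when the object would be deallocated (simulated free) */
} RefObj;

/* Vulnerable pattern: the increment is never bounds-checked, so the 65536th
 * reference wraps the counter back to zero while every holder keeps its pointer. */
static void addref_unchecked(RefObj *o) {
    o->refcnt++;
}

/* Hardened pattern: saturate instead of wrapping; a false return tells the caller
 * no reference was granted, so it must not keep a pointer to the object. */
static bool addref_checked(RefObj *o) {
    if (o->refcnt == UINT16_MAX) return false;
    o->refcnt++;
    return true;
}

/* Drop one reference; at zero the object would be freed (recorded, not performed). */
static void release(RefObj *o) {
    if (--o->refcnt == 0) o->freed = true;
}

/* Grant `refs` references, let one holder release, and report whether the object
 * was freed while other holders remain: the dangling-pointer state behind a
 * use-after-free. `granted` tracks the true number of live holders. */
static bool premature_free(size_t refs, bool hardened) {
    RefObj o = {0, false};
    size_t granted = 0;
    for (size_t i = 0; i < refs; i++) {
        if (hardened) {
            if (!addref_checked(&o)) break;  /* caller sees failure, takes no alias */
        } else {
            addref_unchecked(&o);
        }
        granted++;
    }
    if (granted == 0) return false;
    release(&o);
    granted--;
    return o.freed && granted > 0;
}
```

With 65537 references the unchecked counter reads 1, so a single release frees the object for the remaining 65536 holders; the checked variant stops granting at 65535 and never reaches that state.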
 
In addition to the security fixes, some stability fixes, a phishing and malware database fix and an updated Public Suffix list are included in this version.
Update:  The new version isn't compatible with the SnagIt plugin.
