Enabling Secure Business Operations

Critical Acrobat Reader Vulnerability

Hot on the heels of a Flash Player critical vulnerability, Adobe has released a security bulletin outlining a critical vulnerability in all Adobe Reader and Acrobat versions prior to version 8.1.3.

Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.2 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Acrobat and Reader version 9 are not vulnerable to these particular flaws. A few interesting things to note here. No patch for Acrobat/Reader 7 and earlier has been released. Additionally, the update is available only by moving to a new version of Acrobat/Reader, either version 8.1.3 or 9. This may cause significant pain and stress for organizations that have standardized on Acrobat or Reader, especially in FDA-validated systems, because Adobe has not made it possible to simply apply a security patch to the affected software. Instead, organizations must deploy a new version, which may contain additional changes including a changed user interface, changed behavior, and changed compatibility. Therefore, I expect some organizations may choose to live with the risk rather than move to a new version and have to re-document and re-validate their processes against an updated version of Acrobat or Reader.

Critical Flash Player Update

Adobe has released an advisory about a series of critical vulnerabilities in Flash Player 9.0.124.0 and earlier. The fix is to install the just-released Flash Player 10.0.12.36. The interesting thing is that the architecture of some security-related features has changed substantially in Flash Player 10, so things that used to work with 9 may stop working with 10.

Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. Due to the possibility that these security enhancements and changes may impact existing content, customers are advised to review this Adobe Developer Center article to determine if their content will be impacted, and to begin implementing necessary changes immediately to help ensure a seamless transition.

The bulletin is here, and the updated player is here.  Happy patching!

Do as we say, not as we do

From DarkReading.com:

With all the talk about hackers launching attacks from legitimate Websites, you’d think that the major security vendors’ sites, at least, would be vulnerability-free.

Not so, according to a report issued yesterday by a security watchdog site.
The site, XSSed, states that it has verified some 30 cross-site scripting vulnerabilities spread across the Websites of three of the industry’s best-known security vendors: McAfee, Symantec, and VeriSign. The vulnerabilities could make it possible for attackers to launch phishing campaigns from these sites or even distribute malware to the companies’ customers, according to XSSed.

Cross-site scripting vulnerabilities aren’t a new type of threat, and they aren’t particularly difficult to defend against. It seems a little crazy that the companies that many people depend on to help them get a handle on security don’t practice the things that they preach. Or then again, maybe they don’t even preach them:

This isn’t the first time that XSS vulnerabilities have been exposed on sites such as McAfee’s and Symantec’s, notes Jeremiah Grossman, CTO of WhiteHat Security. Back in January, XSSed reported that some 60 sites that had received the “hacker safe” label from McAfee’s ScanAlert service were vulnerable to XSS attacks. (Emphasis added)

I disagree with Grossman’s conclusion, however, that the XSS vulnerabilities on these security companies’ web sites aren’t something to worry about. His argument is that, while these are security companies, they primarily focus on anti-virus and anti-malware software. However, when these companies start handing out “Hacker Safe!” badges to other web sites (which, in my opinion, is like throwing rocks at a beehive), they put themselves in an arena in which things like simple XSS vulnerabilities cannot be overlooked. I believe that the “more important” sites that are mentioned, such as bank and e-commerce web sites, are really unlikely to have their security problems taken care of before the people who are supposed to “know security” do.

Gemini Security Solutions Joins SAFE-BioPharma Association Vendor Partner Program

From the press release:

“We are pleased to be given this opportunity to be directly supporting SAFE’s mission of delivering unique electronic identity credentials for legally enforceable and regulatory compliant digital signatures across the global biopharmaceutical environment,” said Peter Hesse, President and Founder, Gemini Security Solutions. “We have focused significant energy toward helping corporations realize the benefits of digital signatures and identity management standards to safeguard critical information. We are excited to be recognized both as a SAFE partner and a trusted technical expert.”

We are glad to officially be a part of the SAFE community. While we have been involved in SAFE since its inception, we are now playing a greater part in the development and adoption of secure standards for the biopharmaceutical industry.

Funny “Hacking” Story

The folks over at The Daily WTF have an amusing story about trying to determine whether a sales pitch was worth it.

Since there’s really only one thing that could cause such a dialog to pop up so fast, I checked the source code…

// Client-side "login": the account name, the password and the protected URL
// all ship to every visitor in the page source.
if (form.id.value=="buyers") {
    if (form.pass.value=="gov1996") {
        location="http://officers.federalsuppliers.com/agents.html"
    }
}

Even if you don’t understand Javascript, you can probably appreciate how terrible this implementation is…

Microsoft OneCare Again

This is great. We covered Microsoft OneCare when it was first announced and again when Vista was nearing release. Now comes news from SecurityFocus that Microsoft OneCare deleted Outlook e-mails...

Recent reports suggest Microsoft’s OneCare anti-virus offering suffered a bug that could have caused it to delete or quarantine all e-mail in a user’s Outlook inbox, in certain cases when it finds a virus.

Well isn’t that nice. You have a spam/virus email in your PST, so to get rid of it, we’ll just delete the entire PST file. Yikes. Glad they didn’t include it in Vista as Anil had suggested.

Here’s a new one

Taking profiteering to a new level:

I got hacked by my own host. No, it wasn’t a mistake. No, the server didn’t just go down. They hacked it so that they could upsell me on some $2000 security audit and package!

“They” seems to be the malicious action of one individual who part-timed on support for the hosting provider and worked at a security consulting firm. Interesting (but illegal) way of drumming up business…

Come on, we’ve all done it…

Every software developer has done this at one point in time… You fix a bug but, in the process, introduce a new one.

Well, it sucks when the bug you are fixing is actually a cumulative patch for eight security vulnerabilities, and the bug you introduce is a security vulnerability as severe as the worst of the eight you fixed.

Oh well, here’s hoping they get this one worked out before exploits show up in the wild.

You Care, I Care, We All Want to be Cared

Microsoft recently made some major changes to the Vista code to increase stability and create a more secure operating system.

This is the “new” Microsoft: more secure, more stable, and able to do anything that (*cough*) Mac OS X can. To be honest, I like this shift, and borrowing (to use the term lightly) provides the seeds for innovation.

To help improve security, MS is going to provide users with a product called Windows Live OneCare. It is an anti-virus/spyware scanner with some extra bells and whistles. (Windows already has a defragmenter; do I need it repackaged in this product?)

Here’s the catch: it’s $49.95 per year. Now don’t get me wrong, you have to pay for Symantec’s anti-virus too. But Symantec doesn’t write the OS code; they exist because MS can’t do it securely.

My point is, why not just include OneCare with Vista? Users are paying a lot of money already. Not only that, but home users will not pay for OneCare, because they don’t care. How many people do you know who just use whatever anti-virus Dell preloaded, only to ignore the expired-definition warnings after the free six months?

Then your friends call and ask you to fix their computer.

If OneCare is automated to update and scan on its own, then home users are covered. Fewer security problems give you a better reputation and help in dealing with the corporate market. I’d say, “just write better code,” but that isn’t going to happen.

Don’t play their game, MS. Look at the other OSes you are already taking ideas from. How much money do you think Symantec makes from its OS X anti-virus scanner?

How much money do you think you’ll make from offering a product no one will pay for? How much more “secure” will that make Vista? The only way users will pay is with crashed hard drives, stolen data, and all sorts of headaches.

Here is an opportunity where MS goals meet consumer ones. MS wants to provide a more secure OS, “borrow” ideas, stifle competition (what company doesn’t, deep down)... and ultimately generate more revenue. Let’s face it, the past few years haven’t been great for MS.

Incorporating OneCare meets these goals.

Users and businesses want a secure OS too: a secure OS that takes care of itself and doesn’t require mom and pop and the IT guy on the third floor to constantly deal with a variant of the Sober worm. It would also be nice if people weren’t required to buy other anti-virus products to patch an expensive OS (hmm… lawsuit?).

Incorporating OneCare meets these goals too.

Microsoft OneCare Live

Microsoft has recently announced pricing and licensing details for their OneCare Live service. Question: will users really pay the company that gave them an operating system susceptible to viruses, spyware, and malware an additional $50/year?