Thursday, August 19, 2010

Adobe 'Out Of Band' CRITICAL Updates Parade:
Acrobat and Reader v9.3.4

And the parade marches on. At last we have the latest in CRITICAL Adobe security hole updates. This time the updates are for Adobe Acrobat and Adobe Reader. GET THEM NOW!

Because the process of getting to actual download links at the Adobe site is a huge PITA, here are direct URLs for English Intel Mac users. Send me virtual luv:

Acrobat Reader v9.3.4 update

Adobe Acrobat 9.3.4 Pro update

The general update page for all other users and versions is HERE.

What's so CRITICAL? The update's security bulletin is HERE.

To quote Adobe:

These updates address CVE-2010-2862, which was discussed at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. They also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-16.
My summary:

1) The updates patch a memory corruption vulnerability that could lead to arbitrary code execution on your Mac, or at least to crashes. IOW it's the same old overflow problem that plagues current computer coding in general: an integer overflow in a font parser that ends in a too-small buffer being overrun. (As found in CVE-2010-2862.)

Quoting from the CVE:

Integer overflow in CoolType.dll in Adobe Reader 8.2.3 and 9.3.3, and Acrobat 9.3.3, allows remote attackers to execute arbitrary code via a TrueType font with a large maxCompositePoints value in a Maximum Profile (maxp) table.
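To make the "integer overflow in a font table" idea concrete, here is an added example (not code from the page, from Adobe, or from CoolType) that parses a version 1.0 'maxp' table from constructed bytes and computes a scratch allocation from maxCompositePoints two ways. The real CoolType record layout and size arithmetic are not described on this page, so the Point record and the "+1 in 16-bit arithmetic" bug are hypothetical stand-ins for the class of mistake; the hardened version widens the value before doing arithmetic and bounds-checks it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-point scratch record. The real CoolType record layout and
 * size arithmetic are not described on this page; this is an illustrative stand-in. */
typedef struct { int16_t x, y; uint8_t flags; } Point;

/* The fields of a version 1.0 'maxp' table that matter here (TrueType spec:
 * 32 bytes, big-endian; the remaining nine uint16 fields are not decoded). */
typedef struct {
    uint32_t version;
    uint16_t numGlyphs;
    uint16_t maxPoints;
    uint16_t maxContours;
    uint16_t maxCompositePoints;
    uint16_t maxCompositeContours;
} Maxp;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse a maxp table. Returns 0 on success, -1 if too short or not version 1.0. */
int parse_maxp(const uint8_t *buf, size_t len, Maxp *out) {
    if (len < 32) return -1;
    out->version = be32(buf);
    if (out->version != 0x00010000u) return -1;
    out->numGlyphs            = be16(buf + 4);
    out->maxPoints            = be16(buf + 6);
    out->maxContours          = be16(buf + 8);
    out->maxCompositePoints   = be16(buf + 10);
    out->maxCompositeContours = be16(buf + 12);
    return 0;
}

/* VULNERABLE (hypothetical): the "+1 for an extra slot" is done in 16-bit
 * arithmetic, so 0xFFFF + 1 wraps to 0 and the allocation request becomes 0 bytes;
 * the later loop that fills 65536 points then writes far past the allocation. */
uint32_t scratch_bytes_vulnerable(uint16_t maxCompositePoints) {
    uint16_t count = (uint16_t)(maxCompositePoints + 1u);
    return (uint32_t)count * (uint32_t)sizeof(Point);
}

/* HARDENED: widen before arithmetic, reject anything beyond the field's
 * theoretical maximum plus one, and guard the multiply against size_t wrap.
 * Returns 0 to signal rejection. */
size_t scratch_bytes_hardened(uint16_t maxCompositePoints) {
    size_t count = (size_t)maxCompositePoints + 1;
    if (count > 0x10000u || count > SIZE_MAX / sizeof(Point)) return 0;
    return count * sizeof(Point);
}

/* 1 if writing `points` Point records would overrun an allocation of `alloc` bytes. */
int would_overflow(size_t alloc, size_t points) {
    return points > SIZE_MAX / sizeof(Point) || points * sizeof(Point) > alloc;
}

/* Constructed maxp bytes: version 1.0, 2 glyphs, 16 points, 2 contours,
 * maxCompositePoints = 0xFFFF; the remaining bytes are zero-filled. */
static const uint8_t EVIL_MAXP[32] = {
    0x00,0x01,0x00,0x00,  0x00,0x02,  0x00,0x10,  0x00,0x02,  0xFF,0xFF,  0x00,0x00
};

int main(void) {
    Maxp m;
    if (parse_maxp(EVIL_MAXP, sizeof EVIL_MAXP, &m) != 0) { puts("bad maxp"); return 1; }
    size_t   points = (size_t)m.maxCompositePoints + 1;
    uint32_t vuln   = scratch_bytes_vulnerable(m.maxCompositePoints);
    size_t   safe   = scratch_bytes_hardened(m.maxCompositePoints);
    printf("maxCompositePoints=%u: vulnerable alloc=%u bytes (overrun: %s), hardened alloc=%zu bytes\n",
           m.maxCompositePoints, vuln, would_overflow(vuln, points) ? "yes" : "no", safe);
    return 0;
}
```

The take-away for a reviewer of any binary-format parser: every count read from the file is attacker-controlled, so do the arithmetic in a type wider than the field, check the result against a bound you can justify, and only then allocate.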

2) They close a social engineering hole in the Launch File warning dialog: a PDF can put attacker-chosen text into the dialog that asks whether to run a local program, making it easier to talk a user into clicking Open and executing whatever the PDF specified, which could lead to arbitrary code execution on your Mac. (As found in CVE-2010-1240; note that the CVE text below lists 9.x before 9.3.3 and 8.x before 8.2.3 as the affected versions.)

Quoting from the CVE:

Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message.
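Since the attack above lives entirely inside the PDF's action dictionaries, the practical check is to look for them before a file ever reaches a viewer. Below is an added example (not code from the page or from Adobe) that scans a PDF buffer for /Launch actions and for /OpenAction (which fires without the user opening anything). Both sample PDFs are constructed for this example; the first spells the name as /L#61unch, a legal PDF name escape, to show why a scanner must decode escapes before matching. The scanner is a heuristic: it decodes #xx escapes everywhere rather than only inside names, and it cannot see objects packed into compressed object streams.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample PDFs for the example (not real in-the-wild files).
 * The first carries a Launch action reached from the catalog's OpenAction,
 * with /Launch written as /L#61unch (a legal name escape). */
static const char LAUNCH_PDF[] =
    "%PDF-1.4\n"
    "1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    "2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    "3 0 obj << /Type /Action /S /L#61unch /Win << /F (cmd.exe) /P (/c echo hello) >> >> endobj\n"
    "trailer << /Root 1 0 R >>\n"
    "%%EOF\n";

static const char PLAIN_PDF[] =
    "%PDF-1.4\n"
    "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    "2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    "trailer << /Root 1 0 R >>\n"
    "%%EOF\n";

typedef struct {
    int launch_actions;  /* whole-name occurrences of /Launch */
    int open_actions;    /* whole-name occurrences of /OpenAction */
} PdfScan;

/* Decode #xx escapes (PDF name syntax) into out; returns the decoded length.
 * Heuristic: escapes are decoded everywhere, not only inside names, and a
 * decoded NUL byte would stop the strstr-based matching below. */
static size_t decode_name_escapes(const char *in, size_t len, char *out, size_t outcap) {
    size_t o = 0;
    for (size_t i = 0; i < len && o + 1 < outcap; i++) {
        if (in[i] == '#' && i + 2 < len &&
            isxdigit((unsigned char)in[i + 1]) && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return o;
}

/* A PDF name ends at whitespace or a delimiter character. */
static int is_delim(char c) {
    return c == '\0' || isspace((unsigned char)c) || strchr("/[]<>(){}%", c) != NULL;
}

/* Count whole-name occurrences of `name` (e.g. "/Launch" but not "/LaunchX"). */
static int count_name(const char *text, const char *name) {
    int n = 0;
    size_t nl = strlen(name);
    for (const char *p = strstr(text, name); p; p = strstr(p + nl, name))
        if (is_delim(p[nl])) n++;
    return n;
}

/* Scan a PDF buffer. Caveat: only plain-text objects are seen; objects inside
 * compressed object streams (/ObjStm with /FlateDecode) must be inflated first. */
PdfScan scan_pdf_for_launch(const char *pdf, size_t len) {
    PdfScan r = { 0, 0 };
    char *norm = malloc(len + 1);
    if (!norm) return r;
    decode_name_escapes(pdf, len, norm, len + 1);
    r.launch_actions = count_name(norm, "/Launch");
    r.open_actions   = count_name(norm, "/OpenAction");
    free(norm);
    return r;
}

int main(void) {
    PdfScan a = scan_pdf_for_launch(LAUNCH_PDF, sizeof LAUNCH_PDF - 1);
    PdfScan b = scan_pdf_for_launch(PLAIN_PDF, sizeof PLAIN_PDF - 1);
    printf("sample 1: %d Launch action(s), %d OpenAction(s) -> %s\n",
           a.launch_actions, a.open_actions, a.launch_actions ? "SUSPICIOUS" : "clean");
    printf("sample 2: %d Launch action(s), %d OpenAction(s) -> %s\n",
           b.launch_actions, b.open_actions, b.launch_actions ? "SUSPICIOUS" : "clean");
    return 0;
}
```

A /Launch action in a document that arrived by mail is almost never legitimate, so a hit is worth quarantining regardless of what the warning dialog would have said; the escape decoding matters because a name like /L#61unch is exactly what an attacker writes to slip past a naive grep.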

BTW: Looking up CVE reports is easy, if snooze-inducing. Just go to the National Vulnerability Database site (run by the National Institute of Standards and Technology) and search on the CVE number. Here is the URL to get you started:

National Vulnerability Database (NVD) Search Vulnerabilities

And now for a rant:

If you're wondering why these simple and specific CVE searches take a long time (zzzzz) to resolve, it's the decrepit US government. It's Microsoft Windows. It's ancient old PCs the government is too cheap to replace, cranking away on stuff that takes any modern Mac a microsecond. (But of course, the government did manage to fund the infamous 'Bridge To Nowhere' in Alaska, hardy har har, porky pork, oinky oink, so long Ted Stevens you parasite).

I was once offered a job at the Department of Wildlife. I took one look at their computers and wondered what would be the appropriate response: Running away screaming OR sauntering out laughing?

In any case, if you've ever wondered why it's so incredibly easy for The Red Hacker Alliance in Red China and other such scum to hack into US government computers, look no further for your answer. Much as I hated the Bush League, much as I'd like to support the Obama Era, this stupid state of affairs continues. Note the fact that the Obama Administration hired ex-Microsoft executives and coders to help them solve their computer security crisis. That's right! They hired the CAUSE of the problem to SOLVE the problem.

Hmm. What would be the appropriate response? I'll leave it to you to decide.

Stay safe.
Stay secure.
Don't touch my cookies.

