Friday, October 29, 2010

Adobe Flash, Reader and Acrobat
CRITICAL Security Hole
Of The Month Club

Another month, and other Adobe software security hole exploit. If you still use Flash, pay attention! This security hole is currently being exploited In-The-Wild.


-> Adobe Flash Player and earlier

-> Adobe Reader 9.4 and earlier 9.x versions

-> Adobe Acrobat 9.4 and earlier 9.x versions

Hackers exploit newest Flash zero-day bug
Those reports came from Mila Parkour, an independent security researcher who notified Adobe early today after spotting and then analyzing a malicious PDF file. According to Parkour, the rigged PDF document exploits the Flash bug in Reader, then drops a Trojan horse and other malware on the victimized machine.
Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat

This issue is described in CVE-2010-3654.

Adobe provide a workaround in their 'Security Advisory' article linked above. They have promised to fix the security hole by November 9th.

Darn, Adobe blew their quarterly update schedule yet again. Can you comprehend why Adobe still believe in 'scheduled' security updates?

Thursday, October 28, 2010

Firefox v3.6.12 Released <- Important security patch

Just gotta love the Mozilla developers! Within A DAY Firefox has been updated to repair a nasty JavaScript security hole being exploited out In-The-Wild. So go grab the thing and update NOW:

Firefox v3.6.12 (English, US)

Thank you Mozilla!

Wednesday, October 27, 2010

Firefox v3.5 & v3.6 Zero-Day Exploit:
JavaScript Hell

An active zero-day exploit of Firefox versions 3.5 and 3.6 been found In-The-Wild. (The current version of Firefox is v3.6.11). Specifically, the Nobel Peace Prize website injects malware into victim computers via a newly discovered Firefox security hole. So far, the malware being injected is the Windows-only Trojan horse Belmoo-A. However, the injected malware could just as easily be any of the current Mac OS X Trojans.

Note of course that Trojan horses are inert until a 'LUSER' runs and installs them, providing it with their computer's Administrator password.

Firefox are aware of the situation and are working on a patch. In the meantime, they recommend the workaround of disabling JavaScript (aka ECMAScript), or installing and using the Firefox add-on NoScript. I use NoScript. I love it! I never leave my homepage without it.

As per usual, JavaScript is the bane of the Internet. However, Java isn't fairing too well either, much to everyone's dismay. I'll be writing about Java's security ills early next month.

Wednesday, October 13, 2010

U2 can B Incognito On The InterWebs!

I was just thinking of this today: InterWeb surveillance. Being not exactly friendly toward the "We Must Know ALL!" attitude of the US government and marketing morons, along with "The Customer Is CRIMINAL" attitude of the Corporate Oligarchy, I simply want to be left the frack alone to my personal privacy. No one ever has the right to 'watch' me. I don't deal with peeping pervs at my house, or over the InterTubes.

Therefore, I don't deal with Google collecting data on me wherever I go on the net. I've written about Tracking Cookies here on the blog and how to subvert them. But I get really tired of various websites still attempting to load Google Analytics.

Then I clicked over to Intego's Mac Security Blog this evening. (You'd think they'd pay me for all the PR I give them! ;-) To my synchronistic joy I found a great little article about a niffy kewl Safari extension that does ALL the Google blocking for me. It blocks FaceBook surveillance as well! And here it is:

Incognito is a Safari extension that prevents Google and Facebook from following you on the web.

It's a jungle out there
When browsing the web, you are continuously being tracked. Not only by the websites you are visiting, but also by major companies that embed their 'content' into other websites through ads and analytics.
As a result, companies like Google and Facebook have an almost complete picture of your online activity.

Your online counterspy
Incognito protects your privacy by blocking Google Adsense and Google Analytics on non-Google pages. In addition, it allows you to optionally block Facebook content on third-party websites as well as embedded YouTube movies outside of the YouTube website.

No ad-blocker
Although effectively blocking Google Adwords, Incognito is no dedicated ad-blocker. It simply prevents companies from gathering information outside of their own website.
It's FREE.

A similar tool for Firefox is Google Sharing.
The Firefox Addon for the GoogleSharing system. GoogleSharing ultimately aims to provide a level of anonymity that will prevent google from tracking your searches, movements, and what websites you visit.
It's also FREE.

I also use Safari AdBlocker. And Safari Cookies. I also frequently use software from The Tor Project (formerly The Onion Project), including Vidalia and Tor Button for Firefox, which provides excellent proxy anonymity on the TubeWebs.

IOW: I am the boss of my Internet browsing, not the government, not Google, not the Red Hacker Alliance, not hacker/crackers, not Apple, not Microsoft, not the Neo-Con-Jobs, not nobody, not no how but ME. It is in keeping with my Positive Anarchy point of view. I make all the honest, responsible choices I wish to with total disregard for the extraneous interests of others. Control freaks: Go have an aneurism over it. :-P

Speaking of which: Over at my MacSmarticles blog this coming month, I'm going to be providing lesson articles on how to setup and use Tor, via Vidalia and Tor Button for Firefox. Sorting out how to use tools is a huge PITA if you're not a computer geek. Therefore, I shall be translating the methods into human-speak for mere mortals. Because this is geek level technology, it's still a bit time consuming. But once you get the hang of the protocol and set it all up for the first time, it ain't no big deal.

You too can be 100% INCOGNITO on the Webnets!


The Stranglers
© 1979

We're not here to destroy
We are here to employ

We have come to make you function
So we can eat at our functions

We are the meninblack ...

Information can destroy
So we'll treat you just like toys

Healthy livestock so we can eat
Human flesh is porky meat...

We are the meninblack...

We don't approve of artificial food
We grow you for our own good

First we gave you the wheel
Then we made you live to kill

So the best stock will survive
We eat you all alive

We are the meninblack ...

Wednesday, October 6, 2010

October Adobe Security Updates:
Acrobat, Reader and AIR

Rather quietly, in keeping with Adobe's bad PR attitude, their latest 'CRITICAL' security updates have hit the net. Below are some direct links to help you past the clickity-click-click garbage you have to endure when going through Adobe's home page.

I) Adobe Acrobat Pro v9.4.0 update

IIa) Adobe Reader v9.4.0 update - multiple languages INTEL version

IIb) Adobe Reader v9.4.0 update - multiple languages PPC version

III) Adobe AIR v2.0.4.13090 update

And of course you've already installed Adobe Flash Player v10.1.0 update from two weeks ago, right?

What's been fixed?

Adobe Acrobat and Reader:
This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.
--Quoting from CVE-2010-2883:
Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.3.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information.
Adobe AIR: Beats me! As of today, Adobe have provided NO release notes for AIR v2.0.4. Imagine my cynicism. When Adobe bother to provide release notes, they will appear HERE.

Can anyone spare Adobe an anvil? Mine's in for repair. ;-)

And now it's time for a laugh! Every month this summer Adobe have had 'CRITICAL' security flaws discovered and patched in Acrobat, Reader and Flash Player. There have also been two updates to Adobe Air. Despite this situation, Adobe still hold to the bizarro naive notion of 'quarterly updates'. Here is their message to the world regarding this situation, as of today:
Note that today’s updates represent an accelerated release of the quarterly security update originally scheduled for October 12, 2010. With this accelerated schedule, Adobe will not release additional updates for Adobe Reader and Acrobat on October 12, 2010. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.
Right. So we'll all meet back here on February 8th. Sure. Everything will be safe and sound until then! Uh huh.

We know better. See you back here next month!