Thursday, April 21, 2011

Adobe Critical Updates Again:
Acrobat Reader 10.0.3 &
Adobe Acrobat X 10.0.3
(Out-Of-Band but ahead of schedule!)

--
You can read about it HERE and HERE.

You can directly download the Adobe Reader 10.0.3 update HERE.

You can directly download the Adobe Acrobat X 10.0.3 update HERE.

The security flaws involved are those Adobe posted on April 11th in the second article linked above. These are the promised updates of Reader and Acrobat, ahead of schedule by four days. Thank you Adobe!

Computer PWNing through the use of PDFs and Flash media is thick and fast these days, particularly on Windows, including Windows 7 (7ista). I have read speculation that hackers have a pile of 'zero-day' Adobe security hole hacks that are being used one after the other as Adobe provide patch after patch, trying to keep up. Note that it is at least possible to compromise a Mac using similar cracking methods and Trojan horses.

THEREFORE, user beware. I wrote in detail about precautions and protections available if you must use PDFs and/or Flash. Simply scroll back through my previous blog posts.

:-Derek
--

Sunday, April 17, 2011

CRITICAL Patches for:
Adobe Flash Player
& Acrobat Pro
& Adobe Reader
& Adobe AIR
(Out-Of-Band!)

--
Sorting through this flock of updates is confusing. Therefore, for the sake of simplicity, I've thrashed through the Adobe mess for you. Below you will find links to the relevant Adobe announcements as well as direct links to the update installers, each prefixed with a *:

I) Adobe Reader & Adobe Acrobat 10.0.2 Updates:

Security updates available for Adobe Reader and Acrobat


*Adobe Acrobat 10.0.2 Pro update for Macintosh

II) Adobe Flash Player 10.2.159.1 & Adobe AIR 2.6.19140 Updates:

Security update available for Adobe Flash Player [& Adobe AIR]

*Adobe Flash Player 10.2.159.1 for Macintosh


NOTE: I tacked "[& Adobe AIR]" onto the link to the Flash announcement because it is the only place you'll find it stated that an update of Adobe AIR is available and required. (0_o)

I swear there's lead in the water at Adobe. I wish they'd get their act back together.
--

Saturday, April 16, 2011

No Finished 64-Bit QuickTime X For You!
Mac OS X Lion Still Requires QuickTime 7

--
In the true spirit of Apple users, I get seriously pissed off when Apple screw up badly. And OMG has Apple screwed up this time:

In a rather wacked-out article by FairerPlatform, we learned that Apple is only barely upgrading QuickTime 10 in Mac OS X 10.7 Lion. This forces We-The-Technos to continue to (I can't believe this) STILL INSTALL QUICKTIME 7.x.

I can't vent my frustration and rage any better than what I posted over at MacDailyNews:

A very well deserved RANT at Apple:

OMFG APPLE! WTF is wrong with you guys that you STILL CAN’T FINISH QUICKTIME 10!?!?!?!?!

This is when Apple users justifiably get PISSED-THE-HELL-OFF at Apple.

Let’s get real here:

1) There never has been any ‘QuickTime 10.0.x’. There has only been QuickTime 10.0.0.0.0.0. Apple dumped QT 10.0 on us in 2009 and left the buggy thing laying there with no improvements to follow! THAT SUCKS!

2) Now we apparently are going to get a mere token of an upgrade with 10.1.0 that still cannot come close to the functionality of QuickTime 7.x Pro, therefore, we STILL HAVE TO INSTALL QUICKTIME 7.x!!!!!! THAT SUCKS TOO!

Besides the CRAP functionality of QuickTime 10, and the fact that QuickTime 7.x is only 32-bit, there is one other CRITICAL reason to RANT for Apple to actually FINISH QuickTime 10:

SECURITY!!!

Q: What Apple software has the single WORST SECURITY? It’s not Mac OS X folks.

A: It’s QUICKTIME as in QuickTime 7.x!

MOVE YOUR LAZY ASSES APPLE and FINISH 64-bit QUICKTIME 10 RIGHT NOW!!!! It should have been finished A YEAR AGO!!!!!

I hope other Apple users are equally pissed off at this stoooopidity from Apple. (And folks, I NEVER troll).

Did I adequately get my annoyance across? Will Apple be adequately shamed? Do you think Apple will get the clue that I noticed their laziness?

Clearly, this is NOT going to be the year of full, 64-bit secure Quicktime. The waiting drags on and on...

:-P
---

Tuesday, April 12, 2011

Warning: New Adobe Flash Flaw

--
Another month, another Adobe Flash security flaw. The following is a full quote from the most excellent SANS NewsBites Vol. 13 Number 29:
--Adobe Warns of Zero-Day Flaw in Flash
(April 11, 2011)
Adobe has issued a warning of a zero-day vulnerability in Flash Player that is being actively exploited in targeted attacks. The vulnerability can be used to take control of computers or to cause them to crash.  The attack is spreading as a Flash (.swf) file embedded in a Microsoft Word (.doc) file that arrives as an attachment.  Adobe did not say when a patch will be available.
Internet Storm Center:
http://isc.sans.edu/diary/Yet+another+Adobe+Flash+Reader+Acrobat+0+day/10696
http://news.cnet.com/8301-27080_3-20052894-245.html?tag=mncol;title
http://www.zdnet.com/blog/security/adobe-warns-of-new-flash-player-zero-day-attack/8524
http://www.computerworld.com/s/article/921572/Adobe_confirms_critical_Flash_zero_day_bug
[Editor's Note (Ullrich): In the past, I have observed users using Flash games embedded in Excel and Word documents to bypass corporate controls to prevent users from running these games. It may be a good awareness item to note the particular danger of these embedded flash files.]
You can sign up for the SANS Institute newsletters HERE.

I've also been reading about computers being PWNed via infected PDFs and Flash embedded in Excel spreadsheets.

My advice continues to be adherence to the Rules of Computing #1 and #2:

1) Make A Backup. Every day. Two of them. One on site. One off site.

2) Verify every file and application you receive or gather off the Internet as LEGITIMATE before you open it. That means doing homework. It's worth it.

Then add to that:

A) Avoidance of automatically running anything embedded in PDFs or Excel or Word or PowerPoint presentations you receive. Make sure YOU are in control of what runs when and where. No automatic anything. Make yourself the boss of your computer. The LUSER Factor remains a large problem for all of us. But we humans have a lot better scrutiny than a brainless computer program.

B) Don't Use Flash! Or at the very least use one of the many great utilities to stop Flash from running until YOU decide you want to run it. Also use utilities that KILL Flash cookies. These utilities include: the Safari Cookies extension, ClickToFlash, the Flashblock add-on for Firefox, the NoScript add-on for Firefox, and the FlashFrozen application.
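
As an added example (not from the original post or from SANS), here is one way to do the Rule #2 homework for the attack quoted above, Flash embedded in an Office attachment: a Python triage script that flags SWF headers and references to the Flash control inside a file. The function names, the size cap and the sample bytes are assumptions made for this example.

```python
import io, struct, zipfile, zlib

PROGID = b"ShockwaveFlash"          # name of the Flash ActiveX control
MAX_MEMBER = 20 * 1024 * 1024       # skip oversized ZIP members (zip-bomb guard)

def swf_hits(buf):
    """Return (offset, kind, version) for each plausible SWF header in buf."""
    hits = []
    for magic in (b"FWS", b"CWS"):  # uncompressed / zlib-compressed SWF
        pos = buf.find(magic)
        while pos != -1:
            head = buf[pos:pos + 8]
            if len(head) == 8:
                version, length = head[3], struct.unpack("<I", head[4:])[0]
                ok = 1 <= version <= 50 and length > 8
                if ok and magic == b"FWS":   # declared size must fit in the data
                    ok = length <= len(buf) - pos
                elif ok:                     # CWS body must inflate as zlib
                    try:
                        ok = bool(zlib.decompressobj().decompress(buf[pos + 8:pos + 4096], 64))
                    except zlib.error:
                        ok = False
                if ok:
                    hits.append((pos, magic.decode(), version))
            pos = buf.find(magic, pos + 1)
    return hits

def scan_attachment(data):
    """Triage one attachment's bytes; return a list of finding strings."""
    parts = {"<file>": data}        # legacy .doc/.xls (OLE) is scanned as raw bytes
    if data[:4] == b"PK\x03\x04":   # .docx/.xlsx: scan each ZIP member instead
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            parts = {i.filename: zf.read(i) for i in zf.infolist()
                     if i.file_size <= MAX_MEMBER}
    findings = []
    for name, buf in parts.items():
        for pos, kind, ver in swf_hits(buf):
            findings.append(f"{name}: {kind} v{ver} at offset {pos}")
        if PROGID in buf or PROGID.decode().encode("utf-16-le") in buf:
            findings.append(f"{name}: Flash control reference")
    return findings

def sample_doc():
    """Constructed sample: OLE magic, padding, control name, 40-byte dummy SWF."""
    swf = b"FWS\x0a" + struct.pack("<I", 40) + b"\x00" * 32
    return bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 504 + PROGID + swf

if __name__ == "__main__":
    print(scan_attachment(sample_doc()))
```

A hit is a reason to hold the attachment and look closer; an empty result is not a clean bill of health, because an OLE container can split or pack an embedded object so that its header is not contiguous in the raw bytes.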

OF INTEREST: I read this week about a new Adobe initiative that will allow combining Flash with PHP in order to create non-Adobe Air apps for smart phones and all iOS devices. My initial response, knowing the poor security of both technologies, is OMFG. But rather than get all FUDed out, let's simply see what happens.

Stay safe. Stay secure. Laugh at the FUD. Enjoy the facts.

:-Derek
--