These are weekly reviews of the reports from CERT. Nothing too horrible this week, but I provide more insights into what to look for and why. I did review the Shockwave Player vulnerability after recording the video and determined that, since it is not a common component for most of our audience, it did not merit a separate bulletin and notice. This is a weekly feature here at Managed Solutions.
Update Your Adobe Acrobat Products Immediately
Here at Managed Solutions we do not raise the red flag often, but after reviewing the latest CERT advisory, we’ve done just that. Do not delay: upgrade your Adobe Acrobat and Acrobat Reader products to the latest version immediately, apply the security patches, or install the updates recommended by Adobe Updater. Today's US-CERT Bulletin, SB10-018, lists 6 different vulnerabilities with a CVSS score of 10 for Adobe Acrobat and Acrobat Reader. Basically, a CVSS score of 10 indicates the highest threat level due to the remote code execution capability, and these issues should be taken very seriously. There is a link at the bottom of this article to the resources at Adobe’s website, as well as a download for the Windows version of Adobe Acrobat. Please pass the word.
Access the security updates
We’ve learned that some people are having problems downloading the update directly from Adobe’s website, so we’ve put the Windows version of Adobe Acrobat Reader 9.3 here for download.
Firefox and Safari More Vulnerable than Internet Explorer Q1-Q2 2009
According to an Internetnews.com article this morning, a study released today by security vendor Cenzic found that Firefox accounts for 44% of all browser vulnerabilities for January through June 2009. Safari (Apple) is second at 35% and Internet Explorer (Microsoft) is third at 15%. If you follow the space, this will not come as a surprise. My advice would not be to recommend changing back to Internet Explorer if you use Firefox or Safari and like it. The advice would be to minimize the add-ons you use and always run the updater when prompted to do so.
If you are interested in learning about issues like this as they emerge, sign up for our alerts.
Internet Explorer Users Run Windows Updates – VU#180513 KB #972890 – ActiveX control
Update 7/15/2009 – the link to “Disable” below will now take you to a page with a link to the security update for this issue.
Not long ago, an exploitable flaw in the ActiveX control for streaming video was discovered, and it is being exploited. The flaw itself has not been patched, and the only workarounds involve disabling the controls. For this reason we are advising the following until a patch is available:
1. Use an alternative browser such as Mozilla Firefox.
2. Disable the vulnerable ActiveX controls.
3. Be extremely cautious about what links are clicked/web pages are visited. (Only recommended for very experienced users)
If you have questions about this vulnerability, feel free to contact us.
IE7 and Adobe Security Alert
We have received a notice from US-CERT about a security flaw involving Internet Explorer 7 and Adobe Acrobat. The flaw only affects Windows-based machines that have Internet Explorer 7 and Adobe Acrobat products. If you have both of these products installed, your system could be compromised if you open a PDF file that was crafted to exploit this flaw. This flaw has been labelled critical, and we are prioritizing addressing this flaw with our customers.
Who should be concerned?
- Anyone with both Internet Explorer version 7 and Adobe Acrobat installed.
- Anyone using Adobe Acrobat products version 8.1 or earlier in conjunction with Internet Explorer 7.
If I meet the criteria that make me vulnerable, what should I do?
- You should avoid opening PDF files from untrusted sources.
- You should apply an update for your Adobe Acrobat as soon as possible.
- If unable to install an update, you should disable the mailto: URI handler on your Adobe product (see Adobe Security Bulletin APSB07-18 for details on how to do this).
Where can I get more information about this problem?