Sunday, March 29, 2009

Just In: Adobe Reader, IE 7 Holes Under Attack

If you were an Internet crook, the following item would be music to your ears: A zero-day flaw--a security hole with no fix available before attacks could be launched--exists in Adobe Reader and Acrobat, and can be exploited by a poisoned PDF file in an attempt to take over a vulnerable computer.

As Symantec reported in February, crooks have hit the flaw with small-scale attacks that e-mail PDF attachments to specific targets. Adobe says a patch should be ready for version 9 of both programs by the time you read this, with fixes for earlier versions to follow. Read Adobe's alert and get a link to the eventual fixes.

Word Docs Target IE 7

Bad guys went after a bug in Internet Explorer 7 a week after Microsoft distributed a fix. Those attacks employed a malicious Word document, but the Internet Storm Center has warned that crooks could also add hidden code to a hijacked Web site to create a drive-by download attack. You can install the patch for this browser flaw via Automatic Updates, or you can download it.

The same patch batch from Microsoft addresses a security vulnerability in the company's Visio diagramming software; an attack through this hole can be triggered if you open a hacked Visio file.

Meanwhile, Mozilla fixed six security holes in its Firefox browser, one of which was deemed critical. Firefox version 3.0.6 and later has the fixes; click Help, Check for Updates to make sure that you have the latest version. The same critical flaw can hit the Thunderbird e-mail program if JavaScript is enabled for e-mail (it's disabled by default, and discouraged by Mozilla). Version 2.0.0.21 closes the hole.

Media File Mayhem

If you use RealNetworks' RealPlayer, beware of a risk involving malformed Internet Video Recording (IVR) files. According to security company Fortinet, simply previewing a poisoned IVR file in Windows Explorer could allow an attacker to run any command on a vulnerable PC. Versions 11 through 11.04 are at risk, while 11.05 and later are not affected. Check your version by clicking Help, About RealPlayer, and, if you need it, click for the upgrade.

Finally, OpenOffice users should know that a default installation of the productivity suite's latest version (3.0.1) adds an old, insecure version of Sun's Java (Java 6 Update 7). According to the Washington Post, which originally reported the issue, the suite should work fine with the latest edition, Java 6 Update 12; remove your old Java versions and install the new one. You can also read the original report. The OpenOffice team should have a new version (with an updated Java version) by the time you read this, and you can also get a Java-less install via peer-to-peer download.
