Oct 25, 2007 1 am
Just hours after Adobe fixed a vulnerability in its PDF viewing applications, users were warned of a continuing security threat.
Adobe Acrobat and Adobe Reader became hot targets for spammers after a glitch was discovered that allows the programs' "mailto" command to be exploited. Hackers used this in connection with malicious PDF code to send out bulk e-mails with dangerous PDF attachments.
Oct 19, 2007 9 pm
Hackers are actively exploiting a zero-day hole in RealNetworks' RealPlayer media player.
The in-the-wild attacks, which began late last night (October 18), target a previously unknown and unpatched ActiveX vulnerability in the way RealPlayer interacts with Microsoft's Internet Explorer browser.
Only systems on which both RealPlayer and IE have been installed are vulnerable.
The flaw is causing drive-by malware downloads when an IE user simply browses to a maliciously rigged Web page, according to an alert issued by Symantec DeepSight Threat Management System.
The issue affects an ActiveX object installed by RealPlayer, accessible over the web using Internet Explorer. By instantiating the object and invoking a specific method, an attacker is able to corrupt process memory and execute arbitrary code with the privileges of the browser. The attack currently known to be in-the-wild has been confirmed to download malicious code to the compromised host.
Oct 19, 2007 12 am
Mozilla has released a new patch for Firefox, which will update the browser to version 2.0.0.8.
The update, distributed since earlier today via the software’s auto-update feature, patches eight vulnerabilities. Two of them are rated as “critical” and could allow an attacker to run code or install software on a client PC.
The new version brings two new localized versions of Firefox, Georgian and Romanian. Probably most significantly, the browser is now compatible with Apple’s Leopard operating system. However, Mozilla noted that there are several known “issues” in this version. Among others, “some” media plug-ins as well as add-ons containing binary components are not working properly, the organization said.
Oct 19, 2007 12 am
Seagate is to build automatic encryption into all its enterprise hard drives, the company announced at Storage Expo 2007 in London.
All enterprise drives will be fitted with Seagate’s Full Disk Encryption (FDE) as standard.
The Trusted Computing Group (TCG) is designing a security protocol for the drives, and the IEEE 1619.3 Key Management Subcommittee is setting up a management standard to ensure interoperability.
Oct 12, 2007 12 am
Microsoft is warning of yet another URL-handling bug that can lead to a system hijack.
A mere two days after Patch Tuesday brought a host of remote-code execution vulnerabilities to light, Microsoft issued a security advisory warning of yet another problem: a URL-handling vulnerability that could lead to systems getting hijacked if running Internet Explorer 7 on Windows XP or Windows 2003.
Oct 10, 2007 6 pm
Adobe said on Wednesday some of its programs contain yet-to-be-fixed flaws that make computers vulnerable to attack.
On October 5, Adobe posted a notice on its Web site that said it had unknowingly incorporated vulnerabilities into versions of Adobe Reader and Acrobat software that could allow malicious programs to get on to a PC without the user’s knowledge.
Oct 10, 2007 2 am
Microsoft has released the latest monthly security updates for October 2007.
The updates are available for download from the Microsoft Download Center and also from Windows Update/Microsoft Update.
Critical:
- KB923810: Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution
- KB941202: Security Update for Outlook Express and Windows Mail
- KB939653: Cumulative Security Update for Internet Explorer
- KB942695: Vulnerability in Microsoft Word Could Allow Remote Code Execution
Important:
- KB933729: Vulnerability in RPC Could Allow Denial of Service
- KB942017: Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site
Microsoft has also released the usual update for the Windows Malicious Software Removal Tool and the Windows Mail Definition Update (x86) (x64).
Oct 6, 2007 12 pm
“They used a shotgun to kill a flea”
In what one California official characterized as a case of overkill, U.S. officials disrupted access to all state government Web sites this week after a county Web page was hacked.
The federal government stepped in after learning that a Marin County, California, Web page redirected users to a pornographic Web site. Federal authorities, who have ultimate authority over most local and state Web sites, attempted to block all domains ending in ca.gov on Tuesday, Hanacek said.
Oct 4, 2007 6 pm
An encrypted drive can be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state.
PGP Corporation’s widely adopted Whole Disk Encryption product apparently has an encryption bypass feature that allows an encrypted drive to be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state if the drive is stolen when the bypass feature is enabled.
Oct 4, 2007 5 pm
Sun Microsystems has shipped patches to fix a batch of “highly critical” vulnerabilities in Sun Java JRE (Java Runtime Environment), affecting Windows, Solaris and Linux users.
According to researchers, the flaws can be exploited to bypass certain security restrictions, manipulate data, disclose sensitive/system information, or potentially compromise a vulnerable system.