Ryan Naraine

Adobe ships fix for PDF Reader zero-day

Adobe has released a security bulletin to patch a “critical” code execution flaw affecting the ubiquitous PDF Reader and Acrobat software.
However, the patch is only available for Adobe Reader 9 and Acrobat 9.  Earlier versions of the software are affected by the vulnerability, and by the in-the-wild attacks exploiting it, but Adobe says those fixes are delayed for at least another week.

MS Patch Tuesday: 3 bulletins, 8 vulnerabilities

Microsoft’s batch of security patches for March 2009 has been released with fixes for 8 vulnerabilities in the Windows operating system.

In all, the Redmond, Wash. software maker shipped three bulletins, one rated “critical,” the company’s highest severity rating.  Here are the raw details:

How to mitigate Adobe PDF malware attacks

Dave Kennedy and Kevin Long from Verizon’s security team are offering some of the best advice I’ve seen regarding the ongoing attacks against an unpatched Adobe Acrobat/PDF vulnerability.
I’ve complained bitterly about the lack of mitigation guidance from Adobe and I’m happy to see the Verizon researchers filling in the blanks and offering suggestions to reduce your exposure to these attacks.


Tech security company Fortify and security consulting firm Cigital are getting ready to release a set of best practices that tech companies and other businesses can follow to ensure that the software they develop is secure.

The authors developed the model by studying the security practices at Google, Microsoft, Adobe, and other tech companies, as well as non-tech companies that write their own software like Wells Fargo, and Depository Trust & Clearing Corp.

Wired’s Threat Level blog is reporting that a 27-year-old Los Angeles man was sentenced to four years in prison after pleading guilty last year to infecting as many as 250,000 computers, stealing thousands of people’s identities and hijacking their bank accounts.

According to a Patch Tuesday advance notice from Microsoft, there will be three security bulletins released on March 10, one rated critical.

The other two bulletins are rated “important” and can expose Windows users to spoofing attacks. All supported versions of Windows will be affected by next Tuesday’s releases, including the newer Windows Vista and Windows Server 2008.

The open-source Mozilla group has released Firefox 3.0.7 with fixes for at least eight security flaws, some rated critical.

The most serious of the vulnerabilities could be exploited by attackers to run code and install software, requiring no user interaction beyond normal browsing, Mozilla warned in a series of security advisories.

On the Microsoft Secure Windows Initiative blog, software engineer Chengyun discusses the default behavior of ActiveX controls embedded in Office documents.  The software giant also explains how an attacker can abuse ActiveX and how Office users can change the behavior of ActiveX controls embedded in Office documents.

Microsoft’s research unit is investing resources in a new Web browser that could eventually signal a shift away from the ubiquitous Internet Explorer.

According to a research paper released this week, the project is called Gazelle and is positioned as a secure web browser constructed as a multi-principal operating system.