Entries by drStrangeP0rk (171)

Wednesday
Oct 06, 2010

Adobe Reader and Acrobat

Adobe has released a security update for Acrobat and Acrobat Reader to address CVE-2010-2883 and CVE-2010-2884. The update was released ahead of schedule and is marked as critical; users should apply it promptly.

As a note, we recommend using Preview.app for PDF files, run within seatbelt for hard-core users.

Saturday
Sep 25, 2010

Safari Auto Fill Flaw Can Still be Conducted Using Two Phase Process

Jeremiah Grossman's Auto Fill flaw can still be exploited by socially engineering a user into performing staged clicks on a form or page. In his online example, the user's location is used to provoke the first keystroke. Other examples can be simple trickery, such as asking the user to type "DuD" to prove they are human. He has posted the technical details on his blog; the result is that the user's Auto Fill information is passed without the knowledge of the user.

Auto Fill, although viewed as a convenience to users, can result in sharing information the user did not plan to disclose. In Safari, you should make sure to turn these settings off, including on iOS devices.

Recommended Settings

When thinking about privacy and the sharing of any personal information, educate users in the concepts of trust and verification. If the form is completed automatically, the user skips the triggering mechanisms that can prevent these kinds of information-gathering attacks.

Monday
Sep 20, 2010

APPLE-SA-2010-09-20-1 Security Update 2010-006

Apple has released an update for OS X Server 10.6.4 to address a password bypass vulnerability in AFP Server. A malicious user may be able to bypass authentication if they are aware of a user of the system. Administrators should apply this software update to OS X Server; a restart is required.

Tuesday
Sep 14, 2010

Adobe Struggles With Cross-Product Vulnerabilities

Adobe has continued to struggle with cross-product vulnerabilities, in large part due to shared resources and product integration. With little effort, a vulnerability in Reader can be altered to affect AIR or Flash. It is clear that Adobe is struggling with the same issue that Microsoft has recently got a handle on, namely risk management across the complete product line. Administrators should consider an Adobe-specific risk and response action plan that traverses the complete product line. Think in terms of the "Adobe Risk Trifecta."

Education is the primary tool for dealing with a host of vulnerabilities, especially if the attacks are carried out via user-specific surfaces such as email. Preview.app should be set to handle PDF files; do not forget to disable auto-opening in Safari. In addition, ClickToFlash and Flashblock are excellent tools for blocking Flash content. For extreme cases, PDF can be blocked completely at the gateway, or Preview.app can be run within a sandbox. Make sure that systems which are servers do not have any services or applications that are not needed before they become part of a production deployment. Only run and load what meets the requirements.

Adobe has posted a timetable for the Reader update and will most likely update Flash and AIR in the coming days. Please visit the reference links for more information.

Friday
Sep 10, 2010

APPLE-SA-2010-09-08-1 iOS 4.1 for iPhone and iPod touch

Apple has released an update to iOS 4 to address vulnerabilities in ImageIO, WebKit, VoiceOver (Accessibility) and FaceTime. Users should update their iOS devices as soon as possible. There are also reports that new jailbreaks related to iOS 4.1 are in the final stages. Apple recently changed the developer agreement, which may allow developers to use Flash. This will represent new risk for iOS devices and their use, since Flash has been used as an excellent delivery tool for malware and exploits.