Security Watch
PCMAG.COM
Adobe has announced that they will release an update for a newly-reported vulnerability in Acrobat and Reader on all platforms by May 12th.

The vulnerability was the first of two acknowledged by Adobe on Wednesday. Adobe says the updates will cover Windows versions of Acrobat and Reader 9.x, 8.x and 7.x, and UNIX and Mac versions 9.x and 8.x.

Adobe has also confirmed the second vulnerability, but says it has only been able to confirm it as exploitable on UNIX and is still investigating the issue. The researcher who reported the vulnerability only claimed to have tested on Linux.

In the meantime there are still no reports of exploits in the wild. If you want to mitigate the vulnerability (*), you can do so by disabling JavaScript in Acrobat or Reader. To disable JavaScript in Reader or Acrobat, follow these instructions:

  1. Launch Acrobat or Adobe Reader.
  2. Select Edit > Preferences.
  3. Select the JavaScript category.
  4. Uncheck the 'Enable Acrobat JavaScript' option.
  5. Click OK.

* - As with some other recent Acrobat vulnerabilities, disabling JavaScript may not actually block the vulnerability itself, but it will block all likely exploits of it in the wild. Especially in the early stages, attackers take proof-of-concept code and modify it little or not at all. The proof-of-concept code in this case is written in JavaScript.


A San Jose Mercury News report says that over 300 hospital devices, including MRI systems, were infected with the Conficker worm and were attacking other devices on the network.

It's surprising at first to hear of hospital technical equipment running on Windows, but it's quite common. Walk around a hospital and you'll see lots of Windows-based devices.

One genuinely surprising claim in the story, attributed to a device manufacturer, is that the FDA requires 90 days of notice before software patches can be applied, such as the patch issued by Microsoft in October that would block the vulnerability exploited by Conficker.

Even if true, that doesn't seem to be the problem here: the patch was issued in October, and 90 days after that is January. The story states that the infected machines were found by outside researchers in March.

On top of that, the infection strongly indicates a lack of proper network security at the hospital. A good firewall configuration on the device could have blocked the attack, for example, and it's clear that users were allowed to bring unprotected outside systems, probably a notebook computer, onto the same network as the MRI. There's a lot of blame to go around here.


The recent Facebook phishing attack we reported on the other day has apparently continued for at least a second day.

This report on Silicon.com notes that the first one, using the FBaction.net domain, was stopped within a few hours. As we warned, it came back the next day with another domain, in this case BAction.net.

The attack comes to you in your Facebook inbox as a terse message with a link in it. Click on the link and you are prompted to log in to a fake Facebook login page. Log in and the attackers have your credentials, which they then use to pass the attack on to everyone in your Friends list. Always be certain when you log in to Facebook that you are actually logging in to facebook.com.

If you or one of your friends has this problem and Facebook finds out, Facebook may end up resetting your password for security purposes. Be on the lookout for notices from Facebook about this.


The F-Secure blog makes the excellent point that some of Facebook's security questions are not especially rigorous, and that they are inappropriate for an application like Facebook.

To see your security questions, log in, choose the Account Settings option on the Settings menu, then click "change" next to "Security Question." (Click on the image for a full-scale view of it.)

[Image: fbprivacy.jpg, the Facebook security question settings]

Look at these questions and then think about who you interact with on Facebook. That's right: your friends and relatives, the people you grew up with. Who else is likely to know who your third grade teacher was, or who your first kiss was, or the answer to any of the others?

There are plenty of famous examples of compromises due to weak security features, such as the hacking of Sarah Palin's or Salma Hayek's e-mail. These people have a special problem in that their personal histories are often publicized (in fact they pay publicists to do it), but you can suffer from the same problem if someone close to you wants to compromise your account.

The easiest way for Facebook to address this problem is to allow users to define their own question and its answer. That at least lets security-minded users be more rigorous. Alternatively, if you think you can remember it, you could lie about the answer to one of these questions (such as saying that your first kiss was with your third grade teacher), but you'd have to remember that lie, and if you can remember the lie you're not likely to forget your password.

One can only assume that the privacy people at Facebook have been a little distracted lately.


I've received a few e-mails like this one recently. The subject line is "Congratulations.You have been selected" and the (spoofed) sender is Kmart payments dept. [kmartsurvey@kmart.com]:

[Image: kmart.jpg, the phishing e-mail]

Click on the image to see a full-size version of the e-mail.

Just in case it's not obvious to you to begin with, this is a scam, a phishing attempt. The phishing sites in the link are on compromised web servers. Every time I've checked the site linked to in the e-mail so far, the webmasters have gotten to it first, and the page is either down or replaced with a warning to the user that they were sent there by a scam.


The release candidate of Windows 7 is out. You can see our hands-on evaluation here.

Of course, every time a major release like this comes out it gets leaked onto BitTorrent, the open peer-to-peer network, and that has happened with Windows 7 as well. But downloading and installing these copies is inadvisable if you believe the Neowin report that these torrents have been infected with a trojan horse. They show an Avast generic detection of a trojan.

"Oh yeah, sure it's infected, they just want to trick us into not using it," you may be saying to yourself. Well, maybe, but it's a credible story from where I sit, since we know that earlier this year pirated torrents of Apple's iWork '09 and Adobe Photoshop CS4 were infected with a trojan that was used to build a botnet. It could just as easily be true of these torrents; it's not as if there's any quality control on BitTorrent.

Neowin users have other advice: check the MD5 checksum against one known to be good. But that's no guarantee that someone didn't build a new ISO and publish a new MD5 for it. We're not too fond of piracy in any event and recommend that you wait for a genuine copy in the next few months.
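The checksum advice is worth spelling out, because the caveat is the important half of it. The following is an added Python example, not code from the post or from Neowin: it hashes a download in chunks, compares the result to an expected digest in constant time, and then models the scenario the post warns about, in which a rebuilt image ships with its own freshly computed MD5. The disc image bytes and the "vendor" digest are constructed inline; in practice the expected value has to come from the software vendor's own site, not from the same place the torrent came from.

```python
import hashlib
import hmac
import io

# Constructed stand-in for a downloaded ISO image; a real check would open the file on disk.
GENUINE_IMAGE = b"CD001 constructed sample disc image " * 2048


def digest_stream(stream, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file-like object in chunks so a multi-hundred-megabyte image is never
    read into memory at once. Returns the lowercase hex digest."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(stream, expected_hex, algorithm="sha256"):
    """Return True only if the stream's digest equals expected_hex.

    The comparison is constant-time and case-insensitive. What it cannot do is tell
    you where expected_hex came from: a hash published next to the file by the same
    party that built it only proves the file was not corrupted in transit.
    """
    actual = digest_stream(stream, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_bytes(data, expected_hex, algorithm="sha256"):
    """Same check for data already held in memory."""
    return verify_download(io.BytesIO(data), expected_hex, algorithm)


def expected_from_vendor(data, algorithm="sha256"):
    """Stand-in for fetching the published digest from the vendor's site (constructed here)."""
    return hashlib.new(algorithm, data).hexdigest()


def rebuilt_image_scenario(genuine, vendor_sha256):
    """Model the caveat from the post: someone rebuilds the image, ships it with a
    fresh MD5 of their own, and the 'check the MD5' advice passes anyway.

    Returns a dict of the three outcomes so the difference is explicit.
    """
    rebuilt = genuine + b" constructed extra bytes standing in for an added trojan"
    # The rebuilder publishes an MD5 that matches the rebuilt file, as anyone can.
    rebuilder_md5 = hashlib.md5(rebuilt).hexdigest()
    return {
        # Matches: the file is exactly what the uploader built. Says nothing about trust.
        "rebuilt_vs_uploader_md5": verify_bytes(rebuilt, rebuilder_md5, "md5"),
        # Fails: the vendor's published digest is for the genuine image.
        "rebuilt_vs_vendor_sha256": verify_bytes(rebuilt, vendor_sha256),
        # Passes: only the genuine image matches the vendor's value.
        "genuine_vs_vendor_sha256": verify_bytes(genuine, vendor_sha256),
    }


if __name__ == "__main__":
    vendor_value = expected_from_vendor(GENUINE_IMAGE)
    for name, outcome in rebuilt_image_scenario(GENUINE_IMAGE, vendor_value).items():
        print(f"{name}: {'match' if outcome else 'MISMATCH'}")
```

The first outcome is the one a torrent downloader typically checks, and it passes for the tampered image; only the comparison against a digest obtained from an independent, trusted source separates the genuine image from the rebuilt one.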


There's a myth out there that users whose license situation with Windows is not clear, or who perhaps have nakedly pirated the software, do not get security updates. Perhaps they think that by applying security updates they will get tracked down. This probably accounts for a large chunk of the population of those who don't apply security patches and end up successfully compromised by Conficker and other exploits out there.

It's not true, as explained by the Windows Team Blog here. All Windows users get all security updates. It doesn't matter if you haven't run the Windows Genuine Whatever program, everyone gets security updates. And it's more than just individual patches: major versions of Internet Explorer, including IE8, have so many security features in them that they are available to everyone irrespective of their "genuine" status.

If you're not applying security updates because you think you're not entitled to them or that you'll get tracked down, you can rest assured that this isn't the case. By applying critical updates automatically you help not only yourself but everyone else who might be attacked if your system is compromised. So do all your Internet neighbors a favor and make sure you're set up for automatic updates and that everything is installed. You can do this by checking the Windows Security Center in the Control Panel and by running Windows Update manually to make sure no High-priority updates are left uninstalled.


According to Threatpost, identity thieves are spamming Facebook users through the Facebook mail system with one-line messages whose subject line is "Hello" and whose body contains a link to the site "fbaction.net". The link is disguised as a Facebook link. The site fakes the Facebook login page.

When users try to log into this site the attackers get their Facebook credentials. The attackers then log in with the credentials and spam everyone on the Friend list.

fbaction.net is now widely blocked, but don't be surprised if the scam reappears with the message slightly adjusted and a new domain name.

There have also been reports today of scams on Facebook through its IM feature.
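Both this post and the follow-up about the BAction.net domain turn on one check: is the login page really on facebook.com? The following is an added Python example, not code from the posts or from Facebook, showing how to decide that correctly. It assumes facebook.com is the only legitimate login domain and that the only safe scheme is https; it handles the lookalike cases a quick glance misses (a real domain embedded as a prefix of another, userinfo before an "@", a non-ASCII lookalike letter) and flags the specific pattern in the post, where the link's visible text shows one host while the link goes to another. The hostnames other than fbaction.net and baction.net are constructed.

```python
from urllib.parse import urlsplit

# Domain whose login page is the only legitimate place to type Facebook credentials
# (the post's advice: make sure you are really logging in to facebook.com).
LEGITIMATE_LOGIN_DOMAINS = ("facebook.com",)


def host_of(url):
    """Return (scheme, hostname), hostname lowercased and without a trailing dot.
    urlsplit handles the 'https://facebook.com@other.example/' trick correctly:
    everything before '@' is userinfo, so the real host is other.example."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    return parts.scheme.lower(), host


def same_or_subdomain(host, domain):
    """Exact match or a proper subdomain; 'facebook.com.evil.example' does not qualify."""
    return host == domain or host.endswith("." + domain)


def login_link_is_legitimate(url):
    """True only for an https link whose host is facebook.com or a subdomain of it.
    A Cyrillic lookalike such as 'f\u0430cebook.com' is a different string and fails."""
    scheme, host = host_of(url)
    if scheme != "https" or not host:
        return False
    return any(same_or_subdomain(host, d) for d in LEGITIMATE_LOGIN_DOMAINS)


def displayed_host(link_text):
    """Extract a hostname from the link's visible text, but only when that text
    itself looks like a URL or domain name; 'Click here' yields ''."""
    text = link_text.strip()
    if " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "https://" + text
    return host_of(text)[1]


def check_inbox_link(link_text, href):
    """Classify a link from a message as ('ok' | 'phishing' | 'suspicious', reason).

    'phishing' is reserved for the pattern in the post: visible text that shows one
    host while the link actually goes to another."""
    shown = displayed_host(link_text)
    _, real = host_of(href)
    if login_link_is_legitimate(href):
        return "ok", f"link goes to {real}"
    if shown and shown != real:
        return "phishing", f"text shows {shown} but the link goes to {real or 'no host'}"
    return "suspicious", f"login link points at {real or 'no host'}, not facebook.com over https"


if __name__ == "__main__":
    for text, href in [("http://www.facebook.com/", "http://fbaction.net/"),
                       ("Hello", "https://baction.net/"),
                       ("Log in", "https://www.facebook.com/login.php")]:
        print(check_inbox_link(text, href))
```

Note that the subdomain test is string-based and deliberately strict: it accepts hosts that end in ".facebook.com" and nothing else, so neither "www.facebook.com.baction.net" nor "facebook.com@baction.net" passes.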


Microsoft released Internet Explorer 8 to Windows Update yesterday as part of a flurry of generally non-security updates. IE8 shows up as a "High-priority" update.

[Image: msupdate.jpg, IE8 listed as a High-priority update]

IE8 is not being "pushed" to users through Automatic Updates, as some have reported. As Microsoft said it would do not long ago, IE8 is being offered on Automatic Updates and Windows Update. If you chose 'notify me' or 'download but do not install' as your Automatic Updates setting, it may appear to you that it's being pushed, but it's only being offered.

On either service read the list carefully. A lot of updates went out yesterday.

[Update: Click here for an explanation of how it all works from Microsoft.]


An anonymous researcher has posted two new vulnerabilities in Adobe Reader along with proof-of-concept code. Adobe has confirmed one of them, is working on the other, and will deliver updates.

The initial reports claimed remote code execution in Adobe Reader and were tested only on Linux. The two vulnerability reports were titled "Adobe Reader 'getAnnots()' Javascript Function Remote Code Execution Vulnerability" and "Adobe Reader 'spell.customDictionaryOpen()' JavaScript Function Remote Code Execution Vulnerability". The proof-of-concept exploit code was very similar in both, differing essentially only in the vulnerability trigger.

After investigating the first vulnerability report, Adobe confirmed that it affects all versions of Reader and the Acrobat program itself, on all supported platforms. Updates for all of these products will be forthcoming on a schedule Adobe will announce.

Both vulnerabilities, or at least the proof-of-concept exploits, rely on JavaScript for execution. Adobe is recommending disabling JavaScript if you are sufficiently concerned about the reports, although there are no reports of actual exploits in the wild yet. To disable JavaScript in Reader or Acrobat, follow these instructions:

  1. Launch Acrobat or Adobe Reader.
  2. Select Edit > Preferences.
  3. Select the JavaScript category.
  4. Uncheck the 'Enable Acrobat JavaScript' option.
  5. Click OK.

Adobe is also working with security companies to add detection for these exploits to their products. In addition to the PSIRT blog Adobe will be posting information about updates on this to their Security Bulletins and Advisories page.


Microsoft's Office 2007 Service Pack 2 is available for download.

The changes in SP2 are listed in this knowledge base article. The most prominent one is that Office apps will be able to save directly to the PDF format. Previously this required a separate download. The other changes, apart from rolling up the security updates since SP1, improve both features and performance of every application in Office.

The download size can be as much as 290.2 MB depending on which components you have installed.

Office 2007 SP2 is the first service pack to support uninstall both from the command line and the Service Pack Uninstall Tool.


Microsoft has announced that updates will be coming for Windows that will limit the display of the AutoRun task to removable optical media.

When you attach new media to Windows, be it a CD-ROM, a removable hard drive, a network share or a USB key, the AutoPlay dialog comes up:

[Image: normalap.gif, the normal AutoPlay dialog]

It's possible for programs to add themselves to the AutoPlay menu as an "AutoRun" task. Such a program is displayed in a special section of the AutoPlay menu. A lot of malware, most famously Conficker, has abused this mechanism to add its own programs to the AutoPlay process. Conficker does this in a particularly sneaky way:

[Image: confickerap.gif, the AutoPlay dialog with Conficker's disguised AutoRun task]

(Graphics courtesy of Microsoft.)

Note that it uses the standard folder icon to attempt to confuse the user into running Conficker in order to browse the device. Conficker writes this infection to any removable media it can reach.

Once again, it's not just Conficker. According to Microsoft, in the second half of 2008, 17.7 percent of the malware infections detected by its Forefront Client Security products could propagate via AutoRun, and the trend began over a year ago.

Microsoft has announced that updates will be coming for Windows XP and Vista to disable the AutoRun task unless the media is removable optical media, which basically means CDs and DVDs. Windows 7 will also have this behavior as of the release candidate.
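The trick in the Conficker screenshot lives in the autorun.inf file on the removable media: the AutoRun task borrows Explorer's own "open folder" wording and a folder icon so that running the malware looks like browsing the device. The following is an added Python example, not code from Microsoft or from this post, that parses an autorun.inf and flags that disguise. Both autorun.inf files are constructed for the example (the launched file name is a placeholder, and the shell32.dll icon index is assumed, not taken from any real sample); the parser is deliberately tolerant of junk lines because a malicious file need not be well-formed to work.

```python
# Constructed autorun.inf modelled on the disguise described above: Explorer's own
# "Open folder to view files" wording plus a folder icon from shell32.dll (index assumed).
# The launched file name is a placeholder, not a real sample's.
DISGUISED_AUTORUN_INF = """\
[autorun]
action=Open folder to view files
icon=%systemroot%\\system32\\shell32.dll,4
shellexecute=RECYCLER\\constructed_payload.exe
useautoplay=1
"""

# Constructed benign file of the kind a software installer disc might carry.
INSTALLER_AUTORUN_INF = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

LAUNCH_KEYS = ("open", "shellexecute")
FOLDER_VERB_WORDS = ("open folder", "view files", "browse")


def parse_autorun(text):
    """Tolerant parser for the [autorun] section. Anything that is not 'key=value'
    is skipped rather than rejected, since a malicious file may be padded with junk.
    Keys are lowercased; a later duplicate overrides an earlier one."""
    keys = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            keys[key.strip().lower()] = value.strip()
    return keys


def assess_autorun(text):
    """Return a list of findings describing what the file would do on insertion."""
    keys = parse_autorun(text)
    findings = []
    if not keys:
        return findings
    for key in LAUNCH_KEYS:
        if keys.get(key):
            findings.append(f"{key}= launches a program on insertion: {keys[key]}")
    action = keys.get("action", "")
    if any(word in action.lower() for word in FOLDER_VERB_WORDS):
        findings.append(f"action= mimics Explorer's built-in folder verb: {action!r}")
    icon = keys.get("icon", "")
    if "shell32.dll" in icon.lower():
        findings.append(f"icon= borrows a system icon instead of the program's own: {icon}")
    return findings


def looks_disguised(text):
    """True when the file both launches something and dresses the launch up as
    browsing the device. This is the pattern the post describes, not a generic
    'has an AutoRun entry' check, which would also flag ordinary installer discs."""
    findings = assess_autorun(text)
    launches = any("launches" in f for f in findings)
    disguised = any("mimics" in f or "borrows" in f for f in findings)
    return launches and disguised


if __name__ == "__main__":
    for name, inf in [("disguised", DISGUISED_AUTORUN_INF), ("installer", INSTALLER_AUTORUN_INF)]:
        print(name, looks_disguised(inf), assess_autorun(inf), sep="\n  ")
```

The installer file still produces one finding (it launches setup.exe), which is exactly the behaviour Microsoft's update removes for non-optical media; what separates it from the Conficker pattern is the combination of a launch entry with wording and an icon that imitate Explorer's own folder action.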


A new update of Firefox, version 3.0.10, has been released to fix a bug that was re-introduced in the recent 3.0.9 update.

MFSA2009-23: Crash in nsTextFrame::ClearTextRun() is a critical vulnerability that caused frequent crashes for some users, particularly those who used the HTML Validator add-on.

Mozilla discovered that the bugs were similar to others fixed as security flaws in the past. The new update re-fixes the crash bugs. The advisory doesn't say it in so many words, but presumably these crash bugs could lead to arbitrary code execution, hence the "critical" rating. Firefox is no stranger to regression bugs.

The release notes also claim that this version fixes "a major stability issue," but the complete list of bugs fixed only lists two bugs, both of which appear to be variants of the security issue described above.


Roi Saltzman of IBM's Rational Application Security Group has reported to Google, and Google has fixed, a bug that could allow "...Chrome [to] load arbitrary and potentially malicious URIs using the ChromeHTML URI handler". Update Chrome to version 1.0.154.59, which fixes the issue.

Ironically, the bug requires the use of Internet Explorer as a launcher. When loaded in Internet Explorer, a specially crafted HTML page can launch Google Chrome with an arbitrary URI without requiring any user interaction. This is related to an old controversial issue with IE, that when it is used to launch protocol handlers, in this case the chromehtml:// handler, it does not sanitize the inputs before calling the handler, in this case Google Chrome. Much the same issue came up with IE and Firefox in 2007 with respect to the firefoxurl:// protocol.

In both cases the authors of the protocol-handling program, Firefox and Chrome, chose to characterize the bug as being in IE, but said they would fix it because Microsoft wouldn't. It seems to me the most you can claim is that it's a bug in both products, but it's principally a bug, in this case, in Chrome, because even if IE did everything they asked, that wouldn't excuse Google from sanitizing its own inputs.

Hat tip to Ryan Naraine at ZDNet.
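The post's conclusion, that a protocol handler must validate its own input regardless of what the launching browser does, is easy to show in code. The following is an added Python example, not Chrome's code or anything from the advisory: a handler entry point for the chromehtml: scheme that treats its argument list as untrusted. It assumes, as a design assumption for the example, that the handler forwards the target URL to another process's command line, which is why whitespace and quote characters are rejected after percent-decoding; the allowed target schemes and the example hostnames and switch names are constructed.

```python
from urllib.parse import urlsplit, unquote

HANDLER_SCHEME = "chromehtml"            # the handler scheme named in the post
ALLOWED_TARGET_SCHEMES = {"http", "https"}  # assumed policy for this example
# Characters that would let a single argument be re-split or re-quoted if it is
# forwarded to another process's command line (assumed handler behaviour).
FORBIDDEN_CHARS = set(' \t\r\n"\'')


def extract_target(handler_uri):
    """Strip the 'chromehtml:' prefix (with or without '//') and percent-decode the
    rest. Decoding happens before validation so an encoded space or quote cannot
    slip past the character check."""
    prefix = HANDLER_SCHEME + ":"
    if not handler_uri.lower().startswith(prefix):
        raise ValueError(f"not a {HANDLER_SCHEME}: URI")
    return unquote(handler_uri[len(prefix):].lstrip("/"))


def validate_handler_invocation(argv):
    """Return the single URL the handler may open, or raise ValueError.

    The launching application is treated as untrusted, which is the post's point:
    whatever IE passes along, the handler validates its own input."""
    if len(argv) != 1:
        raise ValueError(f"expected exactly one argument, got {len(argv)}")
    target = extract_target(argv[0])
    if target.startswith("-"):
        raise ValueError("argument looks like a command-line switch")
    if FORBIDDEN_CHARS & set(target):
        raise ValueError("argument contains whitespace or quote characters")
    parts = urlsplit(target)
    if parts.scheme.lower() not in ALLOWED_TARGET_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} may not be opened through the handler")
    if not parts.hostname:
        raise ValueError("target has no host")
    return target


def handler_rejects(argv):
    """Convenience wrapper: True if validation raises."""
    try:
        validate_handler_invocation(argv)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    import sys
    try:
        print("would open:", validate_handler_invocation(sys.argv[1:]))
    except ValueError as err:
        print("rejected:", err)
```

Validation is applied to the decoded form of the argument, so "%20--constructed-switch" is caught just as a literal space would be; that ordering is what makes the check independent of how carefully the launcher encoded the URI.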


Salma Hayek is into designer clothes delivered to her apartment, "Japanese face massages," and iPhone apps from the iTunes store according to the screen shots posted by the hackers who busted into her mac.com account. It's all pretty mundane stuff in the life of the rich and famous.

The lesson to learn from this, other than how to dress like Salma, is how to choose a secure password and secure account-recovery answers. The hack, posted on 4chan, was accomplished with knowledge of Hayek's birthday (September 2) and "her best known movie role," which were then used to reset the password. It's the same sort of problem Alaska Governor Sarah Palin faced when someone hacked her Yahoo! Mail account during last year's campaign. Your secret questions really should be personal things that strangers can't easily determine. Famous people need to be especially careful, since the details of their lives are more readily available.

Security Watch is brought to you by the editors and analysts of PC Magazine. It's your resource center for everything related to tech security. We'll bring you all the latest news, review summaries and advice on security-related topics. What's the latest threat, or other piece of malicious software, coming your way? We'll let you know. How can you protect your online identity? We've got it covered. Our goal: We want to help keep you and your computer safe!

Copyright © 1996-2009 Ziff Davis Publishing Holdings Inc. All Rights Reserved. PC Magazine, the PCMag.com logo and Gearlog are registered trademarks of Ziff Davis Publishing Holdings Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.