The Mac Security Blog

Adobe Plugs 20 Holes in Shockwave Update

Adobe has released an update to its Shockwave Player, fixing 20 vulnerabilities that the company considers to be critical. “The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.” Users should update to Shockwave Player 11.5.8.612, downloading it from this page.

Mac OS X Security Update Fixes Over A Dozen Flaws

Apple has issued Security Update 2010-005, an 84 MB update that fixes a baker’s dozen flaws in Mac OS X 10.5 and 10.6, both client and server versions. One of the vulnerabilities that is corrected is described as follows:

A stack buffer overflow exists in Apple Type Services’ handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.

This flaw is similar to the “jailbreak vulnerability” that Apple fixed on its iOS. (We discussed the iOS update two weeks ago.)

Other fixes in this update cover networking and CoreGraphics, and the update also brings PHP to version 5.3.2.

Full information about the update is available here. You can get the update, as usual, through Software Update, or by download from Apple’s Downloads page.

Google Patches 10 Flaws in Chrome Update

Google has released an update to its Chrome browser, patching ten security flaws, which range from “medium” to “critical.” Since the program updates itself automatically, users shouldn’t have to do anything. But you can check in the Chrome menu > About Google Chrome to see if the update has been applied.

Adobe Rushes Out Update for Black Hat Vulnerability

At the recent Black Hat security conference, a vulnerability in Adobe’s Acrobat and Reader software was demonstrated. This vulnerability “could cause the application to crash and could potentially allow an attacker to take control of the affected system,” and affects Adobe Reader and Acrobat 9.3.3 (and earlier), and Adobe Reader and Acrobat 8.2.3 (and earlier). Adobe considers this a critical vulnerability. This affects versions of these programs for Windows, Mac and Unix.

More information is available from Adobe’s security bulletin. Mac users can download Adobe Reader here, and can download Acrobat here. You can also use the programs’ auto-update features.

iPhone Security in the Enterprise

With iPhones becoming more popular, one important aspect of whether companies adopt the device is how they can manage and secure such phones. A Macworld article examines the possibilities for doing such things in an enterprise environment, and discusses the new security features added to iOS 4. It covers native security features, but also looks at third-party management servers that can be used with the iPhone. This is a long, fairly complex article, but those who are faced with the challenge of integrating the iPhone into a broader corporate security policy will find that it offers many answers, as well as suggestions for how to go further and solve this problem.

600 Posts!

The Mac Security Blog hit a milestone today with its 600th post. For the past three years, we have been serving the Mac community with timely, essential information on Mac security, an area that is not well covered by other web sites. We’re very happy to have come this far, and we plan to continue our efforts to provide Mac users with the security information they need in the years to come.