
A few days ago, we wrote about a zero-day Adobe Acrobat and Reader flaw, for which active exploits have been seen in the wild. Adobe has announced that they will patch this flaw with their next quarterly update, due to be issued on January 12. Why will it take them so long?
Computerworld looks at the question and talks to Brad Arkin, Adobe’s director for product security and privacy. Adobe, it seems, doesn’t have the manpower to push out a patch more quickly, and is worried about disturbing its quarterly patch cycle, the next release of which is due on January 12. Arkin gives all sorts of reasons why he thinks this is a good idea, but for users it’s certainly not. It leaves tens of millions of people exposed for nearly a month to a flaw that is already being exploited (so far only on Windows).
We’ll repeat our oft-cited recommendation: skip Acrobat and Reader unless you really need them. Apple’s Preview does most of what you need with PDFs, unless you’re creating complex documents. If you must use the Adobe software, turn off JavaScript: in Adobe Reader or Acrobat, choose Preferences > JavaScript, then uncheck Enable Acrobat JavaScript.

The Mozilla Foundation has issued a security update to the Firefox web browser, fixing 10 flaws, 5 of them deemed critical. The organization describes these flaws in their security bulletin:
Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
Update your version of Firefox using the program’s auto-update feature, or download the latest version here.

Yesterday, in an article about a zero-day Adobe Acrobat and Reader threat, we posted instructions for deactivating JavaScript in these two applications. There is little need for it to ever be enabled anyway, so you might as well turn it off to protect yourself against the current threat, and against future JavaScript-based vulnerabilities in these programs.
Adobe has issued a security bulletin telling users how to deactivate JavaScript. So if you missed it, here’s what you need to do. In Adobe Reader or Acrobat, choose Preferences > JavaScript, then uncheck Enable Acrobat JavaScript. That’s it; with that option unchecked, the current exploit cannot run. Keep it unchecked unless you know that you absolutely have to use JavaScript in one of these applications, and bear in mind that this only blocks attacks delivered through JavaScript, not flaws elsewhere in the PDF parser.

We have talked here in the past about rogue security software (nothing to do with Sarah Palin): software that pretends to be security software but turns out either to do nothing, apart from collecting the money you paid for it, or to install spyware or other malware. (See the articles here and here, as well as a discussion of the economics of scareware.)
The Internet Crime Complaint Center has issued an intelligence note warning that such scareware poses a serious threat to computer users. Many of these programs start by displaying pop-up ads telling you that your computer is compromised:
An ongoing threat exists for computer users who, while browsing the Internet, began receiving pop-up security warnings that state their computers are infected with numerous viruses.
Beyond the money that users pay for software they think will rid them of (non-existent) security threats, the note warns:
Downloading the software could result in viruses, Trojans and/or keyloggers being installed on the user’s computer. The repercussions of downloading the malicious software could prove further financial loss to the victim due to computer repair, as well as cost to the user and/or financial institutions due to identity theft.
What’s most interesting in this alert is that this turns out to be very big business: the FBI reports that scareware has already cost victims of these scams some $150 million.
We’ve said it here before, but it’s worth repeating: computer security is too serious an issue to trust to companies that just happen to pop up in your search results. Trust a brand like Intego, which has more than ten years of experience and specializes in Mac security software. Intego VirusBarrier X5 also ensures that you don’t get tricked, by blocking all known Mac scareware. So keep your Mac safe, but make sure you choose the right software to do so.

Just last week, we reported on the latest security update to Adobe’s Flash. Installed on nearly every personal computer in the world, Flash is used for a wide range of animation and rich content delivery: you see Flash ads with simple graphics, you come across games that use Flash for online play, and when you watch a YouTube video, you’re using Flash to view it.
Infoworld discusses Flash’s “security woes” in an in-depth article about recent vulnerabilities and how Adobe handles security. It lists a number of issues, then goes on to ask, “Is Adobe immature when it comes to security?”
Obviously, the answer to that question depends on who you ask. Adobe doesn’t think it is immature: “Adobe is vigilant in doing everything that we can to prevent any new vulnerabilities from being introduced and also [in] reacting swiftly to any vulnerabilities that are identified after we ship a product,” said Brad Arkin, Adobe’s director of product security and privacy. But we see, time and again, that Adobe drags its feet in releasing patches for Flash.
Part of this is because Adobe has moved to a scheduled quarterly patch release, copying Microsoft’s “Patch Tuesday” (though Microsoft patches monthly, not quarterly). Releasing patches once every three months is far from sufficient to deal with the number of vulnerabilities found in Flash, as well as in other popular Adobe software such as Shockwave and Adobe Reader.
To make matters worse, Apple shipped Snow Leopard with an insecure version of Flash. Because of the time it takes to get such third-party software integrated into the operating system, the version of Flash provided with Snow Leopard did not have the latest security fixes.
The biggest problem for Flash on Mac OS X, however, is that in practice the software is never updated automatically: Flash itself does not check for updates in any way we have seen. As we said recently:
Unfortunately, most users rarely update Flash, since it’s not an application and doesn’t do automatic checks for updates. Given the risks of infected Flash content, and the ability for that content to run on any web page with no user interaction, Adobe should add some kind of auto-update check to the Flash plug-in. As it stands, the only way users know they need to update the software is when they read an article such as this, or if, in rare cases, they visit a page that requires a specific version of Flash and they find that their plug-in is out of date.
Adobe says there is an auto-update function in Flash Player, and explains how administrators can configure it. However, we have never seen an update notification on any of our Macs, in years of use. We have asked friends and colleagues, and they, too, have never seen such notifications. If you open the Flash Player Global Notifications settings panel, you’ll likely be under the impression that the software is set to check for updates; the setting is checked by default. Yet it doesn’t seem to work on Macs.

Adobe says, on this page, “Automatic notification is available on all Microsoft Windows platforms for the following browsers: Microsoft Internet Explorer, AOL, Mozilla, Netscape, or Opera.” This suggests that the auto-update feature does not work on Mac OS X. Yet it seems that 80% of computer users are running out-of-date Flash Player plug-ins, so even on Windows the feature either doesn’t work, or doesn’t work very well. The Mozilla Foundation recently announced that Firefox 3.6 will include a built-in check for outdated plug-ins, such as Flash Player.
It is surprising that Adobe does not offer a working auto-update feature for Flash on every platform. For Mac users, the only time most of them update Flash is when Apple includes a Flash update in one of its Mac OS X system or security updates.
Until Adobe ships a working auto-update system for Flash, Mac users will remain at risk. Whether or not Adobe patches Flash Player changes little in practice, because most Mac users probably never update their copy of Flash unless the update arrives as part of an operating system update.
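Since Flash Player on the Mac gives no warning when it is out of date, the check has to be done by hand: read the version of the installed plug-in and compare it with the version named in Adobe’s bulletin. The script below is an added example written for this post, not Adobe’s or Intego’s code. The plug-in path and the CFBundleShortVersionString key are assumptions about how the Mac plug-in bundle is laid out, and the Info.plist embedded in the script is a constructed stand-in so that the comparison can run on any machine.

```python
import plistlib
import re
import sys
from typing import Tuple

# Assumed location of the browser plug-in bundle on Mac OS X (not stated on this page).
FLASH_PLUGIN_PLIST = "/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"

# Constructed stand-in for the bundle's Info.plist so the check can run offline.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.macromedia.Flash Player.plugin</string>
  <key>CFBundleShortVersionString</key>
  <string>10.0.32.18</string>
</dict>
</plist>
"""


def version_tuple(version: str) -> Tuple[int, ...]:
    """Normalise a Flash version string to four integers.

    Accepts the dotted form used in Info.plist ("10.0.32.18"), the comma form
    Flash reports through its $version variable ("MAC 10,0,32,18"), and shorter
    strings ("10.0.42"), which are padded so that 10.0.42 compares as 10.0.42.0.
    """
    digits = re.findall(r"\d+", version)
    if not digits:
        raise ValueError(f"no version number in {version!r}")
    parts = tuple(int(d) for d in digits[:4])
    return parts + (0,) * (4 - len(parts))


def installed_version_from_plist(plist_bytes: bytes) -> str:
    """Pull the version string out of an Info.plist."""
    return plistlib.loads(plist_bytes)["CFBundleShortVersionString"]


def installed_version(path: str = FLASH_PLUGIN_PLIST) -> str:
    """Read the version of the plug-in actually installed on this Mac."""
    with open(path, "rb") as fh:
        return installed_version_from_plist(fh.read())


def is_outdated(installed: str, minimum_fixed: str) -> bool:
    """True when the installed plug-in predates the release that carries the fix."""
    return version_tuple(installed) < version_tuple(minimum_fixed)


if __name__ == "__main__":
    # Usage: python flash_check.py <fixed-version-from-adobe-bulletin> [path-to-Info.plist]
    if len(sys.argv) < 2:
        sys.exit("usage: flash_check.py FIXED_VERSION [INFO_PLIST]")
    current = installed_version(sys.argv[2]) if len(sys.argv) > 2 else installed_version()
    verdict = "OUT OF DATE" if is_outdated(current, sys.argv[1]) else "up to date"
    print(f"Flash Player {current} is {verdict} (fix shipped in {sys.argv[1]})")
```

Pass the version number from Adobe’s bulletin as the first argument; the script compares it component by component rather than as a string, so 10.0.45 is correctly seen as newer than 10.0.32.18 even though "10.0.32.18" sorts after "10.0.45" alphabetically.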

Adobe is investigating reports of a new zero-day attack against its Adobe Acrobat and Reader software that has been spotted in the wild. In a post on the Adobe security blog, the company says, “This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild.”
Adobe says little more about this vulnerability, but Shadowserver provides more information:
Several tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable.
As to the cause of the vulnerability, Shadowserver tells us that they “have examined multiple different copies of malicious PDFs that exploit this issue,” and that “this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself.”
For now, the safest way to deal with this is simply to deactivate JavaScript. There are very few reasons to use JavaScript in PDFs to begin with, and it is, as we have seen over time, one of the most common attack vectors against both PDF readers such as Adobe Reader and web browsers.
In Adobe Reader or Acrobat, choose Preferences > JavaScript, then uncheck Enable Acrobat JavaScript.
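Shadowserver’s finding that the flaw sits in a JavaScript function reached through malicious PDFs suggests a second line of defence alongside turning JavaScript off: triaging a PDF before opening it. The script below is an added example written for this post, not code from Intego, Adobe or Shadowserver. It looks for the PDF name tokens that introduce active content (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile), undoes the #xx hex escapes attackers use to hide those names from simple searches, inflates /FlateDecode streams so hidden script is inspected, and flags the unescape("%u...") strings that exploit scripts typically use to carry shellcode. The two PDFs it scans are constructed inside the script; the “scripted” one carries a harmless alert, not an exploit. It is a heuristic triage tool, not a parser: it will miss names inside object streams it does not decode, and it cannot tell you whether a script it finds is actually malicious.

```python
import re
import sys
import zlib

# PDF name tokens that introduce active or externally-triggered content
# (document-level JavaScript, open/additional actions, launch actions, attachments).
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

# stream ... endstream bodies; the lookbehind stops "endstream" from starting a match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# unescape("%uXXXX%uXXXX...") runs are the classic way exploit JavaScript carries shellcode.
SHELLCODE_RE = re.compile(rb"unescape\(\s*[\"'](?:%u[0-9A-Fa-f]{4}){2,}")
# PDF names may hex-escape characters: /Java#53cript is the same name as /JavaScript.
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _decode_name_escapes(view: bytes) -> bytes:
    """Undo #xx escapes so obfuscated names match the plain spelling."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), view)


def _stream_bodies(data: bytes):
    """Yield every stream body, inflated when the owning dictionary says /FlateDecode."""
    for m in STREAM_RE.finditer(data):
        head = data[max(0, m.start() - 256):m.start()]  # dictionary just before "stream"
        body = m.group(1)
        if b"/FlateDecode" in head:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # corrupt or deliberately broken stream: fall back to the raw bytes
        yield body


def scan_pdf(data: bytes) -> dict:
    """Count suspicious names and shellcode-style strings in the raw file and in each stream."""
    counts = {name.decode(): 0 for name in SUSPICIOUS_NAMES}
    counts["unescape_shellcode"] = 0
    for view in (data, *_stream_bodies(data)):
        view = _decode_name_escapes(view)
        for name in SUSPICIOUS_NAMES:
            # Names are delimited tokens: /JS must not match a longer name that starts with /JS.
            pattern = re.escape(name) + rb"(?![0-9A-Za-z_])"
            counts[name.decode()] += len(re.findall(pattern, view))
        counts["unescape_shellcode"] += len(SHELLCODE_RE.findall(view))
    return counts


def has_active_content(data: bytes) -> bool:
    """Conservative verdict: any JavaScript or launch action means do not open it with JavaScript on."""
    c = scan_pdf(data)
    return (c["/JavaScript"] + c["/JS"] + c["/Launch"]) > 0


# ---- constructed samples: minimal hand-written PDFs, not real exploit files ----
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A harmless script that merely looks like exploit code (NOP-like %u9090 run, no payload).
SAMPLE_JS = b'var sc = unescape("%u9090%u9090"); app.alert("constructed sample");'


def build_sample_pdf(js_source: bytes) -> bytes:
    """Build a PDF whose catalog runs a hex-escaped JavaScript action on open, with the
    script held in a Flate-compressed stream, the way malicious PDFs hide their code."""
    compressed = zlib.compress(js_source)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n",
        b"4 0 obj << /S /Java#53cript /JS 5 0 R >> endobj\n",
        b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed),
        compressed,
        b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    # Usage: python pdf_triage.py file.pdf [...]; with no arguments, scan the built-in samples.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("benign sample", BENIGN_PDF), ("scripted sample", build_sample_pdf(SAMPLE_JS))]
    for label, pdf in targets:
        flag = "SUSPICIOUS" if has_active_content(pdf) else "clean"
        print(f"{label}: {flag} {scan_pdf(pdf)}")
```

Run it with no arguments to scan the two built-in samples, or pass PDF paths. A file that scores on /JavaScript or /JS is one to open only with Enable Acrobat JavaScript unchecked, if at all; a clean score is not a guarantee, since the file may still target a non-JavaScript bug in the reader.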