The Mac Security Blog

Another Security Update for Adobe Reader and Acrobat

Well, at least Adobe meets their schedules. They announced, some three weeks ago, that they would patch a zero-day vulnerability that affects Flash (already fixed) and the Acrobat product family at the end of June. And here we are at the end of June and Adobe has released fixes for these programs.

The fix is for Adobe Reader and Acrobat, versions 9.3.2 and earlier, for Windows and Macintosh (and Reader for Unix). Adobe discusses the vulnerabilities in a security bulletin, and that document also contains links to downloads, though users can use the programs’ auto-updaters as well to apply the fixes.

Adobe considers these vulnerabilities to be critical, and all users should update their software.

Google Changes Secure Search URL

Last month, Google announced a secure search URL, which you can use to send search terms and receive results from the search engine in encrypted form. This means that using this URL will prevent anyone sniffing on a network from detecting what you’re searching for.

However, Google has had to change the URL to https://encrypted.google.com, apparently under pressure from educational institutions so students’ searches will not bypass content filters. Using the old URL, https://www.google.com, meant that it was not possible to block the use of the encrypted search feature, because the only difference in the URL is the https prefix instead of http. With the new URL, schools can block encrypted.google.com, so such searches will not be possible and content filters will be able to block searches and results.

What does this mean for the rest of us? Just that you need to update your bookmark if you do use the encrypted Google search page.
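The filtering problem described above, as an added example that is not part of the original post: a toy model of a school filter that sees the full URL for http but only the hostname for https. It assumes the filter does not intercept TLS; the blocked keyword, the `q` parameter and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

BLOCKED_TERMS = {"casino"}  # constructed keyword policy


def visible_to_filter(url):
    """Return (host, query) as an on-path filter without TLS interception sees it."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return parts.hostname, None   # only the hostname leaks; the query is encrypted
    return parts.hostname, parts.query


def filter_decision(url, blocked_hosts, blocked_terms=BLOCKED_TERMS):
    host, query = visible_to_filter(url)
    if host in blocked_hosts:
        return "block"
    if query is not None:             # keyword inspection only works on cleartext
        for value in parse_qs(query).get("q", []):
            if any(term in value.lower() for term in blocked_terms):
                return "block"
    return "allow"


def compare_policies():
    """Run three filter policies over constructed requests, before and after the URL change."""
    plain_bad = "http://www.google.com/search?q=casino"
    plain_ok = "http://www.google.com/search?q=algebra"
    before = [plain_bad, plain_ok, "https://www.google.com/search?q=casino"]
    after = [plain_bad, plain_ok, "https://encrypted.google.com/search?q=casino"]
    return {
        # Old URL, keyword rules only: the encrypted search slips through.
        "old_url_keywords_only": [filter_decision(u, set()) for u in before],
        # Old URL, host blocked: the harmless cleartext search is lost too.
        "old_url_block_www": [filter_decision(u, {"www.google.com"}) for u in before],
        # New URL: one host rule stops encrypted search, keyword rules cover the rest.
        "new_url_block_encrypted": [
            filter_decision(u, {"encrypted.google.com"}) for u in after
        ],
    }


if __name__ == "__main__":
    for policy, decisions in compare_policies().items():
        print(policy, decisions)
```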

Intego VirusBarrier X6 Named Best Security Suite for Mac by ConsumerSearch

ConsumerSearch, a web site that rates products based on reviews on other sites, has named Intego VirusBarrier X6 the best Mac security suite. ConsumerSearch has looked at reviews in the press and user reviews to determine this rating. This site, which is run by about.com, in turn owned by the New York Times Company, has an impressive list of products analyzed and rated. Intego is proud to be yet again recognized for the quality of its software.

Firefox Update: Security Fixes and Plug-In Crash Protection

The Mozilla Foundation has released an update to its Firefox web browser, which includes a number of security fixes as well as a feature called “Crash Protection”, which claims to ensure that when plug-ins crash, the web browser will keep on working, once users refresh the page they are viewing. Since Firefox relies on many third-party plug-ins – optional, but widely used – this feature, which is described on the Mozilla Developer Central blog, should “significantly reduce the number of Firefox crashes experienced by users who are watching online videos or playing games.” However, this crash protection feature is not yet available for the Mac OS X version of Firefox, and there’s no information as to when it will be.

As for security fixes, the Mozilla Foundation discusses them in two security advisories (here and here), calling them critical.

As always, users can update their copy of Firefox by using the program’s built-in update function, or download a fresh copy here.

Apple Updates Security Guide for Snow Leopard Server

Apple has updated its Mac OS X Security Configuration Guide for Snow Leopard Server (the client version has been available for a while). You’ll find it on this page, which has links to versions of this document for both client and server versions of Mac OS X stretching back to Panther (10.3). These documents are well worth a read if you’re in an enterprise environment, and contain plenty of tips on hardening your computers, and removing or turning off certain functions or features that could pose security risks.

Opera Web Browser Update Features Secret Security Fixes

In the security business, it’s generally the rule to publish information about security patches: what they fix, or at least the type of threat that has been mitigated. Opera has updated its web browser, and their changelog for the latest version lists several security issues, but some of their descriptions read,

Fixed an extremely severe issue; details will be disclosed at a later date.
Fixed a moderately severe issue; details will be disclosed at a later date.
Fixed a less severe issue; details will be disclosed at a later date.

This is quite odd, but it seems that these issues may also affect other browsers. In a Cnet article, Opera spokesman Thomas Ford “explained that this was because of responsible disclosure practices, contingent upon agreements with each individual security researcher, and that other browser publishers may not have yet had time to patch their browsers.” So we may be dealing with issues that pose threats to other browsers, which may need to be updated as well. We’ll keep you posted.

In the meantime, if you use Opera, make sure you download the latest version.