
Microsoft has released updates for Office 2004 and 2008, which include security fixes for “vulnerabilities that an attacker can use to overwrite the contents of your computer’s memory with malicious code.”
The Microsoft Office 2004 11.5.8 update is a mere 9.7 MB, and the Microsoft Office 2008 12.2.4 update is 221.5 MB.
If you use Office, it’s a good idea to keep up with these updates, as they not only provide security fixes, but also improve performance and stability. If you haven’t kept up with Office updates, you cannot, unfortunately, apply the latest update without applying previous updates. (Microsoft does not make any combo updates like Apple does.) So you can find previous updaters for your software on this page.
An InfoWorld article, Underrated computing threats that you need to know about, looks at a number of threats to your computer’s security that don’t come directly from malware. Traditionally, malware is considered to be viruses, worms, or Trojan horses, all types of malicious code that either duplicates itself (viruses and worms) or inserts code, and often executables, onto your computer (Trojan horses).
But with the rise in attacking techniques, malware writers have been looking at new ways to attack your computer. Some of these methods take advantage of vulnerabilities in software such as Adobe Flash or Acrobat, two programs that have shown a number of weaknesses in recent times. These are especially dangerous, because you can just visit a web site and get hit.
One common manifestation [. . .] comes when the user visits a Web site with a Flash-powered banner ad. No clicking required: as soon as the ad comes up, it delivers its payload. Sometimes it also comes in the form of one of Adobe’s other products — for example, an infected .PDF document, which opens spontaneously upon visiting an ad.
While attacks of this type are not yet targeting Macs, it is highly possible that they will in the future.
Threats also come from Firefox plug-ins, QuickTime flaws, and weaknesses in other applications. There are also risks in following short URLs, the kind used on Twitter posts, because you can’t see where they lead until you get there.
Finally, DNS poisoning is a way of hijacking routers so their DNS servers take users to bogus web sites; a highly sophisticated form of phishing.
It’s worth keeping in mind that the threats to your computer are more than just malware, and especially more than simply viruses. Because of these new threats, Intego added a whole range of new defensive features in its VirusBarrier X6. From a two-way firewall to web threat protection, VirusBarrier X6 protects Macs from network threats as well as malware.

OpenOffice.org has issued version 3.2 of its productivity suite, which contains a half-dozen security fixes. In addition to a whole slew of new features, this version protects against a number of vulnerabilities. It’s not clear whether these vulnerabilities affect Macs, but users of this suite should still update to the latest version, by downloading it here.

The Mozilla Foundation has issued security updates for older versions of its Firefox browser, patching versions 3 and 3.5 to correct a critical vulnerability. If you’re running the latest version of Firefox – version 3.6 – you don’t have to worry, but if, for some reason, you’re running one of these older versions, you should update them now.
The Mozilla Foundation’s security advisory states:
Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
Use Firefox’s built-in updater, or download a new version of the browser here. The new versions are 3.0.18 and 3.5.8, respectively. Note that this update also applies to other Mozilla Foundation software, Thunderbird and SeaMonkey.

Adobe has issued a security bulletin announcing security fixes for its Reader and Acrobat software. This follows a recent out-of-band update for Flash just last week. Adobe calls the vulnerability critical, and describes it as follows:
this vulnerability . . . could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability . . . has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe says it does not know of any attacks exploiting this vulnerability in the wild, but the urgency of this release suggests that it is very dangerous.
At the same time, Computerworld reports that 80% of all exploits come through rogue PDF files. Citing a report from ScanSafe, they quote Mary Landesman, a ScanSafe senior security researcher, who says, “Attackers are choosing PDFs for a reason. It’s not random.” Landesman also says that attackers are using PDFs as a vector for attack because they are successful.
Intego has long pointed out that malware is not limited, as many Mac users think, to viruses alone. This is one reason why Intego’s new VirusBarrier X6 combines standard malware protection with powerful network protection features, allowing the program to stop new types of attacks. While other anti-malware software for Mac is limited to a signature-based approach in detecting malware, VirusBarrier X6 uses combined threat detection techniques to stop all types of attacks.

Google Buzz, the recently-announced social networking tool, designed to integrate with Gmail, the company’s free, web-based e-mail, has had a rough time since its unveiling. First, the company turned it on for all Gmail accounts, without asking users. Then, its default setting was that users’ contacts were published on their Google Buzz profiles; a serious violation of privacy that Google had to tweak. In addition, mobile users’ locations are posted whenever they send any messages using Buzz, raising other issues.
But beyond that, a cross-site scripting flaw has been found in Google Buzz’s underlying code. Computerworld reports that attackers can add their own code to “trusted web sites such as google.com” and create phishing attacks using Google domain pages.
Unfortunately, Google doesn’t give a hoot about privacy, with its CEO Eric Schmidt having said, on CNBC, “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” With a company that has this type of cavalier attitude toward privacy, is it really safe to trust them with confidential information such as e-mail?
For example, Chris Matyszczyk writing at CNet, recently highlighted the highly personal nature of ads that display on his Gmail page. Is it worth that type of intrusion just to get free e-mail?
Finally, spammers have already latched on to Google Buzz, so it’s going to end up like all the other “social networks” that are so full of spam that they just become annoying.
You might want to opt out of Buzz; to do this, look at the bottom of your Gmail page for the “Turn off Buzz” link and click it. (Though that might not be enough; you may have to purge all your followers first.) Because if you have a Gmail account and don’t turn it off, it’s on by default, and with the number of privacy and security issues found so far, it may be best just to ignore it.
Follow-up: Macworld UK is reporting that EPIC (the Electronic Privacy Information Center) has filed a complaint with the Federal Trade Commission in the US against Google for Buzz privacy issues. The complaint begins as follows:
This complaint concerns an attempt by Google, Inc., the provider of a widely used email service to convert the private, personal information of Gmail subscribers into public information for the company’s social network service Google Buzz. This change in business practices and service terms violated user privacy expectations, diminished user privacy, contradicted Google’s own privacy policy, and may have also violated federal wiretap laws. In some instances, there were clear harms to service subscribers. These business practices are Unfair and Deceptive Trade Practices, subject to review by the Federal Trade Commission (the “Commission”) under section 5 of the Federal Trade Commission Act.