The Mac Security Blog

Adobe Releases Updates to Address Critical Vulnerabilities in Reader and Acrobat

Adobe has released updates to its Reader and Acrobat PDF viewing and editing software to address two critical vulnerabilities, already patched in the Windows 9.x versions of these programs in December, as well as four other issues. These vulnerabilities “could cause the application to crash and potentially allow an attacker to take control of the affected system.”

More information about the update, along with download links, is available here.

Zero-Day Adobe Reader Flaw Leads to Attacks (But Not on Macs, Yet)

Adobe has issued a security advisory regarding a zero-day vulnerability that is being exploited in the wild against Windows computers. This critical flaw affects Adobe Reader and Acrobat for Mac, as well as Windows and Unix, but attacks are only being seen against Windows computers for now. As Adobe says in their security advisory:

This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.

So, Mac users don’t need to worry yet. However, given that “Adobe categorizes this as a critical issue,” there will be a fix for the Mac versions of these programs “as part of the next quarterly update scheduled for January 10, 2012.”

These kinds of zero-day attacks are increasingly common against Adobe Reader and Acrobat, as PDFs are ubiquitous. As of yet, we have not seen any of these attacks target Macs, but it is certainly possible that Macs will be attacked in the future.

Remember, you can use Preview to view and annotate PDFs on Mac OS X. Unless you need special features that are present in Adobe’s software, this is the safest thing to do.

Yet Another Flash Player Security Update

Adobe has released yet another update to Flash Player, fixing a dozen vulnerabilities, some critical. This brings the program up to version 11.1.102.55. Adobe’s security bulletin discusses the vulnerabilities that are patched.

It’s worth noting that the main Mac we use for writing these blog posts has not been updated for several versions of Flash – it’s currently running 10.3.183.5 – and we have never received any sort of alert that a new version was available. Contacting Adobe offered no answer as to why this occurs, and we know many people who have also not gotten alerts for updates.

So don’t trust Adobe’s “auto-updater,” and check yourself when you read about new versions. You can use the Flash Player preference pane, which is in System Preferences, to see the version of Flash Player you have, and you can click the Check Now button to go to a web page which will tell you if you are up to date or not.
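The same check from the command line, as an added example that is not code from the original post or from Adobe: it reads the installed Flash Player version from the plugin bundle and compares it component by component against the version named in this post. It assumes the plugin’s Info.plist sits at the system-wide path below and carries a CFBundleShortVersionString key.

```shell
#!/bin/sh
# Added example, not code from the original post or from Adobe: check the Flash
# Player version installed on a Mac against the version the post names as
# current, instead of relying on Adobe's auto-update alerts.
# Assumptions: the plugin's Info.plist is at FLASH_PLIST (system-wide plugin
# location) and carries CFBundleShortVersionString; adjust if yours differs.

FLASH_PLIST="/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"
LATEST_FLASH="11.1.102.55"    # version named in the post

# version_older A B: exit 0 when A is older than B. Each dotted component is
# compared numerically; a plain string compare would rank 9.0.x above 10.3.x
# and miss an outdated install.
version_older() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0   # missing trailing components count as 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1                            # equal versions are not "older"
  }'
}

# Read the installed version from the plugin bundle (macOS only).
installed_flash_version() {
  [ -f "$FLASH_PLIST" ] || return 1
  /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$FLASH_PLIST"
}

# flash_status INSTALLED LATEST: print "outdated" or "current".
flash_status() {
  if version_older "$1" "$2"; then echo outdated; else echo current; fi
}

if installed=$(installed_flash_version 2>/dev/null); then
  echo "Flash Player $installed is $(flash_status "$installed" "$LATEST_FLASH") (latest: $LATEST_FLASH)"
else
  echo "No Flash Player plugin found at $FLASH_PLIST; nothing to check"
fi
```

Run it after each Adobe bulletin with LATEST_FLASH set to the version the bulletin names; browsers that bundle their own Flash copy keep it elsewhere and are not covered by this path.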

To get the latest version of Flash Player, go to the Adobe Flash Player Download Center. Adobe has also created a patched version of Flash Player 10, for those who cannot run Flash Player 11; you can get that here.

The company has also updated Adobe Air: you can get the latest version, 3.1.0.4880 here.

We’re curious: do you get auto-update alerts for Flash Player on your Mac? Let us know in the comments.

Adobe Issues Security Update for Shockwave Player

Adobe has issued a security update for its Shockwave Player plugin, patching vulnerabilities that “could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.” The update corrects four memory corruption vulnerabilities. The new version is 11.6.3.633, and is available here.

Adobe Fixes Flash Flaw, and You Don’t Have to Worry

Security researcher Feross Aboukhadijeh discovered a flaw in Adobe Flash that could allow malicious users to “turn on your webcam and microphone without your knowledge or consent to spy on you.” You may not realize this, but one of the “features” in Flash is the ability for Flash objects to utilize your webcam (or iSight camera) and microphone. Ostensibly, this is so you can interact via Flash with other users, but we’ve never seen this in actual use.

It turns out that a sophisticated clickjacking technique could allow malicious users to set up a web page using CSS opacity to hide the Adobe Flash Settings Manager (a Flash object, naturally, that adjusts settings on your computer), and overlay it with buttons. When you click a button that seems to do something you want to do, the hidden Settings Manager setting gets turned on. Aboukhadijeh has set up a demo page where you can see how this works.

Adobe has fixed their Settings Manager so this problem can no longer occur. Nevertheless, you might want to go to the Settings Manager page and, on the Global Privacy Settings tab, check Always Deny for the Camera and Microphone settings. Unless you have actually used a webcam and microphone with Flash, or plan to do so, there’s no reason for these settings to be active.

Zero-Day Flash Vulnerability Prompts Rushed Update

Adobe has released updates to its Flash Player software to correct a zero-day vulnerability that is being exploited in the wild. According to Adobe:

There are reports that one of these vulnerabilities (CVE-2011-2444) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. This universal cross-site scripting issue could be used to take actions on a user’s behalf on any website or webmail provider if the user visits a malicious website.

All users of Flash Player should update the software as soon as possible to version 10.3.183.10. You can download a new version of Flash here.