If it seems like Adobe's Acrobat Reader is constantly under attack, well, that's because there's some truth to it. The latest threat comes in the form of another zero-day bug being exploited in targeted attacks, Adobe said.
Not a whole lot of information has been made available on the newest threat, though according to an advisory from VUPEN Security, the vulnerability in question is an unspecified memory corruption error that occurs when users open a specially crafted PDF file. VUPEN says the bug can be exploited remotely.
"Adobe plans to resolve this issue as part of the upcoming Adobe Reader and Acrobat quarterly update, scheduled for release on October 13," blogged David Lenoe of the Adobe Product Security Incident Response Team. "Adobe Reader and Acrobat 9.1.3 customers with DEP (Data Execution Prevention) enabled on Windows Vista will be protected from this exploit."
In the meantime, Johannes Ullrich, a researcher with the SANS Institute, says users can avoid the potential threat by first converting PDFs into another format, like PostScript, and then back into PDF form. At the same time, Ullrich warns this isn't 100 percent certain to remove the exploit, and mucking around with the file could actually infect the machine doing the conversion. Fantastic.
Anyone else using Foxit Software's super-lean freebie PDF reader, Foxit Reader?
It's a good thing most of us have long since moved on from dial-up, because come Tuesday, Microsoft said it will send out its largest-ever number of security updates to fix and plug holes in every version of Windows, including the first update for Windows 7 RTM. Internet Explorer, Office, SQL Server, Forefront Security client, and some developer tools will also be in the mix.
"Thirteen is not a lucky number," said Andrew Storms, director of security operations at nCircle Network Security, in response to the monster update scheduled for October 13. "They've been a busy bunch at Microsoft, that's for sure."
Microsoft will ship 13 updates in all next week, eight of them considered critical. That's enough to break the record of 12 updates shipped in February 2007 and October 2008.
Five of the updates will affect Windows 7, even though the OS has yet to formally launch. However, enterprises with volume licenses, party hosts, and others have been able to obtain and run the finalized OS for a while now.
Over 10,000 Hotmail email accounts were leaked to the web earlier this week as the result of a massive phishing scam, which may not have taken a whole lot of effort. After all, if you're going to choose "123456" as your password, compromising your account is like shooting fish in a barrel.
In this case, there were 64 said fish in a barrel full of over 10,000 compromised Hotmail accounts, making it the most commonly used password of the bunch, according to a researcher who combed through all the posted accounts.
About 42 percent of the passwords consisted of lowercase letters from "a" to "z," and just 6 percent secured their email accounts by mixing alpha-numeric characters. And almost 2,000 passwords were only six characters long (the longest was 30 characters).
An interesting side note - a bunch of the top 20 passwords were Spanish names, which might suggest that the victims were of Spanish origin or lived in Spanish-speaking communities, Wired.com reports.
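The composition breakdown described above (share of lowercase-only passwords, share mixing letters and digits, count of six-character passwords, longest entry, most common value) is straightforward to reproduce over any credential dump. The script below is an added example, not the researcher's or Wired.com's code; the password list is constructed for illustration, and the `fails_policy` rule is an assumed minimal policy showing how many of those passwords a basic check would have rejected.

```python
import re
from collections import Counter

# Constructed sample passwords (not the real Hotmail data), chosen to
# exercise each category the article mentions.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "alejandra", "alberto", "tequiero",
    "qwerty1", "Abc12345", "Correct-Horse-Battery-Staple-1", "secret",
    "pepito", "123456789",
]


def audit_passwords(passwords):
    """Compute the same composition statistics the article reports."""
    total = len(passwords)
    lowercase_only = sum(1 for p in passwords if re.fullmatch(r"[a-z]+", p))
    # "alpha-numeric mix": at least one letter and at least one digit
    alnum_mix = sum(1 for p in passwords
                    if re.search(r"[A-Za-z]", p) and re.search(r"\d", p))
    six_chars = sum(1 for p in passwords if len(p) == 6)
    most_common, count = Counter(passwords).most_common(1)[0]
    return {
        "total": total,
        "lowercase_only_pct": round(100 * lowercase_only / total, 1),
        "alnum_mix_pct": round(100 * alnum_mix / total, 1),
        "six_char_count": six_chars,
        "longest": max(len(p) for p in passwords),
        "most_common": most_common,
        "most_common_count": count,
    }


def fails_policy(password, min_len=8):
    """Assumed minimal policy: at least min_len chars and two character classes."""
    classes = sum(bool(re.search(rx, password))
                  for rx in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return len(password) < min_len or classes < 2


def policy_failures(passwords):
    """How many entries the policy would have rejected at signup."""
    return sum(1 for p in passwords if fails_policy(p))


if __name__ == "__main__":
    stats = audit_passwords(SAMPLE_PASSWORDS)
    for key, value in stats.items():
        print(f"{key}: {value}")
    print("would fail policy:", policy_failures(SAMPLE_PASSWORDS))
```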
In what security experts are calling one of the biggest security breaches of all time, Microsoft on Monday confirmed that several thousand Windows Live Hotmail account usernames and passwords were leaked to the Web. The Redmond company says the breach was likely the result of an elaborate phishing campaign.
"We determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts," a Microsoft spokeswoman said in an email to Computerworld.
Neowin.net first reported the incident, claiming that "more than 10,000" credentials had been compromised. But the number could actually be much, much larger. Neowin.net said it only saw a partial list representing usernames starting with the letters "A" and "B." Dave Jevans, the chairman of the Anti-Phishing Working Group (APWG), surmises that the actual number could be over 100,000 accounts.
"A 0.5 percent rate, which is what 100,000 users would represent, isn't unreasonable for 10 to 20 million users," Jevans said. "They wouldn't have to spam every user to get that."
According to Microsoft, Hotmail stands at 400 million registered users strong, though the company didn't say how many of those are active users.
AVG Technologies today announced the newest version of "the world's most popular free anti-virus software," AVG 9. For several years, AVG's freebie security software had been a favorite in the enthusiast community (and among several Maximum PC staffers), but many -- us included -- felt that version 8 was a step in the wrong direction. In our antivirus roundup from a year ago, we noted that AVG Internet Security 8.0 (the full-fledged paid security suite) consumed more RAM and dragged down system performance more than any other AV program we tested.
Performance shouldn't be a problem with AVG 9.0, at least according to AVG's claims. The AV maker says version 9.0 runs 50 percent faster than the previous version, while also improving performance and ease of use.
"AVG 9.0 will provide home computer users with a more powerful and more streamlined solution that adds protection without impacting user experience, taking us back to our core strength of low impact, high performance security," said J.R. Smith, CEO, AVG Technologies. "We've always believed that everyone has the right to a safe online experience. With AVG 9.0, we are providing first-class assistance to our users in their development of tools and measures for their safety from all of the threats posed by cybercriminals and identity thieves, whether they're working, playing, banking, or shopping on the Web."
AVG cited scan optimization as a top priority for its latest release. Taking a page from Norton Internet Security 2009/2010 and a handful of other AV programs, AVG skips safe files in subsequent scans to improve performance unless the file structure changes. This is what accounts for the up to 50 percent faster speed, as well as improvements of up to 10 to 15 percent for boot times and memory usage, AVG says.
AVG 9.0 paid versions are available now. The freebie version will be made available within the next two weeks.
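The scan-skipping scheme described above amounts to a cache of files already judged clean, invalidated when the file changes. The sketch below is an added example, not AVG's or Norton's implementation; `looks_malicious` is an assumed stand-in for a real engine that matches a constructed marker string, and the cache keys on size, modification time and a content hash so that a file whose timestamp changed without its content changing is still skipped, while any edited file is rescanned.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Content hash used to confirm a file really changed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_malicious(path):
    """Assumed stand-in for a real scan engine: a constructed marker only."""
    with open(path, "rb") as f:
        return b"EVIL-MARKER" in f.read()


class ScanCache:
    """Remembers clean verdicts so unchanged files are skipped on later scans."""

    def __init__(self):
        self._clean = {}  # path -> (size, mtime_ns, sha256 hex)

    def scan(self, path):
        st = os.stat(path)
        meta = (st.st_size, st.st_mtime_ns)
        entry = self._clean.get(path)
        if entry and entry[:2] == meta:
            return "skipped"  # metadata unchanged since last clean verdict
        digest = sha256_of(path)
        if entry and entry[2] == digest:
            self._clean[path] = (*meta, digest)  # touched, content unchanged
            return "skipped"
        if looks_malicious(path):
            self._clean.pop(path, None)  # never cache a bad verdict
            return "infected"
        self._clean[path] = (*meta, digest)
        return "clean"


def demo():
    """Scan, rescan unchanged, then rescan after the file was modified."""
    cache = ScanCache()
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "doc.txt")
        with open(p, "wb") as f:
            f.write(b"constructed clean content")
        first, second = cache.scan(p), cache.scan(p)
        with open(p, "ab") as f:
            f.write(b" EVIL-MARKER")
        return first, second, cache.scan(p)  # ("clean", "skipped", "infected")
```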
With the imminent launch of Windows 7 and its much-hyped Windows XP mode, the word "virtualization" is going to be on everyone's lips throughout the month of October. Never one to let a fad slide on by, I'm jumping on the bandwagon in this week's freeware and open-source application roundup. I'll be taking a look at five different programs that enrich your computing experience with some kind of virtual add-on.
What does that even mean? A number of things. Windows XP mode is a great example of the common definition of virtualization--running a second operating system inside your primary operating system in a way that typically allows you to quickly switch between the two and access the contents of your primary machine's hard drives from the virtualized environment. Virtual desktops are a lesser derivative of this concept. Instead of running a separate operating system, you're merely extending the size of your workspace by stacking on additional desktop layers that you can swap back and forth. You can also install a virtual keyboard that sits on top of your programs--analogous to what Windows offers for tablet PCs--if you're concerned about keyloggers somehow getting their hands on your mission-critical information.
I won't go on, as that might spoil some of the fun applications you'll find after the jump. The virtual world, er, world of virtualized software is vast and interesting, featuring many applications that can expand your computer's functionality without adding a crazy amount of complexity. The coolness of these apps is only rivaled by their ability to save you precious time and headaches from doing things the old-fashioned way.
Have you checked your bank account balance online lately? If so, you may want to consider verifying the numbers with a paper statement, because what you see on your computer screen might not be indicative of banking activity that's occurring right under your nose, according to a new security report.
Hackers have a new piece of malware to play with, one which not only picks your online pocket, but also hides the evidence of any wrongdoing by rewriting online bank statements on the fly. Once the Trojan horse infiltrates a user's PC, it goes to work by altering the HTML code before it's displayed in the victim's browser, making sure to erase any evidence of money transfers or other unauthorized transactions.
"The Trojan is hooked into your browser and dynamically modifies the text in the HTML," said Yuval Ben-Itzhak, CTO of computer security firm Finjan. "It's a very sophisticated technique."
A gang targeting customers of leading German banks first began employing the ruse in August and managed to steal Euro 300,000 (about $440,000 USD) in just three weeks. Finjan estimates that the gang using the scheme could potentially steal about $7.3 million annually.
While so far relegated to German banks, Ben-Itzhak warned that this technique is likely to spread to other countries.
Microsoft confirmed on Monday that it would be releasing its free security suite to the public sometime this morning Pacific time, although no specific hour was given for the launch.
Formerly codenamed "Morro," Microsoft's Security Essentials is the company's replacement for Windows Live OneCare, the fee-based security suite that Microsoft axed back in June. Shortly after, Security Essentials was made available in beta form to a limited number of testers.
Not only will Security Essentials be free, but Microsoft said users will not have to register their copy, nor will a time limit be placed on the software.
"Consumers have told us that they want the protection of real-time security software, but that they are confused by trials and renewals and concerned about performance and as a result, too many are unprotected," said Amy Barzdukas, general manager for consumer security at Microsoft in a statement.
The Essentials software runs on Windows XP, Vista, and Windows 7.
The folks over at The Register got a response from Facebook about all the flak they’ve been catching about their Mailbox API. Facebook says that their new API is less intrusive than Gmail’s scanning efforts.
Gmail is known to sift through an email and provide targeted ads depending on what it finds. Facebook claims they will whitelist approved applications and the user will still need to explicitly grant the application access to their information. Also according to Facebook, the fact that they don't stand to make money (via ads) means their effort is less litigious than Gmail's.
They offered that the potential applications of the API might outweigh the risks for some users. One likely use will be to expose your Facebook inbox through POP, making it accessible on devices in a similar way as email applications.
It is still debatable whether it is advantageous to give developers access to potentially sensitive data within Facebook. Which do you think is worse: Facebook’s mailbox API or Gmail’s email scanning?
Facebook has plans to make available an inbox and notification API and security experts everywhere aren’t pleased. The API will expose users’ mailbox messages and notifications to applications developed around the framework.
Graham Cluley, a Sophos senior technology consultant, said in an interview with The Register that "the idea of Facebook applications being given free rein to mine users' inboxes and sent folders sends a shiver down my spine." The API is clearly a point of contention for many security analysts who feel that Facebook may be revealing too much to developers.
Ultimately, it is going to come down to how Facebook handles the permissions of these applications. If they skirt the privacy concerns and bury the details about users' rights in fine print, there will certainly be trouble. However, the liability falls on the user to make sure their privacy isn't invaded by their approved applications.
How do you feel about Facebook apps being able to dig into your messages?