Zero-Day vulnerability in Adobe products enables takeover of system

Looks like there is a new vulnerability out that affects Adobe Flash Player, Reader and Acrobat, and an exploit is already circulating on the Internet. Attackers can take over your system if you open a malicious file (a Flash movie, a PDF, etc.).

From this Adobe advisory:

A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.

There is no fix yet. Stay tuned.


Facebook “Un Named App” scare leads to malware

Excellent write-up by Trend Micro on the ‘Un Named App’ discussion that is spreading on Facebook. If you search Google for it, you may be tricked into downloading malware and getting your machine compromised.

Here is the article.

[…] Nothing to worry about here as far as your Facebook is concerned, this does not appear to be a genuine malicious app. In fact a thread on Yahoo answers appears to demonstrate in a reproducible fashion that “Un named App” is nothing more than your “Boxes” tab on your Facebook profile page.

Beware though, there is still real risk attached to this Chinese whisper. Criminals have picked up on the concern among Facebook users (or possibly they were responsible for starting the rumour?) and they have already started to poison Google search results.

[Screenshot: Google search result]

I queried Google for “facebook unnamed app” and the third result on the first page pointed to a malicious website set up for the purposes of distributing fake anti-virus software, this time called “Security Tool”. If you are unwary enough to click the link you will be presented with a dialogue box informing you that you have a huge number of infected files on your machine and prompting you to use Security Tool to clean them up. The software of course is no real security solution and is designed to fool the victim into parting with hard-earned cash.

Be careful what you surf for.

Adobe fixes critical holes in Shockwave

Adobe quietly released a HIGHLY CRITICAL update to Shockwave on Tuesday. Exploiting these vulnerabilities lets an attacker inject code and, shock, take over your system. Yes, you need to update your Shockwave installation ASAP. And yes, you even have to uninstall your old version first!

Adobe advisory is here:

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.2.602 and earlier versions, on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations to the latest version using the instructions provided below.

[…]

Adobe recommends Shockwave Player users uninstall Shockwave version 11.5.2.602 and earlier on their systems, restart their systems, and install Shockwave version 11.5.6.606.

Download Patches from here: http://get.adobe.com/shockwave/.
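
The two advisories above each name a last affected build: Flash Player 10.0.45.2 and earlier, and Shockwave 11.5.2.602 and earlier (fixed in 11.5.6.606). Here is an added PowerShell check, not Adobe's code, that reads the installed versions on a Windows box and holds them against those thresholds. The Flash registry key and the Shockwave DLL path are the usual 32-bit install locations and are assumptions (on 64-bit Windows the Flash key sits under SOFTWARE\Wow6432Node); the thresholds are the advisory values. The one thing it does that a quick script usually gets wrong is compare versions numerically rather than as strings.

```powershell
# Added example (not Adobe's code): flag installed Adobe components that fall inside
# the "X and earlier" ranges from the two advisories quoted above.
# Assumptions: 32-bit Windows install locations for the Flash registry key and the
# Shockwave DLL; on 64-bit Windows the Flash key is under SOFTWARE\Wow6432Node.

function Test-AffectedVersion {
    param(
        [Parameter(Mandatory = $true)] [string] $Installed,        # "10,0,45,2" (Flash registry form) or "10.0.45.2"
        [Parameter(Mandatory = $true)] [string] $AffectedThrough   # advisory value: this build and earlier are affected
    )
    # Flash stores its version with commas; normalise, then compare as [version].
    # Never compare as strings: "10.0.45.2" -le "10.0.9.0" is $true lexicographically
    # (the character "4" sorts before "9"), but numerically 45 > 9.
    $installedVersion = [version] ($Installed -replace ',', '.')
    $thresholdVersion = [version] $AffectedThrough
    return ($installedVersion -le $thresholdVersion)
}

function Get-AdobeExposure {
    # Where each installed version is read from, and the advisory threshold it is held against.
    $checks = @(
        @{
            Component       = 'Flash Player (ActiveX)'
            AffectedThrough = '10.0.45.2'   # CVE-2010-1297 advisory: 10.0.45.2 and earlier
            Installed       = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Macromedia\FlashPlayer' -ErrorAction SilentlyContinue).CurrentVersion
        },
        @{
            Component       = 'Shockwave Player'
            AffectedThrough = '11.5.2.602'  # Shockwave advisory: 11.5.2.602 and earlier; fixed build is 11.5.6.606
            Installed       = (Get-Item -Path "$env:windir\System32\Adobe\Director\SwDir.dll" -ErrorAction SilentlyContinue).VersionInfo.ProductVersion
        }
    )

    foreach ($check in $checks) {
        $affected = $null   # $null means the component was not found, so there is nothing to compare
        if ($check.Installed) {
            $affected = Test-AffectedVersion -Installed $check.Installed -AffectedThrough $check.AffectedThrough
        }
        New-Object PSObject -Property @{
            Component       = $check.Component
            Installed       = $check.Installed
            AffectedThrough = $check.AffectedThrough
            Affected        = $affected   # $true = update now
        }
    }
}

# Self-check of the comparison on constructed inputs before trusting the scan.
if (-not (Test-AffectedVersion -Installed '10,0,45,2'  -AffectedThrough '10.0.45.2'))  { throw 'last affected build must be flagged' }
if (Test-AffectedVersion -Installed '10.0.45.2'  -AffectedThrough '10.0.9.0')          { throw '45 must not sort below 9' }
if (Test-AffectedVersion -Installed '11.5.6.606' -AffectedThrough '11.5.2.602')        { throw 'the fixed Shockwave build must not be flagged' }

Get-AdobeExposure | Select-Object Component, Installed, AffectedThrough, Affected | Format-Table -AutoSize
```

For Reader and Acrobat 9.x the Flash advisory names no cut-off build, only that the authplay.dll shipped with 9.x is affected, so there is nothing to compare against yet: treat every 9.x install as exposed until Adobe ships the fix.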

How to secure your Smartphone (Blackberry, iPhone, Windows Mobile-based phones)

Considering that more and more people use smartphones like BlackBerrys and iPhones, mobile security is becoming more and more of an issue. You have an anti-virus scanner on your laptop? A firewall? You keep it up to date with the latest patches? That is awesome; I commend you for it. But what about the phone you use to access your e-mail? How do you protect your smartphone from getting hacked?

This is the first part of a series on how to secure your smartphone. Credits to PCMag.

BlackBerry (System 4.5 and higher)

Go to Options, then Security Options, then:

  1. Password-protect start-up. Under General Settings, set Password to Enabled. You may also want to change other settings here, such as the number of password attempts allowed before the device is locked, and whether the device should automatically lock on holstering. Commit your changes by pressing the Back button (the half-circle arrow) and enter your new password when prompted. Choose a password you’ll remember and that will be quick and easy to type using the device’s keypad. Confirm that password, then exit to the main menu. Lock your phone by pressing and holding the * button to confirm that it has been password-protected.
  2. Encrypt data. Scroll past General Settings to Content Protection, and enable it. Under Strength, you can select Strong (80 bits), Stronger (128 bits), or Strongest (256 bits). I recommend using Stronger for faster encryption/decryption or Strongest for the most security. Selecting Yes for Include Address Book will keep your contacts secure but also result in disabling caller ID when the phone is locked. Circle-arrow back out, then create an encryption key by randomly moving the trackball and typing characters. A good practice is to regenerate an encryption key every two to four weeks: Under Security Options | General Settings, click on any service, then click Regenerate encryption key.
  3. Secure passwords. Please don’t fall into the trap of saving usernames and passwords in your mobile device’s browser. Anyone who finds your device and unlocks it then has access to all of your online accounts. Instead, use the Password Keeper utility to store and encrypt this info.
  4. Lock down Bluetooth. By default, Bluetooth is on. In addition to wasting your battery, this leaves you open to Bluetooth-based attacks. From the Home screen, go to Set Up Bluetooth. When prompted to Add Device select Cancel. Press the Menu button, then select Options. Set Discoverable to No, so other devices can’t find your BlackBerry, and set Security to High—or if the Bluetooth devices you use with your BlackBerry support it, set Security to High + Encryption to encrypt Bluetooth data transmissions. From the following checklist, enable only those services you think you are going to use with Bluetooth—most commonly headset and hands-free. Exit and save.
  5. Clear memory. Also under Security Options, memory clearing can delete sensitive data, such as unencrypted e-mail messages and username, password, and other certificate-related info, from memory. You can set the BlackBerry to clear memory under certain circumstances—for example, when you holster your BlackBerry or lock it.

Smartphone (Windows Mobile 6)

  1. Password protect start-up. Go to Start | Settings | Lock and configure a password. Check the box next to Prompt if the device is unused for and then select a time period from the drop-down box, something in the 5-to-30-minute range. You can set your password to be a simple four-digit PIN or a strong alphanumeric string and then enter your password in the boxes below. You can also set a hint, but remember that this can be read by anyone with physical access to your phone. At this point, it would help to go to Settings | Today, click the Items tab and check the box next to Device Lock to provide a quick locking option on your Home screen.
  2. Encrypt data. Under Settings | Security | Encryption, check the box that says Encrypt files placed on the storage card, then click OK. A storage card can actually contain both encrypted and nonencrypted data, but encrypted data can be read only from the device in which it was encrypted and written, or from a Windows PC using ActiveSync or Windows Mobile Device Center. There’s also a big gotcha lurking: If you have to perform a hard reset of your device or update the ROM, you will lose the encryption key stored on the device, and with it, access to your data. Companies can push encryption policies to Windows Mobile devices using Exchange Server 2007.
  3. Secure passwords. This requires a third-party solution, such as KeePass or some other eWallet type of encrypted password manager.
  4. Lock down Bluetooth. Go to Start | Settings, then the Connections tab, then Bluetooth. On the Mode tab you can enable or disable Bluetooth and make your device visible; Off and Not visible are the more secure settings. Scroll all the way right to the Security tab and check the box to require authentication for data beaming.
  5. Clear the memory and cache. In Internet Explorer, go to Menu | Tools | Options; in the Memory tab you can set a history retention time in days or clear the history manually. Click the Delete Files button to clear the Web cache. Navigate to the Security tab and click the Clear Cookies button.
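
If you manage these phones for a company, the Windows Mobile steps above can be pushed from Exchange Server 2007 instead of set by hand on each device. Here is an added example, not from the PCMag text, of an ActiveSync mailbox policy that enforces the same baseline (password on start-up, lock after inactivity, storage-card encryption, Bluetooth limited to hands-free). It runs in the Exchange Management Shell; the policy name and mailbox are placeholders, and the AllowBluetooth setting needs Exchange 2007 SP1 or later.

```powershell
# Added example (not from the PCMag text): the Windows Mobile settings above pushed
# centrally as an Exchange 2007 ActiveSync mailbox policy instead of set by hand.
# Run in the Exchange Management Shell. Policy name and mailbox are placeholders;
# AllowBluetooth needs Exchange 2007 SP1 or later.

$policy = @{
    Name                               = 'Mobile-Baseline'   # placeholder
    DevicePasswordEnabled              = $true               # step 1: password-protect start-up
    AlphanumericDevicePasswordRequired = $true               # a real password, not a 4-digit PIN
    MinDevicePasswordLength            = 8
    MaxInactivityTimeDeviceLock        = '00:15:00'          # step 1: "prompt if the device is unused for" 15 minutes
    MaxDevicePasswordFailedAttempts    = 10                  # device wipes itself after 10 bad passwords
    RequireStorageCardEncryption       = $true               # step 2: encrypt files placed on the storage card
    PasswordRecoveryEnabled            = $true               # escrow a recovery password in Exchange for a forgotten
                                                             # device password (it does not bring back the storage-card
                                                             # key that a hard reset destroys)
    AllowBluetooth                     = 'HandsfreeOnly'     # step 4: headset/hands-free only (SP1+)
    AllowNonProvisionableDevices       = $false              # refuse devices that cannot enforce the policy
}
New-ActiveSyncMailboxPolicy @policy

# Assign the policy to a mailbox (placeholder identity), then confirm that each
# synced device reports the policy as applied.
$mailbox = 'alice@example.com'
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policy.Name

Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceType, DeviceModel, LastSuccessSync, DevicePolicyApplied, DevicePolicyApplicationStatus
```

Two caveats: the device only picks the policy up on its next sync, so check the DevicePolicyApplicationStatus column rather than assuming it took effect, and with AllowNonProvisionableDevices set to $false any phone that cannot enforce these settings is refused access to the mailbox entirely, which is the point, but surprises users with older handsets.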

iPhone

Unfortunately, you won’t find a list item called “Encrypt data” below. At this point, there doesn’t seem to be any encryption available for iPhones.

  1. Enable Passcode Lock and Auto-Lock. Click the main iPhone Settings icon, then click the General tab and select Auto-Lock. Select the time period you want, then exit out to the Home screen. Once Auto-Lock locks the phone, Passcode Lock will require a four-digit PIN to unlock it. Click the iPhone Settings icon, then General, then Passcode Lock. From there enable Turn Passcode On. Enter your passcode. Tap Require Passcode and then choose “immediately.”
  2. Secure passwords. There’s no native way to do this, so you’ll have to use a third-party password manager.
  3. Lock down Bluetooth. It’s great that Bluetooth is off by default on iPhones, but you should also set yours to require an eight-character PIN for connections with Macs. Turn on Bluetooth only when you need it.
  4. Clear the memory and cache. Back on the Passcode Lock screen, you can disable SMS Preview while the device is in its locked state, and also turn on the Erase Data function. This will wipe the iPhone clean after ten failed passcode attempts. You can clear cookies, browser cache, and history from the Settings menu in Safari.

This should get you started.

Patch your Adobe Reader ASAP or get hacked like Google did!

Go to http://www.adobe.com/support/security/bulletins/apsb10-02.html and get your latest patch.

The attackers who tried to steal source code from dozens of companies used an Adobe Reader exploit to get in.

From Wired:

A hack attack that targeted Google in December also hit 33 other companies, including financial institutions and defense contractors, and was aimed at stealing source code from the companies, say security researchers at iDefense.

The hackers used a zero-day vulnerability in Adobe Reader to deliver malware to the companies and were in many cases successful at siphoning the source code they sought, according to a statement distributed Tuesday by iDefense, a division of VeriSign. The attack was similar to an attack that targeted other companies last July, the company said.

A spokeswoman for iDefense wouldn’t name any of the other companies that were targeted in the recent attack, except Adobe.

Adobe acknowledged on Tuesday in a blog post that it discovered Jan. 2 that it had been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”

The company didn’t say whether it was a victim of the same attack that struck Google. But Adobe’s announcement came just minutes after Google revealed that it had been the victim of a “highly sophisticated” hack attack originating in China in December.

Neither Google nor Adobe provided details about how the hacks occurred. Google said only that the hackers were able to steal unspecified intellectual property from it and had focused their attack on obtaining access to the Gmail accounts of human rights activists who were involved in China rights issues.

But according to iDefense, whose customers include some of the 33 companies that were hacked, the attacks were well targeted and “unusually sophisticated” and aimed at grabbing source code from several hi-tech companies based in Silicon Valley as well as financial institutions and defense contractors.

The hackers gained access to the company networks by sending targeted e-mails to employees, which contained a malicious PDF attachment. The malicious code exploited a zero-day vulnerability in Adobe’s Reader application.

Don’t get hacked! Patch now.