
exploit posts

Filed under: Internet, Security, News

Web-based malware attacks growing at an astonishing rate


Dasient, the web security firm founded by ex-Google staffers that launched in June of this year, has published a blog post which shows just how dangerous a place the web is becoming.

If you do any computer service - either as a job or a favor to friends and family - you've no doubt seen the end result of these attacks. Fake antivirus applications continue to be the biggest source of business at my day job. That's all thanks to a web that has been slow to adapt to the presence of these threats.

According to the data Dasient has gathered to date, they estimate the number of compromised web sites to be about 640,000. Netcraft puts the total number of sites on the Internet at around 240 million - so compromised sites only amount to 0.26% of the whole. Still, those 640,000 sites are serving as many as 5.8 million infected pages, says Dasient, up sharply from the 3 million pages reported by Microsoft earlier this year.


Filed under: Security, Adobe, Microsoft

Keeping your OS patched isn't enough

The prevailing wisdom is that if you keep your operating system up to date with the latest security patches, and you run antivirus software, you're probably safe from malware. Unfortunately, that's just not true.

Consider yesterday's news that Trend Micro has discovered a new zero-day exploit in Adobe Reader. Who doesn't have Adobe Reader on their machine? If you have it, how careful are you about keeping it up to date? To be fair, the likelihood that you are going to try to open an infected PDF file is probably fairly small, but on the other hand, Adobe Reader is only one of probably hundreds of applications on your machine. As Mozilla recently discovered, thousands of Firefox users have potentially vulnerable older versions of Flash running on their machines.

So what's a responsible computer user to do? It's a difficult problem. Some software vendors are very responsible about pushing out updates to their software when needed. Others leave it in the user's hands. There are tools that will scan your machine and let you know when updates are available, but I'm not a big fan of these; I think users should know just what is changing on their system.

The best you can do is to be vigilant and treat your applications with the same attention you give the operating system when ensuring your machine is up to date. Obviously web-facing software, or software that interacts with downloaded files, is the biggest concern, along with anything that is ubiquitous or incredibly popular, like Microsoft Office or your favorite browser.

What do you do to make sure your machine is as secure as you can make it?

[via InSecurity Complex]

Filed under: Security, News, Blogging

Wordpress under attack, upgrade your blog now

Several sites are reporting that a major attack on Wordpress blogs started yesterday. The latest version of Wordpress, 2.8.4, is not vulnerable to this particular worm, so upgrading now could save you a lot of headaches. The worm creates a new, hidden administrator account on your blog, allowing whoever's behind this thing to access the guts of your blog, databases and all.

How do you know if your site has been affected? Lorelle on Wordpress offers two possible ways to find out:

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are "eval" and "base64_decode."

The second clue is that a "back door" was created by a "hidden" Administrator. Check your site users for "Administrator (2)" or a name you do not recognize.

Wordpress has acknowledged the attacks and encouraged users to upgrade their sites. Wordpress.com users aren't affected, as the whole system has already been updated to 2.8.4. If you've already been afflicted by the attack, start on the steps in Wordpress' FAQ.
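The two clues above can be checked mechanically. This is an added example, not code from the original post or from WordPress: it URL-decodes a list of permalinks and flags any containing the eval(base64_decode( signature, and lists administrator accounts that the site owner does not recognise. The permalinks and user listing are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample permalinks: two clean, one carrying the injected
# eval(base64_decode(...)) fragment from the post above (URL-encoded as seen).
SAMPLE_PERMALINKS = [
    "http://example.com/category/post-title/",
    "http://example.com/2009/09/another-post/",
    "http://example.com/category/post-title/%&(%7B$%7Beval(base64_decode("
    "$_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/",
]

# Constructed sample user listing as (login, role), e.g. from wp_users joined
# with the wp_capabilities row in wp_usermeta.
SAMPLE_USERS = [
    ("admin", "administrator"),
    ("editor_jane", "editor"),
    ("Administrator (2)", "administrator"),
]
KNOWN_ADMINS = {"admin"}  # the admin logins the site owner actually created

# The two keywords named above; whitespace and case variations are tolerated.
INJECTION_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)


def fully_decode(url, rounds=3):
    """Undo URL-encoding repeatedly so double-encoded payloads are also caught."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def suspicious_permalinks(permalinks):
    """Return the permalinks whose decoded form contains eval(base64_decode(."""
    return [u for u in permalinks if INJECTION_RE.search(fully_decode(u))]


def unexpected_admins(users, known_admins):
    """Return administrator logins that are not in the owner's known set."""
    return [login for login, role in users
            if role == "administrator" and login not in known_admins]


if __name__ == "__main__":
    for url in suspicious_permalinks(SAMPLE_PERMALINKS):
        print("injected permalink:", url)
    for login in unexpected_admins(SAMPLE_USERS, KNOWN_ADMINS):
        print("unknown administrator account:", login)
```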

[via Mashable]

Filed under: Security, Windows, Microsoft

Windows 7 UAC flaw-by-design now classified as malware by Microsoft?


Since we last brought you news about a UAC vulnerability in Windows 7, Microsoft opened their ears to the beta testers at the time and quickly released a patch that plugged the security hole.

However, another UAC flaw has been discovered in Windows 7. In fact, it's been quietly lurking around in the dark corners of the internet since February. What's different about this one is that not only does Microsoft not intend to fix the exploit, they're saying the functionality is by design, because UAC's primary purpose isn't security, or something like that.

I think.

After all, this whole situation would make a little more sense if Microsoft didn't just mark the popular proof-of-concept for this vulnerability as malware in the beta version of their new Microsoft Security Essentials software, as pictured above. Just to add a little more confusion to the situation, Windows Defender (another Microsoft security tool, which happens to be bundled with Windows 7) doesn't detect the exploit.

The verdict? It looks like the jury is hung on this one.

This vulnerability could be exploited to essentially circumvent UAC on some Windows 7 machines, and that's bad news. We'll keep you up-to-date with any developments on this security flaw.

Filed under: OS Updates, Windows, Microsoft, Windows x64

Microsoft and Lenovo quickly swashbuckle Windows 7 pirates

First you got your hands on a leaked copy of the Windows 7 RTM. Bad idea, says Microsoft.

Then you tracked down 7loader, which took advantage of a leaked Lenovo product key. We know it's out there, came the nonchalant reply from Redmond.

And now, thanks to a cooperative effort, the workaround has already been defeated. The official blog post touts improvements in Windows 7, which "already includes an improved ability to detect hacks, also known as activation exploits, and alert customers who are using a pirated copy." The post continues, stating that no systems will ever be sold using the particular OEM key that was utilized by the exploit.

So what's Microsoft's real goal here? "Our objective isn't to stop every "mad scientist" that's out there from dabbling; our aim is to protect our customers from commercialized counterfeit software that impacts our customers' confidence in knowing they got what they paid for."

Sure... There's absolutely no reason it would have anything to do with crippling the biggest Windows competitor on the market - pirated copies of Windows.

Filed under: Security, Adobe

Adobe's security woes continue as new exploits found in Reader, Flash

2009 has been a rough one so far for Adobe when it comes to security. Reader has become an increasingly popular target for malware authors, and Flash has been plagued with vulnerabilities.

Trend Micro researchers have hit on new flaws in Adobe Reader 9.1.2 and Flash Player 9/10. According to Trend, "Once a user opens a specially crafted PDF file, two binary executables are dropped and executed on his/her system." Adobe's blog post states "There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows" though other platforms are also vulnerable. A workaround is offered, though you may want to use an alternative PDF viewing application like Sumatra, xPDF, or Foxit Reader. You can also use a web-based service like Zoho Viewer or PDFMeNot.

Even after announcing they would switch to a Microsoft-style "Patch Tuesday" schedule to redouble their security efforts, the exploits keep on surfacing. It's a major problem for us all, since both Flash and Reader are so widely used. We know Adobe said they're re-committing themselves to security, so let's hope they follow through.

Filed under: Security, Mozilla, Browsers

Firefox security questioned again as another exploit surfaces

What's going on here, Mozilla?

It's only been a couple of days since the Firefox 3.5.1 update was released to address a critical vulnerability in the JavaScript JIT compiler, and there's already a new exploit causing quite a ruckus. You can actually hear the chuckles coming from Redmond if you listen closely.

It would be unreasonable to assume that the first patch for Firefox 3.5 would make it bulletproof. Still, after the long delays that preceded its release, the rapid discovery of two such vulnerabilities is a bit surprising. Past releases of the browser have had their share of security issues as well, but as Firefox becomes more popular its security shortcomings are going to be much more publicly exhibited.

It's interesting to note that Secunia has still yet to post a single exploit for Chrome 3. If you're security minded, now might be a good time to take it for a test drive.

[via Security Focus]

Filed under: Security, Mozilla, Browsers

Critical Firefox 3.5 javascript exploit surfaces


In just over two weeks, Firefox 3.5 has been downloaded almost 28 million times. And yes, 3.5 boasts greatly improved JavaScript performance.

Unfortunately, the JIT compiler also sports a critical weakness in its current state. A web site containing the correct exploit code (which has been shared by Simon Berry at milw0rm.com) could allow an attacker to execute arbitrary code on vulnerable systems.

For the time being, you can disable the JIT compiler to protect yourself. Open about:config in Firefox, type jit in the search box, and double-click javascript.options.jit.content to set the value to false. Doing this will reduce JavaScript performance, but will close up the hole until it is officially patched.

It's interesting to note that Mozilla was already aware of the bug and planning on releasing a patch some time in the next two weeks. On the official security blog, one developer states, "This fix was going to be in the 3.5.x update we had scheduled for the end of July, but obviously now we have moved up the schedule for release."

Filed under: Internet, Security, Microsoft, Browsers

New threat targets DirectShow component via Internet Explorer

As if it wasn't bad enough news that IE's market share continues to slide against Firefox, Chrome, Safari, and Opera, news is spreading today about another new flaw affecting Internet Explorer.

The drive-by exploit targets msvidctl.dll, a DirectShow component, and is popping up on numerous recently-compromised websites. Sophos' Graham Cluely speculates that the attack may have been timed to catch people off guard on the Fourth of July weekend.

Until a fix has been released by Microsoft, your best bet is to use an alternative web browser. If you want to stick with IE, the Internet Storm Center has posted a workaround. Run regedit and update the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}

and set its value to: 00000400

If the value does not exist in your registry, you can create it as a new DWORD value.
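The 00000400 value above is the ActiveX "kill bit": the 0x400 bit of the Compatibility Flags DWORD under that CLSID tells Internet Explorer never to load the control. As an added example (not from the original post or from the Internet Storm Center), the script below parses a reg export of the ActiveX Compatibility key, reports whether the DirectShow CLSID is kill-bitted, and computes a new value that sets 0x400 without clobbering other flag bits; the export text is constructed sample data, and the value name Compatibility Flags is the one Microsoft's kill-bit mechanism uses.

```python
import re

KILL_BIT = 0x400  # the Compatibility Flags bit that stops IE loading a control
MSVIDCTL_CLSID = "{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")

# Constructed sample of what `reg export` of the ActiveX Compatibility key
# might look like: the DirectShow CLSID is kill-bitted, a second (made-up)
# CLSID has flags set but no kill bit.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000001
"""


def parse_compat_flags(reg_text):
    """Map each CLSID subkey to its Compatibility Flags value (None if unset)."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.match(r"\[(.+)\]$", line)
        if key:
            path = key.group(1)
            if path.lower().startswith(COMPAT_KEY.lower() + "\\"):
                current = path.rsplit("\\", 1)[1].upper()
                flags.setdefault(current, None)
            else:
                current = None
            continue
        val = re.match(r'"Compatibility Flags"=dword:([0-9a-fA-F]{8})$', line)
        if val and current:
            flags[current] = int(val.group(1), 16)
    return flags


def killbit_set(flags, clsid):
    """True when the control's Compatibility Flags has the 0x400 bit set."""
    value = flags.get(clsid.upper())
    return value is not None and bool(value & KILL_BIT)


def with_killbit(existing):
    """New flags value: set 0x400 without clobbering other flag bits."""
    return (existing or 0) | KILL_BIT


if __name__ == "__main__":
    flags = parse_compat_flags(SAMPLE_REG_EXPORT)
    for clsid, value in flags.items():
        state = "kill bit set" if killbit_set(flags, clsid) else "NOT kill-bitted"
        print(f"{clsid}: {state} (would write dword:{with_killbit(value):08x})")
```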

Filed under: Security, Office, Adobe

Adobe steps up, responds quickly to latest exploit

Recently, a critical Javascript vulnerability was discovered in Adobe Reader which affected several versions on all platforms. It was the second major exploit this year targeting the application.

Adobe has responded quickly, putting together updates for Windows, Mac, and Linux in less than two weeks. While an immediate "Patch Tuesday" fix a la Microsoft would have been even better, it's good to see Adobe prioritizing security.

That's an important and necessary step. Unwary PDF users will continue to be an attractive target for hackers and Adobe must be increasingly vigilant.

If you took F-Secure's advice and temporarily switched to another PDF reader, the newly-patched Reader is ready for download if you are. I've not been a fan of Reader in the past - due to its footprint and sluggish startup times - but version 9 is a major improvement over older versions.

More details about the exploit and download links for all platforms are available from the Adobe security bulletin.

Filed under: Security, Office, Adobe

Yet another security flaw surfaces in Adobe Reader

It hasn't been the best couple of weeks for Adobe Reader.

First there was the advice from F-Secure's Mikko Hypponen to stop using Reader and switch to an alternative. Now there's word of a new security flaw that is known to affect versions 8.14 and 9.1 for Linux and could also affect other versions of the program on other operating systems.

The exploit takes advantage of the javascript getAnnots() function in Reader and could, as with its predecessor, allow an attacker to remotely execute arbitrary code.

Even the U.S. Department of Homeland Security is on the case. They advise temporarily disabling JavaScript as an intermediate fix:

"To disable JavaScript in Adobe Reader, open the General Preferences dialog box. From the Edit-Preferences-JavaScript menu, un-check Enable Acrobat JavaScript."

Adobe has acknowledged the problem in a blog post, though it states nothing more than "we know about it, and we'll have an update once we get more information." Security is serious business. Let's hope Adobe jumps to the pump this time and promptly issues a patch.

[via CNet]

Filed under: Internet, Security, Browsers

Safari hacked in a flash at Pwn2Own 2009, Firefox and IE8 follow

Security pro Charlie Miller came in to Pwn2Own 2009 with a plan, and things unfolded exactly the way he wanted them to. Within seconds of the competition's start, he had already gained control over the fully-patched MacBook running Apple's Safari web browser.

"It took a couple of seconds. They clicked on the link and I took control of the machine," said Miller. It's safe to say that when Apple proclaimed Safari "the fastest browser on the planet," that they weren't referring to how soon it would fail at the competition.

None of the three browsers on display made it out unscathed: a competitor known only as Nils was the next to overcome Safari, and he later took down Firefox and Internet Explorer 8. It's an important reminder to all of us that - regardless of what browser we're using - someone out there is hard at work looking for an exploit that could put us at risk, too.

[via ZDnet]

Filed under: Internet, Security, Windows, Microsoft

Internet Explorer 7 vulnerability discovered

According to security firm Secunia, the just-released Internet Explorer 7 contains a "Redirection Information Disclosure" vulnerability, which allows one site to fetch data from another site through the browser and so opens it up to all kinds of cross-site scripting (XSS) attacks. Interestingly, the same vulnerability has been known and unpatched in IE6 since April. It's one thing not to patch an old browser, but it seems quite another to release a brand new browser with the same vulnerability that you've been aware of for six months. If you're running Internet Explorer and want to see the exploit in action, Secunia has set up a demo page.

Filed under: Internet, Security

Tor IP anonymity compromised

A group called Packet Storm has published a paper detailing how the true IP addresses of Tor users can be discovered by the party that controls their traffic's exit node. In case all of that was Greek to you, let's back up: Tor is a system that anonymizes internet traffic by routing it through a network of Tor nodes. The aim is to make it impossible to know where traffic originated, and Tor has become popular lately among the privacy minded, especially with the debut of Torpark, a version of Firefox with Tor's anonymizing features built in. Unfortunately, Packet Storm's paper shows that if you control the last node in the chain, it's possible to determine the traffic's originating IP using a combined Flash and cookie attack. The paper's author recommends turning off Flash, ActiveX, Java, and JavaScript if you use Tor and don't want your IP sniffed out. Tor's developers have yet to make an official statement about the exploit.

[Via Netscape]

Filed under: Internet, Security, Mozilla

Why Firefox makes you wait 3 seconds before installing extensions

Have you ever wondered why Firefox makes you wait three seconds before you can click on the Install button when you want to install an extension? Most users (myself included) assume that it's just to make users read the dialog. It turns out that's not the case: Jesse Ruderman explains that it's actually a security feature to keep people from unwittingly installing malicious code. He describes an ingenious exploit in which a user is presented with, for example, a security (CAPTCHA) image to type in. JavaScript is used to initiate an extension installation when the user starts typing, and when the user types 'y' or Enter, it triggers the 'Accept' or 'Install' button, allowing the malicious software to be installed. Since many users type faster than they could respond to the box popping up, the software is installed before they can react. (If you're confused, head over to Ruderman's blog; he explains it better than I can.) The delay in Firefox gives the user time to react and stop typing. Mozilla describes the solution in bug 162020, but the same vulnerability exists in other browsers, most notably Internet Explorer and its ilk.
