Black Raven Dragoons

[Zancarius]

Unsurprisingly, this week has seen the discovery of another flaw in Adobe software. This time it appears the problem is in Acrobat. You'll want to update as soon as possible.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Cyber Security Alert SA10-279A


Adobe Reader and Acrobat Affected by Multiple Vulnerabilities

Original release date: October 06, 2010
Last revised: --
Source: US-CERT


Systems Affected

* Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh, and UNIX
* Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh
* Adobe Reader 8.2.4 and earlier versions for Windows, Macintosh, and UNIX
* Adobe Acrobat 8.2.4 and earlier versions for Windows and Macintosh


Overview

Adobe has released Security Bulletin APSB10-21, which describes
multiple vulnerabilities affecting Adobe Reader and Acrobat.


Solution

Update

Adobe has released updates to address this issue. You are
encouraged to read Adobe Security Bulletin APSB10-21 and update
vulnerable versions of Adobe Reader and Acrobat.

Disable JavaScript in Adobe Reader and Acrobat

Disabling JavaScript may prevent some exploits. To disable
JavaScript in Acrobat, do the following:

* Open Adobe Acrobat Reader.
* Open the Edit menu.
* Choose the Preferences option.
* Choose the JavaScript section.
* Uncheck the "Enable Acrobat JavaScript" checkbox.

Disable the display of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser will
partially protect you against this vulnerability. Applying this
workaround may also protect you against future vulnerabilities.

To prevent PDF files from automatically being opened in a web
browser, do the following:

* Open Adobe Acrobat Reader.
* Open the Edit menu.
* Choose the Preferences option.
* Choose the Internet section.
* Uncheck the "Display PDF in browser" checkbox.

Do not access PDF files from untrusted sources

Do not open unfamiliar or unexpected PDF files, particularly those
hosted on websites or delivered as email attachments. Please see
Cyber Security Tip ST04-010.


Description

Adobe Security Bulletin APSB10-21 describes a number of
vulnerabilities affecting Adobe Reader and Acrobat. An attacker
could exploit these vulnerabilities by convincing a user to open a
specially crafted PDF file.

These vulnerabilities could allow a remote attacker to take control
of your computer or cause it to crash.


References

* Security update available for Adobe Reader and Acrobat -
<http://www.adobe.com/support/security/bulletins/apsb10-21.html>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/alerts/SA10-279A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "SA10-279A Feedback VU#491991" in
the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2010 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

October 06, 2010: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTKx1lj6pPKYJORa3AQJi3wgAu27ZyLgjQXy1v++hV4NYoZ+JTV+7XSYx
R9pPojs/dZeqdhef9qU27RrBj+PxagJOWxpNc7s37AwApjdZ7Z3ty52xwqfGEDLC
IikVeMzV9T4q4ET7vZDYoDvc0yDT9t4lfQod2x3Ueg3dPKIG58gQDv4kX3E5lnKU
nEmiyibfcX0tzClA4Q6xiOHnwpfwY8AL2P2hc4LMhDVYD7ySv1vpqCmjPgftpSZ+
YoxAvD0QB2FuY1cOCWGVyYB6pbP/Y34sSScX/LhpCNWpmABpk10/271IYq+Nc9Qr
mYSHbG6rDMq6xQvBeQe+a3gzTLZDoG0JLU4I32CL+Y/AuUhMAypXrg==
=3plD
-----END PGP SIGNATURE-----

[Snobal]

When does it stop? Good griref...

[Zancarius]

When Adobe goes out of business, gets bought out, or fires their board of directors.

[Zancarius]

Looks like Adobe wasn't the only one bit:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

US-CERT Current Activity

Foxit Releases Foxit Reader 4.2

Original release date: October 7, 2010 at 8:31 am
Last revised: October 7, 2010 at 8:31 am


Foxit has released Foxit Reader 4.2 to address multiple
vulnerabilities. Exploitation of these vulnerabilities may allow an
attacker to execute arbitrary code, compromise the digital signature
of PDF signatures or cause a denial-of-service condition.

US-CERT encourages users and administrators to review the Foxit
security bulletin released on September 29, 2010, review the bug fix
list for Foxit Reader 4.2, and apply any necessary updates to help
mitigate the risks.

Relevant Url(s):
<http://www.foxitsoftware.com/pdf/reader/bugfix.php>

<http://www.foxitsoftware.com/pdf/reader/security_bulletins.php#identity>

====
This entry is available at
http://www.us-cert.gov/current/index.ht ... _reader_41

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTK3Aqj6pPKYJORa3AQL7iAgAmNljdeZCD8dt0hsSE5GcdOIPmY5NBrG5
REycwAvgt6EA+rJjVgJXxO7slN1FfhONC3s4dJ009LSTBqNkW9dPJqtYDllahvSf
roe015SQjz9pZlP4YBTMTlMj9wi0dwYZZF7wvoYYv5ioZhejW2atr/93WBkoh3Ak
EpQzkoFJG7KTCS78Yw/ZMdEehjbNDnZpCGCdU95hk9cVMm2McFpVW8E1HkIx0qcd
V3/bgcbZhx2t6DshqtqiZirzyQCfHT08zujMd8XuYHdXFXKXjZTuvpFLwNRYeMN1
GuCdFxwInb+K9jJ6rHWQra3VOODLzh6e6YDHhY7hStsKaKiJIW2Z+Q==
=AwF7
-----END PGP SIGNATURE-----

If you're running Foxit, you may want to upgrade.

[Menacea]

When does it stop? Good griref...

When HTML5 makes the magical leap to becoming the mainstream* video player and turns Flash into RealPlayer.


*(not gonna happen)

[Zancarius]

*(not gonna happen)

Certainly not as long as H.264 is encumbered by a bazillion patents. Although Google's open video specification seems to be gaining some ground (though some people are nervous about the possibility of patent violations thanks to MPEG-LA).

I guess there's also Xiph's Theora video, but I get the idea that the ogg vorbis format is so convoluted as a container that it's not particularly fun to develop for. Though I'd argue all the hard work has already been done since they could just, you know, link to the ffmpeg library and be done with it like everyone else does. Wikipedia requires all video be uploaded in the Theora format. I also often wonder if Theora is going to be remotely playable in 10 years...

But yeah, I agree. There's too many people dragging their feet over the whole mess to really push HTML5 video. It'd be nice, and as an application developer, I'd like to have some reasonable stable standard for web accessibility. I guess that's more of a pie in the sky ideology, really, because there's no such thing as "real" standards. (Sarcasm aside, the W3C has done a really good job in spite of companies like Microsoft doing everything in their power over the course of a decade and a half to avoid having to follow industry drafted standards.)

Rant off.