Danger, Will Robinson! Adobe is warning that "critical vulnerabilities" have been found in Adobe Reader and Acrobat 8.1.1 and earlier. They are recommending that Acrobat 8 and Adobe Reader users install the 8.1.2 update as soon as possible. Those who are using Acrobat 7 are advised to install the 7.1.0 update quickly as well.
A full summary of the security concerns and links to the update files can be yours by visiting the Adobe security update site. Note that while Acrobat & Reader 8.1.2 have been out for some time, the 7.1 update is fresh this week and the security issue is newly disclosed.
It's been six months between major upgrades to browser credentials manager and all-around swell pal 1Password, and the Agile team has not been napping; the new version 2.6 offers anti-phishing tech courtesy of integration with PhishTank.com, compatibility with SSB fave Fluid, and a more streamlined password-changing option to avoid the proliferation of old credentials.
Single-user licenses of 1Password are $34.95 and 3-license family packs are $49.95 (otherwise known as $35 and $50; can we agree that pricing downloadable items as if they were sportscars or boxes of detergent, while psychologically valid, is darned silly) and upgrades from 2.5 to 2.6 are free of charge for most users. MacHeist II bundle owners are covered for this upgrade, however those who got a free license via Macworld's Mac Gems promotion will have to cough up the dough for the new version.
There's been some talk about PayPal blocking Safari from using its services, and I'm among those concerned about it... even if only from a convenience standpoint. Originally the news was gleaned from statements by PayPal Chief Information Security Officer Michael Barrett regarding browsers without phishing protection -- which most assumed included our beloved Webkit-based compass. But in a brief addendum to a post at the Wall Street Journal last week it was reported that -- while Paypal will be blocking older browsers (IE4-era) and older operating systems -- Safari is safe from the cut.
I'm relieved, at least from the previously mentioned convenience standpoint. I prefer Safari as my surfing browser¹ and I frequently use PayPal. It's too bad that there are still a good number of sites that, while not blocking Safari, just plain don't work with it yet. Add to that some of the great plugins available for Flock/Firefox and you'll almost always find me with multiple browsers open. In much the way that the iPhone is preventing Gargoylism* by consolidating peripherals, I'm hoping for a day when I open just one browser in the morning. I'm getting a little teary-eyed thinking about it.
¹ Since I know it will be bandied about in the comments, I'd like to offer these reasons for preferring Safari: It's faster (in general). It's more elegant (or prettier, either way it's subjective). It's AppleScriptable (which I make daily use of). And it's more elegant (redundant, but worth mentioning again).
Since the rules of the contest ensure that the vulnerabilities are immediately turned over to the Zero Day Initiative and the vendors are notified, this hole (presumably in Safari, although possibly in QuickTime or Java as last year's was) should be patched in due course, and users are no more or less secure today than they were yesterday. It is a little troubling, however, that the other two laptops (Vista and Ubuntu) are still standing.
As many of you have reported, there are a few hiccups for some who have installed the latest Leopard security update. Two of the areas of concern are ssh (no connectivity or a crash) and printing (errors out, documents never finish spooling), with various fixes offered (reinstalling the 10.5.2 combo update, installing a standalone SSH build) and various degrees of success reported.
One emergent common thread for some of the problems is the presence of a Rogue Amoeba audio utility, and the gang in the petri dish have responded with a revised version of the Instant Hijack framework. The new 2.0.3 version aims to address a bug that has been latent since the introduction of Leopard's position-independent executables feature, where certain sensitive processes (like, say, ssh) could be run from a randomized memory address, avoiding attack vectors that depend on targeting a specific vulnerable spot within the code.
Up until the 2008-002 security patches, according to RA, the PIE feature wasn't used for anything yet -- after the update, surprise surprise, ssh is being moved around when it runs. Since Instant Hijack inspects newly launched processes to see if they have audio properties, it tries to look at the ssh instance in memory -- hey, wherdja go? Hence the problem.
If you have been experiencing ssh issues and have Rogue Amoeba apps installed, try the patch and let us know what happens.
If you happen to use Microsoft Office 2008 as your office suite of choice, Microsoft has an update for you. This security update, which brings the suite to version 12.0.1, features "several changes that improve security, stability, and performance" and includes "fixes for users of Mac OS X 10.5 Leopard." Sync behavior in Entourage and a file corruption bug in PowerPoint are among the areas of improvement.
The update also features "fixes for vulnerabilities that an attacker can use to overwrite the contents of a computer's memory by using malicious code." That's good because we don't want that, do we?
To download this new update, head on over to the Microsoft Mac Business Unit site and go to the Downloads section. For a full explanation of what this update does, check out the Microsoft support article.
As with any update, be sure to let us know what happens if you decide to apply it.
Alternate title: The MacBook Air is a device, but it's not a "Device."
Programmer Michael Nygard is used to travel. He's got the process down, from airport to hotel. Unfortunately, the TSA isn't as prepared.
While passing through airport security recently, he was pulled aside and made to sit in the holding area. He watched as a gaggle of TSA workers examined his things, especially his laptop ...
"'There's no drive,' one says. 'And no ports on the back. It has a couple of lines where the drive should be,' she continues...."
As you've probably guessed, Michael's MacBook Air had them all baffled. Fortunately, a younger member of the team eventually arrived and explained that it's not a "device," but a computer with a solid state hard drive. It's good to know they're keeping up with this kind of thing.
Here's a warning to everyone traveling to SxSW this weekend with a MacBook Air: schedule a few extra minutes for the airport.
I've seen some very convincing PayPal phishing sites in recent years. I've also worried many times that friends and relatives less savvy in the ways of the phisher may inadvertently hand off a password or two and blame me – the one who talked them into a PayPal account to begin with – for the draining of their life savings. Thankfully PayPal shares my concern for said friends and family members and has published a guide to "Safer Browsers." Apple's Safari web browser, however, was not included in the list of recommended browsers.
This is not all that surprising, at least to anyone who's followed Safari security concerns. Despite having improved in certain areas, such as IDN spoofing, Safari still lacks some fundamental security features found in Internet Explorer (7+), Firefox and Opera. Features such as Extended Validation certificates are heavily promoted by PayPal, despite the warnings of critics who feel that many targets of phishing scams don't notice the green background in the URL field until it's too late -- if at all. Plugins like Saft do their bit, adding a few security features too. But until Safari catches up with IE and Firefox in the area of security, it's not likely that PayPal's list is going to include the otherwise spectacular browser.
This morning I was having a light hearted conversation about all the iPhone features developers have been able to harness and add to their apps. The back and forth was telling. We can now use Google Maps to tell us where you are. We can use Core Telephony to send out SMS messages. We can read your contacts database and look through your phone history. We can grab your microphone and listen to what you're saying and use your camera to shoot pictures without you even knowing and...
Holy freaking cow.
And then I thought for a second and concluded: "...it's exactly like programming for a Mac".
Security concerns are not unique to the iPhone and its full featured capabilities are nothing new for computing. What makes the iPhone seem different is that it fits in your pocket. Mobile WinCE never did all this stuff.
So it's up to developers to program responsibly. Just like Macs. Just like Windows. Just like Linux.
There's great news for iPhone users from the makers of 1Password. For those who might need a recap, 1Password is a cross-browser password manager, form auto-filler and digital wallet for your Mac. The application has had its fair share of updates recently, including the new capability to create a secure bookmarklet for your iPhone with your protected password and login information. It's been announced that 1Password will be adding a new version of the bookmarklet feature, with the ability to automatically fill out login info and web forms on your iPhone.
Ars Technica's David Chartier got a chance to demo the bookmarklet at Macworld and reports that it works well, including the feature to store multiple identities per website, and the word is that the developers hope to ship this new feature within the week. You can get more information on 1Password and download a demo at the Agile Web Solutions site. Oh, and in case you hadn't noticed, it's also included in the MacHeist bundle if you get there before time runs out.
US-CERT and Information Week are reporting a new vulnerability in QuickTime's handling of RTSP streams, which has been demonstrated to crash QuickTime Player on Windows and may also affect the Mac version. See the writeup by researcher Luigi Auriemma, who first announced the flaw.
Unlike the RTSP bug patched in QuickTime 7.3.1 last month, this vector works by overflowing a buffer with the HTTP error response the malicious server sends when its RTSP port 554 is closed and the QuickTime client falls back to port 80. Sneaky.
Since we're almost certain to see iTunes 7.6 and possibly QuickTime 7.3.2 at Macworld anyway, expect another rev of QuickTime to close this hole after those versions ship -- since Apple wasn't notified in advance of this hole, it's unlikely to be caught in the pending updates, as commenter Nicholas points out (unless Apple found the vector independently).
So while I was gone off, enjoying the wild wonders of Arizona, seems like a big kerfuffle tumulted, disturbed, and then resolved. Mike Rose just dropped me an IM, asking whether the whole "Mikey" thing meant that the iPhone was especially susceptible to malicious influences. Was this the canary in the coal mine? Are bad things coming down the road iPhone-wise?
In my opinion? Not so much. This bad patch showed more that users could be quick to respond and capable of handling flackitude than that the iPhone was a particularly vulnerable platform. Less harm was done by Mikey the 11 year old than by the whole recent QuickBooks debacle.
It's a given when one computes that bad things happen. Some harm is intentional, some not. What we saw at play here, and is especially obvious in retrospect, was a quick community response. The strong network of Apple/iPhone enthusiasts got the message out and acted with precision and decisiveness. Well done, guys.
If you already installed either Security Update 2007-009 or Safari 3 Beta 3.0.4 Security Update for Windows, you may have noticed a wee bit of instability in Safari post-update. The behavior in question is euphemistically described by Apple as "an unexpected termination of the Safari application when browsing to certain web sites," or translated into English: Safari go boom now.
Fortunately, before heading out to celebrate Christmas with their long-suffering families, Apple security engineers cranked out 1.1 updates to both the recent security patches, available for download now. If your Safari experience hasn't been all it can be since the updates, try the new patch versions and see if they improve matters.
As reported, the RTSP vulnerability in QuickTime was accompanied by working exploit code, accelerating the process of malefactors and miscreants turning it into actual malicious payloads. Symantec & other outlets have since reported that the QuickTime exploit has been seen in the wild; the exploit causes Windows clients to download a secondary malware package.
The Second Life exploit starts to veer disturbingly towards Snow Crash territory. I don't want to spoil Neal Stephenson's brilliant breakthrough novel for those who haven't read it, so go read it. For the rest of us, doesn't the idea of a 'virus video' that attacks anyone who watches it seem awfully familiar?
Over the weekend, security researchers announced a vulnerability in QuickTime's handling of the RTSP streaming protocol, and Windows-only exploit code is already circulating. The flaw allows attackers to craft specially formatted RTSP responses that cause a buffer overflow, and as a result they can execute arbitrary code in the context of the logged-in user. Unfortunately, there are plenty of ways to get someone to click a malicious RTSP link, including sending it in email or including it on a website. While Symantec notes that IE and Safari for Windows appear to be resistant to the exploit code, opening a malicious RTSP link in current versions of Firefox or in QuickTime Player would allow the exploit to run.
For now, there is no Mac version of the exploit (cold comfort to the millions of iTunes for Windows users); hopefully there will be a QuickTime security patch on both platforms before any additional exposure occurs. Rich Mogull at TidBITS has some helpful tips for securing your network, including blocking the RTSP protocol both at the firewall and for outbound connections via Little Snitch. Update 10:30 am Thursday: Commenter Moulles points out that a cross-platform exploit for the RTSP flaw, which could target either PCs or Macs, has now been published.
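Both QuickTime items above (the RTSP response overflow here, and the port-80 fallback variant where the server's HTTP error response is the overflowing input) come down to the same defect: a client copies a server-controlled line into a fixed-size field without checking its length. The following C is an added illustration of that pattern and its fix; it is not QuickTime's code, and the `http_status` struct, the 32-byte `REASON_MAX` field and the "HTTP/1.x NNN reason" status line are constructed for the example. The unsafe parser is kept only for contrast; the hardened one works from an explicit byte count, validates the grammar, and refuses an oversized reason phrase rather than truncating it silently.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not QuickTime's code.  Scenario: a client asked for an
 * rtsp:// URL, found port 554 closed, fell back to HTTP on port 80 and now
 * reads the server's status line.  Every byte of that line is chosen by the
 * server, so the reason phrase is hostile input. */

#define REASON_MAX 32            /* constructed fixed-size field */

struct http_status {
    int  code;
    char reason[REASON_MAX];
};

/* Vulnerable pattern: the reason phrase is copied with no length check, so a
 * phrase of REASON_MAX bytes or more overruns 'reason' and whatever follows
 * it in memory.  Kept only for contrast; never run it on untrusted input. */
int parse_status_unsafe(const char *line, struct http_status *st)
{
    const char *sp1 = strchr(line, ' ');
    if (sp1 == NULL) return -1;
    st->code = (int)strtol(sp1 + 1, NULL, 10);
    const char *sp2 = strchr(sp1 + 1, ' ');
    if (sp2 == NULL) return -1;
    strcpy(st->reason, sp2 + 1);        /* BUG: unbounded copy */
    return 0;
}

/* Hardened parser: works from an explicit byte count (what recv() returned),
 * checks the grammar "HTTP/1.x SP 3DIGIT SP reason [CRLF]" and refuses a
 * reason phrase that does not fit instead of truncating silently.
 * Returns 0 on success, -1 on malformed input, -2 on an oversized reason. */
int parse_status_safe(const char *line, size_t len, struct http_status *st)
{
    const size_t hdr = 13;          /* strlen("HTTP/1.x ") + strlen("NNN ") */
    if (len < hdr) return -1;
    if (memcmp(line, "HTTP/1.", 7) != 0 || !isdigit((unsigned char)line[7]))
        return -1;
    if (line[8] != ' ' || line[12] != ' ') return -1;
    for (size_t i = 9; i < 12; i++)
        if (!isdigit((unsigned char)line[i])) return -1;

    /* Trim an optional trailing CRLF, then bound-check the reason phrase. */
    size_t rlen = len - hdr;
    while (rlen > 0 &&
           (line[hdr + rlen - 1] == '\r' || line[hdr + rlen - 1] == '\n'))
        rlen--;
    if (rlen >= REASON_MAX) return -2;  /* would not fit with its NUL */
    for (size_t i = 0; i < rlen; i++)   /* no control bytes in the phrase */
        if (!isprint((unsigned char)line[hdr + i])) return -1;

    st->code = (line[9] - '0') * 100 + (line[10] - '0') * 10 + (line[11] - '0');
    memcpy(st->reason, line + hdr, rlen);
    st->reason[rlen] = '\0';
    return 0;
}

/* Constructed benign response; returns the parsed code or -1 on mismatch. */
int demo_benign(void)
{
    struct http_status st;
    const char ok[] = "HTTP/1.1 404 Not Found\r\n";
    if (parse_status_safe(ok, sizeof ok - 1, &st) != 0) return -1;
    if (strcmp(st.reason, "Not Found") != 0) return -1;
    return st.code;                     /* 404 */
}

/* Constructed hostile response: a reason phrase far longer than REASON_MAX. */
int demo_oversized_reason(void)
{
    char line[128] = "HTTP/1.1 404 ";
    memset(line + 13, 'A', 100);
    line[113] = '\0';
    struct http_status st;
    return parse_status_safe(line, strlen(line), &st);   /* -2: rejected */
}

int main(void)
{
    printf("benign status code -> %d\n", demo_benign());
    printf("oversized reason   -> %d\n", demo_oversized_reason());
    return 0;
}
```

The design point is in the hardened version's failure mode: a response that does not fit the field is an error returned to the caller, which can then drop the connection, rather than something quietly clipped, since a truncating copy would hide the fact that a peer is sending malformed data, which is exactly the signal a client should log.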