Adobe Reader 9
One of our readers, Steve, let us know that the Adobe website has Version 9 of Reader available for download. Be sure to notice that the "Free eBay Desktop" they kindly offer is checked by default, and that it is a 33.5MB download.
As for security upgrades, Adobe says the security enhancements provide new digital signature functionality. The new version also adds support for 256-bit AES encryption. Other security features include SOAP/WSDL, XSD, Kerberos, W3C XML digital signatures, 256-bit AES, OASIS WS-Security, HTTP/HTTPS, RSA, XML encryption, and ECMAScript for XML (E4X) in the JavaScript interpreter. Reader is also NIST PKI test-suite compliant.
UPDATE Downloaders Beware: Tim M. wrote in to let us know that installing Adobe 9 leaves you with an "Acrobat.com" icon on your desktop. It appears to be a beta version of software based on Adobe AIR, and you do not have the option not to install it. The icon launches an app for sharing files, etc. online. This makes us wonder what kind of security implications arise from your users having online collaboration tools in a beta distribution. Included in the download are Adobe Buzzword (web-based online word processing) and Adobe ConnectNow (meeting facilitator), both allowing workers to share information. The programs can be manually removed via Control Panel, Add or Remove Programs.
More info here: http://www.adobe.com/acom/
UPDATE 2: One of our readers, Rauno, let us know that a smaller installer, AdbeRdr90_en_US_Std.exe, without these two extra apps, is available from Adobe's FTP website at ftp://ftp.adobe.com/pub/adobe/
Microsoft Updates 2 DirectX Bulletins
Microsoft has issued a "Security Bulletin Major Revision" involving its DirectX products. The revisions cover the following two previously released bulletins and particularly affect administrative users, as a successful compromise gives the attacker the rights of the logged-on user.
MS08-033 Vulnerabilities in DirectX Could Allow Remote Code Execution (951698) is rated as critical and states that DirectX 9.0 was added as affected software. This vulnerability can be exploited through a specially crafted media file. http://www.microsoft.com/technet/security/Bulletin/MS08-033.mspx
MS07-064 Vulnerabilities in DirectX Could Allow Remote Code Execution (941568) is also rated critical and has been updated to reflect DirectX 9.0 and 9.0a as affected software. This vulnerability can be exploited through a specially crafted media file via streaming. http://www.microsoft.com/technet/security/bulletin/ms07-064.mspx
Yet another opportunity to remind administrators to try not to log in with admin rights unless it is absolutely necessary. It is much better to use a non-admin profile for routine tasks and surfing. And yes, it might be more cumbersome, but surely, more secure.
Firefox Releases 3.0.1 and fixes 3 security vulnerabilities
A security advisory released yesterday by Mozilla fixes the following issues and more:
MFSA 2008-34 Remote code execution by overflowing CSS reference counter. This vulnerability affects the CSSValue array data structure.