Famous Apple security expert Charlie Miller is preparing to announce 20+ new Zero Day security holes in Mac OS X at CanSecWest.  Charlie says “OS X has a large attack surface consisting of open source components, closed source third-party components and closed source Apple components; bugs in any of these types of components can lead to remote compromise.”   He further explains “Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.”  As I have been saying for years, Apple users are currently safer only because hackers see a larger ROI (return on investment) attacking Microsoft Windows based machines.

I have been noticing Apple Mac users more frequently requesting and installing third party anti-virus protection software than in previous years.   More key players in the anti-virus industry are releasing their flagship security products for the Mac OS.   When the Mac OS becomes a key target to hackers the damage caused will be quite significant due to most Apple users not installing third party security software solutions and the general mindset that the Mac OS is secure from hackers and exploits.

Author: Christopher

Many agree Adobe has never responded to security vulnerabilities in their popular products quickly. Known vulnerabilities would take weeks and in some cases months before being addressed. Most recently in February Adobe confirmed a known vulnerability in their Acrobat PDF software and admitted the vulnerability is actively being used by hackers. Brad Arkin, Adobe’s director for product security and privacy mentions this event is what prompted a new security practice.

Adobe has started reviewing the code in Adobe Reader and Adobe Acrobat products and is identifying “at-risk areas” that will be addressed and ultimately re-written. “We’re going to broadly look at the whole application, but focus on at-risk areas, where we’ll do threat modeling, static code analysis and look for potential vulnerabilities,” said Arkin. “We’re going to do a lot more pro-active work,” he promised. “We want to shake loose vulnerabilities.”

Arkin promises a regular patching cycle and in fact will deliver patches the same day as Microsoft. Although their patch cycle is quarterly, not monthly, the patches will be delivered the second Tuesday of the month. This schedule has not officially started.  Arkin also mentioned JavaScript will not be disabled by default in future builds of Adobe Acrobat products.

More information on Adobe Acrobat’s new security initiative can be found on Adobe’s Asset blog.

Author: Christopher

Another serious vulnerability in Adobe Acrobat is making its way around the Internet.  So far testing has confirmed  the vulnerability in Adobe Acrobat 8.1.0, 8.1.1, 8.1.2, 8.1.3, and 9.0.0.  This affects the latest version of both 8.x and 9.x versions of Adobe Acrobat.  Although the exploit is not JavaScript based, it is trigger via JavaScript, so for now disabling JavaScript will help mitigate this threat.  Adobe has acknowledge the vulnerability and has plans on releasing a patch around March 11th.

For now, if you want to disable JavaScript in Adobe Acrobat, you can go into the Edit menu and select preferences.   Under preferences you will see a JavaScript option group, from there you can un-check the box to disable JavaScript.

This can also be disabled via the registry or a GPO under HKEY_CURRENT_USER

Author: Christopher