The Download Blog

October 13, 2009 12:55 PM PDT

Adobe fixes 28 holes in Reader and Acrobat

by Elinor Mills
  • 9 comments

Adobe on Tuesday released a security bulletin that includes fixes for 28 vulnerabilities in Adobe Reader and Acrobat, including a critical hole that has reportedly been exploited in the wild in limited attacks.

Affected software includes version 9.1.3 of Reader and Acrobat; Acrobat 8.1.6 for Windows, Macintosh, and Unix; and version 7.1.3 of Reader and Acrobat for Windows and Macintosh. The vulnerabilities could cause the applications to crash and could allow an attacker to take control of a user's computer.

Adobe recommends that people update to Adobe Reader 9.2 and Acrobat 9.2, or Acrobat 8.1.7 or Acrobat 7.1.4. For Adobe Reader users who cannot update to Adobe Reader 9.2, Adobe has provided the Adobe Reader 8.1.7 and Adobe Reader 7.1.4 updates.

One of the updates addresses a hole that Trend Micro says has been exploited by a Trojan horse that arrives as a PDF file containing malicious JavaScript. That exploit affects Microsoft Windows 98, ME, NT, 2000, XP, and Server 2003, according to Trend Micro.

"All users of Adobe Reader or Acrobat will need to update their software with today's release because these updates include fixes for the most critical kind of bugs," said Andrew Storms, director of security operations at nCircle.

This is Adobe's second quarterly security update for Adobe Reader and Acrobat.

Also on Tuesday, Microsoft issued a security advisory with a record number of bulletins, including the first fixes for critical holes in Windows 7.

Originally posted at InSecurity Complex
October 13, 2009 11:05 AM PDT

Critical Windows 7 holes fixed in record Patch Tuesday

by Elinor Mills
  • 146 comments

Microsoft released a record number of 13 bulletins for 34 vulnerabilities on Patch Tuesday--and the first critical update for Windows 7--as well as fixes for zero-day flaws involving Server Message Block (SMB) and Internet Information Services (IIS).

The most severe of the three SMB flaws, which were first reported last month, could allow an attacker to take control of a computer remotely by sending a specially crafted SMB packet to a computer running the Server service. Exploit code for one of the SMB holes has been posted to the Web, Microsoft said.

Windows 7 is affected by two critical patches intended to mend vulnerabilities that could allow remote code execution if a malicious Web page were viewed, one part of a cumulative security update for Internet Explorer and the other in .Net Framework and Silverlight.

The official release date for Windows 7 is October 22, but the new operating system has been available to some large businesses with volume licenses since the summer. The code was finalized in July.

Other critical patches in the security bulletin for October fix a vulnerability in Windows Media Runtime that could be exploited if a user opened a malicious media file or received malicious streaming content from a Web site or application, and a vulnerability that could be exploited if a specially crafted ASF (Advanced Systems Format) file is played using Windows Media Player 6.4.

Among the critical updates: a cumulative security update of ActiveX Kill Bits, addressing a vulnerability that is being exploited and that affects ActiveX controls compiled using Active Template Library (ATL); and another patch resolving several vulnerabilities in ATL ActiveX Controls that could allow remote code execution if a user loaded a malicious component or control. ActiveX and ATLs were the subject of an emergency patch Microsoft released in July.

The final critical bulletin fixes a hole in Windows GDI+ (Graphics Device Interface) that could allow an attacker to take control of a computer if the user viewed a malicious image file using affected software or browsed a malicious Web page.

"Microsoft has repeatedly had to fix problems related to the Graphics Device Interface in Windows, and vulnerabilities in the component have been exploited broadly in the past. We can expect that security researchers will be looking to reverse-engineer today's patches, which may very well lead to exploits being created," said Dave Marcus, director of security research and communications at McAfee Labs.

Nine of the vulnerabilities were previously disclosed, which meant that attackers had time to come up with so-called "zero-day" exploits before the patches were available, Marcus noted.

The most alarming vulnerability in the mix is the SMB flaw, which was introduced by the patch for a different vulnerability, according to Josh Phillips, virus researcher at Kaspersky Lab.

Andrew Storms, director of security operations at nCircle, said the bug that is likely to have the biggest impact will be the critical one that affects Windows Media Runtime and involves a speech codec bug that has limited exploits in the wild. "This is a typical file-parsing issue and similar to vulnerabilities that have allowed attackers to create drive-by attacks that infect unsuspecting video viewers," he said.

Meanwhile, the critical SMB vulnerability is relatively difficult to exploit given default firewall conditions, but the IIS bugs are easy to exploit, Storms added.

"The sheer volume of the bulletins and patches is extreme," said Jason Miller, senior data team leader for Shavlik Technologies. "This is really going to affect administrators. It's going to be very challenging because of the time and research that's going to be needed" to patch systems.

Also released were five bulletins rated "important" to fix vulnerabilities in IIS, for which exploit code has been publicly released and for which there have been limited attacks, along with Windows CryptoAPI, Windows Indexing Service, Windows Kernel, and Local Security Authority Subsystem Service.

The update for Windows CryptoAPI relates to flaws in the way domain names are verified on the Internet, which could allow attackers to impersonate a site and steal information from unsuspecting Web surfers. The holes were revealed by researchers Dan Kaminsky and Moxie Marlinspike at Defcon in August.

Affected software includes Windows 7; Windows 2000; Windows XP; Windows Vista; Server 2003 and 2008; Office XP, 2003, and 2007; Microsoft Office System; SQL Server 2000 and 2005; Silverlight; Visual Studio .Net 2003; Visual Studio 2005 and 2008; Visual FoxPro 8.0 and 9.0; Microsoft Report Viewer 2005 and 2008; Forefront Client Security 1.0; and Office software including Visio, Project, Word Viewer, and Works.

The installation also removes the Win/FakeScanti Trojan, which displays fake malware warnings and then asks computer users to pay for fake antivirus software.

(For more information and analysis from Symantec, listen to my colleague Larry Magid's podcast.)

Update: This story was updated at 2:15 p.m. PDT with additional comment and at 11:47 a.m. PDT with more details and reaction from experts.

Originally posted at InSecurity Complex

July 15, 2009 9:08 AM PDT

Zero-day flaw found in Firefox 3.5

by Tom Espiner
  • 56 comments

There is a critical JavaScript vulnerability in the Firefox 3.5 Web browser, Mozilla has warned.

The zero-day flaw lies in Firefox 3.5's Just-in-time (JIT) JavaScript compiler. Proof-of-concept code to exploit the vulnerability has been posted online by a security research group, Mozilla said in a post on its security blog on Wednesday. Security company Secunia rated the vulnerability as "highly critical" on Wednesday.

The hole could allow a hacker to launch a "drive-by" attack, according to Mozilla. That means an attacker may be able to execute malicious code on a target machine, if the victim visits a Web site containing an exploit.

No patch is currently available, but Mozilla developers are working on a fix. A workaround suggested in the blog post is to disable the Firefox 3.5 JIT compiler. However, Mozilla warned this would result in decreased JavaScript performance in Firefox.

The JIT compiler is part of TraceMonkey, which was added to Firefox for its 3.5 update released at the end of June. TraceMonkey is meant to optimise the browser, which is faster than previous iterations of Firefox, according to Mozilla.

On Wednesday, the United States Computer Emergency Response Team said users and administrators should completely disable JavaScript functionality in Firefox 3.5.

The Sans Institute also said people could disable JavaScript, and suggested using NoScript, an open-source Firefox plug-in that only allows script to be executed by trusted Web sites.

Tom Espiner of ZDNet UK reported from London.

Originally posted at Security
July 1, 2009 9:47 AM PDT

Independence Day downloads

by Jessica Dolcourt
  • 3 comments

Red, white, and blue flags flapping in the breeze, smoking grills, and blazing sunshine. There's no better time to celebrate America's 233rd birthday. And what better way to wish Uncle Sam (and ourselves) many happy returns than a schmaltzy screensaver for your desktop? Show off your patriotism and passion for dazzling explosives with this collection of Independence Day downloads.

Liberty Shines Screensaver
See an entire Fourth of July day from the water, looking onto Manhattan's shoreline. Lady Liberty and New York are the daylight stars in this well-animated screensaver. As dusk falls, the buildings light up and the fireworks begin to sparkle and burst behind this enduring symbol of America's freedom.


Fireworks Screensaver
This classic fireworks screensaver draws you in to the spectacular display you shoot onto your desktop. Interact with the screensaver by choosing the number of rockets to compose your grand finale. If your tastes run high, you'll be able to create in no time a blast befitting America's birthday.


Patriotic Scenic Reflections Screensaver
If to you Independence Day is more than just barbecue and pyrotechnics, you'll want a patriotic screensaver like this one on your desktop. This one displays more than 80 classic images of American icons, including a proud bald eagle, the Washington Monument, and the Statue of Liberty.


3D Magic Mahjongg
Brush aside the old-school graphics and you'll find a July Fourth-themed tile-matching game with addictive gameplay. The game opens with a stack of tiles covered with fireworks, flags, and Liberty Bells. Your job is to strategically match two unobstructed tiles. Pair them all off and you win the game, but get stuck and you'll have to start again.

3D Fireworks Extravaganza demo
If nothing but the most realistic fireworks will do to celebrate the Declaration of Independence, this could be the screensaver for you. The colorful blasts look right, and we are sure they are even better in the full version. Like many of its screensaver cousins, the trial download unfortunately obscures the view with a nag screen.

3D Fireworks by the Bay
New York, Boston, and Philadelphia aren't the only places to celebrate the turning of the years! While San Francisco postdates the Declaration of Independence, the City by the Bay sure knows how to honor it. This jubilant screensaver shoots off rockets from San Francisco Bay over the city's unique nighttime skyline.


Flags Demo
You have an American flag waving in the breeze outside your door. But what about inside your home? You can easily show your pride there, too. Just download this patriotic screensaver to proudly hoist the stars and stripes on your desktop while you step away.


Awesome Navy Aircraft Screen Saver Lite
Nothing says patriotism like the U.S. Navy. This high-flying screensaver features a slew of professional-quality photos of fighter jets and helicopters in action.




4th of July Dreams Screensaver
This nifty screensaver features a festive fireworks display against the backdrop of various symbols of American heritage including the Lincoln Monument, Mount Rushmore, the Statue of Liberty, and the Washington Monument.

May 7, 2009 1:08 PM PDT

Microsoft to issue patch for critical PowerPoint hole

by Elinor Mills
  • 7 comments

Microsoft will issue a patch on Tuesday to fix a critical vulnerability in PowerPoint that could be the same hole that has been exploited in limited and targeted attacks.

The vulnerability affects Microsoft Office 2000, 2003, 2007 and XP, as well as PowerPoint Viewer and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 file formats, according to an advance notification released on Thursday.

In a security advisory in early April, Microsoft warned about a vulnerability in PowerPoint that had been targeted by attacks that were tailored and not widespread.

That vulnerability could be exploited by getting a person to open a PowerPoint file rigged for the attack, the company said. When the file is opened, PowerPoint will access an invalid object in memory. That then allows an attacker to remotely execute code on the system.

Originally posted at Security
April 21, 2009 11:50 PM PDT

Go green: Energy-cutting apps for your PC

by Jessica Dolcourt
  • 8 comments

Earth Day may or may not appeal to your eco-conscience, but keeping the reins steady on your computer's carbon footprint and energy consumption makes good technological and financial sense. Reducing your energy output can prolong the life of your hardware--especially a laptop or Netbook--and can help save cash, which we all know is the 'greenest' motivation around.

This collection of environmentally friendly software lassos together these apps, plus a few others to help understand and appreciate our planet's cities, flora, and outer space neighbors.

ENERGY-SAVERS

Edison (Credit: CNET)

Edison for XP and Windows Vista is the newest one-stop app for monitoring how much energy and money you save when you tighten up your computer's sleep and shutdown schedules. A slider lets you decide after how many minutes you want to shut down your computer's display and hard drive during the peak work day. You can program differing criteria for off hours. Manual customization is also possible if you need to ease into greener computing.



Originally posted at Green Tech
March 16, 2009 12:06 PM PDT

St. Patrick's Day downloads: Another kind of green

by Jessica Dolcourt

We can't keep you from getting pinched if you've neglected to deck yourself in verdant hues this St. Patrick's Day, but we can help keep you in the spirit of green with these energy-saving apps. Of course, we'd never tease you so mercilessly with a collection of "green apps" without also pointing out our jolly supply of leprechaun and other St. Patrick's Day screensavers. Without further ado, make merry with these eco-minded downloads.

Edison shows how much energy and cash you save by suspending systems sooner.

(Credit: CNET)

Edison for XP and Windows Vista is the newest one-stop app for monitoring how much energy and money you save when you tighten up your computer's sleep and shutdown schedules. A slider lets you decide after how many minutes you want to shut down your computer's display and hard drive during the peak work day. You can program differing criteria for off hours. Manual customization is also possible if you need to ease into greener computing.

How many extra pages do you generally recycle after printing a page from a Web site? We all agree, it's better for the environment if you can avoid inking up those unwanted extras in the first place. The free GreenPrint World and premium GreenPrint Home Premium can help.

Vista users wishing to shrink their energy footprint a size can get started with Vista Battery Saver, a freeware app that disables certain Vista features, particularly when your power reserves dip below a predefined threshold. This app is especially useful for owners of Vista laptops who are running on limited batteries.

A perpetually running computer is an energy-dumping computer. Luckily, even if you're too lazy to shut your computer down yourself, freeware like Auto Shutdown can schedule shutdowns for you. Not only that, this app gives you five modes for taking your rig offline, and lets you program hot key combinations to launch the sleep or "off" mode of your choice without opening the program's interface.

Schedule hibernation and shutdowns and assign actions a hot key shortcut.

(Credit: CNET)

If you've got Google Desktop, Google's Energy-saving gadget will monitor your power savings from your Google Desktop dashboard. You'll have to make some concessions, of course, like letting your computer hibernate or shut down after shorter intervals of idleness, but seeing that you spared enough energy to power a jumbotron at a baseball game may cause you to rethink just how valuable 24-7 access to the computer is to you.

Technician geeks get another take on computer energy usage in SpeedFan, a fast and free, but complex program for accessing fan speeds, temperature, and voltage in PCs with hardware monitor chips. This application won't appeal to, or even make sense to, most average users, but the data-rich app will be a jackpot for some.

February 12, 2009 11:24 AM PST

Valentine's Day downloads

by Jason Parker
  • 2 comments

With Valentine's Day just a couple of days away, why not get into the spirit? We put together a collection of screensavers and Valentine's Day themed downloads to get you in the mood for the most romantic of holidays. Hopefully, it will also act as a reminder to those who might forget. Ahem.

Some of these downloads are paid and others are free, but any one you choose will certainly put you in the spirit of Valentine's Day.

Cool EasyCard (Credit: CNET Networks)

Cool EasyCard lets you create Valentine's cards (or any type of greeting) with your own photos and the words you want to say. If you're tired of trying to find just the right words in the greeting card aisle, leave nothing up to chance by saying the right thing just the way you want to say it.





Hearts, Roses, Love (Credit: CNET Networks)

Hearts, Roses, Love is an elegant and simple screensaver to get you in the mood for Valentine's Day with class. The beautifully designed screensaver doesn't offer a lot of bells and whistles, but is just enough to make your desktop come alive with the Valentine's Day spirit.




Cuddly kitties and canines (Credit: CNET Networks)

Cuddly kitties and canines is exactly what the name would imply: photos of cute kittens and puppies surrounded by Valentine's themed decorations. If you're an animal lover, check out this cute and simple screensaver.




Free Valentine's Day Screensaver (Credit: CNET Networks)

Free Valentine's Day Screensaver features high-quality images and smooth transitions to make this screensaver the perfect way to enjoy the holiday. If you want a little more than a themed screensaver, or prefer several changing Valentine's Day images, this is the download for you.




Valentine 3D Screensaver (Credit: CNET Networks)

Valentine 3D Screensaver lets you view a lovely setting with wine glasses, a Valentine's Day message, and a cuddly teddy bear. Smooth, nice-looking graphics make this screensaver a great choice for those who leave their computers on during this most romantic of dates. Later, you should consider turning off your computer entirely.



3D Dancing Cupid (Credit: CNET Networks)

3D Dancing Cupid gets you in the mood for the holiday with a retro screensaver designed to bring out the silliness in everyone. If you're the type who likes a dancing screensaver, Cupid is a little guy who knows how to get down. On the dancefloor--get your mind out of the gutter.




3D Love Clock (Credit: CNET Networks)

3D Love Clock lets you put a personalized, heart-shaped clock on your desktop. You'll never forget your loved ones during this most important of romantic holidays--or what time it is. Customize your clock further by adding a picture of your loved one.

July 25, 2008 4:38 PM PDT

Fun flying with Power Downloader

by Seth Rosenblatt
  • 2 comments

Kitty Kilobyte is off to Europe for her annual vacation abroad. Like many of us, she loves travel but hates flying. When she asked Power Downloader if he had any advice--such as a program that was so boring it would put her to sleep for 10 hours--he came back with an alternative plan.

MahJong Suite 2008 has clear and simple navigation so that players can focus on the fun.

(Credit: TreeCardGames)

Instead of boring herself to sleep, Power Downloader suggested Kitty try a brain challenge--an engaging game that would take her mind off the pre-flight horrors of the TSA and the in-flight trauma of getting stuck with the middle seat. Power D's recommendation this week is MahJong Suite 2008. With more than 50 mahjong and Concentration-style layouts, this attractive and addictive suite is a bonanza for tile-game lovers. The convenient browser organizes layouts by difficulty, number of levels, and several other factors. If you like, the game will choose a random layout for you.

Give the demo a spin to see how you like the gameplay and feel of the various options, but don't forget that the demo doesn't allow reshuffling. Even with that limitation, Power D reminded Kitty, the 30-day trial should be more than enough time to determine if this suite is right for you. Assuming you happen to finish the layouts, there's a built-in game editor so you can quickly design more. There are even included statistics, so numbers fanatics can keep track of their progress, no matter who's fighting them for the armrest.

June 18, 2008 7:47 AM PDT

Statistics show Firefox 3 spreading fast

by Stephen Shankland
  • 2 comments

Firefox 3 gained market share rapidly, even before it was 24 hours old.

(Credit: Net Applications)

Firefox 3 is spreading fast, claiming more than 4 percent of the share of Web browser usage less than 24 hours after its release.

According to Net Applications, which monitors browser usage at major Web sites, Firefox 3 rapidly ascended to what I'd call force-to-be-reckoned-with status, something Web designers shouldn't be ignoring. For comparison, Apple's Safari had 6.25 percent share in May, and Opera had 0.71 percent.

Undoubtedly, most Firefox 3 activity is from existing Firefox users, but it's still a notable achievement, given that software companies constantly struggle to get users to adopt the latest products.

Mozilla, which sponsors and oversees development of the open-source Web browser, released Firefox 3 for download on Tuesday. It primed the publicity pump with an effort to set a 24-hour download record, and interest by the abundant Firefox loyalists brought Mozilla's servers to their knees for nearly two hours Wednesday.

Mozilla has been fulfilling pent-up demand ever since. Sometime after 7 a.m. PDT, downloads crossed the 7 million mark, according to Mozilla's download counter, which is fun to watch, even though it's badly formatted.

The download rate, which peaked at 14,000 per minute Tuesday, was about 6,600 per minute Wednesday morning.

For full coverage, including reviews and videos, see CNET's Firefox 3 resource center.

Originally posted at News Blog

About The Download Blog

Download.com editors cover the world of downloadable software and beyond.
