So Patch Tuesday has been and gone, and many of you will already have updated automatically. If you haven’t, do. there seems to be a curious complacency in some quarters about Powerpoint clientside exploits and targeted attacks, but a lot of dross gets passed around as slide-decks. For example, many an old hoax has been given a new lease of life by distribution as a PPT or PDF, and most malware distribution feeds on credulity. Hmm. That almost sounds like a paper I’m writing. :)
Talking of PDFs, Adobe yesterday published a new security bulletin. addressing the vulnerabilities labeled as CVE-2009-1492 and CVE-2009-1493 by http://cve.mitre.org. This update is described by Adobe as critical, and as Adobe auto-updating is not very consistent, Adobe users need to check that page. (And the other links, if you want more information: the bulletin isn’t very detailed and is a bit sparse on links.)
CVE-2009-1492 affects Adobe Reader 9.1 and Acrobat 9.1, and earlier, and could allow a remote attacker to take control of an affected system. CVE-2009-1493 only seems to affect Adobe Reader for UNIX and is also remotely exploitable.
Adobe recommends update to versions 9.1.1, 8.1.5, or 7.1.2. It also says it expects to provide updates for Adobe Reader 7 and Acrobat 7 before the end of June.
Adobe must feel that the entire anti-malware industry is out to get it at the moment (not made up for by its popularity with the bad guys), so it’s nice to be able to say that at least they’re making updates available before they’re aware of exploits. A little more info on vulnerabilities, at least once they’re addressed, and more consistency on updating would be nice, though.
Since everyone knows there is, never was, and never could be any OS X – targeting malware, I won’t mention the impressive volume of updates released by Apple yesterday. I guess my MacBook is going to be busy with automatic downloads for a while when I get back to it tomorrow.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, ESET