Adobe and Windows critical patches coming in mid-December and January
Adobe Systems has published an advisory announcing that they will be releasing an "out-of-band" patch, sometime during the week starting on December 12, 2011, for their Acrobat and Reader programs for Windows, version 9.4.6. This is in response to cyber criminals exploiting a critical vulnerability discovered in the code used by those related programs.
The same vulnerability being exploited in Reader 9.4.6 also exists in the newer version 10.1.1 of Adobe Reader X and Acrobat X. However, those programs operate by default in protected mode, which nullifies the exploit vector being targeted in the ongoing attacks. Nonetheless, Adobe has scheduled a security update for these newer versions, to be released on January 10, 2012. That update will apply to all supported platforms of Adobe Reader.
If you use the Foxit PDF reader, Foxit has released a new version in response to the same vulnerability that exists in Adobe's Reader (see the Foxit security notice). You can download the latest version (5.1.3) of Foxit from their website.
Microsoft is going to be releasing 14 patches on December 13, 2011. Be sure you check for these Windows Updates during the afternoon of this coming Patch Tuesday. You may or may not need all 14 patches, depending on your Windows operating system and installed Microsoft Office programs. If you use Windows XP with SP 3, you are definitely going to get a lot of patches! If you haven't upgraded to SP 3, your PC is in extreme danger of takeover through numerous vulnerabilities that have been patched, but whose patches require SP 3 to install.
Other software vulnerabilities being exploited in the wild this week include a critical flaw in Yahoo Messenger 11.5.0.152 and older. This happens to include the current version! The world waits with bated breath for Yahoo to respond with a patched update. The flaw allows hackers and criminals to place hostile status update messages containing links to malware servers. The victims are unaware that their status message system is being used to trick other people on their Yahoo Messenger contact lists.
To protect themselves until a patch is released, Yahoo users should set their Yahoo Messenger to "ignore anyone who is not in your Yahoo! Contacts." That should keep you safe from being exploited by strangers, but you could still be tricked if one of your existing contacts gets hacked. Keep this in mind and check for updates regularly, via the Yahoo Messenger Help menu item.
Finally, Oracle's Java (not JavaScript) has been and still is the darling of exploit kit authors. It is the most successful attack vector in use today. If you have a vulnerable version of Java installed on your computer, it can be exploited without any user interaction to take complete control of your computer. If you have Java, it is imperative that it be the latest version (currently version 6 Update 29), with no old versions left on your hard drives (old versions can still be targets). Go to java.com to ensure that you have the latest version installed (then uninstall any older versions!).
If you don't use Java for any mission-critical purposes, consider uninstalling ALL versions of it. If you must use Java, set the updater to check automatically every week, or even daily, at a time when your PCs are normally on. Do this via the Windows Control Panel Java applet. Mac users should use the Apple Software Updater, while Linux users should use the built-in software updater for their version of Linux.
In case you are wondering who is to blame for all of the exploit kits targeting your computers, read this BBC article about Russian exploit kit programmers. Blame Rasputin!
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.