A little something to keep you busy… Adobe vulnerabilities that affect Microsoft Windows, Mac and Unix machines.
Patch ‘em up!
National Cyber Alert System
Technical Cyber Security Alert TA11-350A
Adobe Updates for Multiple Vulnerabilities
Original release date: December 16, 2011
Last revised: –
Source: US-CERT
Systems Affected
* Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
* Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh, and UNIX
* Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
* Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh
Overview
Adobe has released Security Bulletin APSB11-30, which describes
multiple vulnerabilities affecting Adobe Reader and Acrobat.
I. Description
Adobe Security Bulletin APSB11-30 and Adobe Security Advisory
APSA11-04 describe a number of vulnerabilities affecting Adobe
Reader and Acrobat. These vulnerabilities affect Reader and Acrobat
9.4.6 and earlier 9.x versions. These vulnerabilities also affect
Reader X and Acrobat X 10.1.1 and earlier 10.x versions.
An attacker could exploit these vulnerabilities by convincing a
user to open a specially crafted PDF file. The Adobe Reader browser
plug-in, which can automatically open PDF documents hosted on a
website, is available for multiple web browsers and operating
systems.
Adobe Reader X and Adobe Acrobat X will be patched in the next
quarterly update scheduled for January 10, 2012.
Additional details for the U3D memory corruption vulnerability can
be found in US-CERT Vulnerability Note VU#759307.
II. Impact
These vulnerabilities could allow a remote attacker to execute
arbitrary code, write arbitrary files or folders to the file
system, escalate local privileges, or cause a denial of service on
an affected system as the result of a user opening a malicious PDF
file.
III. Solution
Update Reader
Adobe has released updates to address this issue. Users are
encouraged to read Adobe Security Bulletin APSB11-30 and update
vulnerable versions of Adobe Reader and Acrobat.
In addition to updating, please consider the following mitigations.
Disable Flash in Adobe Reader and Acrobat
Disabling Flash in Adobe Reader will mitigate attacks that rely on
Flash content embedded in a PDF file. Disabling 3D & Multimedia
support does not directly address the vulnerability, but it does
provide additional mitigation and results in a more user-friendly
error message instead of a crash. To disable Flash and 3D &
Multimedia support in Adobe Reader 9, delete, rename, or remove
access to these files:
Microsoft Windows
"%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll"
"%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll"
Apple Mac OS X
"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle"
"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework"
GNU/Linux (locations may vary among distributions)
"/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so"
"/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so"
File locations may be different for Adobe Acrobat or other Adobe
products that include Flash and 3D & Multimedia support. Disabling
these plugins will reduce functionality and will not protect
against Flash content that is hosted on websites. Depending on the
update schedule for products other than Flash Player, consider
leaving Flash and 3D & Multimedia support disabled unless they are
absolutely required.
Disable JavaScript in Adobe Reader and Acrobat
Disabling JavaScript may prevent some exploits from resulting in
code execution. Acrobat JavaScript can be disabled using the
Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable
Acrobat JavaScript).
Adobe provides a framework to blacklist specific JavaScript APIs. If
JavaScript must be enabled, this framework may be useful when
specific APIs are known to be vulnerable or used in attacks.
Prevent Internet Explorer from automatically opening PDF files
The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to a safer option that
prompts the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF files in the web browser
Preventing PDF files from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied, it may also mitigate future vulnerabilities.
To prevent PDF files from automatically being opened in a web
browser, do the following:
1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the Preferences option.
4. Choose the Internet section.
5. Uncheck the “Display PDF in browser” checkbox.
Remove or restrict access to 3difr.x3d
By removing or restricting access to the 3difr.x3d file, Adobe
Reader and Acrobat will fail to render U3D content, which helps to
mitigate this vulnerability. PDF documents that use the PRC format
for 3D content will continue to function on Windows and Linux
platforms.
To disable U3D support in Adobe Reader 9 on Microsoft Windows,
delete or rename this file:
"%ProgramFiles%\Adobe\Reader 9.0\Reader\plug_ins3d\3difr.x3d"
For Apple Mac OS X, delete or rename this directory:
"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework"
For GNU/Linux, delete or rename this file (locations may vary among
distributions):
"/opt/Adobe/Reader9/Reader/intellinux/plug_ins3d/3difr.x3d"
File locations may be different for Adobe Acrobat or other Adobe
products or versions.
Do not access PDF files from untrusted sources
Do not open unfamiliar or unexpected PDF files, particularly those
hosted on websites or delivered as email attachments. Please see
Cyber Security Tip ST04-010.
IV. References
* Security update available for Adobe Reader and Acrobat -
<https://www.adobe.com/support/security/bulletins/apsb11-30.html>
* Adobe Reader and Acrobat JavaScript Blacklist Framework -
<http://kb2.adobe.com/cps/504/cpsid_50431.html>
* Adobe Acrobat and Reader U3D memory corruption vulnerability -
<http://www.kb.cert.org/vuls/id/759307>
* Security Advisory for Adobe Reader and Acrobat -
<https://www.adobe.com/support/security/advisories/apsa11-04.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA11-350A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA11-350A Feedback VU#759307" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
December 16, 2011: Initial release
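As an added example (not part of the US-CERT alert and not Adobe tooling), here is a small Python audit script that checks an installed Reader/Acrobat version against the alert's affected ranges and reports which of the alert's file and registry workarounds are not in place. The file paths, the AcroExch.Document.7 key and the version ranges are taken from the alert above; the version-comparison logic, the winreg/os.path inspection and the script name are this example's own assumptions.

```python
"""Audit helper for the TA11-350A workarounds (added example; not US-CERT or Adobe code).

Given a Reader/Acrobat version, the platform, the mitigation files that still
exist, and (on Windows) the EditFlags value under AcroExch.Document.7, report
which of the alert's mitigations are missing. Host inspection is kept apart
from evaluation so the evaluation logic can be exercised on any platform.
"""
import os
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# "Systems Affected": 9.x up to and including 9.4.6, 10.x up to and including
# 10.1.1. Branches the alert does not mention are not classified (not affected).
AFFECTED_CEILINGS: Dict[int, Tuple[int, ...]] = {9: (9, 4, 6), 10: (10, 1, 1)}

# Files the alert says to delete, rename or restrict access to, per platform.
# Flash: authplay; 3D & Multimedia: rt3d; U3D: 3difr.x3d. On OS X the
# Adobe3D.framework directory covers both the 3D and the U3D workaround.
MITIGATION_FILES: Dict[str, List[str]] = {
    "windows": [
        r"%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll",
        r"%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll",
        r"%ProgramFiles%\Adobe\Reader 9.0\Reader\plug_ins3d\3difr.x3d",
    ],
    "darwin": [
        "/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle",
        "/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework",
    ],
    "linux": [
        "/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so",
        "/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so",
        "/opt/Adobe/Reader9/Reader/intellinux/plug_ins3d/3difr.x3d",
    ],
}

# Key from the alert's .REG snippet; an all-zero EditFlags value makes
# Internet Explorer prompt instead of opening PDFs automatically.
IE_PDF_CLASS_KEY = r"AcroExch.Document.7"


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.1.1' -> (10, 1, 1); trailing text such as '9.4.6 (Windows)' is ignored."""
    head = text.strip().split()[0] if text.strip() else ""
    parts = tuple(int(p) for p in head.split(".") if p.isdigit())
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return parts


def is_affected(version: str) -> bool:
    """True when the version falls inside a range the alert lists as affected."""
    v = parse_version(version)
    ceiling = AFFECTED_CEILINGS.get(v[0])
    # Tuple comparison: (9, 4) <= (9, 4, 6) is True, (9, 4, 7) <= (9, 4, 6) is False.
    return ceiling is not None and v <= ceiling


def evaluate(version: str, platform_key: str, present: Iterable[str],
             ie_editflags: Optional[int]) -> List[str]:
    """Return findings; an empty list means patched and every workaround applied.

    `present` holds the mitigation paths that still exist on the host;
    `ie_editflags` is the EditFlags value, or None when not on Windows/absent.
    """
    findings: List[str] = []
    if is_affected(version):
        findings.append(f"Reader/Acrobat {version} is in an affected range; apply APSB11-30")
    still_present = set(present)
    for path in MITIGATION_FILES[platform_key]:
        if path in still_present:
            findings.append(f"mitigation not applied: {path} still present")
    if platform_key == "windows" and ie_editflags not in (None, 0):
        findings.append(f"IE auto-opens PDFs: {IE_PDF_CLASS_KEY} EditFlags={ie_editflags:#x}, expected 0")
    return findings


def collect_local() -> Tuple[str, List[str], Optional[int]]:
    """Inspect this host; the registry is read with winreg on Windows only."""
    key = {"win32": "windows", "darwin": "darwin"}.get(sys.platform, "linux")
    present = [p for p in MITIGATION_FILES[key] if os.path.exists(os.path.expandvars(p))]
    flags: Optional[int] = None
    if key == "windows":
        import winreg  # standard library, Windows only
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, IE_PDF_CLASS_KEY) as k:
                raw, _ = winreg.QueryValueEx(k, "EditFlags")
                # The .REG writes REG_BINARY (hex:00,00,00,00); a DWORD is also accepted.
                flags = int.from_bytes(raw, "little") if isinstance(raw, bytes) else int(raw)
        except OSError:
            flags = None  # key or value absent: nothing to report
    return key, present, flags


if __name__ == "__main__":
    # Usage: python ta11_350a_audit.py <installed Reader/Acrobat version>
    ver = sys.argv[1] if len(sys.argv) > 1 else "9.4.6"
    for line in evaluate(ver, *collect_local()) or ["no findings"]:
        print(line)
```

The installed version is passed on the command line because the alert gives no platform-neutral way to read it; everything else is inspected directly.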
Microsoft has released Volume 11 of their “Microsoft Security Intelligence Report” or SIRv11, which provides “An in-depth perspective on software vulnerabilities and exploits, malicious code threats, and potentially unwanted software in the first half of 2011”.
One tidbit of interesting information contained in the report is that in the first half of 2011, less than one percent of exploits were against zero-day vulnerabilities and 99 percent of all attacks during the same period distributed malware through familiar techniques like social engineering and unpatched vulnerabilities.
I encourage you to read it in its electronic format as it is 168 pages of eye-glazing information, and we wouldn’t want to kill a tree for it.
You can find the full report and further information at: http://www.microsoft.com/sir
I came across a very handy document from www.securingthehuman.org that explains which security standards and awareness compliance requirements might apply to your organization.
It is by no means a complete listing, but gives the one minute run-down of the majority of the biggies….
—
Last Updated: 19 July, 2011
1. Executive Summary
The purpose of this document is to identify different standards and legislations that require organizations to have security awareness programs. This information can then be used to help justify your security awareness program. Any questions or suggestions for this document should be sent to info@securingthehuman.org.
2. ISO/IEC 27001 & 27002
§ISO 27002 8.2.2 – All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. Learn more at: http://en.wikipedia.org/wiki/ISO_27001
3. PCI DSS
§12.6 – Make all employees aware of the importance of cardholder information security.
• Educate employees (for example, through posters, letters, memos, meetings and promotions).
• Require employees to acknowledge in writing that they have read and understood the company’s security policy and procedures.
Download the standard at:
https://www.pcisecuritystandards.org/security_standards/documents.php
4. Sarbanes-Oxley (SOX)
§404(a).(a).(1) – The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C 78m or 78o(d)) to contain an internal control report which shall – state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting;
Learn more at: http://en.wikipedia.org/wiki/Sarbanes-Oxley
5. Gramm-Leach Bliley Act
§6801.(b).(1)-(3) – In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical and physical safeguards –
• To insure the security and confidentiality of customer records and information;
• To protect against any anticipated threats or hazards to the security or integrity of such records;
• To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
Learn more at: http://en.wikipedia.org/wiki/Gramm-Leach-Bliley_Act
6. CobiT
§PO7.4 Personnel Training – Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls and security awareness at the level required to achieve organizational goals.
§DS7 – Management of the process of Educate and train users that satisfies the business requirement for IT of effectively and efficiently using applications and technology solutions and ensuring user compliance with policies and procedures is: […] 3 Defined when A training and education program is instituted and communicated, and employees and managers identify and document training needs. Training and education processes are standardized and documented. Budgets, resources, facilities and trainers are being established to support the training and education program. Formal classes are given to employees on ethical conduct and system security awareness and practices. Most training and education processes are monitored, but not all deviations are likely to be detected by management. Analysis of training and education problems is only occasionally applied.
Learn more at: http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
7. Federal Information Security Management Act (FISMA)
§3544.(b).(4).(A),(B) – Securing awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks.
Learn more at: http://en.wikipedia.org/wiki/FISMA
8. Health Insurance Portability & Accountability Act (HIPAA)
§164.308.(a).(5).(i) – Implement a security awareness and training program for all members of its workforce (including management).
Learn more at: http://en.wikipedia.org/wiki/Hipaa
9. NERC CIP
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Standard.
§CIP-004-3(B)(R1) – The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as:
• Direct communications (e.g., emails, memos, computer based training, etc.);
• Indirect communications (e.g., posters, intranet, brochures, etc.);
• Management support and reinforcement (e.g., presentations, meetings, etc.).
Download the standard at: http://www.NERC.com/files/CIP-004-3.pdf
10. US State Privacy Laws
Many states in the United States have their own individual privacy laws. You can find a listing of most of those state privacy laws at the Morrison & Foerster’s Privacy Library. Many of these privacy laws require some type of awareness training, or at a minimum that the privacy requirements are communicated to employees in that state.
Learn more at: http://www.mofo.com/privacy–data-security-services/
11. EU Data Protection Directive
The European Union has directed all European member countries to develop and define laws regarding the protecting of personal privacy of the citizens of their respective country. While each country’s implementation of this directive is different and unique, many of them require security awareness training to educate people on how to protect individual privacy.
Learn more at: http://en.wikipedia.org/wiki/Data_Protection_Directive
12. Australian Government InfoSec Manual
§0252 – Information security awareness and training: Revision: 2; Updated: Nov-10;
Applicability: U, IC, R/P, C, S/HP, TS; Compliance: must
Agencies must provide ongoing information security awareness and training for personnel on information security policies including topics such as responsibilities, consequences of non-compliance, and potential security risks and counter-measures.
Download the manual at:
http://www.dsd.gov.au/publications/Information_Security_Manual_2010.pdf
You can find the original latest version of this document here.
—
Should you need assistance with security and compliance at your Upstate or Greenville SC area business, Homeland Secure IT can assist. Call us at 864.990.4748 or email info@homelandsecureit.com for more information!

IronKey D200 32GB USB secure device
I’m often asked which is the best USB flash drive you can buy. My answer varies with the requirements of the individual or business that will utilize the device.
The average person requires a fast and reliable storage device to shuttle files to/from work or school, and does not require security features at all, but for those who do require encryption, there are a number of options available.
One manufacturer stands out from the crowd and that is IronKey and their line of flash drives from “Basic” to “Enterprise”, touted as “The world’s most secure flash drive”.
IronKey has recently released the D200 32GB “Personal” flash drive which you can read more about on their website.
This is an excerpt: Your identity and personal data are too valuable to risk. IronKey Personal keeps you protected with military-grade encryption and easy-to-use identity management. The result of extensive R&D and the collaboration of some of the world’s leading experts in cryptography and the Internet, IronKey is the world’s most secure flash drive. IronKey Personal comes loaded with a secure private browser that lets you surf anonymously and protects your passwords whenever you go online. IronKey Personal simplifies your digital lifestyle while giving you added peace of mind.
IronKey secure 32GB USB devices provide higher speeds, managed and auditable encryption required to prevent data breaches with always-on encryption and achieve a safe harbor for compliance.
Who needs 32GB devices?
Uses for higher capacity drives include…
- Government: Military personnel needing to transport sensitive documentation.
- IT Department: Transporting patches, operating systems, applications and large files.
- Executives: Carrying company sensitive data including M&A, financials, strategy, and organizational data.
- Entertainment Industry: Digital Rights Management – studios can control the number of times trailers are viewed.
- Other Examples: High volume sensitive information that requires encryption outside a network include CAD files, Medical Imaging files, Financial, Legal and Mortgage Documents.
The other day I posted about the BEAST that can circumvent SSL encryption used with websites and how a proof of concept would be demonstrated soon and actual exploits in the wild even sooner.
No sooner had I posted about that than Google’s Chrome development team had posted that they have an update already prepared for the Chrome browser that in theory should protect from the man-in-the-middle BEAST attack.
More information can be found over on The Register …
When the update comes…. Install it =)
This may come as no surprise to those who have been around computer security for a while, but the BIOS viruses are making a comeback!
One of the first made its debut back in 1999 and was known as “CIH”. But Symantec is reporting a new killer on the block called “Trojan.Mebromi” that affects the Award BIOS and seizes control of a system even before you get to the MBR (Master Boot Record).
Expect this trend to continue….
Read more about it here:
http://www.symantec.com/connect/blogs/bios-threat-showing-again
As always, please ensure your systems are using the latest anti-virus (we suggest and sell Trend Micro products such as the amazing Trend Micro Worry Free Business Security), that all updates are applied to your Microsoft Windows operating systems, and that all applications and support programs, from Microsoft Office to Adobe Reader, Flash and JAVA, are at the latest patch levels. Obtain a quality firewall, and use common sense! And don’t forget to BACKUP!
If you suspect your system may be infected, or want to know how to better protect your computer or an entire business full of computers and servers, please call us at 864.990.4748 or email info@homelandsecureit.com. We offer virus removal and cleanup in the Greenville / Upstate, SC area.
We provide sales, licensing, installation and support for Trend Micro and Symantec products. We can sell you one seat, or protect your business with 1000 users!

Trend Micro Titanium 2012
Trend Micro has unveiled their Titanium update for 2012!
Keep your identity, data and social network protected from a new generation of threats. Staying safe online these days is about more than just avoiding malware. You have to protect your device, your privacy, your personal data, your social network, and your family against an army of new threats. Given that abandoning the Internet completely isn’t really an option, how do you accomplish all these goals at once? The new Trend Micro Titanium 2012 is packed with powerful new and enhanced features to help you protect the many aspects of your digital life, and can do it in a way that’s fast, simple, and easy to manage.
Nobody wants security software that hogs disk space, presents constant pop-ups and alerts, or that’s complicated to install—so Titanium 2012 provides automated security with a small footprint that anyone can use. Titanium 2012 offers the strong, fast security that gave Titanium its name—but this new version includes powerful features and enhancements to keep you protected from the next generation of threats:
• New social networking protection
• New easy to customize console
• New fake AV cleaner
• New proactive botnet protection
• New proactive PE virus protection
• New method to detect packer-encrypted malware
• Enhanced virus and spyware detection and cleaning
• Enhanced behavioral monitoring
• Enhanced rootkit detection and removal
The new Titanium 2012 is still powered by the Trend Micro™ Smart Protection Network™ infrastructure, our cloud security infrastructure that stops threats in cyberspace or “the cloud.” Smart Protection Network monitors the Internet 24/7, worldwide. It gathers and analyzes threat data, blocking viruses and other malware before they can reach your PC. And because processing is done in the cloud, Titanium 2012 uses less of your PC’s memory and disk space.
If you would like more information about Trend Micro’s Titanium 2012 Maximum Security product or any of the other Trend Micro products, from endpoint to server, from home to enterprise, please call us at 864.990.4748 or email info@homelandsecureit.com.
We specialize in providing Trend Micro licensing, sales, consultation, installation and support to Greenville / Upstate SC small, medium and enterprise business clients. We offer and recommend Trend Micro Worry-Free Business Security as the primary line of defense for small/medium businesses! From one computer to 1000!
One thing I am asked weekly is, “I just received an email alert telling me my mailbox exceeded the storage limit, why is that?”.
Wellllllll, first of all, these messages, though they come in email and look all official, signed by “System Administrator” or something similar, are likely phishing attempts.
If you hover over the URL listed to “re-validate” your mailbox, or to “increase your storage limit”, you will see that the link has nothing to do with your email host.
People who fall for this and follow the link through are presented with a form which asks for personal information to authenticate your account. That information is destined for parts unknown and could be used for anything from creating new accounts for you, to obtaining personal information about your finances, medical records, or who knows what. In most circumstances, it is going to be for monetary gain.
One I checked out for a client a few minutes ago prompted me to write this blog post… It was a very authentic looking email that appeared to come from Google’s GMail service. Even the link looked right upon first glance even to me, and understandably to the person who received it. The web interface was in the style of Google’s and other than the VERY in-depth questions, would have passed for a Google page. It was the supposed “Personal Profile Page”.
We’re talking about asking a person to input their first, last and middle name, street address, phone number, cell phone number, age, sex, birthdate, email address, which is fairly normal, but upon entering bogus information, it took me to a second page. That one was for “Personal Identity Verification” purposes, “for your safety”. Heh…. It asked you to input security questions for help in identifying you in the future. Mother’s maiden name, street you grew up on, enter a pin number, old Google password and a new one to change to for security purposes and something you should never be asked for, Drivers License number and expiration, SOCIAL SECURITY NUMBER and a CREDIT CARD number with expiration date “For account verification purposes only, no charge will appear”.
They had gone to the trouble of putting up a FAQ that was functional, and even a “Contact Us” link that gave you a webform to fill out with your information.
Bottom line here is – don’t believe everything you read, and certainly, don’t just enter your private information into sites just because they LOOK official…
If you have done this recently, you should contact your financial institutions immediately. Watch those credit card bills closely!
An article in The Register states, “Beware of Macs in enterprise” due to the findings by iSec Partners who claim large numbers of Macs are “in many ways more vulnerable than recent versions of Windows.”
The vulnerability they specifically mention is the DHX authentication scheme which is easy to compromise and apparently “trivial to force OS X server to resort back to” from the more secure Kerberos.
A proof-of-concept has been demonstrated by the group that works as follows: A test Mac connected to a LAN waits to be contacted by a machine running OS X server, and then it quickly copies all its authentication credentials. It then contacts other Macs on the network and pretends to be the administrator machine, and when they respond it is able to access and download data from them.
More information can be found in the article above, but a rep from iSec sums it up by saying, “If we go into an enterprise with a Mac and run this tool we will have dozens or hundreds of passwords in minutes” and also that “Macs are fine as long as you run them as little islands, but once you hook them up to each other, they become much less secure.”
While we have not seen the tool used to demonstrate the threat, the theory is sound.
Apple has done little to protect their owners in regard to this, and all it would take is exploits such as this to be released into the wild and then one careless individual to cause a total compromise of networks comprised primarily of Macs.
Homeland Secure IT Alert for Wednesday, July 21st, 2011
The United States Computer Emergency Readiness Team has issued their recommendations for protection against network intrusions. I have included the entire document below, but the most current version of the document can be found here. Please keep in mind that these recommendations are not related to any one platform. These are “Best Practices” regardless of whether your business uses Microsoft, Linux or Mac OS X or whether your organization relies upon cloud computing instead of localized servers.
—
National Cyber Alert System
Technical Cyber Security Alert TA11-200A
Security Recommendations to Prevent Cyber Intrusions
Original release date: July 19, 2011
Last revised: –
Source: US-CERT
Overview
US-CERT is providing this Technical Security Alert in response to recent, well-publicized intrusions into several government and private sector computer networks. Network administrators and technical managers should not only follow the recommended security controls for information systems outlined in NIST 800-53 but also consider the following measures. These measures include both tactical and strategic mitigations and are intended to enhance existing security programs.
Recommendations
- Deploy a Host Intrusion Detection System (HIDS) to help block and identify common attacks.
- Use an application proxy in front of web servers to filter out malicious requests.
- Ensure that “allow_url_fopen” is disabled on the web server to help limit PHP vulnerabilities from remote file inclusion attacks.
- Limit the use of dynamic SQL code by using prepared statements, queries with parameters, or stored procedures whenever possible. Information on SQL injections is available at http://www.us-cert.gov/reading_room/sql200901.pdf.
- Follow the best practices for secure coding and input validation; use the secure coding guidelines available at: https://www.owasp.org/index.php/Top_10_2010 and https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/coding/305-BSI.html.
- Review US-CERT documentation regarding distributed denial-of-service attacks: http://www.us-cert.gov/cas/tips/ST04-015.html and http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf.
- Disable active scripting support in email attachments unless required to perform daily duties.
- Consider adding the following measures to your password and account protection plan:
  - Use a two factor authentication method for accessing privileged root level accounts.
  - Use minimum password length of 15 characters for administrator accounts.
  - Require the use of alphanumeric passwords and symbols.
  - Enable password history limits to prevent the reuse of previous passwords.
  - Prevent the use of personal information as password such as phone numbers and dates of birth.
  - Require recurring password changes every 60-90 days.
  - Deploy NTLMv2 as the minimum authentication method and disable the use of LAN Manager passwords.
  - Use minimum password length of 8 characters for standard users.
  - Disable local machine credential caching if not required through the use of Group Policy Object (GPO). For more information on this topic see Microsoft Support articles 306992 and 555631.
  - Deploy a secure password storage policy that provides password encryption.
- If an administrator account is compromised, change the password immediately to prevent continued exploitation. Changes to administrator account passwords should only be made from systems that are verified to be clean and free from malware.
- Implement guidance and policy to restrict the use of personal equipment for processing or accessing official data or systems (e.g., working from home or using a personal device while at the office).
- Develop policies to carefully limit the use of all removable media devices, except where there is a documented valid business case for their use. These business cases should be approved by the organization with guidelines for their use.
- Implement guidance and policies to limit the use of social networking services at work, such as personal email, instant messaging, Facebook, Twitter, etc., except where there is a valid approved business case for its use.
- Adhere to network security best practices. See http://www.cert.org/governance/ for more information.
- Implement recurrent training to educate users about the dangers involved in opening unsolicited emails and clicking on links or attachments from unknown sources. Refer to NIST SP 800-50 for additional guidance.
- Require users to complete the agency’s “acceptable use policy” training course (to include social engineering sites and non-work related uses) on a recurring basis.
- Ensure that all systems have up-to-date patches from reliable sources. Remember to scan or hash validate for viruses or modifications as part of the update process.
Feedback can be directed to US-CERT.
Produced 2011 by US-CERT, a government organization. Terms of use
Last updated July 20, 2011
—
Should your Greenville or Upstate SC based business or organization require assistance with this, please contact us at 864.990.4748 or email info@homelandsecureit.com. We offer firewalls and security appliances from our partners such as Cisco, WatchGuard, SonicWALL, and more!