Ward Off an Ongoing PDF Zero-Day Attack

These days, the makers of popular software may as well put big bull's-eyes on their products. When nearly everyone uses a particular program, a security hole in that application instantly creates a huge pool of targets for online crooks.

Here's an example: This month Adobe closed a hole in its Acrobat and Reader programs even as they were already under attack--a true zero-day scenario.

Security researcher Secunia says the attack starts when the victim opens a booby-trapped PDF file. The flaw affects Adobe Reader 8.0 through 8.1.2, and Reader 7.0.9 and earlier. It also impacts Adobe Acrobat Professional, 3D, and Standard 8.0 through 8.1.2, as well as 7.0.9 and earlier. Choose Check for Updates under the program's Help menu for the patch, or find it at Adobe's site.

Meanwhile, Microsoft patched Internet Explorer again, this time to repair two defects in IE's handling of Active Scripting. One bug lets an attacker make a Web page that, when viewed, can steal data from a page opened in a different browser tab--such as an online banking session.

As for the other bug, a successful exploit could completely compromise your PC, and you can be hit simply by visiting a poisoned Web page, or even by using Windows Instant Messenger.

These bugs affect every IE version, from 5.01 on Windows 2000 SP4 all the way up through IE 7 on Vista SP1. You can pull down the patch from Microsoft's site or over Automatic Updates.

IE isn't the only browser requiring some under-the-hood repairs. Apple released Safari 3.1.2 to fix a "carpet bomb" bug, initially thought to be mostly an annoyance until researcher Aviv Raff discovered a way to combine it with a Windows bug to create a serious threat. You can snag the fix through the company's site or via Apple Software Update.

Apple also shipped QuickTime 7.5, which addresses five nasty bugs. Some of the holes affect Windows Vista, some XP Service Pack 2 (SP2), and some OS X. Stumble across a site with a QuickTime file containing rigged PICT images, AAC-encoded audio, or Indeo video, and you'd be hit. Nab the fixes from Apple's site, or from Apple Software Update.

DirectX Fixes

Next up are two flaws in DirectX (versions 7 and 8.1 for Windows 2000, as well as versions 9 and 10 for newer Windows editions), which handles multimedia for Windows. Click a link for a booby-trapped video that targets the first of these vulnerabilities, and you could be left screaming instead of streaming.

The other risk hits the Synchronized Accessible Media Interchange (SAMI), which allows for adding closed captioning to media files. Again, you could be nailed by visiting a poisoned site or opening a tainted e-mail attachment. Both bugs affect all supported versions of Windows, including Windows 2000 SP4, XP SP2 and SP3, and Vista and Vista SP1.

If you don't already have the patch (which corrects both flaws) installed automatically, you can obtain the fix, as well as more info, from Microsoft's site.

Bugged? 

Found a hardware or software bug? Send us an e-mail on it to bugs@pcworld.com.
