Bugs and Fixes: Adobe gives Users Privacy Controls; Skype Patches Extremely Dangerous Vulnerability
This month Skype released a long awaited patch for a vulnerability that is extremely dangerous and could allow an attacker to remotely gain control of a system. Adobe released privacy controlls earlier this month, allowing you to control how much privacy you want. Microsoft also released a tiny Patch Tuesday.
Skype Publishes Updates For Skype For Mac Users
Last month Skype and Pure Hacking, a group of hackers in Australia, found a vulnerability in Skype for Mac 5.x which could cause Skype to crash when an attacker would send a specially crafted message. This vulnerability, according to Pure Hacking, can allow an attacker to remotely gain control of a shell, an interface feature for an application.
Pure Hacking says that that "the long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victims Mac. It is extremely wormable and dangerous."
This vulnerability, according to Skype, is not being explotied in the wild, but Skype urges you to update to the latest version of Skype for Mac (fixed in 220.127.116.112 and later) to avoid any possible attacks.
Additionally, on May 9th, Skype released another update for Skype for Mac users but they did not specify the issues addressed in the new update and will not until a significant proportion of their user-base has upgraded--to avoid making them vulnerable before they can update. To read more about these updates--and to download them--visit: Skype Security Blog-May 6, Skype Security Blog May 9, and Pure Hacking's Blog.
Adobe Patches Security Vulnerabilities With User Controlled Privacy
Adobe released four security bulletins and advisories this month affecting Adobe RoboHelp (a software used to create help files), Audition, Flash Media Server, and Flash Player. Fir
The first update fixes a critical vulnerability in RoboHelp 8 and 7, and in RoboHelp Server 8 and 7. If an attacker successfully exploited this vulnerability your security would be compromised. To fix this vulnerability Adobe recommends that you download and apply the update found here.
In Adobe Audition 3.0.1 and earlier versions a critical vulnerability, which could allow an attacker to run malicious code on your system, has been identified. To be affected by this vulnerability the attacker would have to convince you to open a special malicious binary Audition Session (.ses) file (if you don't know what this is it probably does not affact you). Another vulnerability affecting Adobe Flash Media server 4.0.1 and earlier versions causes data and memory corruption. Both of these vulnerabilities could allow arbitrary code execution on your system and as usual you should up date your system as soon as possible.
Multiple vulnerabilities were found in Adobe Flash Player 10.2.159.28 and earlier versions that could cause the application to crash all potentially allow an attacker to take control of your system. Adobe reports that there are malware attempting to exploit one of the vulnerabilities, but also states that they have not received word of a successful attack. To fix this Adobe released Flash Player 10.3 with increased user-control that allows you to set your own privacy settings. The new update allows any browser using Flash to clear local storage including cookies which can be used by an attacker to to a number of things like track you. You should upgrade to the latest version of Flash Player to take advantage of the new privacy settings.
Microsoft Releases Tiny Patch Tuesday
This month Month Microsoft released only two security bulletins (compared to last month's massive release), MS11-035 and MS11-036, which are rated critical and important, respectively. Both vulnerabilities could allow for remote code execution if an attacker successfully exploited the bugs.
Vulnerability MS11-035 affects Windows Internet Name Service (WINS), a name server and service for another system called NetBIOS (if you don't know what either of these are then it probably doesn't affect you). In order for an attacker to use this vulnerability you would have to receive a specially crafted WINS replication packet on an affected system which is running the WINS service. WINS is not pre-installed on any affected operating system and only affects you if you manually installed the component. This vulnerability is rated critical for all servers running all supported editions of Windows Server 2003, Server 2008 (except Itanium), and Server 2008 R2 (except Itanium).
Vulnerability MS11-036 affects Microsoft PowerPoint and could affect you if you opened a specially crafted PowerPoint file. If an attacker successfully exploited these vulnerabilities they could gain the same rights as the logged-on user. MS11-036 affects all supported editions of Microsoft PowerPoint 2002, 2003, 2007, and Microsoft Office 2004 and 2008 for Mac. To prevent this attack you could install and configure Office File Validation (OFV) which scans Office binary file formats before opening them in Office documents.
Another attack called "DLL load hijacking" or "binary planting" is under review by Microsoft but is still not fully patched according to Acros Security, a security research lab. Since applications don't call DLL's (dynamic-link library-Microsoft's library which allows multiple programs to use it at the same time) full path name and only use the filename, attackers can trick your system into loading a malicious file with the same name allowing for remote code execution. According to Acros, the vulnerabilities affect Windows 7, Vista, and XP.
Additionally, you should always keep your system up to date. To learn more about each update--and to download them manually-visit: Microsoft Safety and Security Center, Microsoft Security Advisory (2269637), Across Security, and Computer World's Security Topic Center.