Archive for February, 2009

Zero Day in Adobe Acrobat and Reader Part 2

Saturday, February 21st, 2009

Adobe has posted a security advisory for the zero day in Adobe Acrobat and Reader that I blogged about yesterday.

They say they are

“planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow”

Last time, the updates for version 7 followed along about 8-10 months later, if memory serves. That is their little incentive for people to upgrade. I’m surprised they haven’t sunset version 7 already. I’ve looked for software support life-cycle information from Adobe and haven’t found it.

The recommended mitigation for this vulnerability is disabling JavaScript until a patch is available. I’ve never seen anyone mention what effect that might have.

Every article says to disable JavaScript in Adobe through Edit -> Preferences -> JavaScript. In an enterprise you would want to know whether there is a way to disable JavaScript in Adobe programmatically (by pushing a registry entry via a login script, SMS or Group Policy).

Using Process Monitor from Sysinternals, I see that when you disable JavaScript in the GUI it sets HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS to 0. Googling bEnableJS, I found that SANS ISC has an ADM file (a Group Policy administrative template, for the non-Windows admin types) that they posted during the last round of Adobe exploits back in November. It disables JavaScript for versions 6, 7 and 8 of Acrobat and Reader.
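As an added example (not from the original post, Adobe or SANS), here is a PowerShell login script that applies the same registry change the GUI makes and can also just audit the current state. The Reader 8.0 key is the one observed above with Process Monitor; extending the same layout to 7.0 and 9.0, and the "Adobe Acrobat" key for the full product, are assumptions.

```powershell
# Added example: set bEnableJS = 0 (JavaScript off) under HKCU for Adobe Reader/Acrobat,
# mirroring what Edit -> Preferences -> JavaScript writes, as observed with Process Monitor.
# Observed on the page: HKCU\Software\Adobe\Acrobat Reader\8.0\JSPrefs\bEnableJS = 0
# Assumptions: 7.0 and 9.0 use the same layout, and the full Acrobat product lives under
# HKCU\Software\Adobe\Adobe Acrobat\<ver>\JSPrefs (not confirmed by the page).
param(
    [switch]$Audit   # report current values only; change nothing
)

$products = @('Acrobat Reader', 'Adobe Acrobat')   # second entry is an assumption
$versions = @('7.0', '8.0', '9.0')

foreach ($product in $products) {
    foreach ($ver in $versions) {
        $productRoot = "HKCU:\Software\Adobe\$product\$ver"
        $key         = "$productRoot\JSPrefs"

        # Only touch versions this user actually has; creating keys for
        # uninstalled versions would just leave clutter behind.
        if (-not (Test-Path $productRoot)) { continue }

        $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).bEnableJS
        $state = if ($null -eq $current) { 'not set (default: enabled)' }
                 elseif ($current -eq 0) { 'disabled' }
                 else                    { 'enabled' }
        Write-Output "$product $ver : JavaScript $state"

        if ($Audit) { continue }

        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DWORD 0 is the value the GUI writes when JavaScript is unchecked.
        Set-ItemProperty -Path $key -Name 'bEnableJS' -Value 0 -Type DWord
        Write-Output "$product $ver : bEnableJS set to 0"
    }
}
```

Because the setting is per-user (HKCU), run this in the user's context (a logon script), not as a machine startup script; `-Audit` lets you first see which versions each user has and whether JavaScript is already off.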

Zero Day in Adobe Acrobat and Reader

Friday, February 20th, 2009

As linked from SANS ISC, Shadowserver is reporting targeted attacks using a zero-day vulnerability in Adobe Acrobat and Adobe Reader. Versions 8 and 9 are vulnerable.

Disable JavaScript in Acrobat/Reader to avoid the code-execution vulnerability; however, the application will still crash.

Essential Tips to Better Secure Your Email Today…Plus Collaboration and IM Tomorrow

Thursday, February 19th, 2009

Free On-Demand Webinar. Watch this FREE on-demand webinar for tips on email security now, as well as strategies for your new instant messaging and collaboration tools! WATCH NOW! Fill out the easy form …

News: Advisor: U.S. needs policy to defend cyberspace

Thursday, February 19th, 2009

Advisor: U.S. needs policy to defend cyberspace

5 Easy Ways to Get More Value from Your Existing Communications Infrastructure

Tuesday, February 17th, 2009

On-Demand Webinar > Watch it now! SPONSORED BY: Avaya. Learn 5 easy ways to deliver greater value with Unified Communications by leveraging your existing communications infrastructure. Enable your co…

Web 2.0: Security threat to your company?

Tuesday, February 17th, 2009

Web 2.0 tools can boost employee morale and increase productivity, but there’s resistance from top executive suites through middle managers and IT departments.

Obama’s Electronic Health Records initiative could usher in a new wave of ID theft

Monday, February 16th, 2009

With the stimulus bill all but signed it looks like the government will be handing out $19 billion in an effort to digitize America’s health record system. The problem is we have a noble goal but no plan or direction on how it should be accomplished. The stated goal, which has garnered substantial support, is to build a National Electronic Health Records (EHR) system. But the plan or direction on how to get us there is completely missing from the stimulus bill.


CASE STUDY: Stock Yards Bank & Trust

Friday, February 13th, 2009

A biometric solution helps Stock Yards Bank & Trust manage passwords and aids in compliance efforts.

News: Cabal forms to fight Conficker, offers bounty

Friday, February 13th, 2009

Cabal forms to fight Conficker, offers bounty

Minimizing Corporate Network Risk Means Cost Savings

Wednesday, February 11th, 2009

Free On-Demand Webinar. See how more and more IT departments are focused on cost-effective network solutions and upgrades in response to today’s economy. Learn to provide simple, easy-to-use, secu…

Largest Coordinated ATM Rip-off Ever Nets $9+ Million in 30 Minutes

Tuesday, February 10th, 2009

With only 100 compromised ATM cards, thieves were able to grab $9 million from the banking system in a new style of attack. Law enforcement sources told Fox 5 it’s one of the most frightening, well-coordinated heists they’ve ever seen. “We’ve seen similar attempts to defraud a bank through ATM machines but not, not anywhere near the scale we have here,” FBI Agent Ross Rice told Fox 5. “We’ve never seen one this well coordinated,” the FBI said.


Speaking of Security Podcast #138

Tuesday, February 10th, 2009

Click to Download/Listen (8:37)

This week’s Speaking of Security podcast features a discussion with Roland Cloutier, VP and CSO of EMC, on the release of the new Security for Business Innovation Council report examining the information security challenges created by the current economic crisis.

Don’t blame the employees for peeping: Organizations are at fault for poor access governance

Monday, February 9th, 2009

Some employees are taking advantage of access policy gaps without realizing they are breaking privacy laws.

News: Kaspersky exposes sensitive database, says hacker

Monday, February 9th, 2009

Kaspersky exposes sensitive database, says hacker

PCI Compliance: The end game or just a starting point?

Monday, February 9th, 2009

As I am sure many of you have heard, Heartland Payment Systems recently disclosed that it suffered a credit and debit card data breach in 2008. At this point, little is known beyond the announcement that “after being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter…

There’s No Business Like Snow Business

Thursday, February 5th, 2009

For those of you who live in colder climes, you must have had a little chuckle to yourselves watching us over here in the UK trying to deal with a few inches of snow recently! The transport network pretty much ground to a halt; the Federation of Small Businesses estimated that 20% of the UK’s working population, or 6.4 million people, around the country would not make it to work.

News: RFID passports cloned wholesale

Wednesday, February 4th, 2009

RFID passports cloned wholesale

IT Security Ask the Experts: Top Queries, January 2009

Tuesday, February 3rd, 2009

This Web site was created to be a clearing house for technical IT Security queries, and we are still fielding quite a few of those. But we continue to receive a broad variety of fascinating questions …

Speaking of Security Podcast #137

Tuesday, February 3rd, 2009

Click to Download/Listen (8:45)

This week RSA takes a deeper look into the RSA/Microsoft partnership and explores how the value of building security into business applications can create flexible, consistent and adaptable information security for today’s organizations.