Hello and welcome to the CERTStation Podcast for the 26th week of 2010. I am Jay Johnson and these are the headlines:

Adobe Reader and Acrobat updates close 17 critical holes (pause)
OpenDNS launches family protection while
Google can kill or install apps on citizen Androids (pause)
Developers plug critical PNG graphic bug, and finally
Password protect your wireless, or face a fine

And now for this week's newswire details.
Adobe has released updates 9.3.3 and 8.2.3 for its Reader and Acrobat products to close 17 holes. The vendor says that all of the holes can be exploited to inject and execute code. Simply visiting a specially crafted web page with a vulnerable Reader plug-in is enough for an attack to succeed. Among the holes is the flaw in the authplay.dll library used for playing embedded Flash content. After almost three months, Adobe has also finally decided to make it harder for attackers to exploit the launch function to execute code. The function is part of the PDF specification and can be used for executing embedded scripts and EXE files. Although Adobe Reader asks users to agree to the execution of the file, this dialogue can be designed in such a way that users have no idea they may be allowing an infection onto their systems. The vendor previously maintained that the feature is essentially useful and only becomes a problem when misused. Adobe also announced that, from mid-July, only fully patched versions will be offered at the vendor's download centre. The download centre has previously offered only major releases such as version 9.3, which then retrieved further patches upon installation, for instance to update to 9.3.3. Adobe said it was also pleased with the effects of the automatic update feature, which was introduced with Reader and Acrobat 9.3.2. Adobe says it is seeing users install updates three times faster than before. By default, the updater downloads an update and requests user confirmation before installing it, but Reader can be configured to silently download and install available updates without asking the user.

(pause)
Internet domain name resolution company OpenDNS is looking to make Internet home protection easier. The company has launched Family Shield, a free service aimed at protecting children from inappropriate material. The system, which requires no new software to be installed, has been preconfigured to block pornographic sites. It works by pointing the home Internet connection at a special OpenDNS IP address. The service will be automatically updated every 24 hours to ensure that families have maximum protection, OpenDNS claimed. Because the product has been aimed at home users, it also looks to protect gaming consoles as well as PCs, said OpenDNS. The company said that it would also block fraud and malware sites. Allison Rhodes, OpenDNS's director of marketing, said: "We've had demand for a pre-configured version of OpenDNS for years, and we're now delivering it."

(pause)
Google has the power not only to remove applications from users' Android phones, but to remotely install them as well. Last week, Google told the world it had exercised its Android Remote Application Removal Feature, reaching out over the airwaves and lifting two applications from citizen handsets. And, as pointed out by the man who built this pair of vanished applications, security researcher Jon Oberheide, the company can use the same persistent handset connection to install applications as well. When Google announced that it had actually used its kill switch to remove Oberheide's applications, it didn't mention Oberheide or his applications by name. It merely said that it had removed two free applications built by a security researcher for research purposes, and that these applications intentionally misrepresented their purpose in order to encourage user downloads, but were not designed to be used maliciously and did not have permission to access private data or system resources beyond what they had been granted. Oberheide wrote in his blog that an attacker could use such an approach to gain a large install base for a seemingly innocent application, and then push down a local privilege escalation exploit as soon as a new vulnerability is discovered in the Linux kernel and root the device.

(pause)
Developers have plugged a critical hole in a PNG reference library used by many browsers to render graphics files. The 1.2.44 and 1.4.3 updates to the libpng open source reference library address a bug that, left unfixed, gave attackers a mechanism to inject code onto vulnerable systems. Older versions of the Portable Network Graphics (PNG) format library contained a buffer overflow style flaw. The bug was discovered by developers at Mozilla. It's unclear which browsers shipped the vulnerable library files. Previous problems involving the rendering of PNG files have spawned drive-by download attacks, so the resolution of the latest problem at an early stage is to be welcomed. In related news, developers also fixed a similar flaw in the libtiff library. Version 3.9.4 of the libtiff library plugs a buffer overflow bug that could be triggered by specially crafted SubjectDistance tags.

(pause)
Internet users in Germany whose wireless networks are left without password protection can be fined up to 100 Euros, according to a recent ruling by Germany's top criminal court. The ruling is in response to a musician's lawsuit against a user whose unprotected wireless network was used for downloading and sharing music over P2P. The ruling not only fails to emphasise the importance of strong passwords, it also doesn't expect users to keep the security of their wireless networks up to date. Moreover, it does nothing to build awareness of how the choice of encryption protocol, combined with a strong password, can greatly slow down a potential attacker. With GPU-accelerated WiFi password recovery speeds likely to increase over time, and do-it-yourself cracking kits increasingly available, emphasising strong passwords together with the right encryption protocol, alongside basic MAC address filtering, is the right approach to building security awareness.

If you enjoyed this podcast, why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime, this is your host Jay Johnson wishing you a safe and secure week.