"...alleged security flaws in Adobe software..."
What's "alleged" about security flaws in Adobe software?
Security watchers have uncovered a new highly targeted email-borne attack that uses a supposed conference invitation as a lure - and disguises extracted data as Microsoft Update traffic. The spearphishing attempts, which have been levied against several government-related organisations worldwide, try to use alleged unfixed …
The claim is that unknown, unpatched faults have been used in this hack. (One of them is enough.)
However, it only requires that the victim hasn't installed the latest patches for the Reader.
(Since usually this obliges them to reboot the PC, they may hesitate.)
I've seen office computers still using Adobe Reader 8. That's pretty dumb. It isn't even supported any more. The latest bugs will -never- be fixed on version 8.
How does a document viewer contain security flaws?
"Industry-leading security Take advantage of the security of Protected Mode in Reader, which helps safeguard your computer software and data from malicious code".
Why do you need to put 'security' in the Document Viewer?
http://www.adobe.com/products/reader.html
>Get me those files!
You do not have permission.
>sudo Get me those files!
You are not in sudoers. This incident has been reported.
>ln -s /usr/bin/sudo ./%s
>./%s -D9
>Get me those files!
Why certainly, all my base are belong to you.
See how much more secure than Windows that was?
More info here.
And your alleged exploit will not work for even the version 1.8 of sudo.
And GNU/Linux or *BSD are much more secure than Windows in view of the incident commented on here:
1) no one would need a p. of crap like Adobe Reader; people use evince, kpdf, xpdf or gv
2) file extensions do not determine file permissions, contrary to Windows.
3) security updates arrive much quicker than for MS, where sometimes they might fail to reach the users; yum/aptitude/dpkg or the like are non-existent on MS Windows.
> And your alleged exploit will not work for even the version 1.8 of sudo.
Errr - yes, it will. There are a number of versions where this exploit is real.
There shouldn't be any still in the wild, though. Many distros aren't using a 1.8 version at all, and those that are should have patched it by now (Fedora certainly has; I haven't checked the rest because I'm not that interested).
Vic.
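The joke transcript above (a program name of `%s` reaching a debug path) and Vic's reply both turn on one bug class: a string the caller controls, such as argv[0], being used as a printf-family format. The block below is an added, constructed illustration, not sudo's code and not the real sudo issue; the logging wrapper, the function names and the `%%` input are assumptions chosen so the demo is deterministic and safe to run, while the comments explain what a real `%s` or `%n` would do.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not sudo's code. It models the class of bug the
 * joke transcript above relies on: a program name taken from argv[0]
 * (which the caller controls, e.g. via "ln -s /usr/bin/sudo ./%s")
 * reaches a printf-style logger as the FORMAT argument. */

/* A typical in-house logging wrapper. It has no format attribute, so
 * -Wformat-security cannot warn about callers that pass tainted data
 * as fmt. */
static int log_msg(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

static char scratch[128];

/* Vulnerable: progname itself becomes the format string. A name of
 * "%s" dereferences whatever sits in the next argument slot, "%x"
 * leaks stack/register contents, and "%n" turns a read into a write.
 * The test only feeds it "%%", which collapses to a literal "%". */
const char *render_debug_vulnerable(const char *progname)
{
    log_msg(scratch, sizeof scratch, progname);   /* BUG: tainted fmt */
    return scratch;
}

/* Fixed: the format is a literal and progname is ordinary data. */
const char *render_debug_fixed(const char *progname)
{
    log_msg(scratch, sizeof scratch, "%s", progname);
    return scratch;
}

/* Audit helper: count the conversion specifiers an attacker-supplied
 * string would introduce if it were ever used as a format. "%%" is a
 * literal percent sign and is not counted. Any nonzero result for a
 * string that originated in argv[0] is a red flag. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: "%%" */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    const char *name = "%%";   /* constructed stand-in for argv[0] */
    printf("vulnerable: [%s]\n", render_debug_vulnerable(name)); /* [%]  */
    printf("fixed:      [%s]\n", render_debug_fixed(name));      /* [%%] */
    printf("directives in \"./%%s -D9\": %d\n",
           count_format_directives("./%s -D9"));                /* 1 */
    return 0;
}
```

The design point is the wrapper: once a project routes all logging through its own variadic function, the compiler's format checking is lost unless that wrapper is annotated, which is why the fixed variant pins the format to a literal rather than relying on warnings to catch the tainted call.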
Windows update uses cheapo servers to pull the updates from. Just perform an update and then repeatedly do
netstat -a
in a cmd.exe window.
You will see that the update servers' names typically do NOT end in microsoft.com. Instead (I assume) they use a cheap content distribution service, so that the actual name is something like
msft08712.cheaperhosting.com.
Of course, they change these servers every month, so have big fun maintaining a proper firewall whitelist or even automatically checking for malicious traffic. As always, MS cares about $$ revenue, and gives the middle finger when it comes to security. Even humans will be challenged to identify the windows update content distribution server names as being legitimate.
Big-fat MS security FAIL, I would say.
"[msft08712.cheaperhosting.com] Of course, they change these servers every month, so have big fun to maintain a proper firewall whitelist or to even automatically check for malicious traffic."
They use Akamai, but that's beside the point. The domain is the same (windowsupdate.microsoft.com) even if this is an alias that points to a distribution network. Or they'd have a hard time updating PCs with updated Windows Update software to point it to new servers.
"OH NO IT USES ADOBE EXPLOITS AND DISGUISES ITSELF AS WINDOWS UPDATE IT HAS TO BE MICROSOFT'S FAULT!!!!!111!!1ONEONE"
If the IP of the content distribution server does not reverse-resolve to XXXX.microsoft.com, firewall administrators will have a hard time discriminating the traffic of a virus infection from that of windows update.
If Microsoft were serious about security, they would not use a plain Akamai (or any other content distribution service), but use a service which would reverse-resolve to a proper microsoft domain. Maybe that would imply that MS itself would do the content distribution, but that is the price of proper security...
As a security-conscious firewall admin, I always must assume anyone with a valid credit card number can buy webspace with Akamai or similar companies.
At least, Microsoft could use the same set of Akamai addresses for all of their update traffic, but apparently it changes all the time. So I stand by my characterization of a big MS FAIL here.
"At least, Microsoft could use the same set of Akamai addresses for all of their update traffic, but apparently it changes all the time. So I stand by my characterization of a big MS FAIL here."
Or maybe you, the supposedly security-conscious admin, could restrict WU traffic to a single WSUS server and use that to deploy updates, then block the domain from other clients at your proxy level or whatever device you have for managing web traffic. WSUS is free with Windows Server.
Take some ownership already. Or are you going to blame MS for not teaching you how to use your non-MS firewall or web filter or whatever?
But no matter, you and the rest of the crowd here will find some way to pin this on them no matter what rational solutions I could possibly come up with.
If I set up WSUS to point to a single (currently valid) microsoft update server, and they change it, what are the chances they'll send me a note before they do this? zero, absolutely zero.
Regarding your MS firewall, what DNS does it rely on to ensure that your connection to windowsupdate.microsoft.com ACTUALLY goes to a microsoft server and not any other server?
So far, you haven't come up with any rational solutions, and it's not you, I don't think there are any rational solutions.
"If i set up WSUS to point to a single (currently valid) microsoft update server, and they change it, what are the chances they'll send me a note before they do this? zero, absolutely zero."
I don't seem to have such issues. I do run WSUS on a 200+ client multi-site network. Don't dare tell me I've never been an admin.
"Regarding your MS firewall, what DNS does it rely on to ensure that your connection to windowsupdate.microsoft.com ACTUALLY goes to a microsoft server and not any other server?"
WSUS packages are digitally signed.
I only have the DNS root servers to rely on, along with the stability of DNS itself, just like you. DNS is soooooo flawed and subject to hacking, etc etc yet we keep using it. It's certainly not a MS product. Then again, digital signatures are also soooooo flawed and easily forged. We're doomed, I tell you, doomed!!!!!11!one
"So far, you haven't come up with any rational solutions, and its not you, I don't think there are any rational solutions."
You saying LA-LA-LA-LA-I-CAN'T-HEAR-YOU doesn't mean the solution doesn't work. Or is the inline web proxy that does filtering by category, by application, by name, and so on not good enough, working in concert with a firewall router blocking un-proxied HTTP? Not mentioning brands but it's non-MS.
If there are no rational solutions then we're all doomed, pack it in, disconnect from the internet, dismantle the internet as an abject failure. And it's all Microsoft's fault that all of these non-MS services, systems, and so on are a failure.
Take. Some. Ownership. Blaming the biggest target is a coward's way out and doesn't solve the real problem. The internet itself is the real problem.
http://vmyths.com/column/1/2001/4/4/
But that's digressing. Take some ownership.
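The argument running from the netstat post through this reply comes down to what an admin can actually verify: CDN hostnames and reverse DNS are weak anchors, while a WSUS pin plus the Authenticode signature on the package do not depend on DNS at all. The following is an added example written for this thread, not code from any commenter or from Microsoft; the package path is a hypothetical placeholder, the registry keys are the standard Windows Update policy keys, and the DNS probe is only there to show how little a PTR lookup proves.

```powershell
# Added example (not from the thread). Three checks, in decreasing order
# of usefulness, for deciding whether update traffic is trustworthy.
# The package path below is a hypothetical placeholder.

# 1. Are clients pinned to an internal WSUS server by policy?
#    (Standard policy keys; WUServer/UseWUServer are set by the
#    "Specify intranet Microsoft update service location" GPO.)
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = Join-Path $policy 'AU'

$wuServer    = (Get-ItemProperty -Path $policy -Name WUServer    -ErrorAction SilentlyContinue).WUServer
$useWUServer = (Get-ItemProperty -Path $au     -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

if ($useWUServer -eq 1 -and $wuServer) {
    Write-Host "Clients are pinned to WSUS at $wuServer; only that host needs a firewall rule."
} else {
    Write-Warning 'No WSUS pin in policy: clients fetch straight from Microsoft/CDN hosts.'
}

# 2. Verify the Authenticode signature on a downloaded package.
#    This is the check that does not care which CDN node served the file.
$pkg = 'C:\Updates\example-update.msu'   # hypothetical path
if (Test-Path $pkg) {
    $sig = Get-AuthenticodeSignature -FilePath $pkg
    if ($sig.Status -ne 'Valid') {
        Write-Error "Signature status for $pkg is $($sig.Status); do not install."
    } else {
        $subject = $sig.SignerCertificate.Subject
        # Chain validity is already established by Status -eq 'Valid';
        # this is an extra sanity check on who signed it.
        if ($subject -notmatch 'O=Microsoft Corporation') {
            Write-Error "Valid chain but unexpected signer: $subject"
        } else {
            Write-Host "Valid Microsoft signature: $subject"
            Write-Host "Thumbprint: $($sig.SignerCertificate.Thumbprint)"
        }
    }
}

# 3. What the netstat argument was looking at: forward-resolve the update
#    host and reverse-resolve the addresses. Expect CDN names that do not
#    end in microsoft.com; a PTR record is set by whoever owns the IP
#    block, so it is evidence of hosting, not of identity.
$fqdn = 'windowsupdate.microsoft.com'
$addrs = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.QueryType -eq 'A' } | Select-Object -ExpandProperty IPAddress
foreach ($ip in $addrs) {
    $ptr = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue).NameHost
    Write-Host ("{0} -> {1} -> PTR {2}" -f $fqdn, $ip, ($ptr -join ','))
}
```

Check 2 is the one to automate: WSUS already refuses unsigned or mis-signed content, but running `Get-AuthenticodeSignature` on anything pulled outside WSUS turns the "how do I know it's really Microsoft" question into a certificate-chain check rather than a hostname guess.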