Adobe Reader, IE 7 Holes Under Attack

28.03.2009
If you were an Internet crook, the following item would be music to your ears: A zero-day flaw--a security hole with no fix available before attacks could be launched--exists in Adobe Reader and Acrobat, and can be exploited by a poisoned PDF file in an attempt to take over a vulnerable computer.

As Symantec reported in February, crooks have hit the flaw with small-scale attacks that e-mail PDF attachments to specific targets. Adobe says a patch should be ready for version 9 of both programs by the time you read this, with fixes for earlier versions to follow. Read .

Word Docs Target IE 7

Bad guys went after a bug in Internet Explorer 7 a week after Microsoft distributed a fix. Those attacks employed a malicious Word document, but the has warned that crooks could also add hidden code to a hijacked Web site to create a drive-by download attack. You can install the patch for this browser flaw via Automatic Updates, or .

The same patch batch from Microsoft addresses a ; an attack through this hole can be triggered if you open a hacked Visio file.

Meanwhile, Mozilla fixed six security holes in its Firefox browser, one of which was deemed critical. Firefox version 3.0.6 and later has the fixes; click Help, Check for Updates to make sure that you have the latest version. The same critical flaw can hit the Thunderbird e-mail program if JavaScript is enabled for e-mail (it's disabled by default, and discouraged by Mozilla). Version 2.0.0.21 closes the hole.

Media File Mayhem

If you use RealNetworks' RealPlayer, beware of a risk involving malformed Internet Video Recording (IVR) files. According to security company Fortinet, simply previewing a poisoned IVR file in Windows Explorer could allow an attacker to run any command on a vulnerable PC. Versions 11 through 11.04 are at risk, while 11.05 and later are not affected. Check your version by clicking Help, About RealPlayer, and, if you need it, .

Finally, OpenOffice users should know that a default installation of the productivity suite's latest version (3.0.1) adds an old, insecure version of Sun's Java (Java 6 Update 7). According to the Washington Post, which originally reported the issue, the suite should work fine with the latest edition, Java 6 Update 12; remove your old Java versions and . You can also read . The OpenOffice team should have a new version (with an updated Java version) by the time you read this, and you can also get a .