SSCC 56 – Albert Gonzalez, Patch Tuesday, Texas data loss and Adobe zero day

Michael Argast joins me this week to summarize the important security news and talk a bit about this week’s Microsoft patch release.

We started with the bizarre tale of Albert Gonzalez and his claims that he hacked TJX while working for the US Secret Service. We discussed the loss of 3.5 million people’s personal data by the state of Texas.

We advised people to watch for attacks targeting the latest Adobe zero day, and looked at the top priorities for deployment this Patch Tuesday.

If you prefer a news summary for the week in text format, visit the Sophos Security Hub for the latest selected hot topics or subscribe to our weekly newsletter, Sophos enews.

(12 April 2011, duration 15:29 minutes, size 10.1MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 56.

All of our past podcasts are available from http://podcasts.sophos.com and on iTunes.

New Adobe Flash zero day in the wild – infects through MS Word documents

Adobe has issued a security advisory concerning a new zero day flaw (CVE-2011-0611) in Adobe Flash Player 10. As usual, this also means that other applications that render Flash content, such as Adobe Reader and Microsoft Office, are affected as well.

Brian Krebs wrote a blog post earlier today describing some targeted attacks using a Microsoft Word attachment that had an embedded Flash object used to exploit this flaw.

Mr. Krebs notes that the samples in the wild were largely being used in spear phishing attacks targeting the US Government and related contractors and agencies.
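The attack described above rides on a Flash object embedded in a Word document, so a simple triage check for mail gateways or incident responders is to look for SWF file headers inside Office attachments. The following is an added example (not code from Sophos or from the original post) that scans a document for the three SWF signatures; the member path `word/embeddings/oleObject1.bin` and the sample bytes are constructed for the demonstration.

```python
import io
import re
import struct
import zipfile

# Every SWF begins with "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA),
# then a one-byte Flash version and a little-endian 32-bit uncompressed length.
SWF_SIGNATURE = re.compile(rb"[FCZ]WS")


def find_swf_headers(blob: bytes, max_version: int = 32) -> list:
    """Return (offset, signature, version, declared_length) for plausible SWF headers.

    The 3-byte signature can occur by chance in binary content, so a header is
    only reported when the version byte is sane and the declared length is at
    least the 8-byte header itself.
    """
    hits = []
    for m in SWF_SIGNATURE.finditer(blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        version = blob[off + 3]
        length = struct.unpack_from("<I", blob, off + 4)[0]
        if 1 <= version <= max_version and length >= 8:
            hits.append((off, m.group().decode(), version, length))
    return hits


def scan_office_document(data: bytes) -> list:
    """Scan a Word file (OOXML .docx or legacy OLE2 .doc) for embedded SWF.

    OOXML documents are zip containers, so each member is unpacked and scanned
    by name. Anything else is scanned as a flat byte stream; note that a header
    straddling an OLE2 sector boundary would be missed by this flat scan, so a
    full parser should walk the OLE streams instead (e.g. with the olefile module).
    """
    findings = []
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                for hit in find_swf_headers(zf.read(name)):
                    findings.append((name,) + hit)
    else:
        for hit in find_swf_headers(data):
            findings.append(("<stream>",) + hit)
    return findings


def build_sample_docx() -> bytes:
    """Construct an in-memory .docx-like zip with a zlib-compressed SWF header
    embedded at offset 16 of an OLE object member (constructed sample, not a
    real exploit document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        swf = b"\x00" * 16 + b"CWS" + bytes([10]) + struct.pack("<I", 5000) + b"\x00" * 32
        zf.writestr("word/embeddings/oleObject1.bin", swf)
    return buf.getvalue()
```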

Adobe’s advisory notes that Adobe Reader X utilizes a sandbox which prevents this exploit from working in Adobe Reader X on Windows. Windows machines with Flash installed are still vulnerable through their browsers and other applications.

The vulnerability impacts Adobe Flash Player 10 (all Operating Systems) and Adobe Reader 9 and X for Windows and Macintosh. It does not affect Adobe Reader for Android, Unix or Adobe Reader/Acrobat 8.

The only mitigation at this point is to remove Flash entirely and be sure you are using Adobe Reader 8/Adobe Reader X (Windows only).

Adobe mentioned they are working to release a fix for all affected software as soon as possible, with the exception of Adobe Reader X for Windows.

This is the same stance they took with the last Flash vulnerability that was mitigated through the use of Adobe Reader X’s sandbox.

Personally I find this approach distasteful, and it was one of the concerns I had when Adobe announced their sandbox technology. It’s great that the sandbox is working against some of these exploits, but it suggests it is OK to consume malicious code because you have “protection”.

It would be better to release security fixes with the same priority regardless of the version of the software.

The observed attack currently only targets Windows users, but once a fix is made available by Adobe I recommend everyone update to the latest Flash software.

SophosLabs have published their analysis, including links to our identities in our knowledgebase.