Apple, Adobe Apps Get Patched
Also: The danger lurking on USB thumb drives and in social networking sites.
Apple has released a Mac OS X Update, which includes security fixes.
Cybertrust doesn't perceive any of the issues addressed as being of significant
importance, and I recommend that the patch be applied within 90 days.
Some of the issues addressed by Apple
Security Update 2006-006 resemble other recent vulnerabilities in
that they require that the user be convinced to open a malicious file
or Web page. The file types include Flash, JPEG2000 (affecting ImageIO)
and PICT (affecting ImageIO). The Web page vulnerability exists in the
Cybertrust recommends that the update be applied in the next 90 days,
and that users do not use other applications while running Software Update.
While the 10.4.8 update is not applicable to OS X 10.3 users, Security
Update 2006-006 is available to them.
Exploit Released for Mac OS X Flaw
An exploit has been published and made available to the public which takes
advantage of one of the vulnerabilities patched by Apple's latest security
update. The vulnerability involves the ability for malicious code to be
run locally, which elevates the user's privilege to the privilege
of the application being invoked. This could lead to the criminal's code
running at the highest privilege level.
Apply the Apple
Security Update 2006-006 patch.
Online Dating Increases Cyber Crime Risk
According to a survey jointly conducted between CA Inc. and the National
Cyber Security Alliance (PowerPoint here),
about three-quarters of adults give out some sort of personal information
while participating in online social networking sites, exposing themselves
It's impossible to imagine participating in a social networking environment
without giving out some form of personal information. If you want to discuss
something via e-mail, you must provide an e-mail address to someone. Similarly,
if you're going to date or discuss things with friends, you're likely
going to use your name.
The survey says that 84 percent of individuals are at risk because they
download files from other people's profiles. These files might be pictures
or other files commonly distributed among friends. Again, while it's certainly
true that such files could allow spyware or bots to be implanted on victims'
machines, it's hard to imagine social networking without them.
The companies' recommendations on how to protect yourself seem rudimentary,
and the survey didn't seem to elicit any new advice from them. "Don't post
your Social Security number together with your name," for example, seems
like an obvious one. Of course, as software producers, they took the opportunity
to recommend that you have up-to-date personal firewall, anti-spyware,
anti-virus and spam filtering software.
This column was originally published in our weekly Security Watch newsletter.
IT Risks Rise on USB Drives Using Auto-Run Apps
With the introduction
of a new memory stick, the U3 Smart Drive, thumb drives can now automatically
launch applications when they are inserted. It seems they simply make
themselves appear as a CD drive to the OS, which typically allows code
to automatically execute upon insertion. This, some claim, means an entirely
new threat to our data.
The U3 drive is not rocket science; it's a capability that CDs have had
all along (the editor of this newsletter says he's also received many
press releases on thumb drives that auto-run). Some seem to think it will
be faster, but its greatest threat is more likely the fact that it can
be contained in such a small device that could be hard to scan for on
The best defense is to ensure that USB ports are disabled by default,
if USB devices are not to be used in your organization. This doesn't work
very well when keyboards or printers are also using USB, as they can simply
be unplugged and a U3 (or any other thumb drive) inserted.
Various companies have developed software that prevents the use of thumb
drives, and such products are likely to be equally effective against U3-type drives.
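Because a U3 stick works by presenting a CD-ROM partition that Windows is willing to auto-run, the two settings that matter for the defense described above are the AutoRun drive-type mask and the USB mass-storage driver. The following PowerShell script, an added example that is not part of the column or of any vendor product, audits both and can set them to the restrictive values; it assumes an elevated session on a Windows host, and the function names are my own.

```powershell
# Added example (not from the column): audit and optionally harden the two Windows
# settings that decide whether a U3-style "virtual CD" on a USB stick can auto-run.
# Assumes Windows PowerShell running as Administrator.

$AutoRunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-AutoRunPosture {
    # NoDriveTypeAutoRun is a bitmask of drive types excluded from AutoRun.
    # 0xFF (255) excludes every type, including CD-ROM, which is what a U3
    # drive impersonates. A missing value means the Windows default applies.
    $autorun = (Get-ItemProperty -Path $AutoRunKey -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

    # USBSTOR Start = 4 disables the USB mass-storage class driver, so flash
    # drives (and the CD-ROM partition a U3 stick presents) never mount.
    # Keyboards and mice use the HID class driver and keep working.
    $usbstor = (Get-ItemProperty -Path $UsbStorKey -Name Start `
                -ErrorAction SilentlyContinue).Start

    [pscustomobject]@{
        NoDriveTypeAutoRun        = $autorun
        AutoRunBlockedOnAllDrives = ($autorun -eq 0xFF)
        UsbStorStart              = $usbstor
        UsbMassStorageDisabled    = ($usbstor -eq 4)
    }
}

function Set-AutoRunHardening {
    # Turns AutoRun off for all drive types; -DisableUsbMassStorage also
    # blocks USB storage devices while leaving other USB device classes alone.
    param([switch]$DisableUsbMassStorage)

    if (-not (Test-Path $AutoRunKey)) { New-Item -Path $AutoRunKey -Force | Out-Null }
    Set-ItemProperty -Path $AutoRunKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

    if ($DisableUsbMassStorage) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
}

# Report the current posture; call Set-AutoRunHardening to change it.
Get-AutoRunPosture | Format-List
```

Unlike physically disabling the ports, blocking only the mass-storage class addresses the keyboard-and-printer problem the column raises, though it does nothing for a device already mounted until it is unplugged.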
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.