— the blog of Webguide: an inspiration and toolkit for community groups

Beware of PDF Download email

This just arrived in my in-box. I wouldn't touch it with a barge pole. The link goes to www.adobe-pdf-download.org and the name of the company in item 1 is misspelled.

Subject: Download Adobe PDF Reader For Windows

Dear valued customers,
Adobe PDF is pleased to announce new version for PDF Reader which enable you to view, create, edit  and print PDF documents. The PDF format as a global exchange document format is created by Adobe and is the most efficient way to exchange information.

You can simply follow the following instructions to make your PDF Reader/Writer most updated.

1. Visit Abode PDF website.

2. Download new version of Adobe PDF and get your application updated.

Thank you for choosing us, the worldwide leader PDF Reader.

Adobe PDF

Copyright Adobe PDF


January 4, 2010   3 Comments

PDF Reader very unsafe – disable or replace urgently

Most of us open and read PDF attachments or downloads (our banks and government departments produce many documents for download this way) despite the fact that the security of the Adobe Acrobat reader has long been suspect. But now the company has confirmed that it is positively unsafe. Ryan Naraine at ZDNet has the full story: Adobe confirms PDF zero-day attacks. Disable JavaScript now

Malicious hackers are exploiting a zero-day (unpatched) vulnerability in Adobe’s ever-present PDF Reader/Acrobat software to hijack data from compromised computers.

According to an advisory from Adobe, the critical vulnerability exists in Adobe Reader and Acrobat 9.2 and earlier versions. It is being exploited in the wild.

The company has activated its security response process but declined to offer any more details until an investigation is complete.

Unfortunately, the company did not provide any mitigation guidance for customers.

The folks at ShadowServer describe the situation as “very bad.”

We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue. This is legit and is very bad.

Here’s what we know so far:

We can tell you that this exploit is in the wild and is actively being used by attackers and has been in the wild since at least December 11, 2009. However, the number of attacks is limited and most likely targeted in nature. Expect the exploit to become more widespread in the next few weeks and unfortunately potentially become fully public within the same timeframe. We are fully aware of all the details related to the exploit but do not plan to publish them for a few reasons:

1. There currently is no patch or update available that completely protects against this exploit.
2. There is little to no detection of these malicious PDF files from most of the major Antivirus vendors.

With that said we can tell you that this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself. Furthermore the vulnerable JavaScript is obfuscated inside a zlib stream making universal detection and intrusion detection signatures much more difficult.

In the interim, Adobe PDF Reader/Acrobat users are urged to immediately disable JavaScript [as follows]:

Open Acrobat and Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript

Or, better yet, use an alternative PDF Reader software program.

I use one called Foxit that works perfectly well. It also has a paid version called Foxit Pro that enables me to edit most PDF files except those locked with password protection. Although there's a learning curve, it's very handy.
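The ShadowServer point above, that script hidden inside a zlib stream defeats simple signatures, can be seen with a small triage scanner. This is an added example, not code from ZDNet, ShadowServer or Adobe: it inflates each stream in a file and reports script and auto-run name tokens that a plain byte search of the raw file would miss. The sample input is a constructed PDF-like fragment, and the scanner assumes only zlib (FlateDecode) compression with no other filters or hex-escaped names.

```python
import re
import zlib

# PDF name tokens that indicate embedded script or auto-run actions.
MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)


def inflate(data):
    """Return the inflated bytes, or None if data is not zlib-compressed."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return None


def find_markers(blob):
    """List the markers that occur in blob as whole name tokens."""
    return [m.decode() for m in MARKERS
            if re.search(re.escape(m) + rb"(?![A-Za-z0-9])", blob)]


def scan_pdf(pdf_bytes):
    """Separate markers visible in the raw file from those only seen after inflating."""
    raw = find_markers(STREAM_RE.sub(b"", pdf_bytes))
    hidden = {}
    for i, match in enumerate(STREAM_RE.finditer(pdf_bytes)):
        body = inflate(match.group(1))
        found = find_markers(body) if body is not None else []
        if found:
            hidden[i] = found  # keyed by stream index within the file
    return {"raw": raw, "in_streams": hidden}


def build_sample():
    """Constructed PDF-like fragment: a harmless script action packed in a zlib stream."""
    action = b"<< /S /JavaScript /JS (app.alert('constructed sample');) >>"
    packed = zlib.compress(action)
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(scan_pdf(build_sample()))
```

A hit under `in_streams` with nothing under `raw` is the case described in the quote: the file looks script-free until its streams are decompressed.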

December 16, 2009   4 Comments

Internet NZ weighs in on secret copyright negotiations

In its December newsletter (pdf file), Internet NZ is alarmed by media stories indicating a change in direction in the latest round of Anti-Counterfeiting Trade Agreement (ACTA) negotiations.

The ACTA negotiating round was held in Korea in early November, and has reportedly shifted focus to deal with non-commercial infringement of copyright material by ordinary citizens, and arguing for termination of people's Internet accounts.

"If correct, this is cause for alarm and shows a significant change in ACTA's focus," says InternetNZ Policy Director Jordan Carter.

December 15, 2009   No Comments

Another question about Cloud services

This potential problem for those of us thinking about storing our data "in the cloud" of the internet is more about contractual obligations and corporate attitude than actual technical issues which can occur any time and in odd ways.

But it IS worth thinking about: Mozy glitch fogs the reliability of storage clouds

November 30, 2009   No Comments

Is Antivirus Dead?

That's the question asked by my go-to guy on security issues, Bruce Schneier:

If someone asks, "for best security, should I do A or B?" the answer almost invariably is both. But security is always a trade-off. Often it's impossible to do both A and B ... and you have to choose.

Yes, antivirus programs have been getting less effective as new viruses are more frequent and existing viruses mutate faster. Yes, antivirus companies are forever playing catch-up, trying to create signatures for new viruses. Yes, signature-based antivirus software won't protect you when a virus is new, before the signature is added to the detection program. Antivirus is by no means a panacea.

On the other hand, an antivirus program with up-to-date signatures will protect you from a lot of threats. ... And -- here's the best part -- it can be free. AVG won't cost you a penny. To me, this is an easy trade-off, certainly for the average computer user who clicks on attachments he probably shouldn't click on, downloads things he probably shouldn't download, and doesn't understand the finer workings of Windows Personal Firewall.

[...] One of the newest trends in IT is consumerization, and ... What it means to business is that people -- employees, customers, partners -- will access business networks from wherever they happen to be, with whatever hardware and software they have. ... Your business will have no way to know what they're using, and -- more importantly -- you'll have no control.

[...] Bottom line: antivirus software is neither necessary nor sufficient for security, but it's still a good idea. It's not a panacea that magically makes you safe, nor is it obsolete in the face of current threats. As countermeasures go, it's cheap, it's easy, and it's effective. I haven't dumped my antivirus program, and I have no intention of doing so anytime soon.

Since many threats are based on social skills that encourage you to click on links without really thinking about what you are doing, clever software can only go part of the way. How many people do you have in your organisation who, on hearing to their delight that you are to receive $10 million from the UN that you never even applied for, "just click the link to get the details"?

One is too many.

How do you cover that possibility? Comments open as usual.

November 17, 2009   No Comments