Security Updates for Foxit, QuickTime/iTunes

Foxit Software has issued an update to make it easier for users to spot PDF files that may contain malicious content. Also, Apple has pushed out new versions of QuickTime and iTunes that correct nearly two dozen security problems in those programs.

Last month, researcher Didier Stevens said he’d discovered that he could embed an executable file — such as a malicious program — inside of a PDF file. Worse, Stevens found that PDF readers from Adobe Systems and Foxit contained a feature that would run those embedded files upon request, in some cases without even warning the user.

Stevens found that when he triggered the feature in Adobe Reader, the program threw up a warning that launching code could harm the computer (although he also discovered he could change the content of that warning in Adobe Reader).

Foxit, however, displayed no warning at all and executed the action without user approval. According to Stevens, the Foxit fix shipped last week changes the reader so that it now warns users if a PDF document tries to launch an embedded program.

Unlike previous attacks on PDF readers — which can generally be blocked by selecting the option to disable JavaScript in the programs — this attack leverages features built into these readers. Adobe Reader contains an option to disable opening non-PDF attachments with external applications (under Preferences, click Trust Manager, and then uncheck the box at the top of the next window). However, I could find no such option in Foxit.
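For readers who want to screen files before opening them, here is an added example (not from the original post or from Stevens). The PDF format calls the built-in feature described above a Launch action, keyed by the name /Launch; the scanner below counts that key and related ones in a file's raw bytes. The key list, verdict wording and sample bytes are assumptions constructed for illustration.

```python
import re

# PDF name keys worth flagging during triage (list chosen for this example).
SUSPICIOUS = ("/Launch", "/EmbeddedFile", "/OpenAction", "/AA", "/JavaScript", "/JS")

# A PDF name is "/" followed by any bytes that are not whitespace or delimiters.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample fragments, not real documents.
SAMPLE_LAUNCH = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Action /S /L#61unch /F (placeholder.bin) >>\nendobj\n"
)
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"


def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes so that /L#61unch is counted as /Launch."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count suspicious name tokens in the raw bytes of a PDF."""
    counts = dict.fromkeys(SUSPICIOUS, 0)
    for match in _NAME.finditer(data):
        name = decode_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def verdict(counts: dict) -> str:
    """Turn the counts into a simple handling decision."""
    if counts["/Launch"]:
        return "block: document asks the reader to start a program"
    if counts["/EmbeddedFile"] or counts["/JavaScript"] or counts["/JS"]:
        return "review: embedded file or script present"
    return "no launch or embedded-file keys found"


if __name__ == "__main__":
    for label, blob in (("launch sample", SAMPLE_LAUNCH), ("plain sample", SAMPLE_PLAIN)):
        print(label, "->", verdict(scan_pdf(blob)))
```

Keys stored inside compressed object streams are not visible to a raw-byte scan, so a clean result is not proof that a file is safe.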

If you are using Foxit, please upgrade to this latest version, which is v. 3.2.1.0401. To update, click the Help menu, and then Check for Updates Now, or download the latest installer from this link here. And if you see a warning like the one above, it might be smart to click the “Do Not Open” button.

In other patch news, Apple has pushed out a security update for its QuickTime and iTunes media players. The QuickTime update, version 7.6.6, fixes at least 16 security flaws affecting both Mac and Windows systems. iTunes 9.1 addresses at least seven security holes for OS X and Windows versions. The patches are available through Software Update on the Mac, through the Apple Software Update package bundled with iTunes/QuickTime on Windows, or via Apple Downloads.
