Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.

Have your say and comment below.

Thursday, 26 February 2009 09:10

Microsoft, Adobe apps poke holes in Mac OS X security

Mac users should pay attention to three recent security vulnerabilities involving mainstream products. Two of them involve the same vendor, and so far only one has been patched.

Among the security vulnerabilities to hit the headlines recently, at least three have the potential to expose Mac OS X as well as Windows to malware.

First up there's the Excel vulnerability. Microsoft officials say the affected versions of Excel are part of Office 2000, 2002, 2003, 2004, 2007 and 2008, and that the Open XML File Format Converter for Mac is also vulnerable.

The good news is that exploits have only been seen for Office 2007 running in Windows 2000 and XP, and that other versions are more likely to crash than execute the malware embedded in the rogue documents.

Furthermore, the vulnerability relates to the older binary .xls file format, not the current XML-based .xlsx format.

It also seems that the real-world attacks detected so far have been narrowly targeted.

While the risks are slight, it would seem wise to be especially cautious if an unexpected .xls file turns up in your email before Microsoft releases a patch.

Though it's not clear when that's likely to be, March's Patch Tuesday seems a likely target.

Vulnerability number two comes from Adobe - but Apple's implicated too. See page two.

Secondly, there's a vulnerability in Adobe Reader and Acrobat. Malicious PDF files can use this to get up to no good - one exploit installs a remote access backdoor on Windows systems.

One partial workaround is to disable JavaScript in the programs' preferences, while others merely prevent the automatic display of PDFs.

The problem is that the underlying vulnerability can be exploited without resorting to JavaScript.

It appears that Reader 9 and earlier and Acrobat 9 and earlier are affected by the vulnerability, and Adobe doesn't qualify this with reference to specific platforms. The company plans to release an update by March 11 (the day after Microsoft's Patch Tuesday).

The bad news for Mac users is that Intego has determined that the PDF handling code in Mac OS X 10.5 also has this vulnerability. That means it could be exploited by a PDF that's opened in Preview, Safari, Mail or even Quick Look.

There's no known Mac exploit for this issue, but opening PDF files is such a commonplace activity that it does present a worry.

Not opening PDFs is hardly an option, so its fortunate that many desktop and gateway security products now provide protection against attacks targeting this vulnerability.

The third flaw is in another Adobe product - find out which on page 3.

Issue number three also involves Adobe, but this time the product is Flash Player.

Flash Player and earlier ( for the Linux version) contains a flaw that means a Shockwave Flash file may destroy an object without removing all references to it. If an attacker can the memory used to store objects, a reference to a deleted object can be used to trigger execution of arbitrary code.

Adobe recommends users update to Flash Player version, which corrects the issue. The company has also released Flash Player for those who cannot upgrade to Flash Player 10.

The issue was originally disclosed to Adobe last October.

The "critical" update also addresses input validation, clickjacking and privilege escalation issues in Flash Player. Some of those issues are specific to Windows or Linux.

The latest version of Flash Player can be installed using the software's auto-update mechanism or by downloading it from Adobe's web site.

The company recommends that users check the version of Flash Player installed in each of the browsers they use.

Subscribe to ITWIRE UPDATE Newsletter here

Now’s the Time for 400G Migration

The optical fibre community is anxiously awaiting the benefits that 400G capacity per wavelength will bring to existing and future fibre optic networks.

Nearly every business wants to leverage the latest in digital offerings to remain competitive in their respective markets and to provide support for fast and ever-increasing demands for data capacity. 400G is the answer.

Initial challenges are associated with supporting such project and upgrades to fulfil the promise of higher-capacity transport.

The foundation of optical networking infrastructure includes coherent optical transceivers and digital signal processing (DSP), mux/demux, ROADM, and optical amplifiers, all of which must be able to support 400G capacity.

With today’s proprietary power-hungry and high cost transceivers and DSP, how is migration to 400G networks going to be a viable option?

PacketLight's next-generation standardised solutions may be the answer. Click below to read the full article.


WEBINAR PROMOTION ON ITWIRE: It's all about webinars

These days our customers Advertising & Marketing campaigns are mainly focussed on webinars.

If you wish to promote a Webinar we recommend at least a 2 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial.

This coupled with the new capabilities 5G brings opens up huge opportunities for both network operators and enterprise organisations.

We have a Webinar Business Booster Pack and other supportive programs.

We look forward to discussing your campaign goals with you.


Stephen Withers

joomla visitors

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News