This week's security events include news of a free laptop tracking system, patches released to fix two critical holes in Firefox, a critical vulnerability in BlackBerry Enterprise Server, and the release of Adobe Acrobat 9.
A free laptop tracking system
A yearlong research project between the University of Washington and the University of California-San Diego has yielded a tool that allows lost or stolen laptops to be tracked for free. Unlike existing tools on the market, this tracking method does not entail any invasive remote-control hardware or software, so installing it does not result in any loss of privacy. The Mac OS X version can optionally be configured to take photos with the built-in iSight camera.
Called Adeona, it is open-source software that users install on the personal laptops they wish to secure. Once in place, Adeona periodically sends the laptop's current IP address over an encrypted connection to open-source OpenDHT storage servers. If the laptop is lost (or stolen), another instance of Adeona can be installed on a different computer, and the correct password then allows the victim to track the device via the recorded IP addresses. I suppose the assumption is that a thief will eventually use the laptop at his or her place of residence, where there is a possibility of them being nailed via their IP address being linked to their ISP account.
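To make the privacy point concrete, here is an added illustration (not Adeona's own code or protocol, and the names toy DHT, `publish_update` and `retrieve_updates` are hypothetical) of the idea described above: a laptop pushes its current IP address into a public key/value store in a form that reveals nothing to the store's operators, and only someone holding the owner's password can find and decrypt the records. It uses only the Python standard library, so the cipher is a SHA-256 keystream with an HMAC tag chosen for self-containment, not as a recommendation; the sample IP addresses are constructed from the documentation ranges. The real system uses a more elaborate key schedule; this example keeps a single password-derived key.

```python
"""Password-protected, encrypted location updates in a public store (illustration).

Added example; NOT Adeona's implementation. The store (a dict standing in for
OpenDHT) only ever sees opaque keys and ciphertext, so its operators learn
neither which records belong to one laptop nor what IP addresses they hold.
"""
import hashlib
import hmac
import os

# Constructed constant for the example; a real install would use a random salt.
SALT = b"illustration-salt"


def derive_master_key(password: str) -> bytes:
    """Stretch the owner's password into a 32-byte secret with PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def index_for(master: bytes, counter: int) -> str:
    """Opaque store key for update number `counter`; unlinkable without `master`."""
    return hmac.new(master, b"index|" + counter.to_bytes(8, "big"), "sha256").hexdigest()


def keys_for(master: bytes, counter: int):
    """Per-update encryption and MAC keys derived from the master secret."""
    enc = hmac.new(master, b"enc|" + counter.to_bytes(8, "big"), "sha256").digest()
    mac = hmac.new(master, b"mac|" + counter.to_bytes(8, "big"), "sha256").digest()
    return enc, mac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (stdlib only; not for production)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject tampered or foreign records."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record tampered with or wrong password")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


def publish_update(store: dict, password: str, counter: int, ip: str) -> str:
    """Laptop side: drop one encrypted IP record into the public store."""
    master = derive_master_key(password)
    enc, mac = keys_for(master, counter)
    key = index_for(master, counter)
    store[key] = seal(enc, mac, ip.encode())
    return key


def retrieve_updates(store: dict, password: str, max_updates: int = 1000) -> list:
    """Owner side: walk the update counter, fetch and decrypt every record found."""
    master = derive_master_key(password)
    found = []
    for counter in range(max_updates):
        key = index_for(master, counter)
        if key not in store:
            break  # no further updates published
        enc, mac = keys_for(master, counter)
        found.append(open_sealed(enc, mac, store[key]).decode())
    return found


if __name__ == "__main__":
    toy_dht = {}
    for n, addr in enumerate(["203.0.113.7", "198.51.100.23"]):  # constructed sample IPs
        publish_update(toy_dht, "correct horse battery", n, addr)
    print("store sees:", list(toy_dht.keys()))
    print("owner recovers:", retrieve_updates(toy_dht, "correct horse battery"))
    print("wrong password recovers:", retrieve_updates(toy_dht, "guess"))
```

The security-relevant property to check is that nothing in the store is a function of the IP address or of a stable per-laptop identifier: each record lives under a fresh HMAC-derived key, so two updates from the same laptop cannot be linked by the storage operator, and the plaintext never appears in a stored value.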
Two critical holes in Firefox plugged
Mozilla released patches that fix two critical holes in the popular Firefox Web browser, affecting both the 2.0 and 3.0 branches of the software. One of the critical flaws is a variant of a vulnerability that could be exploited in what is known as a carpet bombing attack. The other patch changes the way Firefox handles references pertaining to CSS, which (if left unfixed) could be used to force a crash and execute arbitrary code. (Note: Firefox 2.0 will only be supported by Mozilla until mid-December. No support in the form of security updates will be released after this date. As such, users are encouraged to upgrade to Firefox 3.0.)
Critical vulnerability in BlackBerry Enterprise Server
Administrators running BlackBerry Enterprise Server (BES) on their network might want to take note of a new flaw involving the opening of PDF documents. Because of a bug in the PDF Distiller component of the BlackBerry Attachment Service, a maliciously crafted PDF document can result in a server compromise. A user needs to open the PDF document to trigger the flaw.
BlackBerry does not give any further information on the nature of the bug, but it can be used to inject and execute code on the server. BlackBerry Enterprise Server 4.1 Service Pack 3 (4.1.3) through 4.1 Service Pack 5 (4.1.5) and BlackBerry Unite! prior to 1.0 Service Pack 1 (1.0.1) Bundle 36 are affected.
An official patch in the form of BES 4.1 Service Pack 6 has been released by RIM. If installing the patch is not possible, the recommended workaround is to disable PDF processing in the Attachment Service. Precise instructions for doing so can be found in this security advisory from RIM.
Adobe Acrobat 9 released
It appears that version 9 of Adobe Acrobat Reader is now available for download. It remains to be seen whether this latest version is leaner or more bloated.
Mark Hofman over at SANS Internet Storm Center summarizes the features nicely:
If you intend to download Adobe Acrobat Reader 9 -- or compel your users to do so -- use the link below, which some users have reported is the smallest download. Some other links might result in a "Free eBay Desktop" being selected by default, or beta software based on Adobe AIR which cannot be unselected at install time.
Use this link from Adobe's FTP website: ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.0/enu