It should come as no surprise really.  True, Microsoft may be the king of the office, but eventually something was going to replace those poisoned Word docs, Excel spreadsheets, and PowerPoint presentations.  And if something was going to do it, it was going to be something easily as cross-platform and heavily used.

That something, was Adobe Reader PDF files.

At least, so says F-Secure.

And the reasoning, besides the obvious of being a cross-platform big target?  Well all of the vulnerabilities, of course!  I mean who in the security world doesn’t know that Adobe = holes.  It’s enough to rival Microsoft.  Apparently.  Which is why 2009 saw 49% of attacks targeting Adobe Reader through its vulns.

Clearly it should go without saying, if you don’t know why someone would send you a file, don’t open it.  And if you’re not sure, ask.  All of the poisoned documents in the world do no harm if you’re smart enough to not open them in the first place.

Users of the popular (or maybe not so much) web browser Opera no longer have to feel left out.  Now you too can suffer from a security vulnerability!

Though a number of security websites are claiming that this hole in Opera can be used to execute code remotely, Opera officials themselves are playing it down, saying that an exploit really can only be used to cause the web browser to crash; not to actually execute code.  They also say that enabling Data Execution Prevention (DEP) will mitigate any possible damage that an exploit could possibly cause.  (Assuming that you have it turned on.  Which you probably should.)

Time may tell whether the remote execution extremists are right, or whether Opera representatives really are telling the truth when they say it’s a crash-only bug.

And then again, time may not tell.

Because Opera coders are working right now on a fix that should be available shortly.  They have no intention of leaving their web browser insecure.

But also, how many hackers do you really know who target Opera in the first place?  What percentage of net denizens even use the browser?  And what percentage of that percentage use it on an operating system that’s insecure by default?

Yeah.  Kinda puts it all into perspective there, doesn’t it?

It’s big news!  Kind of.  The OpenSSL package has been found to have a potentially serious vulnerability that can be exploited to force it to divulge private keys used in encryption.

Only here’s the catch, it’s done through causing errors by fiddling with the power supply.

So servers, you’re probably pretty safe.  Unless hackers are able to sneak into your building and cause minor variations of voltage to your power supplies, they’re not going to be breaking your keys wide open.

But consumer devices, like Blu-Ray players, that could be a different matter entirely.

The attack basically works like this:  Bob The Hacker fiddles with the power supply of the device running OpenSSL for its security.  He triggers a single-bit error in a multiplication operation.  The bug in the OpenSSL library’s authentication for RSA public keys encryption algorithm is specifically in the fixed window exponentiation algorithm, which results in this one-bit error actually causing OpenSSL to reveal four bits of the private key.  And eventually after collecting enough failed authentication attempts, Bob The Hacker can piece together what all of the bits in the real private key are.

The security researchers who discovered this bug found that using almost 9000 repeated attacks of this method, and then feeding the resulting data into their cluster of 81-machines with 2.4 GHz Pentium-4s running their own custom software, they can eventually determine an entire 1024-bit private key … in 104 hours.

So for cracking a key in a Blu-Ray player, it’s not exactly for the faint of heart then.

There’s an underlying fear that, theoretically, over a very extended period of time, the natural power supply fluctuations may reveal enough errors on their own for a snooper to one day crack a server’s authentication in this manner.  It might take months.  It might even take years.  But theoretically, maybe, it might be possible to almost happen.

And, of course, there is a simple solution, which OpenSSL being open source, is at this moment being worked upon.  And that is, of course, adding an additional level of randomization, in the underlying error-checking algorithm.  It won’t take long at all before this fix is available to the world and private keys are safe once more.

Assuming they were ever in any real danger in the first place.

Microsoft has confirmed a bug in Internet Explorer in which, if you visit a malicious website, and then press the F1 key for help, the malicious website can use VBScript to execute code on your machine.  It’s a potentially disastrous vulnerability, but one fairly well mitigated by the fact that hardly anyone really needs help using the internet.  Without the user opening up Internet Explorer’s help file, this particular security hole is no threat at all.

Further mitigating this remote execution IE vuln is that only versions of Windows which support IE’s Enhanced Security Configuration are affected.  Meaning that Windows 2000 (Win2K), Windows XP (WinXP), and Windows Server 2003 are vulnerable.  Where as Windows Vista, Windows 7, and Windows Server 2008 are not.  At least not typically.  Whether or not the Enhanced Security Configuration can be turned off, and if anyone has actually done this is another matter.

When we’ll ever see a fix, that’s anyone’s guess.  In the mean time, just don’t press F1 while using Internet Explorer.  Especially if a website tells you to.

Aw, heck, who are we kidding?  Just don’t use Internet Explorer!

Those of you who may remember the Adobe Download Manager ActiveX vulnerability that potentially opens up your computer to risk of having any old software package installed and not just those from Adobe, you’re in for a pleasant surprise.  Adobe fixed it.  Already!

In what can only be described as blazing speed, Adobe has fixed the security flaw in their Adobe Download Manager.  That was like less than a week!  This is how computer security should be handled.

If only Microsoft could be so swift.