Adobe Addresses Security Vulnerabilities in Flash, but not Acrobat or Reader

Adobe has released a new version of the Flash plugin for Mac, Windows, and Linux that addresses a serious security vulnerability. The update fixes a critical flaw which could cause your computer to be hacked merely by viewing a malicious SWF (Shockwave Flash) file, according to Adobe’s advisory.

Adobe has a Web page that will automatically display what Flash version you’re using, and allow you to download the update, if needed.

Meanwhile, there’s no fix yet for a serious security flaw in Adobe Acrobat and Reader that was reported a few weeks ago. (More Info at Macworld)

via Macworld

Important! Safari RSS Security Risk

If you use a Mac, it’s very important that you read this, even if you don’t use Safari.

Republished from Brian Mastenbrook:

Disclosure of information vulnerability in Safari
Posted on Sun, 11 Jan 2009
Last edited Tue, 13 Jan 2009

I have discovered that Apple’s Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user’s hard drive without user intervention. This can be used to gain access to sensitive information stored on the user’s computer, such as emails, passwords, or cookies that could be used to gain access to the user’s accounts on some web sites. The vulnerability has been acknowledged by Apple.

All users of Mac OS X 10.5 Leopard who have not changed their feed reader application preference from the system default are affected, regardless of whether they use any RSS feeds or use a different web browser (such as Firefox). Users of previous versions of Mac OS X are not affected.

Users of Safari on Windows are also affected. Users who have Safari for Windows installed but do not use it for browsing are not affected.

The details of this vulnerability have not been made public to the best of my knowledge, but secrecy is no guarantee against a sufficiently motivated attacker. Because this vulnerability could be exploited by a phishing site in a way that would not cause affected users to suspect their information had been stolen, users of Mac OS X Leopard should protect themselves until a fix is issued by Apple by choosing a default feed reader other than Safari, such as Mail. To select a different feed reader:

  1. Open Safari and select Preferences… from the Safari menu.
  2. Choose the RSS tab from the top of the Preferences window.
  3. Click on the Default RSS reader pop-up and select an application other than Safari.

The only workaround available for users of Safari on Windows is to use a different web browser.

Apple has not made information available on when a fix for this issue will be released. Users with questions or concerns should contact Apple as I have no additional information about this vulnerability which can be shared at this time.

I found a serious security bug in H&R Block’s online tax software

UPDATE (4.12.08): The bug mentioned here has been resolved. Read the post and the updates at the bottom for the entire story.

I’ve been using H&R Block’s online tax services to do my taxes this year. While corresponding with one of their tax professionals through their online message center, I discovered a very serious security hole in their software. I won’t describe the exact steps here because I don’t want anyone to take advantage of this, but by clicking through the tax software in a specific order, I found that all of the messages in my message center were replaced with random messages between other customers and their tax pros. Many of these messages contained confidential information and had very sensitive attachments, like W2s and other financial documents, that I was fully able to download. The process of doing this is repeatable, so it’s definitely a bug.

I tried reporting this to H&R Block, but I don’t think I was very successful. Here’s how it went…

I called the H&R Block tech support number and spent 20 minutes on hold. A young woman finally answered and said, “How may I help you?” I explained that I was calling to report an urgent issue, where I could see other customers’ private information in my message center. Her only response was to give me another phone number to call.

I called the new number and spent another 20 minutes on hold. A young woman finally answered and said, “How may I help you?” I explained that I was calling to report an urgent issue, where I could see other customers’ private information in my message center. Her only response was, “So… how may I help you?” I repeated that I was calling to report a serious bug in their system, to which she replied, “I can open a support ticket for you, if you like?” At this point I asked for her supervisor. After 40 minutes on hold, the supervisor came on the line and said, “How may I help you?”

By now, I’m pretty pissed off. I can’t believe I just spent an hour and a half on the phone trying to relay this issue and I’m no closer than I was when I started. I gave the supervisor the facts, and he asked me for my username. He logged into my account, but for whatever reason the screens he sees are different than the ones that I see, so he couldn’t click on the required items. My only option was to verbally describe the screens and steps required to reproduce the bug. He put me on hold for a few minutes, and then came back on and thanked me for reporting this issue. That’s it.

When I relayed the procedure to the supervisor, I rattled it off fairly quickly. I actually expected him to escalate the issue to a higher level tech support and I would be repeating it in more detail to someone else. But, he didn’t, at least not with me still on the phone. He didn’t appear to be taking any notes either, so I don’t know if he actually got it or not. It’s possible they were recording the call, but there was no standard message about that at the beginning, so I don’t know.

In addition to the security bug itself, I can’t believe I had such a hard time communicating the seriousness of this problem. Not only is H&R Block potentially screwing its customers, but they’re also opening themselves up to a giant lawsuit. One thing is for sure… I will NOT be using H&R Block Online again next year.

UPDATE (4.10.08): I don’t know if my support call yielded any results, but I did forward this blog post to the tax pros I had interacted with through the H&R Block website, and they are taking action. I was contacted by two different support people and we ran through the procedure to replicate the bug. They’re looking into it now. I’ll continue to update this post with any new information I receive.

UPDATE (4.11.08): H&R Block has informed me that they’ve identified the cause of the bug and are working on the fix now. They hope to have it implemented by late tonight. I’ll be testing this later to confirm the fix. They’re also doing research to determine how many people may have been impacted by the bug. They told me that initial data suggests it was a relatively small number of users. I’ll update this post when I know more.

UPDATE (4.12.08): This morning I tested the system on my account and my girlfriend’s. Everything appears to be fixed.

Although this whole thing started out a bit rocky due to undertrained phone-support employees, I am glad to see that once the word reached the right people they did take swift action in solving the problem. To some degree I guess this incident is a testament to the power of blogging. I can’t say this with absolute certainty, but I personally believe that forwarding this post to the tax pros I worked with did more to get this resolved than my phone call to tech support.

In the interest of absolute transparency, I should also mention that in return for the trouble I had with tech support, and my assistance in troubleshooting the system, H&R Block did refund the cost of this year’s return and offered me free tax preparation for next year.