Core Security Technologies issued an advisory disclosing a vulnerability that could affect millions of individuals and businesses using Adobe’s Reader PDF file viewing software. Engineers from CoreLabs determined that Adobe Reader could be exploited to gain access to vulnerable systems via the use of a specially crafted PDF file with malicious JavaScript content. Upon making the discovery, CoreLabs immediately alerted Adobe to the vulnerability and the two companies have since coordinated efforts to ensure that a patch could be created and made available to protect users of the program.

>>Permalink

Late on Thursday Microsoft released an advisory about a new privilege escalation vulnerability affecting IIS and SQL Server on Windows XP, 2003, Vista, and Server 2008.

It’s likely that this is the same flaw discussed by Cesar Cerrudo in his talk, “Token Kidnapping”, at the HITB Security Conference 2008 in Dubai. Cerrudo had discovered a privilege-escalation vulnerability earlier, and said in March, “Design weaknesses can be abused on Windows XP, Vista, Internet Information Services 7 and Windows Server 2003 and 2008”.

>>Permalink

PC and Mac owners are being advised against opening Excel documents from sources they do not trust after a security hole was discovered in Microsoft’s spreadsheet software that could allow hackers to make targeted attacks on computers.

The German Federal Agency for Security in Information Technology (BSI) in Bonn is publicising the hole.

The flaw affects the 2003 Service Pack 2, Viewer 2003, 2002, and 2000 versions for the PC and Excel 2004 for Mac. If a user registered with administrator rights opens one of the rigged Excel files, then the attack can “compromise the entire target system,” the BSI notes. No patch to correct the problems has been released to date.

>>Permalink