Adobe Reader Security Issue Found

McAfee has discovered a vulnerability in Adobe’s Reader program that allows people to track the usage of a PDF file.

“Recently, we detected some unusual PDF samples,” McAfee’s Haifei Li said in a blog post. “After some investigation, we successfully identified that the samples are exploiting an unpatched security issue in every version of Adobe Reader.”

The affected versions of Adobe Reader also include the latest “sandboxed” Reader XI (11.0.2).

McAfee said that the issue is not a “serious problem” because it doesn’t enable code execution, however it does permit the sender to see when and where a PDF file has been opened.

This vulnerability could only be dangerous if hackers exploited it to collect sensitive information such as IP address, internet service provider (ISP), or even the victim’s computing routine to eventually launch an advanced persistent threat (APT).

McAfee said that it is unsure who is exploiting this issue or why, but have found the PDFs to be delivered by an “email tracking service” provider.

The vulnerability works when a specific PDF JavaScript API is called with the first parameter having a UNC-located resource.

“Adobe Reader will access that UNC resource. However, this action is normally blocked and creates a warning dialog,” Li said. “The danger is that if the second parameter is provided with a special value, it changes the API’s behavior. In this situation, if the UNC resource exists, we see the warning dialog.

“However, if the UNC resource does not exist, the warning dialog will not appear even though the TCP traffic has already gone.”

McAfee said that it has reported the issue to Adobe and is waiting for their confirmation and a future patch. Adobe wasn’t immediately available for comment at the time of writing.

“In addition, our analysis suggests that more information could be collected by calling various PDF Javascript APIs. For example, the document’s location on the system could be obtained by calling the Javascript “this.path” value,” Li added.

Source

Skype Confirms Glitch

Skype, a division of Microsoft, confirmed on Monday that a bug in its software has led to instant messages being shared with unintended parties.

The company said it will provide an update to fix the problem in “the next few days.”

According to user reports, the unintended recipients have been connected to just one of the two users who exchanging messages. The problem could have harmful consequences. For example, two co-workers using Skype to exchange IMs (instant messages) could, as a result of the problem, share the message with another contact in one user’s address book — potentially a third co-worker being unfavorably described in their IM exchange.

According to Skype, the problem only arises in “rare circumstances.”

The issue first came to light last week in Skype’s user forums. It seems to stem from the update issued by the voice, video and text messaging service in June.

Source…

Is Motorola Mobility A Patent Pimp Too?

Motorola Mobility has received $228m in patent licensing deals.

Motorola Mobility, which is in the process of being bought by Google, confirmed in its accounts that in June 2010 the firm signed a licensing deal with an unnamed company for which Motorola would receive $175m and future royalties. Those future royalties stacked up to an impressive $228m in just the nine months leading up to 2 October 2010.

Google’s attempt to buy Motorola’s handset division was generally regarded as a move to acquire the firm’s considerable patent portfolio. Motorola’s handset division is widely credited with being one of the major contributors to the development of mobile phones and while the firm’s smartphones might not be as fashionable as devices from Apple, HTC or Samsung, it clearly has patents that can bring home the bacon.

Although Motorola did not disclose the name of the other party in its licensing deal, there is a better than average chance that it is Research in Motion. The two firms came to a “long-term, intellectual property cross-licensing arrangement involving the parties receiving cross-licenses of various patent rights” in June 2010.

Source…

Motorola Being Dragged Into Patent Lawsuit

Intellectual Ventures has set its sights on Motorola with a new lawsuit alleging that the mobile device maker has infringed on six of their patents.

The patents cover a variety of technologies related to text messaging, docking stations and pushing software out to devices.

Intellectual Ventures, which owns 35,000 patents, said it approached Motorola in January about licensing patents, including several named in the case, according to the lawsuit. Motorola refused to license the patents, Intellectual Ventures said.

Motorola, which is the subject of several other patent lawsuits, declined to comment on the dispute.

The suit names a number of Motorola products as infringing, including the Atrix, Photon 4G, Milestone, Triumph and Brute i680.

Though Intellectual Ventures said it first approached Motorola in January, records at the U.S. Patent and Trademark Office show that all but one of the patents were transferred to the company in July and September.

It’s up to patent holders to file documents showing transfer of ownership with the patent office, so the discrepancy of timing probably means only that the company was slow in doing its paperwork, said David Mixon, a patent attorney with Bradley Arant Boult Cummings LLP.

While patent lawsuits have become commonplace in the mobile industry, this one has a unique twist. Google, which recently announced plans to acquire Motorola, is an investor in Intellectual Ventures, patent expert Florian Mueller noted in a blog post Thursday.

The source

Adobe Flash Exploited

Hackers have found a way to exploit  Adobe Flash Player by using a zero-day vulnerability by using Microsoft Excel documents that was confirmed by Adobe yesterday. Adobe representatives that they will not be able to patch Flash until next week. Therefore, if you use Flash you are on your own until next week.  Read More….