Security updates released for Adobe Reader zero-day vulnerability to arbitrary code execution

Adobe is warning customers of a critical zero-day bug that is active in the wild affecting its Adobe Acrobat PDF reader software.

The bug, tracked as CVE-2021-28550, affects eight versions of Adobe software (full list below) and exploits vulnerabilities in the software including arbitrary code execution, memory leaks and exposure of private information.

10 critical and four important vulnerabilities were addressed in Adobe Reader and Acrobat in addition to five critical flaws in Adobe Illustrator that were resolved by Tuesday’s security patch release. The technical specific details of the bug were not available to Adobe software users until after the 43 patch fixes were downloaded which meant that before manual user installation, the zero-day bug allowed for hackers to execute virtually any command on targeted systems.

Users can download these new security fixes by initiating the auto update feature of Acrobat and Reader by going to Help –> Check for Updates and installing via the Adobe Download Centre. This will remove the user intervention necessity to manually install security updates and allows Adobe products to update automatically upon detection of patch releases.

List of affected Adobe software versions:

– Acrobat DC, 2021.001.20150  and earlier versions - Windows

– Acrobat Reader DC, 2021.001.20150  and earlier versions – Windows

– Acrobat DC, 2021.001.20149  and earlier versions - macOS

– Acrobat Reader DC, 2021.001.20149  and earlier versions – macOS

– Acrobat 2020, 2020.001.30020 and earlier versions – Windows & macOS

– Acrobat Reader 2020, 2020.001.30020 and earlier versions – Windows & macOS

– Acrobat 2017, 2017.011.30194  and earlier versions – Windows & macOS

– Acrobat Reader 2017, 2017.011.30194  and earlier versions – Windows & macOS


NHS COVID-19 update blocked for breaching privacy rules

The NHS COVID-19 app, run by the Department for Health and Social Care (DHSC), has had its latest update blocked due to a breach in the privacy terms outlined by Apple and Google.

NHS Coronavirus app, available on Apple and Android devices, was designed to include a new feature that would allow users (upon showing a positive COVID test result) to upload a list of all locations and establishments they have visited using a phone scan QR code.

The Exposure Notification System built into the app’s software would then alert other users who had entered the same venue to monitor their symptoms or to immediately be tested. This update relies on location tracking for its function – a tracking type heavily reliant on Bluetooth monitoring of surrounding devices with the app installed – outlawed by Apple and Google privacy agreements.

This is the latest in a calamitous string of COVID app mishaps by the UK Government who had only recently scrapped plans for their own rival system to the Apple and Android contact tracing system.

Total development of the UK based rival tracking app cost £12 million over a 3 month period, but was eventually rejected due to battery life issues, privacy concerns over Bluetooth’s potentially invasive interaction with, and data collection from, other apps installed on the device such as Facebook and Twitter. As a consequence, the Apple and Android app was adopted even with the concerns over restrictions of location data.

As the UK returns to a quasi-normal state with Phase 2 of lockdown lifting measures being rolled out today, this news comes as a blow for the Department of Health who have released a statement reassuring the public that the update blockage does not affect the overall functionality of the NHS COVID-19 app and that there are “discussions ongoing with our partners to provide beneficial updates to the app which protect the public”

Instead of the updated version, the previous form of the app will still be obtainable in both the Google Play and iOS App Stores.


Google and Apple unite over user privacy

 

Google and Apple’s respective CEOs have joined forces over the issue of customer privacy, with Apple CEO Tim Cook publicly refusing the Federal Bureau of Investigation (FBI) ‘backdoor’ access to iPhone software.

Google CEO Sundar Pichai backed Apple’s decision on Twitter, arguing that assisting the FBI to gain such access to a private individual’s smartphone would be a ’troubling precedent.’

The mobile phone privacy dispute with the FBI over encryption comes 2 months after Farook and Tashfeen Malik killed 14 people in a mass shooting in San Bernadino, California, with investigators demanding that Apple now assist the authorities in accessing Farook Malik’s iPhone 5C.

Both Apple and Google argue that ‘backdoor’ decryption would put the privacy of millions of ordinary smartphone users at risk from Government intrusion, with Tim Cook famously arguing that ‘You can’t have a back door that’s only for the good guys’. In theory, each iPhone’s encryption method is unique, and Apple argue that there should be no possible method for accessing a given user’s data.

On Tuesday however a Federal Judge ordered Apple to disable Farook Malik’s suspected phone setting which enforces usage delays or wipes the iPhone in the event of multiple incorrect password attempts, giving the FBI the opportunity to automatically test millions of possible passwords without penalty.

Both companies’ actions are being driven by the issue of reputation: giving law enforcement authorities the ability to access an individual’s data would utterly undermine smartphone manufacturers’ advertisement of user security.

With neither side willing to back down, expect the dispute to go to the courts, with the key issue being whether Apple can control permitted access to this iPhone, and this iPhone only.

 

For specialist IT Support, contact Lineal today: 01271 375999 or email: [email protected]


Has Microsoft been tracking your Computer?

 

Almost certainly – but don’t panic. Details of anonymous data gathered from Windows 10 users were released this week, with Microsoft publishing more usage information surrounding Windows 10 tracking.

In a blog post, Microsoft explained that the data is gathered for “Standard diagnostic, anonymous analytics that enables us to deliver the best Windows 10 experience possible.”

Via Windows 10 tracking, Microsoft have now measured more than 200 million active devices running the new operating system, 2.4 billion search questions asked of Virtual Assistant Cortana, and more than 44.5 billion minutes spent using the new Microsoft ‘Edge’ browser.

Routine data collection is unlikely to concern most users – and has clearly been announced to show Windows 10’s success. Microsoft also casually notes that the new operating system, released in the summer of 2015, has been “Outpacing… Windows 8 by nearly 400%.”

The accelerating adoption of Windows 10, including among 22 million Enterprise and Education customers, offers Microsoft renewed hope for growing the user base of associated products, such as Azure cloud computing, Windows Phone and the impressive Office365.

If concerned, users can ‘turn off’ all feedback (aside from error reports) by setting the feedback option to ‘Basic’ in their settings.

Taking a more nuanced view, this admission illustrates an industry ever more capable (and willing) to be flexible with privacy concerns of customers in the quest for the perfect user experience.

 

Need Windows IT support and advice? Contact Lineal today: www.lineal.co.uk or 01271 375999


The Windows 10 update you didn’t notice

 

Windows 10.1 updates security

With ‘Windows 10.1’ now barely a month old, and the Microsoft operating system already running on over 12 million business PCs, how fares Microsoft’s free updates strategy?

Windows 10.1 update was released with relatively little fanfare (be honest, you didn’t notice) adds features that, understandably with hindsight, might have been a distraction at the main Windows 10 release back in July.

Packaged within were mainly performance and security upgrades – Windows 10.1 will now boot almost 30% faster than an old Windows 7 system on the same device, the Cortana virtual assistant has some new handwriting recognition skills and there are new enterprise tools for mobile devices. Microsoft Edge runs smoother too, offering previews of tabs before viewing and syncing favourites across devices.

Most importantly, after recent corporate data breaches in the news, Microsoft have added a range of new security safeguards. These including ‘Windows Hello’, supporting enterprise grade biometrics including fingerprint and facial recognition – sadly currently only available for US users.

Aside from controversy surrounding user privacy then (if you didn’t notice your Windows 10.1 update, that’s maybe because Microsoft installed it automatically on your device without asking you) the first free update went ahead with relevant additions and limited fuss.

Starting free updates officially moves Microsoft into line with Apple’s OS X business model that has become the industry standard. Yet limited promotion of Windows 10’s ongoing development risks downplaying Microsoft’s progress.

Which would be unfair, because Microsoft is plainly taking extra care to develop the business security of their product range, including the excellent Office365, Microsoft Azure and now Windows 10.1. Microsoft is clearly listening to business’ fears, and businesses should welcome it.

 

For help and support with Microsoft enterprise IT, contact Lineal today.