Adobe fans - get ready for the patch but watch out for the scams.
Don't pay for free software. You're giving scammers money and undermining the reputation of the free software.
Adobe fans - get ready for the patch but watch out for the scams
Adobe has been in the news this week after alerting Flash, Acrobat and Reader users about a forthcoming out-of-band patch for its products.
By wrapping a Flash file in an Excel spreadsheet, potential attackers have demonstrated a remotely-exploitable vulnerability.
(The attack doesn't seem to be in-the-wild, and the exploit files I've heard of seem to rely on a sequence of already-known and already-detectable malicious operations, so there is no cause for alarm. But do look out for the Flash patches when Adobe publish them next week.)
One of the side-stories to this Flash-in-Excel risk is the suggestion that the creators of the exploit chose Excel as the container, instead of the more common PDF, because the exploit couldn't be made to work on computers running Adobe Reader X.
The good news, says Adobe proudly, is that the new Adobe X security sandbox would prevent this attack. On Windows, anyway. Mac and Linux users aren't sandboxed yet.
The bad news is that any broadly-publicised good news about product Y is easily exploited by scammers. If people are positive about Y, and a new version of Y is being talked about in the same breath, then scammers rush to offer you Y, but under false pretences.
And that's just what Naked Security reader Wez reported to us today. He received an email offering him the very latest releases of the amazing Acrobat X:
The email explicitly claimed to come from Adobe in Ontario:
It didn't, of course. This scam is similar to a Fake Anti-Virus (FakeAV) ripoff, except that the hokum product is a program to process PDF files.
Like FakeAV, the site is very thin and shallow, consistingly of little more than a home page, a generic "privacy policy" which gives no company information at all, and a range of download options that all lead to the same page:
The next page, of course, is where you pay:
Who knows what you'll get? You certainly don't get a download link if you don't pay, so there's no evaluation period for this product. But if you do pay, you're promised - for two days only - a FREE GIFT!!!
Guess what? The free gift software you're being offered is OpenOffice. It really is free. Always. In fact, you can download it free right now from the openoffice.org website.
It's no big leap to assume, in fact, that the whole deal you are being offered is OpenOffice. After all, OpenOffice itself lets you edit and create PDFs. In that case, you'd be buying OpenOffice and getting it for free at the same time.
Good news on the social networking security front is that Twitter has finally got its act together to offer an Always use HTTPS option.
Don't forget that it's not just experienced hackers who can sniff Twitter cookies and use them to impersonate you.