Suppose you've been reading this blog and others, and you've decided to keep yourself better informed about security vulnerabilities. So you subscribe to a few of the newsletters from SANS, check the CERT newsletters and site on a regular basis, and in general find yourself flooded with information you never knew existed. "How could there be so many security issues in the software I use on a daily basis?" you ask. But there are.
So you read an article like this one from the 12/4/06 (yesterday's) @RISK newsletter from SANS:
Description: The AcroPDF ActiveX control, included with Adobe Reader and Adobe Acrobat, contains multiple vulnerabilities in its "setPageMode()", "setLayoutMode()", "setNamedDest()", and "LoadFile()" methods. A web page that instantiates this control and calls one of these methods could exploit these vulnerabilities and execute arbitrary code with the privileges of the current user. Users can mitigate the impact of this vulnerability by disabling the affected ActiveX control via Microsoft's "kill bit" mechanism for CLSID "{CA8A9780-280D-11CF-A24D-444553540000}".
Status: Adobe confirmed, no updates available.
Council Site Actions: All responding council sites are waiting on additional information from the vendor. Almost all sites rely on the automatic update feature for their clients.
Now what do you do?
Really, there's not a lot TO do. You've got two basic choices (since the vendor hasn't released a fix): (a) Stop using the software, or (b) Wait for a fix. The important thing is that you now know that you need to be more careful when opening PDF files, whether they arrive as email attachments, are sent to you by someone, or come from a web site.
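The @RISK item quoted above also names the mitigation Adobe and Microsoft point to while no patch exists: setting the Internet Explorer "kill bit" for the control's CLSID so the browser refuses to instantiate it. The script below is an added example written for this post, not code from the original post, SANS, or Adobe. The CLSID is the one from the newsletter text; the registry location and the 0x400 flag are Microsoft's documented kill-bit mechanism (COMPAT_EVIL_DONT_LOAD). It assumes an elevated PowerShell session on the affected Windows machine.

```powershell
# Added example: set and verify the IE kill bit for the AcroPDF ActiveX control.
# CLSID is taken from the @RISK newsletter item quoted in the post.
# Registry path and 0x400 (COMPAT_EVIL_DONT_LOAD) are Microsoft's kill-bit mechanism.
# Run from an elevated (Administrator) PowerShell session.

$Clsid    = '{CA8A9780-280D-11CF-A24D-444553540000}'
$KillBit  = 0x400   # COMPAT_EVIL_DONT_LOAD: IE will not load the control at all
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KeyPath  = Join-Path $BasePath $Clsid

# Returns $true when the kill bit is already present in "Compatibility Flags".
function Test-KillBit {
    param([string]$Path, [int]$Flag)
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (([int]$item.'Compatibility Flags' -band $Flag) -eq $Flag)
}

if (Test-KillBit -Path $KeyPath -Flag $KillBit) {
    Write-Output "Kill bit already set for $Clsid"
} else {
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Preserve any compatibility flags already present; only OR in the kill bit.
    $existing = 0
    $item = Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -ne $item) { $existing = [int]$item.'Compatibility Flags' }
    New-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($existing -bor $KillBit) -Force | Out-Null
    Write-Output "Kill bit set for $Clsid"
}

# Re-read the value rather than trusting the write succeeded.
if (Test-KillBit -Path $KeyPath -Flag $KillBit) {
    Write-Output 'Verified: Internet Explorer will refuse to instantiate this control'
} else {
    Write-Warning 'Kill bit not present after write; check that the session is elevated'
}
```

Two caveats worth knowing before relying on this. First, the kill bit only stops Internet Explorer (and other hosts that honour the ActiveX Compatibility key) from loading the control; it does nothing for PDFs opened directly in Reader or Acrobat, so the advice in the post about being careful with attachments still applies. Second, on 64-bit Windows the 32-bit browser reads the same key under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so set it in both views if both IE builds are installed.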
Generally, the rules haven't changed: Don't open email or visit web sites that you aren't sure about.
I once had an otherwise pretty intelligent guy tell me: "I get lots of unsolicited emails. Resumes. Job applications. Papers. If I didn't open them, I couldn't do my job!" Ok. I accept that. Just don't ask me to connect your computer to my network.