Here are some of the most significant bugs from the past week in the BugBlog:
Adobe now has a patch for the security problems in Adobe Reader and Acrobat 7.0.8 and earlier versions. The bugs, which were in the 1/4 BugBlog, may allow both cross-site scripting attacks and a takeover of the victim's computer by the attacker. Adobe's earlier advice was to upgrade to Adobe Reader 8. They now have a patch that will fix version 7.0.8 of the Reader as well as Acrobat Elements, Standard, and Professional; good news for those latter users, since the upgrade from 7.0.8 to 8.0 will normally not be free. Get the patch from Adobe's website.
The Month of Apple Bugs (MOAB) project has come up with a series of bugs in the UFS filesystem that can be triggered via DMG files (disk image files). At least one of the bugs can be exploited remotely via Safari if the "opening safe files after downloading" option is turned on. These bugs occupy the #9 through #12 spots on the list at the project's site. As workarounds, avoid DMG files from untrusted sources, and turn off that Safari option.
There is a bug in the Vector Markup Language (VML) in Microsoft Windows that can allow remote attackers to run hostile code on your computer. The vulnerability is exposed through Microsoft Internet Explorer 5.5, 6, and 7, which means it affects Windows 2000, Windows XP, and Windows Server 2003. Vista is unaffected. Microsoft says this is a Critical Update, and it is available on their TechNet site. They also have workaround information there, if you can't install the patch right away. Microsoft credits Jospeh Moti working with the iDEFENSE Contributor Program for finding this bug.