In the past couple of years, auto-update mechanisms that allow software applications to check for and install patches or new versions have become far more prevalent. Some software vendors have looked to push auto-updaters beyond the traditional “an update is available, do you want to install it?” format. Last year, Apple began using its updater to push additional software applications. Google’s Chrome browser silently installs updates, including new major versions, with no user interaction or notice. A new updater for Adobe Reader appears to be a hybrid of Chrome’s silent installer and more tradiitonal updaters.
On Wednesday, Feburary, 10, at 1pm EST, we will be hosting a public web chat to discuss auto-update mechanisms from the standpoint of balancing their security benefits with questions about appropriate disclosure and user control. Brad Arkin of Adobe will be participating, and the Google Chrome team has been invited to join, as well. The chat will incorporate VoIP audio (requires headset or microphone/speaker on your computer) as well as text, using dimdim’s Flash-based web conference system. Pre-registration is free and recommended. Just enter your e-mail address in the widget below. Feel free, as well, to help publicize this chat by clicking the “Share Widget” link.
Two new tricks have been reported that try to get users to download malicious software. The first is to send links via Twitter. Dmitry at Kaspersky Labs explains:
This profile has obviously been created especially for infecting users, as there is no other data except the photo, which contains the link to the video.
If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it’s a fake) on your machine; a technique that is currently very popular.
In reality, this is a Trojan downloader that proceeds to download 10 banker Trojans onto the infected machine, all of which are disguised as MP3 files.
As alluded to above, the second recently-popular method is to encourage people to download a fake version or update of Adobe Flash Player. As noted in an Adobe alert:
We have seen coverage from the security community of a worm on popular social networking sites that is using social engineering lures to get users to install a piece of malware. According to the reports, the worm posts comments on these sites that include links to a fake site. If the link is followed, users are told they need to update their Flash Player. The installer, posted on a malicious site, of course installs malware instead of Flash Player.
Adobe continues with the following useful advice:
We’d like to take this opportunity to reiterate the importance of validating installers and updates before installing them. First off, do not download Flash Player from a site other than adobe.com – you can find the link for downloading Flash Player here. This goes for any piece of software (Reader, Windows Media Player, Quicktime, etc.) – if you get a notice to update, it’s not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious.
Second, all Adobe software for Windows is signed with a digital certificate that is validated by Windows when you install our software. The Publisher will always be ‘Adobe Systems, Incorporated’, and you can verify this when you double-click the installer, or by right-clicking on the installer, selecting ‘Properties’, and going to the ‘Digital Signatures’ tab.
For Flash Player in particular, you can always go to this page to verify what version of Flash Player you have installed, and what the current version of Flash Player is for your Operating System. The current Flash Player version is 9.0.124.0.
