Posts Tagged ‘security flaw’

SumatraPDF: a Free Software (Secure) Alternative to Adobe Acrobat Reader

Friday, July 19th, 2013

If you're forced to use MS Windows but still want to use as much Free Software as possible, i.e. stay away from the non-free Adobe Acrobat Reader, there is Sumatra PDF, a good alternative that renders most PDFs well. For rendering PDFs Sumatra PDF uses the muPDF library. SumatraPDF is minimalistic software: it does exactly what it is meant for, reading PDFs. Unfortunately, from version 0.6 Sumatra implements DRM (Digital Rights Management), so it is not possible to copy text from DRM-ed documents.
Sumatra opens the following formats: Open XML Paper Specification (XPS), DjVu, EPUB, CHM, CBZ and CBR, and MOBI files.
As of the time of writing, the official Sumatra PDF version is 2.3.2.


I've made a mirror of the Sumatra PDF 2.3.2 installer here, and the zipped Sumatra PDF is here.

Sumatra PDF works on Windows XP, Vista and Windows 7.

One of the key advantages of Sumatra PDF over Adobe Acrobat Reader is that you don't need to update it all the time, and, since it implements only a minimal feature set, it is much less likely to be hit by a security flaw in the PDF format.

For people who use Linux, BSD or some other Unix and want to stay free from the proprietary Adobe Acrobat Reader, two nice alternatives are GNOME's default PDF reader Evince and KDE's Okular.

How to make the MySQL root user log in interactively with the mysql cli without a password

Wednesday, June 29th, 2011


I'm accessing MySQL servers via localhost with the mysql cli on a daily basis.
With time I've figured out that it's pretty unhandy to always log in with my MySQL root password, i.e. to type it in each time, e.g.:

root@mysql-server:~# mysql -u root
Enter password:
...

Thus, to make my life a lot easier, I decided to store my MySQL root password so that my root admin user can log in to the MySQL server without being asked for a password. This saves time and nerves, as I no longer have to look up the file where I keep the server's MySQL root password.

To allow the mysql cli to log in to the SQL server without a password, I had to create the file /root/.my.cnf, readable only by my root user, and store my MySQL username and password there.

Here is a sample /root/.my.cnf file (note that the option name the mysql client reads is password, not pass; the client refuses to start on unknown option names in its option file):

root@mysql-server:~# cat /root/.my.cnf
[client]
user="root"
password="mysecretMySQLPasswordgoeshere"

The next time I use the mysql console to access the server I don't have to supply the password; here is how much easier the login is afterwards:

root@mysql-server:~# mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3520
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

The only downside of using .my.cnf to permanently store the MySQL root user and password is security.
If, for instance, somebody roots my servers where I have stored the root user/password in .my.cnf, he will immediately be able to access the MySQL server as well.

Another possible security flaw with the passwordless mysql login "trick" is if somebody forgets to set proper file permissions on .my.cnf.

Once again, the file should have the following permissions:

root@mysql-server:~# ls -al /root/.my.cnf
-rw------- 1 root root 90 Apr 2 00:05 /root/.my.cnf

Any other permissions might allow non-privileged users to read the file and gain unauthorized admin access to the SQL server.
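The two pitfalls above (a file that is briefly world-readable while it is written, and permissions that were never set) can be handled in a small script. The following is an added example and not code from the original post: it writes a [client] option file with a umask that makes it 0600 from the moment it exists, and checks mode and owner before anything relies on it. The paths and the credential are constructed for the demo; the mode and uid are read with stat, trying the GNU spelling first and the BSD one second.

```shell
#!/bin/sh
# Added example (not from the original post): create a [client] option file
# the mysql cli reads, and verify it is private before relying on it.
# The file path and the password below are constructed for the demo.

# write_mycnf FILE USER PASSWORD
# The subshell's umask 077 makes the file 0600 from the moment it exists,
# so there is no window in which other users could read the password.
write_mycnf() {
    (
        umask 077
        printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1"
    )
}

# mycnf_mode FILE: print the permission bits in octal, e.g. 600
# (GNU stat first, then the BSD/macOS spelling)
mycnf_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# mycnf_uid FILE: print the numeric uid of the owner
mycnf_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# check_mycnf FILE [UID]
# Return 0 only when FILE exists, is mode 0600 and is owned by UID
# (default: the current user). Any group/other bit is a failure, since
# it would let non-privileged users read the MySQL admin password.
check_mycnf() {
    file=$1
    want_uid=${2:-$(id -u)}
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    mode=$(mycnf_mode "$file")
    uid=$(mycnf_uid "$file")
    if [ "$mode" != "600" ]; then
        echo "$file: mode $mode is too permissive, expected 600" >&2
        return 1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "$file: owned by uid $uid, expected uid $want_uid" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo on a throwaway directory with a constructed secret
demo_dir=$(mktemp -d)
write_mycnf "$demo_dir/my.cnf" root 'constructed-demo-secret'
check_mycnf "$demo_dir/my.cnf" && echo "ok: $demo_dir/my.cnf is private"
chmod 644 "$demo_dir/my.cnf"   # simulate the mistake the post warns about
check_mycnf "$demo_dir/my.cnf" || echo "rejected: $demo_dir/my.cnf is readable by others"
rm -rf "$demo_dir"
```

Running check_mycnf from a login script or a cron job is a cheap way to catch a .my.cnf whose permissions were loosened later, for instance by a careless copy or a backup restore.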

New critical Adobe Flash Player security flaw allows a malicious attacker to get access to Windows, Linux, Mac OS and BSD

Wednesday, April 20th, 2011


A new zero-day exploit for Adobe Flash Player has been published on http://exploit-db.com .
The published exploit targets Windows 7 systems.
Even though the published version of the exploit is said to affect Windows 7 installations, the shellcode in this proof-of-concept (PoC) exploit could surely be changed to one that would also work on Linux.
Most likely Linux exploitation will be a harder task to achieve; however, the security advisory issued at http://www.adobe.com/support/security/advisories/apsa11-02.html recommends an immediate update of the Flash Player.

According to some rumors, the 0-day Adobe Flash vulnerability has been exploited for a long time to get access to confidential U.S. government documents.

A classic way malicious hackers are said to use is sending an email containing a Flash (.swf) file; by simply opening the email attachment the victim gets exploited.

Adobe has officially reported that there is no information on whether attacks have targeted other company software like Adobe Acrobat Reader, which supports embedded Flash.
According to Adobe, Adobe Reader is not vulnerable to this kind of attack as it uses a protected mode which would mitigate the attack (though I doubt this claim).

The affected versions of Adobe's Flash Player are:

  • Flash Player 10.2.153.1 for Windows
  • Flash Player 10.2.153.1 for Apple Macintosh
  • Flash Player 10.2.153.1 for Linux and Solaris
  • Flash Player 10.2.156.12 for Android Mobile platform

as well as the Authplay.dll library used by Adobe's Acrobat Reader.

Earlier versions of Flash Player are also affected by the critical security vulnerability.
There are already rumors that the vulnerability is being exploited using crafted (.swf) files embedded in Microsoft Word .doc files.

This new critical vulnerability is another example clearly showing how insecure a user who has Flash enabled in their browser is.

According to preliminary information, exploitation of this critical security flaw can be successfully achieved in most (if not all) browsers.

So far, browsing on Linux was always considered to be way more secure than on Windows; with this issue coming up, that belief is questioned.
Surely many Linux distributions, as well as FreeBSD and other BSD derivatives used as desktops, will not package a newer version of the Adobe Flash (flashplugin-nonfree) package on time.

Today the Flash Player is a de-facto standard and is widespread among most modern internet-connected operating systems; obviously its uniform use creates uniform problems.

This Flash security issue is a good example of why non-free technologies should not be set as standards.
If the Flash player and its standard were free and everybody could create and distribute Flash players freely, a vulnerability affecting so many operating systems and so many browsers would never have come true.

To sum it up, this issue will surely create a lot of problems and opens a serious security hole for us Linux users.

Therefore be sure to update your Flash Player before someone exploits you through the web.