STE WILLIAMS

The Mozilla Foundation has set up camp alongside Apple in the “cookies are bad” section of the Internet, decreeing that three versions hence its flagship Firefox browser won’t accept cookies from anyone other than the publisher of websites it visits.

That version will be number 22 and is due for release on June 25th, 2013. That leaves the world’s web publishers a decent amount of time to adapt to the regime devised by Stanford graduate student Jonathan Mayer, who is also a contributor to the Firefox codebase and explains the new policy in a blog post here.

The post explains the new cookie policy enforced in the browser as follows:

Q: How does the new Firefox cookie policy work? A: Roughly: Only websites that you actually visit can use cookies to track you across the web. More precisely: If content has a first-party origin, nothing changes. Content from a third-party origin only has cookie permissions if its origin already has at least one cookie set.

Mayer points out that this plan is very similar to that employed for nearly a decade in Apple’s Safari browser, so should not set alarm bells ringing.

The practical effect of the change will be to stop advertising and networks using cookies when users visit pages containing their ads or widgets. Many users will appreciate that, as it will make it harder for their online activities to be mined, analysed and turned into “helpful” ads or other content.

Developers may need to do a little work to cope with the change, as Mayer writes “If a user does not seem to have intentionally interacted with your content, or if you’re uncertain, you should ask for permission before setting cookies. Most analytics services, advertising networks, and unclicked social widgets would come within this category.”

That could mean occasional problems for users, with some commenters on mozilla.dev.privacy who worry that some sites worrying about what might happen to users of early builds whos visit sites that expect untramelled cookie-dispensing rights.

Overall, however, commenters like the new policy which, once it comes into force will mean nearly 30 per cent (see browser share stats here) of web browsing will be done with browsers hostile to thrid-party cookies.

Firefox may, however, offer an out for all concerned, with Mayer’s post suggesting the new policy could exempt sites that sign up to the Do Not Track proposal. Mayer maintains that effort’s web site.. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/25/firefox_cookies_policy/

The Federal Trade Commission (FTC) has announced a settlement with smartphone-maker HTC over complaints that its handsets are riddled with security failings, and the government watchdog says it will check on compliance for … wait for it … the next 20 years.

The FTC complaint claims that when HTC customized Android and Window Phone code for its smartphones, it made little or no effort to address user security. The coding was claimed to be sloppy, HTC didn’t do any penetration testing on its handsets or train engineers in secure coding techniques, and the company’s staff used coding methods that are well-known to be poor security practices.

As a result, the personal information of millions of Android users was put at risk by HTC’s shoddy programming, the FTC claims, saying that applications were able to mask the level of data they were harvesting from end users. The FTC also cites security issues from the use of monitoring software by Carrier IQ, and HTC Loggers on HTC’s Android and Windows Phone handsets.

Meanwhile, HTC’s own user manuals contain “deceptive representations”, the FTC charged, and it said that the manufacturer’s Tell HTC application was at fault, as well. Those flaws could allow access to not only a customer’s private data, but also their GPS location and the content of text messages.

Under the terms of the deal HTC admits no guilt, but the list of things that it has agreed to do suggests that there wasn’t much security work being done by the Taiwanese manufacturer. The full settlement gives the company seven core tasks which you would have thought it would have done already.

These include actually assigning someone in the company to be responsible for security, doing a risk assessment on its current coding practices and handsets, designing safeguards against flawed code, and training in-house staff on good security practices, such as where to get updates and patches.

HTC also has to issue patches for the security holes it does have (Android 4.0 users will already have them, according to some reports), hire an independent third party with professional computer security credentials to check on the new internal processes, and submit a full report on progress to the FTC every other year for the next 20.

“The settlement with HTC America is part of the FTC’s ongoing effort to ensure that companies secure the software and devices that they ship to consumers,” said the government organization in a statement. For the next 30 days, members of the public can add their comments to the settlement here – keep it clean, please. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/22/ftc_setlles_htc_security/

Customer service provider Zendesk has been hacked – potentially blowing the lid on the anonymity of some users of Twitter, Pinterest and Tumblr.

Zendesk, which handles helpdesk emails for the aforementioned trendy blog trio, copped to the breach of its network in a blog post last night. It admitted its system was illegally accessed this week and a hacker got into support information for those three clients.

The intruder downloaded email addresses for users who’d got in touch with Tumblr, Twitter and Pinterest via Zendesk for support, as well as the message subject lines. Although no sensitive information beyond this was swiped, the hacker can at least associate the email addresses with their owners’ profiles and potentially unmask any anonymous tweeters, pinsters or tumblers behind them.

“We’re incredibly disappointed that this happened and are committed to doing everything we can to make certain it never happens again,” the firm said. “We’ve already taken steps to improve our procedures and will continue to build even more robust security systems.

“We are also completely committed to working with authorities to bring anyone involved to justice and make certain we fully understand what happened. As this process unfolds, we aim to update our customers in as transparent and timely a manner as possible about new developments.”

Twitter’s support had this to say about the breach:

Emailing a small percentage of Twitter users who may have been affected by Zendesk’s breach. No passwords involved. zendesk.com/blog/weve-been…

— Support (@Support) February 22, 2013

Meanwhile Tumblr emailed all of its affected users reminding them not to give out their password by email and warning them to watch out for unexpected emails.

“We’re working with law enforcement and Zendesk to better understand this attack,” the blogging site said. “Please monitor for email and Tumblr accounts for suspicious behaviour and notify us immediately if you have any concerns.”

Zendesk is a customer service that sorts out support emails and queries from clients’ users. Tumblr said it had been using the service for the last two and a half years. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/22/zendesk_hack_hits_twitter_tumblr_users/

Threats from social networking, video and filesharing pale in comparison to malicious content in business critical apps, according to a survey by network security firm Palo Alto Networks.

While 339 social networking, video, and file-sharing applications represent 20 per cent of network bandwidth use, they account for less than 1 per cent of threat logs.

Contrary to popular belief, exploits continue to target enterprises via commonly used business applications. Of the 1,395 applications studied, 10 were responsible for 97 per cent of all exploit logs observed and nine of them are business critical applications.

The top 10 applications by threat are: MS SQL; MS RPC; Web Browsing; Server Message Block; MS SQL Monitor; MS Office Communicator; SIP; Active Directory; Remote Procedure Call; and DNS.

The study, based on an analysis of network traffic of more than 3,000 organisations between May and December 2012, involved making sense of 12.6 petabytes of data, 5,307 unique threats and 264 million threat logs. Malware often hides inside custom applications, traffic analysis by Palo Alto suggests. Custom or unknown applications are the leading type of traffic associated with malware communications, accounting for 55 per cent of malware logs, but only consuming less than 2 per cent of network bandwidth.

SSL is used as both a security mechanism and a masking agent, with 356 applications that appeared in the study using SSL in one way or another. SSL by itself represented 5 per cent of all bandwidth and the sixth highest volume of malware logs. HTTP proxy, used both as a security component and to evade controls, exhibited the seventh highest volume of malware logs.

“The volume of exploits targeting business critical applications was stunning and serves as a data centre security wake-up call,” said Matt Keil, senior research analyst at Palo Alto Networks and author of the report. “These threats will continue to afflict organisations until they isolate and protect their business applications by bringing threat prevention deeper into the network.”

Correlating threats with specific applications allows security teams to get a better handle on risks in their networks, allowing them to adopt smarter security controls and procedures.

The latest Palo Alto Application Usage and Threat Report, the first version to correlate data on application usage and threat activity, can be downloaded here (registration required). A blog post summarising the main findings is here.

Data from the report can be explored using an interactive data visualisation tool, available here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/22/app_threat_analysis/

The website of US TV network ‪NBC‬ was hacked to deliver Java and PDF exploits.

The attack against NBC.com – which hosts entertainment and TV content – used a cybercrime toolkit called Redkit that was ultimately aimed at delivering Citadel, a banking Trojan. NBC acted promptly to cleaned up its promotional site, admitting the problem on NBCNews.com, part of its NBC News Digital group, which it said was not affected by the hack.

It’s unclear how many people were affected. An analysis of the attack by security consultancy Foc-IT can be found here. A blog post by anti-virus firm Eset can be found here.

“We’ve identified the problem and are working to resolve it. No user information has been compromised,” NBC said in a statement.

NBC News Digital credited security researcher Ronald Prins of Fox-IT in the Netherlands with tweeting the first warning about the problem. Prins tweeted a warning against visiting NBC.com yesterday morning, saying it was spreading malware. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/22/nbc_hack/

A high profile security report released earlier this week detailing Chinese military involvement in widespread online attacks is itself now being used as a lure in spear-phishing attacks, according to researchers.

The report, APT1: Exposing One of China’s Cyber Espionage Units, published by security firm Mandiant, made headlines across the globe as one of the first to detail a concrete link between the Communist Party and advanced persistent threat (APT) style attacks on a range of targets worldwide.

It claimed to have tracked down a group known as “APT1” or the “Comment Crew”, which operated out of the same Shanghai tower blocks as a unit of the People’s Liberation Army – 61398.

Now security vendor Symantec has spotted new targeted attacks using the report’s notoriety to trick users into opening a malicious email attachment.

It explained the following in a blog post:

The email we have come across is in Japanese, but this does not mean there are no emails in other languages spreading in the wild. The email purports to be from someone in the media recommending the report. The attachment is made to appear like the actual report with the use of a PDF file and the name of the company as the file name. However, like in many targeted attacks, the email is sent from a free email account and the content of the email uses subpar language.

The PDF file hides malware detected as Trojan.Pidief which, if opened, executes exploit code for an Adobe Acrobat and Reader remode code execution vulnerability.

In this instance the exploit code doesn’t drop any malware onto a user’s computer, although Symantec warned that there may be other variants in the wild which are more dangerous.

A second malicious version of the report was spotted by security researcher Brandon Dixon.

Labelled “Mandiant_APT2_Report.pdf” – this malicious file is password protected but if opened appears to contain elements of the CVE-2011-2462 Adobe Reader exploit spotted back in December 2011, he wrote in a blog post.

“Once executed on the system, a new process under the name ‘AdobeArm.tmp’ was identified running and the original Mandiant APT1 report is shown,” Dixon continued.

“This payload was collected back on November 6, 2012 and was completely unchanged showing a reuse in payloads even after several months.”

The threat will then try to contact a domain used in previous attacks on human rights activists, he said.

Mandiant issued a notice on Thursday warning users only to retrieve the official report from its own web site.

“We are currently tracking the threat actors behind the activity and have no indication that APT1 itself is associated with either variant,” it added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/22/apt1_report_used_spear_phishing/

The White House has unveiled a fresh strategy for combating the theft of American trade secrets – days after a high-profile Chinese cyber-espionage campaign against US corporate giants was exposed.

The strategy, outlined in a 141-page report [PDF] published on Wednesday, focuses on a five-part plan featuring diplomatic efforts, cooperation with private industry to bolster information security, legislation, law enforcement operations and public education campaigns. The US Departments of Commerce, Defense, Homeland Security, Justice, State and Treasury; the Office of the Director of National Intelligence; and the Office of the United States Trade Representative were all involved in drawing up the strategy, and will all be involved in aspects of putting it into play.

The US government report, which cites numerous examples of Chinese espionage and a lesser number of attacks traced to Russia and the countries, makes a fascinating read.

Although recent news headlines focused on state-sponsored cyber-espionage, the new Administration Strategy on Mitigation of Theft of US Trade Secrets also highlights the role of corrupt company insiders in the pilfering of trade secrets. Cyber-espionage is presented as making an existing threat far worse:

Foreign economic collection and industrial espionage against the United States represent significant and growing threats to the nation’s prosperity and security. Cyberspace—where most business activity and development of new ideas now takes place — amplifies these threats by making it possible for malicious actors, whether they are corrupted insiders or foreign intelligence services (FIS), to quickly steal and transfer massive quantities of data while remaining anonymous and hard to detect

Other targets of industrial espionage include firms in Canada, France, Germany, the UK and South Korea as well as US corporations, who seem to bear the brunt of attacks. And what other Western intelligence sources are telling their US counterparts, as summarised in the strategy document, bears repeating: “Russia also is seen as an important actor in cyber-enabled economic collection and espionage against other countries, albeit a distant second to China.”

The report states: “Trade-secret theft threatens American businesses, undermines national security, and places the security of the US economy in jeopardy. These acts also diminish US export prospects around the globe and put American jobs at risk.”

A key section of the document blames most of this malfeasance on China:

Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC {intelligence community] cannot confirm who was responsible.

Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.

Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.

Seven of eight highlighted cases of trade-secret theft in early section of the report involve Chinese nationals or Chinese firms. The exception involves the alleged theft of Goldman Sachs’ computing trading source code by an employee of Russian extraction. The Obama administration aims to clamp down on both corporate and state-sponsored trade secret theft.

A summary of the Department of Justice’s economic espionage and trade-secret criminal cases since January 2009 lists 18 Chinese suspects, one South Korean and an Indian. It also lists a case involving an attempted sale of Akamai trade secrets to Israel that the Israelis actively helped in thwarting. All the cited cases involve current or former employees of negotiable morals rather than infiltration by outside hackers.

The report is noteworthy in listing the main targets of trade-secret theft: these include information and communications technology; military technologies (particularly marine systems and drones – unmanned aerial vehicles) and other aerospace technologies; and technologies in sectors likely to experience fast growth, such as clean energy; healthcare and pharmaceuticals; and natural resources (including oil and gas).

Intelligence agencies have “used independent hackers at times to augment their capabilities and act as proxies for intrusions, thereby providing plausible deniability”, the report states. It singles out the use of the Iranian Cyber Army, a hacker group with links to the Iranian government, in “social engineering techniques to obtain control over internet domains and disrupt the political opposition” as an example of this so-called “hackers for hire” trend.

Other second-tier threats include hacktivists and Wikileaks:

Similarly, political or social activists may use the tools of economic espionage against US companies, agencies, or other entities, with disgruntled insiders leaking information about corporate trade secrets or critical US technology to ‘hacktivist’ groups like WikiLeaks.

Hacktivists are very much a footnote to the report which focuses on corrupt insiders – such as current and former employees – and state-sponsored hackers based in China as by far the most significant threat.

Cyber-espionage to swipe US trade secrets has been going on for the last six or seven years, we’re told, but are occurring with increasing frequency and getting much more media attention of late. The new strategy brings together existing initiatives in diplomacy, promotion of best practice and law enforcement action rather than introducing anything more radical, such as active defence. Strategies involving active defence may involve anything from hacking back against attackers to deliberately feeding hackers misinformation and snaring them with honeypots. The policy document also omits mention of recent debates about charging foreign cyber-spies with hacking into US corporations.

Instead the emphasis is placed far more on the Cyber Intelligence Sharing and Protection Act, or CISPA, legislation designed to facilitate sharing of intelligence about cyber-attacks and talk of how suspicions of industrial scale trade-secret theft may impact international trade negotiations – such as the Trans Pacific Partnership. The threat of trade sanctions against China is raised as a possible move although it’s not fully detailed.

The Obama administration’s announcement follows a spate of admissions by US high-tech firms, including Apple and Facebook, that they’ve fallen victim to hacking attacks linked to Java-based browser exploits. A separate run of attacks using spear-phishing and custom malware to compromise systems was levelled at The New York Times and The Wall Street Journal.

A detailed report drawn from a long-running investigation by security response firm Mandiant blamed a Shanghai-based Chinese military unit for spearheading many cyber-espionage campaigns over several years. China has denied these claims, arguing that it has often been a victim of cyber-attacks and called for greater international cooperation. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/21/us_revamped_cyber_strategy/

Following a recent spate of incidents in which high-profile accounts have been compromised by hackers, Twitter has implemented a security protocol designed to make it harder for fraudsters to send out emails that appear to come from Twitter.com addresses.

“We send out lots of emails every day to our users letting them know what’s happening on Twitter,” the company’s postmaster, Josh Aberant, wrote in a blog post on Thursday. “But there’s no shortage of bad actors sending emails that appear to come from a Twitter.com address in order to trick you into giving away key details about your Twitter account, or other personal information, commonly called ‘phishing’.”

To help curb such attempts, Aberant says Twitter has begun using Domain-based Message Authentication, Reporting, and Conformance (DMARC), an email-authentication technology developed by a number of prominent online companies, including AOL, Comcast, Facebook, Google, Microsoft, PayPal, and Yahoo!, among others.

At the heart of DMARC are the decade-old DomainKeys Identified Mail (DKIF) and Sender Policy Framework (SPF) mechanisms, which can be used to attach digital signatures to emails and validate their authenticity.

Because DKIF and SPF are difficult for organizations to implement effectively on their own, however, DMARC establishes a way for companies to collaborate and establish shared policies so that spoofed messages are recognized and handled appropriately.

“While this protocol is young, it has already gained significant traction in the email community with all four major email providers – AOL, Gmail, Hotmail/Outlook, and Yahoo! Mail – already on board, rejecting forged emails,” Twitter’s Aberant said.

   

DMARC lets mail senders and recipients share policies explaining how to spot forged mail and what to do about it

Getting duped into giving away a Twitter account password would leave any average user red-faced. But it can be particularly bad news for celebrities and companies that use the site as part of their online marketing strategies, as several have already learned.

Just this week, an unknown prankster gained control of the Twitter feed for fast-food chain Burger King and let loose a series of bizarre posts promoting its rival, McDonald’s. Twitter quickly shut down that account, but Jeep fell victim to a similar attack the next day – and these were hardly the first such incidents.

It’s not known just how hackers gained control of each of these accounts, but phishing for the passwords could certainly have been one way. Now that Twitter has implemented DMARC, however, such methods are far less likely to be successful – provided, of course, that the targeted Twitter account holders’ email systems also support it.

There’s a good chance that they will. According to DMARC.org, which manages the DMARC specification, 80 per cent of email boxes of typical US customers are now protected using the technology, as are 60 per cent of email boxes worldwide.

If you’re unlucky enough to be among that group, however, you’ll have to deal with the phishing problem another way – and there’s always Top Gear host Jeremy Clarkson’s method. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/21/twitter_adds_dmarc_security/

The founder of a project that aims to offer a global web application vulnerability scanner has defended the potentially controversial technology. The tech is a useful tool to check the security of websites you use for shopping, or to which you’ve submitted your personal data, but it could equally be a tool for budding VXers – although, as its founder points out: checking for the existence of vulnerabilities is not the same as exploiting them in an actual attack.

Alejandro Caceres, CTO at Hyperion Gray, presented the PunkSPIDER project at the ShmooCon 2013 cyber security conference in Washington DC on Saturday, 16 February.

“[PunkSPIDER] is a global web application vulnerability repository that is on track to cover the entire internet – we’ve discovered hundreds of thousands of vulnerabilities already,” Caceres explained. “This information is being made available for free to the general public in a search engine format, because we believe that the general public, not just the security community, should have access to information about the security status of the websites they use every day.”

The scanner and its architecture can handle a massive number of web application vulnerability scans, “set them loose on the internet, and make the results available to you”. It runs off of an Apache Hadoop cluster.

Caceres added that the presentation was “really well-received despite (or maybe because of) it being a bit controversial,” he added.

Early reactions to the PunkSPIDER have been mixed, although many have praised the technology for its innovation. PunkSPIDER is built on a scalable architecture, built for stability, and designed to help organisations to run vulnerability detection and mitigation of their publicly available assets.

However others have criticised PunkSPIDER as offering little more than a “centralized database for scriptkiddies”.

Caceres told El Reg: “In fact, the goal of my project [is] to alert firms to such vulnerabilities – for free – so that they could have their web developers fix it.

Not of much use to black hatters, actually

“I think there are probably quite a few folks out there who are conflating checking for the existence of vulnerabilities with exploiting them in an actual attack. But just to be clear, no one can conduct an exploit from PunkSPIDER nor is it intended for this purpose,” Caceres added.

Possible comparisons between PunkSPIDER and Metasploit are also wide of the mark because there’s no “sploit-ing” involved with PunkSPIDER.

“The main difference is that Metasploit is a repository of exploits that can be readily used against targets, whereas PunkSPIDER is a repository of specific discovered vulnerabilities on websites,” Caceres, adding that the technology is more like a SHODAN¹ for live web app vulnerabilities.

Caceres said the abuse of PunkSPIDER by script kiddies is a legitimate concern but argued that the tool helps the owners of Mom and Pop websites far more than it helps unskilled black-hat hackers. As a general note, the vulnerabilities that PunkSPIDER discovers are the most basic vulnerabilities that simple web development best practices could easily avoid.

“We’re not giving script kiddies any information that they can’t get on their own,” Caceres said. “In fact any and every website on the public internet is likely to get scanned for vulnerabilities by someone within weeks of going up. If the average website owner could plug in an IDS and watch the traffic on their website, they could see this for themselves – I do this in my day job and it’s admittedly pretty astonishing.”

Caceres acknowledged that PunkSPIDER can be “used for good or for evil” but the same point could be made about Metaploit and even Google hacking, as pioneered by Johnny Long, adding that he hoped the PunkSPIDER project will help to raise awareness about the issue of insecure and unsafe websites.

“There are enough threats on the internet already, we have no excuse for not eliminating the most common and simple of these,” Caceres explained.

“We also take extreme care to do very safe checks against sites, and we respect robots.txt and don’t crawl sites that don’t want to be crawled.”

He adds: “But one of my main points is that the average website owner doesn’t focus on website security, so we’re trying to make it more accessible to them (for free) and also point out that if they don’t take a few basic precautions, someone will break into their site – it’s only a matter of time. The first thing that we hope any website owner does when they hear about PunkSPIDER is go search for their own site or sites,” he said, adding that he hopes the tool will also be useful to ordinary web surfers.

Kickstarting a community

The open-source project is seeking donations. “I’m committed to PunkSPIDER being a free and open-source project for the duration of its existence, and I don’t have any plans to monetise the project in any way, aside from seeking donations to cover my operating costs whenever possible, thus the Kickstarter,” Caceres explained.

“I hope it becomes a community project, with like-minded people contributing new ideas for how to further its underlying mission. One idea I’ve already received is for a Firefox plugin that tells a user when they are visiting a site that has registered vulnerabilities in our database,” he added.

Other ideas include is publishing a set of PunkSPIDER rules that sysadmins can apply to their firewalls to block users from visiting unsafe sites. ®

Bootnote

¹ The Shodan search tool indexes routers, servers and other internet devices creating a means to pinpoint industrial control systems that might be vulnerable to tampering, among other applications.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/21/punkspider/

Adobe has pushed out an emergency security update for its PDF viewing software Reader and Acrobat to plug zero-day vulnerabilities that emerged last week.

The cross-platform update, issued yesterday, addresses flaws that were being actively exploited by miscreants to compromise and take over Microsoft Windows and Apple Mac OS X computers. Word of the bugs spread following the publication of a report by security biz FireEye on 12 February. Adobe acted quickly to publicise workarounds a day later, prior to pushing out patches for Windows, Mac and Linux systems on 20 February.

The updates cover all supported product versions (Reader and Acrobat 9, 10, 11) and unsurprisingly they’re all rated critical. Adobe’s advisory is here.

Paul Ducklin of antivirus outfit Sophos praised Adobe for its prompt response.

The update completes a pretty wretched month for Adobe. Earlier this week Mozilla released a new version of its Firefox browser that featured a built-in JavaScript-powered PDF viewer, allowing users to dispense with plugins from Adobe and its rivals. And at the start of the month the software giant was obliged to release emergency Flash patches that threw a fire blanket over not just one but two zero-day security vulnerabilities.

It subsequently emerged that Microsoft Office files containing code that exploited flaws in Adobe’s Flash player software were used to pull off corporate espionage against Windows-using businesses in the aerospace industry. Security experts at Lockheed Martin are credited with aiding Adobe; it’s a safe bet, therefore, to assume the defence titan was a target of this cyber-spying.

In fairness, all software developers have to deal with zero-day vulnerabilities from time to time. Foxit, which makes a PDF-viewing browser plugin to rival Adobe’s, was hit by one such calamity only last month. But Adobe Flash is second only to Oracle’s Java in terms of the number of security exploits targeting software in a modern hacker or cyber-spy’s toolkit; any un-patched holes in Adobe’s software are often seized and attacked in a race against the vendor and users. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/21/adobe_reader_acrobat_0days/