Thursday, October 28, 2010

Protect yourself against new Flash and Reader zero-day.

Flash and Reader are under attack, and a fix is not due until November 9, 2010. What you could do until then:

Flash
Reader

Advisory at
http://www.adobe.com/support/security/advisories/apsa10-05.html

Shockwave for Director 11.5.9.615

A new version of Shockwave for Director was released today, with critical security fixes. SecBrowsing was just updated to point to the latest secure version, 11.5.9.615.

http://www.adobe.com/support/security/bulletins/apsb10-25.html

Thursday, October 21, 2010

New RealPlayer vulnerabilities and versions

The open question is how either a website or even the browser itself can detect whether the installed RealPlayer version is vulnerable.


I've tried to make sense of their vulnerability matrix in the past, but I think I'm going to give up this time:

http://service.real.com/realplayer/security/10152010_player/en/

If you can help me understand it, I'd be grateful!

My personal recommendation is to at least disable it and only enable it if you run into a website that needs it.

Critical 0-day vulnerability in Adobe Shockwave for Director -- disable now

There's a zero-day vulnerability with a code sample available. In the past, that has usually led to active exploits within a few days.

The only defense right now is to disable Shockwave:
  • Type about:plugins, hit enter.
  • Find "Shockwave for Director" (no, not Shockwave Flash)
  • If you can't find it, good! Otherwise, click "Disable".
Adobe has released an advisory, but there's no patch to download yet:
http://www.adobe.com/support/security/advisories/apsa10-04.html

In a previous post I was counting over 1 vulnerability per week:
http://secbrowsing.blogspot.com/2010/08/one-security-hole-per-week-for-obscure.html

In an even older post I tried to answer some common questions such as "What is Shockwave for Director?"
http://secbrowsing.blogspot.com/2010/05/how-to-uninstall-shockwave-and-other.html

Monday, October 18, 2010

Java 6u22 released

The release contains "a collection of patches for multiple security vulnerabilities". The advisory from Oracle is available at
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

SecBrowsing was updated to warn if you are running a vulnerable version.

Thursday, October 7, 2010

Adobe Reader 9.4.0 released

SecBrowsing was just updated to point to Adobe Reader 9.4.0, which was released a couple of days ago, and is available at http://get.adobe.com/reader/.

Many security vulnerabilities were fixed. The advisory from Adobe is available here: http://goo.gl/RCiD.
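
As an added example (not SecBrowsing's own code), here is one way a page could compare plugin version strings against the fixed versions named in these posts, reporting "unknown" when no version can be read, which is the RealPlayer situation described above. The matching patterns and the sample plugin strings are constructed assumptions.

```javascript
// Minimum fixed versions named in the posts on this page.
// The "match" patterns are assumptions about how plugins identify themselves.
const MIN_SECURE = [
  { product: "Shockwave for Director", match: /shockwave for director/i, min: [11, 5, 9, 615] },
  { product: "Adobe Reader", match: /adobe (reader|pdf|acrobat)/i, min: [9, 4, 0] },
  { product: "Java", match: /\bjava\b/i, min: [1, 6, 0, 22] }, // 6u22 reports as 1.6.0_22
];

// Extract a numeric version tuple from a plugin name/description string.
function parseVersion(text) {
  const dotted = /\d+(?:[._]\d+)+/.exec(text);
  if (dotted) return dotted[0].split(/[._]/).map(Number);
  // Java marketing form: "6 U22", "6u22", "6 Update 22" -> 1.6.0_22
  const java = /\b(\d+)\s*u(?:pdate)?\s*(\d+)\b/i.exec(text);
  if (java) return [1, Number(java[1]), 0, Number(java[2])];
  return null; // no readable version: caller must not assume "safe"
}

// Compare tuples component-wise; missing components count as 0.
function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Classify each tracked plugin as "ok", "vulnerable" or "unknown".
function auditPlugins(plugins) {
  const findings = [];
  for (const p of plugins) {
    const text = `${p.name} ${p.description}`;
    const rule = MIN_SECURE.find((r) => r.match.test(text));
    if (!rule) continue; // no minimum version tracked (e.g. Shockwave Flash)
    const v = parseVersion(text);
    const status = !v ? "unknown" : compareVersions(v, rule.min) < 0 ? "vulnerable" : "ok";
    findings.push({ product: rule.product, version: v ? v.join(".") : null, status });
  }
  return findings;
}

// Constructed sample input, shaped like navigator.plugins entries.
const SAMPLE_PLUGINS = [
  { name: "Shockwave for Director", description: "Adobe Shockwave for Director Netscape plug-in, version 11.5.8.612" },
  { name: "Shockwave Flash", description: "Shockwave Flash 10.1 r85" },
  { name: "Java(TM) Platform SE 6 U22", description: "Next Generation Java Plug-in 1.6.0_22 for Mozilla browsers" },
  { name: "Adobe Acrobat", description: "Adobe PDF Plug-In For Firefox and Netscape" },
];
console.log(auditPlugins(SAMPLE_PLUGINS));
```

An "unknown" result should be handled like "vulnerable" (warn, or disable the plugin), since a missing version string says nothing about whether the fix is installed.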