Thursday, October 28, 2010

Protect yourself against new Flash and Reader zero-day.

Flash and Reader are under attack, and a fix is not due until November 9, 2010. What you could do until then:


Advisory at

Shockwave for Director

A new version of Shockwave for Director was released today, with critical security fixes. SecBrowsing was just updated to point to the latest secure version,

Thursday, October 21, 2010

New RealPlayer vulnerabilities and versions

The open question is how either a website or the browser itself can detect whether the installed RealPlayer version is vulnerable.

I've tried to make sense of their vulnerability matrix in the past, but I think I'm going to give up this time:

If you can help me understand it, I'd be grateful!

My personal recommendation is to at least disable it and only enable it if you run into a website that needs it.

Critical 0-day vulnerability in Adobe Shockwave for Director -- disable now

There's a zero-day vulnerability with a code sample available. In the past, that usually led to active exploits within a few days.

The only defense right now is to disable Shockwave:
  • Type about:plugins, hit enter.
  • Find "Shockwave for Director" (no, not Shockwave Flash)
  • If you can't find it, good! Otherwise, click "Disable".
Adobe has released an advisory, but there's no patch to download yet.

In a previous post I was counting over 1 vulnerability per week:

In an even older post I tried to answer some common questions such as "What is Shockwave for Director?"

Monday, October 18, 2010

Java 6u22 released

The release contains "a collection of patches for multiple security vulnerabilities". The advisory from Oracle is available at

SecBrowsing was updated to warn if you are running a vulnerable version.

Thursday, October 7, 2010

Adobe Reader 9.4.0 released

SecBrowsing was just updated to point to Adobe Reader 9.4.0, which was released a couple of days ago, and is available at

Many security vulnerabilities were fixed. The advisory from Adobe is available here: