Thursday, November 4, 2010

Firefox, Thunderbird patched; Adobe Flash patch due today, other stuff

More patching: Firefox has been patched to plug a 0-day flaw that was being exploited "in the wild", and Mozilla Thunderbird has been patched to fix the same bug (which was not exploitable in TBird).  Adobe's Flash Player and Adobe Reader 9 both have a vulnerability that is also currently being exploited; Adobe is supposed to issue a patch for the Flash Player today (November 4, 2010) but Reader won't be patched for another 11 days.  Adobe Reader 8 apparently doesn't have the vulnerability.

Also, I have been lax about updating this blog, so I have included several older items that have been sitting in my outbox that will affect some of you.  Many vulnerabilities are being found these days in various unusual media players like the RealPlayer and the Shockwave Player, so if you don't need them I recommend uninstalling them rather than fighting to keep them updated.

Mozilla plugs Firefox drive-by-download zero-day | ZDNet
By Ryan Naraine | October 28, 2010, 10:54am PDT
Mozilla has quickly rushed out a Firefox security patch to provide cover for a zero-day flaw that was being exploited in drive-by malware downloads. ... The patch, rated “critical,” fixes a buffer overflow issue that was under attack at the Nobel Peace Prize web site. ... The vulnerability is fixed in Firefox 3.6.12, Firefox 3.5.15, Thunderbird 3.1.6, Thunderbird 3.0.10 and SeaMonkey 2.0.10.  According to malware hunters tracking the threat, Firefox users who surfed to the Nobel Peace Prize site were silently infected with Belmoo, a Windows Trojan that gives the attacker complete control of the machine.

Adobe under attack: New PDF, Flash zero-day | ZDNet
By Ryan Naraine | October 28, 2010, 12:11pm PDT
Adobe’s security response team is scrambling to respond to new zero-day attacks against a computer hijack vulnerability in two of its most widely deployed products: Flash Player and Adobe PDF Reader.

The flaw, which is currently being exploited in the wild with booby-trapped PDF documents, affects Windows, Mac, Linux and Solaris users. The zero-day attacks are currently targeting Windows users.

Koobface Worm Targets Java on Mac OS X — Krebs on Security
A new version of the infamous Koobface worm designed to attack Mac OS X computers is spreading through Facebook and other social networking sites, security experts warn.

Security software maker Intego says this Mac OS X version of the Koobface worm is being served as part of a multi-platform attack that uses a malicious Java applet to attack users. According to Intego, the applet includes a prompt to install the malicious software:

'Highly critical' flaws hit RealPlayer | ZDNet
By Ryan Naraine | October 18, 2010, 10:54am PDT
Multiple “highly critical” security holes in RealNetworks’ RealPlayer software could expose millions of computer users to remote code execution attacks.

According to an advisory from Secunia, these flaws can be exploited by malicious people to compromise a user’s system.

This RealNetworks security notice details seven different vulnerabilities affecting Windows RealPlayer SP 1.1.4 and RealPlayer Enterprise 2.1.2.

RealPlayer users are strongly encouraged to apply the available security patches.

Adobe Shockwave Player "Shockwave Settings" Use-After-Free Vulnerability

Juha-Matti reports that an odd Shockwave vulnerability has been identified (http://secunia.com/advisories/42112/). I call it "odd" because it's not the typical "download crafted flash file and it executes code." The victim has to open the Shockwave settings window while having the malicious website open. It's a new hurdle, but I'm not sure that it's insurmountable.

Zero Day readers, why aren't you patching Flash Player? | ZDNet
Adobe’s plan to rush out a fix for the latest Flash Player zero-day vulnerability got me thinking about patch adoption rates among ZDNet Zero Day readers.

According to our statistics counter, the majority of you (security-savvy readers?) are very tardy in applying Flash Player updates.
