Also, I have been lax about updating this blog, so I have included several older items that have been sitting in my outbox that will affect some of you. Many vulnerabilities are being found these days in various unusual media players like the Real Player and the Shockwave Player, so if you don't need them I recommend uninstalling them rather than fighting to keep them updated.
Mozilla plugs Firefox drive-by-download zero-day | ZDNet
By Ryan Naraine | October 28, 2010, 10:54am PDT
Mozilla has quickly rushed out a Firefox security patch to provide cover for a zero-day flaw that was being exploited in drive-by malware downloads. ... The patch, rated “critical,” fixes a buffer overflow issue that was under attack at the Nobel Peace Prize web site. ... The vulnerability is fixed in Firefox 3.6.12, Firefox 3.5.15, Thunderbird 3.1.6, Thunderbird 3.0.10 and SeaMonkey 2.0.10. According to malware hunters tracking the threat, Firefox users who surfed to the Nobel Peace Prize site were silently infected with Belmoo, a Windows Trojan that gives the attacker complete control of the machine.
Adobe under attack: New PDF, Flash zero-day | ZDNet
By Ryan Naraine | October 28, 2010, 12:11pm PDT
Adobe’s security response team is scrambling to respond to new zero-day attacks against a computer hijack vulnerability in two of its most widely deployed products: Flash Player and Adobe PDF Reader.
The flaw, which is currently being exploited in the wild with booby-trapped PDF documents, affects Windows, Mac, Linux and Solaris users. The zero-day attacks are currently targeting Windows users.
Koobface Worm Targets Java on Mac OS X — Krebs on Security
A new version of the infamous Koobface worm designed to attack Mac OS X computers is spreading through Facebook and other social networking sites, security experts warn.
Security software maker Intego says this Mac OS X version of the Koobface worm is being served as part of a multi-platform attack that uses a malicious Java applet to attack users. According to Intego, the applet includes a prompt to install the malicious software:
'Highly critical' flaws hit RealPlayer | ZDNet
By Ryan Naraine | October 18, 2010, 10:54am PDT
Multiple “highly critical” security holes in RealNetworks’ RealPlayer software could expose millions of computer users to remote code execution attacks.
According to an advisory from Secunia, these flaws can be exploited by malicious people to compromise a user’s system.
This RealNetworks security notice details seven different vulnerabilities affecting Windows RealPlayer SP 1.1.4 and RealPlayer Enterprise 2.1.2. RealPlayer users are strongly encouraged to apply the available security patches.
Adobe Shockwave Player "Shockwave Settings" Use-After-Free Vulnerability
Juha-Matti reports that an odd Shockwave vulnerability has been identified (http://secunia.com/advisories/42112/). I call it "odd" because it's not the typical "download crafted flash file and it executes code." The victim has to open the Shockwave settings window while having the malicious website open. It's a new hurdle, but I'm not sure that it's insurmountable.
Zero Day readers, why aren't you patching Flash Player? | ZDNet
Adobe’s plan to rush out a fix for the latest Flash Player zero-day vulnerability got me thinking about patch adoption rates among ZDNet Zero Day readers.
According to our statistics counter, the majority of you (security-savvy readers?) are very tardy in applying Flash Player updates.