blog trackingRealtime Web Statistics Flash Archives - Page 3 Of 5 - Gregory D. Evans | Worlds No. 1 Security Consultant | Gregory D. Evans | Worlds No. 1 Security Consultant - Part 3

Posts Tagged ‘Flash’

Adobe patches new Flash zero-day bug with emergency update

Adobe today warned that hackers are exploiting a critical vulnerability in its popular Flash Player program, and issued an emergency update to patch the bug.
View full post on Computerworld Security News

View full post on National Cyber Security » Announcements

HP Warns of ProCurve Switches with Malware-Laden Flash Cards

The company says HP 5400 zl series switches purchased after April 30, 2011 may be affected.

View full post on eSecurityPlanet RSS Feed

View full post on National Cyber Security

Adobe Reader vulnerabilities patched and bundled Flash Player removed

Adobe Systems has released new versions of Adobe Reader 10.x and 9.x, addressing four arbitrary code execution vulnerabilities and making several security-related changes to the product, including the removal of the bundled Flash Player component from the 9.x branch.

All of the vulnerabilities fixed in the newly released Adobe Reader 10.1.3 and Adobe Reader 9.5.1 versions could be exploited by an attacker to crash the application and potentially take control of the affected system, Adobe said in its APSB12-08 security bulletin. Users are advised to install these updates as soon as possible.

The company also announced that Adobe Reader 9.5.1 no longer includes authplay.dll, a Flash Player library that was bundled with previous versions of the program to enable the rendering of Flash content embedded in PDF documents.

The presence of the authplay.dll component in Adobe Reader has caused some security issues in the past, primarily because of the inconsistent update schedules for Adobe Reader and Flash Player.

Authplay.dll contains much of the stand-alone Flash Player’s code, which also means that it shares most of the latter’s vulnerabilities. However, while Flash Player is patched by Adobe when needed, Adobe Reader used to follow a more strict quarterly update cycle.

Product Security Incident Response Team

This often resulted in situations where some known vulnerabilities got patched in Flash Player, but remained exploitable through authplay.dll for months, until the next scheduled update for Adobe Reader.

Such is the case with the new Adobe Reader 10.1.3 version, which incorporates three previous Flash Player security updates that were released separately during the last three months.

Starting with Adobe Reader 9.5.1, Adobe Reader 9.x will use the stand-alone Flash Player plug-in that’s already installed on computers for browsers like Mozilla, Safari or Opera, in order to play Flash content in PDF files.

This functionality will not work with the ActiveX-based Flash Player plug-in for Internet Explorer or the special Flash Player plug-in version bundled with Google Chrome.

Adobe plans to remove authplay.dll from the 10.x branch of Adobe Reader in the future as well and is currently working on APIs (application programming interfaces) to make this possible, said David Lenoe, group manager for Adobe’s Product Security Incident Response Team (PSIRT).

Vulnerability management vendor Secunia welcomes Adobe’s decision to remove authplay.dll from Adobe Reader, because it will make addressing Flash vulnerabilities easier for users, Secunia’s chief security specialist, Carsten Eiram, said.

3D content rendering

“However, the default option in Adobe Reader should be to not support Flash content in PDF files, requiring users to specifically enable this,” Eiram said. “Most users do not need it and Flash content embedded in PDF files has historically been exploited as a vector to compromise Adobe Reader users’ systems.”

This is actually the approach Adobe has taken with the 3D content rendering feature. Starting with Adobe Reader 9.5.1, this feature has been disabled by default because it’s not commonly used and can be exploited in certain circumstances, Lenoe said.

“We’ve seen 0-days targeting this part of the functionality and it seems to be one of the more flawed features,” Eiram said. “We’ve for a long time been recommending users to disable the plugins used for 3D parsing.”

In addition to making these security patches and changes, Adobe also decided to cancel its quarterly update cycle for Adobe Reader and Acrobat and return to its previous patch-as-needed policy. Future Adobe Reader updates will continued be released on the second Tuesday of the month, but it will no longer happen every four months.

“We will publish updates to Adobe Reader and Acrobat as needed throughout the year to best address customer requirements and keep all of our users safe,” Lenoe said.

“The quarterly update cycle never worked for Adobe,” Eiram said. “Vulnerability fixes should always be provided as quickly as possible; it’s not justifiable to unnecessarily postpone a vulnerability fix for up to three months simply due to policy reasons.”

Article source:

View full post on National Cyber Security » Computer Hacking

HP enterprise switches shipped with malware on flash cards

According to a new security bulletin from HP, some of their ProCurve 5400zl switches may have shipped with malware-laden compact flash cards. While HP does state that inserting one of the infected cards into a computer could compromise the system, they don’t offer many other details — like whether or not the malware can self-propogate while the card is sitting in a switch.

They also didn’t specify which malware was found on the cards, and it’s not yet known how the cards became infected in the first place. Not all 5400zl switches are affected, however, just the specific serial numbers listed on HP’s website, all of which were sold starting in May of 2011.

Two resolves are being offered. For administrators who don’t mind a little downtime, HP will ship a replacement management module and deal with the malware removal. The switches can also purge the unwanted contents of the cards themselves via a script that can be run after establishing a console session. The second option, HP says, should have no impact on network operation and it also avoids the potential threat posed by inserting the card into a PC to attempt malware removal.

This isn’t the first time a big-name company has discovered that products they’ve shipped had been used as malware mules. Dell had a similar issue in 2010, when the Spybot worm was found hiding out on replacement motherboards. Like these ProCurve switches, digital cameras, MP3 players, and mobile phones from companies including Olympus and Samsung have shipped in the past few years with infected memory cards.

More at Security Week

Article source:

View full post on National Cyber Security » Virus/Malware/Worms

Flash Player 11.2 fixes critical vulnerabilities and adds silent updates

Adobe have released Flash Player 11.2, addressing two critical arbitrary code execution vulnerabilities and introducing a silent update option.

One of the patched vulnerabilities stems from how older versions of Flash Player checks URL security domains, and only affects the Flash Player ActiveX plug-in for Internet Explorer on Windows 7 or Vista.

Both vulnerabilities can trigger memory corruptions and can be exploited to execute arbitrary code remotely. However, Adobe is not aware of any exploits for these flaws being used in online attacks at this time, said Wiebke Lips, Adobe’s senior manager of corporate communications.

Users of Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris are advised to update to the new Adobe Flash Player 11.2 for their respective platforms. Users of Adobe Flash Player for Android are advised to update to Flash Player

Flash Player 11.2 also introduces a new updating mechanism that can be configured to check for and deploy updates in the background automatically, without requiring user interaction. The feature has been in Adobe’s plans for a long time and is expected to decrease the number of outdated Flash Player installations that attackers can target.

“The new background updater will provide a better experience for our customers, and it will allow us to more rapidly respond to zero-day attacks,” said Peleus Uhley, platform security strategist at Adobe. “This model for updating users is similar to the Google Chrome update experience, and Google has had great success with this approach. We are hoping to have similar success.”

The move was welcomed by Thomas Kristensen, chief security officer at Secunia, which develops the popular Personal Software Inspector (PSI) patch management program.

“A silent and automatic updating mechanism for Flash would help the majority of users. A more consistent and rapid updating of the user base is likely to impact the attackers’ preferences for Flash,” he said.

Of course, this will only happen after the vast majority of users upgrade to Flash Player 11.2 or a later version using the old method that requires explicit approval.

When Adobe Flash Player 11.2 is installed, users are asked to choose an update method. The available choices are: install updates automatically when available (recommended), notify me when updates are available, and never check for updates (not recommended).

The silent updater will try to contact Adobe’s update server every hour until it succeeds. If it receives a valid response from the server that no update is available, it will wait 24 hours before checking again.

For now, the automatic update option is only available for Flash Player on Windows, but Adobe is working on implementing it for Mac versions as well, Uhley said.

However, even if the automatic update option is enabled, Adobe will decide on a case-by-case basis which updates will be deployed silently and which won’t. Those that change the Flash Player default settings will require user interaction.

The new updater will update all Flash Player browser plug-ins installed on the system at the same time. “This will solve the problem of end-users having to update Flash Player for Internet Explorer separately from Flash Player for their other open source browsers,” Uhley said.

In addition to keeping the Flash Player install base up to date more easily and reducing the time required to effectively respond to zero-day attacks — attacks that exploit previously unknown vulnerabilities — the new silent updater could also reduce the number of scams that distribute malware as Flash Player updates.

“The pretext of a Flash Player update has been intensively used by cyber-crooks to lure users into downloading malicious content,” said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor BitDefender. “By eliminating the update wizard, users will likely get more difficult to con on the pretext of a legitimate update required by an application they trust.”

Unfortunately, this silent update model can’t be applied to all applications, Botezatu said. He gave the example of Internet Explorer 6, which Microsoft is trying to phase out, but that companies still widely use because their business applications are dependent on it and don’t work on newer versions.

Adobe is doing its part to convince users to move away from Internet Explorer 6 by dropping support for the browser from upcoming Flash Player versions. “We will no longer include testing on Internet Explorer 6 in our certification process and strongly encourage users to upgrade to the newest version of Internet Explorer,” Uhley said.

Article source:

View full post on National Cyber Security » Computer Hacking

Password in flash cs3

This tutorial show you how to make a password for your game/movie in flash cs3 with actionscript 2.0

View full post on National Cyber Security

Google Chrome update fixes 12 vulnerabilities and patches Flash Player

Google released a new version of its Chrome browser in order to update the bundled Flash Player plug-in and address serious security vulnerabilities.

Google Chrome 17.0.963.56 fixes 12 security flaws, seven of which are considered high severity, four of medium severity and one of low severity.

Security researcher Jüri Aedla received a special $1,337 reward for discovering and reporting an integer overflow vulnerability in libpng, the library used by Chrome to process PNG images.

Other high-severity flaws were identified in the browser’s PDF codecs, its subframe loading, h.264 parsing and path rendering components, as well as its MKV, database, column and counter node handling code.

In theory these vulnerabilities should be considered critical because they could facilitate the remote execution of arbitrary code on the targeted systems.

However, because Google Chrome has a sandboxed architecture, exploiting these vulnerabilities alone would not provide attackers with the necessary level of access to run malicious code.

Six vulnerabilities patched in this release were discovered with the help of an open-source tool called AddressSanitizer, Google Chrome engineer Jason Kersey said in a blog post on February 15.

Chrome 17.0.963.56 also includes a new Flash Player version that Adobe released earlier this week, Kersey said. The Flash Player update addresses seven critical security flaws.

Google paid a total of $6,837 to security researchers who reported vulnerabilities patched in this release. The company recently expanded its Chromium Security Rewards Program to also cover vulnerabilities found in Chrome OS.

Article source:

View full post on National Cyber Security » Computer Hacking

Adobe Patches Flash Player Security Flaws

The emergency update patches seven vulnerabilities.

View full post on eSecurityPlanet RSS Feed

View full post on National Cyber Security

Adobe issues support for Flash Player sandboxing in Firefox

Adobe has launched the pubic beta of a new Flash Player sandbox feature for Firefox users, making attacks more difficult for cybercriminals.

Add to digg
Add to StumbleUpon
Add to
Add to Google

View full post on SearchSecurity: Security Wire Daily News

View full post on National Cyber Security

Blurry Cellphone Shots Could Be Eliminated With This Flash Boosting Chip [Photography]

# photography STMicroelectronics hopes to make the wimpy LED flash on your smartphone as bright as the xenon flash in your camera with a new chip that packs a supercapacitor for quick bursts of power. More »

View full post on cellphone security — Yahoo! News Search Results

View full post on National Cyber Security

Page 3 of 5«12345»

My Twitter

  • RT @Aldana_Angel: Hackers ... Hacky Day .·. is out! Stories via @_plesna @GregoryDEvans @joepettit2
    about 4 hours ago
  • RT @Aldana_Angel: Hackers ... Hacky Day .·. is out! Stories via @_plesna @GregoryDEvans @joepettit2
    about 5 hours ago
  • RT @Aldana_Angel: Hackers ... Hacky Day .·. is out! Stories via @_plesna @GregoryDEvans @joepettit2
    about 7 hours ago
  • RT @Aldana_Angel: Hackers ... Hacky Day .·. is out! Stories via @_plesna @GregoryDEvans @joepettit2
    about 7 hours ago
  • Hackers ... Hacky Day .·. is out! Stories via @_plesna @GregoryDEvans @joepettit2
    about 7 hours ago By Gregory D. Evans

Hacker For Hire By Gregory Evans

Gregory D. Evans On Facebook

Parent Securty By Gregory D. Evans

National Cyber Security By Gregory D. Evans

Dating Scams By Gregory Evans