Security updates for Flash & Shockwave
Adobe has released security updates for Flash Player and Shockwave Player. The update deals with this security bulletin, a bug that an attacker may use to exploit older versions of the Flash Player, Shockwave Player, and/or Adobe Acrobat to take control of your computer system. An update for Acrobat Reader is expected before the month ends (Friday).
New Acrobat 9.x/10x vulnerability
There’s a new security hole in Adobe Acrobat Reader and Adobe Acrobat, in which an attacker can exploit a problem with the Flash plug-in inside a PDF file to install malware onto your computer. Such malware could introduce viruses that could damage files on your computer, as well as install software that could capture your various logins and passwords, banking information, key codes for games, and credit card numbers.
The problem currently affects Windows PCs only, and an update will be released by Adobe by July 31st, 2009. In the meantime, it’s recommended that you delete a file on your system to remove Flash capability from Acrobat Reader/Acrobat:
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF content. Depending on the product, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll. Windows Vista users should consider enabling UAC (User Access Control) to mitigate the impact of a potential exploit. Flash Player users should exercise caution in browsing untrusted websites. Adobe is in contact with Antivirus and Security vendors regarding the issue and recommends users keep their anti-virus definitions up to date.
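The rename mitigation described above, as an added PowerShell example (not part of the original post or of Adobe's advisory). The two relative paths come from the advisory text; the ".disabled" suffix and the extra check of the "Program Files (x86)" root on 64-bit Windows are assumptions.

```powershell
# Added example: rename authplay.dll so Reader/Acrobat 9.x cannot load it.
# Run from an elevated prompt. Pass -WhatIf to preview without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Suffix appended to the renamed DLL (assumption, not from the advisory).
    [string]$Suffix = '.disabled'
)

# Locations given in the advisory text, relative to the Program Files root.
$relativePaths = @(
    'Adobe\Reader 9.0\Reader\authplay.dll',
    'Adobe\Acrobat 9.0\Acrobat\authplay.dll'
)

# Program Files roots; checking the (x86) root is an assumption for 64-bit Windows.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

foreach ($root in $roots) {
    foreach ($rel in $relativePaths) {
        $dll = Join-Path $root $rel
        if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
            Write-Output "not present: $dll"
            continue
        }

        $newName = (Split-Path $dll -Leaf) + $Suffix
        $target  = Join-Path (Split-Path $dll -Parent) $newName

        # A repair install can put the DLL back after an earlier rename.
        # In that case the DLL is active again; do not overwrite, flag it.
        if (Test-Path -LiteralPath $target) {
            Write-Warning "still active: $dll (an earlier copy exists at $target; resolve manually)"
            continue
        }

        if ($PSCmdlet.ShouldProcess($dll, "rename to $newName")) {
            Rename-Item -LiteralPath $dll -NewName $newName -ErrorAction Stop
            Write-Output "renamed: $dll -> $newName"
        }
    }
}
```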
Embedding YouTube and Vimeo videos in the forums
An oft-requested feature is the ability to embed video on the forums. We’ve gone and done just that.
To post a video, just post the link to the video. For example:
http://www.youtube.com/watch?v=i3p6c2m4BCU
or
http://www.vimeo.com/1950685
The forum will embed the Flash player into the post. These videos will not autoplay – you will still have to click on the play button to start the video.
If you are on dialup, you can disable the embed by going into your User Preferences and checking the “Hide Embedded Content” checkbox. After saving your preferences, video embeds will appear as links instead.
We currently support only YouTube and Vimeo embeds.
Adobe Flash zero-day exploit underway
There is a previously unknown security vulnerability (thus, “zero-day”) in Adobe’s Flash Player that malware authors (“the bad guys”) are exploiting to infect computers that happen across infected sites (think mad pop-ups, password sniffers, keyloggers, viruses, trojans, data loss, endless headaches, etc.). Since Flash Player is extremely popular, everyone will probably be subject to this attack.
A report on SecurityFocus, a leading security-research website, reveals the widespread problem at hand:
Continued investigation reveals that this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages), most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.
More information can be found at the following sites:
To prevent being exploited, you may wish to uninstall Adobe Flash Player from your computer until Adobe releases an update, or temporarily disable it with extensions such as NoScript for Firefox.
Adobe Flash Exploit logs keystrokes
Adobe has announced three security advisories for various versions (7, 8, and 9) of its Adobe Flash Player, which concern the ability of Flash files to log keystrokes and capture vital information (such as usernames, passwords, credit card numbers, etc.). It’s strongly recommended that you update your Flash player to the latest version.