Adobe has a dismal record for addressing security vulnerabilities in their software, some of which, e.g., Acrobat Reader and Shockwave, is widely used. Right on the heels of their announcement that they plan to step up their reactions to security issues, we see this story from ZDNet:

Critical Adobe Shockwave flaw affects millions
by Ryan Naraine
June 24th, 2009

Adobe’s Shockwave Player contains a critical vulnerability that could be exploited by remote hackers to take complete control of Windows computers, according to a warning from the software maker.

The flaw affects Adobe Shockwave Player 11.5.0.596 and earlier versions. Details from Adobe’s advisory:

This vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected system. Adobe has provided a solution for the reported vulnerability (CVE-2009-1860). This issue was previously resolved in Shockwave Player 11.0.0.465; the Shockwave Player 11.5.0.600 update resolves a backwards compatibility mode variation of the issue with Shockwave Player 10 content. To resolve this issue, Shockwave Player users on Windows should uninstall Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available here: Adobe – Adobe Shockwave Player. This issue is remotely exploitable.

Adobe boasts that 450 million Internet-enabled desktops have installed Adobe Shockwave Player.

Another Adobe Critical Security Flaw – Shockwave is a post from: PsychNet Reviews and Recommendations

©2010 PsychNet Reviews and Recommendations. All Rights Reserved.

Related posts

• WordPress Install File Poses Security Risk (2)
• Basic Computer Security 2009 Part 2 (2)
• Basic Computer Security 2009 Part 1 (0)
• Adobe promises quarterly security updates. Quarterly??!!? (0)

Important Security Fix for WordPress
By Jeff Starr
Tuesday, May 5, 2009

The other day, my server crashed and Perishable Press was unable to connect to the MySQL database…

The problem that I painfully discovered when my server crashed is that WordPress does not always display the default page for all database-related issues. Apparently, if the database is missing entirely, WordPress assumes that it has not yet been installed and loads the Installation Page.

Yikes! This is exactly what happened when my server crashed, MySQL was unavailable, and the WordPress Installation Page was displayed to over 100 visitors while I scrambled to resolve the issue.

During the event, there were several attempts to assume control of my site through the Installation Page. Fortunately, I was working on the site (via FTP, cPanel, phpMyAdmin, and so on) during the attacks, and was able to terminate an inevitable hostile takeover…

It happened to me, and it could happen to you
To me, this scenario represents an enormous security risk for all currently available versions of WordPress (up to 2.8 at the time of this writing). If WordPress serves up the Installation Page the next time your database goes down, anyone could easily gain full control of your entire server…

A temporary solution, until WordPress does it better
After restoring full functionality to my site, deleting multiple “Hello world!” posts and “About” pages, and removing the newly added Administrator, it was time to prevent this situation from happening again. The easiest way to do this involves deleting, blocking, or modifying the wp-admin/install.php file, which contains the script that generates the Installation Page.

See full post for additional measures

WordPress Install File Poses Security Risk is a post from: PsychNet Reviews and Recommendations

©2010 PsychNet Reviews and Recommendations. All Rights Reserved.

Related posts

• Another Adobe Critical Security Flaw – Shockwave (0)
• Basic Computer Security 2009 Part 2 (2)
• Basic Computer Security 2009 Part 1 (0)
• Adobe promises quarterly security updates. Quarterly??!!? (0)