Archive for May 29th, 2008

Firefox 3 – Download Day 2008

The Firefox community is always up to some cool, collaborative way to declare their passion for Firefox. What better way to do this than band together to set a Guinness World Record for the most software downloaded in 24 hours?! — The Mozilla Blog [1]

Sounds like a good deal, right? All you have to do is get Firefox 3 during Download Day to help set the record for most software downloads in 24 hours – it’s that easy. We’re not asking you to swallow a sword or to balance 30 spoons on your face, although that would be kind of awesome.
By the way, the official date for the launch of Firefox 3 will be posted here soon – so check back! Join our community and this effort by pledging today. — Download Day 2008 [2]

Sounds like fun :)

[1] Set a Firefox World Record! (2008-May-28) [The Mozilla Blog]
[2] Download Day 2008 (2008-May-28) [Spread Firefox]
[3] Firefox 3 Release Candidate 1 is available 3.0rc1 (2008-May-28) [Mozilla]

Security Update 2008-003

Only one is needed, either Security Update 2008-003 or Mac OS X v10.5.3.

Security Update 2008-003
Security Update 2008-003 is recommended for all users and improves the security of Mac OS X. Previous security updates have been incorporated into this security update. (Not required if you have updated to Mac OS X 10.5.3)

Mac OS X 10.5.3 Update
The Mac OS X 10.5.3 Update is recommended for Mac OS X 10.5, 10.5.1, and 10.5.2 Leopard. It includes general operating system improvements that enhance the stability, compatibility, and security of your Mac. To update to Mac OS X 10.5.3, use Software Update or the standalone installer.

Available for:
Update is recommended for Mac OS X 10.5, 10.5.1, and 10.5.2 Leopard
* PPC [72MB]
* Server PPC [88.9MB]
* Server Universal [118MB]
* Intel [111MB]

Security Update 2008-003 / Mac OS X v10.5.3

  • AFP Server : CVE-ID: CVE-2008-1027
  • Apache : CVE-ID: CVE-2005-3352, CVE-2005-3357, CVE-2006-3747, CVE-2007-1863, CVE-2007-3847, CVE-2007-4465, CVE-2007-5000, CVE-2007-6388
  • AppKit : CVE-ID: CVE-2008-1028
  • Apple Pixlet Video : CVE-ID: CVE-2008-1577
  • ATS : CVE-ID: CVE-2008-1575
  • CFNetwork : CVE-ID: CVE-2008-1580
  • CoreFoundation : CVE-ID: CVE-2008-1030
  • CoreGraphics : CVE-ID: CVE-2008-1031
  • CoreTypes : CVE-ID: CVE-2008-1032
  • CUPS : CVE-ID: CVE-2008-1033
  • Flash Player Plug-in : CVE-ID: CVE-2007-5275, CVE-2007-6243, CVE-2007-6637, CVE-2007-6019, CVE-2007-0071, CVE-2008-1655, CVE-2008-1654
  • Help Viewer : CVE-ID: CVE-2008-1034
  • iCal : CVE-ID: CVE-2008-1035
  • International Components for Unicode : CVE-ID: CVE-2008-1036
  • Image Capture : CVE-ID: CVE-2008-1571
  • Image Capture : CVE-ID: CVE-2008-1572
  • ImageIO : CVE-ID: CVE-2008-1573
  • ImageIO : CVE-ID: CVE-2007-5266, CVE-2007-5268, CVE-2007-5269
  • ImageIO : CVE-ID: CVE-2008-1574
  • Kernel : CVE-ID: CVE-2008-0177
  • Kernel : CVE-ID: CVE-2007-6359
  • LoginWindow
  • Mail : CVE-ID: CVE-2008-1576
  • ruby : CVE-ID: CVE-2007-6612
  • Single Sign-On : CVE-ID: CVE-2008-1578
  • Wiki Server : CVE-ID: CVE-2008-1579

55th Anniversary of the first ascent of Mount Everest

It is fifty-five years since Edmund Hillary and Sherpa Tenzing Norgay reached the summit of Everest at 11:30 a.m. local time on May 29, 1953 via the South Col Route.

Mount Everest: The historic ascent of 1953
(…) On the 28th the ridge camp was established at 27,900 feet (8,500 metres) by Hillary, Tenzing, Lowe, Gregory, and Ang Nyima, and Hillary and Tenzing passed the night there. The two set out early on the morning of May 29, reaching the South Summit by 9:00 AM. The first challenge on the final approach to the summit of Everest was a fairly level ridge of rock some 400 feet (120 metres) long flanked by an ice “cornice”; to the right was the East (Kangshung) Face, and to the left was the Southwest Face, both sheer drop-offs. The final obstacle, about halfway between the South Summit and the summit of Everest, was a steep spur of rock and ice—now called the Hillary Step. Though it is only about 55 feet (17 metres) high, the formation is difficult to climb because of its extreme pitch and because a mistake would be deadly. Climbers now use fixed ropes to ascend this section, but Hillary and Tenzing had only ice-climbing equipment. First Hillary and then Tenzing tackled the barrier much as one would climb a rock chimney—i.e., they inched up a little at a time with their backs against the rock wall and their feet wedged in a crack between the rock and ice.

They reached the summit of Everest at 11:30 AM. Hillary turned to Tenzing, and the men shook hands; Tenzing then embraced Hillary in a hug. Hillary took photos, and the two searched for but did not find signs that Mallory and Irvine had been to the summit. Tenzing, a Buddhist, made an offering of food for the mountain; Hillary left a crucifix Hunt had given him. The two men ate some sweets and then headed down. They had spent about 15 minutes on the top of the world. (…)
www.britannica.com

“Well, we knocked the bastard off!”
– Edmund Hillary, on first climbing Mount Everest

Adobe Flash Player v9.0.124.0 Vulnerability?

A vulnerability has been reported in Adobe Flash Player versions 9.0.124.0 and older, which is the current version available for download now. Adobe has not yet released a patch nor an official advisory. Stay tuned for further developments. [1]

Symantec have now seen this exploit in the wild:

The ThreatCon is currently at Level 2: Elevated.
The DeepSight ThreatCon is currently at Level 2 in response to the discovery of in-the-wild exploitation of a vulnerability affecting Adobe Flash Player. The flaw occurs when processing a malicious SWF file. Originally this issue was believed to be unpatched and unknown, but further technical analysis has revealed that it is the previously reported Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability (BID 28695), discovered by Mark Dowd of IBM. Adobe has released an official statement noting that Flash Player versions 9.0.124.0 aren’t affected by these attacks and confirming that the SWF files are in fact leveraging this flaw. We are continuing to investigate our findings as well, because we seem to be observing crashing on some 9.0.124.0 versions. — 2007-May-29 Symantec [2]

The vulnerability is disputed by Adobe PSIRT:

The exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0 (CVE-2007-0071). This exploit does NOT appear to include a new, unpatched vulnerability as has been reported elsewhere – customers with Flash Player 9.0.124.0 should not be vulnerable to this exploit. — Adobe PSIRT [5]

MITIGATION:

Update to a non-vulnerable version of the Flash player.
* Upgrade to Flash Player 9.0.124.0 (?)

If you have a vulnerable version of the Flash player:
* Avoid browsing to untrustworthy sites.
* Consider disabling or uninstalling Flash until patches are available.
* Deploy script-blocking mechanisms, such as NoScript for Firefox, to explicitly prevent SWFs from loading on all but explicitly trusted sites.
* Temporarily set the kill bit until patch availability is confirmed.
CLSID d27cdb6e-ae6d-11cf-96b8-444553540000
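
One way to apply, verify and later reverse the kill-bit mitigation listed above, as an added example that is not part of the original post or of any vendor guidance. It uses the CLSID given above with the standard Internet Explorer kill-bit location (`ActiveX Compatibility\{CLSID}`, `Compatibility Flags` with bit 0x400); the `-Action` parameter is an assumption of this example, and the script must be run from an elevated prompt.

```powershell
# Added example: check, set, or clear the IE kill bit for the Flash ActiveX control.
# -Action is a parameter invented for this example; default is a read-only check.
param(
    [ValidateSet('Check', 'Set', 'Clear')]
    [string]$Action = 'Check'
)

$Clsid   = '{d27cdb6e-ae6d-11cf-96b8-444553540000}'   # CLSID from the post
$Name    = 'Compatibility Flags'
$KillBit = 0x400   # flag that stops Internet Explorer instantiating the control

# 64-bit Windows keeps a separate registry view for 32-bit IE, so cover both.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }   # view not present on this system
    $key = Join-Path $root $Clsid

    # Read the current flags; a missing key or value means no flags are set.
    $current = 0
    if (Test-Path $key) {
        $prop = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($prop) { $current = [int]$prop.$Name }
    }

    if ($Action -eq 'Set') {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so any other compatibility flags already present survive.
        $current = $current -bor $KillBit
        New-ItemProperty -Path $key -Name $Name -PropertyType DWord `
            -Value $current -Force | Out-Null
    }
    elseif ($Action -eq 'Clear' -and ($current -band $KillBit)) {
        # Remove only the kill bit, once a fixed Flash Player is installed.
        $current = $current -band (-bnot $KillBit)
        Set-ItemProperty -Path $key -Name $Name -Value $current
    }

    $state = if ($current -band $KillBit) { 'kill bit SET' } else { 'kill bit not set' }
    '{0}: flags=0x{1:X8} ({2})' -f $key, $current, $state
}
```

The kill bit only stops Internet Explorer, and applications that host its ActiveX control, from loading Flash; the plug-in used by Firefox and other browsers is unaffected and needs the other measures in the list.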

[1] Adobe flash player vuln (2008-May-27) [SANS]
[2] ThreatCon (2008-May-29) [Symantec]
[3] Retired: Adobe Flash Player SWF File Remote Code Execution Vulnerability (2008-May-27) [SecurityFocus]
[4] Potential Flash Player issue (2008-May-27) [Adobe PSIRT]
[5] Potential Flash Player issue – update (2008-May-28) [Adobe PSIRT]
[6] Followup to Flash/swf stories (2008-May-28) [SANS]
[7] Malicious swf files? (2008-May-27) [SANS]
[8] Adobe Flash Player Unspecified Vulnerability (2008-May-28) [Secunia]


 
