Archive for October, 2010

Patches for Adobe

APSB10-25 Security update available for Shockwave Player (10/28/2010)
On 28 Oct 2010, Adobe released a new version of Shockwave Player. This version fixes a number of vulnerabilities; impacts include arbitrary code execution.

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.8.612 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities, including CVE-2010-3653, referenced in Security Advisory APSA10-04, could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.8.612 and earlier versions update to Adobe Shockwave Player 11.5.9.615 …

UPDATE: http://get.adobe.com/shockwave/

APSA10-05 Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat (10/28/2010)
On 28 Oct 2010, Adobe released information regarding a critical flaw in Adobe Flash Player, Adobe Reader and Acrobat. There are reports that this vulnerability is being actively exploited in the wild. A patch is expected by November 9, 2010.

A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems.
This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player.
We are in the process of finalizing a fix for the issue and expect to provide an update for Flash Player 10.x for Windows, Macintosh, Linux, and Android by November 9, 2010. We expect to make available an update for Adobe Reader and Acrobat 9.4 and earlier 9.x versions during the week of November 15, 2010.

MITIGATION: Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.
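
The authplay.dll workaround quoted above, as an added PowerShell example that is not Adobe's tooling or part of the original post: it finds every copy of the file and renames it, starting with a dry run. The function name `Disable-AuthPlay`, the `.disabled` suffix and the search roots under Program Files are assumptions.

```powershell
# Added example, not Adobe's tooling. Disable-AuthPlay is a hypothetical name.
function Disable-AuthPlay {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumption: Reader/Acrobat 9.x sit under an "Adobe" folder in
        # Program Files; pass -Root to search other install locations.
        [string[]]$Root,
        # Suffix added to the file name so the change is easy to find and undo.
        [string]$Suffix = '.disabled'
    )

    if (-not $Root) {
        # ProgramFiles(x86) is empty on 32-bit Windows, so drop null entries.
        $Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
            Where-Object { $_ } |
            ForEach-Object { Join-Path $_ 'Adobe' }
    }

    foreach ($dir in $Root) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $dlls = Get-ChildItem -LiteralPath $dir -Filter 'authplay.dll' `
            -Recurse -File -ErrorAction SilentlyContinue
        foreach ($dll in $dlls) {
            $newName = $dll.Name + $Suffix
            $state = 'found (not changed)'
            if ($PSCmdlet.ShouldProcess($dll.FullName, "rename to $newName")) {
                try {
                    Rename-Item -LiteralPath $dll.FullName -NewName $newName -ErrorAction Stop
                    $state = 'renamed'
                } catch {
                    # Typical causes: prompt not elevated, or the DLL is in use.
                    $state = "failed: $($_.Exception.Message)"
                }
            }
            # One record per copy, so the result can be logged or exported.
            [pscustomobject]@{
                Path        = $dll.FullName
                FileVersion = $dll.VersionInfo.FileVersion
                State       = $state
            }
        }
    }
}

# Dry run first: lists every copy that would be renamed without touching it.
Disable-AuthPlay -WhatIf
```

Run it from an elevated prompt without `-WhatIf` to apply the change; PDF files containing SWF content will then produce the non-exploitable crash or error message described above.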

Firefox 3.6.12

Firefox v.3.6.12 was released on 27th October 2010. This release fixes a critical security issue that could potentially allow remote code execution.

Fixed in Firefox 3.6.12 [4]
MFSA 2010-73 Heap buffer overflow mixing document.write and DOM insertion

Vulnerability ratings: 1 Critical
Affects: Windows
Evaluation: Update now

LINKS:
[1] Firefox Updated: Firefox 3.6.12 (2010-Oct-27) [Mozilla]
[2] Firefox features [Mozilla]
[3] Mozilla Firefox 3.6.12 Release Notes (2010-Oct-27) [Mozilla]
[4] Security Advisories for Firefox 3.6 [Mozilla]

CRP10-xx

Android, Telstra, HTC and a world of pain!

PAIN POINT #1 : Obtaining the Update
After discovering that the Froyo update was finally available for the Telstra HTC Desire it was time for a download!
_HTC Desire_RUU_Bravo_Froyo_Telstra_WWE_2.26.841.2
_Radio_32.48.00.32U_5.11.05.14_release_150162_signed.exe

Three hours later for a 177MB download we have the file; have we not heard of load balancers and local mirroring!

PAIN POINT #2 : Say goodbye to your data; your sms history; your applications; your customisation
“Installing the ROM Update Utility (RUU) will delete ALL information and data on your Android phone.”
Yes, there is the disclaimer that you will be deleting the data on your phone; but not even a resync via HTC Sync will get you back from a clean slate. You need to reconfigure your phone from scratch, re-obtain your applications, and run back through your list of customisations. (You are soon to learn that the whole HTC Sync is not worth its space on your hard drive for the value that it gives in restoring after the update.) FFS, how hard is it to have your desktop package restore a settings profile! Have a quick look at what we could do with our iPaq or Palm five years ago and you’ll be scratching your head as to why this is acceptable in a current release smartphone package.

Now we see it; the phone exists

Now we don’t; nothing up my sleeve, the phone’s gone

Then the phone gets stuck at the bootloader; I unplugged my phone, took out the battery and reset for another attempt.

ERROR [171] may mean something to someone but as a debug message it’s up there with some of the worst error messages that I have seen; “The computer says no!”.
~ must be my Android sdk? delete that and the error still exists
~ must be that version 2.x of HTC Sync needs an upgrade; upgrade to v3.x and the error still exists
~ WTF!

PAIN POINT #3: Ok, the instructions suck!
Once you have your sync, UNPLUG the droid, start the RUU application, then plug the droid back in – nothing else worked for me after many iterations.

After having taken so long to release, how much testing and quality control actually happened for this release?

(I have since discovered the Telstra Desire Froyo Update forum on Whirlpool – start around page 30, some good suggestions in the following pages.)

PAIN POINT #4: Your Android phone is now ready for use (?!)
once you reconfigure it and install your applications that is.

I have since discovered others experiencing the same pain. This appears to be a problem for the early technology adopter community (i.e. a very tech-savvy audience); how is the average user going to fare with this farce?

This week's links (2010-10-25)

In Brief:

* 100 essential YouTube channels for educators (via @feliciaday)

* Six months after Google first released the 2.2 or ‘Froyo’ version of its mobile operating system, HTC has made the update available to Australian owners of its flagship HTC Desire handset – through its website, if not directly over the air.
HTC’s update “nightmare”: Desires finally get Froyo (2010-10-26) [iTWire]

* ROM Upgrade for HTC Desire (Telstra)(2)
Release Date: 2010-10-26

Firefox 3.6.11

Firefox v.3.6.11 was released on 19th October 2010. This release fixes several security issues and several stability issues.

Fixed in Firefox 3.6.11 [4]
MFSA 2010-72 Insecure Diffie-Hellman key exchange
MFSA 2010-71 Unsafe library loading vulnerabilities
MFSA 2010-70 SSL wildcard certificate matching IP addresses
MFSA 2010-69 Cross-site information disclosure via modal calls
MFSA 2010-68 XSS in gopher parser when parsing hrefs
MFSA 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter
MFSA 2010-66 Use-after-free error in nsBarProp
MFSA 2010-65 Buffer overflow and memory corruption using document.write
MFSA 2010-64 Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)

Vulnerability ratings: 5 Critical, 2 High, 1 Moderate, 1 Low
Affects: Windows, Linux, and Mac OS X
Evaluation: Update now

LINKS:
[1] Firefox Updated: Firefox 3.6.11 (2010-Oct-19) [Mozilla]
[2] Firefox features [Mozilla]
[3] Mozilla Firefox 3.6.11 Release Notes (2010-Oct-19) [Mozilla]
[4] Security Advisories for Firefox 3.6 [Mozilla]

CRP10-xx

This week's links (2010-10-18)

A great visualisation of Sir Ken Robinson‘s talk “Changing Education Paradigms”, created by RSA Animated … topped full of win!

In Brief:

* J Trav’s Persona – a set on Flickr [FLICKR]

Viewers of the Persona diptychs take a voyeuristic delight in not only glimpsing the items usually tucked away in bags and pockets, but in identifying with strangers by relating to the tokens they carry with them. Alongside the meticulously arranged items that each person carries, Jason situates a portrait in which the subject always seems confident and at home, comfortable in their own skin. In these snapshots, each person appears as Jason sees them, which is always beautiful. Assembling the Persona diptychs has not only allowed Jason to combine his love of photography with his knowledge of the uniqueness and beauty in each of his subjects, but also has allowed him to share this knowledge with others.
-Sam NeSmith
[From The Atlantan, July/Aug 2009]

* Victoria continues with more speed camera FAIL! Hume speed cameras suspended over fault (2010-Oct-) [ABC News]

Still waiting for Froyo

* There’s only two things we can say with certainty about Telstra’s “official” Froyo update for the HTC Desire: it’s already overdue, and no one at Telstra seems to know yet when and how it will be delivered.
Telstra’s Froyo Desire Update: Who Knows? (2010-Oct-19) [lifehacker.com.au]

* On Telstra’s official Twitter account, a customer enquiring about the update was told it would appear “within the next few days”. Given the flexible definition of a month Telstra has already used, holding your breath might not be wise. A subsequent tweet suggested that approval by Google was a factor in the hold-up. Delays on official Android upgrades are not unusual, sadly. Update: Telstra has also confirmed that the update won’t be over the air due to its size, but will be offered via the HTC web site.
Telstra Desire Customers Still Waiting On Froyo Update (2010-Oct-18) [lifehacker.com.au]

* Over the weekend, Justin from the Telstra Twitter team announced that the Froyo update for HTC Desire owners wasn’t going to be an OTA update after all. Turns out, all that 2.2 goodness is just too big, so instead the OS update will be made available from HTC’s website for download.
Telstra HTC Desire Froyo Update Not OTA After All (2010-Oct-18) [gizmodo.com.au]

Music Monday #038 – The Radiators

The Radiators
The Radiators are a rock band from Sydney, Australia, formed in 1978. Their best known songs include “Coming Home”, “No Tragedy” and “Gimme Head” (covered in 2004 by Melbourne band, Your Wedding Night)
The Original Band Members are; Brian Nichol – Vocals, Fess Parker – Lead Guitar, Geoff Turner – Bass Guitar, Chris Tag – Drums, Brendan Callinan – Keyboards. The nucleus of the band; Nichol, Parker and Turner still remain and continue to tour throughout Australia.
Their first album was Feel the Heat released in 1980 by WEA Records Australia.

wikipedia

Time for some music …

[TED] Hans Rosling: The good news of the decade?

I have posted about Hans Rosling’s amazing visualisations of data several times on this site. This is his most recent talk from the TED site;

Hans Rosling: The good news of the decade?
Hans Rosling reframes 10 years of UN data with his spectacular visuals, lighting up an astonishing — mostly unreported — piece of front-page-worthy good news: We’re winning the war against child mortality. Along the way, he debunks one flawed approach to stats that blots out such vital stories.
TED

Netbooks in the Classroom: Effects on Teaching and Learning

Notes and thoughts from last night’s ARC Monthly Research Seminar;

Topic: Netbooks in the Classroom: Effects on Teaching and Learning

Date: 12 October 2010, 5.30-6.30pm | Presented by: Assoc Prof Esther Care, Deputy Director ARC; Kerry Woods, Research Fellow ARC; Haruka Tsurutani, Research Officer ARC

Abstract: The Department of Education and Early Childhood has implemented the Netbook Project with almost 10,000 students at more than 340 government schools across Victoria receiving a netbook, or small portable computer, for use at school and at home. Netbooks provide anytime, anywhere access to information and learning. Through a netbook, a student can complement learning that takes place in the classroom using software programs, referring to resources that have been downloaded onto the netbook, or working with audio, picture or video files that have been saved. The Assessment Research Centre has been conducting an evaluation of the Netbook Project through 2009-2010. In this presentation we present three perspectives on the Project bringing to the fore the goals of the Project, experiences of teachers, and responses of students.


Patch Tuesday Wednesday (OCT-2010)

Welcome to another Patch Tuesday. This month we have sixteen (16) new security bulletins.

Today, as part of our regular monthly security bulletin release process, we are releasing 16 comprehensive updates addressing 49 vulnerabilities affecting Windows, Internet Explorer (IE), Microsoft Office, and the .NET Framework. This release represents our commitment to provide predictable, high-quality updates as part of the service our customers get when they buy Microsoft products.

Looking at the number and type of updates this month, we have a fairly standard number of bulletins affecting products like Windows and Office. This month we also have a few bulletins originating from product groups that we don’t see on a regular basis. For example, SharePoint, the Microsoft Foundation Class (MFC) Library (which is an application framework for programming in Windows), and the .NET Framework. It’s worth noting that only six of the 49 total vulnerabilities being addressed have a critical rating. Further, three of the bulletins account for 34 of the total vulnerabilities. [1]

| Bulletin | KB number | Description | Impact | Severity | Software |
|---|---|---|---|---|---|
| MS10-071 | 2360131 | Cumulative Security Update for Internet Explorer | Remote Code Execution | Critical | Microsoft Windows, Internet Explorer |
| MS10-072 | 2412048 | Vulnerabilities in SafeHTML Could Allow Information Disclosure | Information Disclosure | Important | Microsoft Windows |
| MS10-073 | 981957 | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege | Elevation of Privilege | Important | Microsoft Windows |
| MS10-074 | 2387149 | Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution | Remote Code Execution | Moderate | Microsoft Windows |
| MS10-075 | 2281679 | Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution | Remote Code Execution | Critical | Microsoft Windows |
| MS10-076 | 982132 | Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution | Remote Code Execution | Critical | Microsoft Windows |
| MS10-077 | 2160841 | Vulnerability in .NET Framework Could Allow Remote Code Execution | Remote Code Execution | Critical | Microsoft Windows, Microsoft .NET Framework |
| MS10-078 | 2279986 | Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege | Elevation of Privilege | Important | Microsoft Windows |
| MS10-079 | 2293194 | Vulnerabilities in Microsoft Word Could Allow Remote Code Execution | Remote Code Execution | Important | Microsoft Office |
| MS10-080 | 2293211 | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution | Remote Code Execution | Important | Microsoft Office |
| MS10-081 | 2296011 | Vulnerability in Windows Common Control Library Could Allow Remote Code Execution | Remote Code Execution | Important | Microsoft Windows |
| MS10-082 | 2378111 | Vulnerability in Windows Media Player Could Allow Remote Code Execution | Remote Code Execution | Important | Microsoft Windows |
| MS10-083 | 2405882 | Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution | Remote Code Execution | Important | Microsoft Windows |
| MS10-084 | 2360937 | Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege | Elevation of Privilege | Important | Microsoft Windows |
| MS10-085 | 2207566 | Vulnerability in SChannel Could Allow Denial of Service | Denial of Service | Important | Microsoft Windows |
| MS10-086 | 2294255 | Vulnerability in Windows Shared Cluster Disks Could Allow Tampering | Tampering | Moderate | Microsoft Windows |

PATCH NOW:
MS10-082, MS10-083

PATCH SOON:
MS10-071 (CVE-2010-3325 and CVE-2010-3324 have been disclosed publicly)
MS10-083 (This vulnerability has been disclosed publicly)

