[SecurityRatty] tag: player

Highly Critical Vulnerabilities In VLC Media Player

Fri, 07 Nov 2008 22:20:16 +0000

Two “highly critical” vulnerabilities in the cross-platform VLC Media Player could put users at risk of remote code execution attacks, according to a warning from security researchers. An error in the CUE demuxer can be exploited to cause a stack-based buffer overflow via a specially crafted CUE image file. In second vulnerability, an error in [...]

Six Security Vulnerabilities Updated By Adobe In Flash Player 9

Thu, 06 Nov 2008 20:24:16 +0000

Adobe has released another Flash Player 9 update to cover at least six documented security vulnerabilities that could expose users to a wide range of hacker attacks. The patch, rated “critical” by Adobe, affects Flash Player 9.0.124.0 on all platforms. The latest Flash Player vulnerabilities include: CVE-2008-4818: This update includes a change to the way Flash Player [...]

Adobe fixes 6 flaws in Flash

Thu, 06 Nov 2008 02:00:00 +0000

For the second time in two days, Adobe Systems has issued a security update to fix multiple vulnerabilities in one of its most-popular programs, Flash Player.

NBA Preview and Flashback

Tue, 28 Oct 2008 20:42:50 +0000

NBA starts today, it is always good to have something to look forward to once the weather gets cold in Minnie. I follow two teams. The Celtics who have a decent chance at repeating as champs. KG and Pierce should be back in full force, hopefully Ray Allen holds up. Perkins and Rondo may get a little better with experience. Biggest loss is Posey and we will miss him a lot more than people think. A real glue guy, defense, passing, rebounding, makes the smart plays and as a middleware guy myself I can relate. He will make CP3 even more dangerous.

The other team I follow is the Timberwolves. I think they will be pretty good this year. Al Jefferson is a beast down low. Only four players averaged 20 and 10 last year and he is one. He is the best big man in the post after Duncan. Getting Love and Miller for OJ Mayo was a smart deal by McHale. I think McCants can be a decent instant offense 6th man. Would be good to see Foye step up this year. Weakness looks to be defense

*Flashback*

I am biased but I think the 1980s was the most fun time to watch NBA. Everyone talks about Bird and Magic, but there were a lot of great players back then. Here is my all underrated 1980s team (no Celtics included due to conflict of interest and unobjectivity)

C: Moses Malone - beast of a big man, immovable force under the hoop with fantastic foot work for a big man. It is too bad he was traded by Portland because he and Bill Walton would have been the best big man combo of all time.

PF: Bobby Jones - great defender, good rebounder, good passer for a big man. Typical Tar Heel -fundamentally sound. He would be the James Posey of this team. (Runner up: Calvin Natt)

SF: Bernard King - what a renaissance. Watch his moves on youtube, he was not that tall like say Alex English but he could go in the lane and score on anybody. Jordan of course is an all around better player but I think King was a better scorer and that is saying something. The playoffs when he was putting up 50 and 60 a night he was a terrifying force.

SG: Andrew Toney - they called him the Boston strangler and as Celtics fan there was no one I was more afraid of. Its a real shame his career got cut short. (Runner up: George Gervin)

PG: Tiny Archibald - Ok, one Celtic, but he is seriously underrated - would go flying into the lane, disappear in the trees, Tiny would fly out the bottom of the pile, and the ball would pop out the top and drop in. Probably the last great player to come out of NYC. (Runner up: Mo Cheeks)

Sixth Man - World B. Free - no doubt about this one, he was great as a sixth man. And this guy was plain fun to watch. He would bomb it from 30 feet, when he was on he was a force. He would kick his leg into the defender when he was shooting a j to draw the foul. (Runner up: Michael Cooper)

Flash 10 Fixes Clickjacking Flaw

Thu, 16 Oct 2008 10:07:56 +0000

Not long after "clickjacking" attacks appeared several weeks ago it became clear that the culprit was Adobe's Flash. And the problem, as we say in the software biz, wasn't a bug, it was a feature. This feature has been modified in the new Flash 10 player to address the problem. The problem is clipboard access. By default, Flash 9 allowed a Flash program to read and write to the clipboard. "Clickjacking" attacks took advantage of this to persistently stuff a value. usually a malicious URL, into the clipboard, in the hope the user would visit it. The attack is as cross-platform as Flash, working on Macs as well as Windows. In Flash 10 the clipboard methods will only work when called through ActionScript which originates with a user action, like pressing a button. No longer will a silent Flash app be able to hijack the clipboard completely without the user noticing. This change was just one of many security changes in the Flash 10 player. Changes in how Flash handles policy files means that developers will have to address their use of them. Errors on socket connect() calls will be handled differently. And much in the same philosophy as with clipboards, file uploads and downloads may only occur in script that begins with a user action. There are other changes as well. The flip side of this fix is that it is not implemented in Flash 9. This means that the only way to escape clickjacking attacks is to upgrade to Flash 10.

Adobe Fixes Clickjacking Vulnerability In Flash Player 10

Wed, 15 Oct 2008 18:33:49 +0000

Adobe has released Flash Player 10 with numerous major security improvements, including patches and mitigation for at least five serious security vulnerabilities. According to Adobe, the vulnerabilities covered with Flash Player 10 could allow an attacker to bypass the software’s security controls. Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could [...]

Adobe fixes 'clickjacking' flaw

Tue, 14 Oct 2008 20:00:00 +0000

Adobe Systems has released a new version of its Flash Player software, fixing a critical security bug that could make the Internet a dangerous place for Web surfers.

PC Webcams Might Be Abused Through Clickjacking To Silently Spy On Users

Tue, 07 Oct 2008 19:32:08 +0000

An Israeli security researcher has released a demo of a “clickjacking” attack, using a JavaScript game to turn every browser into a surveillance zombie. The proof-of-concept game uses a PC’s video cam and microphone to secretly spy on the player. The release of the demo follows last month’s partial disclosure of the cross-platform attack/threat, which affects [...]

Modified Zeus Crimeware Kit Comes With Built-in MP3 Player

Mon, 29 Sep 2008 13:55:03 +0000

Modified versions of popular open source crimeware kits rarely make the headlines due to the fact that anyone can hijack a crimeware kit's brand, build and innovate using its foundations, and claim it's a new version released by the original authors. That's of course in between the tiny time frame until he's exposed as the fake author of Zeus that may have in fact came up with a unique feature that the original authors didn't include.

This modified version of Zeus is yet another example of how cybercriminals are actively modifying crimeware kits, literally making such practices as keeping version numbers irrelevant. While the administrator is managing his botnet, he can load local, or tunein the built-in online radio stations the author of this modification included, next to changing Zeus entire graphical layout.

Let's take into consideration another example, the infamous Pinch DIY malware builder, that's been around for over 4 years. With the populist arrest of its authors in 2007, cybercriminals are still innovating on the foundations offered by Pinch, and thanks to its publicly obtainable source code. It's also worth pointing out that these two Zeus and Pinch modifications are courtesy of a single individual, that in between modifications of popular crimeware kits, seems to be busy porting different modules on different malware kits and web based malware, knowingly or unknowingly contributing to the convergence of spamming, DDoS, web based malware, and botnet management kits.

From a sarcastic perspective - what's next? Perhaps a built-in slideshow of random screenshots taken from malware infected desktops in the botnet, or even a pink layout modification for female botnet masters. Customerization, and customer tailored services can make anything happen, and naturally enjoy the higher profit margins.

QuickTime Crashing Zero-day Attack Code Published, Malicious Code Execution Possible

Thu, 18 Sep 2008 10:57:04 +0000

According to Aaron Adams, a Symantec Corp.’s DeepSight threat notification network researcher, new attack code that exploits an unpatched vulnerability in Apple Inc.’s QuickTime was published on milw0rm.com in Tuesday, just a week after the company updated the media player to plug nine other serious vulnerabilities. The exploit takes advantage of a flaw in the “<? [...]