Saturday, November 6, 2010

Patches! Getcher patches!

You'll want one, and maybe both, of these.

Adobe releases patch for Flash:
Critical vulnerabilities have been identified in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.95.1 for Android. These vulnerabilities, including CVE-2010-3654 referenced in Security Advisory APSA10-05, could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Flash, of course, is what makes movies work on the Internet (like today's video here of Hank Williams Jr and Sr).  Given how widespread Flash is (basically it's in everything except the iPhone and iPad), you really want to get the patch.

And PayPal has just updated their iPhone app to close a nasty security hole:

PayPal has submitted an updated iPhone application after learning that the previous one failed to check the digital certificates that confirmed the authenticity of the online-payment website.

The hole leaves iPhone users who rely on the app open to man-in-the-middle attacks when connecting over unsecured networks such as Wi-Fi hotspots. PayPal learned of the flaw on Tuesday, when a Wall Street Journal reporter asked for comment. A day later, the company rushed out a patched version to Apple's app store.
Err, security@paypal.com is unlikely to get a lot of helpful suggestions from the Bad Guys, but we'd like to hope that the White Hat researchers would toss a line their way.

I expect that you upgrade the app via the iTunes store, but don't use many iPhone apps and don't use PayPal at all, so I'm not sure.  FYI, their Android app is not vulnerable.

5 comments:

  1. Thanks for the info - patching now.

    In a similar vein, make sure you "patch" your smoke and CO detectors tonight by replacing the batteries!

    http://blog.wymanhq.org/blog/post/2010/11/06/Public-Service-Announcement.aspx

  2. It was 20 years after they came out that I bought my first music CD player. As a non-adopter at the opposite spectrum of early adopters, it will be a long time before I have a "smart" phone. My detectors are hard-wired and require no batteries.

  3. I downloaded that patch yesterday morning, and now- finally after restoring my computer twice. The last time all the way back to Thursday is it now not completely FUBAR.

    I already told the wife to back-up her stuff, and if I get hit, I'll just throw it back to factory.

  4. I cringe at the thought of doing anything secure on a smartphone of any OS.

    Jim
