
Comments: 161 +-   Adobe Warns of Reader, Acrobat Attack on Tuesday December 15, @11:03AM

Posted by timothy on Tuesday December 15, @11:03AM
from the gnome's-reader's-pretty-good-y'know dept.
security
itwbennett writes "Monday afternoon, Adobe 'received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild,' the company said in a post to the company's Product Security Incident Response Team blog. According to malware tracking group Shadowserver, the vulnerability is due to a bug in the way Reader processes JavaScript code. Several 'tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable,' Shadowserver said in a post on its Web site. The group recommends that concerned users disable JavaScript within Adobe's software as a work-around for this problem. (This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window). 'This is legit and is very bad,' Shadowserver added."

Comments: 243 +-   Office 2003 Bug Locks Owners Out on Monday December 14, @02:20AM

Posted by kdawson on Monday December 14, @02:20AM
from the file-available-but-not-to-you dept.
bug
I Don't Believe in Imaginary Property writes "A Microsoft Office 2003 bug is locking people out of their own files, specifically those protected with Microsoft's Rights Management Service. Microsoft has a TechNet bulletin on the issue with a fix. It looks like they screwed up and let a certificate expire. There's no information on when the replacement certificate will expire, though, or what will happen when it does."

Comments: 229 +-   Saboteur Launch Plagued By Problems With ATI Cards on Wednesday December 09, @12:58AM

Posted by Soulskill on Wednesday December 09, @12:58AM
from the more-or-less-finished dept.
bug
An anonymous reader writes "So far, there are over 35 pages of people posting about why EA released Pandemic Studios' final game, Saboteur, to first the EU on December 4th and then, after knowing full well it did not work properly, to the Americas on December 8th. They have been promising to work on a patch that is apparently now in the QA stage of testing. It is not a small bug; rather, if you have an ATI video card and either Windows 7 or Windows Vista, the majority (90%) of users have the game crash after the title screen. Since the marketshare for ATI is nearly equal to that of Nvidia, and the ATI logo is adorning the front page of the Saboteur website, it seems like quite a large mistake to release the game in its current state."

Comments: 766 +-   Is Linux Documentation Lacking? on Thursday December 03, @10:18AM

Posted by CmdrTaco on Thursday December 03, @10:18AM
from the hackers-and-english-don't-always-mix dept.
programming
eldavojohn writes "A number of blog posts are surfacing that are calling out the helpful open source community on their documentation. No, not the documentation for the highly skilled technical people, but the documentation from beginner to apprentice. A two-part series by Carla Schroeder lists bad documentation as 'Linux Bug #1' and advises users to use Google as the documentation. We've discussed before some of open source's documentation being out of date. Is it really as bad as these blogs paint it? Has it come down to using Google before a man page?"

Comments: 216 +-   What Google's Chromium OS Is Reaching For on Tuesday December 01, @05:17PM

Posted by kdawson on Tuesday December 01, @05:17PM
from the chrome-detailing dept.
google
MojoKid sends in a piece that takes a step back from Google's much-analyzed OS to look at what it is trying to accomplish. "Last week, Google open-sourced its Chromium OS project, more than a year before the operating system is scheduled for release. In doing so, Google hopes a variety of developers and companies will become involved in the project, and has pledged to release regular updates as well as a comprehensive log of bug reports and fixes. This article takes a look at Google's design vision for Chromium, the unique benefits it offers, and a bit of why Google is throwing its hat into this particular ring in the first place. Chromium, after all, is a Linux-based OS entering the smartbook/netbook market at a time when the product segment is already being well served by a variety of Linux distros, XP, and Windows 7. In the midst of all these options, do we need another operating system? We just might."

Comments: 351 +-   Microsoft Investigates Windows 7 "Black Screen of Death" on Tuesday December 01, @12:38PM

Posted by timothy on Tuesday December 01, @12:38PM
from the appropriate-namespace-overload dept.
bug
duguk writes "Microsoft has confirmed that it is investigating a problem described as the 'black screen of death,' which affects Windows 7 — and reports suggest it affects Vista and XP, too. The firm said it was looking into reports that suggest its latest security update, released on Tuesday 25 November, caused the problem. The error means that users of Windows 7 and earlier operating systems see a totally black screen after logging on to the system." Update: 12/01 22:35 GMT by KD : Microsoft now says that its November Windows updates are not causing the BlackSOD: "The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports."

Comments: 314 +-   Dell Defect Turning 2.2GHz CPU Into 100MHz CPU? on Monday November 30, @04:04PM

Posted by ScuttleMonkey on Monday November 30, @04:04PM
from the making-the-pr-department-work-for-their-paycheck dept.
bug
jtavares2 writes "In what is being dubbed Throttlegate, scores of users on many message boards have been complaining about inexplicably aggressive throttling policies on their Dell Latitude E6500 and E6400 laptops which cause their CPUs to be throttled to less than 5% of their theoretical maximums even while at room temperatures. In many cases, the issue can be triggered just by playing a video or performing some other trivial, but CPU intensive, task. After being banned [PDF] from the Dell Forums for revealing 'non-public information,' one user went so far as to write and publish a 59-page report [PDF] explaining and diagnosing the throttling problem in incredible detail. Dell seems to be silent on the issue, but many users are hoping for a formal recall."

Comments: 154 +-   Microsoft Advice Against Nehalem Xeons Snuffed Out on Saturday November 28, @01:33PM

Posted by Soulskill on Saturday November 28, @01:33PM
from the keep-that-under-your-hat dept.
intel
Eukariote writes "In an article outlining hidden strife in the processor world, Andreas Stiller has reported the scoop that Microsoft advised against the use of Intel Nehalem Xeon (Core i7/i5) processors under Windows Server 2008 R2, but was pressured by Intel to refrain from publishing this advisory. The issue concerns a bug causing spurious interrupts that locks up the Hypervisor of Server 2008. Though there is a hotfix, it is unattractive as it disables power savings and turbo boost states. (The original German-language version of the article is also available.)"

Comments: 420 +-   Moving Decimal Bug Loses Money on Wednesday November 25, @10:13AM

Posted by CmdrTaco on Wednesday November 25, @10:13AM
from the test-your-code-people dept.
humor
mario.m7 writes "Poste Italiane, the Italian postal service, suffered yesterday from an abnormal computation in ATM and credit card operations, since the decimal comma was not taken into account. The whole sum was therefore multiplied by 100, resulting in a 115,00 Euro transaction being debited as 11.500 Euro! Thousands of accounts are deep in the red and locked (link pumped through translator), so that no more operations are possible. Poste Italiane is gradually recovering the problem, fixing the error and re-crediting the sum debited in excess. Consumer associations have offered support to clients in case this lasts longer and causes damage."

Comments: 225 +-   Inkscape 0.47 Released on Wednesday November 25, @02:10AM

Posted by kdawson on Wednesday November 25, @02:10AM
from the drawing-not-quartering dept.
software
derrida writes "After over a year of intensive development and refactoring, Inkscape 0.47 is out. This version of the SVG-based vector graphics editor brings improved performance and tons of new features, including: timed autosave, Spiro splines, auto-smooth nodes, Eraser tool, new modes in Tweak tool, snapping options toolbar & greater snapping abilities, new live path effects (including Envelope), over 200 preset SVG filters, new Cairo-based PS and EPS export, spell checker, many new extensions, optimized SVG code options, and much more. Additionally, it would be wrong to not mention the hundreds of bug fixes. Check out the full release notes for more information about what has changed, enjoy the screenshots, or just jump right to downloading your package for Windows, Linux, or Mac OS X." We've been following the progress of Inkscape for years (2006, 2005, 2004).

Comments: 208 +-   Zero-Day Vulnerabilities In Firefox Extensions on Friday November 20, @10:14AM

Posted by kdawson on Friday November 20, @10:14AM
from the wild-in-the-playground dept.
bug
An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.

Comments: 133 +-   FAA Computer Glitch Causes Widespread Airline Delays on Thursday November 19, @10:42AM

Posted by Soulskill on Thursday November 19, @10:42AM
from the reports-confirm-toothpaste-was-not-involved dept.
bug
seven of five writes with this excerpt from an Associated Press report: "A problem with the FAA system that collects airlines' flight plans caused widespread flight cancellations and delays nationwide Thursday. It was the second time in 15 months that a glitch in the flight plan system caused delays. The FAA said in a statement that it is having a problem processing flight plan information. 'We are investigating the cause of the problem,' the agency said. 'We are processing flight plans manually and expect some delays. We have radar coverage and communications with planes.'"

Comments: 275 +-   Bizarre Droid Auto-Focus Bug Revealed on Wednesday November 18, @02:59PM

Posted by timothy on Wednesday November 18, @02:59PM
from the each-droid-has-a-moth-enclosed dept.
bug
itwbennett writes "Pity the poor engineer who had to find this one. One of the more interesting of the handful of bugs that have appeared since the launch of Verizon's Droid smartphone has to do with the on-board camera's auto-focus. Apparently it just didn't work. And then suddenly it did. Naturally, this off-again, on-again made the theories fly. But the real reason for the bug was revealed in a comment on an Engadget post by someone claiming to be Google engineer Dan Morrill: 'There's a rounding-error bug in the camera driver's autofocus routine (which uses a timestamp) that causes autofocus to behave poorly on a 24.5-day cycle,' said Morrill. 'That is, it'll work for 24.5 days, then have poor performance for 24.5 days, then work again. The 17th is the start of a new 'works correctly' cycle, so the devices will be fine for a while. A permanent fix is in the works.'"

Comments: 122 +-   Drupal 6 Social Networking on Wednesday November 18, @02:10PM

Posted by samzenpus on Wednesday November 18, @02:10PM
from the read-all-about-it dept.
books
dag writes "Drupal 6 Social Networking is an interesting book about how to build social networks and why Drupal is a good choice as a platform for building communities. Even if you don't have any Drupal experience yet, this book explains what is needed when you start from scratch and looks at the different facets of a social network." Keep reading for the rest of Dag's review.

Comments: 97 +-   SSL Renegotiation Attack Becomes Real on Monday November 16, @06:30PM

Posted by kdawson on Monday November 16, @06:30PM
from the laugh-a-while-you-can dept.
security
rastos1 and several other readers noted that the SSL vulnerability we discussed a couple of weeks back, which some researchers had claimed was too theoretical to worry about, has now been demonstrated by exploit. The attack description is available on securegoose.org. "A Turkish grad student has devised a serious, real-world attack on Twitter that targeted a recently discovered vulnerability in the SSL protocol. The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams. All in all, a man in the middle is able to steal the credentials of a user authenticating himself through HTTPS to a trusted website."

Comments: 289 +-   The First Windows 7 Zero-Day Exploit on Monday November 16, @04:54AM

Posted by kdawson on Monday November 16, @04:54AM
from the think-global-print-local dept.
security
xploraiswakco writes with the first Microsoft-confirmed Windows 7 zero-day vulnerability, with a demonstration exploit publicly available. The problem is in SMBv2 and SMBv1 and affects Windows 7 and Windows Server 2008 R2, but not Vista, XP, or Windows Server 2003. A maliciously crafted URI could hard-crash affected machines beyond any remedy besides pushing the white button. "Microsoft said it may patch the problem, but didn't spell out a timetable or commit to an out-of-cycle update before the next regularly-scheduled Patch Tuesday of December 8. Instead, the company suggested users block TCP ports 139 and 445 at the firewall." Reader xploraiswakco adds, "As important as the mentioned article is, it should also be pointed out that any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445, too."

Comments: 69 +-   DNS Problem Linked To DDoS Attacks Gets Worse on Sunday November 15, @09:13AM

Posted by Soulskill on Sunday November 15, @09:13AM
from the i-blame-the-schools dept.
security
itwbennett writes "The percentage of devices on the Internet that are configured to accept DNS queries from anywhere — what networking experts call an 'open recursive' or 'open resolver' system — has jumped from around 50 percent in 2007 to nearly 80 percent this year, according to research sponsored by DNS appliance company Infoblox. As more consumers demand broadband Internet, service providers are rolling out modems configured this way to their customers, said Cricket Liu, vice president of architecture with Infoblox. Georgia Tech researcher David Dagon agreed that open recursive systems are on the rise, in part because of 'the increase in home network appliances that allow multiple computers on the Internet. ... Almost all ISPs distribute a home DSL/cable device. Many of the devices have built-in DNS servers. These can sometimes ship in "open by default" states.' What's worse, says Dagon, is that many of these devices do not include patches for a widely publicized DNS flaw discovered by researcher Dan Kaminsky last year."

Comments: 6 +-   Bug Wears Armor Made of Poo on Thursday November 12, @11:38AM

Posted by samzenpus on Thursday November 12, @11:38AM
from the protection-you-can-smell dept.
idle
richardkelleher writes "It seems it doesn't always roll downhill, sometimes it is armor. The case-bearing leaf beetle apparently protects itself by constructing armor made from excrement. Females of these species typically construct bell-shaped receptacles made of feces around an egg immediately after they lay one."

Comments: 130 +-   Shockwave Vulnerabilities Affect More Than 450 Million Systems on Thursday November 05, @02:14PM

Posted by timothy on Thursday November 05, @02:14PM
from the drug-resistant-infections dept.
security
Trinity writes "Researchers from VUPEN have discovered critical vulnerabilities in Adobe Shockwave, a technology installed on over 450 million Internet-enabled desktops. The vulnerabilities could allow remote code execution by tricking a user into visiting a web page using Internet Explorer or even Mozilla Firefox. Version 11.5.1.601 as well as earlier ones are affected. The vendor recommends upgrading to version 11.5.1.602." Especially sobering when you consider Adobe's current push to be essentially required as an intermediary player for anyone who wants to see certain government data.

Comments: 106 +-   Facebook and MySpace Backdoors Found, Fixed on Thursday November 05, @11:29AM

Posted by Soulskill on Thursday November 05, @11:29AM
from the oh-adobe-you-card dept.
bug
jamie writes with news of a Facebook app developer who found a significant security hole while he was trying to get around function limitations for his application. Quoting: "Luckily — just with browser AJAX requests — a flash application hosted on domain X is unable to open a file on domain Y. If this would be possible, domain X [would be] able to access content on domain Y, and when the user is logged in on domain Y retrieve and post back any personal data. In certain cases this could limit a Flash application's capabilities. ... To resolve such issues, Adobe (Flash's developers) introduced a 'crossdomain.xml' file which could allow certain domains to access another domain, leading to cross-domain access by certain or all domains. While indeed Facebook locked the front door from any non-Facebook domain access via Flash, a simple subdomain change allowed any flash application (domain="*") to access its domain data." He found a similar problem in MySpace's crossdomain.xml. Both sites were notified, and they have implemented fixes.
