The update is classified as important which is the second highest severity rating available.

Flash users can verify the installed version of the application by visiting Adobe’s Flash Player page. The system is vulnerable to the attacks if the Flash version is 10.3.181.16 or earlier.

Download links are provided on the security bulletin’s page. The latest version can be downloaded from the official Get Flash Player page as well. Direct Downloads are available as well.

Adobe is currently not aware of attacks that use the authplay.dll component that ships with Adobe Reader and Acrobat. While the company is not aware of attacks at this point in time, it has not completed the investigation if authplay.dll is vulnerable to the recently discovered Flash vulnerability.

In other news: The developers of the popular video player VLC have also released a new version of their application to protect users from recently discovered security issues.

The release notes list an integer overflow vulnerability in xspf demuxer as well as several updates and rewrites of features in the latest version of the media player.

VLC users are encouraged to download and install the latest version of the player right away to protect their system from possible exploits.

Downloads are as usually offered at the official Videolan website.

The WordPress developers suggest to update immediately, especially if users can register as contributors on the blog. WordPress 3.1.2 fixes several non-security related issues which you can see a list of at the issue tracker over at the WordPress website.

Nothing to spectacular fixed though, take a look below for the list.

• It’s tricky to drag metaboxes
• Apostrophe in first/last/nickname causes JS error on user profile page
• Missing closing </fieldset> in user-edit.php for “show admin bar”
• Multiple tag queries broken
• WP_User_Query ordered by post_count doesn’t work if prefix is not wp_
• WordPress 3.1.1 breaks date archive filtering by tag or category
• Walker_PageDropdown doesn’t filter titles correctly
• Too much escaping for pages when using Quick Edit

WordPress administrators can update their blogs either directly from the WordPress Dashboard with a click on the Update Automatically button, or by downloading the new release from the official WordPress website, uploading the files manually to the server and running the upgrade script afterwards.

I have just updated more than a dozen WordPress blog to version 3.1.2 and the automatic update worked without difficulties in every instance. WordPress admins should not encounter any page display problems on the frontend or backend after applying the update.

The developers of VLC have released a new version of the program yesterday that patches another security vulnerability in the program.

It took the VLC team less than five days to fix the vulnerability which was first disclosed on April 7. The security advisory on the Videolan web page describes the issue as a heap-based buffer overflow in the mp4 demuxer.

Workarounds have been posted on the very same page, which are however no longer necessary as the issue is fixed by the VLC update to version 1.1.9.

The built-in update checker does not seem to recognize the new update yet, which means that VLC users need to download the update from the homepage of the project to install the program update manually. Downloads for all supported operating systems are available on this page.

You can verify the version of VLC by clicking on Help > About in the program interface, or with the keyboard shortcut Shift-F1.

If you see VLC Media Player 1.1.8 there you need to update the software. Manual update checks are available via Help > Check for Updates. It is likely that the developers will enable automatic updates soon.

VLC 1.1.9 includes an update for the libmodplug which is security related as well.

Microsoft is currently pushing out a Windows Update that addresses the situation on Windows. Lets take a closer look at what actually happened before we go into details about that.

Comodo, a certification authority, notified Microsoft and other companies on March 16 that “nine certificates had been signed on behalf of a third party without sufficiently validating its identity”.

The following domains are affected by the certificates:

• login.live.com
• mail.google.com
• www.google.com
• login.yahoo.com
• login.skype.com
• addons.mozilla.org
• Global Trustee

These domains are some of the most visited domains on the Internet.

Microsoft notes that “these certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer”.

Comodo has revoked the certificates in the meantime. Microsoft has released a security update for all versions of Windows that moves the fraudulent certificates into the untrusted certificate store of Microsoft Windows.

The update is provided via Windows Update and Microsoft Download. Users with automatic updating enabled will receive the update automatically, a restart of the system is not required after the update has been installed.

• Microsoft Security Advisory: Fraudulent Digital Certificates could allow spoofing at Microsoft Download [link] for direct downloading.
• Security Advisory [link]

Here is how you can verify that the certificates are blocked after you have installed the update. Open an elevated command prompt. Windows 7 users click on Start, select All Programs > Accessories, right-click the Command Prompt program link and select Run as Administrator.

Enter mmc in the command prompt window to launch the Microsoft Management Console. Now follow these steps:

• Press Ctrl-m or select File > Add / Remove Snap In
• Find Certificates in the listing, select it with a left-click and click on Add.

• Select Computer Account on the next window and press Finish
• Click the ok button to leave the Add or Remove Snap-ins configuration window.
• Expand the certificates listing under Console Root and then the Untrusted Certificates sub-listing. Click on the Certificates folder there.

You should now see the affected domain names in the listing. Issued by should read UTN-USERFirst-Hardware.

System administrators can select a known computer name or enter an IP address and port during configuration of the analyzer. It is furthermore possible to select the multi-scan option which allows the admin to specify an IP range for the scan. Various options are provided in the configuration menu that basically configure the depth of the scan. It will by default check for Windows administrative vulnerabilities, weak passwords, IIS administrative vulnerabilities, SQL administrative vulnerability and security updated with addition options selectable for advanced usage.

The security assessment report will then display if security risks have been found during the scan. These risks will be displayed in an overview at the top of the report which gives an option to quickly look over the findings of the software program. Each section outlines what the program scanned, gives details about the results and offers solutions to correct the issues that were found.

To give one basic example. If the program finds that security updates are missing it will display those missing updates with options to download them right away. Microsoft Baseline Security Analyzer is a free download for all Microsoft operating systems since Windows 2000 including Windows XP, Windows Vista and Windows 7. The program is available for 32-bit and 64-bit editions.

The new version of Opera is a recommended security upgrade which fixes two security issues. The first fixes an issue where History Search could be used to execute arbitrary code while the second ensures that the links panel no longer allows cross-site scripting. The only other addition is the incorporation of the Opera Presto 2.1.1 user agent engine.

Opera users should upgrade the browser as soon as possible to secure the browser from those reported vulnerabilities.