Tuesday, November 10, 2009

November 2009 Updates From Microsoft

Microsoft has released its monthly security update package. The November 2009 release contains six updates, of which three are rated critical and three important.

Critical updates:
MS09-063: Vulnerability in Web Services on Devices API Could Allow Remote Code Execution (973565)
MS09-064: Vulnerability in License Logging Server Could Allow Remote Code Execution (974783)
MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)


Important updates:
MS09-066: Vulnerability in Active Directory Could Allow Denial of Service (973309)
MS09-067: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652)
MS09-068: Vulnerability in Microsoft Office Word Could Allow Remote Code Execution (976307)


A new version of the Microsoft Windows Malicious Software Removal Tool was released too.

More information about the update package and its contents can be read here.

For consumers, the easiest way to get the updates is to use the Microsoft Update service.

Monday, November 9, 2009

Google Reader Abused By Koobface

Jonell Baltazar, Advanced Threats Researcher at Trend Micro, writes in the company's blog that the bad guys behind Koobface are using Google's Google Reader service to spread malicious links on social networking sites such as Facebook, MySpace, and Twitter.

"The Koobface gang used controlled Google Reader accounts to host URLs containing an image that resembles a flash movie. These URLs are spammed through the said social networks. When the user clicks the image or the title of the shared content, it leads to the all too familiar fake YouTube page that hosts the Koobface downloader component", Baltazar writes.

The whole blog post can be read here.

Wednesday, November 4, 2009

Adobe Shockwave Player Updated

A new version of Adobe Shockwave Player has been released. Version 11.5.2.602 fixes critical vulnerabilities that could allow an attacker who successfully exploits them to run malicious code on the affected system.

Adobe recommends Shockwave Player users on Windows uninstall Shockwave version 11.5.1.601 and earlier on their systems, restart, and install Shockwave version 11.5.2.602.

More information:
Adobe's security bulletin

New Java Update Released

Sun has released an update for Java SE Runtime Environment (JRE) 6. The JRE allows end users to run Java applications. The latest update can be downloaded from Sun's Java SE Downloads site.

More information about the contents of the update can be found in the Release Notes of Java SE 6 Update 17.

Java users are recommended to update to the latest version available.

Monday, November 2, 2009

In-depth Analysis of Bredolab

David Sancho, Senior Threat Researcher at Trend Micro, has written an interesting in-depth analysis of the Bredolab malware and its connections to the FakeAV and Zeus/Zbot malware families. The report, "You Scratch My Back…BREDOLAB’s Sudden Rise in Prominence", can be downloaded here.

Thursday, October 29, 2009

Security And Stability Patch For Opera Available

Opera Software has released a patch for its Opera web browser. Version 10.01 fixes a few security issues, the most severe of which could allow execution of arbitrary code.

The changelog for the Windows version can be read here.

Wednesday, October 28, 2009

New Updates For Firefox

Mozilla has released new updates for Firefox 3.5.x and the older 3.0.x versions. Version 3.5.4 fixes 11 vulnerabilities, of which six are categorized as critical, three as moderate and two as low. Update 3.0.15, meant for the older 3.0.x series, fixes ten vulnerabilities, of which five are categorized as critical, three as moderate and two as low.

The update can be obtained by using Firefox's built-in updater or by downloading it manually.

Download links and related extra information:
Release notes for 3.5.4 version
Release notes for 3.0.15 version

Mozilla recommends that users of the 3.0.x series switch to the 3.5.x series. Security and stability updates for 3.0.x versions will be released until January 2010.