Friday, April 17, 2015

Adobe Flash Player Update Available

Adobe have released an updated version of their Flash Player. The new version fixes critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Affected versions:
- Users of Adobe Flash Player 17.0.0.134 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 17.0.0.169

- Users of Adobe Flash Player 11.2.202.451 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.457

- Flash Player integrated with Google Chrome will be updated by Google via Chrome update

- Flash Player integrated with Internet Explorer 10 and 11 (on Windows 8.x) will be updated via Windows Update

More information is available in Adobe's security bulletin.

Google Chrome Updated

Google have released version 42.0.2311.90 of their Chrome web browser. Among other changes, the new version contains fixes for 45 security issues.

More information about these is available in the Google Chrome Releases blog.

Microsoft Security Updates For April 2015

Microsoft have released security updates for April 2015. This month's update contains 11 security bulletins, of which four are categorized as critical and seven as important.

A new version of the Windows Malicious Software Removal Tool (MSRT) was released too.

More information is available in the bulletin summary.

Friday, April 10, 2015

Websense Security Labs 2015 Threat Report

Websense Security Labs has published their annual Threat Report analysing threats in the cyber landscape.

There are eight trends definitely worth noting due to the significant risk they pose for data theft this year. These are reviewed across two categories: Human Behavioral Trends and Technique-based Trends, to examine who’s doing what and how they are doing it. Each of the two categories will look at 4 topics of interest, to include data on:

Cybercrime Just Got Easier: In this age of MaaS (Malware-as-a-Service), even entry-level threat actors can successfully create and launch data theft attacks due to greater access to exploit kits for rent, MaaS, and other opportunities to buy or subcontract portions of a complex, multi-stage attack. We review how 99.3 percent of malicious files used a Command & Control URL that has been previously used by one or more other malware samples and what this means for an attacker and a defender.

Something New or Déjà Vu?: Threat actors are blending old tactics, such as macros, in unwanted email with new evasion techniques. Old threats are being “recycled” into new threats launched through email and web channels, challenging the most robust defensive postures. We review how a business can adapt to protect itself from increasingly advanced threats and capable threat actors.

Digital Darwinism - Surviving Evolving Threats: Threat actors have focused on the quality of their attacks rather than quantity. Websense Security Labs observed 3.96 billion security threats in 2014, which was 5.1 percent less than 2013. Yet, the numerous breaches of high-profile organizations with huge security investments attest to the effectiveness of last year’s threats. We review what has changed in the threat landscape and what actions businesses can take to bolster their security posture.

Additional topics include how to face the challenge presented by the IT security skills shortage, how to build on infrastructure made brittle by OpenSSL Heartbleed and similar vulnerabilities, and how to handle the difficulties in correctly attributing an attack to an adversary.

The report can be downloaded here.

Vulnerabilities in Firefox fixed

Mozilla has released a new version of the Firefox web browser fixing two issues, of which one is rated critical and one high (the latter affecting only Firefox for Android and pre-release versions of desktop Firefox).

Affected products are:
- Mozilla Firefox earlier than 37.0.1

Links to the security advisories with details about addressed security issues:
MFSA 2015-44 Certificate verification bypass through the HTTP/2 Alt-Svc header
MFSA 2015-43 Loading privileged content through Reader mode

Fresh versions can be obtained via the built-in updater or by downloading from the product site.

Thursday, April 2, 2015

Mozilla Product Updates Released

Mozilla have released updates to the Firefox browser and Thunderbird email client to address a bunch of vulnerabilities, of which four are categorized as critical, two as high, five as moderate and two as low.

Affected products are:
- Mozilla Firefox earlier than 37
- Mozilla Firefox ESR earlier than 31.6
- Mozilla Thunderbird earlier than 31.6

Links to the security advisories with details about addressed security issues:
MFSA 2015-42 Windows can retain access to privileged content on navigation to unprivileged pages
MFSA 2015-41 PRNG weakness allows for DNS poisoning on Android
MFSA 2015-40 Same-origin bypass through anchor navigation
MFSA 2015-39 Use-after-free due to type confusion flaws
MFSA 2015-38 Memory corruption crashes in Off Main Thread Compositing
MFSA 2015-37 CORS requests should not follow 30x redirections after preflight
MFSA 2015-36 Incorrect memory management for simple-type arrays in WebRTC
MFSA 2015-35 Cursor clickjacking with flash and images
MFSA 2015-34 Out of bounds read in QCMS library
MFSA 2015-33 resource:// documents can load privileged pages
MFSA 2015-32 Add-on lightweight theme installation approval bypassed through MITM attack
MFSA 2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
MFSA 2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)

Fresh versions can be obtained via the built-in updater or by downloading from the product site:
Firefox
Thunderbird

Google Chrome Updated

Google have released version 41.0.2272.118 of their Chrome web browser. Among other changes, the new version contains fixes for 4 security issues.

More information about these is available in the Google Chrome Releases blog.