Microsoft has released two extra security bulletins out of their normal monthly patch cycle:
MS09-034: Cumulative Security Update for Internet Explorer (972260)
MS09-035:Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)
Update MS09-034 is categorized as critical while MS09-035 update is categorized as moderate.
Updated security bulletin summary for July 2009 can be found here.
Tuesday, July 28, 2009
Thursday, July 23, 2009
Unpatched Vulnerabilities In Adobe Reader, Acrobat And Flash Player
Adobe has published a security advisory regarding critical unpatched vulnerability in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems.
Adobe expects to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). They expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows and Macintosh by July 31, 2009 (the date for Adobe Reader for UNIX is still pending).
While waiting for the update users may mitigate the threat by following the instructions given in the advisory.
Adobe will release updated information in its Adobe Product Security Incident Response Team blog.
Adobe expects to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). They expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows and Macintosh by July 31, 2009 (the date for Adobe Reader for UNIX is still pending).
While waiting for the update users may mitigate the threat by following the instructions given in the advisory.
Adobe will release updated information in its Adobe Product Security Incident Response Team blog.
Update For Firefox 3.0.x Available
Mozilla has released new update for older 3.0.x series of its web browser. Version 3.0.12 fixes six vulnerabilities of which five are categorized as critical and one as important.
Update can be obtained by using inbuilt updater of Firefox or by downloading it here.
Mozilla continues supporting Firefox 3.0.x series with security and stability updates until January 2010. All users are recommended to upgrade to Firefox 3.5 version.
Version 3.0.12 Release Notes
Update can be obtained by using inbuilt updater of Firefox or by downloading it here.
Mozilla continues supporting Firefox 3.0.x series with security and stability updates until January 2010. All users are recommended to upgrade to Firefox 3.5 version.
Version 3.0.12 Release Notes
Tuesday, July 21, 2009
Malicious Spam Spread Under Swine Flu Theme
Swine flu is one of the biggest discussion topics in the world at the moment. Criminals are taking advantage of this too. F-Secure reports about malicious file spreading in emails. The file is named as Novel H1N1 Flu Situation Update.exe and icon is made to look like a Word document file. When opened, the file creates a few new files of which the executables contain backdoor functionality, including keylogger.
Friday, July 17, 2009
Firefox Version 3.5.1 Available
Mozilla has released update for its Firefox web browser. New version contains a fix to vulnerability in Just-in-time (JIT) JavaScript compiler. Affected is Firefox version 3.5.
Update can be obtained thru the browser's in-built updater or from Firefox download site.
Release notes for Firefox 3.5.1
Update can be obtained thru the browser's in-built updater or from Firefox download site.
Release notes for Firefox 3.5.1
Wednesday, July 15, 2009
Unpatched vulnerability In Firefox 3.5
There has been found an unpatched vulnerability in Firefox 3.5. The vulnerability exists in Just-in-time (JIT) JavaScript compiler and it can be used to execute malicious code. To exploit vulnerability an attacker has to trick user to open specially crafted web page containing the exploit code.
Mozilla offers two methods to workaround the problem until patch is available:
1) Temporary disabling the javascript.options.jit.content setting in about:config
2) Windows users can disable JIT by running Firefox in safe mode. This can be done by selecting Mozilla Firefox (Safe Mode) from the Mozilla Firefox folder.
The third method would be to disable Javascript by default by using NoScript add-on for Firefox.
More information:
http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
http://isc.sans.org/diary.html?storyid=6796
http://www.h-online.com/security/First-Zero-Day-Exploit-for-Firefox-3-5--/news/113761
Mozilla offers two methods to workaround the problem until patch is available:
1) Temporary disabling the javascript.options.jit.content setting in about:config
2) Windows users can disable JIT by running Firefox in safe mode. This can be done by selecting Mozilla Firefox (Safe Mode) from the Mozilla Firefox folder.
The third method would be to disable Javascript by default by using NoScript add-on for Firefox.
More information:
http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
http://isc.sans.org/diary.html?storyid=6796
http://www.h-online.com/security/First-Zero-Day-Exploit-for-Firefox-3-5--/news/113761
Updates For July From Microsoft
Microsoft has released security updates for July. The release contains six packets. Three of those are categorized as critical:
and other three as important:
New version of Microsoft Windows Malicious Software Removal Tool was released too.
More information of the update and its contents can be read from here.
For consumer the easist way to get the update is to use Microsoft Update service.
- MS09-029: Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)
- MS09-028: Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
- MS09-032: Cumulative Security Update of ActiveX Kill Bits (973346)
and other three as important:
- MS09-033: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856)
- MS09-031: Vulnerability in Microsoft ISA Server 2006 Could Cause Elevation of Privilege (970953)
-MS09-030: Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (969516)
New version of Microsoft Windows Malicious Software Removal Tool was released too.
More information of the update and its contents can be read from here.
For consumer the easist way to get the update is to use Microsoft Update service.
Tuesday, July 14, 2009
Critical Patch Update From Oracle
Oracle has released updates that contains fixes to 30 different security vulnerabilities. The fixes are part of the company's quarterly CPU (critical patch update). Of the updates 10 are for Oracle Database, two for Oracle Secure Backup, two for Oracle Application Server, five for Oracle E-Business Suite and Applications, two for Oracle Enterprise Manager, three for PeopleSoft Enterprise and JDEdwards Suite, one for Oracle Siebel Suite and five updates for BEA Products Suite.
Exact list of the vulnerabilities and instructions how to apply the fixes can be read from Oracle's Critical Patch Update Advisory.
Next critical patch update Oracle plans to release 13 October 2009.
Exact list of the vulnerabilities and instructions how to apply the fixes can be read from Oracle's Critical Patch Update Advisory.
Next critical patch update Oracle plans to release 13 October 2009.
Vulnerability In Microsoft Office Web Components
Microsoft is investigating a privately reported vulnerability in Microsoft Office Web Components. If successfully exploited, the vulnerability could give an attacker same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.
Affected products are:
- Microsoft Office XP Service Pack 3
- Microsoft Office 2003 Service Pack 3
- Microsoft Office XP Web Components Service Pack 3
- Microsoft Office 2003 Web Components Service Pack 3
- Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1
- Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
- Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
- Microsoft Internet Security and Acceleration Server 2006
- Internet Security and Acceleration Server 2006 Supportability Update
- Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
- Microsoft Office Small Business Accounting 2006
Customers may prevent the Microsoft Office Web Components from running in Internet Explorer either manually, using the instructions in the Workaround section of the advisory, or automatically, using the solution found in Microsoft Knowledge Base Article 973472.
More information:
Microsoft Security Response Center (MSRC) Blog
Microsoft Security Research & Defense Blog
Affected products are:
- Microsoft Office XP Service Pack 3
- Microsoft Office 2003 Service Pack 3
- Microsoft Office XP Web Components Service Pack 3
- Microsoft Office 2003 Web Components Service Pack 3
- Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1
- Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
- Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
- Microsoft Internet Security and Acceleration Server 2006
- Internet Security and Acceleration Server 2006 Supportability Update
- Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
- Microsoft Office Small Business Accounting 2006
Customers may prevent the Microsoft Office Web Components from running in Internet Explorer either manually, using the instructions in the Workaround section of the advisory, or automatically, using the solution found in Microsoft Knowledge Base Article 973472.
More information:
Microsoft Security Response Center (MSRC) Blog
Microsoft Security Research & Defense Blog
Thursday, July 9, 2009
Version 4.0.2 For Safari Available
Apple has released version 4.0.2 of its Safari web browser. New version fixes two vulnerabilities:
Windows version users can get the latest version from Apple Downloads.
* WebKit
CVE-ID: CVE-2009-1724
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: An issue in WebKit's handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects.
* WebKit
CVE-ID: CVE-2009-1725
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references. Credit to Chris Evans for reporting this issue.
Windows version users can get the latest version from Apple Downloads.
Monday, July 6, 2009
Vulnerability In Microsoft DirectShow
There has been found a vulnerability in msvidctl component of Microsoft DirectShow. According to CSIS the vulnerability is actively being exploited through drive-by attacks using thousands of newly compromised web sites.
There isn't a patch available for the vulnerability yet. As a work around, the vulnerable msvidctl.dll component can be stopped from running in Internet Explorer by setting a kill bit for it by using following registry fix (it's recommended to always backup registry before making any modifications to it):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
More information:
Sans
SecurityFocus
There isn't a patch available for the vulnerability yet. As a work around, the vulnerable msvidctl.dll component can be stopped from running in Internet Explorer by setting a kill bit for it by using following registry fix (it's recommended to always backup registry before making any modifications to it):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
More information:
Sans
SecurityFocus
Saturday, July 4, 2009
Waledac Independence Day Theme Campaign In The Wild
There's a Waledac campaign going on under Independence Day theme. According to Websense, malicious email messages that are sent use subjects and content related to Independence Day, Fourth of July and fireworks shows.
The malicious Web sites in the current attack also have a July 4 or fireworks theme within the domain name. Sites look like YouTube site with a video on it. When user clicks the video (s)he is offered an .exe file that would install the latest variant of Waledac.
Source
The malicious Web sites in the current attack also have a July 4 or fireworks theme within the domain name. Sites look like YouTube site with a video on it. When user clicks the video (s)he is offered an .exe file that would install the latest variant of Waledac.
Source
Thursday, July 2, 2009
Firefox 3.5 Released
Subscribe to:
Posts (Atom)