Tuesday, September 28, 2010
Out of Band Update For ASP.net Issue
Microsoft is going to release an out-of-band update to address the issue described in Security Advisory 2416728. The patch is scheduled to be released on Tuesday, September 28, 2010. More information can be read from the related entry on the Microsoft Security Response Center (MSRC) blog.
Hotmail Security Updates To Prevent From Account Hijacking
Microsoft has made some security updates to their popular Hotmail web mail service. Given how often people post to antimalware forums asking for help with hijacked accounts that are sending spam, these new improvements will likely be nothing but a positive thing. Details about the new security features can be read from the Windows Live blog.
Tuesday, September 21, 2010
"MouseOver" Security Flaw On Twitter
"A new Twitter security flaw has been widely exploited on thousands of Twitter accounts, redirecting users to third-party websites without their consent.
The bug is particularly nasty because it works on mouseover only, meaning pop-ups and third-party websites can open even if you just move your mouse over the offending link.
For now, the best course of action is using only third-party apps such as TweetDeck to access Twitter, as the bug only seems to affect Twitter’s web interface."
More information > http://mashable.com/2010/09/21/twitter-mouseover-bug/
Saturday, September 18, 2010
Unpatched Vulnerability In ASP.NET
Microsoft is investigating a public report about a vulnerability in ASP.NET. By exploiting the vulnerability an attacker may be able to view data encrypted by the vulnerable server or read data from files on the vulnerable target server.
More information:
- http://www.microsoft.com/technet/security/advisory/2416728.mspx
- http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
- http://blogs.technet.com/b/msrc/archive/2010/09/17/security-advisory-2416728-released.aspx
Thursday, September 16, 2010
QuickTime 7.6.8 Released
Apple has released a new version of QuickTime. Version 7.6.8 contains fixes for two vulnerabilities that could be exploited to run arbitrary code on the target system:
QuickTime users with a version older than 7.6.8 should update to the latest one available.
More information about the security content of QuickTime 7.6.8 can be read here.
Wednesday, September 15, 2010
Microsoft Security Updates For September 2010
Microsoft has released security updates for September 2010. This month's release contains nine updates, of which four are categorized as critical and five as important.
A new version of the Windows Malicious Software Removal Tool (MSRT) was released too.
More information can be read from the bulletin summary.
For consumers the easiest way to get the updates is to use the Microsoft Update service.
Tuesday, September 14, 2010
New Vulnerability In Adobe Products
Just a few days ago I blogged about an unpatched vulnerability affecting Adobe Reader and Acrobat. Unfortunately, another critical unpatched vulnerability has been found in Adobe's products. This vulnerability (CVE-2010-2884) affects Flash Player, Adobe Reader and Adobe Acrobat. By exploiting the vulnerability an attacker may be able to cause a crash or execute arbitrary code on the affected system. According to reports, the Flash Player vulnerability is being actively exploited in the wild. Adobe says that they are not aware of any attacks exploiting this new vulnerability against Adobe Reader or Acrobat at the moment.
Affected software:
-Adobe Flash Player 10.1.82.76 and earlier
-Adobe Reader 9.3.4 and earlier versions
-Adobe Acrobat 9.3.4 and earlier versions
There are no patches available yet. To avoid exploitation, users of the affected versions are advised to keep their antivirus definitions updated and open Flash (SWF) files from reliable sources only.
Adobe plans to ship an update for Flash Player during the week of September 27, 2010 and for Adobe Reader and Acrobat during the week of October 4, 2010.
More information in the security advisory.
Labels: acrobat, adobe, flash, pdf reader, security, vulnerability
Thursday, September 9, 2010
Critical Vulnerability In Adobe Reader and Acrobat
A critical vulnerability has been found in Adobe Reader and Acrobat. The vulnerability (CVE-2010-2883) is related to font handling; it could cause a crash and potentially allow an attacker to take control of the affected system. The vulnerability is being actively exploited in the wild.
Affected are:
-Adobe Reader 9.3.4 and earlier versions
-Adobe Acrobat 9.3.4 and earlier versions
There is no patch available yet. To avoid exploitation, users of the affected versions are advised to keep their antivirus definitions updated and open PDF files from reliable sources only.
More information in Adobe's security advisory.
Security Updates From Mozilla
Mozilla has released security bulletins for issues found in some of their products. Ten of the fixed vulnerabilities are categorized as critical, two as high, one as moderate and two as low.
Critical:
MFSA 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)
MFSA 2010-50 Frameset integer overflow vulnerability
MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array
MFSA 2010-52 Windows XP DLL loading vulnerability
MFSA 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText
MFSA 2010-54 Dangling pointer vulnerability in nsTreeSelection
MFSA 2010-56 Dangling pointer vulnerability in nsTreeContentView
MFSA 2010-57 Crash and remote code execution in normalizeDocument
MFSA 2010-58 Crash on Mac using fuzzed font in data: URL
MFSA 2010-59 SJOW creates scope chains ending in outer object
High:
MFSA 2010-60 XSS using SJOW scripted function
MFSA 2010-61 UTF-7 XSS by overriding document charset using <object> type attribute
Moderate:
MFSA 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS
Low:
MFSA 2010-55 XUL tree removal crash and remote code execution
MFSA 2010-63 Information leak via XMLHttpRequest statusText
Fresh versions can be obtained via the built-in updater or by downloading from the product site:
Firefox
Thunderbird
SeaMonkey
Labels: Firefox, Mozilla, seamonkey, security, thunderbird, update, vulnerability
Wednesday, September 8, 2010
Security Updates For Safari
Apple has released new versions of their Safari web browser. The new versions contain fixes for three different vulnerabilities, which may lead to unexpected application termination or allow an attacker to execute arbitrary code on the affected system.
Affected are Safari versions earlier than 5.0.2 or 4.1.2. Users of vulnerable Safari versions can get the latest version here.
More information on the security content of versions 5.0.2 and 4.1.2 can be read here.
Thursday, September 2, 2010
iTunes 10 Available
Apple has released version 10 of their iTunes media player. The new version fixes a number of security vulnerabilities, some of which allow an attacker to execute arbitrary code on the target system.
More information about the security content of iTunes 10 can be read from the related security advisory.
Users of old versions should update to the latest one available.
RealNetworks Patches RealPlayer
RealNetworks has released an updated version of their RealPlayer. The new version contains fixes for seven vulnerabilities:
CVE-2010-2996
RealPlayer malformed IVR pointer index code execution vulnerability.
Affected software: Windows RealPlayer 11.1 and prior.
CVE-2010-3002
RealPlayerActiveX unauthorized file access vulnerability.
Affected software: Windows RealPlayer 11.1 and prior.
CVE-2010-0116
RealPlayer QCP files parsing integer overflow vulnerability.
Affected software: Windows RealPlayer SP 1.1.4 and prior.
CVE-2010-0117
RealPlayer processing of dimensions in the YUV420 transformation of MP4 content vulnerability.
Affected software: Windows RealPlayer SP 1.1.4 and prior.
CVE-2010-0120
RealPlayer QCP parsing heap-based buffer overflow vulnerability.
Affected software: Windows RealPlayer SP 1.1.4 and prior.
CVE-2010-3001
RealPlayer ActiveX IE Plugin vulnerability opening multiple browser windows.
Affected software: Windows RealPlayer SP 1.1.4 and prior.
CVE-2010-3000
RealPlayer FLV parsing multiple integer overflow vulnerability.
Affected software: Windows RealPlayer SP 1.1.4 and prior.
Users of affected versions are advised to update their RealPlayer to the latest one available. More information can be read from the related security advisory.
Wednesday, September 1, 2010
Vulnerability In Apple QuickTime ActiveX Component
A vulnerability has been found in the QTPlugin.ocx ActiveX component of Apple QuickTime. The vulnerability may allow arbitrary code execution on vulnerable installations of Apple QuickTime. It can be exploited by luring a user to visit a malicious site or open a malicious file.
Vulnerable are the Apple QuickTime 7.x and 6.x series (including versions released in 2004; older ones were not checked) on Windows XP, Windows Vista and Windows 7 when Internet Explorer is in use. At the moment there is no patch available, but the vulnerable control can be blocked by setting a kill bit on CLSID {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} or by renaming the QTPlugin.ocx file.
More information:
http://www.securityfocus.com/archive/1/513444
http://www.exploit-db.com/exploits/14843/
http://www.techworld.com.au/article/358857/old_apple_quicktime_code_puts_ie_users_harm_way
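The kill-bit workaround from the post, as an added example that is not part of the original entry: the CLSID is the one quoted above, while the registry location and the 0x400 "Compatibility Flags" value are the ones Microsoft documents for ActiveX kill bits (KB240797). It assumes an elevated PowerShell prompt and only sets and then verifies the bit; Internet Explorer must be restarted for it to take effect.

```powershell
# Added example (not from the original post): set the Internet Explorer kill bit
# for the QuickTime QTPlugin.ocx control named in the post, then verify it.
# Registry path and the 0x400 flag come from Microsoft's kill-bit documentation
# (KB240797). Run from an elevated PowerShell prompt.

$Clsid   = '{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}'   # CLSID quoted in the post
$KillBit = 0x400                                       # kill-bit value in "Compatibility Flags"

# 32-bit IE on 64-bit Windows reads the Wow6432Node hive, so cover both where present.
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

foreach ($Path in $Paths) {
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # Preserve any flags already present and OR in the kill bit.
    $Existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $Existing) { $Existing = 0 }
    $NewValue = [int]($Existing -bor $KillBit)
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $NewValue -Type DWord
}

# Verification: each path should now report the kill bit as set.
foreach ($Path in $Paths) {
    $Flags   = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags').'Compatibility Flags'
    $Blocked = ($Flags -band $KillBit) -ne 0
    Write-Output ('{0}: Compatibility Flags=0x{1:X} kill bit set={2}' -f $Path, $Flags, $Blocked)
}
```

Setting the kill bit blocks the control in Internet Explorer only; the file-rename alternative in the post also covers other hosts that load QTPlugin.ocx.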