Thursday, October 28, 2010

Mozilla Security Patch On Critical Vulnerability

Mozilla has released a new update to address a critical vulnerability present in several of its products.

Updated versions can be obtained via the built-in updater or downloaded from the product sites:
Firefox
Thunderbird
SeaMonkey

Sunday, October 24, 2010

Critical Unpatched Vulnerability In Adobe Shockwave Player

A critical vulnerability has been found in Adobe Shockwave Player. The vulnerability (CVE-2010-3653) could cause a crash and potentially allow an attacker to take control of the affected system. Details of the vulnerability have been disclosed publicly, but Adobe states that it is not aware of any attacks exploiting it at the moment.

Adobe's security advisory can be read here. Also, Secunia has an advisory available.

Saturday, October 23, 2010

Google Patches Vulnerabilities In Chrome

Google has released a new version of its Chrome web browser. Version 7.0.517.43 fixes ten vulnerabilities (two affecting Linux only), of which one is rated critical, five high, two medium and two low.

More information is available in the Google Chrome Releases blog.

Wednesday, October 20, 2010

Mozilla Updates

Mozilla has released security advisories for issues found in some of its products. Of the fixed vulnerabilities, five are rated critical, two high, one moderate and one low.

Critical:
MFSA 2010-64 Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)
MFSA 2010-65 Buffer overflow and memory corruption using document.write
MFSA 2010-66 Use-after-free error in nsBarProp
MFSA 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter
MFSA 2010-71 Unsafe library loading vulnerabilities

High:
MFSA 2010-68 XSS in gopher parser when parsing hrefs
MFSA 2010-69 Cross-site information disclosure via modal calls

Moderate:
MFSA 2010-70 SSL wildcard certificate matching IP addresses

Low:
MFSA 2010-72 Insecure Diffie-Hellman key exchange
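MFSA 2010-70 concerns the rule that a wildcard in a certificate name covers DNS names only, never a connection made directly to an IP address, even when the dotted labels happen to line up. The following matcher is an added example written for this page, not Mozilla or NSS code, and it makes no claim about how the original bug was triggered; it implements the general RFC 2818/RFC 6125 rules for name matching (wildcard only as the whole left-most label, at least two further labels, IP literals matched only against iPAddress entries). The certificate is represented as a constructed dict with "dns" and "ip" lists standing in for Subject Alternative Name entries; that representation is an assumption of the example.

```python
"""Hostname matching that refuses to let wildcard certificate names cover IP literals.

Added example (not Mozilla/NSS code). A pattern such as "*.1.2.3" must not
match a connection to 10.1.2.3: dNSName patterns apply to DNS names only,
and an IP literal is matched solely against iPAddress entries.
"""
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, 1-63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals, i.e. what the user typed into the address bar."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _valid_dns_name(name: str) -> bool:
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(lab) for lab in labels)


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName pattern (CN or SAN entry) against the requested host.

    - An IP literal is never matched here, wildcard or not.
    - A wildcard is accepted only as the entire left-most label, and the
      pattern must keep at least two more labels, so "*.com" and
      "f*o.example.com" are rejected and "*.example.com" matches exactly
      one label (not "a.b.example.com").
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if is_ip_literal(host):
        return False  # dNSName entries never cover connections to an IP address
    if not _valid_dns_name(host):
        return False
    if "*" not in pattern:
        return pattern == host
    plabels = pattern.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in lab for lab in plabels[1:]):
        return False
    hlabels = host.split(".")
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def cert_matches_host(cert: dict, host: str) -> bool:
    """cert is a constructed dict {"dns": [...], "ip": [...]} standing in for SAN entries."""
    if is_ip_literal(host):
        want = ipaddress.ip_address(host.strip("[]"))
        return any(ipaddress.ip_address(ip) == want for ip in cert.get("ip", []))
    return any(dns_name_matches(p, host) for p in cert.get("dns", []))


if __name__ == "__main__":
    # Constructed certificate: wildcard that visually lines up with an IP address.
    cert = {"dns": ["*.1.2.3", "*.example.com"], "ip": []}
    print(cert_matches_host(cert, "10.1.2.3"))        # False: IP literal, no iPAddress entry
    print(cert_matches_host(cert, "www.example.com"))  # True
```

The check that matters for the advisory class is the early return in dns_name_matches(): the decision "is this an IP literal?" is made before any label comparison, so a wildcard can never be stretched over an address by coincidence of label count.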


Updated versions can be obtained via the built-in updater or downloaded from the product sites:
Firefox
Thunderbird
SeaMonkey

Monday, October 18, 2010

Security Updates For RealPlayer

RealNetworks has released an updated version of RealPlayer. The new version contains fixes for seven vulnerabilities:

CVE-2010-2998
RealPlayer Malformed IVR Pointer Index Code Execution Vulnerability
Affected software: Windows RealPlayer SP 1.0.1 and prior.

CVE-2010-3747
RealPlayer ActiveX Control CDDA URI Uninitialized Pointer Vulnerability
Affected software: Windows RealPlayer SP 1.1.4 and prior; RealPlayer Enterprise 2.1.2 and prior.

CVE-2010-3750
RealPlayer RJMDSections Remote Code Execution Vulnerability
Affected software: Windows RealPlayer SP 1.1.4 and prior; RealPlayer Enterprise 2.1.2 and prior.

CVE-2010-2578
RealPlayer QCP Parsing Heap-Based Buffer Overflow Vulnerability
Affected software: Windows RealPlayer SP 1.1.4 and prior; RealPlayer Enterprise 2.1.2 and prior.

CVE-2010-3751
RealPlayer ActiveX Control Multiple Protocol Handlers Remote Code Execution Vulnerability
Affected software: Windows RealPlayer SP 1.1.4 and prior.

CVE-2010-3748
RealPlayer RichFX Component Stack Overflow Vulnerability
Affected software: Windows RealPlayer SP 1.1.4 and prior; RealPlayer Enterprise 2.1.2 and prior.

CVE-2010-3749
RealPlayer Browser Extension RecordClip Parameter Injection Vulnerability
Affected software: Windows RealPlayer SP 1.1 and prior.


Users of affected versions are advised to update RealPlayer to the latest version available. More information can be found in the related security advisory.

Wednesday, October 13, 2010

Opera Updated

Opera Software has released an update for its Opera web browser. Version 10.63 contains fixes for five security vulnerabilities.

critical:
* Fixed an issue with reloads and redirects that could allow spoofing and cross-site scripting; advisory.

moderate:
* Fixed an issue that allowed cross-domain checks to be bypassed, allowing limited data theft using CSS, as reported by Isaac Dawson; advisory.
* Fixed an issue that allowed private video streams to be intercepted, as reported by Nirankush Panchbhai of Microsoft Vulnerability Research; advisory.
* Fixed an issue that caused JavaScript to run in the wrong security context after manual interaction; advisory.

low:
* Fixed an issue where manipulating the window could be used to spoof the page address; advisory.


Opera users are strongly recommended to update to version 10.63. The new version can be downloaded here.

Changelog for the Windows version

Java Security Update Available

Oracle has released an update for Java SE and Java for Business. The update fixes 29 security vulnerabilities, of which 28 may be remotely exploitable without authentication, i.e., exploitable over a network without a username and password.

Affected versions are:
- Java SE:
• JDK and JRE 6 Update 21 and earlier for Windows, Solaris, and Linux
• JDK 5.0 Update 25 and earlier for Solaris
• SDK 1.4.2_27 and earlier for Solaris

- Java for Business:
• JDK and JRE 6 Update 21 and earlier for Windows, Solaris and Linux
• JDK and JRE 5.0 Update 25 and earlier for Windows, Solaris and Linux
• SDK and JRE 1.4.2_27 and earlier for Windows, Solaris and Linux

More information about the update can be found in the Java Critical Patch Update document.

Java users are advised to update to the latest version available.

Big Bunch of Patches To Oracle Products

Oracle has released fixes for 85 security vulnerabilities as part of its quarterly Critical Patch Update (CPU).

A detailed list of the vulnerabilities with patching instructions can be found in the Oracle CPU advisory.

The next Oracle CPU is planned to be released in January 2011.

Tuesday, October 12, 2010

Microsoft Security Updates For October 2010

Microsoft has released its security updates for October 2010. This month's release is large, containing 16 bulletins, of which four are rated critical, ten important and two moderate.

A new version of the Windows Malicious Software Removal Tool (MSRT) was released as well.

More information can be read from the bulletin summary.

For consumers, the easiest way to get the updates is via the Microsoft Update service.

Sunday, October 10, 2010

Global Threat Trends Report From Trend Micro

Trend Micro has released a report on global threat trends. The report, covering January to June 2010, looks at various cybercrime incidents, criminals' use of multiple tools (e.g. botnets), and the threat trends and activity currently causing cost and disruption to connected users globally.

The report can be found here.

Wednesday, October 6, 2010

Adobe Reader And Acrobat Update

Adobe has released a large batch of security updates for Adobe Reader and Adobe Acrobat.

Affected versions:
Adobe Reader 9.3.4 and earlier versions
Adobe Acrobat 9.3.4 and earlier versions

Users of vulnerable versions are advised to update either via the automatic update functionality or by downloading a fresh version manually. The default installation configuration runs automatic updates on a regular schedule; an update check can also be started manually by choosing Help > Check for Updates.

Those who want to upgrade manually can download the latest versions from the links below:
Adobe Reader
Acrobat Standard and Pro
Acrobat Pro Extended
Acrobat 3D


More information about the fixed vulnerabilities can be found in Adobe's security bulletin.

Sunday, October 3, 2010

MessageLabs Intelligence Report: September 2010

MessageLabs has published its Intelligence Report summing up the threat trends for September 2010.

Report highlights:
• Spam – 91.9% in September (a decrease of 0.3 percentage points since August)
• Viruses – One in 218.7 emails in September contained malware (an increase of 0.15 percentage points since August)
• Phishing – One in 382.0 emails comprised a phishing attack (a decrease of 0.01 percentage points since August)
• Malicious websites – 2,997 websites blocked per day (a decrease of 10.8% since August)
• 33.6% of all malicious domains blocked were new in September (a decrease of 0.7 percentage points since August)
• 21.8% of all web-based malware blocked was new in September (an increase of 8.9 percentage points since August)
• Understanding and Managing a Mobile Workforce – Malicious Threats and Policy Controls
• Blog Update: “Here you have” mass-mailing worm

The report can be viewed here.