Wednesday, November 28, 2012

Security Fixes To Chrome

Google have released version 23.0.1271.91 of their Chrome web browser. The new version contains fixes for seven vulnerabilities:
- three high (CVE-2012-5131, CVE-2012-5133, CVE-2012-5134)
- three medium (CVE-2012-5130, CVE-2012-5135, CVE-2012-5136)
- one low (CVE-2012-5132)

More information is available on the Google Chrome Releases blog.

Thursday, November 22, 2012

Opera 12.11 Released

Opera Software has released an update for their Opera web browser. Version 12.11 contains fixes for two security vulnerabilities.

high:
* Fixed an issue where HTTP response heap buffer overflow could allow execution of arbitrary code; advisory

low:
* Fixed an issue where error pages could be used to guess local file paths; advisory


Opera users are strongly recommended to update to the latest version. The new version can be downloaded here.

Wednesday, November 21, 2012

Updates For Mozilla Products

Mozilla have released updates to the Firefox and SeaMonkey browsers and the Thunderbird email client to address a number of vulnerabilities, of which six are categorized as critical, eight as high and one as moderate.

Affected products are:
- Mozilla Firefox earlier than 17.0
- Mozilla Firefox ESR earlier than 10.0.11
- Mozilla Thunderbird earlier than 17.0
- Mozilla Thunderbird ESR earlier than 10.0.11
- Mozilla SeaMonkey earlier than 2.14

Links to the security advisories with details about addressed security issues:
MFSA 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer
MFSA 2012-105 Use-after-free and buffer overflow issues found using Address Sanitizer
MFSA 2012-104 CSS and HTML injection through Style Inspector
MFSA 2012-103 Frames can shadow top.location
MFSA 2012-102 Script entered into Developer Toolbar runs with chrome privileges
MFSA 2012-101 Improper character decoding in HZ-GB-2312 charset
MFSA 2012-100 Improper security filtering for cross-origin wrappers
MFSA 2012-99 XrayWrappers exposes chrome-only properties when not in chrome compartment
MFSA 2012-98 Firefox installer DLL hijacking
MFSA 2012-97 XMLHttpRequest inherits incorrect principal within sandbox
MFSA 2012-96 Memory corruption in str_unescape
MFSA 2012-95 Javascript: URLs run in privileged context on New Tab page
MFSA 2012-94 Crash when combining SVG text on path with CSS
MFSA 2012-93 evalInSanbox location context incorrectly applied
MFSA 2012-92 Buffer overflow while rendering GIF images
MFSA 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11)


Fresh versions can be obtained via the built-in updater or by downloading from the product sites:
Firefox
Thunderbird
SeaMonkey

Tuesday, November 20, 2012

Symantec Intelligence Report: October 2012

Symantec has published their Intelligence report that sums up the latest threat trends for October 2012.

Report highlights:
- Spam – 64.8 percent (a decrease of 10.2 percentage points since September)
- Phishing – One in 286.9 emails identified as phishing (a decrease of 0.059 percentage points since September)
- Malware – One in 229.4 emails contained malware (a decrease of 0.04 percentage points since September)
- Malicious websites – 933 websites blocked per day (an increase of 19.7 percent since September)
- Scammers attempt to leverage Instagram
- Why global spam rates are down this month
- The evolution of Ransomware
- Other stories in the threat landscape this month



The report can be viewed here.

ESET Global Threat Report for October 2012

ESET has released a report discussing global threats of October 2012.

TOP 10 threats list (previous ranking listed too):

1. INF/Autorun (1.)
2. HTML/Iframe.B (3.)
3. Win32/Conficker (4.)
4. HTML/ScrInject.B (2.)
5. Win32/Sirefef (5.)
6. Win32/Dorkbot (7.)
7. Win32/Qhost (8.)
8. JS/TrojanDownloader.Iframe.NKE (9.)
9. Win32/Sality (10.)
10. Win32/Ramnit (28.)


The complete report (with a description of each of the threats listed above) can be downloaded here (in PDF format).

Wednesday, November 14, 2012

Microsoft Security Updates For November 2012

Microsoft have released security updates for November 2012. This month's update contains six security bulletins, of which four are critical, one important and one moderate.

A new version of the Windows Malicious Software Removal Tool (MSRT) was released too.

More information is available in the bulletin summary.

Thursday, November 8, 2012

QuickTime 7.7.3 Released

Apple have released a new version of QuickTime. Version 7.7.3 contains fixes for a number of vulnerabilities that could be exploited to run arbitrary code on the target system.

QuickTime users with a version older than 7.7.3 should update to the latest version available.

More information about the security content of QuickTime 7.7.3 can be read here.

Chrome Update Available

Google have released version 23.0.1271.64 of their Chrome web browser. The new version contains fixes for 14 vulnerabilities:
- six high (CVE-2012-5115 (Mac OS), CVE-2012-5116, CVE-2012-5118 (Mac OS), CVE-2012-5121, CVE-2012-5124, CVE-2012-5128)
- seven medium (CVE-2012-5127, CVE-2012-5120 (Linux 64-bit), CVE-2012-5119, CVE-2012-5122, CVE-2012-5123, CVE-2012-5125, CVE-2012-5126)
- one low (CVE-2012-5117)

More information is available on the Google Chrome Releases blog.

Tuesday, November 6, 2012

New Opera Version Available

Opera Software has released an update for their Opera web browser. Along with some new features, version 12.10 contains fixes for six security vulnerabilities.

critical:
* Fixed an issue where specially crafted SVG images could allow execution of arbitrary code; advisory

high:
* Fixed an issue where CORS requests could incorrectly retrieve contents of cross origin pages; advisory
* Fixed an issue where data URIs could be used to facilitate Cross-Site Scripting; advisory
* Fixed a high severity issue, as reported by Gareth Heyes; details will be disclosed at a later date

moderate:
* Fixed an issue that could cause Opera not to correctly check for certificate revocation; advisory
* Fixed a moderate severity issue, as reported by the Google Security Group; details will be disclosed at a later date

Opera users are strongly recommended to update to the latest version. The new version can be downloaded here.

Flash Player and AIR Update Available

Adobe have released updated versions of their Flash Player and AIR. The new versions fix critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:
- Users of Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.5.502.110
- Users of Adobe Flash Player 11.2.202.243 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.251
- Users of Adobe Flash Player 11.1.115.20 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.27 (applicable only for Flash Player installed before August 15, 2012)
- Users of Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x versions should update to Flash Player 11.1.111.24 (applicable only for Flash Player installed before August 15, 2012)
- Flash Player integrated with Google Chrome will be updated by Google via Chrome update
- Flash Player integrated with Internet Explorer 10 will be updated via Windows Update
- Users of Adobe AIR 3.4.0.2710 for Windows and Macintosh, SDK (including AIR for iOS) and Android should update to Adobe AIR 3.5.0.600.

More information is available in Adobe's security bulletin.