Saturday, December 28, 2013

RealPlayer Update

RealNetworks has released an updated version of RealPlayer. The new version contains a fix for a stack buffer overflow vulnerability (CVE-2013-6877).

Users of affected versions are advised to update their RealPlayer to the latest version available. More information can be found in the related security advisory.

Wednesday, December 18, 2013

Symantec Intelligence Report: November 2013

Symantec have published their Intelligence report that sums up the latest threat trends for November 2013.

Report highlights:
- Targeted attacks per day are up in November compared to the last month, and are almost double the number during the same month in 2012.
- Another large data breach was reported in November, where 42 million identities were exposed as a result. However, the breach took place in January of 2013.
- The email virus rate has increased in November, where one in 235 emails contains a malicious attachment.


The report (in PDF format) can be viewed here.

Saturday, December 14, 2013

Shockwave Player Update Available

Adobe have released an updated version of their Shockwave Player. The new version fixes security vulnerabilities that may allow an attacker to run arbitrary code on the affected system. The update is categorized as critical, with a priority level of 1.

Users of Adobe Shockwave Player 12.0.6.147 and earlier should update to Adobe Shockwave Player 12.0.4.148.

More about the fixed vulnerabilities and other information can be found in Adobe's security bulletin.

Adobe Flash Player And Adobe AIR Updates Available


Adobe have released updated versions of their Flash Player and AIR. The new versions fix critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:

- Users of Adobe Flash Player 11.9.900.152 and earlier versions for Windows should update to Adobe Flash Player 11.9.900.170

- Users of Adobe Flash Player 11.9.900.152 and earlier versions for Macintosh should update to Adobe Flash Player 11.9.900.170

- Users of Adobe Flash Player 11.2.202.327 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.332

- Flash Player integrated with Google Chrome will be updated by Google via Chrome update

- Flash Player integrated with Internet Explorer 10 and 11 (on Windows 8.0 and Windows 8.1) will be updated via Windows Update

- Users of Adobe AIR 3.9.0.1210 and earlier versions for Windows and Macintosh should update to Adobe AIR 3.9.0.1380

- Users of the Adobe AIR 3.9.0.1210 SDK should update to the Adobe AIR 3.9.0.1380 SDK

- Users of the Adobe AIR 3.9.0.1210 SDK & Compiler and earlier versions should update to the Adobe AIR 3.9.0.1380 SDK & Compiler

- Users of Adobe AIR 3.9.0.1210 and earlier versions for Android should update to Adobe AIR 3.9.0.1380 by browsing to Google Play on an Android device


More information can be read from Adobe's security bulletin.

Friday, December 13, 2013

ESET Global Threat Report for November 2013

ESET have published a report discussing global threats of November 2013.

TOP 10 threats list (previous ranking listed too):

1. WIN32/Bundpil (1.)
2. LNK/Agent.AK (-)
3. Win32/Sality (3.)
4. INF/Autorun (2.)
5. HTML/ScrInject (5.)
6. Win32/Dorkbot (6.)
7. Win32/Conficker (7.)
8. HTML/Iframe (4.)
9. Win32/Ramnit (8.)
10. Win32/TrojanDownloader.Small.AAB (9.)



The complete report (with a description of each of the threats listed above) can be downloaded here (in PDF format).

Mozilla Product Updates Released

Mozilla have released updates to the Firefox and SeaMonkey browsers and the Thunderbird email client to address a number of vulnerabilities, of which five are categorized as critical, three as high, three as moderate and three as low.

Affected products are:
- Mozilla Firefox earlier than 26
- Mozilla Firefox ESR 24.x earlier than 24.1
- Mozilla Thunderbird earlier than 24.2
- Mozilla Thunderbird ESR 17.x earlier than 17.0.11
- Mozilla SeaMonkey earlier than 2.23

Links to the security advisories with details about addressed security issues:
MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate
MFSA 2013-116 JPEG information leak
MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
MFSA 2013-114 Use-after-free in synthetic mouse movement
MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation
MFSA 2013-112 Linux clipboard information disclosure though selection paste
MFSA 2013-111 Segmentation violation when replacing ordered list elements
MFSA 2013-110 Potential overflow in JavaScript binary search algorithms
MFSA 2013-109 Use-after-free during Table Editing
MFSA 2013-108 Use-after-free in event listeners
MFSA 2013-107 Sandbox restrictions not applied to nested object elements
MFSA 2013-106 Character encoding cross-origin XSS attack
MFSA 2013-105 Application Installation doorhanger persists on navigation
MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)


Fresh versions can be obtained via the built-in updater or by downloading from the product sites:
Firefox
Thunderbird
SeaMonkey

Wednesday, December 11, 2013

Microsoft Security Updates For December 2013

Microsoft have released security updates for December 2013. This month's update contains 11 security bulletins, of which five are critical and six are important.

A new version of Windows Malicious Software Removal Tool (MSRT) was released too.

More information can be read from the bulletin summary.

VMware Updates Available

VMware has released a security update to patch a vulnerability in their virtualization applications. The vulnerability is in the LGTOSYNC.SYS driver and, when exploited, could result in privilege escalation on 32-bit Guest Operating Systems running Windows 2000 Server, Windows XP or Windows 2003 Server on ESXi and ESX; or Windows XP on Workstation and Fusion.

Affected versions:
- Workstation earlier than 9.0.3
- Player 5.x Windows earlier than 5.0.3
- Fusion 5.x Mac OS/X versions earlier than 5.0.4
- ESXi 5.1 ESXi
- ESXi 5.0 ESXi
- ESXi 4.1 ESXi
- ESXi 4.0 ESXi
- ESX 4.1 ESX
- ESX 4.0 ESX


Further information, including update instructions, can be found in VMware's security advisory.

Thursday, December 5, 2013

Google Chrome Updated

Google have released version 31.0.1650.63 of their Chrome web browser. The new version contains fixes for 15 vulnerabilities.

More information is available in the Google Chrome Releases blog.

Wednesday, November 27, 2013

Symantec Intelligence Report: October 2013

Symantec have published their Intelligence report that sums up the latest threat trends for October 2013.

Report highlights:
- This month saw one of the largest data breaches in a number of years, where as many as 150 million identities were exposed due to one breach.
- October saw a fivefold increase in targeted attacks compared to last month, even surpassing this time of year in 2011 and 2012, though still much lower than the summer peak.
- The total number of mobile vulnerabilities disclosed dropped significantly. In September a major update to a popular mobile operating system addressed a number of vulnerabilities, raising the count for that month.

The report (in PDF format) can be viewed here.

Mozilla Product Security Updates Released

Mozilla have released updates to the Firefox and SeaMonkey browsers and the Thunderbird email client to address a few vulnerabilities related to the NSS (Network Security Services) library. The update is categorized as critical.

Affected products are:
- Mozilla Firefox earlier than 25.0.1
- Mozilla Firefox ESR 24.x earlier than 24.1.1
- Mozilla Firefox ESR 17.x earlier than 17.0.11
- Mozilla Thunderbird earlier than 24.1.1
- Mozilla Thunderbird ESR 17.x earlier than 17.0.11
- Mozilla SeaMonkey earlier than 2.22.1

Link to the security advisory with details about addressed security issues:
MFSA 2013-103 Miscellaneous Network Security Services (NSS) vulnerabilities


Fresh versions can be obtained via the built-in updater or by downloading from the product sites:
Firefox
Thunderbird
SeaMonkey

Monday, November 18, 2013

Google Chrome Update Available

Google have released version 31.0.1650.57 of their Chrome web browser. The new version contains a fix for a critical vulnerability (CVE-2013-6632).

More information is available in the Google Chrome Releases blog.

Friday, November 15, 2013

Adobe Flash Player And Adobe AIR Updates Available

Adobe have released an updated version of their Flash Player. The new version fixes critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:

- Users of Adobe Flash Player 11.9.900.117 and earlier versions for Windows should update to Adobe Flash Player 11.9.900.152

- Users of Adobe Flash Player 11.9.900.117 and earlier versions for Macintosh should update to Adobe Flash Player 11.9.900.152

- Users of Adobe Flash Player 11.2.202.310 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.327

- Flash Player integrated with Google Chrome will be updated by Google via Chrome update

- Flash Player integrated with Internet Explorer 10 and 11 (on Windows 8.0 and Windows 8.1) will be updated via Windows Update

- Users of Adobe AIR 3.9.0.1030 and earlier versions for Windows and Macintosh should update to Adobe AIR 3.9.0.1210

- Users of the Adobe AIR 3.9.0.1030 SDK should update to the Adobe AIR 3.9.0.1210 SDK

- Users of the Adobe AIR 3.9.0.1030 SDK & Compiler and earlier versions should update to the Adobe AIR 3.9.0.1210 SDK & Compiler

- Users of Adobe AIR 3.9.0.1060 and earlier versions for Android should update to Adobe AIR 3.9.0.1210 by browsing to Google Play on an Android device


More information can be read from Adobe's security bulletin.

Adobe ColdFusion Hotfix Update Available

Adobe have released an updated version of the ColdFusion web application development platform. This hotfix addresses a reflected cross-site scripting vulnerability (CVE-2013-5326) that could be exploited by a remote, authenticated user on ColdFusion 10 and earlier when the CFIDE directory is exposed. This hotfix also addresses a vulnerability (CVE-2013-5328) in ColdFusion 10 that could permit unauthorized remote read access.

Affected versions:
- ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and Linux


More information can be read from Adobe's security bulletin.

Google Chrome Updated

Google have released version 31.0.1650.48 of their Chrome web browser. The new version contains fixes for 25 vulnerabilities. Flash Player is also updated.

More information is available in the Google Chrome Releases blog.

Wednesday, November 13, 2013

Microsoft Security Updates For November 2013

Microsoft have released security updates for November 2013. This month's update contains eight security bulletins, of which three are critical and five are important.

A new version of Windows Malicious Software Removal Tool (MSRT) was released too.

More information can be read from the bulletin summary.

Monday, November 11, 2013

Vulnerability in Microsoft Graphics Component

Microsoft is investigating private reports of a vulnerability in the Microsoft Graphics component. By successfully exploiting the vulnerability, an attacker may be able to execute arbitrary code on the affected system.

Affected are:
- Windows Vista and Windows Server 2008 versions
- Microsoft Office versions older than Microsoft Office 2013
- Microsoft Lync versions

At the moment, no patch for the vulnerability is available. For a workaround and more information, please see the related security advisory.

Wednesday, November 6, 2013

ESET Global Threat Report for October 2013

ESET have published a report discussing global threats of October 2013.

TOP 10 threats list (previous ranking listed too):

1. WIN32/Bundpil (1.)
2. INF/Autorun (2.)
3. Win32/Sality (3.)
4. HTML/Iframe (4.)
5. HTML/ScrInject (5.)
6. Win32/Dorkbot (6.)
7. Win32/Conficker (7.)
8. Win32/Ramnit (8.)
9. Win32/TrojanDownloader.Small.AAB (-)
10. Win32/Qhost (9.)



The complete report (with a description of each of the threats listed above) can be downloaded here (in PDF format).

Sunday, November 3, 2013

Microsoft Security Intelligence Report Volume 15 Released

Microsoft have released volume 15 of their Security Intelligence Report (SIR). The SIR is an investigation of the current threat landscape. The report can be downloaded here.

Wednesday, October 30, 2013

Mozilla Product Updates Released

Mozilla have released updates to the Firefox and SeaMonkey browsers and the Thunderbird email client to address a number of vulnerabilities, of which seven are categorized as critical, four as high and six as moderate.

Affected products are:
- Mozilla Firefox earlier than 25.0
- Mozilla Firefox ESR 24.x earlier than 24.1
- Mozilla Firefox ESR 17.x earlier than 17.0.10
- Mozilla Thunderbird earlier than 24.1
- Mozilla Thunderbird ESR 17.x earlier than 17.0.10
- Mozilla SeaMonkey earlier than 2.22

Links to the security advisories with details about addressed security issues:
MFSA 2013-102 Use-after-free in HTML document templates
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-99 Security bypass of PDF.js checks using iframes
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-97 Writing to cycle collected object during image decoding
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-94 Spoofing addressbar though SELECT element
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)


Fresh versions can be obtained via the built-in updater or by downloading from the product sites:
Firefox
Thunderbird
SeaMonkey

Monday, October 28, 2013

iTunes 11.1.2 Released

Apple have released version 11.1.2 of their iTunes media player. The new version fixes a number of security vulnerabilities.

More information about the security content of iTunes 11.1.2 can be found in the related security advisory.

Users of older versions should update to the latest version available.

Wednesday, October 23, 2013

Symantec Intelligence Report: September 2013

Symantec have published their Intelligence report that sums up the latest threat trends for September 2013.

Report highlights:
- While no largely new target attack techniques have appeared so far in 2013, attackers continue to hone current techniques for maximum impact
- In particular, an attack group called Hidden Lynx is responsible for some of the more brazen attacks this year (as discussed in a Q&A session with one of Symantec Analysts)
- The average number of targeted attacks per day is down when compared to the same period in 2012, but up 13 percent overall when looking back at attack trends since 2011

The report (in PDF format) can be viewed here.

Thursday, October 17, 2013

Google Chrome Updated

Google have released version 30.0.1599.101 of their Chrome web browser. The new version contains fixes for 5 vulnerabilities, of which 3 are categorized as high.

More information is available in the Google Chrome Releases blog.

Oracle Critical Patch Update For Q4 of 2013

Oracle have released updates for their products that fix 127 security issues (including 51 Java fixes) in total. The updates are a part of Oracle's quarterly released critical patch update (CPU).

A detailed list of vulnerabilities with patching instructions can be found in the Oracle CPU Advisory.

The next Oracle CPU is planned for release in January 2014.

Wednesday, October 16, 2013

Look Out For Nasty CryptoLocker

SophosLabs warns in their blog about a really nasty piece of malware named CryptoLocker. CryptoLocker encrypts files of specified file types on the infected system and then asks the user to pay a ransom in order to get the files decrypted. Details about the infection and how to protect against it can be found in the SophosLabs blog post.

Bleeping Computer has an information guide and FAQ about CryptoLocker too. It can be viewed here.

Thursday, October 10, 2013

Adobe Reader And Acrobat Security Updates

Adobe have released security updates to fix a vulnerability in their PDF products, Adobe Reader and Adobe Acrobat.

Affected versions:
*of series XI (11.x)
Adobe Reader 11.0.04
Adobe Acrobat 11.0.04


Users of vulnerable versions are instructed to update either by using the automatic update functionality or by downloading a fresh version manually. The default installation configuration runs automatic updates on a regular schedule, and an update can also be activated manually by choosing Help > Check for Updates.

Those who want to upgrade manually can download the latest versions from the links below:
Adobe Reader
Acrobat Standard, Pro and Extended


More information about fixed vulnerabilities can be read from Adobe's security bulletin.

Wednesday, October 9, 2013

Microsoft Security Updates For October 2013

Microsoft have released security updates for October 2013. This month's update contains eight security bulletins, of which four are critical and four are important.

A new version of Windows Malicious Software Removal Tool (MSRT) was released too.

More information can be read from the bulletin summary.

Monday, October 7, 2013

ESET Global Threat Report for September 2013

ESET have published a report discussing global threats of September 2013.

TOP 10 threats list (previous ranking listed too):

1. WIN32/Bundpil (2.)
2. INF/Autorun (5.)
3. Win32/Sality (4.)
4. HTML/Iframe (1.)
5. HTML/ScrInject (3.)
6. Win32/Dorkbot (7.)
7. Win32/Conficker (6.)
8. Win32/Ramnit (8.)
9. Win32/Qhost (9.)
10. Win32/Virut (10.)


The complete report (with a description of each of the threats listed above) can be downloaded here (in PDF format).

Thursday, October 3, 2013

Google Chrome Updated

Google have released version 30.0.1599.66 of their Chrome web browser. The new version contains fixes for 50 vulnerabilities, of which 10 are categorized as high.

More information is available in the Google Chrome Releases blog.

Monday, September 23, 2013

Mozilla Product Updates Released

Mozilla have released updates to the Firefox and SeaMonkey browsers and the Thunderbird email client to address a number of vulnerabilities, of which seven are categorized as critical, four as high and six as moderate.

Affected products are:
- Mozilla Firefox earlier than 24.0
- Mozilla Firefox ESR earlier than 17.0.9
- Mozilla Thunderbird earlier than 24.0
- Mozilla Thunderbird ESR earlier than 17.0.9
- Mozilla SeaMonkey earlier than 2.21

Links to the security advisories with details about addressed security issues:
MFSA 2013-92 GC hazard with default compartments and frame chain restoration
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-87 Shared object library loading from writable location
MFSA 2013-86 WebGL Information disclosure through OS X NVIDIA graphic drivers
MFSA 2013-85 Uninitialized data in IonMonkey
MFSA 2013-84 Same-origin bypass through symbolic links
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-81 Use-after-free with select element
MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-78 Integer overflow in ANGLE library
MFSA 2013-77 Improper state in HTML5 Tree Builder with templates
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)


Fresh versions can be obtained via the built-in updater or by downloading from the product sites:
Firefox
Thunderbird
SeaMonkey

Saturday, September 21, 2013

Symantec Intelligence Report: August 2013

Symantec have published their Intelligence report that sums up the latest threat trends for August 2013.

Report highlights:
- So far this year, 82 percent of all social media attacks have been fake offerings. This is up from 56 percent in 2012
- There were 213 new mobile malware variants discovered this month, a modest increase since July, but nowhere near the 504 variants seen in June
- The .pl top-level domain from Poland comprised almost 48% of spam-related domains in August, topping the list two months in a row

The report (in PDF format) can be viewed here.

Friday, September 20, 2013

Vulnerability In Internet Explorer

A vulnerability (CVE-2013-3893) has been found in Microsoft Internet Explorer that may allow an attacker to execute arbitrary code on a vulnerable system. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer versions 8 and 9. However, the issue affects all Internet Explorer versions from 6 to 11.

At the moment, no patch has been released for the vulnerability. Information about workarounds can be read here.

Thursday, September 19, 2013

WordPress 3.6.1 Released

A new version of WordPress has been released. It contains fixes for security vulnerabilities and also some security hardening. More information can be found on the WordPress blog.

Friday, September 13, 2013

Adobe Flash Player And Adobe AIR Updates Available

Adobe have released an updated version of their Flash Player. The new version fixes critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:

- Users of Adobe Flash Player 11.8.800.94 and earlier versions for Windows should update to Adobe Flash Player 11.8.800.168

- Users of Adobe Flash Player 11.8.800.94 and earlier versions for Macintosh should update to Adobe Flash Player 11.8.800.168

- Users of Adobe Flash Player 11.2.202.297 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.310

- Users of Adobe Flash Player 11.1.115.69 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.81 (applicable only for Flash Player installed before August 15, 2012)

- Users of Adobe Flash Player 11.1.111.64 and earlier versions for Android 3.x and 2.x versions should update to Flash Player 11.1.111.73 (applicable only for Flash Player installed before August 15, 2012)

- Flash Player integrated with Google Chrome will be updated by Google via Chrome update

- Flash Player integrated with Internet Explorer 10 will be updated via Windows Update

- Users of Adobe AIR 3.8.0.870 and earlier versions for Windows and Android should update to Adobe AIR 3.8.0.1430

- Users of Adobe AIR 3.8.0.910 and earlier versions for Macintosh should update to Adobe AIR 3.8.0.1430

- Users of the Adobe AIR 3.8.0.870 SDK and earlier versions for Windows should update to the Adobe AIR 3.8.0.1430 SDK

- Users of the Adobe AIR 3.8.0.910 SDK and earlier versions for Macintosh should update to the Adobe AIR 3.8.0.1430 SDK


More information can be read from Adobe's security bulletin.

Adobe Reader And Acrobat Security Updates

Adobe have released security updates to fix a number of vulnerabilities in their PDF products, Adobe Reader and Adobe Acrobat.

Affected versions:
*of series XI (11.x)
Adobe Reader 11.0.03 and earlier
Adobe Acrobat 11.0.03 and earlier

*of series X (10.x)
Adobe Reader 10.1.7 and earlier
Adobe Acrobat 10.1.7 and earlier


Users of vulnerable versions are instructed to update either by using the automatic update functionality or by downloading a fresh version manually. The default installation configuration runs automatic updates on a regular schedule, and an update can also be activated manually by choosing Help > Check for Updates.

Those who want to upgrade manually can download the latest versions from the links below:
Adobe Reader
Acrobat Standard, Pro and Extended


More information about fixed vulnerabilities can be read from Adobe's security bulletin.

Shockwave Player Update Available

Adobe have released an updated version of their Shockwave Player. The new version fixes one security vulnerability that may allow an attacker to run arbitrary code on the affected system. The update is categorized as critical, with a priority level of 1.

Users of Adobe Shockwave Player 12.0.3.133 and earlier should update to Adobe Shockwave Player 12.0.4.144.

More about the fixed vulnerabilities and other information can be found in Adobe's security bulletin.

Thursday, September 12, 2013

Microsoft Security Updates For September 2013

Microsoft have released security updates for September 2013. This month's update contains 13 security bulletins, of which four are critical and nine are important.

A new version of Windows Malicious Software Removal Tool (MSRT) was released too.

More information can be read from the bulletin summary.

Saturday, September 7, 2013

Hesperbot Banking Trojan

A new banking trojan has been discovered that seems to target online banking users mainly in Turkey, the Czech Republic, Portugal and the United Kingdom. The trojan, named Hesperbot, uses very credible-looking phishing-like campaigns, related to trustworthy organizations, to lure victims into running the malware.

"Despite being a “new kid on the block”, it appears that Win32/Spy.Hesperbot is a very potent banking trojan which features common functionalities, such as keystroke logging, creation of screenshots and video capture, and setting up a remote proxy, but also includes some more advanced tricks, such as creating a hidden VNC server on the infected system. And of course the banking trojan feature list wouldn’t be complete without network traffic interception and HTML injection capabilities. Win32/Spy.Hesperbot does all this in quite a sophisticated manner."

More about Hesperbot can be read in Robert Lipovsky's blog post.

Friday, September 6, 2013

ESET Global Threat Report for August 2013

ESET have published a report discussing global threats of August 2013.

TOP 10 threats list (previous ranking listed too):

1. HTML/Iframe (5.)
2. WIN32/Bundpil (1.)
3. HTML/ScrInject (2.)
4. Win32/Sality (4.)
5. INF/Autorun (3.)
6. Win32/Conficker (7.)
7. Win32/Dorkbot (7.)
8. Win32/Ramnit (9.)
9. Win32/Qhost (10.)
10. Win32/Virut (-)


The complete report (with a description of each of the threats listed above) can be downloaded here (in PDF format).

Saturday, August 31, 2013

Java 6 Vulnerability Exploited

Security researchers have spotted an in-the-wild exploit that targets vulnerability CVE-2013-2463 in Java 6. Since Java 6 has been retired (further updates are available for paying customers only), the only option is to upgrade to the latest Java 7 version (currently update 25).

Source: InformationWeek article

If Java is not needed, an even better option is to uninstall it completely or at least turn it off in web browsers (instructions).

Opera 16 Released

Opera have released version 16 of their Opera web browser. In addition to bug fixes, the new version contains some new features.

The latest version can be downloaded here.

Thursday, August 29, 2013

RealPlayer Update

RealNetworks has released an updated version of RealPlayer. The new version contains fixes for two vulnerabilities.

Users of affected versions are advised to update their RealPlayer to the latest version available. More information can be found in the related security advisory.

Saturday, August 24, 2013

Symantec Intelligence Report: July 2013

Symantec have published their Intelligence report that sums up the latest threat trends for July 2013.

Report highlights:
- So far in 2013, 43 percent of mobile malware tracks users, up from 15 percent in 2012. Adware/Annoyance risks have also increased, from 8 percent in 2012 to 23 percent this year.
- Of the data breaches reported so far in 2013, 62 percent contain a person’s real name. Birth dates and government ID numbers (e.g. Social Security) numbers appear in 39 percent of breaches.
- The global spam rate rose 3.4 percentage points in July to 67.6 percent, up from 64.2 percent in June.


The report (in PDF format) can be viewed here.

Thursday, August 22, 2013

New Version of Chrome Released

Google have released version 29.0.1547.57 of their Chrome web browser. The new version contains fixes for 25 security vulnerabilities.

More information is available in the Google Chrome Releases blog.

Wednesday, August 14, 2013

Microsoft Security Updates For August 2013

Microsoft have released security updates for August 2013. This month's update contains eight security bulletins, of which three are critical and five are important.

A new version of Windows Malicious Software Removal Tool (MSRT) was released too.

More information can be read from the bulletin summary.

Wednesday, August 7, 2013

ESET Global Threat Report for July 2013

ESET have published a report discussing global threats of July 2013.

TOP 10 threats list (previous ranking listed too):

1. WIN32/Bundpil (1.)
2. HTML/ScrInject (2.)
3. INF/Autorun (3.)
4. Win32/Sality (5.)
5. HTML/Iframe (6.)
6. Win32/Dorkbot (7.)
7. Win32/Conficker (8.)
8. JS/Chromex.FBook (-)
9. Win32/Ramnit (9.)
10. Win32/Qhost (10.)


The complete report (with a description of each of the threats listed above) can be downloaded here (in PDF format).

Mozilla Product Updates Released

Mozilla have released updates to the Firefox and SeaMonkey browsers and the Thunderbird email client to address a number of vulnerabilities, of which four are categorized as critical, seven as high, one as moderate and one as low.

Affected products are:
- Mozilla Firefox earlier than 23.0
- Mozilla Firefox ESR earlier than 17.0.8
- Mozilla Thunderbird earlier than 17.0.8
- Mozilla Thunderbird ESR earlier than 17.0.8
- Mozilla SeaMonkey earlier than 2.20

Links to the security advisories with details about addressed security issues:
MFSA 2013-75 Local Java applets may read contents of local file system
MFSA 2013-74 Firefox full and stub installer DLL hijacking
MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest
MFSA 2013-72 Wrong principal used for validating URI for some Javascript components
MFSA 2013-71 Further Privilege escalation through Mozilla Updater
MFSA 2013-70 Bypass of XrayWrappers using XBL Scopes
MFSA 2013-69 CRMF requests allow for code execution and XSS attacks
MFSA 2013-68 Document URI misrepresentation and masquerading
MFSA 2013-67 Crash during WAV audio file decoding
MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
MFSA 2013-65 Buffer underflow when generating CRMF requests
MFSA 2013-64 Use after free mutating DOM during SetBody
MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)


Fresh versions can be obtained via the built-in updater or by downloading from the product sites:
Firefox
Thunderbird
SeaMonkey

Friday, August 2, 2013

Vulnerabilities Fixed In phpMyAdmin

phpMyAdmin is a free software tool that can be used to administer MySQL databases. Several vulnerabilities have been found and fixed in it.

Affected versions:
- phpMyAdmin 3.5.8.1 and earlier versions
- phpMyAdmin 4.0.4.1 and earlier versions

Fixed versions of phpMyAdmin can be downloaded here.

Google Chrome Updated

Google have released version 28.0.1500.95 of their Chrome web browser. The new version contains fixes for 11 vulnerabilities.

More information is available in the Google Chrome Releases blog.

Tuesday, July 30, 2013

New Versions Of Wireshark Released

Some vulnerabilities have been found and fixed in Wireshark, a free open source program for analyzing network protocols. Exploiting the vulnerabilities can prevent protocol analyzers in Wireshark from working.

Vulnerable versions:
- Wireshark 1.8 series from version 1.8.0 to 1.8.8
- Wireshark 1.10.0

A non-vulnerable version of Wireshark can be downloaded here.

More information about the contents of the new versions can be found in the release notes:
1.8.9
1.10.1

An ISC Diary entry about the update can be viewed here.





Sunday, July 28, 2013

Symantec Intelligence Report: June 2013

Symantec have published their Intelligence report that sums up the latest threat trends for June 2013.

Report highlights:
- The total number of vulnerabilities in 2013 is up 16 percent, as compared to the same time period in 2012.
- The number of zero day vulnerabilities found in the first half of 2013 is 12, compared to 14 in all of 2012.
- Automated phishing toolkits account for close to 47 percent of all phishing attacks to date in 2013.


The report (in PDF format) can be viewed here.

Saturday, July 27, 2013

IBM Security Updates July 2013

IBM have released their software update (Synchronized Security Release, SSR) for July. The updates fix eight vulnerabilities in IBM Java Runtime Environment (JRE).

Affected versions:
- IBM Java JRE 1.4.2 prior to version 1.4.2 SR13-FP18
- IBM Java JRE 5.0 prior to version 5.0.0 SR16-FP3
- IBM Java JRE 6 prior to versions 6.0.0 SR14 and 6.0.1 SR6
- IBM Java JRE 7 prior to version 7.0.0 SR5

More information in the related alert.

Wednesday, July 17, 2013

Oracle Critical Patch Update For Q3 of 2013

Oracle have released updates for their products that fix 89 security issues in total. The updates are a part of Oracle's quarterly released critical patch update (CPU).

A detailed list of vulnerabilities with patching instructions can be read in the Oracle CPU Advisory.

The next Oracle CPU is planned to be released in October 2013.

Thursday, July 11, 2013

Google Chrome Updated

Google have released version 28.0.1500.71 of their Chrome web browser. The new version contains fixes for 15 vulnerabilities:

- one critical (CVE-2013-2870)

- four high (CVE-2013-2879, CVE-2013-2871, CVE-2013-2873, CVE-2013-2880)

- seven medium (CVE-2013-2868, CVE-2013-2869, CVE-2013-2853, CVE-2013-2874 Windows + NVIDIA only, CVE-2013-2875, CVE-2013-2876, CVE-2013-2878)

- three low (CVE-2013-2867, CVE-2013-2872 Mac only, CVE-2013-2877)

More information in Google Chrome Releases blog.

Wednesday, July 10, 2013

Adobe ColdFusion Update Available

Adobe have released an updated version of the ColdFusion web application development platform. The new version fixes two vulnerabilities: a vulnerability (CVE-2013-3350) that could allow an attacker to invoke public methods on ColdFusion Components (CFC) using WebSockets, and a vulnerability (CVE-2013-3349) that could be exploited to cause a denial of service condition on a system running ColdFusion 9.0, 9.0.1 and 9.0.2 on JRun.

Affected versions:
- ColdFusion 10 for Windows, Macintosh and Linux (CVE-2013-3349 not affected).
- ColdFusion 9.0.2, 9.0.1 and 9.0 on JRun

More information can be read from Adobe's security bulletin.

Shockwave Player Update Available

Adobe have released an updated version of their Shockwave Player. The new version fixes one security vulnerability that may allow an attacker to run arbitrary code on the affected system. The update is categorized as critical with priority level as 1.

Users of Adobe Shockwave Player 12.0.2.122 and earlier should update to Adobe Shockwave Player 12.0.3.133.

More about fixed vulnerabilities and other information can be read from Adobe's security bulletin.

Adobe Flash Player Updates Available

Adobe have released an updated version of their Flash Player. The new version fixes critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:

- Users of Adobe Flash Player 11.7.700.224 and earlier versions for Windows should update to Adobe Flash Player 11.8.800.94

- Users of Adobe Flash Player 11.7.700.225 and earlier versions for Macintosh should update to Adobe Flash Player 11.8.800.94

- Users of Adobe Flash Player 11.2.202.291 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.297

- Users of Adobe Flash Player 11.1.115.63 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.69 (applicable only for Flash Player installed before August 15, 2012)

- Users of Adobe Flash Player 11.1.111.59 and earlier versions for Android 3.x and 2.x versions should update to Flash Player 11.1.111.64 (applicable only for Flash Player installed before August 15, 2012)

- Flash Player integrated with Google Chrome will be updated by Google via Chrome update

- Flash Player integrated with Internet Explorer 10 will be updated via Windows Update


More information can be read from Adobe's security bulletin.

Microsoft Security Updates For July 2013


Microsoft have released security updates for July 2013. This month's update contains seven security bulletins, of which six are critical and one is important.

A new version of Windows Malicious Software Removal Tool (MSRT) was released too.

More information can be read from the bulletin summary.

Friday, July 5, 2013

ESET Global Threat Report for June 2013

ESET have published a report discussing global threats of June 2013.

TOP 10 threats list (previous ranking listed too):

1. WIN32/Bundpil (1.)
2. HTML/ScrInject (3.)
3. INF/Autorun (2.)
4. JS/Kryptik.ALB (-)
5. Win32/Sality (4.)
6. HTML/Iframe (5.)
7. Win32/Dorkbot (6.)
8. Win32/Conficker (7.)
9. Win32/Ramnit (8.)
10. Win32/Qhost (9.)


The complete report (with a description of each of the above listed threats) can be downloaded here (in PDF format).

Sunday, June 30, 2013

Vulnerabilities In Drupal Fixed

Two vulnerabilities have been fixed in the open-source content management framework Drupal. The vulnerabilities are related to Drupal Login Security Module 1.x.

Affected versions are 6.x-1.x versions prior to 6.x-1.2 and 7.x-1.x versions prior to 7.x-1.2.

Solution:
Users of the Login Security module for Drupal 6.x should upgrade to Login Security 6.x-1.3
Users of the Login Security module for Drupal 7.x should upgrade to Login Security 7.x-1.3


More information in Drupal security advisory and Secunia advisory.

Role Of Redirects In Spam

Spam is not a new problem for email users. Security company Kaspersky have written an analysis of redirects in spam.

Spammers frequently use redirects in their emails: after clicking on a link in a spam message, the recipient is often taken through a series of websites before reaching the destination resource.

There are many reasons for using redirects. In most cases, they help spammers to hide the data that enables spam filters to classify a message as unwanted – e.g., the website or contact phone number of the spammers’ customer. As a result, the recipient (as well as the spam filter) sees no links to the website being advertised in the message, no telephone numbers or email addresses that can be used to contact those who ordered the spam mailing. The message only contains a link to an intermediary resource. In addition, if the spammer is a member of an affiliate program, he will need to know how many users followed the link, because his income directly depends on that. As a result the chain of websites through which a user is sent may include redirector sites which function as counters.

The analysis can be read here.

Thursday, June 27, 2013

Mozilla Product Updates Released

Mozilla have released updates to the Firefox web browser and Thunderbird email client to address a bunch of vulnerabilities, of which four are categorized as critical, six as high, three as moderate and one as low.

Affected products are:
- Mozilla Firefox earlier than 22.0
- Mozilla Firefox ESR earlier than 17.0.7
- Mozilla Thunderbird earlier than 17.0.7
- Mozilla Thunderbird ESR earlier than 17.0.7

Links to the security advisories with details about addressed security issues:
MFSA 2013-62 Inaccessible updater can lead to local privilege escalation
MFSA 2013-61 Homograph domain spoofing in .com, .net and .name
MFSA 2013-60 getUserMedia permission dialog incorrectly displays location
MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
MFSA 2013-58 X-Frame-Options ignored when using server push with multi-part responses
MFSA 2013-57 Sandbox restrictions not applied to nested frame elements
MFSA 2013-56 PreserveWrapper has inconsistent behavior
MFSA 2013-55 SVG filters can lead to information disclosure
MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
MFSA 2013-53 Execution of unmapped memory through onreadystatechange event
MFSA 2013-52 Arbitrary code execution within Profiler
MFSA 2013-51 Privileged content access and execution via XBL
MFSA 2013-50 Memory corruption found using Address Sanitizer
MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)


Fresh versions can be obtained via inbuilt updater or by downloading from the product site:
Firefox
Thunderbird

Thursday, June 20, 2013

Google Chrome Updated

Google have released version 27.0.1453.116 of their Chrome web browser. The new version fixes a vulnerability categorized as medium (CVE-2013-2866) in the Chrome Flash plug-in.

More information in Google Chrome Releases blog.

Java Security Updates From Oracle

Oracle have released an update for Java JRE & JDK. The update fixes 40 vulnerabilities.

Affected versions are:
- Java 7 JRE and JDK update 21 and earlier
- Java 6 JRE and JDK update 45 and earlier
- Java 5.0 JRE and JDK update 45 and earlier
- JavaFX 2.2.21 and earlier

More information about the update can be read in the Java critical patch update document.

Java users are recommended to update their versions to the latest one available as soon as possible.

Thursday, June 13, 2013

Adobe Flash Player and Adobe AIR Updates Available

Adobe have released updated versions of their Flash Player and AIR. The new versions fix critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:
- Users of Adobe Flash Player 11.7.700.202 and earlier versions for Windows should update to Adobe Flash Player 11.7.700.224
- Users of Adobe Flash Player 11.7.700.203 and earlier versions for Macintosh should update to Adobe Flash Player 11.7.700.225
- Users of Adobe Flash Player 11.2.202.285 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.291
- Users of Adobe Flash Player 11.1.115.58 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.63 (applicable only for Flash Player installed before August 15, 2012)
- Users of Adobe Flash Player 11.1.111.54 and earlier versions for Android 3.x and 2.x versions should update to Flash Player 11.1.111.59 (applicable only for Flash Player installed before August 15, 2012)
- Flash Player integrated with Google Chrome will be updated by Google via Chrome update
- Flash Player integrated with Internet Explorer 10 will be updated via Windows Update
- Users of Adobe AIR 3.7.0.1860 and earlier versions for Windows should update to Adobe AIR 3.7.0.2090
- Users of Adobe AIR 3.7.0.1860 and earlier versions for Macintosh should update to Adobe AIR 3.7.0.2100
- Users of Adobe AIR 3.7.0.1860 and earlier versions for Android should update to Adobe AIR 3.7.0.2090
- Users of the Adobe AIR 3.7.0.1860 SDK for Windows should update to the Adobe AIR 3.7.0.2090 SDK
- Users of the Adobe AIR 3.7.0.1860 SDK for Macintosh should update to the Adobe AIR 3.7.0.2100 SDK

More information can be read from Adobe's security bulletin.

Wednesday, June 12, 2013

Microsoft Security Updates For June 2013

Microsoft have released security updates for June 2013. This month's update contains five security bulletins, of which one is critical and four are important.

A new version of Windows Malicious Software Removal Tool (MSRT) was released too.

More information can be read from the bulletin summary.

Tuesday, June 11, 2013

PHP Versions 5.3.26 and 5.4.16 Released

The PHP development team has released versions 5.3.26 and 5.4.16 of the PHP scripting language. The new versions contain about 15 bug fixes, including one fixing a heap-based buffer overflow in quoted_printable_encode (CVE-2013-2110). All PHP users are recommended to upgrade to the latest release of the corresponding branch.

More details about 5.3.26 and 5.4.16 releases can be read from the official release announcement.

Wednesday, June 5, 2013

Google Chrome Updated

Google have released version 27.0.1453.110 of their Chrome web browser. The new version contains fixes for 11 vulnerabilities:

- one critical (CVE-2013-2863)

- nine high (CVE-2013-2854 (Windows only), CVE-2013-2856, CVE-2013-2857, CVE-2013-2858, CVE-2013-2859, CVE-2013-2860, CVE-2013-2861, CVE-2013-2862, CVE-2013-2864)

- one medium (CVE-2013-2855)


More information in Google Chrome Releases blog.

Tuesday, June 4, 2013

Two-factor authentication FAQ

Two-factor authentication, or 2FA for short, is an attempt to make the log-in process more secure. A basic log-in process asks for a username and password. In 2FA there is an extra authentication level.

CNET has an article dealing with some common questions around two-factor authentication. The article can be read here.

Thursday, May 23, 2013

Google Chrome Updated

Google have released version 27.0.1453.93 of their Chrome web browser. The new version contains fixes for 14 vulnerabilities:

- 11 high (CVE-2013-2837, CVE-2013-2839, CVE-2013-2840, CVE-2013-2841, CVE-2013-2842, CVE-2013-2843, CVE-2013-2844, CVE-2013-2845, CVE-2013-2846, CVE-2013-2847 and CVE-2013-2836)

- two medium (CVE-2013-2838 and CVE-2013-2848)

- one low (CVE-2013-2849)


More information in Google Chrome Releases blog.


After that update Google released version 27.0.1453.94 for Windows that fixes a GPU-related crash.

Friday, May 17, 2013

iTunes 11.0.3 Released

Apple have released version 11.0.3 of their iTunes media player. Along with some new features, the updated version fixes some security vulnerabilities, including ones that could allow an attacker to execute arbitrary code on the target system.

More information about the security content of iTunes 11.0.3 can be read in the related security advisory.

Users of older versions should update to the latest one available.

Mozilla Product Updates Released

Mozilla have released updates to the Firefox web browser and Thunderbird email client to address a bunch of vulnerabilities, of which three are categorized as critical, four as high and one as moderate.

Affected products are:
- Mozilla Firefox earlier than 21.0
- Mozilla Firefox ESR earlier than 17.0.6
- Mozilla Thunderbird earlier than 17.0.6
- Mozilla Thunderbird ESR earlier than 17.0.6

Links to the security advisories with details about addressed security issues:
MFSA 2013-48 Memory corruption found using Address Sanitizer
MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent
MFSA 2013-46 Use-after-free with video and onresize event
MFSA 2013-45 Mozilla Updater fails to update some Windows Registry entries
MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service
MFSA 2013-43 File input control has access to full path
MFSA 2013-42 Privileged access for content level constructor
MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)


Fresh versions can be obtained via inbuilt updater or by downloading from the product site:
Firefox
Thunderbird

Thursday, May 16, 2013

Adobe Reader And Acrobat Security Updates

Adobe have released security updates to fix a bunch of vulnerabilities in their PDF products, Adobe Reader and Adobe Acrobat.

Affected versions:
*of series XI (11.x)
Adobe Reader 11.0.02 and earlier
Adobe Acrobat 11.0.02 and earlier

*of series X (10.x)
Adobe Reader 10.1.6 and earlier
Adobe Acrobat 10.1.6 and earlier

*of series 9.x
Adobe Reader 9.5.4 and earlier 9.x versions
Adobe Acrobat 9.5.4 and earlier 9.x versions


Users of vulnerable versions are instructed to update either by using the automatic update functionality or by downloading a fresh version manually. The default installation configuration runs automatic updates on a regular schedule, and an update can be manually activated by choosing Help > Check for Updates.

Those who want to upgrade manually can download the latest versions from the links below:
Adobe Reader
Acrobat Standard, Pro and Extended


More information about fixed vulnerabilities can be read from Adobe's security bulletin.

Wednesday, May 15, 2013

Adobe ColdFusion Update Available

Adobe have released an updated version of the ColdFusion web application development platform. The new version fixes two vulnerabilities: a vulnerability (CVE-2013-1389) that could allow remote arbitrary code execution on a system running ColdFusion, and a vulnerability (CVE-2013-3336) that could permit an unauthorized user to remotely retrieve files stored on the server.

Affected versions:
- ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX.

More information can be read from Adobe's security bulletin.

Adobe Flash Player and Adobe AIR Updates Available

Adobe have released updated versions of their Flash Player and AIR. The new versions fix critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:
- Users of Adobe Flash Player 11.7.700.169 and earlier versions for Windows should update to Adobe Flash Player 11.7.700.202
- Users of Adobe Flash Player 11.7.700.169 and earlier versions for Macintosh should update to Adobe Flash Player 11.7.700.202
- Users of Adobe Flash Player 11.2.202.280 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.285
- Users of Adobe Flash Player 11.1.115.54 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.58 (applicable only for Flash Player installed before August 15, 2012)
- Users of Adobe Flash Player 11.1.111.50 and earlier versions for Android 3.x and 2.x versions should update to Flash Player 11.1.111.54 (applicable only for Flash Player installed before August 15, 2012)
- Flash Player integrated with Google Chrome will be updated by Google via Chrome update
- Flash Player integrated with Internet Explorer 10 will be updated via Windows Update
- Users of Adobe AIR 3.7.0.1530 and earlier versions for Windows should update to Adobe AIR 3.7.0.1860
- Users of Adobe AIR 3.7.0.1530 and earlier versions for Macintosh should update to Adobe AIR 3.7.0.1860
- Users of Adobe AIR 3.7.0.1660 and earlier versions for Android should update to Adobe AIR 3.7.0.1860
- Users of the Adobe AIR 3.7.0.1530 SDK should update to the Adobe AIR 3.7.0.1860 SDK

More information can be read from Adobe's security bulletin.

Tuesday, May 14, 2013

Microsoft Security Updates For May 2013

Microsoft have released security updates for May 2013. This month's update contains ten security bulletins, of which two are critical and eight are important.

A new version of Windows Malicious Software Removal Tool (MSRT) was released too.

More information can be read from the bulletin summary.

Monday, May 13, 2013

Unpatched Vulnerability In ColdFusion

Adobe has identified a critical vulnerability in its ColdFusion web application development platform. The vulnerability (CVE-2013-3336) could be exploited to gain access to files stored on vulnerable computers.

Affected versions are ColdFusion 10, 9.0.2, 9.0.0, 9.0 and older versions for Windows, Mac, and Unix. An exploit for the flaw is reportedly available. Adobe plans to release a patch for the vulnerability on May 14. More information in the related security advisory.

Sunday, May 12, 2013

F-Secure Introduces Safe Profile App For Facebook

F-Secure have made available a Facebook app called Safe Profile. Its job is to inform the user about the most important safety and privacy issues. After a scan, Safe Profile gives a rating for the account's privacy, displays any potential issues and makes recommendations for more secure settings. Safe Profile won't store any personal data.

Safe Profile is currently at a beta stage. To try it, log into your Facebook account and search for "Safe Profile Beta".

Source: F-Secure press release

Monday, May 6, 2013

Vulnerability In Internet Explorer

A vulnerability has been found in Microsoft Internet Explorer that may allow an attacker to execute arbitrary code on a vulnerable system. Microsoft is aware of attacks that try to exploit this vulnerability. The affected Internet Explorer version is 8.

At the moment, no patch has been released against the vulnerability. Information about workarounds can be read here.

Friday, May 3, 2013

Adobe PDF Leakage Issue To Be Fixed May 14

Adobe stated in their blog that a fix will be released for a low severity issue affecting Adobe Reader and Acrobat products. The user's IP address and timestamp could be exposed when a specifically crafted PDF document is opened. The fix will be included in the next Adobe Reader and Acrobat versions scheduled to be released on May 14.

The problem was originally found and reported by McAfee researchers (blog post).

Saturday, April 27, 2013

Microsoft Security Intelligence Report Volume 14 Released

Microsoft have released volume 14 of their Security Intelligence Report (SIR). The Security Intelligence Report is an investigation of the current threat landscape. The report can be downloaded here.

Symantec Internet Security Threat Report vol 18

Symantec have published their Internet Security Threat Report that highlights some security related things from the year 2012 and also takes a look ahead at the upcoming challenges in security. The report (in pdf format) can be downloaded here.

Thursday, April 18, 2013

Oracle Critical Patch Update For Q2 of 2013

Oracle have released updates for their products that fix 128 security issues in total. The updates are a part of Oracle's quarterly released critical patch update (CPU).

A detailed list of vulnerabilities with patching instructions can be read in the Oracle CPU Advisory.

The next Oracle CPU is planned to be released in July 2013.

Java Security Updates From Oracle

Oracle have released an update for Java JRE & JDK. The update fixes 42 vulnerabilities.

Affected versions are:
- Java 7 JRE and JDK update 17 and earlier
- Java 6 JRE and JDK update 43 and earlier
- Java 5.0 JRE and JDK update 41 and earlier
- JavaFX 2.2.7 and earlier

More information about the update can be read in the Java critical patch update document.

Java users are recommended to update their versions to the latest one available as soon as possible.

Tuesday, April 16, 2013

New Version Of VLC Player Available

The VideoLAN project has released a new version of their VLC media player. Version 2.0.6 contains a fix for a buffer overflow vulnerability in the ASF demuxer. By exploiting the vulnerability, an attacker may be able to execute arbitrary code on the affected system.

VLC Player versions prior to 2.0.6 are affected. Users of those versions should update to the latest version.

Thursday, April 11, 2013

Shockwave Player Update Available

Adobe have released an updated version of their Shockwave Player. The new version fixes three security vulnerabilities. The update is categorized as critical with priority level as 1.

Users of Adobe Shockwave Player 12.0.0.112 and earlier should update to Adobe Shockwave Player 12.0.2.122.

More about fixed vulnerabilities and other information can be read from Adobe's security bulletin.

Adobe Flash Player and Adobe AIR Updates Available

Adobe have released updated versions of their Flash Player and AIR. The new versions fix critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:
- Users of Adobe Flash Player 11.6.602.180 and earlier versions for Windows should update to Adobe Flash Player 11.7.700.169
- Users of Adobe Flash Player 11.6.602.180 and earlier versions for Macintosh should update to Adobe Flash Player 11.7.700.169
- Users of Adobe Flash Player 11.2.202.275 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.280
- Users of Adobe Flash Player 11.1.115.48 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.54 (applicable only for Flash Player installed before August 15, 2012)
- Users of Adobe Flash Player 11.1.111.44 and earlier versions for Android 3.x and 2.x versions should update to Flash Player 11.1.111.50 (applicable only for Flash Player installed before August 15, 2012)
- Flash Player integrated with Google Chrome will be updated by Google via Chrome update
- Flash Player integrated with Internet Explorer 10 will be updated via Windows Update
- Users of Adobe AIR 3.6.0.6090 and earlier versions for Windows should update to Adobe AIR 3.7.0.1530
- Users of Adobe AIR 3.6.0.6090 and earlier versions for Macintosh should update to Adobe AIR 3.7.0.1530
- Users of Adobe AIR 3.6.0.6090 and earlier versions for Android should update to Adobe AIR 3.7.0.1530
- Users of the Adobe AIR 3.6.0.6090 SDK should update to the Adobe AIR 3.7.0.1530 SDK

More information can be read from Adobe's security bulletin.

Microsoft Security Updates For April 2013

Microsoft have released security updates for April 2013. This month's update contains nine security bulletins, of which two are critical and seven are important.

A new version of Windows Malicious Software Removal Tool (MSRT) was released too.

More information can be read from the bulletin summary.

Wednesday, April 3, 2013

Mozilla Product Updates Released

Mozilla have released updates to the Firefox and SeaMonkey browsers and the Thunderbird email client to address a bunch of vulnerabilities, of which three are categorized as critical, four as high and four as moderate.

Affected products are:
- Mozilla Firefox earlier than 20.0
- Mozilla Firefox ESR earlier than 17.0.5
- Mozilla Thunderbird earlier than 17.0.5
- Mozilla Thunderbird ESR earlier than 17.0.5
- Mozilla SeaMonkey earlier than 2.17

Links to the security advisories with details about addressed security issues:
MFSA 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage
MFSA 2013-39 Memory corruption while rendering grayscale PNG images
MFSA 2013-38 Cross-site scripting (XSS) using timed history navigations
MFSA 2013-37 Bypass of tab-modal dialog origin disclosure
MFSA 2013-36 Bypass of SOW protections allows cloning of protected nodes
MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux
MFSA 2013-34 Privilege escalation through Mozilla Updater
MFSA 2013-33 World read and write access to app_tmp directory on Android
MFSA 2013-32 Privilege escalation through Mozilla Maintenance Service
MFSA 2013-31 Out-of-bounds write in Cairo library
MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)


Fresh versions can be obtained via inbuilt updater or by downloading from the product site:
Firefox
Thunderbird
SeaMonkey

Wednesday, March 27, 2013

New Google Chrome Version Released

Google have released version 26.0.1410.43 of their Chrome web browser. The new version contains fixes for 11 vulnerabilities:

- two high (CVE-2013-0916 and CVE-2013-0921)

- four medium (Linux only CVE-2013-0919, CVE-2013-0920, CVE-2013-0923 and CVE-2013-0926)

- five low (CVE-2013-0917, CVE-2013-0918, CVE-2013-0922, CVE-2013-0924 and CVE-2013-0925)


More information in Google Chrome Releases blog.

Monday, March 18, 2013

Symantec Intelligence Report: February 2013

Symantec have published their Intelligence report that sums up the latest threat trends for February 2013.

Report highlights:
- Spam – 65.9 percent (an increase of 1.8 percentage points since January)
- Phishing – One in 466.3 emails identified as phishing (an increase of 0.018 percentage points since January)
- Malware – One in 408.2 emails contained malware (a decrease of 0.11 percentage points since January)
- Malicious websites – 1,530 websites blocked per day (a decrease of 32.2 percent since January)

The report can be viewed here.

ESET Global Threat Report for February 2013

ESET have published a report discussing global threats of February 2013.

TOP 10 threats list (previous ranking listed too):

1. INF/Autorun (1.)
2. HTML/Iframe.B (2.)
3. Win32/Sality (5.)
4. HTML/ScrInject.B (3.)
5. Win32/Dorkbot (8.)
6. Win32/Ramnit (7.)
7. Win32/Conficker (6.)
8. Win32/Qhost (4.)
9. JS/TrojanDownloader.Iframe.NKE (9.)
10. Win32/Virut (32.)


The complete report (with a description of each of the above listed threats) can be downloaded here (in PDF format).

Wednesday, March 13, 2013

Adobe Flash Player and Adobe AIR Updates Available

Adobe have released updated versions of their Flash Player and AIR. The new versions fix critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:
- Users of Adobe Flash Player 11.6.602.171 and earlier versions for Windows should update to Adobe Flash Player 11.6.602.180
- Users of Adobe Flash Player 11.6.602.171 and earlier versions for Macintosh should update to Adobe Flash Player 11.6.602.180
- Users of Adobe Flash Player 11.2.202.273 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.275
- Users of Adobe Flash Player 11.1.115.47 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.48 (applicable only for Flash Player installed before August 15, 2012)
- Users of Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x versions should update to Flash Player 11.1.111.44 (applicable only for Flash Player installed before August 15, 2012)
- Flash Player integrated with Google Chrome will be updated by Google via Chrome update
- Flash Player integrated with Internet Explorer 10 will be updated via Windows Update
- Users of Adobe AIR 3.6.0.597 and earlier versions for Windows should update to Adobe AIR 3.6.0.6090
- Users of Adobe AIR 3.6.0.597 and earlier versions for Macintosh should update to Adobe AIR 3.6.0.6090
- Users of Adobe AIR 3.6.0.597 and earlier versions for Android should update to Adobe AIR 3.6.0.6090
- Users of the Adobe AIR 3.6.0.597 SDK should update to the Adobe AIR 3.6.0.6090 SDK

More information can be read from Adobe's security bulletin.

Microsoft Security Updates For March 2013

Microsoft have released security updates for March 2013. This month's update contains seven security bulletins, of which four are critical and three are important.

A new version of Windows Malicious Software Removal Tool (MSRT) was released too.

More information can be read from the bulletin summary.

Monday, March 11, 2013

New Update To Chrome

Google have released version 25.0.1364.160 of their Chrome web browser. The new version contains a fix for a vulnerability categorized as high (CVE-2013-0912).

More information in Google Chrome Releases blog.

Security Updates To Mozilla Products

Mozilla have released updates to the Firefox and SeaMonkey browsers and the Thunderbird email client to address a critical vulnerability (CVE-2013-0787).

Affected products are:
- Mozilla Firefox earlier than 19.0.2
- Mozilla Firefox ESR earlier than 17.0.4
- Mozilla Thunderbird earlier than 17.0.4
- Mozilla Thunderbird ESR earlier than 17.0.4
- Mozilla SeaMonkey earlier than 2.16.1

Link to the security advisory with details about addressed security issue:
MFSA 2013-29 Use-after-free in HTML Editor


Fresh versions can be obtained via inbuilt updater or by downloading from the product site:
Firefox
Thunderbird
SeaMonkey

Thursday, March 7, 2013

Google Chrome Updated

Google have released version 25.0.1364.152 of their Chrome web browser. The new version contains fixes for 10 vulnerabilities:

- six high (CVE-2013-0902, CVE-2013-0903, CVE-2013-0904, CVE-2013-0905, CVE-2013-0906 and CVE-2013-0911)

- three medium (CVE-2013-0907, CVE-2013-0908 and CVE-2013-0910)

- one low (CVE-2013-0909)


More information in Google Chrome Releases blog.

Tuesday, March 5, 2013

Java Security Updates From Oracle

Oracle have released an update for Java JRE & JDK. The update fixes two vulnerabilities (CVE-2013-0809 and CVE-2013-1493).

Affected versions are:
- Java 7 JRE and JDK update 15 and earlier
- Java 6 JRE and JDK update 41 and earlier
- Java 5.0 JRE and JDK update 40 and earlier

More information about the update can be read here.

Java users are recommended to update their versions to the latest one available as soon as possible.

Thursday, February 28, 2013

Adobe Flash Player Update Available

Adobe have released updated versions of their Flash Player. The new versions fix critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:
- Users of Adobe Flash Player 11.6.602.168 and earlier versions for Windows should update to Adobe Flash Player 11.6.602.171
- Users of Adobe Flash Player 11.6.602.167 and earlier versions for Macintosh should update to Adobe Flash Player 11.6.602.171
- Users of Adobe Flash Player 11.2.202.270 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.273
- Flash Player integrated with Google Chrome will be updated by Google via Chrome update
- Flash Player integrated with Internet Explorer 10 for Windows 8 will be updated via Windows Update

More information can be read from Adobe's security bulletin.

Monday, February 25, 2013

Google Chrome Updated

Google have released version 25.0.1364.97 of their Chrome web browser. The new version contains fixes for 23 vulnerabilities:
- nine high (CVE-2013-0879, CVE-2013-0880, CVE-2013-0882, CVE-2013-0890, CVE-2013-0891, CVE-2013-0894, CVE-2013-0895 (affects Linux / Mac), CVE-2013-0896, CVE-2013-0898)
- eight medium (CVE-2013-0881, CVE-2013-0883, CVE-2013-0885, CVE-2013-0886 (Mac only), CVE-2013-0888, CVE-2013-0892, CVE-2013-0893, CVE-2013-0900)
- five low (CVE-2013-0884, CVE-2013-0887, CVE-2013-0889, CVE-2013-0897, CVE-2013-0899)

More information is available in the Google Chrome Releases blog.

Thursday, February 21, 2013

Mozilla Security Updates Available

Mozilla have released updates to the Firefox and SeaMonkey browsers and the Thunderbird email client to address a number of vulnerabilities, of which four are categorized as critical, two as high and two as moderate.

Affected products are:
- Mozilla Firefox earlier than 19.0
- Mozilla Firefox ESR earlier than 17.0.3
- Mozilla Thunderbird earlier than 17.0.3
- Mozilla Thunderbird ESR earlier than 17.0.3
- Mozilla SeaMonkey earlier than 2.16

Links to the security advisories with details about addressed security issues:
MFSA 2013-28 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer
MFSA 2013-27 Phishing on HTTPS connection through malicious proxy
MFSA 2013-26 Use-after-free in nsImageLoadingContent
MFSA 2013-25 Privacy leak in JavaScript Workers
MFSA 2013-24 Web content bypass of COW and SOW security wrappers
MFSA 2013-23 Wrapped WebIDL objects can be wrapped again
MFSA 2013-22 Out-of-bounds read in image rendering
MFSA 2013-21 Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)


Fresh versions can be obtained via the built-in updater or by downloading from the product site:
Firefox
Thunderbird
SeaMonkey

Adobe Reader And Acrobat Security Updates

Adobe have released security updates to fix a couple of critical vulnerabilities (CVE-2013-0640, CVE-2013-0641) in their PDF products, Adobe Reader and Adobe Acrobat.

Affected versions:
* Series XI (11.x)
Adobe Reader 11.0.01 and earlier
Adobe Acrobat 11.0.01 and earlier

* Series X (10.x)
Adobe Reader 10.1.5 and earlier
Adobe Acrobat 10.1.5 and earlier

* Series 9.x
Adobe Reader 9.5.3 and earlier 9.x versions
Adobe Acrobat 9.5.3 and earlier 9.x versions


Users of vulnerable versions are instructed to update either by using the automatic update functionality or by downloading a fresh version manually. The default installation configuration runs automatic updates on a regular schedule; an update check can also be started manually by choosing Help > Check for Updates.

Those who want to upgrade manually can download the latest versions from the links below:
Adobe Reader
Acrobat Standard, Pro and Extended


More information about fixed vulnerabilities can be read from Adobe's security bulletin.

Java Security Updates From Oracle

Oracle have released an update for Java JRE & JDK. The update fixes five vulnerabilities.

Affected versions are:
- Java 7 JRE and JDK update 13 and earlier
- Java 6 JRE and JDK update 39 and earlier
- Java 5.0 JRE and JDK update 39 and earlier
- Java 1.4.2 JRE and JDK update 41 and earlier

More information about the update can be read from the Java critical patch update document.

Java users are advised to update to the latest available version as soon as possible.

Wednesday, February 20, 2013

Symantec Intelligence Report: January 2013

Symantec have published their Intelligence report that sums up the latest threat trends for January 2013.

Report highlights:
- Spam – 64.1 percent (a decrease of 6.5 percentage points since December)
- Phishing – One in 508.6 emails identified as phishing (a decrease of 0.068 percentage points since December)
- Malware – One in 400 emails contained malware (a decrease of 0.11 percentage points since December)
- Malicious websites – 2,256 websites blocked per day (an increase of 196.1 percent since December)

The report can be viewed here.

Thursday, February 14, 2013

Adobe Shockwave Player Update Available


Adobe have released an updated version of their Shockwave Player. The new version fixes two security vulnerabilities. The update is categorized as critical with priority level as 2.

Users of Adobe Shockwave Player 11.6.8.638 and earlier should update to Adobe Shockwave Player 12.0.0.112.

More about fixed vulnerabilities and other information can be read from Adobe's security bulletin.

Adobe Flash Player and Adobe AIR Updates Available

Adobe have released updated versions of their Flash Player and AIR. The new versions fix critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:
- Users of Adobe Flash Player 11.5.502.149 and earlier versions for Windows should update to Adobe Flash Player 11.6.602.168
- Users of Adobe Flash Player 11.5.502.149 and earlier versions for Macintosh should update to Adobe Flash Player 11.6.602.167
- Users of Adobe Flash Player 11.2.202.262 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.270
- Users of Adobe Flash Player 11.1.115.37 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.47 (applicable only for Flash Player installed before August 15, 2012)
- Users of Adobe Flash Player 11.1.111.32 and earlier versions for Android 3.x and 2.x versions should update to Flash Player 11.1.111.43 (applicable only for Flash Player installed before August 15, 2012)
- Flash Player integrated with Google Chrome will be updated by Google via Chrome update
- Flash Player integrated with Internet Explorer 10 will be updated via Windows Update
- Users of Adobe AIR 3.5.0.1060 and earlier versions for Windows should update to Adobe AIR 3.6.0.597
- Users of Adobe AIR 3.5.0.1060 and earlier versions for Macintosh should update to Adobe AIR 3.6.0.597
- Users of the Adobe AIR 3.5.0.1060 SDK (includes AIR for iOS) should update to the Adobe AIR 3.6.0.599 SDK

More information can be read from Adobe's security bulletin.

Wednesday, February 13, 2013

Microsoft Security Updates For February 2013

Microsoft have released security updates for February 2013. This month's update contains 12 security bulletins, of which five are critical and seven are important.

A new version of the Windows Malicious Software Removal Tool (MSRT) was released too.

More information can be read from the bulletin summary.

Saturday, February 9, 2013

Adobe Flash Player Update Available

Adobe have released updated versions of their Flash Player. The new versions fix critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:
- Users of Adobe Flash Player 11.5.502.146 and earlier versions for Windows should update to Adobe Flash Player 11.5.502.149
- Users of Adobe Flash Player 11.5.502.146 and earlier versions for Macintosh should update to Adobe Flash Player 11.5.502.149
- Users of Adobe Flash Player 11.2.202.261 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.262
- Users of Adobe Flash Player 11.1.115.36 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.37 (applicable only for Flash Player installed before August 15, 2012)
- Users of Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x versions should update to Flash Player 11.1.111.32 (applicable only for Flash Player installed before August 15, 2012)
- Flash Player integrated with Google Chrome will be updated by Google via Chrome update
- Flash Player integrated with Internet Explorer 10 will be updated via Windows Update

More information can be read from Adobe's security bulletin.

Tuesday, February 5, 2013

Java Security Updates From Oracle

Oracle have released an update for Java JRE & JDK and JavaFX. The update fixes 50 vulnerabilities.

Affected versions are:
- Java 7 JRE and JDK update 11 and earlier
- Java 6 JRE and JDK update 38 and earlier
- Java 5.0 JRE and JDK update 38 and earlier
- Java 1.4.2 JRE and JDK update 40 and earlier
- JavaFX 2.2.4 and earlier

More information about the update can be read from the Java critical patch update document.

Java users are advised to update to the latest available version as soon as possible.

Saturday, February 2, 2013

Opera 12.13 Released

Opera Software have released an update for their Opera web browser. Version 12.13 contains fixes for four security vulnerabilities.

high:
* Fixed an issue where DOM events manipulation might be used to execute arbitrary code, as reported by Arthur Gerkis; advisory
* Fixed an issue where use of SVG clipPaths could allow execution of arbitrary code, as reported by anonymous via the iSIGHT Partners GVP Program; advisory

low:
* Fixed an issue where CORS requests could omit the preflight request, as reported by webpentest; advisory

In addition, one other low severity security issue (Opera Software will disclose its details at a later date) was fixed.

Opera users are strongly advised to update to the latest version. The new version can be downloaded here.

Sunday, January 27, 2013

Google Chrome Updated

Google have released version 24.0.1312.56 of their Chrome web browser. The new version contains fixes for five vulnerabilities:
- three high (CVE-2013-0839, CVE-2013-0841, CVE-2013-0843)
- two medium (CVE-2013-0840, CVE-2013-0842)

More information is available in the Google Chrome Releases blog.

Monday, January 21, 2013

ESET Global Threat Report for December 2012

ESET have published a report discussing global threats of December 2012.

TOP 10 threats list:

1. INF/Autorun
2. HTML/ScrInject.B
3. HTML/Iframe.B
4. Win32/Conficker
5. Win32/Sality
6. Win32/Dorkbot
7. JS/TrojanDownloader.Iframe.NKE
8. Win32/Sirefef
9. Win32/Ramnit
10. Win32/Spy.Ursnif


The complete report (with a description of each of the threats listed above) can be downloaded here (in PDF format).

Sunday, January 20, 2013

Symantec Intelligence Report: December 2012

Symantec have published their Intelligence report that sums up the latest threat trends for December 2012.

Report highlights:
- Spam – 70.6 percent (an increase of 1.8 percentage points since November)
- Phishing – One in 377.4 emails identified as phishing (an increase of 0.225 percentage points since November)
- Malware – One in 277.8 emails contained malware (a decrease of 0.03 percentage points since November)
- Malicious websites – 762 websites blocked per day (a decrease of 58.7 percent since November)

The report can be viewed here.

Friday, January 18, 2013

Oracle Critical Patch Update For Q1 of 2013

Oracle have released updates for their products that fix 86 security issues in total. The updates are part of Oracle's quarterly critical patch update (CPU).

A detailed list of vulnerabilities with patching instructions can be read in the Oracle CPU Advisory.

The next Oracle CPU is planned for release in April 2013.

Monday, January 14, 2013

A Vulnerability Affecting Java 7

A vulnerability (CVE-2013-0422) has been found in Oracle Java. The vulnerability may allow an attacker to run arbitrary code on a vulnerable system. Affected are Java JDK and JRE 7 update 10 and earlier versions in series 7 (JDK and JRE 6, 5.0 and 1.4.2, and Java SE Embedded JRE releases are not affected).

Users of affected versions are advised to get update 11 here. The new version also changes the default security level setting from medium to high:
"The default security level for Java applets and web start applications has been increased from "Medium" to "High". This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run to prevent silent exploitation."

If Java is not needed in a web browser, then in addition to updating it, it is recommended to disable Java in browsers. Instructions for doing that can be read here.

Update For Google Chrome Released

Google have released version 24.0.1312.52 of their Chrome web browser. The new version contains fixes for 24 vulnerabilities:
- 11 high (CVE-2012-5145, CVE-2012-5146, CVE-2012-5147, CVE-2012-5149, CVE-2012-5150, CVE-2012-5151, CVE-2012-5153, CVE-2012-5156, CVE-2013-0828, CVE-2013-0829, CVE-2013-0836)
- eight medium (CVE-2012-5148, CVE-2012-5152, CVE-2012-5155 (Mac only), CVE-2012-5157, CVE-2013-0832, CVE-2013-0833, CVE-2013-0834, CVE-2013-0837)
- five low (CVE-2012-5154 (Windows only), CVE-2013-0830 (Windows only), CVE-2013-0831, CVE-2013-0835, CVE-2013-0838 (Linux only))

The new version also contains an update to Flash.

More information is available in the Google Chrome Releases blog.

Thursday, January 10, 2013

Mozilla Security Updates Available

Mozilla have released updates to the Firefox and SeaMonkey browsers and the Thunderbird email client to address a number of vulnerabilities, of which 12 are categorized as critical, seven as high and one as moderate.

Affected products are:
- Mozilla Firefox earlier than 18.0
- Mozilla Firefox ESR earlier than 10.0.12
- Mozilla Firefox ESR earlier than 7.0.2
- Mozilla Thunderbird earlier than 17.0.2
- Mozilla Thunderbird ESR earlier than 10.0.12
- Mozilla Thunderbird ESR earlier than 17.0.2
- Mozilla SeaMonkey earlier than 2.15

Links to the security advisories with details about addressed security issues:
MFSA 2013-20 Mis-issued TURKTRUST certificates
MFSA 2013-19 Use-after-free in Javascript Proxy objects
MFSA 2013-18 Use-after-free in Vibrate
MFSA 2013-17 Use-after-free in ListenerManager
MFSA 2013-16 Use-after-free in serializeToStream
MFSA 2013-15 Privilege escalation through plugin objects
MFSA 2013-14 Chrome Object Wrapper (COW) bypass through changing prototype
MFSA 2013-13 Memory corruption in XBL with XML bindings containing SVG
MFSA 2013-12 Buffer overflow in Javascript string concatenation
MFSA 2013-11 Address space layout leaked in XBL objects
MFSA 2013-10 Event manipulation in plugin handler to bypass same-origin policy
MFSA 2013-09 Compartment mismatch with quickstubs returned values
MFSA 2013-08 AutoWrapperChanger fails to keep objects alive during garbage collection
MFSA 2013-07 Crash due to handling of SSL on threads
MFSA 2013-06 Touch events are shared across iframes
MFSA 2013-05 Use-after-free when displaying table with many columns and column groups
MFSA 2013-04 URL spoofing in addressbar during page loads
MFSA 2013-03 Buffer Overflow in Canvas
MFSA 2013-02 Use-after-free and buffer overflow issues found using Address Sanitizer
MFSA 2013-01 Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)


Fresh versions can be obtained via the built-in updater or by downloading from the product site:
Firefox
Thunderbird
SeaMonkey