Saturday, April 27, 2013

Microsoft Security Intelligence Report Volume 14 Released

Microsoft have released volume 14 of their Security Intelligence Report (SIR). The SIR is an investigation of the current threat landscape. The report can be downloaded here.

Symantec Internet Security Threat Report vol 18

Symantec have published their Internet Security Threat Report, which highlights security-related events from 2012 and looks ahead at upcoming security challenges. The report (in PDF format) can be downloaded here.

Thursday, April 18, 2013

Oracle Critical Patch Update For Q2 of 2013

Oracle have released updates for their products that fix 128 security issues in total. The updates are part of Oracle's quarterly Critical Patch Update (CPU).

A detailed list of vulnerabilities with patching instructions is available in the Oracle CPU Advisory.

The next Oracle CPU is planned for release in July 2013.

Java Security Updates From Oracle

Oracle have released an update for the Java JRE and JDK. The update fixes 42 vulnerabilities.

Affected versions are:
- Java 7 JRE and JDK update 17 and earlier
- Java 6 JRE and JDK update 43 and earlier
- Java 5.0 JRE and JDK update 41 and earlier
- JavaFX 2.2.7 and earlier

More information about the update can be found in the Java critical patch update document.

Java users are advised to update to the latest available version as soon as possible.

Tuesday, April 16, 2013

New Version Of VLC Player Available

The VideoLAN project has released a new version of their VLC media player. Version 2.0.6 contains a fix for a buffer overflow vulnerability in the ASF demuxer. By exploiting the vulnerability, an attacker may be able to execute arbitrary code on an affected system.

VLC Player versions prior to 2.0.6 are affected. Users of those versions should update to the latest version.

Thursday, April 11, 2013

Shockwave Player Update Available

Adobe have released an updated version of their Shockwave Player. The new version fixes three security vulnerabilities. The update is categorized as critical, with a priority level of 1.

Users of Adobe Shockwave Player 12.0.0.112 and earlier should update to Adobe Shockwave Player 12.0.2.122.

More about the fixed vulnerabilities and other information can be found in Adobe's security bulletin.

Adobe Flash Player and Adobe AIR Updates Available

Adobe have released updated versions of their Flash Player and AIR. The new versions fix critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:
- Users of Adobe Flash Player 11.6.602.180 and earlier versions for Windows should update to Adobe Flash Player 11.7.700.169
- Users of Adobe Flash Player 11.6.602.180 and earlier versions for Macintosh should update to Adobe Flash Player 11.7.700.169
- Users of Adobe Flash Player 11.2.202.275 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.280
- Users of Adobe Flash Player 11.1.115.48 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.54 (applicable only for Flash Player installed before August 15, 2012)
- Users of Adobe Flash Player 11.1.111.44 and earlier versions for Android 3.x and 2.x versions should update to Flash Player 11.1.111.50 (applicable only for Flash Player installed before August 15, 2012)
- Flash Player integrated with Google Chrome will be updated by Google via Chrome update
- Flash Player integrated with Internet Explorer 10 will be updated via Windows Update
- Users of Adobe AIR 3.6.0.6090 and earlier versions for Windows should update to Adobe AIR 3.7.0.1530
- Users of Adobe AIR 3.6.0.6090 and earlier versions for Macintosh should update to Adobe AIR 3.7.0.1530
- Users of Adobe AIR 3.6.0.6090 and earlier versions for Android should update to Adobe AIR 3.7.0.1530
- Users of the Adobe AIR 3.6.0.6090 SDK should update to the Adobe AIR 3.7.0.1530 SDK

More information can be found in Adobe's security bulletin.

Microsoft Security Updates For April 2013

Microsoft have released security updates for April 2013. This month's update contains nine security bulletins, of which two are rated critical and seven important.

A new version of the Windows Malicious Software Removal Tool (MSRT) was also released.

More information can be found in the bulletin summary.

Wednesday, April 3, 2013

Mozilla Product Updates Released

Mozilla have released updates to the Firefox and SeaMonkey browsers and the Thunderbird email client to address a number of vulnerabilities, of which three are categorized as critical, four as high and four as moderate.

Affected products are:
- Mozilla Firefox earlier than 20.0
- Mozilla Firefox ESR earlier than 17.0.5
- Mozilla Thunderbird earlier than 17.0.5
- Mozilla Thunderbird ESR earlier than 17.0.5
- Mozilla SeaMonkey earlier than 2.17

Links to the security advisories with details about addressed security issues:
- MFSA 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage
- MFSA 2013-39 Memory corruption while rendering grayscale PNG images
- MFSA 2013-38 Cross-site scripting (XSS) using timed history navigations
- MFSA 2013-37 Bypass of tab-modal dialog origin disclosure
- MFSA 2013-36 Bypass of SOW protections allows cloning of protected nodes
- MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux
- MFSA 2013-34 Privilege escalation through Mozilla Updater
- MFSA 2013-33 World read and write access to app_tmp directory on Android
- MFSA 2013-32 Privilege escalation through Mozilla Maintenance Service
- MFSA 2013-31 Out-of-bounds write in Cairo library
- MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)


The new versions can be obtained via the built-in updater or by downloading from the product site:
- Firefox
- Thunderbird
- SeaMonkey