Sunday, June 30, 2013

Vulnerabilities In Drupal Fixed

Two vulnerabilities have been fixed in the open-source content management framework Drupal. The vulnerabilities are in the Drupal Login Security module 1.x.

Affected versions are 6.x-1.x versions prior to 6.x-1.2 and 7.x-1.x versions prior to 7.x-1.2.

Solution:
Users of the Login Security module for Drupal 6.x should upgrade to Login Security 6.x-1.3
Users of the Login Security module for Drupal 7.x should upgrade to Login Security 7.x-1.3


More information in Drupal security advisory and Secunia advisory.

Role Of Redirects In Spam

Spam is not a new problem for email users. Security company Kaspersky has published an analysis of redirects in spam.

Spammers frequently use redirects in their emails: after clicking on a link in a spam message, the recipient is often taken through a series of websites before reaching the destination resource.

There are many reasons for using redirects. In most cases, they help spammers to hide the data that enables spam filters to classify a message as unwanted – e.g., the website or contact phone number of the spammers’ customer. As a result, the recipient (as well as the spam filter) sees no links to the website being advertised in the message, and no telephone numbers or email addresses that can be used to contact those who ordered the spam mailing. The message only contains a link to an intermediary resource. In addition, if the spammer is a member of an affiliate program, he will need to know how many users followed the link, because his income directly depends on that. As a result, the chain of websites through which a user is sent may include redirector sites which function as counters.

The analysis can be read here.
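As an added example (not part of the Kaspersky analysis or this post), the following Python unwraps such a redirect chain hop by hop, so that a filter can classify the final advertised destination rather than the intermediary link and keep the redirector hosts as evidence. The `fetch` callable and the `CHAIN` table are constructed stand-ins for real HTTP requests.

```python
"""Resolve a spam redirect chain so a filter can classify the final destination."""
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # a chain longer than this is treated as suspicious in itself

# Constructed sample (assumption, not real hosts): each intermediary answers
# with a 3xx status and a Location header; the second hop uses a relative
# Location to exercise the urljoin path.
CHAIN = {
    "http://redir-a.example/click?id=42": (302, "/counter?aff=7"),
    "http://redir-a.example/counter?aff=7": (301, "http://redir-b.example/go"),
    "http://redir-b.example/go": (303, "http://shop.example/offer"),
    "http://shop.example/offer": (200, None),
}


def fake_fetch(url):
    """Stand-in for an HTTP HEAD request: returns (status, Location header or None)."""
    return CHAIN.get(url, (404, None))


def _result(url, hops, verdict):
    return {"final": url, "final_host": urlsplit(url).hostname,
            "hops": hops, "verdict": verdict}


def resolve_chain(start_url, fetch=fake_fetch, max_hops=MAX_HOPS):
    """Follow redirects from start_url and return the final URL plus every hop.

    The hop list is kept because redirector hosts acting as click counters
    are useful filter evidence in their own right.
    """
    hops = [start_url]
    seen = {start_url}
    url = start_url
    status, location = fetch(url)
    while 300 <= status < 400 and location:
        if len(hops) > max_hops:
            return _result(url, hops, "too-many-hops")
        nxt = urljoin(url, location)  # resolve a relative Location against the current URL
        if nxt in seen:
            return _result(url, hops, "loop")
        seen.add(nxt)
        hops.append(nxt)
        url = nxt
        status, location = fetch(url)
    verdict = "resolved" if status == 200 else f"dead-end-{status}"
    return _result(url, hops, verdict)
```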

Thursday, June 27, 2013

Mozilla Product Updates Released

Mozilla has released updates to the Firefox web browser and Thunderbird email client to address a number of vulnerabilities, of which four are categorized as critical, six as high, three as moderate and one as low.

Affected products are:
- Mozilla Firefox earlier than 22.0
- Mozilla Firefox ESR earlier than 17.0.7
- Mozilla Thunderbird earlier than 17.0.7
- Mozilla Thunderbird ESR earlier than 17.0.7

Links to the security advisories with details about addressed security issues:
MFSA 2013-62 Inaccessible updater can lead to local privilege escalation
MFSA 2013-61 Homograph domain spoofing in .com, .net and .name
MFSA 2013-60 getUserMedia permission dialog incorrectly displays location
MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
MFSA 2013-58 X-Frame-Options ignored when using server push with multi-part responses
MFSA 2013-57 Sandbox restrictions not applied to nested frame elements
MFSA 2013-56 PreserveWrapper has inconsistent behavior
MFSA 2013-55 SVG filters can lead to information disclosure
MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
MFSA 2013-53 Execution of unmapped memory through onreadystatechange event
MFSA 2013-52 Arbitrary code execution within Profiler
MFSA 2013-51 Privileged content access and execution via XBL
MFSA 2013-50 Memory corruption found using Address Sanitizer
MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)


Fresh versions can be obtained via inbuilt updater or by downloading from the product site:
Firefox
Thunderbird

Thursday, June 20, 2013

Google Chrome Updated

Google has released version 27.0.1453.116 of its Chrome web browser. The new version fixes a medium-severity vulnerability (CVE-2013-2866) in the Chrome Flash plug-in.

More information is available in the Google Chrome Releases blog.

Java Security Updates From Oracle

Oracle has released an update for Java JRE and JDK. The update fixes 40 vulnerabilities.

Affected versions are:
- Java 7 JRE and JDK update 21 and earlier
- Java 6 JRE and JDK update 45 and earlier
- Java 5.0 JRE and JDK update 45 and earlier
- JavaFX 2.2.21 and earlier

More information about the update can be read in the Java Critical Patch Update document.

Java users are recommended to update to the latest available version as soon as possible.

Thursday, June 13, 2013

Adobe Flash Player and Adobe AIR Updates Available

Adobe has released updated versions of Flash Player and AIR. The new versions fix critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:
- Users of Adobe Flash Player 11.7.700.202 and earlier versions for Windows should update to Adobe Flash Player 11.7.700.224
- Users of Adobe Flash Player 11.7.700.203 and earlier versions for Macintosh should update to Adobe Flash Player 11.7.700.225
- Users of Adobe Flash Player 11.2.202.285 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.291
- Users of Adobe Flash Player 11.1.115.58 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.63 (applicable only for Flash Player installed before August 15, 2012)
- Users of Adobe Flash Player 11.1.111.54 and earlier versions for Android 3.x and 2.x versions should update to Flash Player 11.1.111.59 (applicable only for Flash Player installed before August 15, 2012)
- Flash Player integrated with Google Chrome will be updated by Google via Chrome update
- Flash Player integrated with Internet Explorer 10 will be updated via Windows Update
- Users of Adobe AIR 3.7.0.1860 and earlier versions for Windows should update to Adobe AIR 3.7.0.2090
- Users of Adobe AIR 3.7.0.1860 and earlier versions for Macintosh should update to Adobe AIR 3.7.0.2100
- Users of Adobe AIR 3.7.0.1860 and earlier versions for Android should update to Adobe AIR 3.7.0.2090
- Users of the Adobe AIR 3.7.0.1860 SDK for Windows should update to the Adobe AIR 3.7.0.2090 SDK
- Users of the Adobe AIR 3.7.0.1860 SDK for Macintosh should update to the Adobe AIR 3.7.0.2100 SDK

More information can be read from Adobe's security bulletin.

Wednesday, June 12, 2013

Microsoft Security Updates For June 2013

Microsoft has released its security updates for June 2013. This month's update contains five security bulletins, of which one is rated critical and four important.

A new version of the Windows Malicious Software Removal Tool (MSRT) was released as well.

More information can be read from the bulletin summary.

Tuesday, June 11, 2013

PHP Versions 5.3.26 and 5.4.16 Released

The PHP development team has released versions 5.3.26 and 5.4.16 of the PHP scripting language. The new versions contain about 15 bug fixes, including one for a heap-based buffer overflow in quoted_printable_encode (CVE-2013-2110). All PHP users are recommended to upgrade to the latest release of the corresponding branch.

More details about 5.3.26 and 5.4.16 releases can be read from the official release announcement.

Wednesday, June 5, 2013

Google Chrome Updated

Google has released version 27.0.1453.110 of its Chrome web browser. The new version contains fixes for 11 vulnerabilities:
- one critical (CVE-2013-2863)
- nine high (CVE-2013-2854 (Windows only), CVE-2013-2856, CVE-2013-2857, CVE-2013-2858, CVE-2013-2859, CVE-2013-2860, CVE-2013-2861, CVE-2013-2862, CVE-2013-2864)
- one medium (CVE-2013-2855)

More information is available in the Google Chrome Releases blog.

Tuesday, June 4, 2013

Two-factor authentication FAQ

Two-factor authentication, or 2FA for short, is an attempt to make the login process more secure. The basic login process asks for a username and password; with 2FA there is an extra authentication step on top of that.

CNET has an article dealing with some common questions around two-factor authentication. The article can be read here.