Wednesday, November 27, 2013

Symantec Intelligence Report: October 2013

Symantec have published their Intelligence report that sums up the latest threat trends for October 2013.

Report highlights:
- This month saw one of the largest data breaches in a number of years, where as many as 150 million identities were exposed due to one breach.
- October saw a fivefold increase in targeted attacks compared to last month, even surpassing this time of year in 2011 and 2012, though still much lower than the summer peak.
- The total number of mobile vulnerabilities disclosed dropped significantly. In September a major update to a popular mobile operating system addressed a number of vulnerabilities, raising the count for that month.

The report (in PDF format) can be viewed here.

Mozilla Product Security Updates Released

Mozilla have released updates to Firefox and Seamonkey browsers and Thunderbird email client to address a few NSS library (Network Security Services) related vulnerabilities. Update is categorized as critical

Affected products are:
- Mozilla Firefox earlier than 25.0.1
- Mozilla Firefox ESR 24.x earlier than 24.1.1
- Mozilla Firefox ESR 17.x earlier than 17.0.11
- Mozilla Thunderbird earlier than 24.1.1
- Mozilla Thunderbird ESR 17.x earlier than 17.0.11
- Mozilla SeaMonkey earlier than 2.22.1

Link to the security advisory with details about addressed security issues:
MFSA 2013-103 Miscellaneous Network Security Services (NSS) vulnerabilities


Fresh versions can be obtained via inbuilt updater or by downloading from the product site:
Firefox
Thunderbird
SeaMonkey

Monday, November 18, 2013

Google Chrome Update Available

Google have released version 31.0.1650.57 of their Chrome web browser. New version contains a fix to a critical vulnerability (CVE-2013-6632).

More information in Google Chrome Releases blog.

Friday, November 15, 2013

Adobe Flash Player And Adobe AIR Updates Available

Adobe have released updated version of their Flash Player . The new version fix critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:

- Users of Adobe Flash Player 11.9.900.117 and earlier versions for Windows should update to Adobe Flash Player 11.9.900.152

- Users of Adobe Flash Player 11.9.900.117 and earlier versions for Macintosh should update to Adobe Flash Player 11.9.900.152

- Users of Adobe Flash Player 11.2.202.310 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.327

- Flash Player integrated with Google Chrome will be updated by Google via Chrome update

- Flash Player integrated with Internet Explorer 10 and 11 (on Windows 8.0 and Windows 8.1) will be updated via Windows Update

- Users of Adobe AIR 3.9.0.1030 and earlier versions for Windows and Macintosh should update to Adobe AIR 3.9.0.1210

- Users of the Adobe AIR 3.9.0.1030 SDK should update to the Adobe AIR 3.9.0.1210 SDK

- Users of the Adobe AIR 3.9.0.1030 SDK & Compiler and earlier versions should update to the Adobe AIR 3.9.0.1210 SDK & Compiler

- Users of the Adobe AIR  3.9.0.1060 and earlier versions for Android should update to Adobe AIR 3.9.0.1210 by browsing to Google play on an Android device


More information can be read from Adobe's security bulletin.

Adobe ColdFusion Hotfix Update Available

Adobe have released updated version of ColdFusion web application development platform. This hotfix addresses a reflected cross site scripting vulnerability (CVE-2013-5326) that could be exploited by a remote, authenticated user on ColdFusion 10 and earlier when the CFIDE directory is exposed. This hotfix also addresses a vulnerability (CVE-2013-5328) in ColdFusion 10 that could permit unauthorized remote read access.

Affected versions:
- ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and Linux


More information can be read from Adobe's security bulletin.

Google Chrome Updated

Google have released version 31.0.1650.48 of their Chrome web browser. New version contains fixes to 25 vulnerabilities. Also, Flash Player is updated.

More information in Google Chrome Releases blog.

Wednesday, November 13, 2013

Microsoft Security Updates For November 2013

Microsoft have released security updates for November 2013. This month update contains eight security bulletins of which three critical and five important.

A new version of Windows Malicious Software Removal Tool (MSRT) was released too.

More information can be read from the bulletin summary.

Monday, November 11, 2013

Vulnerability in Microsoft Graphics Component

Microsoft is investigating private reports of a vulnerability in the Microsoft Graphics component. By exploiting the vulnerability successfully an attacker may be able to execute arbitrary code in affected system.

Affected are:
Windows Vista and Windows Server 2008 versions
Microsoft Office versions older than Microsoft Office 2013
Microsoft Lync versions

At the moment there is no patch for the vulnerability available. For a workaround and more information please see the related security advisory.

Wednesday, November 6, 2013

ESET Global Threat Report for October 2013

ESET have published a report discussing global threats of October 2013.

TOP 10 threats list (previous ranking listed too):

1. WIN32/Bundpil (1.)
2. INF/Autorun (2.)
3. Win32/Sality (3.)
4. HTML/Iframe (4.)
5. HTML/ScrInject (5.)
6. Win32/Dorkbot (6.)
7. Win32/Conficker (7.)
8. Win32/Ramnit (8.)
9. Win32/TrojanDownloader.Small.AAB (-)
10. Win32/Qhost (9.)



Complete report (with a description about each of the above listed threats) can be downloaded here (in PDF format).

Sunday, November 3, 2013

Microsoft Security Intelligence Report Volume 15 Released

Microsoft have released volume 15 of their Security Intelligence Report (SIR)). The Security Intelligence Report (SIR) is an investigation of the current threat landscape. The report can be downloaded here.