Thursday, May 23, 2013

Google Chrome Updated

Google have released version 27.0.1453.93 of their Chrome web browser. The new version contains fixes for 14 vulnerabilities:

- 11 high (CVE-2013-2837, CVE-2013-2839, CVE-2013-2840, CVE-2013-2841, CVE-2013-2842, CVE-2013-2843, CVE-2013-2844, CVE-2013-2845, CVE-2013-2846, CVE-2013-2847 and CVE-2013-2836)

- two medium (CVE-2013-2838 and CVE-2013-2848)

- one low (CVE-2013-2849)


More information is available in the Google Chrome Releases blog.


After that update, Google released version 27.0.1453.94 for Windows, which fixes a GPU-related crash.

Friday, May 17, 2013

iTunes 11.0.3 Released

Apple have released version 11.0.3 of their iTunes media player. Along with some new features, the updated version fixes some security vulnerabilities, including ones that could allow an attacker to execute arbitrary code on the target system.

More information about the security content of iTunes 11.0.3 can be found in the related security advisory.

Users of older versions should update to the latest one available.

Mozilla Product Updates Released

Mozilla have released updates to the Firefox web browser and Thunderbird email client to address a bunch of vulnerabilities, of which three are categorized as critical, four as high and one as moderate.

Affected products are:
- Mozilla Firefox earlier than 21.0
- Mozilla Firefox ESR earlier than 17.0.6
- Mozilla Thunderbird earlier than 17.0.6
- Mozilla Thunderbird ESR earlier than 17.0.6

Links to the security advisories with details about addressed security issues:
- MFSA 2013-48 Memory corruption found using Address Sanitizer
- MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent
- MFSA 2013-46 Use-after-free with video and onresize event
- MFSA 2013-45 Mozilla Updater fails to update some Windows Registry entries
- MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service
- MFSA 2013-43 File input control has access to full path
- MFSA 2013-42 Privileged access for content level constructor
- MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)


Fresh versions can be obtained via the built-in updater or by downloading from the product site:
- Firefox
- Thunderbird

Thursday, May 16, 2013

Adobe Reader And Acrobat Security Updates

Adobe have released security updates to fix a bunch of vulnerabilities in their PDF products, Adobe Reader and Adobe Acrobat.

Affected versions:
Series XI (11.x):
- Adobe Reader 11.0.02 and earlier
- Adobe Acrobat 11.0.02 and earlier

Series X (10.x):
- Adobe Reader 10.1.6 and earlier
- Adobe Acrobat 10.1.6 and earlier

Series 9.x:
- Adobe Reader 9.5.4 and earlier 9.x versions
- Adobe Acrobat 9.5.4 and earlier 9.x versions


Users of vulnerable versions are instructed to update either by using the automatic update functionality or by downloading a fresh version manually. The default installation configuration runs automatic updates on a regular schedule, and an update check can be manually activated by choosing Help > Check for Updates.

Those who want to upgrade manually can download the latest versions from the links below:
- Adobe Reader
- Acrobat Standard, Pro and Extended


More information about the fixed vulnerabilities can be found in Adobe's security bulletin.

Wednesday, May 15, 2013

Adobe ColdFusion Update Available

Adobe have released an updated version of the ColdFusion web application development platform. The new version fixes two vulnerabilities: a vulnerability (CVE-2013-1389) that could allow remote arbitrary code execution on a system running ColdFusion, and a vulnerability (CVE-2013-3336) that could permit an unauthorized user to remotely retrieve files stored on the server.

Affected versions:
- ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX.

More information can be found in Adobe's security bulletin.

Adobe Flash Player and Adobe AIR Updates Available

Adobe have released updated versions of their Flash Player and AIR. The new versions fix critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:
- Users of Adobe Flash Player 11.7.700.169 and earlier versions for Windows should update to Adobe Flash Player 11.7.700.202
- Users of Adobe Flash Player 11.7.700.169 and earlier versions for Macintosh should update to Adobe Flash Player 11.7.700.202
- Users of Adobe Flash Player 11.2.202.280 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.285
- Users of Adobe Flash Player 11.1.115.54 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.58 (applicable only for Flash Player installed before August 15, 2012)
- Users of Adobe Flash Player 11.1.111.50 and earlier versions for Android 3.x and 2.x versions should update to Flash Player 11.1.111.54 (applicable only for Flash Player installed before August 15, 2012)
- Flash Player integrated with Google Chrome will be updated by Google via Chrome update
- Flash Player integrated with Internet Explorer 10 will be updated via Windows Update
- Users of Adobe AIR 3.7.0.1530 and earlier versions for Windows should update to Adobe AIR 3.7.0.1860
- Users of Adobe AIR 3.7.0.1530 and earlier versions for Macintosh should update to Adobe AIR 3.7.0.1860
- Users of Adobe AIR 3.7.0.1660 and earlier versions for Android should update to Adobe AIR 3.7.0.1860
- Users of the Adobe AIR 3.7.0.1530 SDK should update to the Adobe AIR 3.7.0.1860 SDK

More information can be found in Adobe's security bulletin.

Tuesday, May 14, 2013

Microsoft Security Updates For May 2013

Microsoft have released security updates for May 2013. This month's update contains ten security bulletins, of which two are critical and eight important.

A new version of the Windows Malicious Software Removal Tool (MSRT) was released too.

More information can be found in the bulletin summary.

Monday, May 13, 2013

Unpatched Vulnerability In ColdFusion

Adobe has identified a critical vulnerability in its ColdFusion web application development platform. The vulnerability (CVE-2013-3336) could be exploited to gain access to files stored on vulnerable computers.

Affected versions are ColdFusion 10, 9.0.2, 9.0.0, 9.0 and older versions for Windows, Mac, and Unix. An exploit for the flaw is reportedly available. Adobe plans to release a patch for the vulnerability on May 14. More information is available in the related security advisory.

Sunday, May 12, 2013

F-Secure Introduces Safe Profile App For Facebook

F-Secure have made available a Facebook app called Safe Profile. Its job is to inform the user about the most important safety and privacy issues. After a scan, Safe Profile gives a rating for the account's privacy, displays any potential issues and makes recommendations for more secure settings. Safe Profile won't store any personal data.

Safe Profile is currently at a beta stage. To try it, log into your Facebook account and search for "Safe Profile Beta".

Source: F-Secure press release

Monday, May 6, 2013

Vulnerability In Internet Explorer

A vulnerability has been found in Microsoft Internet Explorer that may allow an attacker to execute arbitrary code on a vulnerable system. Microsoft is aware of attacks that try to exploit this vulnerability. The affected Internet Explorer version is 8.

At the moment, no patch has been released against the vulnerability. Information about workarounds can be read here.

Friday, May 3, 2013

Adobe PDF Leakage Issue To Be Fixed May 14

Adobe stated in their blog that a fix will be released for a low-severity issue affecting Adobe Reader and Acrobat products. A user's IP address and timestamp could be exposed when a specially crafted PDF document is opened. The fix will be included in the next Adobe Reader and Acrobat versions, scheduled to be released on May 14.

The problem was originally found and reported by McAfee researchers (blog post).