Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. The vulnerability (CVE-2014-1761) could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. By exploiting the vulnerability successfully an attacker may be able to execute arbitrary code in affected system.
Affected are:
Microsoft Word 2003 Service Pack 3
Microsoft Word 2007 Service Pack 3
Microsoft Word 2010 Service Pack 1 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 1 (64-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2013 (32-bit editions)
Microsoft Word 2013 (64-bit editions)
Microsoft Word 2013 RT
Microsoft Word Viewer
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office for Mac 2011
Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 1
Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2
Word Automation Services on Microsoft SharePoint Server 2013
Microsoft Office Web Apps 2010 Service Pack 1
Microsoft Office Web Apps 2010 Service Pack 2
Microsoft Office Web Apps Server 2013
At the moment there is no patch for the vulnerability available. For a workaround and more information please see the related security advisory.
Sunday, March 30, 2014
Friday, March 28, 2014
ESET Global Threat Report for February 2014
ESET have published a report discussing global threats of February 2014.
TOP 10 threats list (previous ranking listed too):
1. WIN32/Bundpil (1.)
2. LNK/Agent.AK (5.)
3. Win32/Sality (2.)
4. INF/Autorun (4.)
5. Win32/Qhost (9.)
6. HTML/ScrInject (3.)
7. Win32/Ramnit (6.)
8. Win32/Conficker (7.)
9. Win32/Dorkbot (10.)
10. Win32/TrojanDownloader.Waski (-)
Complete report (with a description about each of the above listed threats) can be downloaded here (in PDF format).
TOP 10 threats list (previous ranking listed too):
1. WIN32/Bundpil (1.)
2. LNK/Agent.AK (5.)
3. Win32/Sality (2.)
4. INF/Autorun (4.)
5. Win32/Qhost (9.)
6. HTML/ScrInject (3.)
7. Win32/Ramnit (6.)
8. Win32/Conficker (7.)
9. Win32/Dorkbot (10.)
10. Win32/TrojanDownloader.Waski (-)
Complete report (with a description about each of the above listed threats) can be downloaded here (in PDF format).
Thursday, March 20, 2014
Mozilla Product Updates Released
Mozilla have released updates to Firefox and Seamonkey browsers and Thunderbird email client to address a bunch of vulnerabilities of which five categorized as critical, three as high, seven as moderate and three as low.
Affected products are:
- Mozilla Firefox earlier than 28
- Mozilla Firefox ESR 24.x earlier than 24.4
- Mozilla Thunderbird earlier than 24.4
- Mozilla SeaMonkey earlier than 2.25
Links to the security advisories with details about addressed security issues:
MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering
MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects
MFSA 2014-30 Use-after-free in TypeObject
MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs
MFSA 2014-28 SVG filters information disclosure through feDisplacementMap
MFSA 2014-27 Memory corruption in Cairo during PDF font rendering
MFSA 2014-26 Information disclosure through polygon rendering in MathML
MFSA 2014-25 Firefox OS DeviceStorageFile object vulnerable to relative path escape
MFSA 2014-24 Android Crash Reporter open to manipulation
MFSA 2014-23 Content Security Policy for data: documents not preserved by session restore
MFSA 2014-22 WebGL content injection from one domain to rendering in another
MFSA 2014-21 Local file access via Open Link in new tab
MFSA 2014-20 onbeforeunload and Javascript navigation DOS
MFSA 2014-19 Spoofing attack on WebRTC permission prompt
MFSA 2014-18 crypto.generateCRMFRequest does not validate type of key
MFSA 2014-17 Out of bounds read during WAV file decoding
MFSA 2014-16 Files extracted during updates are not always read only
MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)
Fresh versions can be obtained via inbuilt updater or by downloading from the product site:
Firefox
Thunderbird
SeaMonkey
Affected products are:
- Mozilla Firefox earlier than 28
- Mozilla Firefox ESR 24.x earlier than 24.4
- Mozilla Thunderbird earlier than 24.4
- Mozilla SeaMonkey earlier than 2.25
Links to the security advisories with details about addressed security issues:
MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering
MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects
MFSA 2014-30 Use-after-free in TypeObject
MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs
MFSA 2014-28 SVG filters information disclosure through feDisplacementMap
MFSA 2014-27 Memory corruption in Cairo during PDF font rendering
MFSA 2014-26 Information disclosure through polygon rendering in MathML
MFSA 2014-25 Firefox OS DeviceStorageFile object vulnerable to relative path escape
MFSA 2014-24 Android Crash Reporter open to manipulation
MFSA 2014-23 Content Security Policy for data: documents not preserved by session restore
MFSA 2014-22 WebGL content injection from one domain to rendering in another
MFSA 2014-21 Local file access via Open Link in new tab
MFSA 2014-20 onbeforeunload and Javascript navigation DOS
MFSA 2014-19 Spoofing attack on WebRTC permission prompt
MFSA 2014-18 crypto.generateCRMFRequest does not validate type of key
MFSA 2014-17 Out of bounds read during WAV file decoding
MFSA 2014-16 Files extracted during updates are not always read only
MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)
Fresh versions can be obtained via inbuilt updater or by downloading from the product site:
Firefox
Thunderbird
SeaMonkey
Labels:
Firefox,
Mozilla,
seamonkey,
security,
thunderbird,
update,
vulnerability
Friday, March 14, 2014
Google Chrome Updated
Google have released version 33.0.1750.149 of their Chrome web browser. Among other bug fixes the new version contains fixes to seven security issues and also a new version (12.0.0.77) of Flash Player.
More information in Google Chrome Releases blog.
More information in Google Chrome Releases blog.
Shockwave Player Update Available
Adobe have released an updated version of their Shockwave Player. The new version fixes security vulnerability that may allow an attacker to run arbitrary code on the affected system. The update is categorized as critical with priority level as 2.
Users of Adobe Shockwave Player 12.0.9.149 and earlier should update to Adobe Shockwave Player 12.1.0.150.
More about fixed vulnerabilities and other information can be read from Adobe's security bulletin.
Users of Adobe Shockwave Player 12.0.9.149 and earlier should update to Adobe Shockwave Player 12.1.0.150.
More about fixed vulnerabilities and other information can be read from Adobe's security bulletin.
Labels:
adobe,
security,
shockwave player,
update,
vulnerability
Adobe Flash Player Updates Available
Adobe have released updated versions of their Flash Player. The new versions fix important categorized vulnerabilities.
Affected versions:
- Users of Adobe Flash Player 12.0.0.70 and earlier versions for Windows Internet Explorer should update to Adobe Flash Player 12.0.0.77.
- Users of Adobe Flash Player 12.0.0.70 and earlier versions for Macintosh should update to Adobe Flash Player 12.0.0.77.
- Users of Adobe Flash Player 11.2.202.341 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.346.
- Flash Player integrated with Google Chrome will be updated by Google via Chrome update
- Flash Player integrated with Internet Explorer 10 and 11 (on Windows 8.0 and Windows 8.1) will be updated via Windows Update
More information can be read from Adobe's security bulletin.
Affected versions:
- Users of Adobe Flash Player 12.0.0.70 and earlier versions for Windows Internet Explorer should update to Adobe Flash Player 12.0.0.77.
- Users of Adobe Flash Player 12.0.0.70 and earlier versions for Macintosh should update to Adobe Flash Player 12.0.0.77.
- Users of Adobe Flash Player 11.2.202.341 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.346.
- Flash Player integrated with Google Chrome will be updated by Google via Chrome update
- Flash Player integrated with Internet Explorer 10 and 11 (on Windows 8.0 and Windows 8.1) will be updated via Windows Update
More information can be read from Adobe's security bulletin.
Wednesday, March 12, 2014
Microsoft Security Updates For March 2014
Microsoft have released security updates for March 2014. This month update contains five security bulletins of which two categorized as critical and three as important.
A new version of Windows Malicious Software Removal Tool (MSRT) was released too.
More information can be read from the bulletin summary.
A new version of Windows Malicious Software Removal Tool (MSRT) was released too.
More information can be read from the bulletin summary.
Monday, March 10, 2014
PHP Versions 5.5.10 and 5.4.26 Released
PHP development team has released 5.5.10 and 5.4.26 versions of the PHP scripting language. New versions contain 11 bug fixes. All PHP users are recommended to upgrade their versions to the latest release of the correspondent branch.
Version 5.5.10 Changelog
Version 5.4.26 Changelog
Version 5.5.10 Changelog
Version 5.4.26 Changelog
Tuesday, March 4, 2014
Symantec Intelligence Report: January 2014
Symantec have published their Intelligence report that sums up the latest threat trends for January 2014.
Report highlights:
- The number of identities exposed in the last 12 months has passed 500 million. This is largely due to two large breaches, that each reported over 100 million identities exposed.
- Targeted attacks are up to their highest level since August of last year, after what appears to be average-to-low attack numbers over the last four months.
- In other news, spam and phishing rates are down slightly in January, while email virus rates are at their lowest levels since October of last year.
The report (in PDF format) can be viewed here.
Report highlights:
- The number of identities exposed in the last 12 months has passed 500 million. This is largely due to two large breaches, that each reported over 100 million identities exposed.
- Targeted attacks are up to their highest level since August of last year, after what appears to be average-to-low attack numbers over the last four months.
- In other news, spam and phishing rates are down slightly in January, while email virus rates are at their lowest levels since October of last year.
The report (in PDF format) can be viewed here.
ESET Global Threat Report for January 2014
ESET have published a report discussing global threats of January 2014.
TOP 10 threats list (previous ranking listed too):
1. WIN32/Bundpil (1.)
2. Win32/Sality (3.)
3. HTML/ScrInject (5.)
4. INF/Autorun (4.)
5. LNK/Agent.AK (2.)
6. Win32/Ramnit (8.)
7. Win32/Conficker (6.)
8. JS/Fbook (-)
9. Win32/Qhost (-)
10. Win32/Dorkbot (7.)
Complete report (with a description about each of the above listed threats) can be downloaded here (in PDF format).
TOP 10 threats list (previous ranking listed too):
1. WIN32/Bundpil (1.)
2. Win32/Sality (3.)
3. HTML/ScrInject (5.)
4. INF/Autorun (4.)
5. LNK/Agent.AK (2.)
6. Win32/Ramnit (8.)
7. Win32/Conficker (6.)
8. JS/Fbook (-)
9. Win32/Qhost (-)
10. Win32/Dorkbot (7.)
Complete report (with a description about each of the above listed threats) can be downloaded here (in PDF format).
Subscribe to:
Posts (Atom)