Sunday, October 19, 2014

Mozilla Product Updates Released

Mozilla has released updates to the Firefox browser and the Thunderbird email client to address several vulnerabilities, of which three are rated critical, four high and two moderate.

Affected products are:
- Mozilla Firefox earlier than 33
- Mozilla Firefox ESR earlier than 31.2
- Mozilla Thunderbird earlier than 31.2

Links to the security advisories with details about addressed security issues:
MFSA 2014-82 Accessing cross-origin objects via the Alarms API
MFSA 2014-81 Inconsistent video sharing within iframe
MFSA 2014-80 Key pinning bypasses
MFSA 2014-79 Use-after-free interacting with text directionality
MFSA 2014-78 Further uninitialized memory use during GIF
MFSA 2014-77 Out-of-bounds write with WebM video
MFSA 2014-76 Web Audio memory corruption issues with custom waveforms
MFSA 2014-75 Buffer overflow during CSS manipulation
MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

New versions can be obtained via the built-in updater or by downloading from the product site:
Firefox
Thunderbird

Adobe Flash Player And Adobe AIR Updates Available

Adobe has released updated versions of Flash Player and AIR. The new versions fix critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:

- Users of Adobe Flash Player 15.0.0.167 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 15.0.0.189

- Users of Adobe Flash Player 11.2.202.406 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.411

- Flash Player integrated with Google Chrome will be updated by Google via Chrome update

- Flash Player integrated with Internet Explorer 10 and 11 (on Windows 8.x) will be updated via Windows Update

- Users of the Adobe AIR 15.0.0.249 SDK and earlier versions should update to the Adobe AIR 15.0.0.302 SDK.

- Users of the Adobe AIR 14.0.0.249 SDK & Compiler and earlier versions should update to the Adobe AIR 15.0.0.302 SDK & Compiler.

- Users of Adobe AIR 15.0.0.252 and earlier versions for Android should update to Adobe AIR 15.0.0.293.

- Users of Adobe AIR 15.0.0.249 and earlier versions for Windows and Macintosh should update to Adobe AIR 15.0.0.293.

More information can be read from Adobe's security bulletin.

Friday, October 17, 2014

Adobe ColdFusion Hotfixes Available

Adobe has released hotfixes for the ColdFusion web application development platform. The hotfixes address a security permissions issue (CVE-2014-0572) that could be exploited by an unauthenticated local user to bypass the IP address access control restrictions applied to the ColdFusion Administrator. Cross-site scripting and cross-site request forgery vulnerabilities (CVE-2014-0570, CVE-2014-0571) are also addressed in the hotfixes.

Affected versions:
- ColdFusion 11, 10, 9.0.2, 9.0.1 and 9.0 for all platforms

More information can be read from Adobe's security bulletin.

Oracle Critical Patch Update For Q4 of 2014

Oracle has released updates for its products that fix 154 security issues in total (including 25 Java fixes). The updates are part of Oracle's quarterly Critical Patch Update (CPU).

A detailed list of the vulnerabilities, with patching instructions, is available in the Oracle CPU Advisory.

The next Oracle CPU is scheduled for January 2015.

Wednesday, October 15, 2014

Symantec Intelligence Report: September 2014

Symantec has published its Intelligence Report summarizing the latest threat trends for September 2014.

Report highlights:
- The .doc file type was the most common attachment type used in spear-phishing attacks, making up more than 52.9 percent of all attachments in September.
- The largest data breach reported in September actually took place in April, and resulted in the exposure of 56 million identities.
- There were 600 vulnerabilities disclosed in the month of September, the highest number so far in 2014 and second-highest in the last 12 months.
The report (in PDF format) can be viewed here.

Microsoft Security Updates For October 2014

Microsoft has released its security updates for October 2014. This month's release contains eight security bulletins, of which three are rated critical and five important.

A new version of the Windows Malicious Software Removal Tool (MSRT) was released as well.

More information can be read from the bulletin summary.

Monday, October 13, 2014

Google Chrome Updated

Google has released version 38.0.2125.101 of the Chrome web browser. The new version contains fixes for 159 security issues.

More information is available in the Google Chrome Releases blog.

Thursday, October 9, 2014

Cash-Dispensing ATM Malware Discovered

A backdoor program that lets attackers dispense cash from automated teller machines (ATMs) has been detected in multiple countries, mostly in Russia. Security company Kaspersky reports that the program, designated Backdoor.MSIL.Tyupkin, is installed by booting the ATM from a CD, which requires physical access to the machine.

Kaspersky's analysis of the malware can be read on its blog.

Monday, October 6, 2014

ESET Global Threat Report for September 2014

ESET has published its report on global threats for September 2014.

Top 10 threats (previous month's ranking in parentheses):

1. HTML/Refresh (-)
2. WIN32/Bundpil (1.)
3. JS/Kryptik.I (2.)
4. Win32/Adware.MultiPlug (3.)
5. Win32/RiskWare.NetFilter (4.)
6. LNK/Agent.AK (5.)
7. Win32/Sality (6.)
8. HTML/Iframe (-)
9. Win32/Danger.DoubleExtension (-)
10. INF/Autorun (7.)

The complete report, with a description of each of the threats listed above, can be downloaded here (PDF).