Saturday, January 31, 2015

Symantec Intelligence Report: December 2014

Symantec have published their Intelligence report that sums up the latest threat trends for December 2014.

Report highlights:
- There were eight data breaches reported that took place within the month of December.
- 14 new data breaches were reported during December that took place between January and November.
- The most commonly encountered malware in December was Trojan.Swifi.
- A new zero-day vulnerability (CVE-2014-9163) was disclosed during the month of December.


The report (in PDF format) can be viewed here.

Wednesday, January 28, 2015

Adobe Flash Player Update Available

Adobe have released an updated version of their Flash Player. The new version fixes critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Affected versions:

- Users of Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 16.0.0.296

- Users of Adobe Flash Player 11.2.202.438 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.440

- Flash Player integrated with Google Chrome will be updated by Google via Chrome update

- Flash Player integrated with Internet Explorer 10 and 11 (on Windows 8.x) will be updated via Windows Update


More information can be read from Adobe's security bulletin.

Monday, January 26, 2015

Adobe Flash Player Update Available

Adobe have released an updated version of their Flash Player. The new version fixes a vulnerability (CVE-2015-0310) that could be used to circumvent memory randomization mitigations on the Windows platform.

Affected versions:

- Users of Adobe Flash Player 16.0.0.257 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 16.0.0.287

- Users of Adobe Flash Player 11.2.202.429 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.438

- Flash Player integrated with Google Chrome will be updated by Google via Chrome update

- Flash Player integrated with Internet Explorer 10 and 11 (on Windows 8.x) will be updated via Windows Update


More information can be read from Adobe's security bulletin.

Friday, January 23, 2015

Google Chrome Updated

Google have released version 40.0.2214.91 of their Chrome web browser. The new version contains fixes for 62 security issues.

More information about these is available in the Google Chrome Releases blog.

Wednesday, January 21, 2015

Oracle Critical Patch Update For Q1 of 2015

Oracle have released updates for their products that fix 169 security issues (including 19 Java fixes) in total. The updates are a part of Oracle's quarterly released critical patch update (CPU).

A detailed list of vulnerabilities with patching instructions can be read from the Oracle CPU Advisory.

The next Oracle CPU is planned to be released in April 2015.

Thursday, January 15, 2015

Mozilla Product Updates Released

Mozilla have released updates to the Firefox and SeaMonkey browsers and the Thunderbird email client to address a number of vulnerabilities, of which three are categorized as critical, one as high, four as moderate and one as low.

Affected products are:
- Mozilla Firefox earlier than 35
- Mozilla Firefox ESR earlier than 31.4
- Mozilla Thunderbird earlier than 31.4
- SeaMonkey 2.32

Links to the security advisories with details about addressed security issues:
- MFSA-2015-09 XrayWrapper bypass through DOM objects
- MFSA-2015-08 Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension
- MFSA-2015-07 Gecko Media Plugin sandbox escape
- MFSA-2015-06 Read-after-free in WebRTC
- MFSA-2015-05 Read of uninitialized memory in Web Audio
- MFSA-2015-04 Cookie injection through Proxy Authenticate responses
- MFSA-2015-03 sendBeacon requests lack an Origin header
- MFSA-2015-02 Uninitialized memory use during bitmap rendering
- MFSA-2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)



Fresh versions can be obtained via the inbuilt updater or by downloading from the product site:
- Firefox
- Thunderbird
- SeaMonkey

Google Chrome Updated

Google have released version 39.0.2171.99 of their Chrome web browser. The new version contains an update for Adobe Flash and some other fixes.

More information about these is available in the Google Chrome Releases blog.

Wednesday, January 14, 2015

Adobe Flash Player And Adobe AIR Updates Available

Adobe have released updated versions of their Flash Player and AIR. The new versions fix critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Affected versions:

- Users of Adobe Flash Player 16.0.0.235 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 16.0.0.257

- Users of Adobe Flash Player 11.2.202.425 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.429

- Flash Player integrated with Google Chrome will be updated by Google via Chrome update

- Flash Player integrated with Internet Explorer 10 and 11 (on Windows 8.x) will be updated via Windows Update

- Users of the Adobe AIR 15.0.0.356 SDK and earlier versions should update to the Adobe AIR 16.0.0.272 SDK.

- Users of the Adobe AIR 15.0.0.356 SDK & Compiler and earlier versions should update to the Adobe AIR 16.0.0.272 SDK & Compiler.

- Users of Adobe AIR 15.0.0.356 and earlier versions for Android should update to Adobe AIR 16.0.0.272.

- Users of Adobe AIR 15.0.0.356 and earlier versions for Windows and Macintosh should update to Adobe AIR 16.0.0.245.


More information can be read from Adobe's security bulletin.

Microsoft Security Updates For January 2015

Microsoft have released security updates for January 2015. This month's update contains eight security bulletins, of which one is categorized as critical and seven as important.

A new version of the Windows Malicious Software Removal Tool (MSRT) was released too.

More information can be read from the bulletin summary.

Tuesday, January 13, 2015

ESET Global Threat Report for December 2014

ESET have published a report discussing global threats of December 2014.

TOP 10 threats list (previous ranking listed too):

1. HTML/Refresh (1.)
2. Win32/Bundpil (2.)
3. Win32/Adware.MultiPlug (3.)
4. Win32/TrojanDownloader.Wauchos (4.)
5. Win32/Sality (5.)
6. LNK/Agent.AK (6.)
7. INF/Autorun (8.)
8. LNK/Agent.AV (-)
9. JS/Kryptik.ATB (-)
10. Win32/Ramnit (9.)


The complete report (with a description of each of the above listed threats) can be downloaded here (in PDF format).

Wednesday, January 7, 2015

New Emotet Trojan Variant Targets Banking Credentials

Microsoft warns of a new variant of the Emotet trojan that is targeting banking credentials with a new spam email campaign. The emails include fraudulent claims, such as fake phone bills, and invoices from banks or PayPal.

According to the Microsoft Malware Protection Center, the campaign seems to be targeting primarily German-language speakers and banking websites.

More information is available in the Microsoft Malware Protection Center blog post.