Adobe have released updated versions of ColdFusion web application development platform. This hotfix resolves two input validation issues (CVE-2015-8052 and CVE-2015-8053) that could be used to conduct reflected cross-site scripting attacks. The fix also includes an updated version of BlazeDS which resolves an important Server-side Request Forgery vulnerability (CVE-2015-5255).
Affected versions:
- ColdFusion 11 and 10
More information can be read from Adobe's security bulletin.
Tuesday, November 24, 2015
Adobe LiveCycle Data Services Fix Available
Adobe has released an update for LiveCycle Data Services (LiveCycle DS). The update includes patched version of BlazeDS that fixes an important server-side request forgery vulnerability.
Affected versions:
LiveCycle DS versions 4.7, 4.6.2, 4.5, 3.1.x, 3.0.x on Windows, Macintosh and Unix platforms
More information in Adobe security bulletin.
Affected versions:
LiveCycle DS versions 4.7, 4.6.2, 4.5, 3.1.x, 3.0.x on Windows, Macintosh and Unix platforms
More information in Adobe security bulletin.
Labels:
adobe,
LiveCycle Data Services,
security,
update,
vulnerability
Monday, November 16, 2015
ESET Threat Radar Report for October 2015
ESET have published a report discussing global threats of October 2015.
TOP 10 threats list (previous ranking listed too):
1. Win32/Bundpil (1.)
2. LNK/Agent.BS (-)
3. LNK/Agent.AV (5.)
4. JS/TrojanDownloader.Iframe (2.)
5. HTML/ScrInject (4.)
6. Win32/Sality (7.)
7. Win32/Ramnit (9.)
8. JS/IFrame (-)
9. INF/Autorun (10.)
10. Win32/AdWare.ConvertAd (-)
Complete report (with a description about each of the above listed threats) can be downloaded here (in PDF format).
TOP 10 threats list (previous ranking listed too):
1. Win32/Bundpil (1.)
2. LNK/Agent.BS (-)
3. LNK/Agent.AV (5.)
4. JS/TrojanDownloader.Iframe (2.)
5. HTML/ScrInject (4.)
6. Win32/Sality (7.)
7. Win32/Ramnit (9.)
8. JS/IFrame (-)
9. INF/Autorun (10.)
10. Win32/AdWare.ConvertAd (-)
Complete report (with a description about each of the above listed threats) can be downloaded here (in PDF format).
Symantec Intelligence Report: October 2015
Symantec have published their Intelligence report that sums up the latest threat trends for October 2015.
Report highlights:
- The number of vulnerabilities disclosed increased in October, from 349 in September to 441 reported during this month.
- Crypto-ransomware was up once again during October, setting another high for 2015.
- Large enterprises were the target of 67.9 percent of spear-phishing attacks as well, up from 45.7 percent in September.
The report (in PDF format) can be viewed here.
Report highlights:
- The number of vulnerabilities disclosed increased in October, from 349 in September to 441 reported during this month.
- Crypto-ransomware was up once again during October, setting another high for 2015.
- Large enterprises were the target of 67.9 percent of spear-phishing attacks as well, up from 45.7 percent in September.
The report (in PDF format) can be viewed here.
Wednesday, November 11, 2015
Google Chrome Updated
Google have released version 46.0.2490.86 of their Chrome web browser. Among other fixes the new version contains an update to Adobe Flash Player (19.0.0.245). More information about changes in Google Chrome Releases blog.
Microsoft Security Updates For November 2015
Microsoft have released security updates for November 2015. This month update contains 12 security bulletins of which four categorized as critical and eight as important.
A new version of Windows Malicious Software Removal Tool (MSRT) was released too.
More information can be read from the bulletin summary.
A new version of Windows Malicious Software Removal Tool (MSRT) was released too.
More information can be read from the bulletin summary.
Adobe Flash Player And Adobe AIR Updates Available
Adobe have released updated versions of their Flash Player and AIR. The new versions fix critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Affected versions:
- Users of Adobe Flash Player 19.0.0.226 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 19.0.0.245
- Users of Adobe Flash Player 11.2.202.540 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.548
- Flash Player integrated with Google Chrome will be updated by Google via Chrome update
- Flash Player integrated with Internet Explorer 10 (on Windows 8.x) and 11 (on Windows 8.x and Windows 10) and Microsoft Edge (Windows 10) will be updated via Windows Update
- Users of the Adobe AIR 19.0.0.213 SDK & Compiler and earlier versions should update to the Adobe AIR 19.0.0.241 SDK & Compiler
- Users of Adobe AIR 19.0.0.213 and earlier versions for Desktop Runtime should update to Adobe AIR 19.0.0.241.
More information can be read from Adobe's security bulletin.
Affected versions:
- Users of Adobe Flash Player 19.0.0.226 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 19.0.0.245
- Users of Adobe Flash Player 11.2.202.540 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.548
- Flash Player integrated with Google Chrome will be updated by Google via Chrome update
- Flash Player integrated with Internet Explorer 10 (on Windows 8.x) and 11 (on Windows 8.x and Windows 10) and Microsoft Edge (Windows 10) will be updated via Windows Update
- Users of the Adobe AIR 19.0.0.213 SDK & Compiler and earlier versions should update to the Adobe AIR 19.0.0.241 SDK & Compiler
- Users of Adobe AIR 19.0.0.213 and earlier versions for Desktop Runtime should update to Adobe AIR 19.0.0.241.
More information can be read from Adobe's security bulletin.
Monday, November 9, 2015
Fix For vBulletin Available
There has been released an update to vBulletin 5 Connect software that is used on many internet forums. The update fixes an actively exploited vulnerability (affects versions 5.1.4 - 5.1.9). A public method for exploiting is available so it's strongly advised that vBulletin using forums are updated with the latest version.
More information:
- http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4332166-security-patch-release-for-vbulletin-5-connect-versions-5-1-4-through-5-1-9
- http://arstechnica.com/security/2015/11/vbulletin-password-hack-fuels-fear
s-of-serious-internet-wide-0-day-attacks
More information:
- http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4332166-security-patch-release-for-vbulletin-5-connect-versions-5-1-4-through-5-1-9
- http://arstechnica.com/security/2015/11/vbulletin-password-hack-fuels-fear
s-of-serious-internet-wide-0-day-attacks
Thursday, November 5, 2015
Mozilla Product Updates Released
Mozilla have released updates to Firefox browser to address a bunch of vulnerabilities of which three categorized as critical, six as high, seven as moderate and two as low.
Affected products are:
- Mozilla Firefox earlier than 42
- Mozilla Firefox ESR earlier than 38.4
Links to the security advisories with details about addressed security issues:
MFSA 2015-133 NSS and NSPR memory corruption issues
MFSA 2015-132 Mixed content WebSocket policy bypass through workers
MFSA 2015-131 Vulnerabilities found through code inspection
MFSA 2015-130 JavaScript garbage collection crash with Java applet
MFSA 2015-129 Certain escaped characters in host of Location-header are being treated as non-escaped
MFSA 2015-128 Memory corruption in libjar through zip files
MFSA 2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received
MFSA 2015-126 Crash when accessing HTML tables with accessibility tools on OS X
MFSA 2015-125 XSS attack through intents on Firefox for Android
MFSA 2015-124 Android intents can be used on Firefox for Android to open privileged files
MFSA 2015-123 Buffer overflow during image interactions in canvas
MFSA 2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy
MFSA 2015-121 Disabling scripts in Add-on SDK panels has no effect
MFSA 2015-120 Reading sensitive profile files through local HTML file on Android
MFSA 2015-119 Firefox for Android addressbar can be removed after fullscreen mode
MFSA 2015-118 CSP bypass due to permissive Reader mode whitelist
MFSA 2015-117 Information disclosure through NTLM authentication
MFSA 2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)
Fresh version can be obtained via inbuilt updater or by downloading from the product site:
Firefox
Affected products are:
- Mozilla Firefox earlier than 42
- Mozilla Firefox ESR earlier than 38.4
Links to the security advisories with details about addressed security issues:
MFSA 2015-133 NSS and NSPR memory corruption issues
MFSA 2015-132 Mixed content WebSocket policy bypass through workers
MFSA 2015-131 Vulnerabilities found through code inspection
MFSA 2015-130 JavaScript garbage collection crash with Java applet
MFSA 2015-129 Certain escaped characters in host of Location-header are being treated as non-escaped
MFSA 2015-128 Memory corruption in libjar through zip files
MFSA 2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received
MFSA 2015-126 Crash when accessing HTML tables with accessibility tools on OS X
MFSA 2015-125 XSS attack through intents on Firefox for Android
MFSA 2015-124 Android intents can be used on Firefox for Android to open privileged files
MFSA 2015-123 Buffer overflow during image interactions in canvas
MFSA 2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy
MFSA 2015-121 Disabling scripts in Add-on SDK panels has no effect
MFSA 2015-120 Reading sensitive profile files through local HTML file on Android
MFSA 2015-119 Firefox for Android addressbar can be removed after fullscreen mode
MFSA 2015-118 CSP bypass due to permissive Reader mode whitelist
MFSA 2015-117 Information disclosure through NTLM authentication
MFSA 2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)
Fresh version can be obtained via inbuilt updater or by downloading from the product site:
Firefox
Subscribe to:
Posts (Atom)