Mozilla have released updates to the Firefox browser to address a bunch of vulnerabilities, of which three are rated critical, two high, six moderate and one low.
Affected products are:
- Mozilla Firefox earlier than 44
- Mozilla Firefox ESR earlier than 38.6
Links to the security advisories with details about the addressed security issues:
MFSA 2016-12 Lightweight themes on Firefox for Android do not verify a secure connection
MFSA 2016-11 Application Reputation service disabled in Firefox 43
MFSA 2016-10 Unsafe memory manipulation found through code inspection
MFSA 2016-09 Addressbar spoofing attacks
MFSA 2016-08 Delay following click events in file download dialog too short on OS X
MFSA 2016-07 Errors in mp_div and mp_exptmod cryptographic functions in NSS
MFSA 2016-06 Missing delay following user click events in protocol handler dialog
MFSA 2016-05 Addressbar spoofing through stored data url shortcuts on Firefox for Android
MFSA 2016-04 Firefox allows for control characters to be set in cookie names
MFSA 2016-03 Buffer overflow in WebGL after out of memory allocation
MFSA 2016-02 Out of Memory crash when parsing GIF format images
MFSA 2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)
The new version can be obtained via the built-in updater or by downloading it from the product site:
Firefox
Thursday, January 28, 2016
Wednesday, January 27, 2016
Google Chrome Updated
Google have released version 48.0.2564.82 of their Chrome web browser. Among other fixes, the new version contains 37 security vulnerability fixes. More information about the changes is available in the Google Chrome Releases blog.
Thursday, January 21, 2016
ESET Threat Radar Report for December 2015
ESET have published a report discussing the global threats of December 2015.
Top 10 threats list (previous month's ranking in parentheses):
1. Win32/Bundpil (1.)
2. JS/TrojanDownloader.Nemucod (-)
3. LNK/Agent.BZ (2.)
4. HTML/ScrInject (4.)
5. LNK/Agent.AV (5.)
6. LNK/Agent.BS (3.)
7. JS/TrojanDownloader.Iframe (6.)
8. Win32/Sality (7.)
9. Win32/Ramnit (8.)
10. INF/Autorun (10.)
The complete report (with a description of each of the threats listed above) can be downloaded here (in PDF format).
Oracle Critical Patch Update For Q1 of 2016
Oracle have released updates for their products that fix 248 security issues (including 8 Java fixes) in total. The updates are part of Oracle's quarterly Critical Patch Update (CPU).
A detailed list of the vulnerabilities with patching instructions can be read in the Oracle CPU Advisory.
The next Oracle CPU is planned for release in April 2016.
Wednesday, January 13, 2016
Adobe Reader And Acrobat Security Updates
Adobe have released security updates to fix a bunch of vulnerabilities in their PDF products, Adobe Reader and Adobe Acrobat. The vulnerabilities could allow an attacker to take control of the affected system.
Affected versions:
- Acrobat DC and Acrobat Reader DC, continuous track: version 15.009.20077 and earlier
- Acrobat DC and Acrobat Reader DC, classic track: version 15.006.30097 and earlier
- Series XI (11.x): Adobe Reader 11.0.13 and earlier, Adobe Acrobat 11.0.13 and earlier
- Series X (10.x): Adobe Reader 10.1.15 and earlier, Adobe Acrobat 10.1.15 and earlier
Users of vulnerable versions are instructed to update either by using the automatic update functionality or by downloading the new version manually. The default installation configuration runs automatic updates on a regular schedule; an update check can also be started manually by choosing Help > Check for Updates.
Note: Adobe Acrobat X and Adobe Reader X are no longer supported and should be replaced with a supported version.
Those who want to upgrade manually can download the latest versions from the links below:
Adobe Reader
Acrobat Standard and Pro
More information about the fixed vulnerabilities can be read in Adobe's security bulletin.
Labels: acrobat, adobe, pdf, pdf reader, security, update, vulnerability
Microsoft Security Updates For January 2016
Microsoft have released the security updates for January 2016. This month's update contains nine security bulletins, of which six are rated critical and three important.
A new version of the Windows Malicious Software Removal Tool (MSRT) was released too.
More information can be read in the bulletin summary.
Monday, January 11, 2016
New PHP Versions Released
The PHP development team has released versions 7.0.2, 5.6.17 and 5.5.31 of the PHP scripting language. The new versions contain fixes for several vulnerabilities. All PHP users are recommended to upgrade to the latest release of the corresponding branch.
Changelogs:
Version 7.0.2
Version 5.6.17
Version 5.5.31
Saturday, January 9, 2016
QuickTime 7.7.9 Released
Apple have released a new version of their QuickTime multimedia player. Version 7.7.9 contains fixes for a bunch of vulnerabilities that could be exploited to run arbitrary code on the target system.
Affected versions:
QuickTime versions earlier than 7.7.9 on the Microsoft Windows 7 and Microsoft Windows Vista operating systems.
QuickTime users with a version older than 7.7.9 should update to the latest one available.
More information about the security content of QuickTime 7.7.9 can be read here.
Friday, January 8, 2016
WordPress 4.4.1 Released
A new version of WordPress (blogging tool and content management system) has been released. It contains a fix for a cross-site scripting (XSS) vulnerability among a bunch of other bug fixes.
Affected versions:
WordPress versions earlier than 4.4.1
More information can be read from the WordPress blog.
Monday, January 4, 2016
Ransom32 JavaScript-Based Ransomware
Security company Emsisoft warns about a new JavaScript-based ransomware. Fabian Wosar from Emsisoft says that a new ransomware family called Ransom32 uses the NW.js platform to infiltrate victims' computers and encrypt their files with AES encryption.
"NW.js is essentially a framework that allows you to develop normal desktop applications for Windows, Linux and MacOS X using JavaScript. It is based upon the popular Node.js and Chromium projects. So while JavaScript is usually tightly sandboxed in your browser and can’t really touch the system it runs upon, NW.js allows for much more control and interaction with the underlying operating system, enabling JavaScript to do almost everything “normal” programming languages like C++ or Delphi can do. The benefit for the developer is that they can turn their web applications into normal desktop applications relatively easily. For normal desktop application developers it has the benefit that NW.js is able to run the same JavaScript on different platforms." At the moment only Windows appears to be targeted, but at least in theory it could be packaged for Linux and Mac OS X too.
The best way to protect against ransomware is to have proper backups of all important files made regularly. These should be stored on a disconnected device, since a lot of ransomware targets backups specifically. A good option is, for example, an external hard drive that is normally detached from the system.
The Emsisoft blog post can be read here.
Labels: emsisoft, malware, ransomware, security, security threat