New Version of Google Chrome Released

Google has released a new version of their Chrome web browser. The first stable version of Chrome 4 contains some new features like long-waited support for extensions and bookmark syncing. A bunch of security issues has been fixed too.

More information can be read from Chrome Releases blog.

Microsoft Patches Internet Explorer Vulnerability

Microsoft has fixed the Internet Explorer (IE) vulnerability I blogged about last week. The update MS10-002 patches also a few other IE vulnerabilities. More details can be read from the correspondent security bulletin.

Updated Shockwave Player Available

Adobe has released a new version of their Shockwave Player. The update contains fixes for a few vulnerabilities that could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system. The affected versions are Shockwave Player 11.5.2.602 and earlier. Fresh version can be obtained here.

More information can be read on Adobe's Security Bulletin.

Security Updates For RealPlayer

RealNetworks has released updates that patch eleven vulnerabilities in different RealPlayer versions. More information about affected versions and patching can be read here.

Vulnerabilities In D-Link Routers

SourceSec writes in their blog about vulnerabilities in D-Link routers' HNAP (Home Network Administration Protocol) implementations. "While HNAP does require basic authentication, the mere existence of HNAP on D-Link routers allows attackers and malware to bypass CAPTCHA “security”. Further, HNAP authentication is not properly implemented, allowing anyone to view and edit administrative settings on the router."

SourceSec has verified that vulnerabilities exist in the HNAP implementations of the DI-524, DIR-628 and DIR-655 routers. They also suspect that in worst case all D-Link routers since 2006 could be affected.

Full writeup can be read here.

Reported Vulnerability In Internet Explorer

Microsoft is investigating a report of publicly exploited vulnerability in Internet Explorer.The vulnerability exists as an invalid pointer reference within Internet Explorer and when exploited successfully can be used to allow remote code execution in target system.

Affected Internet Explorer versions are:
-Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 and
-Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2

Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected.

Currently there's no patch available. There're some workarounds listed in the corresponding security advisory though.

Patches To Oracle Products Available

Oracle has released updates for 24 security vulnerabilities as a part of their quarterly released critical patch update (CPU).

Detailed list of vulnerabilities with patching instructions can be read from Oracle CPU Advisory.

Next Oracle CPU is planned to be released in April 2010.

Adobe Patches Reader & Acrobat Products

Adobe has released update that patches critical vulnerabilities in Adobe Reader & Acrobat 9.2 and earlier versions. Among other issues, the patch fixes vulnerability that I blogged about in last month.

More details about the update and solutions can be read from the correspondent Adobe security bulletin.

Microsoft Security Updates For January 2010

Microsoft has released its monthly security updates. The first packet of the year 2010 contains only one update. MS10-001 fixes vulnerability that could allow remote code execution if a user opens content rendered in a specifically crafted Embedded OpenType (EOT) font in client application that can render EOT fonts. Such applications are for example Microsoft Internet Explorer, Microsoft Office PowerPoint and Microsoft Office Word. The severity of the update is rated as critical for Windows 2000 systems. For other supported Windows operating systems the severity is rated as low.

Microsoft released also a new version of its Windows Malicious Software Removal Tool (MSRT).

More information can be from the bulletin summary.

Data Doctor 2010 - Combination Of Ransomware And Rogue

F-Secure introduces in their blog a pest that combines some elements of ransomware and rogueware. Trojan detected as DatCrypt encrypts Microsoft Office documents, video, music and image files and then shows user error message telling that files are corrupted. It advises user to download "recommended file repair software". This software detected, as Rogue:W32/DatDoc, lets user decrypt only one file unless a full version with price tag of $89.95, is bought.

Sunbelt has provided a decrypting tool to cure Data Doctor 2010 encrypted files.

Adobe Working On Automatic updater

Ryan Naraine writes in his post on ZDNet Zero Day blog that Adobe is working on automatic updater that will patch security vulnerabilities without user interaction. The updater will hit beta later this month.

Adobe security chief Brad Arkin says that tool will be configurable for end users that want more control in patching process. Users are given three ways to deal with patching: 1) to download and then give choice to install available update, 2) to notify only or 3) to turn patch updates off completely (obviously, not the most recommended option).

McAfee Threat Predictions For 2010

McAfee has released their Threat Predictions Report for year 2010. The dealt matters in a nutshell are:
- Social Networks Will Be Platform of Choice for Emerging Threats
- Web Evolution Will Give Cybercriminals New Opportunities to Write Malware
- Banking Trojans, Email Attachments Delivering Malware Will Rise in Volume, Sophistication
- Cybercriminals Continue to Target Adobe Reader, Flash
- Botnet Infrastructure Shifts from Centralized Model to Peer-to-Peer Control
- Cybercrime: A Good Year for Law Enforcement

The report can be found here.