Tuesday, September 28, 2010

Out of Band Update For ASP.net Issue

Microsoft is going to release out of band update to address issue described in security advisory 2416728. Patch is scheduled to be released on Tuesday, September 28, 2010. More information can be read from related entry of the Microsoft Security Response Center (MSRC) blog.

Hotmail Security Updates To Prevent From Account Hijacking

Microsoft has made some security updates to their popular Hotmail web mail service. Seeing people posting to antimalware forums asking for help with their spam sending, hijacked accounts these new improvements will likely be nothing but a positive thing. Details about new security features can be read from Windows Live blog.

Tuesday, September 21, 2010

"MouseOver" Security Flaw On Twitter

"A new Twitter security flaw has been widely exploited on thousands of Twitter accounts, redirecting users to third-party websites without their consent.

The bug is particularly nasty because it works on mouseover only, meaning pop-ups and third-party websites can open even if you just move your mouse over the offending link.

For now, the best course of action is using only third-party apps such as TweetDeck to access Twitter, as the bug only seems to affect Twitter’s web interface."


More information > http://mashable.com/2010/09/21/twitter-mouseover-bug/

Saturday, September 18, 2010

Unpatched Vulnerability In ASP.NET

Microsoft is investigating public report about vulnerability in ASP.NET. By exploiting the vulnerability an attacker may be able to view data encrypted by the vulnerable server or read data from files on the vulnerable target server.

More information:
- http://www.microsoft.com/technet/security/advisory/2416728.mspx
- http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
- http://blogs.technet.com/b/msrc/archive/2010/09/17/security-advisory-2416728-released.aspx

Thursday, September 16, 2010

QuickTime 7.6.8 Released

Apple has released new version of their QuickTime. Version 7.6.8 contains fixes for two vulnerabilities that could be exploited to run arbitrary code in target system:


QuickTime users with version older than 7.6.8 should update to the latest one available.

More information about security content of QuickTime 7.6.8 can be read here.

Wednesday, September 15, 2010

Microsoft Security Updates For September 2010

Microsoft has released security updates for September 2010. This month update contains nine updates of which four are categorized as critical and five as important.

A new version of Windows Malicious Software Removal Tool (MSRT) was released too.

More information can be read from the bulletin summary.

For consumer the easist way to get the update is to use Microsoft Update service.

Tuesday, September 14, 2010

New Vulnerability In Adobe Products

Just some days ago I blogged about unpatched vulnerability affecting Adobe Reader and Acrobat versions. Unfortunately, there's been found another critical unpatched vulnerability in Adobe's products. This vulnerability (CVE-2010-2884) affects Flash Player, Adobe Reader and Adobe Acrobat programs. By exploiting the vulnerability an attacker may be able to cause a crash or execute arbitrary code in affected system. According to reports Flash Player vulnerability is actively exploited in the wild. Adobe says that they're not aware of any attacks exploiting this new vulnerability against Adobe Reader or Acrobat at the moment.

Affected software:
-Adobe Flash Player 10.1.82.76 and earlier
-Adobe Reader 9.3.4 and earlier versions
-Adobe Acrobat 9.3.4 and earlier versions


There are no patches available yet. To avoid exploitation users of the affected versions are advised to keep their antivirus protection definitions updated and open Flash (SWF) files from reliable sources only.

Adobe plans to bring update for Flash Player during the week of September 27, 2010 and for Adobe Reader and Acrobat during the week of October 4, 2010.

More information in the security advisory.

Thursday, September 9, 2010

Critical Vulnerability In Adobe Reader and Acrobat

There has been found a critical vulnerability in Adobe Reader and Acrobat products. The vulnerability (CVE-2010-2883) is related to font handling and it could cause a crash and potentially allow an attacker to take control of the affected system. The vulnerability is actively exploited in the wild.

Affected are:
-Adobe Reader 9.3.4 and earlier versions
-Adobe Acrobat 9.3.4 and earlier versions

There is no patch available yet. To avoid exploitation users of the affected versions are advised to keep their antivirus protection definitions updated and open PDF files from reliable sources only.

More information in Adobe's security advisory.

Security Updates From Mozilla

Mozilla has released security bulletins related to found issues in some of their products. Ten of the fixed vulnerabilities are categorized as critical, two as high, one as moderate and two as low.

Critical:
MFSA 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)
MFSA 2010-50 Frameset integer overflow vulnerability
MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array
MFSA 2010-52 Windows XP DLL loading vulnerability
MFSA 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText
MFSA 2010-54 Dangling pointer vulnerability in nsTreeSelection
MFSA 2010-56 Dangling pointer vulnerability in nsTreeContentView
MFSA 2010-57 Crash and remote code execution in normalizeDocument
MFSA 2010-58 Crash on Mac using fuzzed font in data: URL
MFSA 2010-59 SJOW creates scope chains ending in outer object

High:
MFSA 2010-60 XSS using SJOW scripted function
MFSA 2010-61 UTF-7 XSS by overriding document charset using < object > type attribute

Moderate:
MFSA 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS

Low:
MFSA 2010-55 XUL tree removal crash and remote code execution
MFSA 2010-63 Information leak via XMLHttpRequest statusText


Fresh versions can be obtained via inbuilt updater or by downloading from the product site:
Firefox
Thunderbird
SeaMonkey

Wednesday, September 8, 2010

Security Updates For Safari

Apple has released new versions of their Safari web browsers. The new versions contain fixes to three different vulnerabilities. These may lead to an unexpected application termination or allow an attacker to execute arbitrary code in affected system.

Affected are Safari versions earlier than 5.0.2 or 4.1.2. Users of vulnerable Safari versions can get the latest version here.

More information of security content of 5.0.2 and 4.1.2 versions can be read here.

Thursday, September 2, 2010

iTunes 10 Available

Apple has released version 10 of their iTunes media player. New version fixes a bunch of security vulnerabilities of which some allow an attacker to execute arbitrary code in target system.

More information about the security content of iTunes 10 can be read from related security advisory.

Old version users should update to the latest one available.

RealNetworks Patches RealPlayer

RealNetworks has released updated version of their RealPlayer. New version contains fixes to seven vulnerabilities:
CVE-2010-2996
RealPlayer malformed IVR pointer index code execution vulnerability.
Affected software: Windows RealPlayer 11.1 and prior.

CVE-2010-3002
RealPlayerActiveX unauthorized file access vulnerability.
Affected software: Windows RealPlayer 11.1 and prior.

CVE-2010-0116
RealPlayer QCP files parsing integer overflow vulnerability.
Affected software: Windows RealPlayer SP 1.1.4 and prior.

CVE-2010-0117
RealPlayer processing of dimensions in the YUV420 transformation of MP4 content vulnerability.
Affected software: Windows RealPlayer SP 1.1.4 and prior.

CVE-2010-0120
RealPlayer QCP parsing heap-based buffer overflow vulnerability.
Affected software: Windows RealPlayer SP 1.1.4 and prior.

CVE-2010-3001
RealPlayer ActiveX IE Plugin vulnerability opening multiple browser windows.
Affected software: Windows RealPlayer SP 1.1.4 and prior.

CVE-2010-3000
RealPlayer FLV parsing multiple integer overflow vulnerability.
Affected software: Windows RealPlayer SP 1.1.4 and prior.

Users of affected versions are advised to update their RealPlayer to the latest one available. More information can be read from related security advisory.

Wednesday, September 1, 2010

Vulnerability In Apple QuickTime ActiveX Component

There has been found a vulnerability in QTPlugin.ocx ActiveX component in Apple QuickTime. The vulnerability may allow arbitrary code execution on vulnerable installations of Apple QuickTime. It can be exploited by luring user to visit a malicious site or open a malicious file.

Vulnerable are Apple Quicktime 7.x and 6.x series (also versions released in 2004, older ones were not checked) on Windows XP, Windows Vista and Windows 7 with Internet Explorer in use. At the moment there's not a patch available yet but vulnerable control can be blocked by setting a kill bit on CLSID {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} or renaming QTPlugin.ocx file.

More information:
http://www.securityfocus.com/archive/1/513444
http://www.exploit-db.com/exploits/14843/
http://www.techworld.com.au/article/358857/old_apple_quicktime_code_puts_ie_users_harm_way