Tag Archives: update

Adobe Releases Security Bulletins for Acrobat, Reader, and Flash Player

Filed under Security Advisories
Adobe has released two security bulletins to address vulnerabilities in Adobe Acrobat, Reader, and Flash Player.

The first bulletin, APSB10-06, is a security update for Adobe Flash Player and Adobe AIR that addresses a critical vulnerability. Exploitation of these vulnerabilities may allow an attacker to make unauthorized cross-domain requests. The bulletin indicates that the update also addresses a potential denial-of-service issue.

The second bulletin, APSB10-07, is a security advisory for Adobe Reader and Acrobat. This advisory indicates that Adobe is planning to release updates for Adobe Reader and Acrobat on February 16, 2010 to address critical security issues.

US-CERT encourages users and administrators to review Adobe Bulletins APSB10-06 and APSB10-07 and apply any necessary updates to help mitigate the risks.

US-CERT will provide additional information as it becomes available.

Google Releases Chrome 4.0.249.78

Filed under Security News
Google has released Chrome 4.0.249.78 for Windows to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, bypass security restrictions, or cause a denial-of-service condition.

US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and update to Chrome 4.0.249.78 for Windows to help mitigate the risks.

Apple releases patches for OS X security flaws

Filed under Security News
Vulnerabilities in OS X 10.5 and 10.6 were addressed in Apple's first security update of 2010, patching a dozen known security holes in the Mac operating system.

While five of the vulnerabilities were inherent in Apple's own software, the other seven were found in Adobe's Flash Player plug-in, which could lead to remote code execution and other serious issues. Experts say that Flash Player is fast developing a reputation as one of the most popular targets for would-be cyber criminals.

Media functionality was at the heart of the remaining problems as well, as Apple fixed vulnerabilities triggered by maliciously crafted .mp4 audio files, .dng images, and .tiff images. The company's latest round of patches also fixed a months-old vulnerability in OpenSSL, which could have allowed attackers to breach network security and alter protected internet sessions.

PC Magazine security blogger Larry Seltzer questions the timing of the OpenSSL patch, since OpenSSL itself released a fix for the problem "almost immediately" after the discovery of the vulnerability. "It's not clear what took Apple so long," writes Seltzer.

Security flaw in IE used to target U.S. firms in cyber attack

Filed under Security News
Microsoft announced yesterday that the cyber criminals who launched a large-scale assault on network security at multiple American firms did so via a vulnerability in the company's Internet Explorer browser software.

A security alert released by the company said that IE 6 installations running on some less commonly used versions of Windows were vulnerable, as well as IE 6, 7, and 8 installations on Windows XP, Vista, Server 2003/2008, and Windows 7. Microsoft has said that it is working on a solution and could release an off-cycle update to repair the vulnerability.

CNET reports that source code was stolen from over 30 U.S. firms targeted in the attack, including Adobe, Yahoo, Symantec, and Dow Chemical, though only Adobe has issued an official confirmation that it was attacked.

Experts say that setting IE's security features to maximum prevents the attack from gaining access to valuable personal or company data. According to PC Magazine, this implies the exploit targets IE's unprivileged context, outside of which it is unlikely to cause many problems.

Mistaken identity causes brief crisis for anti-virus provider

Filed under Security News
A security update meant to add more definitions to Avast's anti-virus database accidentally led to the program identifying legitimate files like device drivers and applications as malicious software.

Although the problem was quickly corrected - less than six hours passed from the Czech company's first acknowledgement of the problem to its solution being delivered - legitimate software from Adobe and Realtek was misidentified as one of two dangerous pieces of malware, including a variant of the nefarious Zbot or Zeus Trojan which can slave computers to remotely-controlled botnets and steal sensitive personal financial information from infected machines.

Avast's first update was called VPS 091203-0, and it was this which caused the misidentification problems to start upon its delivery early this morning. It was followed by VPS 091203-1, which corrected the problem at a little after 6 a.m. GMT.

Analysts speculate that this could provide negative coverage for the anti-virus maker, which is due to release a redesigned version of its free anti-virus program sometime in early 2010, according to Mark Hachman at PC Magazine.

Microsoft issues Internet Explorer security update

Filed under Security News
Microsoft on Monday issued a security bulletin that updates a previous patch for Internet Explorer to resolve two issues. The IE bug only affects users who already applied the earlier patch.

Microsoft announced yesterday at the Microsoft Security Response Center that the security update MS09-054 released as part of the October Security Bulletin Release was causing errors in certain browsing scenarios.

The company said it is "not currently aware of any attempts to attack the vulnerabilities."

The MS09-054 bulletin is a fix rated critical for all Windows users. The bulletin addressed three flaws in all versions of IE and also an attack vector in the Firefox web browser for users with the Windows Presentation Foundation (WPF) plugin enabled.

Microsoft said users who have not applied the patch MS09-054 should first apply that fix before applying the fix from bulletin 976749.

The prior bulletin caused some confusion for Firefox maker Mozilla, which decided to block the Microsoft WPF add-on along with another .NET Framework Assistant add-on. Mozilla later unblocked the .NET Framework add-on within Firefox.

Mozilla plugs Firefox web browser security hole

Filed under Security News
Mozilla yesterday released an update to its web browser, Firefox 3.5.1, that patches a critical web security flaw that hackers could exploit in a browse-and-get-owned scenario.

"We strongly recommend that all Firefox 3.5 users upgrade to this latest release," Mozilla said on its blog.

Firefox 3.5 users will receive an automated update notification within 24 to 48 hours or can click on the "check for updates" tab under help, Mozilla said. Users who are still using older versions of Firefox are urged to download the updated browser from firefox.com.

Some web security experts raised questions about whether Mozilla had pushed out Firefox 3.5 too soon. When Firefox 3.5 was released at the end of June, it already had several known bugs.

"[The] goal of this release should be a quick turnaround that fixes topcrashes and bugs we almost held ship for," Mozilla said in notes when it released Firefox 3.5, according to Computerworld.com.

Andreas Gal, a Mozilla contributor, posted a comment on the vulnerability's Bugzilla entry stating that it appeared the hacker had created the attack after spotting discussions and test cases on Bugzilla.

"Looking at the exploit code and our test cases, I think this is self-inflicted and we should have hidden the bug earlier," Gal said.

Microsoft ‘targeting’ Tuesday for ActiveX fix

Filed under Security News
Microsoft plans to issue a total of six security bulletins in the monthly security update for Tuesday, July 14, including three critical flaws in Windows. The company did not say if the update will fix two critical Windows flaws that have been exploited in the wild.

The company said software engineers have been working "around the clock" to produce an update for the vulnerability in the Microsoft Video ActiveX Control, about which the company notified users on Monday. Microsoft is "targeting" a patch for that flaw for Tuesday.

Microsoft's Mike Reavey defended the company's decision not to inform users earlier of the ActiveX flaw, which IBM researchers warned the company about in spring 2008.

In a blog post yesterday at the Microsoft Security Response Center, Reavey said an exploit for the flaw was not discovered until recently, well after the company began its investigation.

"For any issue that is reported to us, we strive to address not only the vulnerabilities brought to us but also to find any similar or related issues to ensure the update provides as comprehensive security as possible," Reavey said.

Microsoft is also working on a fix for a flaw in DirectX - the Windows subsystem used for streaming video - which hackers have exploited using malicious QuickTime video files.