
Current Security Updates – 09/09


Charles Flynn Reports: Security Updates Abound

Please let us know if you see updates that we should inform the community about. This is what we have had recently:

Let's take a look at those patches in Firefox 3.5.3, since 3.5 was released:

Security Advisories for Firefox 3.5

Impact key: [The circles and arrows look prettier on the original site - link above - Ed]

  • Critical: Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
  • High: Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
  • Moderate: Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
  • Low: Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)
Fixed in Firefox 3.5.3

  • Critical: MFSA 2009-51 Chrome privilege escalation with FeedWriter
  • MFSA 2009-50 Location bar spoofing via tall line-height Unicode characters
  • Critical: MFSA 2009-49 TreeColumns dangling pointer vulnerability
  • Critical: MFSA 2009-47 Crashes with evidence of memory corruption (rv:1.9.1.3/1.9.0.14)

Fixed in Firefox 3.5.2

  • Critical: MFSA 2009-46 Chrome privilege escalation due to incorrectly cached wrapper
  • Critical: MFSA 2009-45 Crashes with evidence of memory corruption (rv:1.9.1.2/1.9.0.13)
  • MFSA 2009-44 Location bar and SSL indicator spoofing via window.open() on invalid URL
  • MFSA 2009-38 Data corruption with SOCKS5 reply containing DNS name longer than 15 characters

Fixed in Firefox 3.5.1

  • Critical: MFSA 2009-41 Corrupt JIT state after deep return from native function
  • Critical: MFSA 2009-35 Crash and remote code execution during Flash player unloading

Fixed in Firefox 3.5

  • Critical: MFSA 2009-43 Heap overflow in certificate regexp parsing
  • Critical: MFSA 2009-42 Compromise of SSL-protected communication
  • MFSA 2009-40 Multiple cross origin wrapper bypasses
  • Critical: MFSA 2009-39 setTimeout loses XPCNativeWrappers
  • Critical: MFSA 2009-37 Crash and remote code execution using watch and __defineSetter__ on SVG element
  • Critical: MFSA 2009-36 Heap/integer overflows in font glyph rendering libraries
  • Critical: MFSA 2009-34 Crashes with evidence of memory corruption (rv:1.9.1/1.9.0.12)

That's a heap of Critical. The message is: stay on top of Firefox. Stay on top of every freakin' piece of software you have, for certainly the blackhats are.


Nine patches for Microsoft's next Patch Tuesday | IT PRO By Nicole Kobie, 7 Aug 2009 at 10:26


Microsoft will issue nine security patches next Tuesday, as part of its monthly patching cycle.

The majority affect various versions of Windows. Five are seen as critical by Microsoft, with the other three rated important. One critical patch also affects Client for Mac, while one of the important patches is for the .NET Framework.

The last bulletin is for a flaw in Microsoft Office's Web Components, which was reported last month. The critical patch affects Microsoft Office, Visual Studio, ISA Server and BizTalk.

Paul Henry, security and forensic analyst at Lumension, said: “After a summer of heavier-than-normal Patch Tuesdays, the last thing IT workers need next Tuesday is yet another large batch of patches from Microsoft."

He warned that anyone using Microsoft's ISA server should pay attention to this patch. “One of Microsoft’s security products, Internet Security and Acceleration (ISA) server, appears to have a hole that’s critical on all versions," he said.

"Therefore, companies that are actively using this product as part of their security infrastructure will need to patch this vulnerability immediately."

The patch will be delivered by autoupdate or be available to download on 11 August.

Microsoft issued a pair of out-of-band patches last week, to fix flaws in Internet Explorer and Visual Studio.

Apple updates Mac OS | IT PRO By Nicole Kobie, 6 Aug 2009 at 11:07

Apple has released the Mac OS X 10.5.8 update, patching a few issues in its Leopard operating system, one month before the new 10.6 Snow is expected to be released.

Aside from general stability issues, the update fixes problems with joining AirPort networks, monitor resolution settings and Bluetooth reliability with peripheral devices like printers. The update also fixes an error which slowed startup time and another which affected imports of large movie or photo files.

The Mac OS X 10.5.8 update includes the latest version of Safari and all recent security patches.


GarageBand 5.1 puts lid back on cookie jar - News - The H Security: News and features 6 August 2009

Apple has released an update for its GarageBand application, addressing a security issue that could allow third parties or advertisers to track a user's web activity. When a user opens the GarageBand application, it automatically changes Safari's security preferences to always accept cookies, rather than the default setting of "Only from sites I visit".

The change means that users may no longer be blocking any third-party cookies which advertisers can use to track their online activity. [Read more data at H Security source material above.]

Naming trick opens mail servers - News - The H Security: News and features 6 August 2009

A number of Vietnamese spam sources are currently attracting attention because the spammers have equipped the relevant hosts with DNS pointer records called "localhost". As a result, IP addresses like 123.27.3.81, 222.252.80.188 or 123.16.13.188 produce this name when a reverse look-up occurs. The problem is caused by badly configured Domain Name Systems, as "localhost" should generally translate to a single IP address – 127.0.0.1 ...

...

Mail server operators must make sure they avoid falling victim to this trick. For example, they can make relays only available from local IP addresses and not identify clients by reverse look-up DNS names. Normal open relay tests don't produce an alert in this case, because the test client usually isn't called "localhost". Several vulnerable mail servers have already been added to the iX blacklist. In addition to blacklisting, the operators of open relays potentially face having to pay damages to spam or malware recipients. [Read more data at H Security source material above.]
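The two defences the H Security piece recommends (decide relaying by IP address, never by reverse-DNS name, and treat a PTR name as untrusted unless it resolves back to the connecting address) as an added Python example; this is not code from the article or from any mail server. The network ranges, the forward-lookup table and the Postfix-style log lines are constructed for the example, using the addresses quoted above.

```python
import ipaddress
import re

# Constructed forward-lookup table standing in for a DNS resolver; a real
# check would call a resolver (e.g. socket.getaddrinfo) for the PTR name.
FORWARD_DNS = {
    "localhost": {"127.0.0.1"},
    "mx.example.net": {"203.0.113.10"},  # constructed hostname/address
}

# Address ranges this relay serves (hypothetical); relaying is decided on
# these alone, never on the client's reverse-DNS name.
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("127.0.0.0/8")]

def forward_confirmed(client_ip, ptr_name):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to
    the connecting address; a 'localhost' PTR on 123.27.3.81 fails this."""
    return client_ip in FORWARD_DNS.get(ptr_name.rstrip(".").lower(), set())

def may_relay(client_ip, ptr_name=None):
    """Relay decision from the IP address only; ptr_name is deliberately
    ignored, so a forged 'localhost' name buys the client nothing."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOCAL_NETWORKS)

def spoofed_localhost(client_ip, ptr_name):
    """Detection: a client whose PTR says 'localhost' but whose address is
    not loopback is exactly the naming trick described above."""
    if ptr_name.rstrip(".").lower() != "localhost":
        return False
    return not ipaddress.ip_address(client_ip).is_loopback

# Postfix-style 'connect from NAME[IP]' entries; the log text is constructed.
CONNECT_RE = re.compile(r"connect from (?P<name>[^\[\s]+)\[(?P<ip>[0-9a-fA-F:.]+)\]")
SAMPLE_LOG = """\
Aug  6 10:01:02 mx postfix/smtpd[123]: connect from localhost[123.27.3.81]
Aug  6 10:01:05 mx postfix/smtpd[124]: connect from localhost[127.0.0.1]
Aug  6 10:01:09 mx postfix/smtpd[125]: connect from mx.example.net[203.0.113.10]
Aug  6 10:01:11 mx postfix/smtpd[126]: connect from localhost[222.252.80.188]
"""

def find_spoofed_clients(log_text):
    """Return the addresses of clients that presented a forged 'localhost' PTR."""
    hits = []
    for m in CONNECT_RE.finditer(log_text):
        if spoofed_localhost(m.group("ip"), m.group("name")):
            hits.append(m.group("ip"))
    return hits
```

Running `find_spoofed_clients(SAMPLE_LOG)` flags the two non-loopback clients claiming to be localhost, while the genuine 127.0.0.1 connection passes; `may_relay` refuses all three external addresses regardless of their PTR names.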

Firefox patches Black Hat SSL encryption vulnerability | IT PRO By Asavin Wattanajantra, 4 Aug 2009 at 11:23

Firefox has released version 3.5.2, a patch closing four critical vulnerabilities - one of which was a serious SSL encryption flaw discovered at the recent Black Hat conference in Las Vegas.

The flaw is described in more detail here, but as Mozilla said in an advisory, it basically meant that attackers could have obtained certificates that could intercept and alter encrypted information between client and server, such as bank account transactions.

...

The other three vulnerabilities were also critical. This meant that attackers could have taken advantage by running code and installing software on a user’s computer even if they were just browsing normally.

[Story is severely edited...see the original.]
