Friday, April 2, 2010

It's Mega-Super-Hyper-Mondo Patch Week!

This is NOT an April Fool's joke.

Here's what was patched this week:
  • Internet Explorer got an emergency, out-of-cycle patch to correct a 0-day flaw that was being exploited.
  • Firefox 3.6 got patched to correct the security flaw that was exposed in the Pwn2Own competition last week (no patch yet for flaws exposed there in IE or Safari).
  • Foxit Reader got patched to correct a flaw that allowed it to launch any EXE without warning even with scripting disabled (no patch yet for Adobe Reader).
  • Java JRE got patched to correct 27 critical vulnerabilities.
  • Apple QuickTime and iTunes each got patches to address critical vulnerabilities.
  • Apple OS X 10.6 was patched on March 29th with a mega-patch that upgraded OS X to version 10.6.3.

Each of the stories below will open in a separate window and has links to more details and the patches. The most important for Windows users is the IE patch followed by the Firefox, Java, and Foxit Reader patches.

Emergency IE update patches 10 critical security holes | Zero Day | ZDNet.com
Microsoft today shipped a cumulative Internet Explorer update with patches for 10 security holes, including a drive-by download vulnerability that’s already being used in malware attacks.

The critical MS08-018 update patches security holes that could lead to code execution attacks on all versions of Microsoft’s flagship browser, including the newest Internet Explorer 8.

Mozilla Firefox first to patch Pwn2Own vulnerability | Zero Day | ZDNet.com
Mozilla is the first browser vendor to fix a vulnerability exploited at this year’s CanSecWest Pwn2Own contest.

Just one week after a U.K.-based hacker known as “Nils” broke into a 64-bit Windows 7 machine with a Firefox vulnerability, the open-source group shipped Firefox 3.6.3 to plug the security hole.

Java update plugs 27 critical security holes | Zero Day | ZDNet.com
Oracle has shipped a Critical Patch Update for Java SE and Java for Business to fix 27 security flaws that could expose users to malicious hacker attacks.

The update, available for Windows, Solaris and Linux, addresses issues that could be remotely exploitable without authentication.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” the company said in an advisory.

Affected products include:

* Java SE: JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux ...

Foxit Reader Security Update
Foxit Reader has released a security update that fixes an issue that runs an embedded executable in a PDF document without asking the user's permission. The update can be launched from Foxit (select version 3.2.1.0401) or downloaded from here.

This update is related to a recent ISC diary, "PDF Arbitrary Code Execution - vulnerable by design", published on 31 March 2010.

Apple QuickTime and iTunes Security Update
QuickTime 7.6.6 addresses 16 CVEs affecting both Windows and Mac. Additional information regarding the security fixes incorporated in this version is available here. Apple has rated several of the CVEs as able to lead to an unexpected application termination or arbitrary code execution.

iTunes 9.1 addresses 7 CVEs affecting Windows and Mac. Additional information regarding the security fixes incorporated in this version is available here. Apple has rated several of the CVEs as able to lead to an unexpected application termination or arbitrary code execution, including denial of service.

Apple plugs 88 Mac OS X security holes | Zero Day | ZDNet.com
Apple today released one of its biggest Mac OS X security updates in recent memory, covering a whopping 88 documented vulnerabilities.

The Mac OS X v10.6.3 update, which is considered “critical,” covers flaws that could lead to remote code execution, information disclosure and denial-of-service attacks.

Apple patching frenzy: Security holes in QuickTime, iTunes, AirPort | Zero Day | ZDNet.com
Just call it Mac OS X patchapalooza. Over the last week, Apple has shipped security patches to cover 88 vulnerabilities in the Mac operating system, 16 holes in the QuickTime media player, 7 flaws in iTunes and a security bug in the AirPort Base Station.

In the days following the release of the Mac OS X v10.6.3 update, Apple also covered remote code execution holes in QuickTime and iTunes, whose software products are found on millions of Mac and Windows machines.
