Sunday, May 23, 2010

HP Pavilion laptop battery recall expanded

HP expands exploding battery recall - The Inquirer
MAKER OF EXPENSIVE PRINTER INK, HP has expanded its recall programme for a series of explosive notebook computer batteries that can overheat and pose a fire hazard.

The affected battery packs were distributed worldwide in a few notebook computers manufactured between August 2007 and May 2008.

...

The affected battery packs were distributed worldwide in certain notebook PCs, including the following models:

HP Pavilion dv2000, dv2500, dv2700, dv6000, dv6500, dv6700, dx6000, dx6500, dx6700, dv9000, dv9500, dv9700. Compaq Presario A900, C700, F500, F700, V3000, V3500, V3700, V6000, V6500, V6700, HP G6000, G7000, and the HP Compaq 6510b, 6515b, 6710b, 6710s, 6715b, 6715s and 6720s.

If you have one of these models you should visit the HP site here to find out if you are at risk.

Wednesday, May 19, 2010

Apple *_finally_* updates Java for Mac OS X

Details in the linked article.

Apple fixes old Java for Mac security holes | ZDNet
Apple has released a Java for Mac update to fix about 30 documented vulnerabilities, including some that expose Mac users to remote code execution attacks.

The Java for Mac patch batch, available for Mac OS X 10.5 and Mac OS X 10.6, includes a fix for a vulnerability that’s more than a year old.

Wednesday, May 12, 2010

Patch Tuesday: Windows, Microsoft Office, Adobe Shockwave all get critical patches

Well, yesterday was a quiet Patch Tuesday, but the Microsoft patches are listed as "Critical" on the SANS page. My own systems patched without problems and I'm not seeing any reports of issues elsewhere, so I will be applying them on client systems later this week. Home users should update themselves.

May 2010 Microsoft Patches
Overview of the May 2010 Microsoft Patches and their status.

Patch Tuesday: Microsoft plugs Windows worm holes | ZDNet
Microsoft today issued patches for a pair of critical (remote code execution) vulnerabilities in Windows and Microsoft Office and urged affected users to apply the fixes as soon as possible.

In addition to Microsoft, Adobe issued a patch rated "Critical", but it only affects the relatively few people who have the Adobe Shockwave Player installed (this is different from the "Shockwave Flash Player", which almost everyone has installed). NOTE: the last time Adobe updated the Shockwave Player, you had to manually uninstall the older version first, then reboot, then install the new version. I haven't found out whether that is necessary this time.

Adobe zaps critical Shockwave vulnerabilities | ZDNet
Adobe joined the Patch Tuesday train today with the release of patches for at least 21 documented security vulnerabilities in the Shockwave and ColdFusion product lines.

According to the APSB10-12 security bulletin, 18 of the 21 flaws affected the Shockwave Player, a free software product that lets users view rich-media content on the web.

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.6.606 and earlier versions for Windows and Macintosh. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.

This bulletin is rated “critical” and Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609.

Here's a link to the bulletin: Adobe - Security Bulletins: APSB10-12 - Security update available for Shockwave Player
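As an added illustration (not code from this blog, from Adobe, or from Mozilla's Plugin Check), here is a small patch-compliance check built on the version numbers the bulletin gives: installs at 11.5.6.606 or earlier are flagged, 11.5.7.609 is the fixed build. The hostnames and the 11.5.10.0 build in the sample inventory are constructed; the point of that entry is that comparing version strings as text would mis-rank it.

```python
"""Check installed Adobe Shockwave Player versions against APSB10-12."""
# Constructed example; the thresholds are the ones quoted from the bulletin.
from typing import List, Tuple

AFFECTED_MAX = "11.5.6.606"   # affected: this build and earlier (APSB10-12)
FIXED_VERSION = "11.5.7.609"  # recommended update target (APSB10-12)


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into an integer tuple.

    Comparing the raw strings is wrong: "11.5.10.0" sorts before
    "11.5.7.609" as text even though it is the newer build. Integer
    tuples compare component by component, which is what we want.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str) -> bool:
    """True if the installed build is 11.5.6.606 or earlier."""
    return parse_version(installed) <= parse_version(AFFECTED_MAX)


def hosts_needing_update(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose Shockwave build is still in the affected range."""
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: (hostname, installed Shockwave Player version).
SAMPLE_INVENTORY = [
    ("ws-01", "11.5.6.606"),  # last affected build
    ("ws-02", "11.5.7.609"),  # fixed build
    ("ws-03", "11.5.10.0"),   # hypothetical later build; text compare would flag it
    ("ws-04", "10.1.0.11"),   # older major release, affected
]

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: update to Shockwave Player {FIXED_VERSION}")
```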

You can also use Mozilla's free Plugin Check page to check on which plugins you have and which need updating, but you have to enable scripting on the page and it only has "Limited" support for IE7+. There's a blog entry on the Mozilla Security blog about it here: Plugin Check for Everyone at Mozilla Security Blog

Monday, May 10, 2010

Apple Safari 0-day flaw found

Multiple reports on this today. The only Windows users who I've seen with Safari were those unfortunates who got tricked into installing it by the Apple iTunes or QuickTime updating software. You're best off IMHO uninstalling Safari completely and using either Firefox or ChromePlus. Additional info can be found at links in the following articles:

Critical zero-day flaw found in Apple's Safari browser - SC Magazine US
A “highly critical” zero-day vulnerability has been discovered in Apple's Safari web browser, according to Danish vulnerability tracking firm Secunia.

The code execution vulnerability, revealed Friday, affects the current version (4.0.5) of Safari for Windows and could allow an attacker to compromise a user's system. Other versions of the browser could also be affected.

Unpatched drive-by download flaw in Apple Safari browser | ZDNet
A zero-day vulnerability in Apple’s Safari browser could expose millions of Windows users to drive-by download malware attacks. The flaw is currently unpatched.

According to an alert from Secunia, the issue is rated “highly critical” because of the risk of remote code execution attacks that can lead to complete system takeover.

US-CERT Current Activity: Apple Safari Vulnerability
added May 10, 2010 at 10:57 am

US-CERT is aware of a vulnerability affecting Apple Safari. By convincing a user to open a specially crafted web page, an attacker may be able to execute arbitrary code. Exploit code for this vulnerability is publicly available.

US-CERT encourages users and administrators to disable JavaScript as detailed in the Securing Your Web Browser document until a fix is provided by the vendor. Additional information regarding this vulnerability can be found in the Vulnerability Notes Database.

US-CERT will provide additional information as it becomes available.