Friday, August 20, 2010

Sure Happy It's Thursday: Google Chrome, VLC 1.1.3, old Java being exploited

The patch treadmill rolls along.  Google Chrome was patched just recently, and here it is again.  Ditto for VLC.  I was glad to read the Microsoft blog entry as that may explain how some of my out-of-date home users were infected recently.

US-CERT Current Activity: Google Releases Chrome 5.0.375.127
added August 20, 2010 at 08:47 am

Google has released Chrome 5.0.375.127 for Windows, Mac, and Linux to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or conduct spoofing attacks.

US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and apply any necessary updates to help mitigate the risks.

US-CERT Current Activity: VideoLAN Releases a Security Advisory for VLC Media Player
added August 20, 2010 at 10:47 am

VideoLAN has released a security advisory to address a vulnerability in VLC Media Player. This vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition. The updated release also addresses additional issues that could result in a denial-of-service attack.

US-CERT encourages users and administrators to review VideoLAN security advisory VideoLAN-SA-1004 and apply any necessary updates or workarounds to help mitigate the risks.

Sunbelt Blog: Microsoft: drive-by Trojan preying on out-of-date Java installations
A piece by Marian Radu on Microsoft’s TechNet Blog is warning that users who have failed to update the Java Runtime Environment (JRE) on their machines are vulnerable to drive-by downloads by a Trojan called Unruy. That Trojan has been associated with rogue security products. Radu said the vulnerability (which was patched in March) is being actively exploited.

Browsers running JRE versions up to version 6 update 18 are vulnerable. The current JRE version today is version 6, update 21.

Microsoft TechNet blog piece here: “Unruy downloader uses CVE-2010-0094 Java vulnerability”

Users can easily check their version of Java and download necessary updates here: http://www.java.com/en/download/manual.jsp
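A way to apply the threshold quoted above across several machines, as an added example that is not part of the original post or the quoted advisories. It parses reported JRE version strings and flags anything at or below 6 update 18. The host names and version strings are constructed samples, and treating older major lines (such as 1.5.0) as falling under "up to" is an assumption.

```python
import re

# Threshold from the post: JRE versions up to 6 update 18 are vulnerable.
LAST_VULNERABLE = (6, 18)

# "1.6.0_18" style (as printed by `java -version`) and "6u18" / "6 Update 18" shorthand.
_DOTTED = re.compile(r'\b1\.(\d+)\.\d+(?:_(\d+))?')
_SHORT = re.compile(r'\b(\d+)\s*(?:u|update\s*)(\d+)\b', re.I)

def parse_jre_version(text):
    """Return (major, update) from a version string, or None if unrecognised."""
    m = _DOTTED.search(text)
    if m:
        # "1.6.0" with no "_NN" suffix is the base release, i.e. update 0.
        return int(m.group(1)), int(m.group(2) or 0)
    m = _SHORT.search(text)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None

def needs_update(text):
    """True if at or below the last vulnerable release, None if unparseable."""
    version = parse_jre_version(text)
    if version is None:
        return None
    # Assumption: older major lines (e.g. 1.5.0_x) count as "up to 6u18".
    return version <= LAST_VULNERABLE

def triage(inventory):
    """Split {host: version string} into (hosts to patch, hosts to check by hand)."""
    to_patch, unknown = [], []
    for host, reported in inventory.items():
        verdict = needs_update(reported)
        if verdict is None:
            unknown.append(host)   # unparseable is not the same as safe
        elif verdict:
            to_patch.append(host)
    return sorted(to_patch), sorted(unknown)

# Constructed sample inventory (not real hosts).
SAMPLE = {
    "lab-pc": 'java version "1.6.0_18"',
    "front-desk": 'java version "1.6.0_21"',
    "hr-laptop": "Java 6 Update 17",
    "kiosk-2": 'java version "1.5.0_22"',
    "old-mac": "unknown",
}

if __name__ == "__main__":
    patch, check = triage(SAMPLE)
    print("patch:", patch, "check manually:", check)
```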
