Thursday, September 9, 2010

More SysAdmin fun: patch Safari, Chrome, Firefox, Opera, and Thunderbird

If you use Safari, you should patch; Windows users who don't use Safari but had it installed by Apple without realizing it should simply uninstall it. Google has patched Chrome, Opera has been patched, and Mozilla has patched Firefox and Thunderbird to fix the Windows DLL-loading issue that was recently made public. It's going to be a busy week for sysadmins ...

Apple plugs drive-by download flaws in Safari browser | ZDNet
Apple has shipped Safari 5.0.2 and Safari 4.1.2 with patches for three gaping holes that expose Web surfers to drive-by download attacks.

The browse-and-you’re-hacked vulnerabilities affect both Windows and Mac users, Apple warned in an advisory. One of the three vulnerabilities is the DLL load hijacking issue that haunts hundreds of Windows applications.

Two of the three vulnerabilities affect WebKit, the open-source rendering engine that powers Apple’s Safari and iTunes software products.

US-CERT Current Activity: Apple Releases Safari 5.0.2 and 4.1.2

added September 8, 2010 at 08:34 am
Apple has released Safari 5.0.2 and 4.1.2 to address multiple vulnerabilities in the Safari and WebKit packages. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Apple article HT4333 and apply any necessary updates to help mitigate the risks.

Mozilla Firefox 3.6.9 Release Notes
What’s New in Firefox 3.6.9
Firefox 3.6.9 fixes the following issues found in previous versions of Firefox 3.6:
  • Introduced support for the X-FRAME-OPTIONS HTTP response header. Site owners can use this to mitigate clickjacking attacks by ensuring that their content is not embedded into other sites.
  • Fixed several security issues.
  • Fixed several stability issues.
Please see the complete list of changes in this version. You may also be interested in the Firefox 3.6.8 release notes for a list of changes in the previous version.
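To show what the X-FRAME-OPTIONS item above means in practice, here is an added example (not code from Mozilla or from this post) that builds the header a site owner would send and then evaluates, with a simplified model of browser behaviour, whether a page carrying a given header value could be embedded by another origin. The hostnames, URLs and the two raw HTTP responses are constructed for the illustration; DENY and SAMEORIGIN are the values Firefox 3.6.9 shipped with, and ALLOW-FROM is included because later browsers added it, so the check goes slightly beyond this release.

```python
"""Added example (not from Mozilla or the original post): building an
X-Frame-Options response header and evaluating what it permits."""
from urllib.parse import urlsplit

# Values a browser recognises. DENY and SAMEORIGIN are the two that Firefox
# 3.6.9 shipped with; ALLOW-FROM came later and not in every browser.
POLICIES = ("DENY", "SAMEORIGIN", "ALLOW-FROM")


def origin_of(url):
    """scheme://host[:port], lower-cased: the unit SAMEORIGIN compares."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_headers(policy="DENY", allow_from=None):
    """Return the header a site owner adds to responses to restrict framing."""
    policy = policy.upper()
    if policy not in POLICIES:
        raise ValueError(f"unknown X-Frame-Options policy: {policy}")
    if policy == "ALLOW-FROM":
        if not allow_from:
            raise ValueError("ALLOW-FROM needs exactly one origin")
        return [("X-Frame-Options", f"ALLOW-FROM {origin_of(allow_from)}")]
    return [("X-Frame-Options", policy)]


def framing_allowed(header_value, page_url, framer_url):
    """Would a browser render page_url inside a frame hosted on framer_url?

    Simplified model: DENY always blocks, SAMEORIGIN compares origins,
    ALLOW-FROM compares against the single listed origin, and a missing or
    unrecognised header is modelled as 'no restriction' (assumption).
    """
    if header_value is None:
        return True                      # no header: framing is unrestricted
    directive, _, argument = header_value.strip().partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url)
    if directive == "ALLOW-FROM" and argument.strip():
        return origin_of(argument.strip()) == origin_of(framer_url)
    return True                          # unrecognised value: modelled as ignored


def header_from_response(raw_response):
    """Pull X-Frame-Options out of a raw HTTP response head, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:       # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-frame-options":
            return value.strip()
    return None


def audit_response(raw_response, page_url, framer_url):
    """True if framer_url could embed this response's page (clickjackable)."""
    return framing_allowed(header_from_response(raw_response), page_url, framer_url)


# Constructed sample responses: before and after the site owner adds the header.
UNPROTECTED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               "<html><body>Transfer funds</body></html>")
PROTECTED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "X-Frame-Options: SAMEORIGIN\r\n\r\n"
             "<html><body>Transfer funds</body></html>")

if __name__ == "__main__":
    page, other = "https://bank.example/transfer", "https://other.example/lure"
    print("unprotected embeddable by other origin:", audit_response(UNPROTECTED, page, other))
    print("protected embeddable by other origin:  ", audit_response(PROTECTED, page, other))
    print("header to add:", frame_headers("SAMEORIGIN"))
```

A site owner would run `audit_response` against their own responses as a regression check; note that SAMEORIGIN compares scheme as well as host, so an `http://` framer cannot embed an `https://` page of the same site.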

US-CERT Current Activity: Mozilla Releases Firefox 3.6.9
added September 8, 2010 at 08:34 am
The Mozilla Foundation has released Firefox 3.6.9 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, leverage cross-site scripting attacks, or cause a denial-of-service condition. The Mozilla Foundation has also released Firefox 3.5.12 to address these same vulnerabilities. Some of these vulnerabilities also affect Thunderbird and SeaMonkey.

US-CERT encourages users and administrators to review the Mozilla Foundation Security Advisories released on September 7, 2010 and apply any necessary updates to help mitigate the risks.

Mozilla patches DLL load hijacking vulnerability | ZDNet
Mozilla has joined Apple in being among the first to fix the DLL load hijacking attack vector that continues to haunt hundreds of Windows applications. The open-source group released Firefox 3.6.9 with patches for a total of 15 vulnerabilities (11 rated critical), including the publicly known DLL load hijacking flaw that exposes Windows users to remote code execution attacks.

The majority of the 15 vulnerabilities in this Firefox patch batch could be exploited to launch drive-by download attacks from booby-trapped Web sites.

According to Firefox, the DLL load hijacking issue only affects Windows XP users:

Mozilla fixes Firefox's DLL load hijacking bug

By Gregg Keizer, Computerworld
September 08, 2010 07:30 AM ET
Mozilla on Tuesday patched 15 vulnerabilities in Firefox, 11 of them labeled critical.

One of yesterday's patches addressed a problem found in scores of Windows applications, making Firefox one of the first browsers to be patched against the DLL load hijacking bug that went public three weeks ago.

Nearly three-quarters of the vulnerabilities in Firefox 3.6 were rated "critical," Mozilla's highest threat ranking, representing bugs that hackers may be able to use to compromise a system running Firefox, then plant other malware on the machine.

SANS: Mozilla Thunderbird updated to version 3.1.3
Release Notes
