Thursday, September 16, 2010

Patch Tuesday recap, QuickTime 7.6.8, Firefox 3.6.10

I have already patched all my computers without issue.  These stories all have more technical details and links for those who want to know more.

Patch Tuesday recap: Exploits expected for Windows security holes | ZDNet
Microsoft has shipped nine security bulletins with patches for at least 11 documented vulnerabilities in Windows and Microsoft office and is urging customers to pay special attention to two “critical” issues that can be remotely exploited to take complete control of an unpatched computer.

The two vulnerabilities, patched with MS10-061 and MS10-062, can be remotely attacked via booby-trapped print requests or maliciously rigged MPEG files.

Microsoft expects to see exploit code posted publicly for these vulnerabilities within the next 30 days, raising the likelihood that attacks will be seen in the wild very soon.

One of the flaws — in  the Windows Print Spooler Service — has already been exploited during the sophisticated Stuxnet zero-day worm attack.

Apple patches zero-day QuickTime flaw with 7.6.8 release - SC Magazine US
Apple on Wednesday released a new version of QuickTime to plug two vulnerabilities, including a zero-day flaw that is being actively exploited simply by tricking a victim into visiting a web page.

Version 7.6.8 closes the flaw, publicly revealed in late August by Spanish researcher Ruben Santamarta and affecting versions 6 and 7 of QuickTime. Santamarta, who works for Madrid-based security firm Wintercore, said the flaw is able to bypass two built-in Windows security features: Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). He successfully tested the exploit on Windows 7, Vista and XP machines.

US-CERT Current Activity: Apple Releases QuickTime 7.6.8
added September 16, 2010 at 12:00 am | updated September 16, 2010 at 09:09 am
Apple has released QuickTime 7.6.8 to address two vulnerabilities affecting earlier versions of QuickTime for Windows.

The first vulnerability is due to improper input validation in the QuickTime ActiveX control. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.

The second vulnerability is due to a path searching issue related to insecure loading of dynamic link libraries (DLLs). Exploitation of this vulnerability may allow an attacker to execute arbitrary code. Additional information regarding this class of vulnerabilities can be found in the US-CERT Current Activity entry titled "Insecure Loading of Dynamic Link Libraries in Windows Applications" and in the US-CERT Vulnerability Note VU#707943.

US-CERT encourages users and administrators to review Apple article HT4339 and apply any necessary updates to help mitigate the risks.

Apple QuickTime flaws puts Windows users at risk | ZDNet
Apple has released a critical QuickTime media player update to fix a pair of gaping security holes that expose Windows users to code execution attacks.

The QuickTime 7.6.8 update, available for Windows 7, Windows Vista and Windows XP users, patches vulnerabilities that could be exploited in drive-by downloads (via rigged Web sites) and via booby-trapped image files.

US-CERT Current Activity: Mozilla Releases Firefox 3.5.13 and 3.6.10
added September 16, 2010 at 09:09 am
The Mozilla Foundation has released Firefox 3.5.13 and 3.6.10 to address a stability issue affecting some users.

US-CERT encourages users and administrators to review the release notes for Firefox 3.5.13 and Firefox 3.6.10 and apply any necessary updates to mitigate the issue.

No comments: