Thursday, October 21, 2010

Firefox, Thunderbird, Chrome, and Real Player patches released

Time for another round of patching, boys and girls.  Mozilla has patched both Firefox and Thunderbird, and Chrome has some more updates (although Chrome automatically updates itself silently).  If you have the Real Player installed, it, too, needs patching.

SANS: Firefox 3.6.11 and 3.5.14 released; Thunderbird 3.1.4 and 3.0.9 released
Firefox 3.6.11 and 3.5.14 released, includes security updates (
Thunderbird 3.1.4 and 3.0.9 released, includes security patches (
Mozilla releases Firefox 3.6.11 to address 12 flaws - SC Magazine US
Mozilla on Tuesday released an updated version of its Firefox web browser to shore up a dozen vulnerabilities.

Firefox 3.6.11 fixes eight “critical” flaws that could result in a remote attacker installing malicious software on victim machines.
Mozilla Releases Firefox 3.6.11: US-CERT Current Activity
added October 20, 2010 at 08:57 am
The Mozilla Foundation has released Firefox 3.6.11 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, or cause a denial-of-service condition. The Mozilla Foundation has also released Firefox 3.5.14 to address these same vulnerabilities. Some of these vulnerabilities also affect Thunderbird and SeaMonkey and are addressed in Thunderbird 3.1.5 and 3.0.9 and SeaMonkey 2.0.9.

US-CERT encourages users and administrators to review the Mozilla Foundation Security Advisories released on October 19, 2010 and apply any necessary updates to help mitigate the risks.

Firefox dirty dozen: Mozilla patches 'critical' browser flaws | ZDNet
Mozilla has released Firefox 3.6.11 with patches for a dozen security holes, some serious enough to launch attacks if a user simply surfs to a booby-trapped website.

In all, the open-source group released nine bulletins documenting 12 security vulnerabilities. Five of the bulletins are rated “critical,” meaning that those vulnerabilities can be exploited to run attacker code and install software, requiring no user interaction beyond normal browsing.

RealNetworks Releases Security Update for RealPlayer Vulnerabilities: US-CERT Current Activity
added October 18, 2010 at 08:08 am
RealNetworks has issued a Security Update to address multiple vulnerabilities affecting RealPlayer. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the RealNetworks security advisory and apply any necessary updates to help mitigate the risks.

Critical RealPlayer Update — Krebs on Security

Real Networks Inc. has released a new version of RealPlayer that fixes at least seven critical vulnerabilities that could be used to compromise host systems remotely if left unpatched.

I’ve never hidden my distaste for this program, mainly due to its history of unnecessarily tracking users, installing oodles of third party software, and serving obnoxious pop-ups. But I realize that many people keep this software installed because a handful of sites still only offer streaming in the RealPlayer format. If you or someone you look after has this program installed, please update it.

Google Releases Chrome 7.0.517.41: US-CERT Current Activity
added October 20, 2010 at 11:47 am
Google has released Chrome 7.0.517.41 for Linux, Mac, and Windows to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, conduct URL spoofing, or bypass security restrictions.

US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and apply any necessary updates to help mitigate the risks.
Google plugs 'high risk' Chrome browser holes | ZDNet

By Ryan Naraine | October 20, 2010, 1:11pm PDT

Google has shipped another Chrome browser update to fix multiple security vulnerabilities.

Some of these security holes can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user’s system, according to this Secunia advisory.  Secunia rates this a “highly critical” update.

Tuesday, October 12, 2010

More discussion of today's patches

It's looking like there really are some PATCH NOW! patches in today's set of fixes for Microsoft Windows.  Also, Oracle released a major patch for the Java Runtime Engine (JRE), taking it to 6u22.  If you have Java installed, you should patch that as well.  Get your Java patch here: Java Downloads for All Operating Systems.  Here are links to two stories with "user-friendly" discussions of why you need to patch:

Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser | ZDNet
Microsoft dropped its largest ever batch of security patches today to cover a record 49 security vulnerabilities, including several browser flaws that could expose Internet Explorer users to drive-by malware downloads.

The Internet Explorer bulletin (MS10-071) fixes a total of 12 vulnerabilities and because of the risk of zero-click drive-by download attacks, Microsoft is urging Windows users to apply this patch immediately.

Windows users should also pay special attention to MS10-076, which covers a serious flaw in the way the operating system handles embedded OpenType (EOT) fonts. This update is rated “critical” for all versions of Windows (including Windows 7 and Windows Server 2008) and can be exploited to launch remote code execution attacks if a computer user simply surfs to a booby-trapped Web site.
Microsoft Plugs a Record 49 Security Holes — Krebs on Security
Microsoft today issued 16 update bundles to fix a record-breaking 49 separate security vulnerabilities in computers powered by its Windows operating systems and other software.

“Microsoft has broken several of its own Patch Tuesday records this year, but this month far surpasses them all,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “Perhaps most notable this month is the number of vulnerabilities that facilitate remote code execution. By our count, 35 of the issues fall into this category. These are bugs that could allow an attacker to run any command they wish on vulnerable machines.”

McAfee notes that today’s release exceeds the previous record of 34 vulnerabilities fixed in one go, which was first set in October 2009, and again in June and August of this year.

... Update, 3:58 p.m. ET: Several readers have pointed out that Microsoft took the momentous step today of adding detection for the infamous ZeuS Trojan to its Malicious Software Removal Tool. The MSRT is offered alongside Windows updates and if approved will scan host computers once a month for a variety of the most prevalent threats. It will be interesting to chart the impact of this welcome move by Microsoft.
Java Update Clobbers 29 Security Flaws — Krebs on Security
Oracle today released a critical update to its widely-installed Java software, fixing at least 29 security vulnerabilities in the program.

... Be aware that Java’s updater may by default also include free “extras”
that you may not want, such as the Yahoo! Toolbar or whatever other
moneymaker they decide to bundle with their software this time around,
so be sure to de-select that check box during installation if you don’t
want the add-ons.

Biggest PATCH TUESDAY ever -- some rated PATCH NOW

Today was Microsoft's biggest Patch Tuesday in a long time, possibly ever.  SANS (first link below) rates several of these PATCH NOW!, their highest rating.  Anyone who runs as administrator on XP should probably patch ASAP.  I'm patching my work systems and home systems now and will report if I have any problems over the next day or so.

SANS: October 2010 Microsoft Black Tuesday Summary

Microsoft blog about it: Assessing the risk of the October security updates - Security Research & Defense - Site Home - TechNet Blogs

Tuesday, October 5, 2010

Reader, Acrobat Patches Plug 23 Security Holes

Finally the active 0-day exploit is being patched.  Brian Krebs has the most consumer-friendly write-up on it.

Reader, Acrobat Patches Plug 23 Security Holes — Krebs on Security
A new security update from Adobe plugs at least 23 security holes in its PDF Reader and Acrobat software, including two vulnerabilities that attackers are actively exploiting to break into computers.

Adobe is urging Reader and Acrobat users of versions 9.3.4 and earlier for Windows, Mac and UNIX systems to upgrade to version 9.4 (Adobe says those who can’t upgrade to the 9.x version should instead apply the version 8.2.5 update).

Adobe says one of the 23 flaws fixed by this new version is being actively exploited. A second zero-day flaw corrected by today’s update — a critical vulnerability in Adobe Flash player that the company fixed in a separate update last month for the stand-alone Flash player — also exists in Adobe Acrobat and Reader, although Adobe says it is not aware of any attacks exploiting this flaw in those products yet.
If you use Adobe Reader or Acrobat, please take a moment to update this software. The current version of Reader is available here, and other products and versions are available from this page.

Adobe ships another mega-patch for PDF Reader | ZDNet
Adobe has slapped another band-aid on its heavily targeted PDF Reader/Acrobat product line, warning that hackers are already exploiting some of these vulnerabilities to launch malware attacks.

Adobe updates:

Friday, October 1, 2010

XP Users should stop using IE **ASAP**

If you are still running Windows XP, it's really time to stop using Internet Explorer (except for Windows Update) and switch to Firefox or Google Chrome.  There is an active zero-day that Microsoft has acknowledged in a Security Advisory; it affects all XP+IE users without warning when they click a malicious link. People whose firewall blocks Windows file sharing at the network perimeter are less vulnerable to this attack. Home users who want to continue using IE and who have some technical expertise should consider using the Microsoft FixIt linked to from the Security Advisory. However, using the FixIt requires installing a separate patch first, and business users should be aware that the FixIt may adversely affect applications running on their work networks.

IE, Windows XP Users Vulnerable To DLL Hijacking -- InformationWeek
Clicking a link to a remote shared folder on a web page will open this share in Windows Explorer without a warning for 67% of all Internet Explorer users on Windows XP, according to Acros Security.

Internet Explorer and Windows XP users are at high risk from attacks that use DLL hijacking -- aka binary planting -- techniques to remotely exploit PCs, according to studies conducted by Slovenian security company Acros Security. Furthermore, many such attacks, which have already been seen in the wild, will succeed without users even being aware of what's happening.

As part of those tests, it found that clicking on a remote shared folder link when using IE and Windows XP -- which about 67% of all Windows users are still on -- would open the remote shared folder without warning, enabling the attack. The same was true for clicking on any remote shared folder link that arrived via email to an Outlook, Windows Mail and Windows Live Mail client.

Interestingly, however, unlike IE, "We found no way to launch Windows Explorer via a hyperlink from Firefox, Chrome or Opera, while Safari does open a remote shared folder when the web page containing the link comes from a local drive" -- for example, if attackers email an HTML file, said Kolsek.
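The attack the InformationWeek piece describes starts with an ordinary hyperlink whose target is a remote shared folder. A mail gateway or web proxy can flag such links before a user ever sees them. The scanner below is an added example written for this post; it is not code from the post, from Acros Security or from Microsoft, and the host names and HTML in it are constructed. It parses an HTML body, collects every anchor's `href`, and reports those that name a remote host either as a UNC path (`\\host\share`) or as a `file://` URL, while leaving links to local drives (`file:///C:/...`) alone.

```python
"""Flag hyperlinks that point at remote Windows file shares.

Added example (not from the original post, Acros Security or Microsoft).
It reports anchors whose target is a UNC path or a file:// URL naming a
remote host, the kind of link the article says IE on XP opens in Windows
Explorer without warning.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# UNC form: \\host\share...  (host may be a name or an IP address)
_UNC_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/]|$)")


def remote_share_host(target: str):
    """Return the remote host named by a share link, or None if it is not one."""
    t = target.strip()
    m = _UNC_RE.match(t)
    if m:
        return m.group(1)
    parsed = urlparse(t)
    if parsed.scheme.lower() == "file":
        # file://host/share puts the host in netloc; file:////host/share
        # leaves netloc empty and the host at the start of the path.
        # file:///C:/... names a local drive, so it is not a share link.
        host = parsed.netloc
        if not host and parsed.path.startswith("//"):
            host = parsed.path.lstrip("/").split("/", 1)[0]
        return host or None
    return None


class _LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in a document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def find_share_links(html: str):
    """Return (href, host) pairs for every anchor that points at a remote share."""
    p = _LinkCollector()
    p.feed(html)
    p.close()
    found = []
    for href in p.links:
        host = remote_share_host(href)
        if host:
            found.append((href, host))
    return found


# Constructed sample body: two safe links and two remote-share links.
SAMPLE_HTML = """
<p>Read the <a href="https://example.invalid/report">report</a>.</p>
<p>Files: <a href="file:////fileserver.example/pub">shared folder</a></p>
<p>Or: <a href="\\\\10.0.0.5\\share\\doc.html">UNC link</a></p>
<p>Local: <a href="file:///C:/Users/me/notes.txt">my notes</a></p>
"""

if __name__ == "__main__":
    for href, host in find_share_links(SAMPLE_HTML):
        print(f"remote share link -> host {host}: {href}")
```

Run on a mail body or fetched page, the output lists only the two links that would open a remote share; a gateway rule can quarantine or rewrite those. The check is deliberately narrow: it looks at link targets, not at what the share contains, so it complements rather than replaces blocking outbound Windows file sharing at the perimeter.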