Friday, December 10, 2010

More December Security Patches: QuickTime, Firefox, and a huge Patch Tuesday coming

The second week in December is starting with a bunch of patching.  So far this week, we have QuickTime, Firefox, and Thunderbird with security updates, and next Tuesday promises to be another record Patch Tuesday with patches for IE among other things.  (Updated Fri 10 Dec 2010  18:31 MST)

Apple QuickTime Patch Fixes 15 Flaws — Krebs on Security
Apple this week issued an update that plugs at least 15 security holes in its QuickTime media player.  The patch – which brings QuickTime to version 7.6.9 — quashes several critical bugs that could be exploited to install malicious software were a user to load a poisoned media file. Updates are available for both Mac and Windows versions of the program.

More links:

Mozilla Firefox 3.6.13, Thunderbird 3.1.7

The Mozilla Foundation has released Firefox 3.6.13 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, operate with elevated privileges, spoof the location bar, or operate with elevated privileges.

More links:
Update Fri 10 Dec 2010 18:31 MST:


MS Patch Tuesday heads-up: 17 bulletins, 40 vulnerabilities | ZDNet
The December batch of patches will cover security holes in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange, according to an advance notice posted Thursday.

Of the 17, Microsoft said two bulletins will be rated “critical,” the company’s highest severity rating.  Of the remainder, 14 will be rated “important.”
More links:


And for a final note, if you use CCleaner, you should update to version 3.01. It has lots of improvements. Get a portable version from the CCleaner - Builds page.

Piriform Blog - CCleaner v3.01
Change log:
  • Improved application startup time and INI loading speeds.
  • Removed need to reboot for Index.dat cleaning.
  • Improved cookie cleaning in Firefox 4.0 Beta 7.
  • Improved Chromium based browser detection and cleaning.
  • Added support for Adobe Reader 10 and Acronis True Image.
  • Improved cleaning for 7-Zip, Adobe Reader 9.0, Microsoft Silverlight Isolated Storage, WinPatrol and Microsoft Management Console.

Security Updates notes for November, 2010

It has been a busy month, and I have not been keeping up with timely posting here.  I will try to keep this a little more current from now on. 

We'll start with November's Patch Tuesday and go forward from there.  The final article linked below is definitely something anyone who uses open WiFi hotspots in Starbucks and other places should read.  Also, if you use Flash Player or Adobe Reader, both have had critical patches in the last month.  If your systems haven't been updated, you need to patch them NOW.  Foxit Reader has also had an update.  IE 6 and 7 have an unpatched flaw which is being exploited "in the wild", so avoid using IE if you possibly can.

November Patch Tuesday: Critical security holes in Microsoft Office | ZDNet
By Ryan Naraine | November 9, 2010, 10:43am PST
Microsoft has shipped a patch for to fix several critical security holes affecting its Office productivity suite and warned that hackers can use RTF (Rich Text Format) e-mails to launch code execution attacks.

The MS10-087 bulletin, which is considered a high-priority update, patches a total of 5 documented vulnerabilities affecting all currently supported Microsoft Office products.

It is rated critical for Office 2007 and Office 2010 because of a preview pane vector in Microsoft Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF file, the company explained.
More links:
Mac OS X security flaw publicized after Apple fails to patch | ZDNet
By Ryan Naraine | November 10, 2010, 12:23pm PST
Penetration testing specialists Core Security has publicly released information on a serious security vulnerability in Apple’s Mac OS X and criticized the computer maker for delaying the release of a patch.

The vulnerability, which only affects Apple Mac OS X v10.5, could allow hackers to take complete control of a vulnerable machine via malicious PDF files.

In an advisory, Core Security said Apple claims it already has a patch prepared for this issue but failed to release the fix despite several promises.

Apple did not give any reasons for skipping the patch release.
More links:
Flash Update Plugs 18 Security Holes — Krebs on Security
[ASF: November 4th, 2010]
Adobe on Thursday released an update to its Flash Player software that fixes at least 18 security vulnerabilities, including one that is being exploited in targeted attacks.
More links:

Critical Updates for Adobe Reader, Acrobat — Krebs on Security
[ASF: November 16th, 2010]
Adobe on Tuesday issued a critical update to patch at least two security holes in its PDF Reader and Acrobat software, including one flaw that was publicly disclosed earlier this month.
More links: In a related story: Adobe launches 'sandboxed' Reader X. I am not using Adobe Reader (any version) so I haven't tested it yet. Reviews of the "sandbox" are generally positive but the sandboxing is not complete so I expect it will help but not totally prevent attacks.
By Gregg Keizer, Computerworld - November 18, 2010 02:01 PM ET
Adobe today released Reader X, the next version of its popular software that includes a "sandbox" designed to protect users from PDF attacks.

Reader X on Windows features Protected Mode, a technology that isolates system processes, preventing or at least hindering malware from escaping the application to wreak havoc on the computer.

The new version is also available for Mac OS X and Android, but those editions lack the sandbox.
More links:

Apple patches critical 'drive-by' Safari bugs
By Gregg Keizer, Computerworld - November 18, 2010 02:01 PM ET
Apple today patched 27 vulnerabilities in Safari for Mac OS X and Windows, 85% of them critical bugs that could be exploited to hijack Macs or PCs.


Internet Explorer 0-day Malware Infects Amnesty International Hong Kong Website Visitors | CyberInsecure.com
Visitors to Amnesty International’s Hong Kong website are being bombarded with a host of lethal exploits, including one that attacks an unpatched vulnerability in Microsoft’s Internet Explorer browser, researchers at security firm Websense said.

The injected IE attack code resides directly on the pages of amnesty.org.hk, an indication that the perpetrators were able to penetrate deep into the website’s security defenses. The code exploits a vulnerability disclosed last week that gives attackers complete control over machines running default versions of IE 6 and 7. Version 8 isn’t vulnerable, thanks to security protections built into the browser.


Firesheep Exposes Need For Encryption -- InformationWeek
Using Facebook, Twitter, Yelp, Flickr, or other Web services on an open WiFi network could lead to lead to account hijacking.

An open-source Firefox extension called Firesheep has shined a spotlight on just how insecure it is to use unprotected WiFi networks.

It's widely known that unprotected WiFi networks make sensitive data readily available for anyone with the technical skill necessary to find it ...

Firesheep, which allows anyone to scan unprotected WiFi networks for users who are logged into Facebook, Twitter, Google, Amazon, and a variety of other Web 2.0 services and to impersonate those users by hijacking their session cookie.

"On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy," wrote Firesheep creator Eric Butler in a blog post. "This is a widely known problem that has been talked about to death, yet very popular Web sites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the Web as HTTPS or SSL."