Wednesday, June 29, 2011

Microsoft Office 2010 Service Pack 1 available

Microsoft delivers Office 2010 Service Pack 1 | ZDNet
SP1 consists of cumulative and public updates to date for the various point products that are part of Office 2010 and SharePoint 2010. Products that will get fixes and updates include Office 2010 suites, Project 2010, Visio 2010, Office 2010 servers, Office Web Apps, Search Server 2010, SharePoint 2010 Products and FAST Search Server 2010 for SharePoint. Microsoft is planning to update all 40 SKU languages for Office when SP1 ships.

Mozilla updates Thunderbird and Firefox, Apple Java and OS X Security updates

Mozilla has consolidated their Thunderbird and Firefox websites under mozilla.org and has upgraded both Firefox and Thunderbird to version 5.0. Apple has issued security updates to OS X and its version of Java.  I'm running Firefox 5 without issues on several systems, although my main system still has 3.6.18 because of the large number of extensions I use there.

ISC Diary | Update: Thunderbird 5.0 released. https://www.mozilla.org/en-US/thunderbird/


US-CERT: Mozilla Releases Firefox 5 and 3.6.18
added June 22, 2011 at 09:02 am
The Mozilla Foundation has released Firefox 5 and Firefox 3.6.18 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, violate the same origin policy, or perform a cross-site scripting attack.

US-CERT encourages users and administrators to review the Mozilla Foundation Security Advisories for Firefox 5 and Firefox 3.6.18 and apply any necessary updates to help mitigate the risks.


US-CERT: Apple Releases Java Updates for Mac OS X 10.5 and OS X 10.6
added June 29, 2011 at 08:24 am
Apple has released Java for Mac OS X 10.5 Update 10 and Java for Mac OS X 10.6 Update 5 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review Apple articles HT4739 and HT4738 and apply any necessary updates to help mitigate the risks.

US-CERT: Apple Releases Security Updates to Address Multiple Vulnerabilities
added June 24, 2011 at 08:04 am
Apple has released Mac OS X 10.6.8 and Security Update 2011-004 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, disclose sensitive information, or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Apple Support Article HT4723 and apply any necessary updates to help mitigate the risks.

Wednesday, June 15, 2011

Patch City: Microsoft and Adobe have simultaneous huge Patch Tuesdays

System admins will be very busy this week as Microsoft's Patch Tuesday is a big one affecting many products and requiring a reboot, while Adobe rolled out simultaneous patches to Adobe Reader (8.3, 9.4.5, and 10.1.0), Flash Player (10.3.181.26, the second patch in a week), and Shockwave Player (11.6.0.626).  Combine that with last week's must-install patch to Java (6.0.26) and any system admin is going to be grumpy.

Information Week and ZDNet both had articles on which patches are most important to roll out, and ISC has some useful summary and/or link pages.  I am currently testing all but expect to roll them out later this week.

Links to all the various bulletins follow below.

How To Prioritize Microsoft Patch Bonanza -- InformationWeek
On Tuesday, Microsoft released 16 security bulletins, addressing 34 vulnerabilities in its products, including Internet Explorer, Microsoft Excel, and .Net. In addition, Adobe also released patches for Acrobat, Reader, ColdFusion, LiveCycle, and BlazeDS, while last week, Oracle pushed a major Java security update.

While Microsoft and Adobe previewed their patches last week, IT administrators now have their work cut out for them, as they must quickly determine which patches to test and deploy first. Where should they start?

MS Patch Tuesday: Gaping holes haunt Internet Explorer browser | ZDNet
There is plenty of work this month of June for IT administrators - Microsoft’s June Patch Tuesday addresses 34 vulnerabilities in 16 distinct bulletins. Nine of the bulletins carry a maximum severity of “critical”, while the remaining seven are rated as “Important” only.

Plus there are the critical fixes from Adobe Reader and Oracle for Java.

No doubt IT Administrators will have to pick and choose where to act first.

ISC Diary | Adobe releases patches

ISC Diary | Microsoft June 2011 Black Tuesday Overview

Tuesday, June 7, 2011

Oracle Java 6 update 26 patches 17 security flaws

Another day, another program to patch.

ISC Diary | Oracle Releases Java Version 1.6.0.26 http://java.com/en/download/manual.jsp

Java Patch Plugs 17 Security Holes — Krebs on Security
Oracle today released an update to its ubiquitous Java software that fixes at least 17 security vulnerabilities in the program.

The company is advising users to apply this update as soon as possible; it looks like most — if not all — of the vulnerabilities addressed by this new version may be exploited remotely without authentication.

Monday, June 6, 2011

VLC 1.1.10

A new version of the free multimedia player VLC was released today to fix some security issues.

VideoLAN - VLC: Official site - Free multimedia solutions for all OS!
VLC 1.1.10
2011-06-06

VideoLAN and the VLC development team present VLC 1.1.10, a minor release of the 1.1 branch.
This release, 2 months after 1.1.9, was necessary because some security issues were found, and the VLC development team cares about security.
... See the release notes for more information on 1.1.10.

Another Flash Player Patch

On Sunday Adobe released an update to Flash Player to combat a 0-day -- an exploit previously unknown which is "in the wild".  This may also affect Adobe Reader 9 and 10, so watch this space for updates for those programs in the next few days.

ISC Diary | Adobe releases Flash Player patch on a Sunday to combat latest 0day
http://www.adobe.com/support/security/bulletins/apsb11-13.html

Flash Player Patch Fixes Zero-Day Flaw — Krebs on Security
Adobe released an emergency security update today to fix a vulnerability that the company warned is being actively exploited in targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

The vulnerability — a cross-site scripting bug that could be used to take actions on a user’s behalf on any Web site or Webmail provider, exists in Flash Player version 10.3.181.16 and earlier for Windows, Macintosh, Linux and Solaris. Adobe recommends users update to version 10.3.181.22 (on Internet Explorer, the latest, patched version is 10.3.181.23). To find out what version of Flash you have, go here.

Google appears to have already pushed out an update that fixes this flaw in Chrome. Adobe says it will ship an update to fix this flaw on Android sometime this week.