Tuesday, August 16, 2011

Mozilla Security Updates

The Mozilla group has been busy, issuing updates with security fixes to Firefox 3.6, Thunderbird, and Firefox 5 (upgrading it to 6).  I foresee a busy couple of weeks ahead.

One comment -- Mozilla is shooting itself in the foot as far as corporate deployment is concerned by not providing MSI installers that we can script.  Upgrading computers one at a time is very expensive.

ISC Diary | Firefox 3.6.20 Corrects Several Critical Vulnerabilities
Earlier this afternoon, the Mozilla Foundation released an update for their Firefox web browser to correct a number of security issues. Most of the issues corrected in this release are listed at a critical severity. As such, organizations should consider pushing the updated web browser in the near future.

More information concerning the issues is available at www.mozilla.org/security/announce/2011/mfsa2011-30.html


ISC Diary | Firefox version 6 is out
For those of you just getting used to Firefox 5, version 6 is out. A few changes, including security ones. The release notes are here: http://www.mozilla.com/en-US/firefox/6.0/releasenotes/
Firefox 6 patches 10 dangerous security holes | ZDNet
By Ryan Naraine | August 16, 2011, 4:00pm PDT

Summary: The vulnerabilities are serious enough to allow an attacker to launch harmful code and install software, requiring no user interaction beyond normal browsing.

Mozilla has shipped a critical Firefox update to fix at least 10 security vulnerabilities, some serious enough to expose web surfers to drive-by download attacks.

According to an advisory from the open-source group, 8 of the 10 vulnerabilities are rated “critical,” meaning that they can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.


ISC Diary | Thunderbird 6 is out, Stability and security fixes. http://www.mozilla.org/en-US/thunderbird/6.0/releasenotes/
Thunderbird 6 is also out: stability and security fixes. http://www.mozilla.org/en-US/thunderbird/6.0/releasenotes/

Wednesday, August 10, 2011

August Windows Updates critical, require reboot

It has been too long since I posted here.  Microsoft's July update cycle was a small one with only one critical patch affecting Windows Vista/7 users, so I didn't bother blogging about it. However, the August patch set is much larger -- two critical patches including one for Internet Explorer which Microsoft says is likely to be exploited soon. The updates for M$ Windows and Microsoft Office require a reboot. Combine that with a surprise release of new versions of Adobe Flash Player and Adobe Shockwave Player and system admins are going to be busy this week.

July updates:
ISC Diary | Microsoft July 2011 Black Tuesday Overview
Overview of the July 2011 Microsoft patches and their status.

Microsoft warns of critical security hole in Bluetooth stack | ZDNet
Microsoft today shipped four security bulletins with patches for 22 serious security flaws and called special attention to a vulnerability in the Windows Bluetooth stack that could allow hackers to remotely take control of an affected computer.

The vulnerability, fixed with MS11-053, headlines a batch of updates that include fixes for gaping holes in the Windows kernel and security problems in the Windows Client/Server Run-time Subsystem.
Microsoft Fixes Scary Bluetooth Flaw, 21 Others — Krebs on Security
Microsoft today released updates to fix at least 22 security flaws in its Windows operating systems and other software. The sole critical patch from this month’s batch addresses an unusual Bluetooth vulnerability that could let nearby attackers break into vulnerable systems even when the targeted computer is not connected to a network.

Microsoft Security Bulletin Summary for July 2011

Adobe Patches:

ISC Diary | Adobe August 2011 Black Tuesday Overview
Although none of us seems to have seen any warning, Adobe has released 5 bulletins today.

These update Adobe products to the following versions:

* Adobe Shockwave Player 11.6.1.629
* Flash Media Server 4.0.3 (or 3.5.7 if you are using 3.x)
* Adobe Flash Player
    o Android 10.3.186.3
    o Windows, OS X, Solaris, Linux 10.3.183.5
* Adobe Air 2.7.1
* Photoshop version is not changed by the update.
* Robohelp version is not changed, but version 9.0.1.262 is not vulnerable.

August updates:
ISC Diary | Microsoft August 2011 Black Tuesday Overview
Multiple vulnerabilities in Internet Explorer allow random code execution with the rights of the logged on user and information leaks. Replaces MS11-050.
Assessing the risk of the August security updates - Security Research & Defense
Today we released 13 security bulletins. Two have a maximum severity rating of Critical, nine have a maximum severity rating of Important, and two have a maximum severity rating of Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
Microsoft expecting exploits for critical IE vulnerabilities | ZDNet
By Ryan Naraine | August 9, 2011, 12:11pm PDT

Microsoft today warned that multiple gaping security holes in its Internet Explorer browser could expose millions of Web surfers to hacker attacks via rigged web pages.

As part of this month’s Patch Tuesday release, Microsoft shipped a “critical” IE bulletin (MS11-057) with fixes for a total of 7 security flaws. Two of the vulnerabilities were publicly discussed prior to the availability of the patch.

The company expects to see reliable exploits developed within the next 30 days.

Because these vulnerabilities expose IE and Windows users to drive-by download attacks without any user action beyond surfing to a booby-trapped web site, Microsoft is strongly recommending that all Windows users apply the patch immediately.

The IE update is rated “critical” for Internet Explorer 6 on Windows clients, and for Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9; and Important for Internet Explorer 6 on Windows servers.
Microsoft Security Bulletin Summary for August 2011
This bulletin summary lists security bulletins released for August 2011.

Apple QuickTime 7.7

I should have blogged this when it was first announced, but today was the first day that I was able to download QT 7.7 from Apple's manual download site.  Prior to this you had to update your existing QT using Apple Software Update, and that didn't work for network managers.

Apple QuickTime flaws haunt Windows users | ZDNet
By Ryan Naraine | August 3, 2011, 7:21pm PDT

Apple has shipped a high-priority QuickTime update to fix at least 14 security holes that expose computer users to hacker attacks.

The QuickTime 7.7 update, available for both Windows and Mac OS X, addresses flaws that could be exploited via rigged image, audio and movie files.

According to an advisory from Apple, some of the flaws could lead to remote code execution attacks if a user is tricked into clicking on a booby-trapped web site or into opening a special media file.