Thursday, October 13, 2011

iTunes, Windows, iOS, OS X, and Safari all updated this week

It's going to be a busy week for sysadmins.  On Tuesday Microsoft issued the monthly update set and Apple updated iTunes.  Both patch sets fix critical flaws, and I haven't seen any reports of problems so business admins should roll out the patch sets ASAP.  Anyone who is still using IE needs to patch ASAP as all current versions of IE have a vulnerability which allows "drive-by" infection.  See the last article below.

In addition, Apple iOS, Safari 5.1.1, OS X Lion v10.7.2, iWork 09, and Apple TV 4.4 were also patched. I HAVE SEEN REPORTS OF BUGS WITH THE iOS 5 UPDATE SO HOLD OFF ON UPDATING YOUR iDevice.

Critical Security Updates from Microsoft, Apple — Krebs on Security
Microsoft and Apple today released security updates to fix a slew of critical security problems in their software. Microsoft’s patch batch fixes at least 23 vulnerabilities in Windows and other Microsoft products. Apple’s update addresses more than 75 security flaws in the Windows versions of iTunes.

Microsoft Fixes 23 Vulnerabilities Including Critical IE Flaws

Microsoft issued its monthly security bulletins today, which include two updates rated as “critical” and which could allow remote code execution. The first, MS11-078, is for a vulnerability in .NET Framework and Microsoft Silverlight. The second critical fix is for MS11-081, a cumulative security update for Internet Explorer. There were six other updates issued that were ranked as “important.”

Microsoft also issued guidance for prioritization of patching.

Assessing the risk of the October 2011 security updates - Security Research & Defense - Site Home - TechNet Blogs
Today we released eight security bulletins. Two have a maximum severity rating of Critical with the other six having a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Apple slaps another security band-aid on iTunes | ZDNet
Apple has shipped iTunes 10.5 to fix mountains of security problems that expose Windows users to dangerous hacker attacks.

The security patch, available for Windows 7, Windows Vista and Windows XP SP2, fixes a total of 79 documented vulnerabilities.  The most serious of these flaws could allow remote code execution attacks via booby-trapped image or movie files.

US-CERT Current Activity: Apple Releases Multiple Security Updates
added October 12, 2011 at 04:11 pm

Apple has released security updates for Apple iOS, Safari 5.1.1, OS X Lion v10.7.2, iWork 09, and Apple TV 4.4 to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, and bypass security restrictions.

ISC Diary | Apple iTunes 10.5

Apple released iTunes 10.5 for Windows and Mac OS X. For those following Apple this comes as no big surprise as there are functionality changes expected due to the imminent release of a new iPhone model. What is however a bit surprising is that they also released an impressive list of fixed vulnerabilities in the Windows version of iTunes.

Even more interesting is that that list also mentions that e.g. "For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006" or "For OS X Lion systems, this issue is addressed in OS X Lion v10.7.2". And those are respectively a security update and an OS update that are not yet released at the time of writing.

ISC Diary | Microsoft Black Tuesday Overview October 2011

Overview of the October 2011 Microsoft patches and their status.

Internet Explorer 9 haunted by 'critical' security vulnerabilities | ZDNet

By Ryan Naraine | October 11, 2011, 12:03pm PDT



Summary: Microsoft fixes drive-by download flaws in the latest version of its dominant Internet Explorer browser and warns that exploits could emerge within 30 days.

Microsoft’s shiny new Internet Explorer 9 browser contains critical security vulnerabilities that expose users to drive-by download attacks, the company warned today.

The IE warning highlights this month’s batch of security patches from Microsoft where the company shipped eight security bulletins (two critical, six important) to cover gaping holes in Internet Explorer, .NET Framework & Silverlight, Microsoft Windows, Microsoft Forefront UAG and Microsoft Host Integration Server.

According to Microsoft, the IE vulnerabilities could be exploited if a user simply surfs to a maliciously rigged website.

The IE update (MS11-081), available for all users of Microsoft Windows and all versions of Internet Explorer, covers at least eight documented security holes in the world’s most widely used browser.


The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

