Thursday, February 23, 2012

Two months of security links

I promise to get better about more frequent updates ... anyway, you need to update just about everything that touches the Internet or processes stuff downloaded from the 'net or in email.


Browser Patches:


ASF note:  
 Consider the Iron Browser instead of Chrome if you're at all concerned about Google and your privacy.

Adobe Updates this year:

  • ISC Diary | Adobe January 2012 Black Tuesday overview

    Adobe Reader and Acrobat patches

  • Adobe plugs critical Reader X security holes | ZDNet

    Adobe has shipped a critical Reader X update to fix at least six security flaws that expose Windows and Mac OS X users to hacker attacks.

    “These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system,” Adobe warned in an advisory.

  • Flash Player Update Nixes Zero-Day Flaw — Krebs on Security

    Adobe has issued a critical security update for its ubiquitous Flash Player
    software. The patch plugs at least seven security holes, including one reported
    by Google that is already being used to trick users into clicking on malicious
    links delivered via email. 

  • Adobe Flash Player XSS flaw under 'active attack' | ZDNet

    Adobe ships a Flash Player patch amidst reports that a universal cross-site
    scripting flaw “is being exploited in the wild in active targeted attacks.”

  • Adobe confirms new zero-day Flash bug

    Adobe on Wednesday patched seven critical vulnerabilities in Flash Player, including one reported by Google researchers that hackers are using in "active
    targeted attacks." The bug attackers have been exploiting is a cross-site scripting (XSS) flaw in the Flash Player plug-in used by Microsoft's Internet
    Explorer (IE). 

  • Adobe - Security Bulletins: APSB12-03 - Security update available for Adobe Flash Player

    This update addresses critical vulnerabilities in Adobe Flash Player
    11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris,
    Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe
    Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x. These
    vulnerabilities could cause a crash and potentially allow an attacker to take
    control of the affected system. This update also resolves a universal
    cross-site scripting vulnerability that could be used to take actions on a
    user's behalf on any website or webmail provider, if the user visits a
    malicious website. There are reports that this vulnerability (CVE-2012-0767) is
    being exploited in the wild in active targeted attacks designed to trick the
    user into clicking on a malicious link delivered in an email message (Internet
    Explorer on Windows only).

    Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions
    for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player
    11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on
    Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of
    Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier
    versions should update to Flash Player 11.1.111.6.

  • Critical Fixes from Microsoft, Adobe — Krebs on Security

    Adobe released a critical update that addresses nine vulnerabilities in its
    Shockwave Player software. 

  • Adobe - Security Bulletins: APSB12-02 - Security update available for Adobe Shockwave Player

    This update addresses critical vulnerabilities in Adobe Shockwave Player 11.6.3.633 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.3.633 and earlier versions update to Adobe Shockwave Player 11.6.4.634 using the instructions provided below.


Oracle Java Updates this month:

  • Java Security Update Scrubs 14 Flaws — Krebs on Security

    Oracle has shipped a critical update that fixes at least 14 security
    vulnerabilities in its Java JRE software. The company is urging users to deploy the fixes as quickly as possible.

  • Have you uninstalled Java yet? Here are 14 new reasons... | ZDNet

    Summary: All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

    If you still haven’t uninstalled Java to reduce the attack surface on your computer, here are 14 new reasons from Oracle Sun.  A new version of the Java SE has been released to patch 14 documented security vulnerabilities, some serious enough to let hackers remotely install malware on vulnerable machines.


Microsoft Updates in January and February:

  • 'Critical' Windows Media flaws put millions at risk | ZDNet

    By Ryan Naraine | January 10, 2012, 12:04pm PST
    Microsoft has dropped its first batch of security bulletins for 2012: Seven bulletins with cover for at least eight vulnerabilities affecting all versions of the Windows operating system.

    The company is urging Windows users to pay special attention to MS12-004, a “critical” bulletin that provides fixes for two serious flaws in the way Windows Media handles certain media files.

  • Adobe, Microsoft Issue Critical Security Fixes — Krebs on Security

    Tuesday, January 10th, 2012
    Adobe and Microsoft today each issued software fixes to tackle dangerous security flaws in their products. If you use Acrobat, Adobe Reader or Windows, it’s time to patch.

  • Critical Fixes from Microsoft, Adobe — Krebs on Security

    If you use Microsoft Windows, it’s time again to get patched: Microsoft today issued nine updates to fix at least 21 security holes in its products.