The second week in December is starting with a bunch of patching. So far this week, we have QuickTime, Firefox, and Thunderbird with security updates, and next Tuesday promises to be another record Patch Tuesday with patches for IE among other things. (Updated Fri 10 Dec 2010 18:31 MST)
Apple this week issued an update that plugs at least 15 security holes in its QuickTime media player. The patch, which brings QuickTime to version 7.6.9, quashes several critical bugs that could be exploited to install malicious software were a user to load a poisoned media file. Updates are available for both Mac and Windows versions of the program.
The Mozilla Foundation has released Firefox 3.6.13 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, operate with elevated privileges, or spoof the location bar.
The December batch of patches will cover security holes in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange, according to an advance notice posted Thursday.
Of the 17 bulletins, Microsoft said two will be rated “critical,” the company’s highest severity rating. Of the remainder, 14 will be rated “important.”
And for a final note, if you use CCleaner, you should update to version 3.01. It has lots of improvements. Get a portable version from the CCleaner - Builds page.
It has been a busy month, and I have not been keeping up with timely posting here. I will try to keep this a little more current from now on.
We'll start with November's Patch Tuesday and go forward from there. The final article linked below is definitely something anyone who uses open WiFi hotspots in Starbucks and other places should read. Also, if you use Flash Player or Adobe Reader, both have had critical patches in the last month. If your systems haven't been updated, you need to patch them NOW. Foxit Reader has also had an update. IE 6 and 7 have an unpatched flaw which is being exploited "in the wild", so avoid using IE if you possibly can.
By Ryan Naraine | November 9, 2010, 10:43am PST Microsoft has shipped a patch to fix several critical security holes affecting its Office productivity suite and warned that hackers can use RTF (Rich Text Format) e-mails to launch code execution attacks.
The MS10-087 bulletin, which is considered a high-priority update, patches a total of 5 documented vulnerabilities affecting all currently supported Microsoft Office products.
It is rated critical for Office 2007 and Office 2010 because of a preview pane vector in Microsoft Outlook that could trigger the vulnerability when a customer views a specially crafted malicious RTF file, the company explained.
By Ryan Naraine | November 10, 2010, 12:23pm PST Penetration testing specialists Core Security has publicly released information on a serious security vulnerability in Apple’s Mac OS X and criticized the computer maker for delaying the release of a patch.
The vulnerability, which only affects Apple Mac OS X v10.5, could allow hackers to take complete control of a vulnerable machine via malicious PDF files.
In an advisory, Core Security said Apple claims it already has a patch prepared for this issue but failed to release the fix despite several promises.
Apple did not give any reasons for skipping the patch release.
[ASF: November 4th, 2010] Adobe on Thursday released an update to its Flash Player software that fixes at least 18 security vulnerabilities, including one that is being exploited in targeted attacks.
[ASF: November 16th, 2010] Adobe on Tuesday issued a critical update to patch at least two security holes in its PDF Reader and Acrobat software, including one flaw that was publicly disclosed earlier this month.
In a related story: Adobe launches 'sandboxed' Reader X. I am not using Adobe Reader (any version) so I haven't tested it yet. Reviews of the "sandbox" are generally positive but the sandboxing is not complete so I expect it will help but not totally prevent attacks.
By Gregg Keizer, Computerworld - November 18, 2010 02:01 PM ET Adobe today released Reader X, the next version of its popular software that includes a "sandbox" designed to protect users from PDF attacks.
Reader X on Windows features Protected Mode, a technology that isolates system processes, preventing or at least hindering malware from escaping the application to wreak havoc on the computer.
The new version is also available for Mac OS X and Android, but those editions lack the sandbox.
By Gregg Keizer, Computerworld - November 18, 2010 02:01 PM ET Apple today patched 27 vulnerabilities in Safari for Mac OS X and Windows, 85% of them critical bugs that could be exploited to hijack Macs or PCs.
Visitors to Amnesty International’s Hong Kong website are being bombarded with a host of lethal exploits, including one that attacks an unpatched vulnerability in Microsoft’s Internet Explorer browser, researchers at security firm Websense said.
The injected IE attack code resides directly on the pages of amnesty.org.hk, an indication that the perpetrators were able to penetrate deep into the website’s security defenses. The code exploits a vulnerability disclosed last week that gives attackers complete control over machines running default versions of IE 6 and 7. Version 8 isn’t vulnerable, thanks to security protections built into the browser.
An open-source Firefox extension called Firesheep has shined a spotlight on just how insecure it is to use unprotected WiFi networks.
It's widely known that unprotected WiFi networks make sensitive data readily available for anyone with the technical skill necessary to find it ...
Firesheep allows anyone to scan unprotected WiFi networks for users who are logged into Facebook, Twitter, Google, Amazon, and a variety of other Web 2.0 services and to impersonate those users by hijacking their session cookie.
"On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy," wrote Firesheep creator Eric Butler in a blog post. "This is a widely known problem that has been talked about to death, yet very popular Web sites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the Web as HTTPS or SSL."
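The fix Butler describes, HTTPS plus session cookies that are only ever sent over it, is something a site operator can verify in their own responses. The following is an added example, not code from the original post or from Firesheep: it audits Set-Cookie headers for the Secure and HttpOnly attributes (a cookie without Secure is still sent over plain HTTP even on a site that offers HTTPS) and shows how to emit a header that carries both. The header lines are constructed samples, and the function names are this example's own.

```python
"""Audit Set-Cookie headers for the attributes that keep a session cookie
off an open WiFi network.

Added example, not code from the original post or from Firesheep. The
sample response headers below are constructed for illustration.
"""
from http.cookies import SimpleCookie

# Constructed sample: a login response as an unprotected site might send it.
# Neither cookie is marked Secure, so a plain-HTTP request (an image, a
# redirect) will carry them in the clear, which is what Firesheep captures.
WEAK_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/",
    "Set-Cookie: remember=1; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
]

# Constructed sample: the same response with both attributes present.
HARDENED_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly",
    "Set-Cookie: remember=1; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Secure; HttpOnly",
]

REQUIRED_FLAGS = ("secure", "httponly")


def audit_set_cookie(headers):
    """Return {cookie_name: [missing attributes]} for every Set-Cookie line.

    An empty list means the cookie carries both Secure (only sent over
    HTTPS) and HttpOnly (not readable by page scripts).
    """
    findings = {}
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = SimpleCookie()
        cookie.load(line.split(":", 1)[1].strip())
        for name, morsel in cookie.items():
            # SimpleCookie stores a flag attribute as True when present,
            # and as "" when absent.
            missing = [flag.capitalize() if flag == "secure" else "HttpOnly"
                       for flag in REQUIRED_FLAGS if not morsel[flag]]
            findings[name] = missing
    return findings


def hardened_set_cookie(name, value, path="/"):
    """Build a Set-Cookie header line for a session cookie with both flags set."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = path
    cookie[name]["secure"] = True    # never sent over plain HTTP
    cookie[name]["httponly"] = True  # not exposed to document.cookie
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_set_cookie(headers))
    print(hardened_set_cookie("sessionid", "abc123"))
```

Run against a real site's login response, the audit only reports what the headers say; it cannot tell whether the whole site is served over HTTPS, which is the other half of the fix Butler points to.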
According to Danish security company CSIS, most Windows infections by commercial malware are the result of failure to patch IE and a few vulnerable apps. Here is their list from September, 2011, with the latest version numbers as of Tuesday, 28 Apr 2015:
Adobe Flash Player v 17.0.0.169 (IE) 17.0.0.169 (Firefox) (updated 14 Apr 2015). NOTE: update BOTH the IE and Firefox Flash Players.
WARNING: Adobe (Flash, Reader) and Oracle (Java) OFTEN install additional software like toolbars or Google Chrome from their download pages. UNCHECK this additional software unless you really want it.
Anti-Spyware Updates
These are anti-spyware apps that are free for home use which I use and recommend IN ADDITION TO your anti-virus program. Use them in non-resident mode to keep your browser from accessing known-bad URLs.
WinPatrol Now at v33.5.2015.3 last update: 14 Apr 2015