Google Chrome 10.0.648.204 has been released for Windows, Mac, and Linux. The update includes fixes for 6 vulnerabilities, all of which are classified as high or critical.
You are viewing the archive for March, 2011
KB2524375 was issued to address the rogue SSL certificate issue described at http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html.
Mozilla has released Firefox versions 3.6.16 and 3.5.18. These new versions contain updates to address the rogue SSL certificate issues described at http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html.
Adobe Reader version 9.4.3 has been released. 9.4.3 fixes a security issue in authplay.dll and three other bugs. The corresponding security patch in the 10.x series won’t come out until mid-June.
The fix for the printing issue introduced in 9.4.2 made it into 9.4.3. From the release notes at http://kb2.adobe.com/cps/837/cpsid_83708/attachments/Acrobat_Reader_ReleaseNote_9.4.3.pdf:
“Printing bug: Some users are experiencing printing issues with 9.4.2 as described here: http://kb2.adobe.com/cps/891/cpsid_89178.html. The 9.4.3 release resolves these issues.”
The full list of bugfixes included in 9.4.3 is:
2809151: The printing problems that some users of 9.4.2 have experienced are fixed by replacing the Adobe.Acrobat.Dependencies.manifest file …
Apple Mac OS X version 10.6.7 has been released. It includes fixes for several security issues.
Adobe has released version 10.2.153.1 of their Flash player product for Windows.
Google Chrome 10.0.648.134 has been released for Windows, Mac, and Linux. The update includes a fix for one vulnerability, classified as high.
Google Chrome 10.0.648.133 has been released for Windows, Mac, and Linux. The update includes a fix for one vulnerability, classified as high.
Apache Tomcat 7.0.11 fixes a security constraint bypass bug. Tomcat versions 7.0 through 7.0.10 are vulnerable.
The new Apple iOS 4.3 has been released and contains 12 security updates.
Apple has released Safari 5.0.4 (for Apple Mac). This new version contains several security-related fixes.
Apple has released security updates for Java for Mac OS X 10.5 Update 9 and Java for Mac OS X 10.6 Update 4. For details, please refer to the links below.
Joomla! version 1.6.1 addresses several security issues. Exploit code is available for at least one of the bugs fixed.
There are three bulletins in the Microsoft March 2011 Patch Tuesday patch set.
MS11-015: Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)
MS11-016: Vulnerability in Microsoft Groove Could Allow Remote Code Execution (2494047)
MS11-017: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062)
VMware has released a fix for a local denial of service vulnerability affecting the Service Location Protocol Daemon (SLPD) component of their ESX/ESXi products. The vulnerability is only locally exploitable, and as of 08 March 2011 no known exploit code exists.
Google Chrome 10.0.648.127 has been released for Windows, Mac, and Linux. The update includes fixes for 23 vulnerabilities, 15 of which are classified as high or critical.
Hopefully, from a security perspective, Google will move their Android market to more of the walled garden similar to Apple’s App Store. The developer and application vetting that Apple does seems to be working reasonably well in practice. The first reference link below is a statement from Google announcing some upcoming changes they intend to make to the Android Market due to recent problems (DroidDream) with malicious content being posted. Google has already removed those applications (putting REMOVE_ASSET to good use). And interestingly we see a beneficial use of INSTALL_ASSET, where Google used that facility to …
IBM’s WebSphere Application Server 7.0 Fix Pack 15 release includes several security fixes. Details can be found at the links below. Exploit code is available for at least one of the security-related bugs.
An exploit is now publicly available for remote JBoss vulnerability CVE-2010-0738.
Mozilla has released Firefox version 3.6.15. This new version fixes an important problem with Java. There are no security updates in this version beyond what was in 3.6.14. You should abort any deployments of 3.6.14 in favor of the fixed 3.6.15 version.
Brian Krebs has published a good article that is of value to millions of home users who are currently overpaying to renew their antivirus licenses every year. He discusses the new Renewal Buddy site (http://www.renewalbuddy.com/), whose purpose is to help home users save money purchasing or renewing licenses for their antivirus products.
That is good information, but Renewal Buddy makes some dubious recommendations at times for alternative antivirus solutions. For the most effective antivirus support currently in existence, typical home users of Windows should stick with either Avira Antivir if they prefer a free tool, or one of …
Apple has released version 10.2 of their iTunes software for Windows 7, Vista, and Windows XP. 10.2 includes several security-related fixes.
Mozilla has released Firefox versions 3.6.14 and 3.5.17. These new versions contain updates for both security issues and several bugs.
Google Chrome 9.0.597.107 has been released for Windows, Mac, and Linux. The update includes fixes for 19 vulnerabilities, 16 of which are classified as high or critical.
Citrix has released an update to address a remotely exploitable bug in their Citrix Secure Gateway 3.1.4 product. The fix for the 3.1.x line is to upgrade to 3.1.5. Versions 3.2.0 and above aren’t vulnerable.
No public exploit is known to exist as of this writing (28 Feb 2011).
If you support Google Android in your organization, you might want to consider disallowing (e.g. through Good Technologies or by Exchange ActiveSync reporting) Android versions 2.2 and below until those units can be upgraded. Why? There is now commercially available (Immunity CANVAS) exploit code to gain root access to Android 2.2.
This attack against Android 2.2 is a two-step process. The first step takes advantage of an Android WebKit CSS rule deletion vulnerability, and the second step leverages that access to use a privilege escalation vulnerability to gain root access to the device.
Android 2.3 isn’t affected.
email: david @ sharpesecurity.com