Google Chrome 14.0.835.202 has been released for Windows, Mac, and Linux. The update includes fixes for 7 vulnerabilities, all of which are classified as high or critical.
Google Chrome 14.0.835.163 has been released for Windows, Mac, and Linux. The update includes fixes for 32 vulnerabilities, 15 of which are classified as high or critical.
Google Chrome 13.0.782.215 has been released for Windows, Mac, and Linux. The update includes fixes for 11 vulnerabilities, 10 of which are classified as high or critical.
Mozilla has released Firefox versions 6.0 and 3.6.20. These new versions fix several security-related memory corruption bugs (http://www.mozilla.org/security/announce/2011/mfsa2011-29.html).
Firefox version 5.x is now off support. You should be running only 3.6.x or 6.x in production now.
Adobe has released Shockwave Player version 18.104.22.1689 for Windows and Apple OS X. This update contains several security updates as outlined in the link below.
Adobe has released version 10.3.183.5 of their Flash player product for Windows, Linux, Apple OS X, and Solaris. This update includes security fixes.
Apple has released Quicktime Player 7.7 for Windows and Apple Mac OS X 10.5.8. Version 7.7 includes fixes for 13 security issues.
Google Chrome 13.0.782.107 has been released for Windows, Mac, and Linux. The update includes fixes for 30 vulnerabilities, 14 of which are classified as high.
A remotely exploitable security bug in Citrix XenApp and XenDesktop has been disclosed. Details are at the link below. The following products are affected:
- all versions of XenApp and XenApp Fundamentals (formerly known as Access Essentials) up to and including version 6
- XenDesktop 4 with, or without, Feature Packs 1 or 2
These updates address a security-related bug in iOS.
Apple has released Safari 5.1 and 5.0.6 (for Apple Mac and Windows). This new version contains several security-related fixes.
Oracle has released its July 2011 Critical Patch Update. The security patches affect the following products:
Oracle Database 11g Release 2, versions 22.214.171.124, 126.96.36.199
Oracle Database 11g Release 1, version 188.8.131.52
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
Oracle Database 10g Release 1, version 10.1.0.5
Oracle Secure Backup, version 10.3.0.3
Oracle Fusion Middleware 11g Release 1, versions 184.108.40.206.0, 220.127.116.11.0, 18.104.22.168.0
Oracle Application Server 10g Release 3, version 10.1.3.5.0
Oracle Application Server 10g Release 2, version 10.1.2.3.0
Oracle Business Intelligence Enterprise Edition, versions 10.1.3.4.1, 22.214.171.124
Oracle Identity Management 10g, versions 10.1.4.0.1, 10.1.4.3
RIM releases fixes for DoS and information disclosure vulnerabilities in their BlackBerry Enterprise Server software. BlackBerry smartphones aren’t affected.
The following BES versions are affected:
- BlackBerry® Enterprise Server version 5.0.0 for Microsoft Exchange, IBM Lotus Domino and Novell GroupWise (with the BlackBerry® Administration API component installed as an option only)
- BlackBerry® Enterprise Server Express 5.0.0 for Microsoft Exchange and IBM Lotus Domino (with the BlackBerry® Administration API component installed as an option only)
- BlackBerry® Enterprise Server Express versions 5.0.1, 5.0.2 and 5.0.3 for Microsoft Exchange
- BlackBerry® Enterprise Server Express versions 5.0.2 …
These updates close the latest jailbreaking hole in iOS.
An exploit has been published on exploit-db.com for a remotely exploitable bug in BlueCoat BCAAA. BlueCoat BCAAA is used by ProxySG and ProxyOne.
Fix status by ProxySG version:
- 5.3.x – no patch available yet
- 4.3 – SGOS 126.96.36.199 patch release
No fix has been released yet for ProxyOne.
Siemens has announced a password security problem in an authentication mechanism used in their SIMATIC S7 series of programmable controllers. No patch is available yet. Until a fix is available, some defensive guidance is available at the reference link below. The following Siemens SIMATIC S7 platforms are affected:
WordPress version 3.1.4 contains both normal bugfixes and security-related changes. I upgraded this blog already to the 3.1.4 release level and it seems to work fine.
Apple has released Java updates for Mac OS X 10.6 Update 5 and OS X 10.6 Update 10. Details are at the links below.
Google Chrome 12.0.742.112 has been released for Windows, Mac, and Linux. The update includes fixes for 7 vulnerabilities, 6 of which are classified as high.
A commercial-grade exploit has been released for CVE-2011-1220 in IBM Tivoli Endpoint lcfd.exe, as part of the White Phosphorus add-on pack for Immunity CANVAS.
From Apple’s release:
APPLE-SA-2011-06-23-1 Mac OS X v10.6.8 and Security Update 2011-004
Mac OS X v10.6.8 and Security Update 2011-004 are now available and address the following:
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: When connected to Wi-Fi, an attacker on the same network may be able to cause a system reset
Description: An out of bounds memory read issue existed in the handling of Wi-Fi frames. When connected to Wi-Fi, an attacker on the same network may be able to cause a system reset. This issue does not affect Mac OS X v10.6 CVE-ID
Available for: …
Citrix has released security updates for their Citrix EdgeSight for Active Application Monitoring and Citrix EdgeSight for Load Testing products. Citrix recommends customers upgrade their Citrix EdgeSight for Active Application Monitoring installations to version 5.3 SP2 or later, and Citrix EdgeSight for Load Testing installations to version 3.8.1 or later. Details are available at the link below.
Mozilla has released Firefox versions 5.0 and 3.6.18. These new versions fix several security-related bugs.
BTW, Firefox version 4.x is now off support, as is 3.5.x. You should be running only 3.6.x or 5.x in production now.
Adobe has released version 10.3.181.26 of their Flash player product for Windows, Linux, Apple OS X, and Solaris. Adobe reports this update includes a fix for a vulnerability that is being exploited in the wild.
Google Chrome 12.0.742.100 has been released for Windows, Mac, and Linux. The update includes a fix for 1 vulnerability, which is classified as critical.
Adobe has released versions 10.1, 9.4.5, and 8.3 of their Acrobat Reader product to address a set of security vulnerabilities. Details are available at the link below.
So far, one patch out of this month's set – MS11-044 – has a known exploit in the wild.
UPDATE – 17 June 2011 – Symantec is reporting exploits for MS11-050 being found in circulation: http://www.symantec.com/connect/de/blogs/vulnerability-june-ms-tuesday-wild
Adobe has released Shockwave Player version 188.8.131.526 for Windows and Apple OS X. This update contains several security updates as outlined in the link below.
There are 17 vulnerabilities fixed this time around. If for some reason you cannot patch some or all of the Sun Java JRE instances in your organization, please consider putting IPS blocks in place at your network edges and/or in your client host IPS, as outlined at http://blog.sharpesecurity.com/2010/10/25/list-of-currently-exploited-sun-java-vulnerabilities/.
Public proof-of-concept exploit code exists for some of the vulnerabilities fixed in this release.
Google Chrome 12.0.742.91 has been released for Windows, Mac, and Linux. The update includes fixes for 14 vulnerabilities, 5 of which are classified as high or critical.
The feature list includes:
- Hardware accelerated 3D CSS
- New Safe Browsing protection against downloading malicious files
- Ability to delete Flash cookies from inside Chrome
- Launch Apps by name from the Omnibox
- Integrated Sync into new settings pages
- Improved screen reader support
- New warning when hitting Command-Q on Mac
- Removal of Google Gears