Posts tagged ‘Updates’

Further critical Updates

Last week Opera already released version 10.01 of its web browser. It closes some security holes. At least one of them can lead to code injection (for example, to infect the computer with a Trojan). Users are advised to install the new version quickly.

Meanwhile, the Mozilla Foundation has updated Firefox to version 3.5.5. The developers only mention stability fixes; this release doesn’t seem to fix security issues. Still, it is a good idea to install the update.

There was another security update for Sun Java. Version 6 Update 17 fixes a lot of security vulnerabilities. Those flaws may lead to remote code execution, so updating immediately is recommended.

What else? Adobe has released Shockwave Player 11.5.1.602, which also closes security holes that allow for remote malware injection. Users of the Shockwave Player (which is different from Adobe Flash Player) should also update their software immediately.

Google also released an update for its Chrome browser today. It fixes 2 security problems which put users at risk.

Dirk Knop
Technical Editor

Microsoft plans 6 security bulletins

For the upcoming Patch Tuesday next week, Microsoft plans to release 6 security bulletins. 3 of them handle security issues rated critical; the other 3 are rated important.

The affected Windows operating systems range from Windows 2000 up to Windows Server 2008. The “important” fixes are for Microsoft Office (also for Mac) and the Office Viewers.

Prepare to install the patches as soon as possible, as exploits for these security vulnerabilities are usually released very soon after Microsoft ships the patches.

Dirk Knop
Technical Editor

IE Update fixes flaws of MS09-054

Microsoft released another update for Internet Explorer. It is supposed to fix some flaws that may occur after installing the cumulative update from the last Patchday, MS09-054. In a Knowledge Base article, Microsoft explains the issues that may arise:

- The offsetTop calculation for elements that are contained as children of scrolled elements may be reported incorrectly in Windows Internet Explorer 8

- You receive a VBScript “Type Mismatch” script error message in Internet Explorer after you install cumulative security update 974455

Fig. 1: The automatic Windows Update offers a new update for Internet Explorer.


Though the update is not critical, some users may experience the described problems with the last security update. Users should therefore install the offered patch – which requires a reboot of the computer.

Dirk Knop
Technical Editor

Firefox 3.5.4 closes 11 security holes

The Mozilla Foundation just released Firefox 3.5.4 – the new version closes 11 security holes, of which 6 are considered critical by the Mozilla developers. Those vulnerabilities can be abused by cybercriminals to inject malicious code like a Trojan into the computer. The release also fixes a few non-security related issues.

Some of the bugs also affect earlier versions of the Mozilla browsers and are fixed in Firefox 3.0.15 (though it is recommended to update to Firefox 3.5) and in SeaMonkey 2.0. Thunderbird isn’t mentioned in the security advisories.

As some of the vulnerabilities are quite serious security issues, users should update the software as soon as possible. The easiest way is to go to the “Help” menu and choose “Check for Updates”.

Dirk Knop
Technical Editor

Adobe fixes Reader and Acrobat

Not only has Microsoft released a bunch of patches to close security holes in its products; Adobe is now also shipping updated software to fix several vulnerabilities in Adobe Reader and Acrobat. These vulnerabilities are already being attacked with specially prepared PDF documents to take over control of vulnerable computers – Avira AntiVir protects its users and detects the currently circulating exploit PDF as Exp/Pidief.xam.

Users of Adobe Reader and Acrobat versions earlier than the new 9.2 are advised to install the updated software immediately to protect themselves from the attacks; Adobe rates the vulnerabilities as critical. New versions of Reader are available for Windows, Mac and Unix. Further links to updates for different Acrobat versions are listed in Adobe’s security advisory.

Dirk Knop
Technical Editor

Microsoft closes 34 Security Holes

Just as announced last Friday, Microsoft is shipping updates for plenty of products and closing 34 security holes. Many of them are rated critical, which means that attackers can infiltrate vulnerable systems remotely.

The patches affect the Windows operating systems starting from Windows 2000 up to the brand new Windows 7. The list of vulnerable software is lengthy too: Internet Explorer, Media Player, Office from XP up to 2007, .NET runtimes, SQL Server, Visual Studio 2003 up to 2008, Visual FoxPro, Report Viewer, the antivirus solution Forefront and Silverlight 2.

As the patches deal with critical security vulnerabilities, which in some cases are already being abused (like the FTP hole in IIS), it is advised to install them ASAP.

Dirk Knop
Technical Editor

13 Security Bulletins announced for Patch Tuesday

Microsoft today announced 13 Security Bulletins for the October Patchday. 8 of them concern security vulnerabilities rated critical. The total count of security holes which the company plans to close is 34, according to the Microsoft Security Response Center.

The affected software includes Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server. Among the fixes that will be provided is one for the SMBv2 vulnerability and one for the vulnerable FTP service in IIS.

Administrators should prepare for those updates – most of them require a restart – and install them as soon as possible.

Dirk Knop
Technical Editor

Another huge Update leading to delays

We are currently delivering another huge update to our clients. As a result, users of the free Avira AntiVir Personal have some issues getting their updates quickly.

The situation should get better today or tomorrow. We hope that we have our improved, faster system up and running for the next big update so that this situation won’t come up again!

Please be patient – the update will be over soon! By the way, as usual, users of Avira AntiVir Premium, Avira Premium Security Suite and the Professional products are not affected – they have dedicated download servers and reserved bandwidth available.

Dirk Knop
Technical Editor

Update Servers under heavy load

The update servers for our free Avira AntiVir Personal are currently under heavy load due to a huge update that is being delivered. Even though we are delivering at 8 GBit per second – of which up to 1 GBit per second is used by IPv6 traffic alone! – this results in a slow update process for many of the free AntiVir Personal users. The situation should get better over the weekend; it already got better for a few hours during the night.

We already increased bandwidth and made further optimizations to our servers. Also we’re working on a permanent solution to better serve the users of our free Avira AntiVir version – this may take a few weeks though.

Users of our Avira AntiVir Premium and Avira AntiVir Professional products are not affected by this issue.

Dirk Knop
Technical Editor

Microsoft Patchday Reloaded

Now that hasn’t happened for a while: Microsoft updated one of the security bulletins from Tuesday. It deals with a security flaw in TCP/IP networking. The first version of the bulletin mentioned Windows 2000, Vista, Server 2003 and Server 2008 as affected. The updated version also mentions Windows XP as affected.

Consequently, all Windows XP users should run Windows Update again (as soon as the patch is available for XP; it currently isn’t) – though the impact of the error isn’t as critical as in Vista or Server 2008, where it allows for remote code execution. In Windows XP it is possible to cause a Denial of Service (DoS) condition by sending manipulated network packets to the unpatched computer.

Update: Microsoft updated the bulletin once more. Now it states “By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability.” So an update won’t be available any time soon – if at all, because in the default installation no service is listening on the network interface.

Dirk Knop
Technical Editor