September 4, 2009, 7:06 am
Microsoft today announced 5 security bulletins for the September patch day next Tuesday. They all deal with security holes considered critical in the Windows operating systems and system components. Interestingly, even the Windows Server 2008 Core installation is affected. As usual, the Redmond company isn’t going into details in the advance notification.
Prepare to install the updates as soon as possible.
Dirk Knop
Technical Editor
September 2, 2009, 7:08 am
There is a severe security hole in Microsoft's Internet Information Services (IIS) versions 5 and 6. “0-day” exploit code is publicly available on the net. The error is within the FTP component. As a workaround, Microsoft therefore recommends disabling (anonymous) FTP on IIS, or revoking anonymous users' right to create directories. A security advisory was already available, but the link currently leads to a Bing search page. There you can at least view the advisory as a “cached page”.
Opera released the final version 10 of their Web browser. It fixes some security issues and has some new and improved features. They are listed in the changelog.
The OpenOffice.org developers released OpenOffice.org 3.1.1 (changelog). This version fixes a security flaw in the Word document processing which can lead to system compromise. Users of OpenOffice.org should download the new version and update immediately.
Dirk Knop
Technical Editor
August 26, 2009, 7:11 am
Microsoft released two new knowledge base articles in which it makes patches available for all currently supported operating systems. Those patches properly disable the Autorun and AutoPlay features. This is important because it was previously possible to convince users to execute malware from, for example, USB sticks with AutoPlay entries, and to run malware automatically via Autorun. Disabling Autorun didn’t work as expected before.
To improve PC security, installing the patches is advised!
Dirk Knop
Technical Editor
August 4, 2009, 6:28 am
The developers of the Mozilla Foundation just released Firefox 3.5.2 to close two security vulnerabilities rated critical. One flaw in the web browser could be abused to spoof certificates for web servers. The browser did not parse the domain name in the certificate correctly and stopped parsing at a NULL character. A CA would issue a certificate for <domainname><0x00><mydomainname>, and the browser would treat the certificate as valid for <domainname>, thus allowing for a hidden man-in-the-middle attack.
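The truncation described above, as an added C example that is not Mozilla's code: a name check that treats the certificate name as a C string next to one that uses the encoded length. The type `cert_name`, the functions `match_truncating` and `match_strict`, and the sample host names are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A name as carried in a certificate: raw bytes plus an explicit length. */
struct cert_name { const unsigned char *data; size_t len; };

/* ASCII case-insensitive equality over exactly n bytes. */
static bool eq_nocase(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Flawed: measures the name with strlen(), so bytes after 0x00 are ignored.
   Relies on the buffer ending in a NUL, which holds for the samples below. */
bool match_truncating(const struct cert_name *cn, const char *host)
{
    size_t seen = strlen((const char *)cn->data);
    return seen == strlen(host) && eq_nocase(cn->data, host, seen);
}

/* Length-aware: an embedded 0x00 is rejected, and all cn->len bytes count. */
bool match_strict(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, 0, cn->len) != NULL)
        return false;
    return cn->len == strlen(host) && eq_nocase(cn->data, host, cn->len);
}

/* Constructed samples: a name with an embedded 0x00 and an ordinary one. */
static const unsigned char NUL_BYTES[] = "www.example.com\0.other.example";
static const unsigned char OK_BYTES[] = "www.example.com";
const struct cert_name NUL_NAME = { NUL_BYTES, sizeof NUL_BYTES - 1 };
const struct cert_name OK_NAME = { OK_BYTES, sizeof OK_BYTES - 1 };

int main(void)
{
    const char *host = "www.example.com";
    printf("embedded NUL, truncating: %d\n", match_truncating(&NUL_NAME, host));
    printf("embedded NUL, strict:     %d\n", match_strict(&NUL_NAME, host));
    printf("ordinary name, strict:    %d\n", match_strict(&OK_NAME, host));
    return 0;
}
```

The strict variant still accepts ordinary names, so rejecting embedded 0x00 bytes costs nothing for legitimate certificates.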
The second vulnerability could be abused to inject malicious code – for example a Trojan – into the victim’s computer by putting certain regular expressions into a certificate for SSL communication. This happened due to code that was meant to provide backwards compatibility with the non-standard regular expression syntax used by Netscape clients and servers. Now Firefox uses the current industry-standard wildcard syntax.
Update your Firefox as soon as possible by clicking on the Help menu and choosing “Search for Updates”. As other Mozilla products like Thunderbird and SeaMonkey are vulnerable too, apply their updates as soon as they become available.
Dirk Knop
Technical Editor
July 31, 2009, 6:37 am
As announced, Adobe has already released the first updates for the critical security vulnerabilities in its products. The first update is for Adobe Flash Player – the new version 10.0.32.18 is supposed to close the security hole in the software. You can get it via Adobe's web site.
During the day, Adobe wants to release further patches for Adobe Reader and Acrobat. Also, a new version of the Shockwave-Player is already available. Please install the updated versions as soon as possible.
Let me thank all the hardworking administrators out there at this place, especially the Avira admins. They have to roll out all these updates today and already had a busy week due to Microsoft’s out-of-band updates from Tuesday. Don’t forget, it’s System Administrator Appreciation day!
Dirk Knop
Technical Editor
July 29, 2009, 6:37 am
As announced last week, Microsoft released two security bulletins out-of-band. They address critical vulnerabilities in all Internet Explorer versions and a flawed Active Template Library (ATL) for developers using Microsoft’s Visual Studio.
Due to the flaw in the ATL – which is used to build ActiveX controls, for example – it is possible to bypass the kill bit restrictions within Internet Explorer (IE). Manipulated websites can thus call ActiveX modules with security vulnerabilities and inject malware on affected computers. Microsoft now closes three security holes in IE and hardens it against abuse of the flaws introduced by the ATL.
The error is based on flaws within the ATL of Visual Studio. Thus components built with this development environment can be affected, too. Cisco, for example, released a security advisory and announced workarounds and updates for the Cisco Unity software. Expect other software developers to release updates soon, too.
Interestingly, according to Microsoft’s Security Bulletins, Windows 7 is not affected by these vulnerabilities.
Install the updates as soon as possible, and if you are a developer, rebuild your components with the new ATL. A knowledge-base article from Microsoft explains the issue for developers.
Dirk Knop
Technical Editor
July 25, 2009, 3:52 pm
Microsoft announced extraordinary updates for Internet Explorer and for Visual Studio for this coming Tuesday. While the company rates the security issue in Visual Studio only as moderate, the IE flaws – which also affect IE8 – are considered critical and allow for remote code execution.
Prepare for those updates, as they are really critical and necessary if Microsoft decides to do an out-of-band release. Install them ASAP when available.
Dirk Knop
Technical Editor
July 23, 2009, 12:37 pm
There are security flaws within Adobe Reader and Acrobat and the Adobe Flash Player that are currently being actively exploited on the net. The company has published a security advisory in which it announces that it is investigating the problem and plans an update for the 30th of July.
Avira antivirus solutions already detect the malicious PDF files as EXP/Pidief.TH and the malware dropped by those documents as TR/Drop.Wmach and TR/Spy.WMach, respectively. In any case, it is a good idea to take additional security measures until Adobe provides an update.
Adobe recommends deleting or renaming the file authplay.dll that ships with the Reader and with Acrobat. Also, according to Adobe, enabling Data Execution Prevention (DEP) and activating User Account Control (UAC) in Windows Vista should mitigate the risk.
Another solution would be using a different PDF reader and disabling Adobe PDF and Flash within the web browser via its add-ons manager. The NoScript extension for Firefox also helps prevent Flash applications from running in the browser; it is possible that drive-by downloads via malicious Flash applications embedded in web sites will turn up soon.
Dirk Knop
Technical Editor
July 17, 2009, 9:06 am
The Mozilla Foundation released Firefox 3.5.1 today. The new version fixes an issue which could be abused by web sites to inject malicious code into a victim’s computer. The vulnerability was in the Just-In-Time compiler for JavaScript, which is a new feature in Firefox 3.5. Please update your Firefox to the most recent version now by clicking on “Help” and selecting “Search for updates”.
Dirk Knop
Technical Editor
July 15, 2009, 6:37 am
Microsoft released 6 security bulletins as announced. The updates fix the actively exploited security hole in a video ActiveX component, as well as flaws in DirectShow, the Embedded OpenType Font Engine, Virtual PC and Virtual Server, ISA Server and Office 2007. A fix for the recently discovered vulnerability in Office, ISA Server 2004 and 2006, which is also already being exploited on the net, is still missing though – so please apply the workarounds described in Microsoft's security advisory or use the provided Fix-it tool.
According to the Exploitability Index in the security bulletin summary, Microsoft expects exploits for all fixed vulnerabilities within the next 30 days. The patches should therefore be applied as soon as possible to protect your own computer and/or network.

The Mozilla Foundation issued a warning about a security hole in the Just-in-time compiler for JavaScript of the new Firefox 3.5 web browser. As exploit code is already publicly available, they recommend turning off the compiler temporarily. From the security advisory:
- Enter about:config in the browser’s location bar.
- Type jit in the Filter box at the top of the config editor.
- Double-click the line containing javascript.options.jit.content setting the value to false.
The developers are currently working on a fix. Until then it is a good idea to implement the described workaround.
Dirk Knop
Technical Editor