Bugs fixed in Ubuntu

Last week a large number of security vulnerabilities were fixed in Ubuntu, including a remotely exploitable font flaw that an attacker could use to run arbitrary code on vulnerable machines. A number of Linux kernel flaws were also patched in some versions of the operating system.

Read the full story online.

Adobe Closed 12 Critical Holes in Flash

Earlier this month Adobe issued a critical update for Flash Player to address a dozen flaws, some of which allow remote code execution. Flash version 11.1.102.55 is available for Windows, Mac, Linux and Solaris. Adobe has also released Flash version 11.1.102.59 for Android, which is expected to be the last time it updates Flash for mobile. In addition, Adobe has released AIR version 3.1.0.4880 for Windows, Mac, and Android. The company says it is not aware of any active attacks against these flaws at this time.

Get the newest version of Adobe Flash.

Read the full news story online.

Microsoft Fixes Hotmail Cross-Site Scripting Flaw

Microsoft has fixed a security issue in Hotmail that was being actively exploited to steal users’ messages and contact lists. Attackers sent email messages containing malicious scripts to targets. Computers became infected when recipients opened or previewed the message. The embedded code uploaded messages and contact lists to remote servers. The attack was possible due to a cross-site scripting flaw, which has been remedied.

According to the article by The Register: “It’s unclear how many Hotmail users may have been affected by the exploits and whether Microsoft has adequately warned users they may have been compromised. Microsoft spokesman Bryan Nairn wouldn’t say how many subscribers were targeted or when the patch was put in place.”

January 2011 Microsoft Security Updates

This month’s security update, to be released on Tuesday, January 11, contains just two patches, addressing three vulnerabilities in all supported versions of Windows.

The update will NOT address a publicly known vulnerability in Internet Explorer (announced in late December) or the Windows Graphics Rendering Engine flaw, disclosed earlier this month. Both flaws are reportedly used in targeted attacks and users should look at the mitigation steps outlined in the advisories.

Adobe Patches Critical Reader and Acrobat Flaws

Adobe released another out-of-band patch to fix critical flaws in Reader and Acrobat last week.

Systems affected:

  • Adobe Reader 9.4 and earlier
  • Adobe Acrobat 9.4 and earlier

The flaws could cause the application to crash or, more seriously, allow hackers to take control of the affected systems. The out-of-band updates also resolve a memory corruption vulnerability that could lead to code execution. The Reader flaw had been known about since the end of October and had already been exploited in the wild.

Read the full story at Computerworld.com.

Adobe Warns of Flaw in Reader, Acrobat, Flash

A new critical vulnerability is being exploited to attack computers running the PDF viewer software, Adobe warned last week. The vulnerability is not yet patched.

Systems affected:

  • Flash Player 10.1.85.3 and earlier versions for Windows, Mac, Linux and Solaris
  • Flash Player 10.1.95.2 and earlier versions for Android
  • Reader 9.4 and earlier versions for Windows, Mac and Unix
  • Acrobat 9.4 and earlier versions for Windows and Mac

Earlier in October, the company plugged 23 holes in Reader and Acrobat. Adobe is building sandbox technology, designed to add more layers of protection, into the next version of Adobe Reader, Reader X, due out by mid-November.

Read the full story at cnet.com.

Unpatched Flaw Affects Windows Applications

A vulnerability in iTunes for Windows that Apple has patched remains unfixed in hundreds of other Windows applications. The remote code execution flaw was initially reported to affect about 40 applications, but that figure was later estimated to be significantly higher. The researcher says the attacks are trivial to launch. The problem lies in the way Windows downloads libraries for third-party applications. Each application will need to be fixed separately. Microsoft is looking into the issue.

Read the full story at ComputerWorld.com.