Internet Explorer Patched by Microsoft

If you use Internet Explorer and haven’t yet applied the patch that was released by Microsoft just over a week ago, you will want to do so now. Critical patch MS12-063 applies to Internet Explorer versions 6 through 9. It does not affect Internet Explorer 10.

The vulnerability was discovered in mid-September and could allow the installation of a backdoor Trojan when a user visits a compromised website.

Microsoft released the patch on September 21. It is recommended to run Windows Update as soon as possible to apply patch MS12-063.

Adobe Closed 12 Critical Holes in Flash

Earlier this month Adobe issued a critical update for Flash Player to address a dozen flaws, some of which allow remote code execution. Flash version 11.1.102.55 is available for Windows, Mac, Linux and Solaris. Adobe has also released Flash version 11.1.102.59 for Android, which is expected to be the last time it updates Flash for mobile. In addition, Adobe has released AIR version 3.1.0.4880 for Windows, Mac, and Android. The company says it is not aware of any active attacks against these flaws at this time.

Get the newest version of Adobe Flash.

Read the full news story online.

Apple Security Updates

Apple released a massive security update (2011-006) on October 13 to address more than 70 vulnerabilities in the following operating systems:

  • Mac OS X 10.6.8
  • Mac OS X Server 10.6.8
  • Mac OS X 10.7, 10.7.1
  • Mac OS X Server 10.7, 10.7.1

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Two security issues were patched in the Mac OS X kernel, one in CoreStorage, two in CoreMedia, while others were in CoreProcesses, CoreFoundation, CFNetwork, and even the application firewall.

According to an article on ComputerWorld.com, installation errors have occurred with this update in some instances:

“Apple OS X Security Update makes MacBook kernel panic at boot,” warned security researcher Dragos Ruiu on Twitter. He later confirmed that other users have experienced similar problems, particularly on systems with Lion/Snow Leopard dual-boot configurations. “If you have two or more OS partitions on [MacBook Pro] it breaks,” the security expert said.

Graham Cluley, a senior technology consultant at Mac OS antivirus provider Sophos, couldn’t confirm the Mac OS X boot issues, but advised users to postpone updating if they believe they might be affected.

“My advice would be to contact Apple technical support – and see if they have a resolution for the problem. If you suspect you may be impacted by the issue it may be wise to hold off installing the security update until Apple has confirmed if it has fixed it,” Cluley said.

OTHER APPLE UPDATES:
Apple also released Safari version 5.1.1, Mac OS X 10.7.2 (which fixes security issues and introduces iCloud), and iOS version 5 (which fixes nearly 100 security flaws).

Adobe Fixes Flash Player Vulnerability

Last week Adobe published an unscheduled emergency patch for Flash Player to address many critical security issues.

Systems affected:

  • Flash Player versions up to and including 10.3.183.7 for Windows, Mac OS X, Linux and Solaris
  • Versions 10.3.186.6 and earlier for Android

The Flash Player updates are the company’s response to a recently discovered universal cross-site scripting (XSS) hole. According to Adobe, the vulnerability is already being actively exploited by attackers to bypass the same origin policy, allowing them to, for example, take actions on a user’s behalf on any Web site, or steal a victim’s cookies. For an attack to be successful, a victim must click on a malicious link.

Get latest Adobe Flash Player.

Oracle Critical Patch Update Advisory July 2011

Oracle released an update advisory this month to address 78 vulnerabilities in various Oracle products and versions. US-CERT recommends that Oracle database administrators apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory – July 2011. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed.

Microsoft Fixes Hotmail Cross-Site Scripting Flaw

Microsoft has fixed a security issue in Hotmail that was being actively exploited to steal users’ messages and contact lists. Attackers sent targets email messages containing malicious scripts. Computers became infected when recipients opened or previewed the message. The embedded code uploaded messages and contact lists to remote servers. The attack was possible due to a cross-site scripting flaw, which has been remedied.

According to the article by the Register: “It’s unclear how many Hotmail users may have been affected by the exploits and whether Microsoft has adequately warned users they may have been compromised. Microsoft spokesman Bryan Nairn wouldn’t say how many subscribers were targeted or when the patch was put in place.”

Google Has Fix for Android Vulnerability

Google is rolling out a fix for a vulnerability in the majority of Android phones that allows attackers to access and modify users’ Google contacts and calendar when that data is accessed over unsecured Wi-Fi networks. The flaw affects versions 2.3.3 and earlier of the Android platform, which run on 99.7 percent of Android devices. The fix does not require action from users; it will be pushed out automatically.

Read the full story at PCWorld.com.