Tag Archives: bug

A flurry of app security updates

Today has been a very busy day from a security update p.o.v.

  • Microsoft as released an update for the critical hole in IE which as been out for about 3 weeks ( iepeers.dll ) and 9 other updates which apply to various IE/Windows combinations ) the F1 attack discovered a month ago unfortunately still remains unpatched )
  • Java 6 Update 19 has been released to close 26 security holes including buffer overflows in in JRE, and other areas – this is also the first time since Oracle’s takeover of Sun that this advisory appears as an Oracle Critical Patch Update ( CPU )
  • Mozilla has updated Firefox 3 to 3.0.19, Firefox 3.5 to 3.5.9, Thunderbird 3 to 3.0.4 and Seamonkey 2 to 2.0.4
  • Apple has released version 7.6.6 of the Quicktime player closing a total of 16 vulnerabilities
  • OpenSSL 1.0.0  was released yesterday
  • Apple has released Mac OS X 10.6.3, an update that improves the operating system’s stability, compatibility and security

On another ( PDF ) note, security specialist Didier Stevens has developed a PDF document which is capable of infecting a PC – without exploiting a specific vulnerability. The demo exploit works both in Adobe Reader and in Foxit. Stevens says he used the “Launch Actions/Launch File” option, which can even start scripts and EXE files that are embedded in the PDF document.

VMWare forgets about BETA code

VMWare developers recently left beta debug code in an update provided for ESX 3.5, with an expiry date built in. The result would be that users would lose access to their VM’s after applying the update and a ‘general system error’ would be indicated. While the updated update is now working and available, those who need a quick fix can disable the NTP daemon and set the clock back a few days. Interestingly, ITweb had the headline today: SA unaffected by web glitch. Lucky us …

Linux kernel vmsplice vulnerability

The recent vulnerability in the linux kernel pertaining to the vmsplice function has resulted in quite a hole in many Linux PCs all over the world. It is recommended to updated to 2.6.24.2 immediately to close this loop hole. Please note that to successfully exploit this bug, you need to have at minimum unprivileged local access. More info available here:

link1

link2