updates Archive

Sun Java Runtime Environment Multiple Vulnerabilities
Affected:
JDK and JRE 6 Update 16 and earlier
JDK and JRE 5.0 Update 21 and earlier
SDK and JRE 1.4.2_23 and earlier
SDK and JRE 1.3.1_26 and earlier

Description: Sun’s implementation of the Java Runtime Environment (JRE) and Java Web Start contains multiple vulnerabilities. A specially crafted Java application, an audio or image file or an applet could trigger one of these vulnerabilities, with consequences ranging from arbitrary code execution with the privileges of the current user to denial of service and security restriction bypass. Note that, depending upon configuration, Java applets embedded in web pages may be opened automatically upon the loading of the page. One of the errors is that the update mechanism does not update the JRE to the new version when running on non-English Windows versions. There are errors in decoding DER-encoded data and in the parsing of HTTP headers which might lead to memory exhaustion. There is an authentication bypass vulnerability in the JRE when verifying HMAC digests. Multiple buffer overflow and integer overflow vulnerabilities have been reported in the JRE while processing specially crafted audio and image files. There is a command execution vulnerability in the JRE which could be triggered by a specially crafted web page. There is a flaw in the implementation of security model permissions in the Java Web Start Installer. Some technical details for some of these vulnerabilities are publicly available.

Status: Vendor not confirmed, no updates available. [edit] Updates are available

References:
Zero Day Initiative Advisories
http://www.zerodayinitiative.com/advisories/ZDI-09-076
http://www.zerodayinitiative.com/advisories/ZDI-09-077
http://www.zerodayinitiative.com/advisories/ZDI-09-078
http://www.zerodayinitiative.com/advisories/ZDI-09-079
http://www.zerodayinitiative.com/advisories/ZDI-09-080
Sun Security Advisories
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270476-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270475-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269870-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269869-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269868-1
Product Home Page
http://java.sun.com
SecurityFocus BID
http://www.securityfocus.com/bid/36881

For this update, DO NOT rely on "Check for Updates" in the Java Control Panel; instead go to http://java.com/en/download/ie_manual.jsp?locale=en&host=java.com:80

If you have a 64-bit version of Windows, you need to install both the standard 32-bit version AND the 64-bit version: http://java.com/en/download/manual.jsp
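As a quick defender-side check, here is an added example (not from the original post) that parses `java -version` output and compares it against the affected ranges listed above; the sample version strings are constructed. On 64-bit Windows, run it once against each installed JRE, since only the one on PATH is checked automatically.

```python
import re
import subprocess

# Affected ceilings from the advisory, keyed by the family string that
# "java -version" reports (JDK 6 prints 1.6.0_NN, JDK 5.0 prints 1.5.0_NN).
AFFECTED_MAX = {
    "1.6.0": 16,   # JDK/JRE 6 Update 16 and earlier
    "1.5.0": 21,   # JDK/JRE 5.0 Update 21 and earlier
    "1.4.2": 23,   # SDK/JRE 1.4.2_23 and earlier
    "1.3.1": 26,   # SDK/JRE 1.3.1_26 and earlier
}

VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+\.\d+\.\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (family, update) from 'java -version' output, or None if unrecognised."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    family = m.group(1)
    update = int(m.group(2)) if m.group(2) else 0   # no "_NN" means the base release
    return family, update


def is_affected(output):
    """True if the reported JRE is inside an affected range, False if not, None if unknown."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None          # unrecognised format: cannot decide
    family, update = parsed
    ceiling = AFFECTED_MAX.get(family)
    if ceiling is None:
        return False         # family not listed in the advisory (e.g. later releases)
    return update <= ceiling


def check_local_jre():
    """Run the local 'java -version' (it prints to stderr) and classify the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None          # no java on PATH
    return is_affected(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real machine.
    for sample in ('java version "1.6.0_16"', 'java version "1.6.0_17"', 'java version "1.5.0_22"'):
        print(sample, "->", "affected" if is_affected(sample) else "not affected")
```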


Affected: Adobe Shockwave Player versions 11.x

Description: Adobe Shockwave Player, with over 450 million users, is a multimedia player that allows Adobe Director applications to be published and viewed in a browser that has the Shockwave plug-in installed.

Multiple vulnerabilities have been reported in Adobe Shockwave Player, which can be triggered by specially crafted Shockwave content. There is an error in the way an invalid index is used. There are also a couple of issues caused by the inappropriate use of an invalid pointer. The last issue is a memory corruption error when processing string lengths.

In all cases, successful exploitation might allow an attacker to execute arbitrary code in the context of the logged-on user.

There is not enough public information about these vulnerabilities.

Status: Vendor confirmed, updates available.

References:

Adobe Security Bulletin (APSB09-16)
http://www.adobe.com/support/security/bulletins/apsb09-16.html

Wikipedia Article on Adobe Shockwave
http://en.wikipedia.org/wiki/Adobe_Shockwave

Product Home Page
http://www.adobe.com/products/shockwaveplayer/

SecurityFocus BID
http://www.securityfocus.com/bid/36905

Adobe recommends Shockwave Player users install Shockwave Player version 11.5.2.602 available here: http://get.adobe.com/shockwave/
Remember: Shockwave must be installed separately in every browser in which you wish to use it.


http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.4

Mozilla fixes 16 flaws with Firefox 3.5.4:

http://www.computerworld.com/s/article/9140008/Mozilla_fixes_16_flaws_with_Firefox_3.5.4

Mozilla today patched 16 vulnerabilities in Firefox, 11 of them critical, as it updated the open-source browser to version 3.5.4.

The 11 critical Firefox 3.5 vulnerabilities were located in a variety of components, including Web worker calls, the GIF color map parser, the string-to-number converter, a trio of third-party media libraries, and both the JavaScript and browser engines.


Microsoft Malware Protection Center: Microsoft Security Essentials – Week One:
http://blogs.technet.com/mmpc/archive/2009/10/15/microsoft-security-essentials-week-one.aspx

The Windows 7 numbers are spectacular for an operating system that hasn’t yet released for global availability. Even better, about 1/3rd of Windows 7 Microsoft Security Essentials machines are 64-bit, which is even more resistant to malware than 32-bit due to PatchGuard.

By looking at detections divided by active Microsoft Security Essentials machines over the whole population, we see far more detections per XP machine, with the fewest from Win7. This follows our usual observed trend of seeing less malware on newer OSes and service packs.


Brief Description:
On a computer that has a Windows Installer-based product installed, you may receive an error while installing an update for the product, and the installation of the update may fail.

Windows Installer uses the registry to record information about updates installed for each Windows Installer-based product. These registry keys help identify the state of each update: registered, applied, superseded, or obsoleted. Information about installed updates is stored across several registry keys and values. To allow for the product to be in a serviceable state in which it can be repaired, updated, or uninstalled, it is critical for the data in these registry keys to be synchronized. When the data in these registry keys is no longer synchronized, maintenance mode operations cannot be performed on the product .msi file.

The Patch Registration Cleanup Tool helps resolve some issues that are related to invalid or corrupted update registration. This tool lets you bring the product back to a known state so that you can reinstall updates.

http://support.microsoft.com/?kbid=976220

direct download for the Patch Registration Cleanup Tool

Applies to all currently supported Windows versions from XP SP2 up to Windows 7, including all versions of Vista (SP1 and higher), Server 2003 (SP2) and Server 2008.


Microsoft has issued its biggest ever security update on 13 October.

The update includes 13 bulletins that between them tackle 34 vulnerabilities.

Microsoft said that eight of the bulletins were rated as critical – the most serious sort of vulnerability.

The security patches close loopholes in many different programs including different editions of Windows, Internet Explorer and some elements of Office.

One update, rated as critical, tackles a loophole in Internet Explorer 8 running under Windows 7. The next version of Microsoft’s operating system is due to be released on 22 October.

For home users, the best way is to use Microsoft Update on your computer.

These updates are vital and need to be installed immediately.


Adobe has released security bulletin APSB09-15 to alert users of a critical vulnerability in Adobe Reader and Acrobat.

Adobe indicates that it has received reports of active exploitation of this vulnerability.

Release of an update for this vulnerability is scheduled for Tuesday, October 13.


October 2009 Bulletin Release Advance Notification

Advance Notification for the October 2009 Security Bulletin Release

For October we are releasing 13 bulletins (eight critical and five important), addressing 34 vulnerabilities, affecting Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server. Most of these updates require a restart so please factor that into your deployment planning.
