Tuesday

Patching madness. No rest for the sysadmins.



It will be a busy week. We'll start with Microsoft Patch Tuesday: seven bulletins, three rated critical, three important and one moderate, covering Bluetooth, Internet Explorer, the Speech API, ActiveX, DirectX, WINS, Active Directory and PGM.

Swa over at SANS ISC gives us a good visual overview of them all.

Followed by SNMPv3 issues:

SNMP can be configured to utilize version 3, which is the current standard version of SNMP. SNMPv3 incorporates security features such as authentication and privacy control among other features. Authentication for SNMPv3 is done using keyed-Hash Message Authentication Code (HMAC), a message authentication code calculated using a cryptographic hash function in combination with a secret key. Implementations of SNMPv3 may allow a shortened HMAC code in the authenticator field to authenticate to an agent or a trap daemon using a minimum HMAC of 1 byte. This issue is known to affect Net-SNMP and UCD-SNMP. Other SNMP implementations may also be affected. (Source: US CERT)
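
The advisory above is terse, so here is a worked illustration of the bug class it describes. This is added example code, not Net-SNMP's source and not from US-CERT: it models the USM authentication step of SNMPv3 (password-to-key derivation and HMAC-MD5-96 per RFC 3414), a receiver that trusts the length of the msgAuthenticationParameters field it was sent, the corrected receiver, and an attacker who knows no key but succeeds against the flawed check by cycling through all 256 one-byte authenticators. The engine ID, passphrase and message bytes are constructed for the example; the real packet layout (BER encoding, the zeroed authentication field inside the message) is simplified to a byte string.

```python
import hashlib
import hmac
from typing import Callable, Tuple

AUTH_PARAM_LEN = 12  # HMAC-MD5-96: RFC 3414 truncates the 16-byte HMAC-MD5 output to 96 bits


def password_to_key_md5(password: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 A.2.1 / A.2.2: expand the passphrase to 1 MiB, MD5 it, then
    localize the result to the agent's snmpEngineID."""
    reps, rem = divmod(1048576, len(password))
    ku = hashlib.md5(password * reps + password[:rem]).digest()
    return hashlib.md5(ku + engine_id + ku).digest()


def compute_auth_param(auth_key: bytes, whole_msg: bytes) -> bytes:
    """Sender side: msgAuthenticationParameters is the first 12 bytes of
    HMAC-MD5 over the whole message (with that field zeroed, per RFC 3414)."""
    return hmac.new(auth_key, whole_msg, hashlib.md5).digest()[:AUTH_PARAM_LEN]


def verify_vulnerable(auth_key: bytes, whole_msg: bytes, supplied: bytes) -> bool:
    """The flaw described in the advisory: the receiver compares only as many
    HMAC bytes as the peer chose to send, so a 1-byte field passes 1 time in 256."""
    expected = hmac.new(auth_key, whole_msg, hashlib.md5).digest()
    return expected[:len(supplied)] == supplied


def verify_fixed(auth_key: bytes, whole_msg: bytes, supplied: bytes) -> bool:
    """Corrected check: the field must be exactly 12 bytes, and the comparison
    is constant-time so the length and content leak nothing."""
    if len(supplied) != AUTH_PARAM_LEN:
        return False
    expected = hmac.new(auth_key, whole_msg, hashlib.md5).digest()[:AUTH_PARAM_LEN]
    return hmac.compare_digest(expected, supplied)


def forge_one_byte(oracle: Callable[[bytes], bool]) -> Tuple[bool, int]:
    """Attacker without any key: replay the same message with every possible
    1-byte authenticator until the agent accepts one. Returns (success, tries)."""
    for value in range(256):
        if oracle(bytes([value])):
            return True, value + 1
    return False, 256


# Constructed sample data (not taken from any real device or capture).
ENGINE_ID = bytes.fromhex("8000000001c0a80001")          # format-1 engine ID, IPv4 192.168.0.1
AUTH_KEY = password_to_key_md5(b"constructed-auth-passphrase", ENGINE_ID)
WHOLE_MSG = (b"\x30\x2a\x02\x01\x03"                      # stand-in for the SNMPv3 message header
             + b"constructed-get-request-body"
             + bytes(AUTH_PARAM_LEN))                     # authentication field zeroed for the HMAC


if __name__ == "__main__":
    genuine = compute_auth_param(AUTH_KEY, WHOLE_MSG)
    print("genuine 12-byte tag, vulnerable/fixed:",
          verify_vulnerable(AUTH_KEY, WHOLE_MSG, genuine),
          verify_fixed(AUTH_KEY, WHOLE_MSG, genuine))
    print("1-byte forgery vs vulnerable agent:",
          forge_one_byte(lambda tag: verify_vulnerable(AUTH_KEY, WHOLE_MSG, tag)))
    print("1-byte forgery vs fixed agent:     ",
          forge_one_byte(lambda tag: verify_fixed(AUTH_KEY, WHOLE_MSG, tag)))
```

Against the vulnerable verifier the forgery always lands within 256 replays of a single captured message; against the fixed one it never does, because anything other than a full-length field is rejected before the HMAC is even compared. The corresponding fix in a real agent is exactly that length check, and the detection angle is the same: a flood of otherwise identical SNMPv3 requests from one source with an undersized authentication field is the signature of someone brute-forcing it.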

Next in line is OpenOffice:

With OpenOffice 2.4.1, the open source project has released what will probably be the last version of its 2.x office suite. It is available for Windows, Linux, and Solaris.

The new version of OpenOffice corrects numerous flaws. It also closes a security hole that attackers could exploit to execute arbitrary code by means of manipulated documents. In its Release Notes, the team describes the changes it made from version 2.4. At the beginning of September, the team plans to release version OpenOffice 3.0, which is currently undergoing beta testing. Beta 2 is expected to be released at the end of this month.

Sun Microsystems made Update 11 of StarOffice 8, which is commercial software based on OpenOffice, available for download a few days ago, bringing it up to date with OpenOffice 2.4.1. (Source: Heise Security)

and let's not forget Apple Quicktime:

Apple has released QuickTime 7.5 to address multiple vulnerabilities. These vulnerabilities include the following:

  • a heap-based buffer overflow condition in the handling of PixData structures when processing a PICT image that may allow an attacker to execute arbitrary code or cause a denial-of-service condition
  • a memory corruption condition in the handling of AAC-encoded media content that may allow an attacker to execute arbitrary code or cause a denial-of-service condition
  • a heap-based buffer overflow condition in the handling of PICT images that may allow an attacker to execute arbitrary code or cause a denial-of-service condition
  • a stack-based buffer overflow condition in the handling of Indeo video codec content that may allow an attacker to execute arbitrary code or cause a denial-of-service condition
  • an unspecified error in the handling of file: URLs that may allow an attacker to execute arbitrary files and applications

US-CERT encourages users to review Apple Article HT1991 and upgrade to QuickTime 7.5. (Source: US CERT)

and last but not least, something from last week. If you installed XP SP3, check your Adobe Flash Player version: the service pack can leave you with an older build than the one you had before, so you may need to upgrade Flash again. More details at the SANS ISC website. It is also a good idea to recheck your entire system with Secunia PSI or a similar tool (UpdateStar (Windows), SUMo - Software Update Monitor (Windows), VersionTracker [Pro] (Mac and Windows), RadarSyncUpdateChecker (Windows), Belarc Advisor (Windows), and App Update Widget (Mac)) after any major upgrade. Better safe than sorry, especially since this plugin is regularly targeted by malware.
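
The check those inventory tools perform boils down to comparing version strings before and after a change, and it is easy to script for the one package you care about. The following is added example code, not from the SANS ISC diary or any of the tools named above: it parses both the dotted form Adobe prints ("9.0.124.0") and the comma-separated form the Flash installer writes to the registry (the `CurrentVersion` value under `HKLM\SOFTWARE\Macromedia\FlashPlayer`, an assumption about where to read it on a real machine), then reports packages whose version went backwards across an upgrade and packages below a minimum you set. The two inventories and the minimum-version table are constructed sample data, not what SP3 actually ships.

```python
import re
from typing import Dict, List, Tuple

VersionTuple = Tuple[int, ...]


def parse_version(text: str) -> VersionTuple:
    """Turn '9.0.124.0' or '9,0,124,0' into a tuple that compares numerically,
    so that 9.0.124.0 > 9.0.47.0 (a plain string compare would get this wrong)."""
    return tuple(int(part) for part in re.split(r"[.,]", text.strip()))


def find_rollbacks(before: Dict[str, str], after: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Compare a pre-upgrade inventory with a post-upgrade one and list every
    package whose installed version is now older than it was."""
    rollbacks = []
    for name, old in before.items():
        new = after.get(name)
        if new is not None and parse_version(new) < parse_version(old):
            rollbacks.append((name, old, new))
    return rollbacks


def below_minimum(inventory: Dict[str, str], minimums: Dict[str, str]) -> List[str]:
    """List packages that are missing or older than the minimum you require."""
    return [name for name, floor in minimums.items()
            if name not in inventory or parse_version(inventory[name]) < parse_version(floor)]


# Constructed sample inventories: the same three packages as recorded before
# and after a major OS upgrade. Only the Flash ActiveX control has moved backwards.
BEFORE_UPGRADE = {
    "Adobe Flash Player ActiveX": "9.0.124.0",
    "Adobe Reader": "8.1.2",
    "Mozilla Firefox": "2.0.0.14",
}
AFTER_UPGRADE = {
    "Adobe Flash Player ActiveX": "9,0,47,0",   # registry-style comma form
    "Adobe Reader": "8.1.2",
    "Mozilla Firefox": "2.0.0.14",
}
MINIMUMS = {
    "Adobe Flash Player ActiveX": "9.0.124.0",
    "Adobe Reader": "8.1.2",
}

if __name__ == "__main__":
    for name, old, new in find_rollbacks(BEFORE_UPGRADE, AFTER_UPGRADE):
        print(f"ROLLBACK: {name} {old} -> {new}")
    for name in below_minimum(AFTER_UPGRADE, MINIMUMS):
        print(f"BELOW MINIMUM: {name}")
```

On a real Windows box you would fill `AFTER_UPGRADE` from the registry (or from the file version of the Flash OCX/plugin DLL) rather than from a literal, and keep `BEFORE_UPGRADE` as a snapshot taken before applying the service pack; the comparison logic stays the same.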
