Last Updated: 2008-02-09 00:07:20 UTC
by Jim Clausing (Version: 3)
Just a heads up, Firefox 184.108.40.206 is available for manual download via the links on http://www.mozilla.com which means in the next 24 hours we're likely to see it available for automatic download. The known vulnerabilities page lists 10 issues (3 critical) fixed in this release. Thanx, to roseman for the heads up.
Update: (2008-02-08 16:10 UTC) It just showed up automatically for me. --jac
Last Updated: 2008-02-08 16:52:52 UTC
by Jim Clausing (Version: 2)
Get some good sleep over the weekend because Microsoft has announced that they intend to release 12 bulletins (7 ranked as critical, by Microsoft, which means 'can result in remote code execution') on Tuesday. The overview can be found here.
Update: Also, take a look at the MSRC blog post.
Last Updated: 2008-02-08 02:28:57 UTC
by Raul Siles (Version: 1)
The last couple of days have brought up multiple serious vulnerabilities in very commonly used client software:
- QuickTime 7.4.1 - Heap buffer overflow that may cause arbitrary remote code execution.
- Adobe Reader 8.1.2 - It turns out that the non-clearly defined security vulnerabilities in the release notes include a stack overflow that can lead to remote code execution, as analyzed by Kostya Kortchinsky from Inmunity. PoC is already available.
- Firefox 220.127.116.11 - It fixes 10 security issues, some of them labeled as critical.
- ... and be ready for the new twelve security bulletins Microsoft will release next Tuesday, 7 labeled as critical and 5 as important, affecting the OS, Office, IE and IIS.
As you already know, clients are one of the main targets for attacks nowadays. Ensure your automatic software update mechanisms are working properly or go back to the manual update process, but please, patch! BTW, based on a quick test, at this time only some of the new updates already show up on the automatic update features of the affected products: Adobe Reader and Firefox do, while Quick Time does not.
A topic I have been researching a little bit about recently is "update tools for third-party client applications". What tools do you use to manage updates on commonly used third-party client tools, apart from the expensive corporate solutions? Please, send us your suggestions and I will summarize in a future post.
-- Raul Siles