View Full Version : Alerts




AplusWebMaster
2012-04-25, 11:59
FYI...

Thunderbird v12.0 released
- https://www.mozilla.org/en-US/thunderbird/12.0/releasenotes
April 24, 2012 ... See Known Issues

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird12
Fixed in Thunderbird 12
MFSA 2012-33 Potential site identity spoofing when loading RSS and Atom feeds
MFSA 2012-32 HTTP Redirections and remote content can be read by javascript errors
MFSA 2012-31 Off-by-one error in OpenType Sanitizer
MFSA 2012-30 Crash with WebGL content using textImage2D
MFSA 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
MFSA 2012-28 Ambiguous IPv6 in Origin headers may bypass webserver access restrictions
MFSA 2012-27 Page load short-circuit can lead to XSS
MFSA 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error
MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite
MFSA 2012-24 Potential XSS via multibyte content processing errors
MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface
MFSA 2012-22 use-after-free in IDBKeyRange
MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)

Bugs fixed
- https://www.mozilla.org/en-US/thunderbird/12.0/releasenotes/buglist.html

Download
- https://www.mozilla.org/thunderbird/all.html
___

- https://secunia.com/advisories/48932/
Release Date: 2012-04-25
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of system information, Exposure of sensitive information, System access
Where: From remote...
Solution: Upgrade to Firefox version 12.0 and Thunderbird version 12.0...

- http://www.securitytracker.com/id/1026973
Date: Apr 24 2012
CVE Reference: CVE-2011-1187, CVE-2012-0467, CVE-2012-0468, CVE-2012-0469, CVE-2012-0470, CVE-2012-0471, CVE-2012-0472, CVE-2012-0473, CVE-2012-0474, CVE-2012-0475, CVE-2012-0477, CVE-2012-0478, CVE-2012-0479
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Version(s): prior to 12.0...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with a target site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A remote user can spoof certain web sites.
A remote user can obtain potentially sensitive information...


AplusWebMaster
2012-04-30, 16:33
FYI...

ISTR report for 2011
- https://secure.marketwatch.com/story/annual-symantec-internet-security-threat-report-reveals-81-percent-increase-in-malicious-attacks-2012-04-30?reflink=MW_news_stmp
April 30, 2012 - "... while the number of vulnerabilities decreased by 20 percent, the number of malicious attacks continued to skyrocket by 81 percent. In addition, the report* highlights that advanced targeted attacks are spreading to organizations of all sizes and variety of personnel, data breaches are increasing, and that attackers are focusing on mobile threats... Symantec blocked more than 5.5 billion malicious attacks in 2011, an increase of 81 percent over the previous year. In addition, the number of unique malware variants increased to 403 million and the number of Web attacks blocked per day increased by 36 percent... Targeted attacks are growing, with the number of daily targeted attacks increasing from 77 per day to 82 per day by the end of 2011. Targeted attacks use social engineering and customized malware to gain unauthorized access to sensitive information. These advanced attacks have traditionally focused on public sector and government; however, in 2011, targeted attacks diversified. Targeted attacks are no longer limited to large organizations. More than 50 percent of such attacks target organizations with fewer than 2,500 employees, and almost 18 percent target companies with fewer than 250 employees... As tablets and smartphones continue to outsell PCs, more sensitive information will be available on mobile devices. Workers are bringing their smartphones and tablets into the corporate environment faster than many organizations are able to secure and manage them. This may lead to an increase in data breaches as lost mobile devices present risks to information if not properly protected. Recent research by Symantec shows that 50 percent of lost phones will not be returned and 96 percent (including those returned) will experience a data breach... Mobile vulnerabilities increased by 93 percent in 2011. At the same time, there was a rise in threats targeting the Android operating system. 
With the number of vulnerabilities in the mobile space rising and malware authors not only reinventing existing malware for mobile devices, but creating mobile-specific malware geared to the unique mobile opportunities, 2011 was the first year that mobile malware presented a tangible threat to businesses and consumers..."
* http://www.symantec.com/threatreport/topic.jsp?id=threatreport&aid=executive_summary


AplusWebMaster
2012-05-01, 16:58
FYI...

Samba v3.4.17, 3.5.15, 3.6.5 released
- http://www.securitytracker.com/id/1026988
Date: Apr 30 2012
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2111 - 6.5
Impact: Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 3.4.x - 3.6.4
Description: ... A remote authenticated user can modify user privileges on the target system...
Solution: The vendor has issued a fix (3.4.17, 3.5.15, 3.6.5).
The vendor's advisory is available at:
http://www.samba.org/samba/security/CVE-2012-2111
"... Patches addressing this issue have been posted to:
- https://www.samba.org/samba/history/security.html
Additionally, Samba 3.6.5, Samba 3.5.15 and 3.4.17 have been issued as security releases to correct the defect. Patches against older Samba versions are available at:
- http://samba.org/samba/patches/
Samba administrators running affected versions are advised to upgrade to 3.6.5, 3.5.15, or 3.4.17 or apply these patches as soon as possible"...

- https://secunia.com/advisories/48976/
Release Date: 2012-05-01
CVE Reference(s): http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2111 - 6.5
... caused due to improper application of security checks in the CreateAccount, OpenAccount, AddAccountRights, and RemoveAccountRights remote procedure calls (RPC) within the Local Security Authority (LSA). This can be exploited to gain "take ownership" privileges and e.g. change the ownership of arbitrary files and directories on the smbd file server.
... reported in versions 3.4.x through 3.6.4.
Solution: Apply patch or update to version 3.4.17, 3.5.15, and 3.6.5.
Original Advisory:
- http://www.samba.org/samba/security/CVE-2012-2111


AplusWebMaster
2012-05-02, 00:44
FYI...

Apple patching practices ...
- http://atlas.arbor.net/briefs/index#-1272909644
30 Apr 2012 - OSX anti-malware site provides resources of value... link to a recent Flashback trojan analysis by DrWeb*.
Source: http://macviruscom.wordpress.com/2012/04/29/flashback-drweb-analysis-and-apple-patching-practice/

- http://nakedsecurity.sophos.com/2012/04/27/python-malware-mac/
April 27, 2012

* http://news.drweb.com/?i=2410&c=5&lng=en&p=0
April 27, 2012
> https://www.zdnet.com/blog/bott/flashback-malware-exposes-big-gaps-in-apple-security-response/4904?pg=2
April 29, 2012 - "... left to their own devices, many users will simply postpone those updates by clicking the 'Not Now' or 'Install Later' button. They see updates as an annoyance that will mean they can’t use their Mac for 10 minutes to a half-hour... roughly 1 out of every 4 Snow Leopard users are at least six months behind in terms of applying major software updates. Nearly 15% are more than a year behind, meaning they have skipped at least two major OS X updates and are easy prey for any exploit that targets security holes that were fixed in those updates... If (Apple) talks to the press in an effort to reach owners of Macs who aren’t aware they’ve been infected, they risk puncturing the 'Macs don’t get viruses' image they’ve cultivated through the years. So the company has chosen to remain silent, which is shameful..."

These guys know it - and so do the Hacks.

Free Mac anti-virus for home users
> http://www.sophos.com/freemacav
> https://www.avira.com/en/avira-free-mac-security
___

New Malware Found Exploiting Mac OS X Snow Leopard
- https://threatpost.com/en_us/blogs/new-malware-found-exploiting-mac-os-x-snow-leopard-050212
May 2, 2012 - "... with Lion, that specific memory address can't be written, so the exploit fails. We can assume that this malware itself is targeting only Snow Leopard or lower versions of Mac OSX. That means the attacker had knowledge about the target environment beforehand. That includes the target operating system, application patch levels, etc..."


AplusWebMaster
2012-05-06, 05:54
FYI...

Sumatra PDF reader v2.1.1 released
- http://blog.kowalczyk.info/software/sumatrapdf/download-free-pdf-viewer.html
2012-05-07

Version history
- http://blog.kowalczyk.info/software/sumatrapdf/news.html
Changes in this release: fixes for a few crashes
___

Sumatra PDF reader v2.1 released
- http://blog.kowalczyk.info/software/sumatrapdf/download-free-pdf-viewer.html
2012-05-03

What's new
- http://blog.kowalczyk.info/software/sumatrapdf/news.html
Changes in this release:
> support for EPUB ebook format
> added File/Rename menu item to rename currently viewed file (contributed by Vasily Fomin)
> support multi-page TIFF files
> support TGA images
> support for some comic book (CBZ) metadata
> support JPEG XR images (available on Windows Vista or later, for Windows XP the Windows Imaging Component has to be installed)
> the installer is now signed


AplusWebMaster
2012-05-08, 12:44
FYI...

Apple iOS 5.1.1 update for iPod, iPhone, iPad
- https://isc.sans.edu/diary.html?storyid=13144
Last Updated: 2012-05-07 20:29:40 UTC - "... only available through iTunes. The updates address Safari and WebKit for iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2... the update is available through iTunes."

- http://support.apple.com/kb/HT5278
May 07, 2012
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3046 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3056 - 7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0672 - 6.8
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0674 - 4.3

- http://support.apple.com/kb/DL1521
Version: 5.1.1 - May 07, 2012
System Requirements: iPhone 4S, iPhone 4, iPhone 3GS, iPad 2, iPad, iPod touch (4th generation), iPod touch (3rd generation)

Apple patches serious security holes in iOS devices
- http://atlas.arbor.net/briefs/index#-480279256
Severity: Elevated Severity
Published: Monday, May 07, 2012
New patches provide protection for recent security holes in iOS.
Analysis: Some of these security holes were used in "hacking contests" such as pwn2own. It is likely that others are aware of the security holes, especially now that patches have been released and are surely being analyzed by attackers to spot the vulnerabilities. Considering the hot trends in mobile attacks, users are encouraged to deploy these updates as soon as possible.
Source: https://www.zdnet.com/blog/security/apple-patches-serious-security-holes-in-ios-devices/11983?utm

- http://h-online.com/-1569932
8 May 2012

- http://nakedsecurity.sophos.com/2012/05/08/apple-offers-ios-5-1-1-update-fixes-some-serious-vulnerabilities/
May 8, 2012

- http://www.securitytracker.com/id/1027028
CVE Reference: CVE-2012-0672, CVE-2012-0674
Date: May 7 2012
Impact: Execution of arbitrary code via network, Modification of system information, User access via network
Version(s): prior to 5.1.1; iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2
Description: Two vulnerabilities were reported in Apple iOS. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can spoof the address bar URL...


AplusWebMaster
2012-05-08, 22:34
FYI...

Apache OpenOffice v3.4 released
- http://www.openoffice.org/news/aoo34.html
8 May 2012 — "The Apache OpenOffice Project today announced the availability of Apache OpenOffice 3.4, the first release of OpenOffice under the governance of the Apache Software Foundation. Apache OpenOffice is the original open source office productivity suite, designed for professional and consumer use... Apache OpenOffice is the leading open source office productivity suite, with more than 100 million users worldwide in home, corporate, government, research, and academic environments, across 15 languages. Apache OpenOffice 3.4 is available for download* free of charge. OpenOffice 3.4 features:
• word processing, spreadsheets, presentation graphics, databases, drawing, and mathematical editing applications support for Windows, Linux (32-bit and 64-bit) and Macintosh operating environments
• native language support for English, Arabic, Czech, German, Spanish, French, Galician, Hungarian, Italian, Japanese, Dutch, Russian, Brazilian Portuguese, Simplified Chinese, and Traditional Chinese
• improved ODF support, including new ODF 1.2 encryption options and new spreadsheet functions
• enhanced pivot table support in Calc
• enhanced graphics, including line caps, shear transformations and native support for Scalable Vector Graphics (SVG)
• improvements in performance and quality
The complete list of new features, functions, and improvements is available in the Release Notes..."

* Download: http://download.openoffice.org/

Release notes: https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+3.4+Release+Notes
___

- https://secunia.com/advisories/46992/
Release Date: 2012-05-17
Criticality level: Highly critical
Impact: System access
Where: From remote
CVE Reference(s): CVE-2012-1149, CVE-2012-2149
Solution: Update to version 3.4.
Original Advisory:
http://www.openoffice.org/security/cves/CVE-2012-1149.html
http://www.openoffice.org/security/cves/CVE-2012-2149.html

- http://www.securitytracker.com/id/1027068
CVE Reference: CVE-2012-1149
Updated: May 16 2012

- http://www.securitytracker.com/id/1027069
CVE Reference: CVE-2012-2149
May 16 2012

- http://www.securitytracker.com/id/1027070
CVE Reference: CVE-2012-2334
Date: May 16 2012
Solution: The vendor has issued a fix (3.4).
> http://www.openoffice.org/security/cves/CVE-2012-2334.html


AplusWebMaster
2012-05-10, 12:30
FYI...

Apple Security Update 2012-002 - OS X Lion v10.7.4
Released for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
- http://support.apple.com/kb/HT5281
May 09, 2012

- http://support.apple.com/kb/HT5167

Related: http://support.apple.com/kb/TS4272

- http://www.securitytracker.com/id/1027054
CVE Reference: CVE-2012-0649, CVE-2012-0651, CVE-2012-0654, CVE-2012-0655, CVE-2012-0656, CVE-2012-0657, CVE-2012-0658, CVE-2012-0659, CVE-2012-0660, CVE-2012-0661, CVE-2012-0662, CVE-2012-0675
Date: May 10 2012
Impact: Disclosure of system information, Execution of arbitrary code via network, User access via local system, User access via network
Version(s): 10.6.8, 10.7.3
Solution: The vendor has issued a fix (OS X Lion v10.7.4 and Security Update 2012-002), available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:
http://www.apple.com/support/downloads/
___

Safari 5.1.7
- http://support.apple.com/kb/HT5282
May 09, 2012

- http://support.apple.com/kb/DL1531

- http://support.apple.com/kb/HT5271

- https://secunia.com/advisories/47292/
Release Date: 2012-05-10
Criticality level: Highly critical
CVE Reference(s):
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3046 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3056 - 7.5 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0672 - 6.8
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0676 - 5.0
Impact: Security Bypass, Cross Site Scripting, System access
Where: From remote
... vulnerabilities are reported in versions prior to 5.1.7.
Solution: Update to version 5.1.7

- http://www.securitytracker.com/id/1027053
Date: May 10 2012
Impact: Modification of user information
Version(s): prior to 5.1.7
... The vendor's advisory is available at:
http://support.apple.com/kb/HT1222
___

Apple closes numerous holes in Mac OS X and Safari
- http://atlas.arbor.net/briefs/
Severity: Elevated Severity
Published: Friday, May 11, 2012
Now that malware authors are paying more attention to the OS X platform, keeping current on updates is going to become more important. This patch also fixes the recent plaintext password leakage issue.
Analysis: The Flashback trojan infected and still infects a substantial number of OS X systems. Imagine for a moment that they decided to take advantage of one of these security flaws - the password leakage issue with older versions of filevault - and compromised many passwords. Some of those passwords are bound to be re-used elsewhere, which could lead an attacker deeper into an enterprise. Creative and dedicated attackers will use any possible method to further their campaigns. This is just one scenario. Recent events show us that OS X is a viable target for criminals therefore patches need to be deployed in a timely manner to reduce risks.
Source: http://h-online.com/-1572174

.

AplusWebMaster
2012-05-15, 14:04
FYI...

Apple 2012-003 Security Update for Leopard
- https://support.apple.com/kb/DL1533
May 14, 2012

- http://support.apple.com/kb/HT5271
"... Out-of-date versions of Adobe Flash Player do not include the latest security updates and will be disabled to help keep your Mac secure. If Safari 5.1.7 or Leopard Security Update 2012-003 detects an out-of-date version of Flash Player on your system, you will see a dialog informing you that Flash Player has been disabled. The dialog provides the option to go directly to Adobe's website, where you can download and install an updated version of Flash Player..."

- http://support.apple.com/kb/HT1222

- http://lists.apple.com/archives/security-announce/2012/May/msg00004.html
___

APPLE-SA-2012-05-14-1 Flashback Removal Security Update
- http://lists.apple.com/archives/security-announce/2012/May/msg00003.html
14 May 2012

- http://support.apple.com/downloads/

Flashback removal tool - for Mac OS X 10.5 Leopard
- http://h-online.com/-1575554
15 May 2012

.

AplusWebMaster
2012-05-16, 16:38
FYI...

QuickTime v7.7.2 released
- https://secunia.com/advisories/47447/
Release Date: 2012-05-16
Criticality level: Highly critical
Impact: System access
Where: From remote
CVE Reference: CVE-2011-3458, CVE-2011-3459, CVE-2011-3460, CVE-2012-0265, CVE-2012-0663, CVE-2012-0664, CVE-2012-0665, CVE-2012-0666, CVE-2012-0667, CVE-2012-0668, CVE-2012-0669, CVE-2012-0670, CVE-2012-0671
... vulnerabilities are reported in versions prior to 7.7.2.
Solution: Update to version 7.7.2.
Original Advisory: Apple (APPLE-SA-2012-05-15-1):
http://lists.apple.com/archives/security-announce/2012/May/msg00005.html
Download:
- http://www.apple.com/quicktime/download/
-or-
Use Apple Software Update.

- http://support.apple.com/kb/HT5261
May 15, 2012

- http://www.securitytracker.com/id/1027065
May 16 2012
Impact: Execution of arbitrary code via network, User access via network
Version(s): prior to 7.7.2
Description: Multiple vulnerabilities were reported in Apple QuickTime. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create a specially crafted file that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.
Only Windows-based systems are affected...


AplusWebMaster
2012-05-20, 04:09
FYI...

PHP v5.4.3 - PoC remote exploit in the wild
- https://isc.sans.edu/diary.html?storyid=13255
Last Updated: 2012-05-19 - "There is a remote exploit in the wild for PHP 5.4.3 in Windows, which takes advantage of a vulnerability in the com_print_typeinfo function. The php engine needs to execute the malicious code, which can include any shellcode like the ones that bind a shell to a port. Since there is no patch available for this vulnerability yet, you might want to do the following:
• Block any file upload function in your php applications to avoid risks of exploit code execution.
• Use your IPS to filter known shellcodes like the ones included in metasploit.
• Keep PHP in the current available version, so you can know that you are not a possible target for any other vulnerability like CVE-2012-2336* registered at the beginning of the month.
• Use your HIPS to block any possible buffer overflow in your system."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2336

> Last: http://www.php.net/archive/2012.php#id2012-05-08-1

PHP 5.4 (5.4.3) Code Execution (Win32)
> http://www.exploit-db.com/exploits/18861/
___

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2376 - 10.0 (HIGH)


AplusWebMaster
2012-05-31, 16:22
FYI...

IrfanView plugins updated - v4.34 released

- https://secunia.com/advisories/49204/
Release Date: 2012-05-31
Criticality level: Highly critical
Impact: System access
Where: From remote
... vulnerability is confirmed in version 4.33. Other versions may also be affected.
Solution: Apply ECW PlugIn patch version 4.34*
___

- http://www.irfanview.com/plugins.htm
PlugIns updated -after- the version 4.33:

FPX/FlashPix PlugIn (4.34): Installer or ZIP - FPX-Library loading bug fixed:
http://www.irfanview.net/plugins/irfanview_plugin_fpx.exe
* ECW PlugIn (Third party, 3.1.0.350 - 4.34): Installer or ZIP - Some loading bugs fixed:
http://www.irfanview.net/plugins/irfanview_plugin_ecw.exe
XCF PlugIn (1.08): Installer or ZIP - Some loading bugs fixed:
http://www.irfanview.net/plugins/irfanview_plugin_xcf.exe

- https://secunia.com/advisories/49319/
Release Date: 2012-06-01
Criticality level: Moderately critical
Impact: System access
Where: From remote...
Solution: Apply Formats PlugIn patch version 4.34...
- http://www.irfanview.com/plugins.htm
FORMATS PlugIn (4.34): TTF loading bug fixed...
- http://www.irfanview.net/plugins/irfanview_plugin_formats.exe


AplusWebMaster
2012-06-07, 15:38
FYI...

Thunderbird v13.0 released
- https://www.mozilla.org/en-US/thunderbird/13.0/releasenotes
June 5, 2012 ... See Known Issues

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird13
Fixed in Thunderbird 13
MFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer
MFSA 2012-39 NSS parsing errors with zero length items
MFSA 2012-38 Use-after-free while replacing/inserting a node in a document
MFSA 2012-37 Information disclosure though Windows file shares and shortcut files
MFSA 2012-36 Content Security Policy inline-script bypass
MFSA 2012-35 Privilege escalation through Mozilla Updater and Windows Updater Service
MFSA 2012-34 Miscellaneous memory safety hazards

Bugs fixed
- https://www.mozilla.org/en-US/thunderbird/13.0/releasenotes/buglist.html

Download
- https://www.mozilla.org/thunderbird/all.html
___

- http://www.securitytracker.com/id/1027122
CVE Reference:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0441 - 5.0
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1937 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1938 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1939 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1940 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1941 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1942 - 7.2 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1943 - 6.9
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1944 - 4.3
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1945 - 2.9
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1946 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1947 - 9.3 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3105 - 9.3 (HIGH)
Jun 6 2012
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Version(s): prior to 13.0

- https://secunia.com/advisories/49368/
Release Date: 2012-06-06
Criticality level: Highly critical
Impact: Unknown, Security Bypass, Exposure of sensitive information, Privilege escalation, System access
Where: From remote
Solution: Upgrade to... Thunderbird version 13.0.


AplusWebMaster
2012-06-12, 15:34
FYI...

iTunes v10.6.3 released
- https://secunia.com/advisories/49489/
Release Date: 2012-06-12
Criticality level: Highly critical
Impact: System access
Where: From remote
CVE Reference(s):
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0672 - 6.8
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0677 - 9.3 (HIGH)
... This vulnerability does not affect the application on OS X Lion systems.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code.
Solution: Update to version 10.6.3.
Original Advisory: Apple:
http://support.apple.com/kb/HT5318

• Addresses a problem where iTunes may become unresponsive when syncing an iPad (1st generation) that contains an iBooks textbook
• Fixes a problem where photos synced to a device may appear in an unexpected order
• Resolves an issue where iTunes may unexpectedly delete playlists created on a device
• Fixes issues where iTunes may unexpectedly delete apps on a device
• Improves overall performance and reliability

... available via Apple Software Update.


AplusWebMaster
2012-06-13, 16:35
FYI...

Java for OS X 2012-004 / Mac OS X 10.6 Update 9
- http://support.apple.com/kb/HT5319
June 12, 2012 - "Description: Multiple vulnerabilities exist in Java, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_33. Further information is available via the Java website at
http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html ..."

- https://secunia.com/advisories/49542/
Release Date: 2012-06-13
Criticality level: Highly critical
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote...
... more information: https://secunia.com/SA49472/
Original Advisory: http://support.apple.com/kb/HT5319

> http://forums.spybot.info/showpost.php?p=426869&postcount=4


AplusWebMaster
2012-06-21, 20:24
FYI...

Winamp v5.63 released
AVI/IT File Processing vulns
- https://secunia.com/advisories/46624/
Release Date: 2012-06-21
Criticality level: Highly critical
Impact: System access
Where: From remote ...
Solution: Update to version 5.63 Build 3234.
Original Advisory: Winamp:
http://forums.winamp.com/showthread.php?t=345684


AplusWebMaster
2012-07-12, 17:38
FYI...

Plesk Panel remote vuln - Fix
- http://kb.parallels.com/en/113321
Last Review: Jul, 12 2012 - "... it may not be plausible at this time to perform a full upgrade to the latest release of Parallels Plesk Panel 11 which is not affected, thus there was a set of Micro-Updates released for each major version affected which will resolve the security issue without the necessity of a system upgrade..."

- http://www.symantec.com/security_response/threatconlearn.jsp
"... Parallels has released a fix for its Plesk Panel application to correct a previously unknown vulnerability which allows the administrator password to be recovered by an attacker. The code to exploit the vulnerability is currently being sold on the internet and potentially allows passwords to be compromised. Customers are advised to apply the fix as soon as possible..."
___

- http://www.securitytracker.com/id/1027243
Jul 12 2012
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1557 - 7.5 (HIGH)
Impact: Disclosure of system information, Disclosure of user information, User access via network
Version(s): prior to 10.4.x*
Solution: The vendor has issued a fix.
The fix also includes a Mass Password Reset Script that must be executed to remove existing sessions and prevent a recurrence.
The vendor's advisory is available at:
- http://kb.parallels.com/en/113321

- https://secunia.com/advisories/48262
___

Plesk Panel 10.x for Windows...
* http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-windows-updates-release-notes.html
15-Jul-2012 - "... Fixed critical Plesk security issues found during internal security audit. All customers are highly recommended to update..."

Plesk Panel 10.x for Linux...
- http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-linux-updates-release-notes.html
15-Jul-2012 - "... Fixed critical Plesk security issues found during internal security audit. All customers are highly recommended to update..."

- http://kb.parallels.com/en/113321
Last Review: Jul, 16 2012


AplusWebMaster
2012-07-18, 20:38
FYI...

Thunderbird v14.0 released
- https://www.mozilla.org/en-US/thunderbird/14.0/releasenotes
July 17, 2012 ... See Known Issues

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird14
Fixed in Thunderbird 14
MFSA 2012-56 Code execution through javascript: URLs
MFSA 2012-53 Content Security Policy 1.0 implementation errors cause data leakage
MFSA 2012-52 JSDependentString::undepend string conversion results in memory corruption
MFSA 2012-51 X-Frame-Options header ignored when duplicated
MFSA 2012-50 Out of bounds read in QCMS
MFSA 2012-49 Same-compartment Security Wrappers can be bypassed
MFSA 2012-48 use-after-free in nsGlobalWindow::PageHidden
MFSA 2012-47 Improper filtering of javascript in HTML feed-view
MFSA 2012-45 Spoofing issue with location
MFSA 2012-44 Gecko memory corruption
MFSA 2012-42 Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6)

Bugs fixed
- https://www.mozilla.org/en-US/thunderbird/14.0/releasenotes/buglist.html

Download
- https://www.mozilla.org/thunderbird/all.html
___

- https://secunia.com/advisories/49993/
Release Date: 2012-07-18
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, System access
Where: From remote...
Solution: Upgrade to version 14...

- http://www.securitytracker.com/id/1027257
CVE Reference: CVE-2012-1948, CVE-2012-1949, CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1955, CVE-2012-1957, CVE-2012-1958, CVE-2012-1959, CVE-2012-1960, CVE-2012-1961, CVE-2012-1962, CVE-2012-1963, CVE-2012-1967
Jul 17 2012
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Version(s): prior to 14 ...


AplusWebMaster
2012-07-18, 21:28
FYI...

- http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
2012-July-17 - "... This Critical Patch Update contains 87 new security fixes..."
* http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html#PIN

July 2012 Risk Matrices
- http://www.oracle.com/technetwork/topics/security/cpujul2012verbose-392736.html
___

- https://www.us-cert.gov/current/#oracle_releases_critical_patch_update20
July 18, 2012 - "... 87 vulnerabilities across multiple products. This update contains the following security fixes:
• 4 for Oracle Database Server
• 1 for Oracle Application Express Listener
• 2 for Oracle Secure Backup
• 22 for Oracle Fusion Middleware
• 1 for Oracle Hyperion
• 1 for Oracle Enterprise Manager Grid Control
• 4 for Oracle E-Business Suite
• 5 for Oracle Supply Chain Products
• 9 for Oracle PeopleSoft Products
• 7 for Oracle Siebel CRM
• 1 for Oracle Industry Applications
• 24 for Oracle Sun Products
• 6 for Oracle MySQL ..."
___

- http://h-online.com/-1644934
18 July 2012


AplusWebMaster
2012-07-23, 22:03
FYI...

Symantec Two Products Insecure Library Loading vuln ...
- https://secunia.com/advisories/50033/
Release Date: 2012-07-23
Criticality level: Highly critical
Impact: System access
Where: From remote
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0305
... vulnerability is reported in the following products and versions:
* Symantec Backup Exec System Recovery 2010 prior to SP5
* Symantec System Recovery 2011 prior to SP2
Solution: Update to a fixed version.
Original Advisory: SYM12-012:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120720_01

- http://support.microsoft.com/kb/932716#appliesto
Last Review: October 9, 2011 - Revision: 6.0
___

Symantec Web Gateway multiple vulns
- https://secunia.com/advisories/50031/
Release Date: 2012-07-23
Criticality level: Moderately critical
Impact: Security Bypass, Manipulation of data, System access
Where: From local network
CVE Reference(s): CVE-2012-2574, CVE-2012-2953, CVE-2012-2957, CVE-2012-2961, CVE-2012-2976, CVE-2012-2977
Solution: Apply Database Update 5.0.0.438.
Original Advisory: SYM12-011:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120720_00


AplusWebMaster
2012-07-24, 19:47
FYI...

"WordPress Plugin" search results ...
- https://secunia.com/advisories/search/?search=WordPress+Plugin
Found: 415 Secunia Security Advisories ...
Aug 31, 2012

- http://nakedsecurity.sophos.com/2012/08/10/blackhole-malware-attack/
"... ensure that any software you run on your web server is also properly secured, and kept patched and current (that includes blogging software like WordPress and any plugins that it might use)."


AplusWebMaster
2012-07-26, 16:19
FYI...

Safari v6 released
- http://support.apple.com/kb/HT5400
July 25, 2012
> http://lists.apple.com/archives/security-announce/2012/Jul/msg00000.html
APPLE-SA-2012-07-25-1 Safari 6.0

- https://secunia.com/advisories/50058/
Release Date: 2012-07-26
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, System access
Where: From remote...
Solution: Upgrade to Safari version 6.0 via Apple Software Update.

- http://www.securitytracker.com/id/1027307
CVE Reference: CVE-2011-3016, CVE-2011-3021, CVE-2011-3027, CVE-2011-3913, CVE-2012-0678, CVE-2012-0679, CVE-2012-0680, CVE-2012-0682, CVE-2012-0683, CVE-2012-1520, CVE-2012-2815, CVE-2012-3589, CVE-2012-3590, CVE-2012-3591, CVE-2012-3592, CVE-2012-3593, CVE-2012-3594, CVE-2012-3595, CVE-2012-3596, CVE-2012-3597, CVE-2012-3599, CVE-2012-3600, CVE-2012-3603, CVE-2012-3604, CVE-2012-3605, CVE-2012-3608, CVE-2012-3609, CVE-2012-3610, CVE-2012-3611, CVE-2012-3615, CVE-2012-3618, CVE-2012-3620, CVE-2012-3625, CVE-2012-3626, CVE-2012-3627, CVE-2012-3628, CVE-2012-3629, CVE-2012-3630, CVE-2012-3631, CVE-2012-3633, CVE-2012-3634, CVE-2012-3635, CVE-2012-3636, CVE-2012-3637, CVE-2012-3638, CVE-2012-3639, CVE-2012-3640, CVE-2012-3641, CVE-2012-3642, CVE-2012-3644, CVE-2012-3645, CVE-2012-3646, CVE-2012-3650, CVE-2012-3653, CVE-2012-3655, CVE-2012-3656, CVE-2012-3661, CVE-2012-3663, CVE-2012-3664, CVE-2012-3665, CVE-2012-3666, CVE-2012-3667, CVE-2012-3668, CVE-2012-3669, CVE-2012-3670, CVE-2012-3674, CVE-2012-3678, CVE-2012-3679, CVE-2012-3680, CVE-2012-3681, CVE-2012-3682, CVE-2012-3683, CVE-2012-3686, CVE-2012-3689, CVE-2012-3690, CVE-2012-3691, CVE-2012-3693, CVE-2012-3694, CVE-2012-3695, CVE-2012-3696, CVE-2012-3697
Jul 26 2012
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Version(s): prior to 6.0 ...
___

Apple Xcode v4.4 released
- https://secunia.com/advisories/50068/
Release Date: 2012-07-26
Impact: Hijacking, Security Bypass, Exposure of sensitive information
Where: From remote
CVE Reference(s): CVE-2011-3389, CVE-2012-3698
... weakness and the vulnerability are reported in versions prior to 4.4.
Solution: Update to version 4.4 via the Apple Developer site or via the App Store.
Original Advisory: APPLE-SA-2012-07-25-2:
http://support.apple.com/kb/HT5416

- http://www.securitytracker.com/id/1027302
CVE Reference: CVE-2012-3698
Jul 26 2012
Impact: Disclosure of authentication information, Disclosure of user information
Version(s): prior to 4.4

- http://www.securitytracker.com/id/1027303
CVE Reference: CVE-2011-3389
Jul 26 2012
Impact: Disclosure of user information
Version(s): prior to 4.4


AplusWebMaster
2012-08-17, 23:56
FYI...

PHP v5.4.6, 5.3.16 released
- http://www.php.net/
16-Aug-2012 - "... immediate availability of PHP 5.4.6 and PHP 5.3.16. These releases fix over 20 bugs. All users of PHP are encouraged to upgrade..."

Download
- http://www.php.net/downloads.php

ChangeLog
- http://www.php.net/ChangeLog-5.php


AplusWebMaster
2012-08-23, 21:25
FYI...

OpenOffice v3.4.1 released
- https://blogs.apache.org/OOo/entry/announcing_apache_openoffice_3_41
Aug 23, 2012 - "... OpenOffice 3.4.1 can be downloaded now from http://www.openoffice.org/download/ or by going to the 'Help/Check for Updates' dialog within OpenOffice 3.4 or 3.3..."

Release notes
- http://www.openoffice.org/development/releases/3.4.1.html
"... there were 69 verified issues that have been resolved..."
(More detail at the URL above.)

- http://h-online.com/-1674083
23 August 2012
___

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2665 - 7.5 (HIGH)
Last revised: 09/07/2012

- http://www.openoffice.org/security/cves/CVE-2012-2665.html
Versions Affected:
Apache OpenOffice 3.4.0, all languages, all platforms.
Earlier versions of OpenOffice.org may be also affected.
... upgrade to Apache OpenOffice 3.4.1...

- https://secunia.com/advisories/50438/
Release Date: 2012-08-28
Criticality level: Highly critical
Solution: Update to version 3.4.1.


AplusWebMaster
2012-08-30, 15:42
FYI...

Thunderbird v15.0 released
- https://www.mozilla.org/en-US/thunderbird/15.0/releasenotes
August 28, 2012 ... See Known Issues

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird15
Fixed in Thunderbird 15 ...

Bugs fixed
- https://www.mozilla.org/en-US/thunderbird/15.0/releasenotes/buglist.html

Download
- https://www.mozilla.org/thunderbird/all.html
___

- http://www.securitytracker.com/id/1027452
CVE Reference: CVE-2012-1956, CVE-2012-1970, CVE-2012-1971, CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976, CVE-2012-3956, CVE-2012-3957, CVE-2012-3958, CVE-2012-3959, CVE-2012-3960, CVE-2012-3961, CVE-2012-3962, CVE-2012-3963, CVE-2012-3964, CVE-2012-3966, CVE-2012-3967, CVE-2012-3968, CVE-2012-3969, CVE-2012-3970, CVE-2012-3971, CVE-2012-3972, CVE-2012-3974, CVE-2012-3975, CVE-2012-3978, CVE-2012-3980
Aug 29 2012
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Version(s): prior to ESR 10.0.7; prior to 15.0

- https://secunia.com/advisories/50308/
Release Date: 2012-08-29
Criticality level: Highly critical
Impact: Cross Site Scripting, Spoofing, Exposure of sensitive information, System access
Where: From remote...
For more information: https://secunia.com/SA50088/
Solution: Upgrade to version 15...
___

- http://h-online.com/-1677823
29 August 2012


AplusWebMaster
2012-09-06, 14:40
FYI...

Apple/Java v1.6.0_35
- https://support.apple.com/kb/HT5473
Sep 05, 2012
Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 or later, OS X Lion Server v10.7 or later, OS X Mountain Lion v10.8 or later
Description: An opportunity for security-in-depth hardening is addressed by updating to Java version 1.6.0_35. Further information is available via the Java website at
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
CVE-ID: CVE-2012-0547

- https://support.apple.com/kb/HT1338

APPLE-SA-2012-09-05-1 Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10
- http://lists.apple.com/archives/security-announce/2012/Sep/msg00000.html
Sep 05, 2012
___

- https://secunia.com/advisories/50545/
Release Date: 2012-09-06
Criticality level: Highly critical
Impact: System access
Where: From remote
CVE Reference(s): CVE-2012-0547, CVE-2012-4681
... For more information see: https://secunia.com/SA50133/
Original Advisory: APPLE-SA-2012-09-05-1:
http://lists.apple.com/archives/security-announce/2012/Sep/msg00000.html


AplusWebMaster
2012-09-07, 16:02
FYI...

WordPress v3.4.2 released
- http://wordpress.org/download/
September 6, 2012 - "The latest stable release of WordPress (Version 3.4.2) is available..."

WordPress 3.4.2 Maintenance and Security Release
- https://wordpress.org/news/2012/09/wordpress-3-4-2/
September 6, 2012 - "WordPress 3.4.2, now available for download, is a maintenance and security release for all previous versions... we’ve identified and fixed a number of nagging bugs, including:
• Fix some issues with older browsers in the administration area.
• Fix an issue where a theme may not preview correctly, or its screenshot may not be displayed.
• Improve plugin compatibility with the visual editor.
• Address pagination problems with some category permalink structures.
• Avoid errors with both oEmbed providers and trackbacks.
• Prevent improperly sized header images from being uploaded.
Version 3.4.2 also fixes a few security issues and contains some security hardening..."

- https://secunia.com/advisories/50515/
Release Date: 2012-09-07
Impact: Unknown, Security Bypass
Where: From remote
... security issue and vulnerability are reported in versions prior to 3.4.2.
Solution: Update to version 3.4.2.
Original Advisory: http://wordpress.org/news/2012/09/wordpress-3-4-2/

- http://h-online.com/-1702501
7 Sep 2012
___

"WordPress Plugin" search results ...
- https://secunia.com/advisories/search/?search=WordPress+Plugin
Found: 432 Secunia Security Advisories ...
Oct 15, 2012


AplusWebMaster
2012-09-13, 17:05
FYI...

Apple iTunes v10.7 released
- https://secunia.com/advisories/50618/
Release Date: 2012-09-13
Criticality level: Highly critical
Impact: System access
Where: From remote
... vulnerabilities are reported in versions prior to 10.7.
Solution: Update to version 10.7.
Original Advisory: APPLE-SA-2012-09-12-1:
http://lists.apple.com/archives/security-announce/2012/Sep/msg00001.html

- http://www.securitytracker.com/id/1027525
CVE Reference: CVE-2012-2817, CVE-2012-2818, CVE-2012-2829, CVE-2012-2831, CVE-2012-3601, CVE-2012-3602, CVE-2012-3606, CVE-2012-3607, CVE-2012-3612, CVE-2012-3613, CVE-2012-3614, CVE-2012-3616, CVE-2012-3617, CVE-2012-3621, CVE-2012-3622, CVE-2012-3623, CVE-2012-3624, CVE-2012-3632, CVE-2012-3643, CVE-2012-3647, CVE-2012-3648, CVE-2012-3649, CVE-2012-3651, CVE-2012-3652, CVE-2012-3654, CVE-2012-3657, CVE-2012-3658, CVE-2012-3659, CVE-2012-3660, CVE-2012-3671, CVE-2012-3672, CVE-2012-3673, CVE-2012-3675, CVE-2012-3676, CVE-2012-3677, CVE-2012-3684, CVE-2012-3685, CVE-2012-3687, CVE-2012-3688, CVE-2012-3692, CVE-2012-3699, CVE-2012-3700, CVE-2012-3701, CVE-2012-3702, CVE-2012-3703, CVE-2012-3704, CVE-2012-3705, CVE-2012-3706, CVE-2012-3707, CVE-2012-3708, CVE-2012-3709, CVE-2012-3710, CVE-2012-3711, CVE-2012-3712
Sep 13 2012
Impact: Execution of arbitrary code via network, User access via network
Version(s): prior to 10.7

- https://support.apple.com/kb/HT5485
Sep 12, 2012
___

163 security holes in iTunes
- http://h-online.com/-1706849
13 Sep 2012


AplusWebMaster
2012-09-20, 00:48
FYI...

iOS 6 released
APPLE-SA-2012-09-19-1 iOS 6
- http://lists.apple.com/archives/security-announce/2012/Sep/msg00003.html
19 Sep 2012
"iOS 6 is now available...
Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later..."

- https://support.apple.com/kb/HT5503
"... can be downloaded and installed using iTunes*..."
* https://support.apple.com/kb/ht1414

- https://secunia.com/advisories/50586/
Release Date: 2012-09-20
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of system information, Exposure of sensitive information, Privilege escalation, System access
Where: From remote ...
Solution: Upgrade to iOS 6 via Software Update.

- http://www.securitytracker.com/id/1027552
CVE Reference: CVE-2011-1944, CVE-2011-2821, CVE-2011-2834, CVE-2011-4599, CVE-2012-3724, CVE-2012-3725, CVE-2012-3726, CVE-2012-3727, CVE-2012-3728, CVE-2012-3729, CVE-2012-3730, CVE-2012-3731, CVE-2012-3732, CVE-2012-3733, CVE-2012-3734, CVE-2012-3735, CVE-2012-3736, CVE-2012-3737, CVE-2012-3738, CVE-2012-3739, CVE-2012-3740, CVE-2012-3741, CVE-2012-3742, CVE-2012-3743, CVE-2012-3744, CVE-2012-3745, CVE-2012-3746, CVE-2012-3747
Sep 20 2012
Impact: Disclosure of system information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network...
Solution: The vendor has issued a fix (6.0).
___

- http://h-online.com/-1713012
20 Sep 2012

- https://isc.sans.edu/diary.html?storyid=14128
"iOS6 released: a few CVEs addressed, breaks mapping."


AplusWebMaster
2012-09-20, 15:52
FYI...

Apple security updates
- https://support.apple.com/kb/HT1222
3x - 19 Sept 2012
___

Safari v6.0.1 for Mac OS X
- https://secunia.com/advisories/50577/
Release Date: 2012-09-20
Criticality level: Highly critical
Impact: Security Bypass, Exposure of sensitive information, System access
Where: From remote...
Solution: Update to version 6.0.1...
Original Advisory: Apple:
http://support.apple.com/kb/HT5502

> http://lists.apple.com/archives/security-announce/2012/Sep/msg00005.html
APPLE-SA-2012-09-19-3 Safari 6.0.1
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 and v10.8.1

- http://www.securitytracker.com/id/1027550
CVE Reference: CVE-2012-3713, CVE-2012-3714, CVE-2012-3715, CVE-2012-3598
Date: Sep 20 2012
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Version(s): prior to 6.0.1
___

Mac OS X multiple vulns - Security Update 2012-004
- https://secunia.com/advisories/50628/
Release Date: 2012-09-20
Criticality level: Highly critical
Impact: Security Bypass, Exposure of sensitive information, Privilege escalation, DoS, System access
Where: From remote...
Solution: Update to version 10.8.2 or 10.7.5 or apply Security Update 2012-004.

- http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
APPLE-SA-2012-09-19-2 OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and Security Update 2012-004

- http://www.securitytracker.com/id/1027551
CVE Reference: CVE-2012-0650, CVE-2012-3716, CVE-2012-3718, CVE-2012-3719, CVE-2012-3720, CVE-2012-3721, CVE-2012-3722, CVE-2012-3723
Sep 20 2012
Impact: Denial of service via network, Disclosure of authentication information, Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
... vendor's advisory is available at:
http://support.apple.com/kb/HT5501


AplusWebMaster
2012-09-25, 18:57
FYI...

Apple TV v5.1 released
- https://secunia.com/advisories/50728/
Release Date: 2012-09-25
Criticality level: Highly critical
Impact: Exposure of sensitive information, DoS, System access
Where: From remote
CVE Reference(s): CVE-2011-1167, CVE-2011-1944, CVE-2011-2821, CVE-2011-2834, CVE-2011-3026, CVE-2011-3048, CVE-2011-3328, CVE-2011-3919, CVE-2012-0682, CVE-2012-0683, CVE-2012-1173, CVE-2012-3589, CVE-2012-3590, CVE-2012-3591, CVE-2012-3592, CVE-2012-3678, CVE-2012-3679, CVE-2012-3722, CVE-2012-3725, CVE-2012-3726
... vulnerabilities are reported in versions prior to 5.1.
Solution: Update to Apple TV Software version 5.1.
Original Advisory: APPLE-SA-2012-09-24-1:
http://support.apple.com/kb/HT5504
Apple TV 2nd generation and later

- https://support.apple.com/kb/HT4448
Apple TV (2nd and 3rd generation) software updates
Sep 24, 2012

How to update: https://support.apple.com/kb/HT1600

APPLE-SA-2012-09-24-1 Apple TV 5.1
- http://lists.apple.com/archives/security-announce/2012/Sep/msg00006.html
24 Sep 2012


AplusWebMaster
2012-09-25, 19:11
FYI...

phpMyAdmin 3.x - potential compromise
- https://secunia.com/advisories/50703/
Release Date: 2012-09-25
Criticality level: Extremely critical
Impact: System access
Where: From remote
... distribution of a compromised phpMyAdmin source code package containing a backdoor, which can be exploited to e.g. execute arbitrary PHP code.
Solution: Download and reinstall phpMyAdmin.
Software: phpMyAdmin 3.x
Original Advisory:
http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php
Date: 2012-09-25
Summary: One server from the SourceForge.net mirror system was distributing a phpMyAdmin kit containing a backdoor...
Severity: We consider this vulnerability to be critical.
Affected Versions: We currently know only about phpMyAdmin-3.5.2.2-all-languages.zip being affected, check if your download contains a file named server_sync.php.
Solution: Check your phpMyAdmin distribution and download it again from a trusted mirror if your copy contains a file named server_sync.php...

> http://www.phpmyadmin.net/home_page/downloads.php
phpMyAdmin 3.5.2.2 - Released 12 Aug 2012
___

- https://threatpost.com/en_us/blogs/sourceforge-investigates-backdoor-code-found-copy-phpmyadmin-092512
Sep 25, 2012

- http://h-online.com/-1717644
26 Sep 2012


AplusWebMaster
2012-09-28, 19:36
FYI...

RE: iOS 6 release / Apple maps...

- http://news.yahoo.com/tim-cook-apple-maps-extremely-sorry-working-fix-135819039.html
Sep 28, 2012 - "Apple CEO Tim Cook says the company is "extremely sorry" for the frustration that its maps application has caused and it's doing everything it can to make it better. Cook said in a letter posted online Friday that Apple "fell short" in its commitment to make the best possible products for its customers. He recommends that people try alternatives by downloading competing map apps from the App Store while Apple works on its own maps products... had released an update to its iPhone and iPad operating system last week that replaced Google Maps with Apple's own maps application. But users complained that the new maps have fewer details, lack public transit directions and misplace landmarks, among other problems."
* https://www.apple.com/letter-from-tim-cook-on-maps/
Sep 28, 2012


AplusWebMaster
2012-10-11, 14:56
FYI...

Thunderbird v16.0.1 released
- https://www.mozilla.org/en-US/thunderbird/16.0.1/releasenotes
October 11, 2012 ... See Known Issues

Download
- https://www.mozilla.org/thunderbird/all.html

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird16.0.1
Fixed in Thunderbird 16.0.1
MFSA 2012-89 defaultValue security checks not applied
MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4190 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4191 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4192 - 4.3
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4193 - 9.3 (HIGH)
___

Bugs fixed
- https://www.mozilla.org/en-US/thunderbird/16.0/releasenotes/buglist.html
___

- http://www.securitytracker.com/id/1027652
CVE Reference: CVE-2012-4190, CVE-2012-4191
Oct 12 2012
Impact: A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (16.0.1).

- https://secunia.com/advisories/50932/
Last Update: 2012-10-12
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote
CVE Reference(s): CVE-2012-4190, CVE-2012-4191, CVE-2012-4192, CVE-2012-4193
... vulnerabilities are reported in Firefox and Thunderbird versions -prior- to 16.0.1 and SeaMonkey versions -prior- to 2.13.1.
Solution: Update Firefox and Thunderbird to versions 16.0.1 and SeaMonkey to version 2.13.1.


AplusWebMaster
2012-10-17, 06:52
FYI...

Oracle Critical Patch Update Advisory - October 2012
- http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
Oct 16, 2012 - "... Critical Patch Update patches are usually cumulative but each advisory describes only the security fixes added since the previous Critical Patch Update advisory... Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 109 new security fixes..."

Patch Availability Table
- http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html#PIN

Risk Matrices
- http://www.oracle.com/technetwork/topics/security/cpuoct2012verbose-1515934.html
___

- http://atlas.arbor.net/briefs/index#968980828
Severity: High Severity
October 17, 2012
In addition to patching Java, Oracle releases patches for other products as well.
Analysis: While the Java security issues get the most press due to its widespread exploitation, the Oracle database and other products are often used to protect sensitive information and should also be protected. Some of these other products don't have the same attack footprint as Java; however, if an attacker is already inside the network then other Oracle software is easier to reach and exploit.
Source: http://h-online.com/-1731176

Oct 17 2012
Sun SPARC Server Bug in Integrated Lights Out Manager Lets Local Users Access Data
http://www.securitytracker.com/id/1027677
Sun GlassFish Enterprise Server CORBA Bug Lets Remote Users Cause Partial DoS Conditions
http://www.securitytracker.com/id/1027676
Oracle Industry Applications Bugs Let Remote Users Partially Access and Modify Data and Deny Service
http://www.securitytracker.com/id/1027675
Oracle Siebel CRM Bugs Let Remote Users Access Data on the Target System
http://www.securitytracker.com/id/1027674
Oracle Financial Services Software Bugs Lets Remote Authenticated Users Access and Modify Data and Deny Service
http://www.securitytracker.com/id/1027673
Oracle Java Runtime Environment (JRE) Bugs Let Remote Users Gain Full Control of the Target System
http://www.securitytracker.com/id/1027672
Oracle PeopleSoft Products Bugs Lets Remote Authenticated Users Partially Access Data, Modify Data, and Deny Service
http://www.securitytracker.com/id/1027671
Oracle Supply Chain Products Suite Bugs Let Remote Users Access and Modify Data
http://www.securitytracker.com/id/1027670
Oracle Fusion Middleware Bugs Let Remote Users Access and Modify Data and Local and Remote Users Deny Service
http://www.securitytracker.com/id/1027669
Oracle E-Business Suite Bugs Let Remote Users Partially Access and Modify Data and Partially Deny Service
http://www.securitytracker.com/id/1027668
Solaris Lets Local Users Gain Root Privileges and Remote Users Deny Service
http://www.securitytracker.com/id/1027667
Oracle Virtualization Bugs Let Remote Users Partially Modify Data and Local Users Partially Deny Service
http://www.securitytracker.com/id/1027666
MySQL Multiple Bugs Let Remote Authenticated Users Access and Modify Data and Deny Service and Local Users Access Data
http://www.securitytracker.com/id/1027665
Oracle Database Bugs Let Remote Authenticated Users Partially Modify Data and Cause Partial Denial of Service Conditions
http://www.securitytracker.com/id/1027664


AplusWebMaster
2012-11-02, 02:48
FYI...

iOS 6.0.1 Software Update
- https://support.apple.com/kb/DL1606
Nov 1, 2012
"This update contains improvements and bug fixes, including:
• Fixes a bug that prevents iPhone 5 from installing software updates wirelessly over the air
• Fixes a bug where horizontal lines may be displayed across the keyboard
• Fixes an issue that could cause camera flash to not go off
• Improves reliability of iPhone 5 and iPod touch (5th generation) when connected to encrypted WPA2 Wi-Fi networks
• Resolves an issue that prevents iPhone from using the cellular network in some instances
• Consolidated the Use Cellular Data switch for iTunes Match
• Fixes a Passcode Lock bug which sometimes allowed access to Passbook pass details from lock screen
• Fixes a bug affecting Exchange meetings
For information on the security content of this update, please visit this website:
http://support.apple.com/kb/HT1222
This update is available via iTunes and wirelessly."

- https://secunia.com/advisories/51162/
Release Date: 2012-11-02
Criticality level: Highly critical
Impact: Security Bypass, Exposure of system information, System access
Where: From remote
CVE Reference(s): CVE-2012-3748, CVE-2012-3749, CVE-2012-3750, CVE-2012-5112
For more information: https://secunia.com/SA51157/
Solution: Apply iOS 6.0.1 Software Update.
Original Advisory: APPLE-SA-2012-11-01-1:
http://support.apple.com/kb/HT5567
> http://lists.apple.com/archives/security-announce/2012/Nov/msg00000.html
___

Safari 6.0.2 released
- https://support.apple.com/kb/HT5568
Nov 1, 2012
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.2
... WebKit -
1) Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A time of check to time of use issue existed in the handling of JavaScript arrays. This issue was addressed through additional validation of JavaScript arrays.
CVE-2012-3748 : Joost Pol and Daan Keuper of Certified Secure working with HP TippingPoint's Zero Day Initiative
2) Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue existed in the handling of SVG images. This issue was addressed through improved memory handling.
CVE-2012-5112 : Pinkie Pie working with Google's Pwnium 2 contest...

- https://secunia.com/advisories/51157/
Release Date: 2012-11-02
Criticality level: Highly critical
Impact: System access
Where: From remote
CVE Reference(s): CVE-2012-3748, CVE-2012-5112
For more information: https://secunia.com/SA50954/
The vulnerabilities are reported in versions prior to 6.0.2 running on OS X Lion and OS X Mountain Lion.
Solution: Update to version 6.0.2.
Original Advisory: APPLE-SA-2012-11-01-2:
http://support.apple.com/kb/HT5568
> http://lists.apple.com/archives/security-announce/2012/Nov/msg00001.html


AplusWebMaster
2012-11-08, 00:43
FYI...

Adobe PDF Reader 0-day in-the-wild ...
- https://krebsonsecurity.com/2012/11/experts-warn-of-zero-day-exploit-for-adobe-reader/
Nov 7th, 2012 - "Software vendor Adobe says it is investigating claims that instructions for exploiting a previously unknown critical security hole in the latest versions of its widely-used PDF Reader software are being sold in the cybercriminal underground. The finding comes from malware analysts at Moscow-based forensics firm Group-IB, who say they’ve discovered that a new exploit capable of compromising the security of computers running Adobe X and XI (Adobe Reader 10 and 11) is being sold in the underground for up to $50,000. This is significant because — beginning with Reader X – Adobe introduced a “sandbox” feature aimed at blocking the exploitation of previously unidentified security holes in its software, and so far that protection has held its ground. But according to Andrey Komarov, Group-IB’s head of international projects, this vulnerability allows attackers to sidestep Reader’s sandbox protection...
> https://www.youtube.com/watch?feature=player_embedded&v=uGF8VDBkK0M#t=0s
... Adobe spokeswoman Wiebke Lips said the company was not contacted by Group-IB, and is unable to verify their claims, given the limited amount of information currently available... Group-IB says the vulnerability is included in a new, custom version of the Blackhole Exploit Kit, a malicious software framework sold in the underground that is designed to be stitched into hacked Web sites and deploy malware via exploits such as this one... consumers should realize that there are several PDF reader options apart from Adobe’s, including Foxit, PDF-Xchange Viewer, Nitro PDF and Sumatra PDF*."
* http://blog.kowalczyk.info/software/sumatrapdf/download-free-pdf-viewer.html
___

- http://h-online.com/-1746442
8 Nov 2012


AplusWebMaster
2012-11-08, 15:10
FYI...

QuickTime v7.7.3 released
- https://secunia.com/advisories/51226/
Release Date: 2012-11-08
Criticality level: Highly critical
Impact: System access
Where: From remote
CVE Reference(s): CVE-2011-1374, CVE-2012-3751, CVE-2012-3752, CVE-2012-3753, CVE-2012-3754, CVE-2012-3755, CVE-2012-3756, CVE-2012-3757, CVE-2012-3758
... vulnerabilities are reported in versions prior to 7.7.3.
Solution: Update to version 7.7.3.
Original Advisory: http://support.apple.com/kb/HT5581

> http://lists.apple.com/archives/security-announce/2012/Nov/msg00002.html
... QuickTime 7.7.3 may be obtained from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/
-or-
Use Apple Software Update.
___

- http://h-online.com/-1746273
8 Nov 2012


AplusWebMaster
2012-11-09, 14:45
FYI...

IrfanView v4.35 released
TIFF Image Decompression Buffer Overflow Vulnerability
- https://secunia.com/advisories/49856/
Release Date: 2012-11-09
Criticality level: Highly critical
Impact: System access
Where: From remote
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-5022 - 6.8
This is related to vulnerability #4 in: https://secunia.com/SA43593/
... vulnerability is confirmed in version 4.33. Other versions may also be affected.
Solution: Update to version 4.35.
Original Advisory: http://www.irfanview.com/main_history.htm
Version 4.35 - 2012-11-07

- http://www.irfanview.com/main_download_engl.htm

- http://www.irfanview.com/plugins.htm
The current PlugIns version is: 4.35


AplusWebMaster
2012-11-14, 23:22
FYI...

Skype - pwd reset vuln...
- http://heartbeat.skype.com/2012/11/security_issue.html
Nov 14, 2012 - "Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience."
___

- http://h-online.com/-1749720
14 Nov 2012

- http://www.theregister.co.uk/2012/11/14/skype_fixes_hijack_bug/
14 Nov 2012

:fear:

AplusWebMaster
2012-11-22, 02:32
FYI...

Thunderbird v17.0 released
- https://www.mozilla.org/en-US/thunderbird/17.0/releasenotes
Nov 20, 2012

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download
- https://www.mozilla.org/thunderbird/all.html

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird17
___

- http://www.securitytracker.com/id/1027793
CVE Reference: CVE-2012-4201, CVE-2012-4202, CVE-2012-4204, CVE-2012-4205, CVE-2012-4207, CVE-2012-4208, CVE-2012-4209, CVE-2012-4212, CVE-2012-4213, CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-4217, CVE-2012-4218, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5836, CVE-2012-5838, CVE-2012-5839, CVE-2012-5840, CVE-2012-5841, CVE-2012-5842, CVE-2012-5843
Nov 21 2012
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Solution: The vendor has issued a fix (17.0)...

- https://secunia.com/advisories/51358/
Release Date: 2012-11-21
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, System access
Where: From remote...
Solution: Upgrade to version 17.0.

:fear::fear:

AplusWebMaster
2012-11-22, 13:56
FYI...

Adblock Plus 2.2.1 released
- https://adblockplus.org/releases/adblock-plus-221-released
2012-11-23

- https://adblockplus.org/en/changelog-2.2.1
. Fixed issue affecting loading of filters in old Firefox version (including Firefox 10).
. Fixed wrong apostrophe encoding in translations (especially Italian).

- https://adblockplus.org/en/changelog-2.2
Changelog for the previous release
2012-11-21

> https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

:blink:

AplusWebMaster
2012-11-27, 16:52
FYI...

"WordPress Plugin" search results ...
- https://secunia.com/advisories/search/?search=WordPress+Plugin
Found: 464 Secunia Security Advisories ...
Nov 27, 2012

>> http://piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/
Updated: Nov 27, 2012 - "... The website Piwik.org is running WordPress and got compromised, because of a security issue in a WordPress plugin... compromised by an attacker on 2012 Nov 26th, this attacker added a malicious code in the Piwik 1.9.2 Zip file... You would be at risk only if you installed or updated to Piwik 1.9.2 on Nov 26th from 15:43 UTC to 23:59 UTC. If you are not using 1.9.2, or if you have updated to 1.9.2 earlier than Nov 26th 15:40 UTC or from Nov 27th, you should be safe..."
___

- http://h-online.com/-1757246
27 Nov 2012

:fear: :sad:

AplusWebMaster
2012-11-27, 21:08
FYI...

Java 0-Day exploit on sale for ‘Five Digits’
- https://krebsonsecurity.com/2012/11/java-zero-day-exploit-on-sale-for-five-digits/
Nov 27, 2012 - "Miscreants in the cyber underground are selling an exploit for a previously undocumented security hole in Oracle’s Java software that attackers can use to remotely seize control over systems running the program... The flaw, currently being sold by an established member of an invite-only Underweb forum, targets an unpatched vulnerability in Java JRE 7 Update 9, the most recent version of Java (the seller says this flaw does not exist in Java 6 or earlier versions)... The seller was not terribly specific on the price he is asking for this exploit, but set the expected offer at “five digits.” The price of any exploit is ultimately whatever the market will bear, but this is roughly in line with the last Java zero-day exploit that was being traded and sold on the underground...
How to Unplug Java from the Browser:
> http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

:fear: :mad:

AplusWebMaster
2012-12-03, 23:38
FYI...

0-day vulns in MySQL fixed by MariaDB
- http://h-online.com/-1761451
3 Dec 2012 - "A recently published security vulnerability in the MySQL open source database has been met with fixes by the developers of the open source MariaDB* fork... they also note that a supposed zero day vulnerability that enumerates MySQL users has been known about for ten years. MariaDB versions 5.1, 5.2, 5.3 and 5.5, in which CVE 2012-5579 is fixed, are available for download*. MySQL provider Oracle has yet to confirm the vulnerabilities, much less provide updated software."
* http://downloads.mariadb.org/
___

- https://secunia.com/advisories/51427/
Release Date: 2012-12-03
... may be related to vulnerability #1: https://secunia.com/SA51008/
CVE Reference(s): CVE-2012-5611, CVE-2012-5612, CVE-2012-5614, CVE-2012-5615
Impact: Brute force, DoS, System access
Where: From local network
Software: MySQL 5.x
Solution: No official solution is currently available...
___

- http://blog.trendmicro.com/trendlabs-security-intelligence/multiple-zero-day-poc-exploits-threaten-oracle-mysql-server/
Dec 6, 2012 - "... MySQL Database is famous for its high performance, high reliability and ease of use. It runs on both Windows and many non-Windows platforms like UNIX, Mac OS, Solaris, IBM AIX, etc. It has been the fastest growing application and the choice of big companies such as Facebook, Google, and Adobe among others. Given its popularity, cybercriminals and other attackers are definitely eyeing this platform..."

:fear::fear:

AplusWebMaster
2012-12-05, 16:13
FYI...

cPanel - updates available
- https://secunia.com/advisories/51494/
Release Date: 2012-12-05
Criticality level: Moderately critical
Impact: Unknown
Where: From remote
Software: cPanel 11.x
... vulnerabilities are reported in versions prior to 11.30.7.4, 11.32.5.15, and 11.34.0.11.
Solution: Update to version 11.30.7.4, 11.32.5.15, or 11.34.0.11.
Original Advisory:
http://cpanel.net/important-security-release-cpanel-whm-11-30/
http://cpanel.net/important-11-32-security-update-cpanel-whm/
http://cpanel.net/important-11-34-security-release-cpanel-whm/

:fear::fear:

AplusWebMaster
2012-12-15, 13:42
FYI...

iTunes 11.0.1 released
- https://support.apple.com/kb/DL1614
Dec 13, 2012 - "This update to the new iTunes addresses an issue where new purchases in iCloud may not appear in your library if iTunes Match is turned on, makes iTunes more responsive when searching a large library, fixes a problem where the AirPlay button may not appear as expected, and adds the ability to display duplicate items within your library. This update also includes other important stability and performance improvements."

Available on Apple Software Update.

:fear:

AplusWebMaster
2012-12-19, 00:34
FYI...

iOS 6.0.2 Software Update
- http://support.apple.com/kb/DL1621
Dec 18, 2012 - Fixes a bug that could impact Wi-Fi...
System Requirements: iPhone 5, iPad mini

- http://www.todaysiphone.com/2012/12/ios-6-0-2-released-by-apple/
"... everyone and their dogs are trying to download the delta update and Apple’s servers are having a hard time..."

- http://bgr.com/2012/12/18/apple-releases-ios-6-0-2258170-258170/
Dec 18, 2012 - "... these Wi-Fi issues were supposed to be fixed with the release of iOS 6.0.1 but notes that users have still reported problems connecting to known Wi-Fi hotspots even after installing the patch..."

:fear::fear:

AplusWebMaster
2012-12-20, 01:08
FYI...

Shockwave player - vulnerable Flash runtime
* http://www.kb.cert.org/vuls/id/323161
Last revised: 17 Dec 2012 - "Adobe Shockwave Player 11.6.8.638 and earlier versions on the Windows and Macintosh operating systems provide a vulnerable version of the Flash runtime..."

- http://h-online.com/-1772754
19 Dec 2012 - "US-CERT has warned that a security hole exists in Adobe's Shockwave Player*. Version 11.6.8.638 and earlier versions that were installed using the company's "Full" installer are affected. These all include an older version of Flash (10.2.159.1) that contains several exploitable vulnerabilities. Shockwave uses a custom Flash runtime instead of a globally installed Flash plugin. According to US-CERT, the Flash vulnerabilities can be exploited to execute arbitrary code at the user's privilege level via specially crafted Shockwave content. As the Shockwave Player tends to be used only rarely, simply uninstalling the software can provide protection. Adobe is even offering an uninstaller** for this purpose..."
** https://www.adobe.com/shockwave/download/alternates/
(See "Shockwave Player Uninstaller".)

- https://krebsonsecurity.com/2012/12/shocking-delay-in-fixing-adobe-shockwave-bug/
Dec 19, 2012 - "... U.S. CERT first warned Adobe about the vulnerability in October 2010, and Adobe says it won’t be fixing it until February 2013..."

- http://www.securitytracker.com/id/1027903
- http://www.securitytracker.com/id/1027904
- http://www.securitytracker.com/id/1027905
Dec 20 2012

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6270 - 9.3 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6271 - 9.3 (HIGH)

:fear::fear: :blink:

AplusWebMaster
2013-01-14, 15:57
FYI...

Sumatra PDF reader v2.2.1 released
- http://blog.kowalczyk.info/software/sumatrapdf/news.html
2013-01-12
Version history - Changes in this release:
• fixed ebooks sometimes not remembering the viewing position
• fixed Sumatra not exiting when opening files from a network drive
• fixes for most frequent crashes and PDF parsing robustness fixes

Download
- http://blog.kowalczyk.info/software/sumatrapdf/download-free-pdf-viewer.html

:fear:

AplusWebMaster
2013-01-19, 19:01
FYI...

Thunderbird v17.0.2 released
- https://www.mozilla.org/en-US/thunderbird/17.0.2/releasenotes
Jan 8 2013

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download
- https://www.mozilla.org/thunderbird/all.html

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird17.0.2

- http://www.securitytracker.com/id/1027957
CVE Reference: CVE-2013-0743, CVE-2013-0744, CVE-2013-0745, CVE-2013-0746, CVE-2013-0747, CVE-2013-0748, CVE-2013-0749, CVE-2013-0750, CVE-2013-0752, CVE-2013-0753, CVE-2013-0754, CVE-2013-0755, CVE-2013-0756, CVE-2013-0757, CVE-2013-0758, CVE-2013-0759, CVE-2013-0760, CVE-2013-0761, CVE-2013-0762, CVE-2013-0763, CVE-2013-0764, CVE-2013-0766, CVE-2013-0767, CVE-2013-0768, CVE-2013-0769, CVE-2013-0770, CVE-2013-0771
Jan 9 2013
Impact: Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 17.0.2

:fear::fear:

AplusWebMaster
2013-01-25, 17:02
FYI...

WordPress v3.5.1 released
- https://wordpress.org/download/
"The latest stable release of WordPress (Version 3.5.1) is available..."

- https://wordpress.org/news/2013/01/wordpress-3-5-1/
Jan 24, 2013 - "... first maintenance release of 3.5, fixing 37 bugs... a security release for all previous WordPress versions..."

- https://secunia.com/advisories/51967/
Release Date: 2013-01-25
Criticality level: Moderately critical
Impact: Cross Site Scripting, Exposure of sensitive information
Where: From remote
... vulnerabilities are reported in versions prior to 3.5.1.
Solution: Update to version 3.5.1.
- http://www.securitytracker.com/id/1028045
Jan 25 2013
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Host/resource access via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 3.5.1 ...

"WordPress Plugin" search results ...
- https://secunia.com/advisories/search/?search=WordPress+Plugin
Found -530- Secunia Security Advisories ...
March 14, 2013
___

- http://h-online.com/-1791820
25 Jan 2013
- http://www.h-online.com/imgs/43/9/7/5/0/2/1/wp3-5-1.jpg-e8882f4c597dc045.jpeg

:fear::fear:

AplusWebMaster
2013-01-29, 23:08
FYI...

UPnP advisory - US CERT
- https://www.us-cert.gov/current/#cert_releases_upnp_security_advisory
29 Jan 2013 - "Multiple vulnerabilities have been announced in libupnp, the open source portable SDK for UPnP devices. Libupnp is employed by hundreds of vendors for UPnP-enabled devices. Information is also available in CERT Vulnerability Note VU#922681*..."
* http://www.kb.cert.org/vuls/id/922681
29 Jan 2013 - "... Disable UPnP: Consider disabling UPnP on the device if it is not absolutely necessary..."
___

- https://community.rapid7.com/docs/DOC-2150
Jan 29, 2013 - "... We strongly recommend people to check whether they may be vulnerable, and if so, disable the UPnP protocol* in any affected devices..."
* https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
Jan 29, 2013 - "... Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet. Somewhere between 40 and 50 million IPs are vulnerable to at least one of three attacks.. In most cases, network equipment that is "no longer shipping" will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new..."

> https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-6031-2747/422-490/stats.png

UPnP Router Security Check: http://upnp-check.rapid7.com/
___

- http://atlas.arbor.net/briefs/index#-1299837074
Severity: High Severity
Jan 30, 2013
Universal Plug and Play provides a significant attack surface and should be protected from network access via robust access control protections on UDP port 1900 and/or hardened configuration.
Analysis: A large-scale scan of the Internet determined that a huge number of systems are vulnerable, and that exploitation in some cases can be performed with one UDP packet. This UDP packet can be spoofed. Actual attack details are not available to the public however we can rest assured that attackers are hard at work. While such bugs may not make their way into typical commodity crimeware exploit kits, targeted and opportunistic attackers with enough intelligence to create exploit code for these vulnerabilities are surely at work. One difficulty is that there are a large number of devices, each that may have their own specific configuration and device quirks that would require some research on the part of the attackers. The potential for a network-wide worm certainly exists. Organizations are encouraged to block uPnP as much as possible and ensure that attack surface is reduced because it is likely that the scanning activity will increase. While UDP port 1900 appears to the main vector, TCP/UDP port 2869 is also involved and should be monitored carefully and restricted as much as possible to reduce attack surface.
Source: http://arstechnica.com/security/2013/01/to-prevent-hacking-disable-universal-plug-and-play-now/

- http://h-online.com/-1794032
30 Jan 2013

:fear:

AplusWebMaster
2013-02-01, 15:44
FYI...

Changelog for Adblock Plus 2.2.3
- https://adblockplus.org/releases/adblock-plus-223-for-firefox-released
Feb 13, 2013 - The following lists the changes compared to Adblock Plus 2.2.3. If you experience issues with this release please check the list of known issues.
• Worked around AVG Security Toolbar 14.0.3.* breaking Adblock Plus among other things.
• Made sure that first-run page always opens in the current browser window (bug 819561)...
___

AdblockPlus v2.2.2 released
- https://adblockplus.org/en/changelog-2.2.2
2013-01-30

- http://news.slashdot.org/story/13/01/31/238238/online-ads-are-more-dangerous-than-porn-cisco-says
Feb 01, 2013 - "The popular belief is that security risks increase as the user engages in riskier and shadier behavior online, but that apparently isn't the case, Cisco found in its 2013 Annual Security report*. It can be more dangerous to click on an online advertisement than an adult content site these days, according to Cisco. For example, users clicking on online ads were 182 times more likely to wind up getting infected with malware than if they'd surfed over to an adult content site, Cisco said. The highest concentration of online security targets do not target pornography, pharmaceutical, or gambling sites as much as they affect legitimate sites such as search engines, online retailers, and social media. Users are 21 times more likely to get hit with malware from online shopping sites and 27 more times likely with a search engine than if they'd gone to a counterfeit software site..."
* http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html

AdBlockPlus for Firefox: https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

> https://adblockplus.org/en/getting_started#install

:fear:

AplusWebMaster
2013-02-09, 17:58
FYI...

Expect a v2 of iOS 6.1 ...

iOS 6.1 Leads to Battery Life Drain, Overheating for iPhone Users
- http://thenextweb.com/apple/2013/02/08/some-iphone-users-are-seeing-battery-drain-and-overheating-issues-after-upgrading-to-ios-6-1/
8 Feb 2013

- http://arstechnica.com/apple/2013/02/ios-6-1-brings-back-bug-that-gives-anyone-access-to-your-contacts-photos/
Feb 14, 2013 - "An -old- vulnerability in the iPhone's lock screen and Emergency Call feature appears to have resurfaced for a third time in iOS 6.1. With the right sequence of button clicking, it's possible to get to an iPhone user's voicemails, contacts, and photos—even if the iPhone is locked and password protected..."
- https://secunia.com/advisories/52173/

Access restriction in iOS 6 partially useless
- http://h-online.com/-1805842
19 Feb 2013

Rapid growth in transaction logs, CPU use, and memory consumption in Exchange Server 2010 when a user syncs a mailbox by using an iOS 6.1-based device
- http://support.microsoft.com/kb/2814847
Last Review: February 12, 2013 - Revision: 5.0
Status: Apple and Microsoft are investigating this issue. We will post more information in this article when the information becomes available...
Workaround: To work around this issue, do not process Calendar items such as meeting requests on iOS 6.1 devices. Also, immediately restart the iOS 6.1 device...

:fear::fear:

AplusWebMaster
2013-02-20, 13:54
FYI...

iOS 6.1.2 Software Update
- https://support.apple.com/kb/DL1639
Feb 19, 2013 - "Fixes an Exchange calendar bug that could result in increased network activity and reduced battery life...
System Requirements: iPhone 3GS and later, iPad 2 and later, iPod touch 4th generation and later, iPhone 5 ..."

- http://support.microsoft.com/kb/2814847
Last Review: February 19, 2013 Revision: 15.0 - "... Resolution: Apple has posted the following article to address the issue:
- https://support.apple.com/kb/TS4532
Feb 19, 2013 - ... Resolution: To resolve this issue, update to iOS 6.1.2..."
___

iTunes 11.0.2 released
- https://support.apple.com/kb/DL1614
Feb 19, 2013

APPLE-SA-2013-02-19-1 Java for OS X 2013-001 and Mac OS X v10.6 Update 13
- http://prod.lists.apple.com/archives/security-announce/2013/Feb/msg00002.html
2013-02-19
- http://support.apple.com/kb/HT5666

:fear::fear:

AplusWebMaster
2013-02-20, 19:59
FYI...

Thunderbird 17.0.3 released
- https://www.mozilla.org/en-US/thunderbird/17.0.3/releasenotes
Feb 19, 2013

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download
- https://www.mozilla.org/thunderbird/all.html

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird17.0.3

- http://www.securitytracker.com/id/1028165
CVE Reference: CVE-2013-0765, CVE-2013-0772, CVE-2013-0773, CVE-2013-0774, CVE-2013-0775, CVE-2013-0776, CVE-2013-0777, CVE-2013-0778, CVE-2013-0779, CVE-2013-0780, CVE-2013-0781, CVE-2013-0782, CVE-2013-0783, CVE-2013-0784
Feb 20 2013
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 17.0.3

:fear:

AplusWebMaster
2013-02-28, 13:03
FYI...

Amazon fixes its book deleting iTunes Kindle app update
- http://www.theinquirer.net/inquirer/news/2251231/amazon-fixes-its-book-deleting-itunes-kindle-app-update
Feb 28 2013 - "... Amazon has revisited the webpage and the update. Version 3.6.2* of the Kindle app for iOS includes both a fix for the registration issue and "Various Bug Fixes and Security Fixes"..."
* https://itunes.apple.com/us/app/kindle-read-books-ebooks-magazines/id302584613?mt=8
Updated: Feb 27, 2013
Version: 3.6.2
Size: 21.4 MB
What's New in Version 3.6.2
• Fix for Registration Issue
• Various Bug Fixes and Security Fixes...

:fear::sad:

AplusWebMaster
2013-03-03, 02:55
FYI...

Apple blocks older insecure versions of Flash...
- https://isc.sans.edu/diary.html?storyid=15316
Last Updated: 2013-03-02 18:23:36 - "Apple has recently stepped up its response to security issues involving 3rd party plug-ins. They have aggressively used its anti-malware tool sets to enforce minimum versions of Adobe Flash*, Oracle Java, and similar popular plug-ins..."
* https://support.apple.com/kb/ht5655
Mar 1, 2013 - "... When attempting to view Flash content in Safari, you may see this alert: "Blocked Plug-in"
Selecting it will display this alert:
'Adobe Flash Player' is out of date.
- Click 'Download Flash…' to have Safari open the Adobe Flash Player installer website.
- Download the latest Adobe Flash Player installer--click the "Download now" button.
- Open the downloaded disk image.
- Open the installer and follow the onscreen instructions...'"

- https://support.apple.com/kb/HT5660
Mar 1, 2013

:fear::fear:

AplusWebMaster
2013-03-05, 13:23
FYI...

APPLE-SA-2013-03-04-1: Apple Mac OS X update for Java
- https://secunia.com/advisories/52484/
Release Date: 2013-03-05
Criticality level: Highly critical
Impact: System access
Where: From remote
CVE Reference(s): CVE-2013-0809, CVE-2013-1493
For more information: https://secunia.com/SA52451/
Original Advisory: APPLE-SA-2013-03-04-1:
- http://support.apple.com/kb/HT5677
- http://prod.lists.apple.com/archives/security-announce/2013/Mar/index.html

- http://prod.lists.apple.com/archives/security-announce/2013/Mar/msg00000.html

:fear::fear:

AplusWebMaster
2013-03-15, 00:16
FYI...

Safari v6.0.3 released
- https://support.apple.com/kb/HT5671
14 Mar 2013
> http://prod.lists.apple.com/archives/security-announce/2013/Mar/msg00003.html

- https://secunia.com/advisories/52658/
Release Date: 2013-03-15
Criticality level: Highly critical
Impact: Cross Site Scripting, System access
Where: From remote ...
Solution: Update to version 6.0.3.

- http://www.securitytracker.com/id/1028292
CVE Reference: CVE-2013-0960, CVE-2013-0961
Mar 14 2013
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 6.0.3...
___

APPLE-SA-2013-03-14-1 OS X Mountain Lion v10.8.3 and Security Update 2013-001
- https://support.apple.com/kb/HT5672
14 Mar 2013
> http://prod.lists.apple.com/archives/security-announce/2013/Mar/msg00002.html

- http://prod.lists.apple.com/archives/security-announce/2013/Mar/index.html

- https://secunia.com/advisories/52643/
Release Date: 2013-03-15
Criticality level: Highly critical
Impact: Spoofing, Security Bypass, Exposure of system information, Exposure of sensitive information, Cross Site Scripting, System access
Where: From remote ...
Solution: Update to OS X Mountain Lion 10.8.3 or apply Security Update 2013-001.

- http://atlas.arbor.net/briefs/index#-1321171050
High Severity
March 15, 2013
Apple releases security patches for a variety of issues in OSX.
Analysis: Considering a typical attack on an end-user system, there are several issues that require attention to include: 1) A method for an attacker to launch a Java application even though Java may be disabled 2) Quicktime security vulnerabilities in the handling of MP4 files and 3) security issues in the way PDFKit handles certain malformed PDF documents. In addition to these issues there are multiple other issues that affect specific scenarios on a server install or issues that would open up the system to a local attack...

- http://www.securitytracker.com/id/1028294
CVE Reference: CVE-2013-0963, CVE-2013-0967, CVE-2013-0969, CVE-2013-0970, CVE-2013-0971, CVE-2013-0973, CVE-2013-0976
Updated: Mar 15 2013
Impact: Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.6.x, 10.7.x, 10.8.x...

About the OS X Mountain Lion v10.8.3 Update
- https://support.apple.com/kb/HT5612
Mar 14, 2013

OS X Mountain Lion Update v10.8.3 (Combo)
- https://support.apple.com/kb/DL1640
Mar 14, 2013

Security Update 2013-001 (Snow Leopard)
- https://support.apple.com/kb/DL1642
Mar 14, 2013

Security Update 2013-001 (Lion)
- https://support.apple.com/kb/DL1643
Mar 14, 2013

:fear::fear:

AplusWebMaster
2013-03-20, 14:08
FYI...

APPLE-SA-2013-03-19-1 iOS 6.1.3
- http://prod.lists.apple.com/archives/security-announce/2013/Mar/msg00004.html
19 Mar 2013

- https://support.apple.com/kb/HT5704

- http://www.securitytracker.com/id/1028314
CVE Reference: CVE-2013-0977, CVE-2013-0978, CVE-2013-0979, CVE-2013-0981
Mar 19 2013
Impact: Disclosure of system information, Execution of arbitrary code via local system, Modification of system information, Root access via local system, User access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 6.1.3...
Impact: A local user can obtain elevated privileges on the target system.
Solution: The vendor has issued a fix (iOS 6.1.3) as part of APPLE-SA-2013-03-19-1 iOS 6.1.3.

- https://secunia.com/advisories/52173/
Last Update: 2013-03-20
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote...
Operating System: Apple iOS 6.x for iPhone 3GS and later, iPad 6.x, iPod touch 6.x
Solution: Apply iOS 6.1.3 Software Update.
___

APPLE-SA-2013-03-19-2 Apple TV 5.2.1
- http://prod.lists.apple.com/archives/security-announce/2013/Mar/msg00005.html
19 Mar 2013

- https://secunia.com/advisories/52685/
Release Date: 2013-03-20
CVE Reference(s): CVE-2013-0977, CVE-2013-0978, CVE-2013-0981
Impact: Security Bypass
Where: Local system
Solution: Update to version 5.2.1.
___

Apple changes iOS 6.1 VPN feature
- http://h-online.com/-1837018
8 April 2013

:fear:

AplusWebMaster
2013-03-20, 21:35
FYI...

Google Picasa 136.17 ...
- https://secunia.com/advisories/51652/
Release Date: 2013-03-20
Criticality level: Highly critical
Impact: System access
Where: From remote...
For more information: https://secunia.com/SA35515/
... vulnerabilities are confirmed in version 3.9.0 Build 136.09 for Windows and reported in versions prior to 3.9.0 Build 3.9.14.34 for Mac. Other versions may also be affected.
Solution: Update to a fixed version.
Original Advisory: http://support.google.com/picasa/answer/53209
Windows: Build 136.17 - March 14, 2012

:fear:

AplusWebMaster
2013-04-03, 16:39
FYI...

Thunderbird v17.0.5 released
- https://www.mozilla.org/en-US/thunderbird/17.0.5/releasenotes
April 2, 2013
FIXED - Security fixes* ...
FIXED - Adjusting font size when composing emails should be easier (Bug 824926)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html

Fixed in Thunderbird 17.0.5
* https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird17.0.5
MFSA 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage
MFSA 2013-38 Cross-site scripting (XSS) using timed history navigations
MFSA 2013-36 Bypass of SOW protections allows cloning of protected nodes
MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux
MFSA 2013-34 Privilege escalation through Mozilla Updater
MFSA 2013-32 Privilege escalation through Mozilla Maintenance Service
MFSA 2013-31 Out-of-bounds write in Cairo library
MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)

- http://www.securitytracker.com/id/1028382
CVE Reference: CVE-2013-0788, CVE-2013-0789, CVE-2013-0790, CVE-2013-0791, CVE-2013-0793, CVE-2013-0795, CVE-2013-0796, CVE-2013-0797, CVE-2013-0799, CVE-2013-0800
Apr 3 2013
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 17.0.5

:fear::fear:

AplusWebMaster
2013-04-17, 16:35
FYI...

Safari 6.0.4 released
- https://support.apple.com/kb/HT5701
Apr 16, 2013

- https://support.apple.com/kb/HT1222
___

- http://h-online.com/-1843736
17 April 2013

:fear:

AplusWebMaster
2013-05-09, 15:58
FYI...

Adblock Plus v2.2.4 released
- https://adblockplus.org/en/changelog-2.2.4
2013-05-08
• Fixed: Server names with a trailing dot were mistakenly treated as typos.
• Fixed a Firefox 22 compatibility issue (no colors/images in filters list and list of blockable items).

The Future of Facebook Ads (and how Adblock Plus will deal with them)
- https://adblockplus.org/blog/the-future-of-facebook-ads-and-how-adblock-plus-will-deal-with-them
2013-05-07

:fear:

AplusWebMaster
2013-05-15, 12:29
FYI...

Thunderbird v17.0.6 released
- https://www.mozilla.org/en-US/thunderbird/17.0.6/releasenotes
May 14, 2013

- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird17.0.6
Fixed in Thunderbird 17.0.6
MFSA 2013-48 Memory corruption found using Address Sanitizer
MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent
MFSA 2013-46 Use-after-free with video and onresize event
MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service
MFSA 2013-42 Privileged access for content level constructor
MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html

- https://secunia.com/advisories/53443/
Release Date: 2013-05-15
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote ...
For more information: https://secunia.com/SA53400/
... vulnerabilities are reported in versions prior to 17.0.6.
Solution: Update to version 17.0.6.

- http://www.securitytracker.com/id/1028559
CVE Reference: CVE-2013-0801, CVE-2013-1669, CVE-2013-1670, CVE-2013-1672, CVE-2013-1674, CVE-2013-1675, CVE-2013-1676, CVE-2013-1677, CVE-2013-1678, CVE-2013-1679, CVE-2013-1680, CVE-2013-1681
May 14 2013
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 17.0.6

:fear:

AplusWebMaster
2013-05-17, 13:12
FYI...

iTunes 11.0.3 released
- https://support.apple.com/kb/HT5766
May 16, 2013

- http://prod.lists.apple.com/archives/security-announce/2013/May/msg00000.html
May 16, 2013

Use Apple Software Update
-or-
- https://www.apple.com/itunes/download/
iTunes 11.0.3 for Windows XP, Vista or Windows 7

- http://www.securitytracker.com/id/1028575
CVE Reference: CVE-2013-0879, CVE-2013-0991, CVE-2013-0992, CVE-2013-0993, CVE-2013-0994, CVE-2013-0995, CVE-2013-0996, CVE-2013-0997, CVE-2013-0998, CVE-2013-0999, CVE-2013-1000, CVE-2013-1001, CVE-2013-1002, CVE-2013-1003, CVE-2013-1004, CVE-2013-1005, CVE-2013-1006, CVE-2013-1007, CVE-2013-1008, CVE-2013-1010, CVE-2013-1011, CVE-2013-1014
May 16 2013
Impact: Execution of arbitrary code via network, Modification of authentication information, User access via network
Fix Available: Yes Vendor Confirmed: Yes ...
Impact: A remote user can execute arbitrary code on the target system.
A remote user can spoof digital certificates.
Solution: The vendor has issued a fix (11.0.3).

:fear:

AplusWebMaster
2013-05-23, 12:48
FYI...

QuickTime 7.7.4 released
- https://support.apple.com/kb/HT5770
May 22, 2013

- https://support.apple.com/kb/HT1222

> http://prod.lists.apple.com/archives/security-announce/2013/May/msg00001.html
... QuickTime 7.7.4 may be obtained from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/
-or-
Use Apple Software Update.

- https://secunia.com/advisories/53520/
Release Date: 2013-05-23
Criticality level: Highly critical
Impact: System access
Where: From remote...
CVE Reference(s): CVE-2013-0986, CVE-2013-0987, CVE-2013-0988, CVE-2013-0989, CVE-2013-1015, CVE-2013-1016, CVE-2013-1017, CVE-2013-1018, CVE-2013-1019, CVE-2013-1020, CVE-2013-1021, CVE-2013-1022
... vulnerabilities are reported in versions prior to 7.7.4.
Solution: Update to version 7.7.4.

- http://www.securitytracker.com/id/1028589
CVE Reference: CVE-2013-0986, CVE-2013-0987, CVE-2013-0988, CVE-2013-0989, CVE-2013-1015, CVE-2013-1016, CVE-2013-1017, CVE-2013-1018, CVE-2013-1019, CVE-2013-1020, CVE-2013-1021, CVE-2013-1022
May 23 2013
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7.7.4 ...

- http://h-online.com/-1868186
23 May 2013

:fear:

AplusWebMaster
2013-05-30, 14:51
FYI...

IrfanView FlashPix PlugIn FPX 4.36 released
- https://secunia.com/advisories/53579/
Release Date: 2013-05-30
Criticality level: Highly critical
Impact: System access
Where: From remote...
Software: IrfanView FlashPix PlugIn 4.x
CVE Reference: CVE-2013-3486
... vulnerability is caused due to an integer overflow error within the Fpx.dll module...
- http://www.irfanview.com/plugins.htm
PlugIns updated after the version 4.35:
FPX Plugin (4.36) - Installer or ZIP - Fixed loading of FPX (FlashPix) files (reported by Secunia)
- http://www.irfanview.net/plugins/irfanview_plugin_fpx.exe

:fear::fear:

AplusWebMaster
2013-06-05, 12:36
FYI...

Apple OS X 10.8.4 - Security Update 2013-002
- http://www.securitytracker.com/id/1028625
CVE Reference: CVE-2013-0982, CVE-2013-0983, CVE-2013-0984, CVE-2013-0985, CVE-2013-0975, CVE-2013-0990, CVE-2013-1024
Jun 5 2013
Impact: Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.8.x prior to 10.8.4; 10.6.x, 10.7.x ...
Solution: The vendor has issued a fix (10.8.4; Security Update 2013-002).
Vendor URL: http://support.apple.com/kb/HT5784

- http://prod.lists.apple.com/archives/security-announce/2013/Jun/msg00000.html

- https://secunia.com/advisories/53684/
Release Date: 2013-06-05
Criticality level: Highly critical
Impact: Cross Site Scripting, Exposure of sensitive information, Security Bypass, DoS, System access
Where: From remote...

- http://h-online.com/-1883007
5 June 2013

- https://support.apple.com/kb/HT1222
___

Safari v6.0.5 released
- http://www.securitytracker.com/id/1028627
CVE Reference: CVE-2013-0926, CVE-2013-1009, CVE-2013-1012, CVE-2013-1013, CVE-2013-1023
Jun 5 2013
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 6.0.5
Solution: The vendor has issued a fix (6.0.5).
Vendor URL: http://support.apple.com/kb/HT5785

- http://prod.lists.apple.com/archives/security-announce/2013/Jun/msg00001.html

- https://secunia.com/advisories/53711/
Release Date: 2013-06-05
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, System access
Where: From remote...
___

- https://isc.sans.edu/diary.html?storyid=15929
Last Updated: 2013-06-05 02:43:44 UTC

:fear::fear:

AplusWebMaster
2013-06-23, 18:00
FYI...

WordPress v3.5.2 released
- https://wordpress.org/download/
June 21, 2013 - "The latest stable release of WordPress (Version 3.5.2) is available..."

- https://wordpress.org/news/
June 21, 2013 - "... This is the second maintenance release of 3.5, fixing 12 bugs. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. The WordPress security team resolved seven security issues, and this release also contains some additional security hardening... Download WordPress 3.5.2 or update now from the Dashboard..."
- https://wordpress.org/news/2013/06/wordpress-3-5-2/

Release notes
- https://codex.wordpress.org/Version_3.5.2
CVE-2013-2173, CVE-2013-2199, CVE-2013-2200, CVE-2013-2201, CVE-2013-2202, CVE-2013-2203, CVE-2013-2204, CVE-2013-2205

"WordPress Plugin" search results ...
- https://secunia.com/advisories/search/?search=WordPress+Plugin
Found -606- Secunia Security Advisories ...
June 21, 2013
___

- http://www.securitytracker.com/id/1028700
CVE Reference: CVE-2013-2199, CVE-2013-2200, CVE-2013-2201, CVE-2013-2202, CVE-2013-2203, CVE-2013-2204, CVE-2013-2205
Jun 25 2013
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 3.5.2 ...

- http://h-online.com/-1895188
24 June 2013

:fear::fear:

AplusWebMaster
2013-06-26, 16:58
FYI...

Thunderbird v17.0.7 released
- https://www.mozilla.org/en-US/thunderbird/17.0.7/releasenotes
June 25, 2013

- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird17.0.7
Fixed in Thunderbird 17.0.7
MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
MFSA 2013-56 PreserveWrapper has inconsistent behavior
MFSA 2013-55 SVG filters can lead to information disclosure
MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
MFSA 2013-53 Execution of unmapped memory through onreadystatechange event
MFSA 2013-51 Privileged content access and execution via XBL
MFSA 2013-50 Memory corruption found using Address Sanitizer
MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html
___

- https://secunia.com/advisories/53953/
Release Date: 2013-06-26
Criticality level: Highly Critical
Impact: Security Bypass, Exposure of sensitive information, System access
... vulnerabilities are reported in versions prior to 17.0.7.
Solution: Update to version 17.0.7.

- http://www.securitytracker.com/id/1028704
CVE Reference: CVE-2013-1682, CVE-2013-1683, CVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1690, CVE-2013-1692, CVE-2013-1693, CVE-2013-1694, CVE-2013-1697
Jun 26 2013
Impact: Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 17.0.7 ...

:fear:

AplusWebMaster
2013-06-27, 21:21
FYI...

Ruby update - SSL vuln
- https://isc.sans.edu/diary.html?storyid=16076
Last Updated: 2013-06-27 16:57:11 UTC - "An update has been released for the SSL vulnerability reported in Ruby. From the site: 'All Ruby versions are affected'. The Ruby update also contains a patch for a DOS vulnerability... details here*."
* http://h-online.com/-1901986
___

- http://www.securitytracker.com/id/1028714
CVE Reference: CVE-2013-4073
Jun 27 2013
Impact: Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 1.8.7-p374, 1.9.3-p448, 2.0.0-p247
Impact: A remote user can spoof SSL servers in certain cases.
Solution: The vendor has issued a fix (1.8.7-p374, 1.9.3-p448, 2.0.0-p247).
... vendor's advisory is available at:
- http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/

- https://secunia.com/advisories/54011/
Release Date: 2013-06-28
Where: From remote
Impact: Spoofing
Solution Status: Vendor Patch
CVE Reference: CVE-2013-4073
Solution: Update to version Ruby 1.8.7-p374, 1.9.3-p448, or 2.0.0-p247.
Original Advisory: Ruby:
http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
___

Ruby 1.8.7 retired
- http://www.ruby-lang.org/en/news/2013/06/30/we-retire-1-8-7/
30 Jun 2013

:fear::fear:

AplusWebMaster
2013-07-05, 19:58
FYI...

IrfanView v4.36 released
- https://secunia.com/advisories/53976/
Release Date: 2013-07-05
Criticality: Highly Critical
Where: From remote
Impact: System access
Solution Status: Vendor Patch
Software: IrfanView 4.x
... vulnerability is confirmed in version 4.35. Prior versions may also be affected.
Solution: Update to version 4.36.

- http://www.irfanview.com/main_download_engl.htm

- http://www.irfanview.com/main_history.htm
Release date: 2013-06-27

- http://www.irfanview.com/plugins.htm
The current PlugIns version is: 4.36

:fear:

AplusWebMaster
2013-07-23, 21:26
FYI...

OpenOffice 4.0 released
- https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.0+Release+Notes
Jul 23, 2013

- http://www.openoffice.org/security/bulletin.html

Bug Fixes
- https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.0+Release+Notes#AOO4.0ReleaseNotes-BugFixes
"As of July 17th 2013 there were -498- verified issues that have been resolved..."

- https://secunia.com/advisories/54133/
Release Date: 2013-07-26
Criticality: Highly Critical
Impact: System access
CVE Reference(s): CVE-2013-2189, CVE-2013-4156
... vulnerabilities are reported in versions 3.4.0 and 3.4.1. Prior versions may also be affected.
Solution: Upgrade to version 4.0
Original Advisory:
http://www.openoffice.org/security/cves/CVE-2013-2189.html
http://www.openoffice.org/security/cves/CVE-2013-4156.html

Instructions for Downloading and Installing Apache OpenOffice 4.0.0
- http://www.openoffice.org/download/common/instructions.html

Download
- http://www.openoffice.org/download/

:fear::fear:

AplusWebMaster
2013-07-25, 14:43
FYI...

AdblockPlus 2.3.1 released
- https://adblockplus.org/releases/adblock-plus-231-for-firefox-adblock-plus-152-for-chrome-and-opera-released
2013-07-24
Changes:
- Improved filter list downloads.
- Implemented filter forward-compatibility proposal.
- Implemented an emergency notification mechanism that can be used to communicate important issues.

:fear::fear:

AplusWebMaster
2013-08-03, 00:02
FYI...

WordPress v3.6 released
- https://wordpress.org/download/
August 1, 2013 - "The latest stable release of WordPress (Version 3.6) is available..."

- https://wordpress.org/news/2013/08/oscar/
"... WordPress, version 3.6, is now live to the world and includes a beautiful new blog-centric theme, bullet-proof autosave and post locking, a revamped revision browser, native support for audio and video embeds, and improved integrations with Spotify, Rdio, and SoundCloud..."

Release Post
- https://codex.wordpress.org/Version_3.6

Changelog
- https://codex.wordpress.org/Changelog/3.6

:spider:

AplusWebMaster
2013-08-12, 04:34
FYI...

Thunderbird v17.0.8 released
- https://www.mozilla.org/en-US/thunderbird/17.0.8/releasenotes
August 6, 2013

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird17.0.8
Fixed in Thunderbird 17.0.8
MFSA 2013-75 Local Java applets may read contents of local file system
MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest
MFSA 2013-72 Wrong principal used for validating URI for some Javascript components
MFSA 2013-71 Further Privilege escalation through Mozilla Updater
MFSA 2013-69 CRMF requests allow for code execution and XSS attacks
MFSA 2013-68 Document URI misrepresentation and masquerading
MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html
___

- http://www.securitytracker.com/id/1028887
CVE Reference: CVE-2013-1701, CVE-2013-1702, CVE-2013-1706, CVE-2013-1707, CVE-2013-1709, CVE-2013-1710, CVE-2013-1712, CVE-2013-1713, CVE-2013-1714, CVE-2013-1717
Aug 6 2013
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 17.0.8 ...

- https://secunia.com/advisories/54413/
Release Date: 2013-08-07
Criticality: Highly Critical
Where: From remote
Impact: Security Bypass, Spoofing, Exposure of sensitive information, Privilege escalation, System access
... vulnerabilities are reported in the following products:
* Mozilla Thunderbird and Thunderbird ESR versions prior to 17.0.8...

:fear::fear:

AplusWebMaster
2013-09-13, 16:33
FYI...

WordPress v3.6.1 released
- https://wordpress.org/download/
Sep 11, 2013 - "The latest stable release of WordPress (Version 3.6.1) is available..."

- http://www.securitytracker.com/id/1029025
Sep 11 2013
Impact: Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 3.6.1 ...
Solution: The vendor has issued a fix (3.6.1).
The vendor's advisory is available at:
- http://codex.wordpress.org/Version_3.6.1
"... Summary: From the announcement post*, this maintenance release addresses 13 bugs with version 3.6... Additionally: Version 3.6.1 fixes three security issues..."
* http://wordpress.org/news/2013/09/wordpress-3-6-1/

- https://secunia.com/advisories/54803/
Release Date: 2013-09-13
Criticality: Moderately Critical
Where: From remote
Impact: Security Bypass, Spoofing, System access
CVE Reference(s):
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4338 - 7.5 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4339 - 7.5 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4340 - 3.5
... weakness, security issue, and vulnerability are reported in versions prior to 3.6.1.
Solution: Update to version 3.6.1...

:fear::fear:

AplusWebMaster
2013-09-18, 14:32
FYI...

Thunderbird v24.0 released
- https://www.mozilla.org/en-US/thunderbird/24.0/releasenotes/
Sep 17, 2013

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird24.0
Fixed in Thunderbird 24.0
MFSA 2013-92 GC hazard with default compartments and frame chain restoration
MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-85 Uninitialized data in IonMonkey
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-81 Use-after-free with select element
MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-77 Improper state in HTML5 Tree Builder with templates
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html
___

- http://www.securitytracker.com/id/1029044
CVE Reference: CVE-2013-1718, CVE-2013-1719, CVE-2013-1720, CVE-2013-1722, CVE-2013-1723, CVE-2013-1724, CVE-2013-1726, CVE-2013-1728, CVE-2013-1730, CVE-2013-1732, CVE-2013-1735, CVE-2013-1736, CVE-2013-1737, CVE-2013-1738
Sep 17 2013
Impact: Denial of service via network, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 24.0; prior to ESR 17.0.9...

:fear::fear:

AplusWebMaster
2013-09-19, 13:49
FYI...

iOS7 released
- http://support.apple.com/kb/HT5934
Sep 18, 2013
- http://lists.apple.com/archives/security-announce/2013/Sep/msg00006.html

- https://secunia.com/advisories/54886/
Release Date: 2013-09-19
Criticality: Highly Critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Spoofing, Brute force, Exposure of sensitive information, DoS, System access
Operating System: Apple iOS 4.x for iPhone 3GS and later, Apple iOS 4.x for iPhone 4 (CDMA), Apple iOS 5.x for iPhone 3GS and later, Apple iOS 6.x for iPhone 3GS and later, Apple iOS for iPad 4.x, Apple iOS for iPad 5.x, Apple iOS for iPad 6.x, Apple iOS for iPod touch 6.x ...
Solution: Upgrade to version 7...
Original Advisory: APPLE-SA-2013-09-18-2:
http://support.apple.com/kb/HT5934

- http://www.securitytracker.com/id/1029054
CVE Reference: CVE-2011-2391, CVE-2013-0957, CVE-2013-1036, CVE-2013-1037, CVE-2013-1038, CVE-2013-1039, CVE-2013-1040, CVE-2013-1041, CVE-2013-1042, CVE-2013-1043, CVE-2013-1044, CVE-2013-1045, CVE-2013-1046, CVE-2013-1047, CVE-2013-3950, CVE-2013-3953, CVE-2013-3954, CVE-2013-3955, CVE-2013-4616, CVE-2013-5125, CVE-2013-5126, CVE-2013-5127, CVE-2013-5128, CVE-2013-5129, CVE-2013-5131, CVE-2013-5134, CVE-2013-5137, CVE-2013-5138, CVE-2013-5139, CVE-2013-5140, CVE-2013-5141, CVE-2013-5142, CVE-2013-5145, CVE-2013-5149, CVE-2013-5150, CVE-2013-5151, CVE-2013-5152, CVE-2013-5153, CVE-2013-5154, CVE-2013-5155, CVE-2013-5156, CVE-2013-5157, CVE-2013-5158, CVE-2013-5159
Sep 18 2013
Impact: Denial of service via local system, Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7 ...

- http://www.securitytracker.com/id/1029072
Sep 20 2013
Impact: User access via local system
Vendor Confirmed: Yes Exploit Included: Yes
Version(s): 7
... A local user can invoke the Apple Control Center and bypass the passcode lock screen to access photos and related photo sharing applications.... No solution was available at the time of this entry.
The vendor is working on a fix...
___

- http://www.theinquirer.net/inquirer/news/2295689/ios-7-download-glitches-infuriate-apple-users
Sep 19 2013 - "... Apple released its iOS 7 mobile operating system update on Wednesday, although download problems have meant that thousands still haven't been able to upgrade to the latest software. As seems typical with iOS updates, the release of iOS 7 didn't go smoothly. Thousands of keen iPhone and iPad users tried to download the iOS 7 update as soon as it went live... some users inundated with error messages after trying to install the software, while others were unable to download it at all... download failures likely having occurred because the firm's network and servers infrastructure couldn't handle the huge surge in traffic..."
___

iTunes 11.1 released
- http://support.apple.com/kb/HT5936
Sep 18, 2013
- http://lists.apple.com/archives/security-announce/2013/Sep/msg00005.html

- https://secunia.com/advisories/54893/
Release Date: 2013-09-19
Criticality: Highly Critical
Where: From remote
Impact: System access
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1035 - 9.3 (HIGH)
... vulnerability is reported in versions prior to 11.1.
Solution: Update to version 11.1.
Original Advisory: APPLE-SA-2013-09-18-1:
http://support.apple.com/kb/HT5936

- http://www.securitytracker.com/id/1029053
CVE Reference: CVE-2013-1035
Sep 18 2013
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 11.1 ...

:fear:

AplusWebMaster
2013-09-27, 05:08
FYI...

iOS 7.0.2 released
- http://support.apple.com/kb/HT5957
Sep 26, 2013
- http://lists.apple.com/archives/security-announce/2013/Sep/msg00009.html

- http://www.securitytracker.com/id/1029100
CVE Reference:
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5160 - 3.3
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5161 - 4.4
Sep 26 2013
Impact: User access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 7.0 ...
Solution: The vendor has issued a fix (7.0.2)...
___

iPhone and iPad users - iMessage bug in iOS 7
- http://www.theinquirer.net/inquirer/news/2297868/iphone-and-ipad-users-discover-an-imessage-bug-in-ios-7
Oct 01 2013 - "... some of Apple's forum members appear to have discovered a solution for the problem. Those suffering from the bug should disable iMessage in Settings > Messages, then reset the iPhone's network under Settings > General > Reset, then enable iMessage again. We've tried this, and our iMessage function seems to be back up and running as normal..."

:fear:

AplusWebMaster
2013-10-05, 21:47
FYI...

OpenOffice 4.0.1 released ...
- https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.0.1+Release+Notes
Sep 29, 2013 - "Apache OpenOffice 4.0.1 is a maintenance release which fixes critical issues and improves the overall quality of the application. All users of Apache OpenOffice 4.0 or earlier are advised to upgrade. You can download Apache OpenOffice 4.0.1 here*.
General areas of improvement include: additional native language translations, bug fixes, performance improvements and Windows 8 compatibility enhancements...

* http://www.openoffice.org/download/

Performance Improvements/Enhancements compared to OpenOffice 4.0.0:
The performance for saving XLS files was boosted by more than 230%.

Improvements/Enhancements missing in the OpenOffice 4.0.0 release notes:
OpenOffice 4.0 integrated the very popular extensions "Presenter Screen" and "Presentation Minimizer" into the core product.

Bug Fixes ..."

:blink:

AplusWebMaster
2013-10-09, 23:01
FYI...

Adblock Plus updates...
- https://adblockplus.org/releases/adblock-plus-24-for-firefox-adblock-plus-16-for-chrome-and-opera-released
2013-10-09 - "Adblock Plus 2.4 for Firefox, Adblock Plus 1.6 for Chrome and Opera released...
• Firefox-only changes
Fixed: Adblock Plus icon wasn’t showing up on browser startup for some users.
Fixed: Redirect blocking wasn’t working in current Firefox versions.
Fixed: Issue reporter fails to process some console errors.
Fixed: Adblock Plus fails to start up when updating in current Firefox nightly builds (workaround for bug 924340).
• Chrome/Opera-only changes
The number of ads blocked on a page and in total now shows up when the icon is clicked..."

- https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

:bigthumb:

AplusWebMaster
2013-10-16, 16:31
FYI...

Apple-SA-2013-10-15-1 Java for OS X 2013-005 and Mac OS X v10.6 Update 17
- http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html
15 Oct 2013

- https://secunia.com/advisories/55328/
Release Date: 2013-10-16
Criticality: Highly Critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
CVE Reference(s): CVE-2013-3829, CVE-2013-4002, CVE-2013-5772, CVE-2013-5774, CVE-2013-5775, CVE-2013-5776, CVE-2013-5777, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5788, CVE-2013-5789, CVE-2013-5790, CVE-2013-5797, CVE-2013-5800, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5805, CVE-2013-5806, CVE-2013-5809, CVE-2013-5810, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5838, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5844, CVE-2013-5846, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851, CVE-2013-5852, CVE-2013-5854
... update for Java for Mac OS X. This fixes multiple vulnerabilities, which can be exploited by malicious users to manipulate certain data and by malicious people to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.
For more information: https://secunia.com/SA55315/
Solution: Apply Java for OS X 2013-005 or Mac OS X v10.6 Update 17 (please see the vendor's advisory for details).
Original Advisory: APPLE-SA-2013-10-15-1:
http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html

:fear::fear:

AplusWebMaster
2013-10-22, 17:18
FYI...

Customizable Facebook page
- https://adblockplus.org/blog/customizable-facebook-page
2013-10-21 - "You can now customize Facebook with Adblock Plus. Under default settings, ABP blocks all Facebook ads – sponsored stories, page post ads, standard ads, promoted posts or otherwise. But there are other unneeded, potentially unwanted elements that insert themselves automatically into your news feed and sidebar. Now you can block these too..."
- http://facebook.adblockplus.me/en/

- http://www.infoworld.com/t/web-browsers/adblock-plus-new-target-facebook-annoyances-229247
Oct 22, 2013 - "... Many end users understand all too well that the vast majority of sites need ad revenue to survive, but are fed up with obnoxious, experience-killing ads that leak privacy data..."

:fear:

AplusWebMaster
2013-10-23, 14:34
FYI...

iOS 7.0.3 ...
- http://lists.apple.com/archives/security-announce/2013/Oct/msg00002.html
22 Oct 2013
- https://secunia.com/advisories/55447/
Release Date: 2013-10-23
NOT Critical ...
- http://www.securitytracker.com/id/1029233
CVE Reference: CVE-2013-5144, CVE-2013-5162, CVE-2013-5164
Oct 23 2013
Impact: User access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 7.0.2; iPhone 4 and later ...
Solution: The vendor has issued a fix (7.0.3).
The vendor's advisory is available at:
http://support.apple.com/kb/HT6010
___

Safari 6.1 ...
- http://lists.apple.com/archives/security-announce/2013/Oct/msg00003.html
22 Oct 2013
- https://secunia.com/advisories/55448/
Release Date: 2013-10-23
Criticality: Highly Critical
Where: From remote
Impact: Cross Site Scripting, Exposure of sensitive information, System access
CVE Reference(s): CVE-2013-1036, CVE-2013-1037, CVE-2013-1038, CVE-2013-1039, CVE-2013-1040, CVE-2013-1041, CVE-2013-1042, CVE-2013-1043, CVE-2013-1044, CVE-2013-1045, CVE-2013-1046, CVE-2013-1047, CVE-2013-2842, CVE-2013-2848, CVE-2013-5125, CVE-2013-5126, CVE-2013-5127, CVE-2013-5128, CVE-2013-5129, CVE-2013-5130, CVE-2013-5131
... vulnerabilities are reported in versions prior to 6.1.
Solution: Update to version 6.1.
Original Advisory: APPLE-SA-2013-10-22-2:
http://support.apple.com/kb/HT6000
___

OS X Mavericks v10.9 ...
- http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
22 Oct 2013
- https://secunia.com/advisories/55446/
Release Date: 2013-10-23
Criticality: Highly Critical
Where: From remote
Impact: Hijacking, Security Bypass, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access
Operating System: Apple Macintosh OS X
CVE Reference(s): CVE-2011-2391, CVE-2011-3389, CVE-2011-3427, CVE-2011-4944, CVE-2012-0845, CVE-2012-0876, CVE-2012-1150, CVE-2013-0249, CVE-2013-1667, CVE-2013-1944, CVE-2013-3950, CVE-2013-3954, CVE-2013-4073, CVE-2013-5135, CVE-2013-5138, CVE-2013-5139, CVE-2013-5141, CVE-2013-5142, CVE-2013-5145, CVE-2013-5165, CVE-2013-5166, CVE-2013-5167, CVE-2013-5168, CVE-2013-5169, CVE-2013-5170, CVE-2013-5171, CVE-2013-5172, CVE-2013-5173, CVE-2013-5174, CVE-2013-5175, CVE-2013-5176, CVE-2013-5177, CVE-2013-5178, CVE-2013-5179, CVE-2013-5180, CVE-2013-5181, CVE-2013-5182, CVE-2013-5183, CVE-2013-5184, CVE-2013-5185, CVE-2013-5186, CVE-2013-5187, CVE-2013-5188, CVE-2013-5189, CVE-2013-5190, CVE-2013-5191, CVE-2013-5192
Solution: Update to version 10.9 (Mavericks).
Original Advisory: APPLE-SA-2013-10-22-3:
http://support.apple.com/kb/HT6011
http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
___

iTunes 11.1.2
- http://lists.apple.com/archives/security-announce/2013/Oct/msg00009.html
22 Oct 2013
- https://secunia.com/advisories/55442/
Release Date: 2013-10-23
Criticality: Highly Critical
Where: From remote
Impact: Exposure of sensitive information, DoS, System access
Solution Status: Vendor Patch
CVE Reference(s): CVE-2011-3102, CVE-2012-0841, CVE-2012-2807, CVE-2012-2825, CVE-2012-2870, CVE-2012-2871, CVE-2012-5134, CVE-2013-1024, CVE-2013-1037, CVE-2013-1038, CVE-2013-1039, CVE-2013-1040, CVE-2013-1041, CVE-2013-1042, CVE-2013-1043, CVE-2013-1044, CVE-2013-1045, CVE-2013-1046, CVE-2013-1047, CVE-2013-2842, CVE-2013-5125, CVE-2013-5126, CVE-2013-5127, CVE-2013-5128
... vulnerabilities are reported in versions prior to 11.1.2.
Solution: Update to version 11.1.2.
Original Advisory: APPLE-SA-2013-10-22-8:
http://support.apple.com/kb/HT6001

:fear::fear::fear:

AplusWebMaster
2013-10-25, 21:53
FYI...

WordPress 3.7 released
- https://wordpress.org/download/
Oct 24, 2013 - "The latest stable release of WordPress (Version 3.7) is available..."

- http://wordpress.org/news/2013/10/basie/

- https://codex.wordpress.org/Version_3.7

- https://codex.wordpress.org/Changelog/3.7

- http://core.trac.wordpress.org/query?status=closed&milestone=3.7
Results... 438
___

- http://nakedsecurity.sophos.com/2013/10/26/wordpress-3-7-is-out-now-and-promises-to-update-while-you-sleep/
Oct 26, 2013 - "... it will automatically update itself with the latest maintenance and security releases... researchers believe that as many as 73% of the WordPress sites out there are vulnerable to attack purely because they aren't running the latest version... The automatic updater also supports themes and plugins - the software skins and add-ons that allow users to customise their WordPress websites..."
> http://nakedsecurity.sophos.com/2013/09/27/how-to-avoid-being-one-of-the-73-of-wordpress-sites-vulnerable-to-attack/

:fear::fear:

AplusWebMaster
2013-10-30, 13:27
FYI...

Thunderbird 24.1.1
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird24.1.1
Fixed in Thunderbird 24.1.1
MFSA 2013-103 Miscellaneous Network Security Services (NSS) vulnerabilities
- https://www.mozilla.org/security/announce/2013/mfsa2013-103.html

- https://www.mozilla.org/en-US/thunderbird/24.1.1/releasenotes/
Nov 19, 2013
___

Thunderbird v24.1 released
- https://www.mozilla.org/en-US/thunderbird/24.1/releasenotes/
Oct 29, 2013

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird24.1
Fixed in Thunderbird 24.1
MFSA 2013-102 Use-after-free in HTML document templates
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-97 Writing to cycle collected object during image decoding
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-94 Spoofing addressbar though SELECT element
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html
___

- https://secunia.com/advisories/55489/
Release Date: 2013-10-30
Criticality: Highly Critical
Where: From remote
Impact: Spoofing, System access
... see the vendor's advisories for a list of affected products and versions.
Solution: Update to a fixed version...

- http://www.securitytracker.com/id/1029272
CVE Reference: CVE-2013-5590, CVE-2013-5591, CVE-2013-5592, CVE-2013-5593, CVE-2013-5595, CVE-2013-5596, CVE-2013-5597, CVE-2013-5599, CVE-2013-5600, CVE-2013-5601, CVE-2013-5602, CVE-2013-5603, CVE-2013-5604
Oct 30 2013
Impact: Disclosure of system information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 24.1 ...
Solution: The vendor has issued a fix (24.1)...

:fear::fear:

AplusWebMaster
2013-10-30, 20:33
FYI...

WordPress 3.7.1 - Maintenance Release
- https://wordpress.org/news/2013/10/wordpress-3-7-1/
Oct 29, 2013 - "WordPress 3.7.1 is now available. This maintenance release addresses 11 bugs in WordPress 3.7 ..."

Changelog
- http://core.trac.wordpress.org/log/branches/3.7?stop_rev=25914&rev=25986

- http://core.trac.wordpress.org/query?milestone=3.7.1

:fear::fear:

AplusWebMaster
2013-11-04, 20:37
FYI...

OS X Mavericks upgr. destroys data, reports WD
Issues extend to external hard drives, as well as eSATA- or Thunderbolt-based peripherals from other vendors
- http://www.infoworld.com/t/storage/os-x-mavericks-upgrade-destroys-data-reports-western-digital-230100
Nov 04, 2013

:fear::fear::sad:

AplusWebMaster
2013-12-11, 11:24
FYI...

Thunderbird 24.2 released

- https://www.mozilla.org/en-US/thunderbird/24.2.0/releasenotes/
Dec 10, 2013

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird24.2
Fixed in Thunderbird 24.2
MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate
MFSA 2013-116 JPEG information leak
MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
MFSA 2013-114 Use-after-free in synthetic mouse movement
MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation
MFSA 2013-111 Segmentation violation when replacing ordered list elements
MFSA 2013-109 Use-after-free during Table Editing
MFSA 2013-108 Use-after-free in event listeners
MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html
___

- https://secunia.com/advisories/56002/
Release Date: 2013-12-10
Criticality: Highly Critical
Where: From remote
Impact: Unknown, Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access
CVE Reference(s): CVE-2013-5609, CVE-2013-5610, CVE-2013-5612, CVE-2013-5613, CVE-2013-5614, CVE-2013-5615, CVE-2013-5616, CVE-2013-5618, CVE-2013-5619, CVE-2013-6629, CVE-2013-6630, CVE-2013-6671, CVE-2013-6672, CVE-2013-6673
Solution: Update to a fixed version.

:fear:

AplusWebMaster
2013-12-14, 12:37
FYI...

WordPress v3.8 released
- http://wordpress.org/download/
Dec 12, 2013 - "The latest stable release of WordPress (Version 3.8) is available..."

- https://wordpress.org/news/2013/12/parker/

- http://core.trac.wordpress.org/log/branches/3.8

- http://core.trac.wordpress.org/query?milestone=3.8

:fear:

AplusWebMaster
2013-12-17, 16:21
FYI...

Safari 7.0.1 released
- https://secunia.com/advisories/56122/
Release Date: 2013-12-17
Criticality: Highly Critical
Where: From remote
Impact: Security Bypass, System access
CVE Reference(s): CVE-2013-2909, CVE-2013-5195, CVE-2013-5196, CVE-2013-5197, CVE-2013-5198, CVE-2013-5199, CVE-2013-5225, CVE-2013-5227, CVE-2013-5228
Solution: Update to version 6.1.1 or 7.0.1.
Original Advisory: APPLE-SA-2013-12-16-1:
http://support.apple.com/kb/HT6082
___

OSX 10.9.1 released
- https://secunia.com/advisories/56144/
Release Date: 2013-12-17
Criticality: Highly Critical
Where: From remote
Impact: Security Bypass, System access
CVE Reference(s): CVE-2013-2909, CVE-2013-5195, CVE-2013-5196, CVE-2013-5197, CVE-2013-5198, CVE-2013-5199, CVE-2013-5225, CVE-2013-5227, CVE-2013-5228
For more information: https://secunia.com/SA56122/
... security issue and vulnerabilities are reported in version 10.9.
Solution: Update to version 10.9.1.
Original Advisory: APPLE-SA-2013-12-16-2:
http://support.apple.com/kb/HT6084

:fear::fear:

AplusWebMaster
2013-12-18, 06:43
FYI...

IrfanView 4.37 released
- https://secunia.com/advisories/54959/
Release Date: 2013-12-17
Criticality: Highly Critical
Where: From remote
Impact: System access
CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5351
... vulnerability is confirmed in version 4.36. Prior versions may also be affected.
Solution: Update to version 4.37.
Original Advisory: IrfanView:
- http://www.irfanview.com/main_history.htm
Version 4.37 ( - CURRENT VERSION - ) (Release date: 2013-12-16)

- https://secunia.com/advisories/54444/
Release Date: 2013-12-17
Criticality: Highly Critical
Where: From remote
Impact: System access
CVE Reference(s): CVE-2013-3944, CVE-2013-3945, CVE-2013-3946
... vulnerabilities are confirmed in version 4.36. Prior versions may also be affected.
Solution: Update to version 4.37.
Original Advisory: IrfanView:
- http://www.irfanview.com/plugins.htm
The current PlugIns version is: 4.37
___

- http://www.irfanview.com/main_download_engl.htm

Alternative download sites:
- http://www.majorgeeks.com/files/details/irfanview.html

- http://www.majorgeeks.com/files/details/irfanview_plugins.html

:fear:

AplusWebMaster
2013-12-18, 08:20
FYI...

Winamp ends - 12.20.2013 ...
- http://www.winamp.com/media-player/en
"Winamp.com and associated web services will no longer be available past December 20, 2013. Additionally, Winamp Media players will no longer be available for download. Please download the latest version before that date. See release notes for latest improvements to this last release. Thanks for supporting the Winamp community for over 15 years."

:sad:

AplusWebMaster
2013-12-20, 13:18
FYI...

Google Picasa 3.9.0 Build 137.69 released
- https://secunia.com/advisories/55555/
Release Date: 2013-12-20
Criticality: Highly Critical
Where: From remote
Impact: System access
CVE Reference(s): CVE-2013-5349, CVE-2013-5357, CVE-2013-5358, CVE-2013-5359
... vulnerabilities are confirmed in version 3.9.0 Build 136.20 running on Windows and reported in versions -prior- to 3.9.0 Build 137.69 running on Mac. Prior versions may also be affected.
Solution: Update to version 3.9.0 Build 137.69 or later.
Original Advisory: Google Picasa:
- https://support.google.com/picasa/answer/53209
Secunia Research:
- http://secunia.com/secunia_research/2013-14/

- http://www.securitytracker.com/id/1029527
CVE Reference: CVE-2013-5349, CVE-2013-5357, CVE-2013-5358, CVE-2013-5359
Dec 20 2013
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 3.9.0 Build 136.20 for Windows; possibly other versions
Solution: The vendor has issued a fix (3.6 Build 137.69 for Windows, 3.9.137.119 for Mac).
The vendor's advisory is available at:
- https://support.google.com/picasa/answer/53209

:fear:

AplusWebMaster
2014-01-23, 03:25
FYI...

iTunes 11.1.4 released
- https://support.apple.com/kb/HT6001
Jan 22, 2014
CVE-2011-3102, CVE-2012-0841, CVE-2012-2807, CVE-2012-2825, CVE-2012-5134, CVE-2012-2870, CVE-2012-2871, CVE-2013-1024, CVE-2013-1037, CVE-2013-1038, CVE-2013-1039, CVE-2013-1040, CVE-2013-1041, CVE-2013-1042, CVE-2013-1043, CVE-2013-1044, CVE-2013-1045, CVE-2013-1046, CVE-2013-1047, CVE-2013-2842, CVE-2013-5125, CVE-2013-5126, CVE-2013-5127, CVE-2013-5128, CVE-2014-1242

Use Apple Software Update to get it.

- http://www.securitytracker.com/id/1029671
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1242 - 5.8
Jan 23 2014
Impact: Disclosure of system information, Modification of system information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 11.1.4
Description: A vulnerability was reported in Apple iTunes. A remote user can conduct man-in-the-middle attacks.
Solution: The vendor has issued a fix (11.1.4)...

:fear:

AplusWebMaster
2014-01-28, 13:30
FYI...

Missing msvcr80.dll not found after the install of iTunes latest update
Had to uninstall iTunes and reinstall ...

Microsoft Visual C++ 2005 SP1 Redistributable Package (x64)
- http://www.microsoft.com/en-us/download/details.aspx?id=18471

- https://discussions.apple.com/message/24633790#24633790

- https://discussions.apple.com/thread/5817040?start=0&tstart=0

... patchmanagement.org // get patchmanagement 32979
Date: Mon, 27 Jan 2014 16:32:59 -0800
From: Susan Bradley ...
___

- http://www.infoworld.com/t/microsoft-windows/msvcr80dll-errors-and-other-problems-plague-itunes-11114-windows-235228
Jan 29, 2014

:fear::fear:

AplusWebMaster
2014-02-05, 14:39
FYI...

Thunderbird v24.3.0 released
- http://www.securitytracker.com/id/1029721
CVE Reference: CVE-2014-1477, CVE-2014-1478, CVE-2014-1479, CVE-2014-1481, CVE-2014-1482, CVE-2014-1486, CVE-2014-1487, CVE-2014-1490, CVE-2014-1491
Feb 5 2014
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 24.3 ...
Solution: The vendor has issued a fix (24.3)...
- https://www.mozilla.org/en-US/thunderbird

Release Notes
- https://www.mozilla.org/en-US/thunderbird/24.3.0/releasenotes/

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird24.3
MFSA 2014-13 Inconsistent JavaScript handling of access to Window objects
MFSA 2014-12 NSS ticket handling issues
MFSA 2014-09 Cross-origin information leak through web workers
MFSA 2014-08 Use-after-free with imgRequestProxy and image proccessing
MFSA 2014-04 Incorrect use of discarded images by RasterImage
MFSA 2014-02 Clone protected content with XBL scopes
MFSA 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html

:fear:

AplusWebMaster
2014-02-07, 15:19
FYI...

Process Explorer v16.0
- http://technet.microsoft.com/en-us/sysinternals/bb896653
Feb 4, 2014 - "Thanks to collaboration with the team at VirusTotal, this Process Explorer update introduces integration with VirusTotal.com, an online antivirus analysis service. When enabled, Process Explorer sends the hashes of images and files shown in the process and DLL views to VirusTotal and if they have been previously scanned, reports how many antivirus engines identified them as possibly malicious. Hyperlinked results take you to VirusTotal.com report pages and you can even submit files for scanning."

> https://isc.sans.edu/diaryimages/images/process%20explorer%20-%20virus%20total.png

:bigthumb:

AplusWebMaster
2014-02-22, 13:26
FYI...

iOS 7.0.6
- http://support.apple.com/kb/HT6147
Feb 21, 2014 - "... Data Security: Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later...
CVE-2014-1266..."

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1266 - 6.8

iOS 6.1.6
- http://support.apple.com/kb/HT6146
Feb 21, 2014 - "... Data Security: Available for: iPhone 3GS, iPod touch (4th generation)...
CVE-2014-1266..."

- http://www.securitytracker.com/id/1029811
CVE Reference: CVE-2014-1266
Feb 21 2014
Fix Available: Yes Vendor Confirmed: Yes...
Impact: A remote user with the ability to conduct a man-in-the-middle attack can decrypt SSL/TLS sessions.
Solution: The vendor has issued a fix (6.1.6, 7.0.6)...
___

Apple TV 6.0.2
- http://support.apple.com/kb/HT6148
Feb 21, 2014 - "... Apple TV: Available for: Apple TV 2nd generation and later...
CVE-2014-1266..."

- http://www.securitytracker.com/id/1029812
CVE Reference: CVE-2014-1266
Feb 22 2014
Fix Available: Yes Vendor Confirmed: Yes...
Impact: A remote user with the ability to conduct a man-in-the-middle attack can decrypt SSL/TLS sessions.
Solution: The vendor has issued a fix (6.0.2)...
___

Apple Releases Security Updates for iOS devices and Apple TV
- https://www.us-cert.gov/ncas/current-activity/2014/02/21/Apple-Releases-Security-Updates-iOS-devices-and-Apple-TV
Feb 21, 2014

- http://support.apple.com/kb/HT1222

:fear::fear:

AplusWebMaster
2014-02-25, 23:15
FYI...

OS X Mavericks v10.9.2 update
- http://support.apple.com/kb/HT6114
Feb 25, 2014 - "OS X Mavericks v10.9.2 Update is recommended for all OS X Mavericks users. It improves the stability, compatibility, and security of your Mac..."
(More detail at the URL above.)

OS X Mavericks 10.9.2 and Security Update 2014-001
- http://support.apple.com/kb/HT6150
Feb 25, 2014

- http://lists.apple.com/archives/security-announce/2014/Feb/msg00000.html

- http://www.securitytracker.com/id/1029825
CVE Reference: CVE-2014-1254, CVE-2014-1255, CVE-2014-1256, CVE-2014-1257, CVE-2014-1258, CVE-2014-1259, CVE-2014-1260, CVE-2014-1261, CVE-2014-1262, CVE-2014-1263, CVE-2014-1264, CVE-2014-1265
Feb 26 2014
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of system information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.7.5, 10.8.5, 10.9, 10.9.1...
Solution: The vendor has issued a fix (OS X Mavericks v10.9.2, Security Update 2014-001)...
___

Safari 6.1.2, 7.0.2
- http://support.apple.com/kb/HT6145
Feb 25, 2014

- http://lists.apple.com/archives/security-announce/2014/Feb/msg00001.html

- http://www.securitytracker.com/id/1029826
CVE Reference: CVE-2014-1268, CVE-2014-1269, CVE-2014-1270
Feb 26 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 6.1.2 and 7.0.2...
Solution: The vendor has issued a fix (6.1.2, 7.0.2)...
___

QuickTime 7.7.5 released
- http://support.apple.com/kb/HT6151
Feb 25, 2014 - "Available for: Windows 7, Vista, XP SP2 or later..."

- http://lists.apple.com/archives/security-announce/2014/Feb/msg00002.html

- http://www.securitytracker.com/id/1029823
CVE Reference: CVE-2014-1243, CVE-2014-1244, CVE-2014-1245, CVE-2014-1246, CVE-2014-1247, CVE-2014-1248, CVE-2014-1249, CVE-2014-1250, CVE-2014-1251
Feb 26 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7.7.5 for Windows...
Solution: The vendor has issued a fix (7.7.5 for Windows; on OS X apply APPLE-SA-2014-02-25-1 OS X Mavericks 10.9.2 or Security Update 2014-001)...

... use Apple Software Update.

:fear:

AplusWebMaster
2014-03-11, 11:05
FYI...

iOS 7.1 released
- http://www.securitytracker.com/id/1029888
CVE Reference: CVE-2013-5133, CVE-2013-6835, CVE-2014-1267, CVE-2014-1271, CVE-2014-1272, CVE-2014-1273, CVE-2014-1274, CVE-2014-1275, CVE-2014-1276, CVE-2014-1277, CVE-2014-1278, CVE-2014-1281, CVE-2014-1282, CVE-2014-1284, CVE-2014-1285, CVE-2014-1286, CVE-2014-1287, CVE-2014-1280, CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, CVE-2014-1293, CVE-2014-1294
Mar 11 2014
Impact: Denial of service via network, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7.1 ...
Solution: The vendor has issued a fix (7.1).
The vendor's advisory is available at:
- http://support.apple.com/kb/HT6162
"... Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later..."

- https://secunia.com/advisories/57294/
Release Date: 2014-03-11
Criticality: Highly Critical
Where: From remote
Impact: Security Bypass, Spoofing, Exposure of sensitive information, System access
Operating System: Apple iOS 7.x for iPhone 4 and later, Apple iOS for iPad 7.x, Apple iOS for iPod touch 7.x
Solution: Update to version 7.1.
___

Apple TV 6.1 released
- http://www.securitytracker.com/id/1029889
CVE Reference: CVE-2014-1267, CVE-2014-1271, CVE-2014-1272, CVE-2014-1273, CVE-2014-1275, CVE-2014-1278, CVE-2014-1279, CVE-2014-1280, CVE-2014-1282, CVE-2014-1287, CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, CVE-2014-1293, CVE-2014-1294
Mar 11 2014
Impact: Denial of service via network, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 6.1 ...
Solution: The vendor has issued a fix (6.1).
The vendor's advisory is available at:
- http://support.apple.com/kb/HT6163

- https://secunia.com/advisories/57297/
Release Date: 2014-03-11
Criticality: Highly Critical
Where: From remote
Impact: Security Bypass, Spoofing, Exposure of sensitive information, System access
Operating System: Apple TV 6.x
Solution: Update to version 6.1.

:fear::fear:

AplusWebMaster
2014-03-19, 13:21
FYI...

Thunderbird 24.4 released
- http://www.securitytracker.com/id/1029930
CVE Reference: CVE-2014-1493, CVE-2014-1494, CVE-2014-1496, CVE-2014-1497, CVE-2014-1499, CVE-2014-1505, CVE-2014-1508, CVE-2014-1509, CVE-2014-1510, CVE-2014-1511, CVE-2014-1512, CVE-2014-1513, CVE-2014-1514
Mar 19 2014
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 24.4
- https://www.mozilla.org/en-US/thunderbird

Release Notes
- https://www.mozilla.org/en-US/thunderbird/24.4.0/releasenotes/

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird24.4
MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering
MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects
MFSA 2014-30 Use-after-free in TypeObject
MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs
MFSA 2014-28 SVG filters information disclosure through feDisplacementMap
MFSA 2014-27 Memory corruption in Cairo during PDF font rendering
MFSA 2014-26 Information disclosure through polygon rendering in MathML
MFSA 2014-17 Out of bounds read during WAV file decoding
MFSA 2014-16 Files extracted during updates are not always read only
MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html

:fear:

AplusWebMaster
2014-03-24, 19:38
FYI...

Malwarebytes 2.0 released
- http://blog.malwarebytes.org/news/2014/03/malwarebytes-anti-malware-2-0/
Mar 24, 2014 - "... This is the biggest rewrite we have ever undertaken... Malwarebytes Anti-Malware 2.0 ships with a completely redesigned user interface to make the product easier to use, more informative, and to provide quicker access to key functionality... We believe that products should be nag-free and cleanup shouldn’t cost our users a dime, and we’re going to stay true to that. Scanning for and removing malware will be free in this new version and beyond! You didn’t pay to get infected, you shouldn’t pay to clean it up... all that said, you can download 2.0 here*... FAQs for 2.0 here**..."
* http://www.malwarebytes.org/update/

** https://helpdesk.malwarebytes.org/entries/45274777-What-does-Malwarebytes-Anti-Malware-2-0-mean-for-me-
___

Users Guide
- http://www.malwarebytes.org/support/guides/mbam/

:2thumb:

AplusWebMaster
2014-04-02, 16:22
FYI...

Safari 7.0.3, 6.1.3 released
- http://www.securitytracker.com/id/1029983
CVE Reference: CVE-2013-2871, CVE-2014-1297, CVE-2014-1298, CVE-2014-1299, CVE-2014-1300, CVE-2014-1301, CVE-2014-1302, CVE-2014-1303, CVE-2014-1304, CVE-2014-1305, CVE-2014-1307, CVE-2014-1308, CVE-2014-1309, CVE-2014-1310, CVE-2014-1311, CVE-2014-1312, CVE-2014-1313
Apr 2 2014
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 6.1.3 and 7.0.3
Solution: The vendor has issued a fix (6.1.3, 7.0.3).
The vendor's advisory is available at:
- http://support.apple.com/kb/HT6181

:fear:

AplusWebMaster
2014-04-10, 21:40
FYI...

WordPress 3.8.2 released
- https://secunia.com/advisories/57769/
Release Date: 2014-04-10
Criticality: Moderately Critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting
... vulnerabilities are reported in versions prior to 3.8.2.
Solution: Update to version 3.8.2.
Original Advisory:
- http://wordpress.org/news/2014/04/wordpress-3-8-2/
April 8, 2014 - "WordPress 3.8.2 is now available. This is an important security release for all previous versions and we strongly encourage you to update your sites immediately. This release fixes a weakness that could let an attacker force their way into your site by forging authentication cookies... This release also fixes nine bugs and contains three other security hardening changes..."

- http://wordpress.org/download/

Changelog
- https://core.trac.wordpress.org/browser/?rev=28060
___

- http://www.securitytracker.com/id/1030071
CVE Reference:
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0165 - 4.0
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0166 - 6.4 (HIGH)
Apr 11 2014
Impact: Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 3.7.2 and 3.8.2 ...
Solution: The vendor has issued a fix (3.7.2, 3.8.2)...
- http://wordpress.org/news/2014/04/wordpress-3-8-2/

:fear::fear:

AplusWebMaster
2014-04-14, 13:24
FYI...

- http://tools.cisco.com/security/center/publicationListing.x

Multiple Cisco Products - OpenSSL Heartbeat Extension Vulnerability
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
Last Updated: 2014 April 18 - "Summary: Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server. The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or Datagram Transport Layer Security (DTLS) client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. An exploit could send a specially crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords. Please note that the devices that are affected by this vulnerability are the devices acting as an SSL server terminating SSL connections or devices acting as an SSL Client initiating an SSL connection. Devices that are simply traversed by SSL traffic without terminating it are not affected. This advisory will be updated as additional information becomes available. Cisco will release free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities may be available..."
Revision 1.10 - 2014-April-18 - Updated the Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable, and Software Versions and Fixes sections.

:fear:

AplusWebMaster
2014-04-24, 17:21
FYI...

iOS 7.1.1
- http://support.apple.com/kb/HT6208
Apr 22, 2014 - iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
- https://secunia.com/advisories/58140/

OSX Security Update 2014-002
- http://support.apple.com/kb/HT6207
Apr 22, 2014 - OS X Lion v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.2
- https://secunia.com/advisories/58081/

AirPort Base Station Firmware Update 7.7.3
- http://support.apple.com/kb/HT6203
Apr 22, 2014 - AirPort Extreme and AirPort Time Capsule base stations with 802.11ac
- https://secunia.com/advisories/58142/

- http://support.apple.com/kb/HT1222

:fear::fear:

AplusWebMaster
2014-04-30, 13:22
FYI...

Thunderbird 24.5.0 released
- http://www.securitytracker.com/id/1030165
CVE Reference: CVE-2014-1520, CVE-2014-1523, CVE-2014-1524, CVE-2014-1529, CVE-2014-1530, CVE-2014-1531, CVE-2014-1532
Apr 30 2014
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 24.5.0 ...
Solution: The vendor has issued a fix (24.5.0)...

- https://www.mozilla.org/en-US/thunderbird

Release Notes
- https://www.mozilla.org/en-US/thunderbird/24.5.0/releasenotes/

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird24.5
Fixed in Thunderbird 24.5
MFSA 2014-46 Use-after-free in nsHostResolve
MFSA 2014-44 Use-after-free in imgLoader while resizing images
MFSA 2014-43 Cross-site scripting (XSS) using history navigations
MFSA 2014-42 Privilege escalation through Web Notification API
MFSA 2014-38 Buffer overflow when using non-XBL object as XBL
MFSA 2014-37 Out of bounds read while decoding JPG images
MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service Installer
MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html

:fear:

AplusWebMaster
2014-05-03, 13:53
FYI...

OpenOffice 4.1.0 released
- http://www.openoffice.org/download/
2014-Apr-29

AOO 4.1 Release Notes
- https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1+Release+Notes
last edited May 05, 2014

- https://blogs.apache.org/OOo/entry/the_apache_openoffice_project_announce

Buglist
- https://issues.apache.org/ooo/buglist.cgi?bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED&list_id=135003&query_format=advanced&target_milestone=4.1.0
313 issues found.

:spider:

AplusWebMaster
2014-05-08, 15:51
FYI...

Sumatra PDF 2.5.1 released
- http://blog.kowalczyk.info/software/sumatrapdf/download-free-pdf-viewer.html

Version history
- http://blog.kowalczyk.info/software/sumatrapdf/news.html
2.5.1 (2014-05-07)
Supported OS: Windows 8, Windows 7, Vista, XP.
Changes in this release:
... fix frequent ebook crashes
2.5 (2014-05-05)
Changes in this release:
2 page view for ebooks
new keybindings:
Ctrl+PgDn, Ctrl+Right : go to next page
Ctrl+PgUp, Ctrl+Left : go to previous page
10x faster ebook layout
support JP2 images
new advanced settings: ShowMenuBar, ReloadModifiedDocuments, CustomScreenDPI
left/right clicking no longer changes pages in fullscreen mode (use Presentation mode if you rely on this feature)
fixed multiple crashes and made multiple minor improvements...

:fear:

AplusWebMaster
2014-05-09, 21:40
FYI...

WordPress 3.9.1 released
- https://wordpress.org/download/
May 8, 2014 - "The latest stable release of WordPress (Version 3.9.1) is available..."

- https://wordpress.org/news/2014/05/wordpress-3-9-1/
"... This maintenance release fixes -34- bugs in 3.9, including numerous fixes for multisite networks, customizing widgets while previewing themes, and the updated visual editor. We’ve also made some improvements to the new audio/video playlists feature and made some adjustments to improve performance..."

:fear::fear:

AplusWebMaster
2014-05-22, 17:50
FYI...

Safari 6.1.4, 7.0.4 released
- http://support.apple.com/kb/HT6254
May 21, 2014

- http://support.apple.com/kb/HT1222

- http://www.securitytracker.com/id/1030269
CVE Reference: CVE-2013-2875, CVE-2014-1323, CVE-2014-1324, CVE-2014-1326, CVE-2014-1327, CVE-2014-1329, CVE-2014-1330, CVE-2014-1331, CVE-2014-1333, CVE-2014-1334, CVE-2014-1335, CVE-2014-1336, CVE-2014-1337, CVE-2014-1338, CVE-2014-1339, CVE-2014-1341, CVE-2014-1342, CVE-2014-1343, CVE-2014-1344, CVE-2014-1731, CVE-2014-1346
May 22 2014
Impact: Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 6.1.4, 7.0.4 ...
Solution: The vendor has issued a fix (6.1.4, 7.0.4).
The vendor's advisory is available at:
- http://support.apple.com/kb/HT6254

:fear:

AplusWebMaster
2014-06-05, 15:39
FYI...

OpenSSL Security Advisory 2014.06.05 ...
- https://www.openssl.org/news/secadv_20140605.txt
5 Jun 2014
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0195 - 6.8
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0198 - 4.3
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0221 - 4.3
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 - 6.8
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3470 - 4.3
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298 - 4.0

- https://www.openssl.org/source/

- https://isc.sans.edu/diary.html?storyid=18211
2014-06-05 - "... update to one of these OpenSSL versions:
OpenSSL 0.9.8za
OpenSSL 1.0.0m
OpenSSL 1.0.1h ..."

- http://www.kb.cert.org/vuls/id/978508
Last revised: 06 Jun 2014
- http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=978508&SearchOrder=4
___

- http://www.securitytracker.com/id/1030336
CVE Reference: CVE-2014-0224
Jun 5 2014
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 0.9.8za, 1.0.0m, 1.0.1h ...
Impact: A remote user can conduct a man-in-the-middle attack to decrypt and modify data.
Solution: The vendor has issued a fix (0.9.8za, 1.0.0m, 1.0.1h)...
The vendor's advisory is available at:
- http://www.openssl.org/news/secadv_20140605.txt

> http://www.securitytracker.com/id/1030337

> http://www.securitytracker.com/id/1030338

:fear::fear:

AplusWebMaster
2014-06-07, 12:00
FYI...

AdblockPlus 2.6.3 released
- https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/versions/?page=1#version-2.6.3
June 3, 2014
* Worked around a Firefox bug preventing filters from being saved in Firefox 22 and older on Windows.
* Default context menu is no longer overridden on the toolbar icon if a left click would result in the same action already.
* Fixed: Adblock Plus toolbar icon appears delayed.
* Fixed: Warning shows up in console concerning use of setUserData (only resolved for Firefox 32 and higher).
* Fixed: Bogus tooltip on the "Slow" column in Filter Preferences.

:fear:

AplusWebMaster
2014-06-11, 11:54
FYI...

Thunderbird 24.6 released
- http://www.securitytracker.com/id/1030386
CVE Reference: CVE-2014-1533, CVE-2014-1534, CVE-2014-1536, CVE-2014-1537, CVE-2014-1538, CVE-2014-1541
Jun 11 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 24.6 ...
Impact: A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (24.6)...

- https://www.mozilla.org/en-US/thunderbird

- https://www.mozilla.org/en-US/thunderbird/24.6.0/releasenotes/
v.24.6.0, released: June 10, 2014

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird24.6
Fixed in Thunderbird 24.6
MFSA 2014-52 Use-after-free with SMIL Animation Controller
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html

:fear:

AplusWebMaster
2014-07-01, 11:27
FYI...

OS X 10.9.4 / Security Update 2014-003
- https://support.apple.com/kb/HT6296
Jun 30, 2014
- http://www.securitytracker.com/id/1030505
CVE Reference: CVE-2014-1317, CVE-2014-1370, CVE-2014-1371, CVE-2014-1372, CVE-2014-1373, CVE-2014-1375, CVE-2014-1376, CVE-2014-1377, CVE-2014-1378, CVE-2014-1379, CVE-2014-1380, CVE-2014-1381

Safari 6.1.5 / 7.0.5
- https://support.apple.com/kb/HT6293
Jun 30, 2014
- http://www.securitytracker.com/id/1030495
CVE Reference: CVE-2014-1325, CVE-2014-1340, CVE-2014-1345, CVE-2014-1362, CVE-2014-1363, CVE-2014-1364, CVE-2014-1365, CVE-2014-1366, CVE-2014-1367, CVE-2014-1368, CVE-2014-1369, CVE-2014-1382

iOS 7.1.2
- http://support.apple.com/kb/HT6297
Jun 30, 2014
- http://www.securitytracker.com/id/1030500
CVE Reference: CVE-2014-1348, CVE-2014-1349, CVE-2014-1350, CVE-2014-1351, CVE-2014-1352, CVE-2014-1353, CVE-2014-1354, CVE-2014-1355, CVE-2014-1356, CVE-2014-1357, CVE-2014-1358, CVE-2014-1359, CVE-2014-1360, CVE-2014-1361
- http://support.apple.com/kb/HT4623

Apple TV 6.2
- http://support.apple.com/kb/HT6298
Jun 30, 2014
- http://www.securitytracker.com/id/1030503
CVE Reference: CVE-2014-1383

:fear::fear:

AplusWebMaster
2014-07-11, 18:06
FYI...

OS X / Safari - Flash Player updates available
- http://support.apple.com/kb/HT5655
July 10, 2014 - "... If the version of Adobe Flash plug-in you are using is out of date, you may see the message, "Blocked plug-in", "Flash Security Alert" or "Flash out-of-date" when attempting to view Flash content in Safari. Clicking the indicator displays an alert, "Adobe Flash Player is out-of-date."
In order to use Adobe Flash you need to update to a later version:
- Click the Download Flash button.
- Safari opens Adobe Flash Player installer page on the Adobe website.
- Click the Download now button on the Adobe website to download the latest Adobe Flash Player installer.
- After the download completes, open the downloaded disk image (usually located in your Downloads folder) if it does not open automatically.
In the window that appears, open the installer and follow the onscreen instructions.
Note: If you need to run an older version of Flash, you can use web plug-in management* to re-enable it for specific websites using "Run in Unsafe Mode" (??) in Safari 6.1 or later..."
* http://support.apple.com/kb/HT5954

:fear::fear:

AplusWebMaster
2014-07-16, 02:43
FYI...

Oracle Critical Patch Update Advisory - July 2014
- https://www.us-cert.gov/ncas/current-activity/2014/07/15/Oracle-Releases-July-2014-Security-Advisory
July 15, 2014 - "Oracle has released its Critical Patch Update for July 2014 to address 113 vulnerabilities across multiple products.
This update contains the following security fixes:
• 5 for Oracle Database Server
• 29 for Oracle Fusion Middleware
• 7 for Oracle Hyperion
• 1 for Oracle Enterprise Manager Grid Control
• 5 for the Oracle E-Business Suite
• 3 for Oracle Supply Chain Products Suite
• 5 for Oracle PeopleSoft Products
• 6 for Oracle Siebel CRM
• 1 for Oracle Communications Applications
• 3 for Oracle Retail Applications
• 20 for Oracle Java SE
• 3 for Oracle and Sun Systems Products Suite
• 15 for Oracle Virtualization
• 10 for Oracle MySQL
US-CERT encourages users and administrators to review the Oracle July 2014 Critical Patch Update* and apply the necessary updates."
* http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html#PIN

> https://blogs.oracle.com/security/entry/july_2014_critical_patch_update
___

- https://atlas.arbor.net/briefs/index#-1227693199
High Severity
17 Jul 2014

:fear:

AplusWebMaster
2014-07-23, 11:59
FYI...

Thunderbird 31.0 released
- http://www.securitytracker.com/id/1030620
CVE Reference: CVE-2014-1547, CVE-2014-1548, CVE-2014-1549, CVE-2014-1550, CVE-2014-1551, CVE-2014-1552, CVE-2014-1555, CVE-2014-1556, CVE-2014-1557, CVE-2014-1558, CVE-2014-1559, CVE-2014-1560
Jul 22 2014
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 31.0 ...

- https://www.mozilla.org/en-US/thunderbird

- https://www.mozilla.org/en-US/thunderbird/31.0/releasenotes/
v31.0, released: July 22, 2014

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird31
Fixed in Thunderbird 31
MFSA 2014-66 IFRAME sandbox same-origin access through redirect
MFSA 2014-65 Certificate parsing broken by non-standard character encoding
MFSA 2014-64 Crash in Skia library when scaling high quality images
MFSA 2014-63 Use-after-free while when manipulating certificates in the trusted cache
MFSA 2014-62 Exploitable WebGL crash with Cesium JavaScript library
MFSA 2014-61 Use-after-free with FireOnStateChange event
MFSA 2014-59 Use-after-free in DirectWrite font handling
MFSA 2014-58 Use-after-free in Web Audio due to incorrect control message ordering
MFSA 2014-57 Buffer overflow during Web Audio buffering for playback
MFSA 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html

:fear:

AplusWebMaster
2014-07-26, 15:29
FYI...

Adblock Plus 2.6.4
- https://adblockplus.org/releases/adblock-plus-264-for-firefox-released
2014-07-22
Changes:
- Made sure that data is always written to disk immediately whenever filter hit counts are reset (issue 430).
- Fixed: Moving filters with Ctrl-Up/Down doesn’t work in Firefox 30 and above (issue 716).
- Fixed: Find functionality in the preferences doesn’t indicate that the search pattern wasn’t found (issue 455).
- Fixed: User isn’t informed about anti-adblock warnings on websites producing them (issue 764).
- Fixed: Blockable items aren’t refreshed on tab change in SeaMonkey (issue 290).
- Fixed: “Disable on this page only” doesn’t work correctly if the address ends with # (issue 580)...

- https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

:fear:

AplusWebMaster
2014-08-07, 12:21
FYI...

WordPress 3.9.2 released
- https://wordpress.org/download/
Aug 6, 2014 - "The latest stable release of WordPress (Version 3.9.2) ..."

- http://wordpress.org/news/2014/08/wordpress-3-9-2/
Aug 6, 2014 - "WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately..."

Release notes
- http://codex.wordpress.org/Version_3.9.2

- https://core.trac.wordpress.org/log/branches/3.9?stop_rev=29383&rev=29411
___

- http://www.securitytracker.com/id/1030684
Aug 7 2014
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 3.9.2 ...

- http://atlas.arbor.net/briefs/index#918586250
Elevated Severity
7 Aug 2014

:fear::fear:

AplusWebMaster
2014-08-13, 16:03
FYI...

Adblock Plus 1.2 for IE released
- https://adblockplus.org/releases/adblock-plus-12-for-internet-explorer-released
2014-08-13

:fear:

AplusWebMaster
2014-08-14, 03:11
FYI...

Safari 6.1.6, 7.0.6 released
- http://support.apple.com/kb/HT6367
Aug 13, 2014
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.4
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling...
___

- http://www.securitytracker.com/id/1030731
CVE Reference: CVE-2014-1384, CVE-2014-1385, CVE-2014-1386, CVE-2014-1387, CVE-2014-1388, CVE-2014-1389, CVE-2014-1390
Aug 14 2014
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 6.1.6, 7.0.6 ...
Impact: A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (6.1.6, 7.0.6)...

:fear::fear:

AplusWebMaster
2014-08-25, 14:12
FYI...

OpenOffice 4.1.1 released
- http://www.openoffice.org/download/
Released 2014-08-21

Release Notes
- https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.1+Release+Notes
"Apache OpenOffice 4.1.1 is a micro release intended to fix critical issues. All users of Apache OpenOffice 4.1.0 or earlier are advised to upgrade. You can download Apache OpenOffice 4.1.1 here*. Please review these Release Notes to learn what is new in this version as well as important remarks concerning known issues and their workarounds. Our Bugzilla issue tracking database provides a detailed list of solved issues**..."
* http://www.openoffice.org/download/

** http://s.apache.org/AOO411-solved

Known Issues
- https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.1+Release+Notes#AOO4.1.1ReleaseNotes-KnownIssues
___

- http://www.securitytracker.com/id/1030754
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3575 - 4.3
Aug 22 2014
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 4.1.1
Impact: A remote user can obtain potentially sensitive file information.
Solution: The vendor has issued a fix (4.1.1)...

- http://www.securitytracker.com/id/1030755
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3524 - 9.3 (HIGH)
Aug 22 2014
Impact: Disclosure of user information, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 4.1.0 and prior...
Solution: The vendor has issued a fix (4.1.1)...

:fear::fear:

AplusWebMaster
2014-09-03, 14:56
FYI...

Thunderbird 31.1 released
- http://www.securitytracker.com/id/1030794
CVE Reference: CVE-2014-1553, CVE-2014-1554, CVE-2014-1562, CVE-2014-1563, CVE-2014-1564, CVE-2014-1565, CVE-2014-1567
Sep 3 2014
Impact: Disclosure of system information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 24.8, 31.1 ...
Solution: The vendor has issued a fix (24.8, 31.1).

- https://www.mozilla.org/en-US/thunderbird

- https://www.mozilla.org/en-US/thunderbird/31.1.0/releasenotes/
v.31.1.0, released: Sep 2, 2014

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#31.1
Fixed in Thunderbird 31.1
MFSA 2014-72 Use-after-free setting text directionality
MFSA 2014-70 Out-of-bounds read in Web Audio audio timeline
MFSA 2014-69 Uninitialized memory use during GIF rendering
MFSA 2014-68 Use-after-free during DOM interactions with SVG
MFSA 2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html

:fear:

AplusWebMaster
2014-09-04, 16:22
FYI...

Adblock Plus 1.8.4 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-184-for-chrome-opera-and-safari-released
2014-09-03
Adblock Plus 1.8.4 for Chrome:
- https://chrome.google.com/webstore/detail/cfhdojbkjhnklbpkdaibdccddilifddb
Adblock Plus 1.8.4 for Opera (Opera 17 or higher required):
- https://addons.opera.com/extensions/details/opera-adblock/
Adblock Plus 1.8.4 for Safari (Safari 6 or higher required):
- https://adblockplus.org/en/safari

:spider:

AplusWebMaster
2014-09-04, 22:42
FYI...

WordPress 4.0 released
- https://wordpress.org/download/
Sep 4, 2014 - "The latest stable release of WordPress (Version 4.0) is available..."

Release notes
- http://codex.wordpress.org/Version_4.0

Changelog
- http://codex.wordpress.org/Changelog/4.0

:fear:

AplusWebMaster
2014-09-08, 16:07
FYI...

Adblock Plus 1.8.5 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-185-for-chrome-opera-and-safari-released
2014-09-08
Adblock Plus 1.8.5 for Chrome:
- https://chrome.google.com/webstore/detail/cfhdojbkjhnklbpkdaibdccddilifddb
Adblock Plus 1.8.5 for Opera (Opera 17 or higher required):
- https://addons.opera.com/extensions/details/opera-adblock/
Adblock Plus 1.8.5 for Safari (Safari 6 or higher required):
- https://adblockplus.org/en/safari
Changes:
- Fixed: “Block Element” dialog was sometimes covered up by other page elements (issue 703).
- Fixed: Checkbox labels on the options page should be clickable (issue 1226).
Chrome/Opera-only changes:
- Adapted for changes in Chrome 36, Opera 23 and higher. Removed side-effects of element hiding on affected websites (e.g. Outlook 365) again (issue 1290).

:fear:

AplusWebMaster
2014-09-09, 15:25
FYI...

Prenotification Security Advisory for Adobe Reader and Acrobat
- https://helpx.adobe.com/security/products/reader/apsb14-20.html
Sep 5, 2014: Clarified the affected versions of Reader and Acrobat for the Windows and Macintosh platforms.
Sep 8, 2014: Updated the expected release date from September 9, 2014 to the week of September 15, 2014. The release was -delayed- to address issues identified during regression testing.

:fear:

AplusWebMaster
2014-09-18, 06:14
FYI...

iOS 8 released
- http://www.securitytracker.com/id/1030866
CVE Reference: CVE-2014-4352, CVE-2014-4353, CVE-2014-4354, CVE-2014-4356, CVE-2014-4357, CVE-2014-4361, CVE-2014-4362, CVE-2014-4363, CVE-2014-4364, CVE-2014-4366, CVE-2014-4367, CVE-2014-4368, CVE-2014-4369, CVE-2014-4371, CVE-2014-4372, CVE-2014-4373, CVE-2014-4374, CVE-2014-4375, CVE-2014-4377, CVE-2014-4378, CVE-2014-4379, CVE-2014-4380, CVE-2014-4381, CVE-2014-4383, CVE-2014-4384, CVE-2014-4386, CVE-2014-4388, CVE-2014-4389, CVE-2014-4404, CVE-2014-4405, CVE-2014-4407, CVE-2014-4408, CVE-2014-4409, CVE-2014-4410, CVE-2014-4411, CVE-2014-4412, CVE-2014-4413, CVE-2014-4414, CVE-2014-4415, CVE-2014-4418, CVE-2014-4419, CVE-2014-4420, CVE-2014-4421, CVE-2014-4422, CVE-2014-4423
Sep 18 2014
Impact: Denial of service via local system, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 8.0 ...
Solution: The vendor has issued a fix (8.0).
The vendor's advisory is available at:
- http://support.apple.com/kb/HT6441
Sep 17, 2014

- http://support.apple.com/kb/HT1222
17 Sept 2014
iOS 8 - iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
___

Safari 6.2 and 7.1
- http://support.apple.com/kb/HT6440
Sep 18, 2014

OS X Mavericks v10.9.5 and Security Update 2014-004
- http://support.apple.com/kb/HT6443
Sep 18, 2014

OS X Server v3.2.1
- http://support.apple.com/kb/HT6448
Sep 18, 2014
___

- http://atlas.arbor.net/briefs/index#2074331089
High Severity
Sep 26, 2014

:fear:

AplusWebMaster
2014-09-25, 13:26
FYI...

iOS 8.0.1 revoked - iPhone 6, 6+
- http://www.theinquirer.net/inquirer/news/2372128/apple-yanks-ios-801-after-update-borks-iphone-connectivity-touch-id
Sep 25, 2014 - "... iPhone 6 and iPhone 6 Plus users that downloaded the iOS 8.0.1 update and found that it somewhat ruined their days to roll back the update*. Apple released iOS 8.0.1 to iPhones on Wednesday, but all didn't go to plan. While speculation had suggested that the update would arrive with a slew of bug fixes, the update appears to have created more issues. Apple has accepted that some iPhone users have experienced loss of connectivity and breakage in Touch ID sign-in..."
* http://support.apple.com/kb/HT6487
Sep 25, 2014
___

- http://support.apple.com/kb/HT6487
Last Modified: Sep 26, 2014 - "iOS 8.0.2 is available now. It fixes the loss of cellular service and use of Touch ID that may have affected you if you have an iPhone 6 or iPhone 6 Plus and you downloaded iOS 8.0.1. It includes improvements and bug fixes originally in iOS 8.0.1. We apologize for inconveniencing you if you were affected by the bug in iOS 8.0.1. To resolve this issue, update your device to iOS 8.0.2* or later."
* http://support.apple.com/kb/HT4623

- https://discussions.apple.com/search.jspa?facet=content&type=discussion&sort=relevanceDesc&showAnsweredFirst=true&q=iOS%208.0.2%20problems
___

APPLE-SA-2014-09-23-1 OS X: Flash Player plug-in blocked
- https://lists.apple.com/archives/security-announce/2014/Sep/msg00000.html
Sep 23, 2014
Due to security issues in older versions, Apple has updated the
web plug-in blocking mechanism to disable all versions prior to
Flash Player 15.0.0.152 and 13.0.0.244.

Information on blocked web plug-ins will be posted to:
- http://support.apple.com/kb/HT5655
Last Modified: Sep 24, 2014

:fear:

AplusWebMaster
2014-09-27, 16:46
FYI...

Advisory (ICSA-14-269-01)
Bash Command Injection Vulnerability
- https://ics-cert.us-cert.gov//advisories/ICSA-14-269-01
Sep 26, 2014 - "... A command injection vulnerability has been reported in the Bourne again shell (bash). Bash is the common command-line used in most Linux/Unix-based operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system... Exploits that target this vulnerability are publicly available...
ICS-CERT recommends that -users- take the following measures to protect themselves from social engineering attacks:
1. Do not click web links or open unsolicited attachments in email messages.
2. Refer to Recognizing and Avoiding Email Scams* for more information on avoiding email scams.
3. Refer to Avoiding Social Engineering and Phishing Attacks** for more information on social engineering attacks..."

* http://www.us-cert.gov/reading_room/emailscams_0905.pdf

** https://www.us-cert.gov/ncas/tips/st04-014

:fear::fear:

AplusWebMaster
2014-09-30, 02:16
FYI...

OS X bash Updates ...
- http://support.apple.com/kb/HT6495
Sep 29, 2014 - Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands
Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement...

APPLE-SA-2014-09-29-1 OS X bash Update 1.0
- https://lists.apple.com/archives/security-announce/2014/Sep/msg00001.html
29 Sep 2014

OS X Lion
- http://support.apple.com/kb/DL1767
Sep 29, 2014
File Size: 3.5 MB

OS X Mountain Lion
- http://support.apple.com/kb/DL1768
Sep 29, 2014
File Size: 3.3 MB

OS X Mavericks
- http://support.apple.com/kb/DL1769
Sep 29, 2014
File Size: 3.3 MB

- http://arstechnica.com/apple/2014/09/apple-patches-shellshock-bash-bug-in-os-x-10-9-10-8-and-10-7/
Sept 29 2014

:fear::fear:

AplusWebMaster
2014-10-15, 15:39
FYI...

Thunderbird v31.2 released
- http://www.securitytracker.com/id/1031030
CVE Reference: CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1578, CVE-2014-1581, CVE-2014-1583, CVE-2014-1585, CVE-2014-1586
Oct 15 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 31.2 ...
Solution: The vendor has issued a fix (31.2)...

- https://www.mozilla.org/en-US/thunderbird

- https://www.mozilla.org/en-US/thunderbird/31.2.0/releasenotes/
v.31.2.0, released: Oct 14, 2014

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird31.2
Fixed in Thunderbird 31.2
MFSA 2014-81 Inconsistent video sharing within iframe
MFSA 2014-79 Use-after-free interacting with text directionality
MFSA 2014-77 Out-of-bounds write with WebM video
MFSA 2014-76 Web Audio memory corruption issues with custom waveforms
MFSA 2014-75 Buffer overflow during CSS manipulation
MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html

:fear:

AplusWebMaster
2014-10-15, 18:06
FYI...

Adblock Plus 1.8.6 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-186-for-chrome-opera-and-safari-released
2014-10-15 - "Adblock Plus 1.8.6 for Chrome, Opera (Opera 17 or higher required), and Safari (Safari 6 or higher required)..."

Links to the install files and more detail at the URL above.

:bigthumb:

AplusWebMaster
2014-10-16, 21:50
FYI...

OpenSSL patches 4 vulnerabilities
- https://www.us-cert.gov/ncas/current-activity/2014/10/16/OpenSSL-Patches-Four-Vulnerabilities
Oct 16, 2014 - "OpenSSL has released updates patching four vulnerabilities, some of which may allow an attacker to cause a Denial of Service (DoS) condition or execute man-in-the-middle attacks. The following updates are available:
OpenSSL 1.0.1 users should upgrade to 1.0.1j
OpenSSL 1.0.0 users should upgrade to 1.0.0o
OpenSSL 0.9.8 users should upgrade to 0.9.8zc
US-CERT recommends users and administrators review the OpenSSL Security Advisory* for additional information and apply the necessary updates."
* https://www.openssl.org/news/secadv_20141015.txt

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 - 4.3
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568
___

- http://www.securitytracker.com/id/1031053
Oct 15 2014

- http://www.securitytracker.com/id/1031052
Oct 15 2014

:fear::fear:

AplusWebMaster
2014-10-17, 13:17
FYI...

iTunes 12.0.1 released
- https://support.apple.com/kb/HT6537
Last Modified: Oct 16, 2014
CVE Reference(s): CVE-2013-2871, CVE-2013-2875, CVE-2013-2909, CVE-2013-2926, CVE-2013-2927, CVE-2013-2928, CVE-2013-5195, CVE-2013-5196, CVE-2013-5197, CVE-2013-5198, CVE-2013-5199, CVE-2013-5225, CVE-2013-5228, CVE-2013-6625, CVE-2013-6635, CVE-2013-6663, CVE-2014-1268, CVE-2014-1269, CVE-2014-1270, CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, CVE-2014-1293, CVE-2014-1294, CVE-2014-1298, CVE-2014-1299, CVE-2014-1300, CVE-2014-1301, CVE-2014-1302, CVE-2014-1303, CVE-2014-1304, CVE-2014-1305, CVE-2014-1307, CVE-2014-1308, CVE-2014-1309, CVE-2014-1310, CVE-2014-1311, CVE-2014-1312, CVE-2014-1313, CVE-2014-1323, CVE-2014-1324, CVE-2014-1325, CVE-2014-1326, CVE-2014-1327, CVE-2014-1329, CVE-2014-1330, CVE-2014-1331, CVE-2014-1333, CVE-2014-1334, CVE-2014-1335, CVE-2014-1336, CVE-2014-1337, CVE-2014-1338, CVE-2014-1339, CVE-2014-1340, CVE-2014-1341, CVE-2014-1342, CVE-2014-1343, CVE-2014-1344, CVE-2014-1362, CVE-2014-1363, CVE-2014-1364, CVE-2014-1365, CVE-2014-1366, CVE-2014-1367, CVE-2014-1368, CVE-2014-1384, CVE-2014-1385, CVE-2014-1386, CVE-2014-1387, CVE-2014-1388, CVE-2014-1389, CVE-2014-1390, CVE-2014-1713, CVE-2014-1731, CVE-2014-4410, CVE-2014-4411, CVE-2014-4412, CVE-2014-4413, CVE-2014-4414, CVE-2014-4415
___

Security Update 2014-005
- https://support.apple.com/kb/HT6531
Oct 16, 2014
> https://www.us-cert.gov/ncas/current-activity/2014/10/17/Apple-Releases-Security-Update-2014-005
Oct 17, 2014 - "... Security Update 2014-005 to address vulnerabilities in SSL 3.0..."
___

OS X Server v4.0
- http://support.apple.com/kb/HT6536
Oct 16, 2014

- http://www.securitytracker.com/id/1031071
___

OS X Yosemite v10.10
- http://support.apple.com/kb/HT6535
Oct 16, 2014

- http://www.securitytracker.com/id/1031063

- http://www.securitytracker.com/id/1031065

OS X Yosemite: List of available trusted root certificates
- http://support.apple.com/kb/HT6005
Oct 17, 2014

:fear::fear::fear:

AplusWebMaster
2014-10-17, 15:21
FYI...

Adblock Plus 2.6.5 for Firefox
- https://adblockplus.org/releases/adblock-plus-265-for-firefox-released
Changes:
- Fixed: Element hiding exceptions are broken by changes in Firefox 34 and Firefox 35 (issue 1241, issue 1381).
- Fixed: Blocking via context menu won’t always suggest blocking the most recent request (issue 362).
- Fixed: Issue reporter will complain about too many filter lists even when these filter lists are “special” like the anti-adblock list (issue 690).
- Fixed: Disabling filters via space bar no longer works in preferences (issue 1129).
- Fixed: Sharing Adblock Plus from the first-run page won’t work if the Anti-Social list is enabled (issue 1133).
- Fixed: Anti-Adblock warning will sometimes appear on websites without any anti-adblock behavior (issue 1161).
- Made $sitekey option behavior more consistent, it can be used similarly to $domain now rather than whitelisting complete websites only (issue 432).

- https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

:fear::fear:

AplusWebMaster
2014-10-21, 08:37
FYI...

iOS 8.1 released
- https://support.apple.com/kb/HT6541
Oct 20, 2014
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

- http://www.securitytracker.com/id/1031077/
CVE Reference: CVE-2014-4448, CVE-2014-4449, CVE-2014-4450
Oct 20 2014
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 8.1 ...

- https://en.greatfire.org/blog/2014/oct/china-collecting-apple-icloud-data-attack-coincides-launch-new-iphone
Oct 20, 2014 - "After previous attacks on Github, Google, Yahoo and Microsoft, the Chinese authorities are now staging a man-in-the-middle (MITM) attack on Apple’s iCloud... Firefox and Chrome will both prevent users from accessing iCloud.com when they are trying to access a site that is suffering from a MITM attack..."

- http://www.reuters.com/article/2014/10/21/us-apple-china-security-idUSKCN0I92H020141021
Oct 21, 2014
___

Apple TV 7.0.1
- https://support.apple.com/kb/HT6542
Oct 20, 2014

- https://support.apple.com/kb/HT1222

:fear:

AplusWebMaster
2014-10-23, 19:23
FYI...

- http://windowssecrets.com/top-story/protecting-yourself-from-poodle-attacks/
Oct 23, 2014 - "The following changes force your browser to not use SSL 3.0. Here’s what to adjust in the top three browsers...

Chrome: In Google’s browser, edit the shortcut that launches the browser, adding a flag to the end of the Shortcut path. Start by selecting the icon normally used to launch Chrome. Right-click the icon and select Properties. Under the Shortcut tab, find the box labeled “Target” and insert --ssl-version-min=tls1 immediately after chrome.exe" (see Figure 1). It should look something like this (note the space between .exe" and --ssl-):
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1
Figure 1: http://windowssecrets.com/wp-content/uploads/2014/10/W20141023-TS-Chrome.png

... in the Oct. 14 Mozilla blog post*, Firefox 34, due to be released on Nov. 25, will disable SSL 3.0 support. In the meantime, Mozilla recommends installing the add-on (download site**), “SSL Version Control 0.2” (see Figure 2), which will let you control SSL support within the browser. (Some websites have recommended adjusting Firefox settings in the configuration file, but Mozilla recommends using the add-on instead.)..."
* https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
** https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
Figure 2: http://windowssecrets.com/wp-content/uploads/2014/10/W20141023-TS-FF.png

... Internet Explorer: In IE, click the gear (settings) icon, open Internet options, and then select the Advanced tab. Scroll down the Settings list to the Security category, and then look for Use SSL 3.0. Uncheck the box (see Figure 3), click OK, and then relaunch IE... Microsoft released an initial security advisory on this topic; expect to see additional guidance in the near future...
Figure 3: http://windowssecrets.com/wp-content/uploads/2014/10/W20141023-TS-IE.png

... How to test your browser’s TLS/SSL protection:
Several websites test whether your currently open browser supports SSL 3.0. For a simple test, Poodletest.com displays a poodle dog if your browser still supports SSL 3.0, and a Springfield terrier if it doesn’t. On the other hand, Qualys SSL Labs (site***) provides a more detailed analysis of the SSL protocols your browser supports.
As noted above, some business sites such as online -banking- might still need SSL 3.0. Again, I recommend leaving SSL 3.0 support on -one- browser; it’ll be faster and safer than repeatedly adjusting browser settings. If you’re running a Web server or small-business server, you should -disable- SSL 3.0 support to better protect connected workstations and Internet-based phones... there’s a silver lining to this latest security mess — it should now force everyone on the Internet to finally abandon a dated, insecure protocol."
*** https://www.ssllabs.com/ssltest/viewMyClient.html
"Your user agent is not vulnerable..." < What you want to see after the new Firefox extension is installed.
___

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3513 - 7.1 (HIGH)
Last revised: 10/22/2014
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3567 - 7.1 (HIGH)
Last revised: 10/31/2014
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3568 - 4.3
Last revised: 10/31/2014

:fear::fear:

AplusWebMaster
2014-10-24, 14:01
FYI...

QuickTime 7.7.6 released
- https://support.apple.com/kb/HT6493
Oct 22, 2014
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4979 - 9.3 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4350 - 6.8
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4351 - 6.8
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1391 - 6.8

... use Apple Software Update.

- https://www.us-cert.gov/ncas/current-activity/2014/10/23/Apple-Releases-Security-Updates-QuickTime
Oct 23, 2014

:fear:

AplusWebMaster
2014-10-29, 13:40
FYI...

Adblock Plus 1.8.7 for Chrome and Opera released
- https://adblockplus.org/releases/adblock-plus-187-for-chrome-and-opera-released
2014-10-28
Install/update links at the URL above.

:fear:

AplusWebMaster
2014-11-10, 18:13
FYI...

Sumatra PDF reader v3.0 released
- http://blog.kowalczyk.info/software/sumatrapdf/news.html
Version history - v3.0 (2014-10-18)
Changes in this release:
- Tabs! Enabled by default. Use Settings/Options... menu to go back to the old UI
- support table of contents and links in ebook UI
- add support for PalmDoc ebooks
- swapped keybindings:
- F11: Fullscreen mode (still also Ctrl+Shift+L)
- F5: Presentation mode (also Shift+F11, still also Ctrl+L)
- added a document measurement UI. Press 'm' to start. Keep pressing 'm' to change measurement units
- new advanced settings: FullPathInTitle, UseSysColors (no longer exposed through the Options dialog), UseTabs
- replaced non-free UnRAR with a free RAR extraction library...

[prior version 2.5.2] ...

Download: http://blog.kowalczyk.info/software/sumatrapdf/download-free-pdf-viewer.html

:fear:

AplusWebMaster
2014-11-12, 16:41
FYI...

Adblock Plus 2.6.6 for Firefox released
- https://adblockplus.org/releases/adblock-plus-266-for-firefox-released
2014-11-11 - "... Adblock Plus will use a slightly different approach to read files from disk... reason is a change that Mozilla made for Firefox and that broke Adblock Plus completely in the Firefox nightly builds."

:fear:

AplusWebMaster
2014-11-18, 12:56
FYI...

iOS 8.1.1 released
- http://support.apple.com/en-us/HT6590
Nov 17, 2014
... for iPhone 4s and later, iPod touch 5th generation and later, and iPad 2 and later...
- http://www.securitytracker.com/id/1031232
CVE Reference: CVE-2014-4451, CVE-2014-4457, CVE-2014-4463
Nov 18 2014
Impact: Execution of arbitrary code via local system, User access via local system
Fix Available: Yes Vendor Confirmed: Yes ...
Solution: The vendor has issued a fix (8.1.1).
___

OS X Yosemite v10.10.1
- http://support.apple.com/en-us/HT6572
Nov 17, 2014
- http://www.securitytracker.com/id/1031230
CVE Reference: CVE-2014-4453, CVE-2014-4458, CVE-2014-4459, CVE-2014-4460
Nov 18 2014
Impact: Disclosure of system information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes ...
Solution: The vendor has issued a fix (10.10.1).
___

Apple TV 7.0.2
- http://support.apple.com/en-us/HT6592
Nov 17, 2014
- http://www.securitytracker.com/id/1031231
CVE Reference: CVE-2014-4452, CVE-2014-4455, CVE-2014-4461, CVE-2014-4462
Nov 18 2014
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes ...
Solution: The vendor has issued a fix (7.0.2).
___

- https://isc.sans.edu/diary.html?storyid=18961
Nov 17, 2014
- https://www.us-cert.gov/ncas/current-activity/2014/11/17/Apple-Releases-Security-Updates-iOS-OS-X-Yosemite-and-Apple-TV
Nov 17, 2014

:fear:

AplusWebMaster
2014-11-21, 12:03
FYI...

WordPress 4.0.1 Security Release
- https://wordpress.org/news/2014/11/wordpress-4-0-1/
Nov 20, 2014 - "WordPress 4.0.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately... WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site... This issue does not affect version 4.0, but version 4.0.1 does address these -eight- security issues..."

- http://www.securitytracker.com/id/1031243
Nov 20 2014
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 3.7.5, 3.8.5, 3.9.3, 4.0.1
Description: Several vulnerabilities were reported in WordPress. A remote user can cause denial of service conditions. A remote user can conduct cross-site scripting attacks. A remote user can conduct cross-site request forgery attacks. A remote user can compromise a target user's account...
Solution: The vendor has issued a fix (3.7.5, 3.8.5, 3.9.3, 4.0.1).
The vendor's advisory is available at:
- https://wordpress.org/news/2014/11/wordpress-4-0-1/

:fear::fear:

AplusWebMaster
2014-12-02, 13:41
FYI...

Thunderbird 31.3 released
- https://www.mozilla.org/en-US/thunderbird/31.3.0/releasenotes/
Dec 1, 2014

Fixed in Thunderbird 31.3
- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird31.3
2014-90 Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory
2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer
2014-88 Buffer overflow while parsing media content
2014-87 Use-after-free during HTML5 parsing
2014-85 XMLHttpRequest crashes with some input streams
2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html
___

- http://www.securitytracker.com/id/1031287
CVE Reference: CVE-2014-1587, CVE-2014-1588, CVE-2014-1590, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594, CVE-2014-1595
Dec 3 2014
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 31.3 ...
Solution: The vendor has issued a fix (31.3).

:fear:

AplusWebMaster
2014-12-03, 23:12
FYI...

Adblock Plus 1.8.8 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-188-for-chrome-opera-and-safari-released
2014-12-02
___

Adblock Plus - How to keep people from knowing you’ve read their Facebook message
- https://adblockplus.org/blog/how-to-keep-people-from-knowing-you-ve-read-their-facebook-message
2014-12-02 - "You know how you’re able to see that someone has “seen” your message on Facebook? If you’ve ever wanted others -not- to be informed about when/if you’ve read their Facebook messages, Adblock Plus has a new solution for you. Just click HERE* (and then click Add) to enable it automatically; read on for an explanation. By displaying the “seen” message you know that the person you’ve sent the message to has read the message... To enable it automatically simply click HERE*..."
(More detail and link* at the adblockplus URL above.)

:spider:

AplusWebMaster
2014-12-04, 14:36
FYI...

Safari 8.0.1, 7.1.1, 6.2.1 released
- http://support.apple.com/en-us/HT6596
Dec 3, 2014

- http://www.securitytracker.com/id/1031296
CVE Reference: CVE-2014-4465, CVE-2014-4466, CVE-2014-4468, CVE-2014-4469, CVE-2014-4470, CVE-2014-4471, CVE-2014-4472, CVE-2014-4473, CVE-2014-4474, CVE-2014-4475
Dec 4 2014
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 6.2.1, 7.1.1, 8.0.1
Solution: The vendor has issued a fix (6.2.1, 7.1.1, 8.0.1).
___

- http://www.theinquirer.net/inquirer/news/2385351/apple-pulls-failing-safari-update-after-it-forces-users-to-reinstall-os-x
Dec 05 2014 - "... The Safari update from 3 December addressed 13 security vulnerabilities, including some that were serious, in versions 8.0.1, 7.1.1 and 6.2.1. Most of the vulnerabilities were discovered by Apple internally. However, Mac OS X users soon complained that the update failed. The update processing claimed that it completed successfully, but it did not, and instead it removed Safari from users' systems. Users said that Apple support instructed them to reinstall Mac OS X* in order to recover Safari..."
* https://discussions.apple.com/thread/6706616?start=0&tstart=0

> https://discussions.apple.com/servlet/JiveServlet/showImage/2-27224066-507704/Screen+Shot+2014-12-04+at+1.25.31+AM.png

- http://support.apple.com/en-us/HT6596
Dec 4, 2014

- http://forums.macrumors.com/showthread.php?t=1825558

> http://support.apple.com/downloads/ ??

:fear:

AplusWebMaster
2014-12-10, 16:27
FYI...

iOS 8.1.2
- http://support.apple.com/en-us/HT6598
Last Modified: Dec 10, 2014 - "Available for... iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later"

:fear:

AplusWebMaster
2014-12-17, 16:55
FYI...

Adblock Plus 1.3 for IE released
- https://adblockplus.org/releases/adblock-plus-13-for-ie-released
2014-12-15 - "... version 1.3 fixes a lot of issues where ABP for IE either incorrectly blocked a request, or falsely allowed the request through, when it shouldn’t have... hope you’ll notice the improvement... list of changes:
General blocking improvements (issue 1265):
Improved detection of mime types
Added support for XMLHttpRequests
Added support for requests from Flash
Improved detection of a referrer of a request.
Fix element hiding on some sites (issue 1148)
Fix incorrect blocking of video content on some sites (issue 1231)
Block video ads where they weren’t blocked before (issue 1500)
Fix “Navigation canceled” messages if IFRAME is blocked (issue 1264)
Fix version string in Add/Remove programs (issue 1222)
Changes in the First Run Page (issue 1230, issue 1356) ..."

:blink:

AplusWebMaster
2014-12-19, 14:41
FYI...

WordPress Download Manager Security Bypass Vulnerability
- https://secunia.com/advisories/62641/
Release Date: 2014-12-18
Criticality: Highly Critical
... vulnerability is confirmed in version 2.7.4. Prior versions may also be affected.
Solution: Update to version 2.7.5...
- https://wordpress.org/plugins/download-manager/changelog/
2.7.81: WordPress v4.1 compatibility release
Last Updated: 2014-12-18

:fear::fear:

AplusWebMaster
2015-01-09, 03:10
FYI...

Adblock Plus 1.8.9 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-189-for-chrome-opera-and-safari-released
Jan 6, 2015 - "Install links...
Changes:
Worked around some circumvention attempts.
Fixed: Extension pages didn’t respect direction of right-to-left languages (issue 1668).
Fixed an issue when generating filters based on the style attribute (issue 1658).
Fixed an issue where “Block element” from the context menu didn’t work or in an inferior way than from the popup (issue 1611).
When blocking elements suggest filters based on all URLs associated with the element (issue 1601).
Removed the ‘Hide placeholders’ option (issue 1671).
Updated the extension description (issue 1643)..."

:fear:

AplusWebMaster
2015-01-14, 12:36
FYI...

Thunderbird 31.4.0 released
- https://www.mozilla.org/en-US/thunderbird/31.4.0/releasenotes/
Jan 13, 2015

- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird31.4
Fixed in Thunderbird 31.4
2015-04 Cookie injection through Proxy Authenticate responses
2015-03 sendBeacon requests lack an Origin header
2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/en-US/thunderbird/all.html
___

- http://www.securitytracker.com/id/1031534
CVE Reference: CVE-2014-8634, CVE-2014-8635, CVE-2014-8638, CVE-2014-8639
Jan 14 2015
Impact: Execution of arbitrary code via network, Modification of authentication information, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 31.4 ...

:fear:

AplusWebMaster
2015-01-18, 19:17
FYI...

Adblock Plus 2.6.7 for Firefox released
- https://adblockplus.org/releases/adblock-plus-267-for-firefox-released
Jan 14, 2015
Changes:
Removed “Hide placeholders of blocked elements” option from the user interface (issue 1670).
Fixed: First-run page broken in Firefox nightlies if E10S is enabled (issue 1663, issue 1706).
Fixed first-run page layout for right-to-left languages (issue 1668).
Fixed: “Adblock Warning Removal List” is being displayed as the selected list on Firefox Mobile (issue 1712).
Fixed: “Disable on site” doesn’t always show up on Firefox Mobile (issue 1713)...

:fear:

AplusWebMaster
2015-01-21, 14:04
FYI...

Adblock Plus 1.8.10 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-1810-for-chrome-opera-and-safari-released
2015-01-20
> Changes
Fixed: “Block element” didn’t highlight some elements correctly (issue 1751 and issue 1755).
Fixed: “Block element” didn’t work while the first run page was open (issue 1741).
> Chrome/Opera-only changes
Worked around an issue that broke printing of spreadsheets on Google Docs (issue 1770).
Adapted for a new API feature introduced in Chrome 41 and Opera 28, that allows to identify frames more efficiently and reliably (issue 1739).
> Safari-only changes
Fixed a potential memory leak in the messaging code (issue 1724).

Install/download links at the adblockplus URL above.

:fear:

AplusWebMaster
2015-01-28, 11:54
FYI...

OS X v10.10.2 and Security Update 2015-001
- http://support.apple.com/en-us/HT204244
Jan 27, 2015
> AFP Server, bash, Bluetooth, CFNetwork Cache, CoreGraphics, CPU Software, CommerceKit Framework, CoreGraphics, CoreSymbolication, FontParser, Foundation, Intel Graphics Driver, IOAcceleratorFamily, IOHIDFamily, IOKit, IOUSBFamily, Kernel, LaunchServices, libnetcore, LoginWindow, lukemftp, OpenSSL, Sandbox, SceneKit, Security, security_taskgate, Spotlight, SpotlightIndex, sysmond, UserAccountUpdater
(More detail at the URL above.)
> http://www.securitytracker.com/id/1031650

Safari 8.0.3, 7.1.3, 6.2.3 released
- http://support.apple.com/en-us/HT204243
Jan 27, 2015
> Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1
CVE-2014-3192, CVE-2014-4476, CVE-2014-4477, CVE-2014-4479
> http://www.securitytracker.com/id/1031647

iOS 8.1.3
- http://support.apple.com/en-us/HT204245
Jan 27, 2015
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
> AppleFileConduit, CoreGraphics, dyld, FontParser, Foundation, IOAcceleratorFamily, IOHIDFamily, iTunes Store, Kernel, libnetcore, MobileInstallation, Springboard, WebKit
(More detail at the URL above.)
> http://www.securitytracker.com/id/1031652

Apple TV 7.0.3
- http://support.apple.com/en-us/HT204246
Jan 27, 2015
> Available for: Apple TV 3rd generation and later
(More detail at the URL above.)
> http://www.securitytracker.com/id/1031651

> http://support.apple.com/en-us/HT1222

:fear::fear:

AplusWebMaster
2015-02-25, 12:22
FYI...

Thunderbird 31.5 released
- https://www.mozilla.org/en-US/thunderbird/31.5.0/releasenotes/
Feb 24, 2015

- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird31.5
Fixed in Thunderbird 31.5
2015-24 Reading of local files through manipulation of form autocomplete
2015-19 Out-of-bounds read and write while rendering SVG content
2015-16 Use-after-free in IndexedDB
2015-12 Invoking Mozilla updater will load locally stored DLL files
2015-11 Miscellaneous memory safety hazards (rv:36.0 / rv:31.5)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/en-US/thunderbird/all.html
___

- http://www.securitytracker.com/id/1031792
CVE Reference: CVE-2015-0822, CVE-2015-0827, CVE-2015-0831, CVE-2015-0833, CVE-2015-0835, CVE-2015-0836
Feb 24 2015
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 31.5 ...

:fear:

AplusWebMaster
2015-02-25, 16:19
FYI...

Adblock Plus 1.8.11 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-1811-for-chrome-opera-and-safari-released
2015-02-24
Changes:
Improved the icon and logo (issue 1535 and issue 1989).
Fixed: Filters with internationalized domains didn’t match (issue 1801).
Fixed: On the options page, input was submitted even if the wrong button was pressed (issue 1448).
Fixed some issues with the “Block element” dialog.
Fixed: Overlays were sometimes covered by other elements (issue 1857).
Fixed: Matching elements weren’t highlighted sometimes (issue 1864).
Fixed: Mouse events handled by the page could prevent the dialog from showing up (issue 1665).
Fixed: Dialog wasn’t completely visible when selecting elements inside small frames (issue 350).
Fixed several issues related to framesets (issue 1867, issue 1870 and issue 1082).
Fixed issues caused by selecting SVG elements (issue 1856).
Fixed: Images weren’t recognized when using image maps (issue 1868).
Fixed a memory leak when routing messages across frames (issue 1840).

Chrome/Opera-only changes:
Fixed: Icon and badge didn’t update for pre-rendered tabs (issue 1976).
Fixed issue with third-party pages loaded in anonymous frames (issue 1977).
Fixed: CSS selectors containing commas partially broke element hiding (issue 1802).
Fixed: “Block element” dialog and highlighted elements were staying visible after the extension is unloaded (issue 1843).

Safari-only changes:
Fixed an issue that broke the user interface for some languages (issue 2008).

(Install links at the adblockplus URL above.)

:fear:

AplusWebMaster
2015-02-26, 20:19
FYI...

Adblock Plus 1.4 for IE released
- https://adblockplus.org/releases/adblock-plus-14-for-ie-released
2015-02-26
We are updating Adblock Plus for IE with version 1.4.

... list of all improvements since version 1.3.

New in this release: the addition of the installer for Active Directory installs, which we really hope network administrators would appreciate.
There’s a x64-bit and x86-bit variant of the GPO installer.
Also, this version is the first version that will perform queries for notifications like all other ABP versions.

> https://downloads.adblockplus.org/devbuilds/adblockplus/00latest.changelog.xhtml

:fear:

AplusWebMaster
2015-03-03, 18:55
FYI...

AdblockPlus 1.3 for Android
- https://adblockplus.org/releases/adblock-plus-13-for-android-released
2015-03-03
If you already have Adblock Plus for Android, it should notify you about the update shortly and download it automatically.

We did a lot of under-the-hood changes again, rewrote the way libadblockplus is integrated (#16) and cleaned up the different methods for setting the proxy and deciding which method to use (#547).
Besides that we:
improved compatibility with Android Lollipop (#1498, #1848)
reduced the memory usage (#303)
included twelve new translations
and, of course, fixed a lot of various minor and major issues...

(Install links at the adblockplus URL above.)

:fear:

AplusWebMaster
2015-03-10, 15:28
FYI...

Apple Security Update 2015-002
- https://support.apple.com/en-us/HT204413
Mar 9, 2015
- http://www.securitytracker.com/id/1031869
CVE Reference: CVE-2015-1066
Mar 10 2015
Impact: Root access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.8.5, 10.9.5, 10.10.2...

iOS 8.2 released
- https://support.apple.com/en-us/HT204423
Mar 9, 2015
- http://www.securitytracker.com/id/1031868
CVE Reference: CVE-2015-1061, CVE-2015-1065
Mar 10 2015
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.8.5, 10.9.5, 10.10.2 ...
- https://lists.apple.com/archives/security-announce/2015/Mar/msg00000.html

Apple TV 7.1
- https://support.apple.com/en-us/HT204426
Mar 9, 2015

Xcode 6.2
- https://support.apple.com/en-us/HT204427
Mar 9, 2015

- https://support.apple.com/en-us/HT1222

- https://isc.sans.edu/diary.html?storyid=19443
Last Updated: 2015-03-10 - "... Apple also addressed a number of security vulnerabilities, most notably the "Freak" vulnerability. After updating, the affected operating systems no longer support export quality ciphers. However, Apple browsers continue to support SSLv3 and as a result, continue to be vulnerable to POODLE*...
* http://www.poodletest.com/
Quick Summary of the security content of Apple's updates:
- XCode 6.2: This update addresses 4 vulnerabilities in subversion and 1 in git.
- OS X: 5 vulnerabilities. The most serious of which is likely a code execution vulnerability in Keychain.
- Apple TV: 3 vulnerabilities. One of which would allow an attacker to write files to the system if the user mounts a corrupt disk image.
- iOS: 6 vulnerabilities. In addition to FREAK and the above mentioned Keychain problem, a vulnerability that allows an attacker with physical access to the device to see the home screen on a locked devices is patched..."

- https://www.us-cert.gov/ncas/current-activity/2015/03/09/Apple-Releases-Security-Updates-OS-X-iOS-and-Apple-TV
Mar 9, 2015

:fear::fear:

AplusWebMaster
2015-03-12, 12:59
FYI...

Adblock Plus 2.6.8 for Firefox released
- https://adblockplus.org/releases/adblock-plus-268-for-firefox-released
2015-03-10 - "This release features the improved icon and logo that are already being used in Chrome, Opera and Safari (issue 1534, issue 2053, issue 2072). It also fixes an issue with the search functionality in the Filter Preferences affecting Firefox 36 and above (issue 2041)..."

:fear:

AplusWebMaster
2015-03-13, 16:07
FYI...

Blind SQL Injection against WordPress SEO
- https://isc.sans.edu/diary.html?storyid=19457
2015-03-13 - "WordPress has released an advisory for the WordPress plugin SEO by Yoast. Version up to and including 1.7.3.3 can be exploited with a blind SQL injection. According to WordPress, this plugin has more than one million downloads. A description of the SQL injection with proof of concept is described here[3] and the latest update is available here[2]."

[1] https://wordpress.org/plugins/wordpress-seo/
[2] https://downloads.wordpress.org/plugin/wordpress-seo.1.7.4.zip
[3] https://wpvulndb.com/vulnerabilities/7841

:fear::fear:

AplusWebMaster
2015-03-18, 04:40
FYI...

Safari 8.0.4, 7.1.4, 6.2.4 released
- https://support.apple.com/en-us/HT204560
Mar 17, 2015
- https://lists.apple.com/archives/security-announce/2015/Mar/msg00004.html

- https://support.apple.com/en-us/HT1222

- http://www.securitytracker.com/id/1031936
CVE Reference: CVE-2015-1068, CVE-2015-1069, CVE-2015-1070, CVE-2015-1071, CVE-2015-1072, CVE-2015-1073, CVE-2015-1074, CVE-2015-1075, CVE-2015-1076, CVE-2015-1077, CVE-2015-1078, CVE-2015-1079, CVE-2015-1080, CVE-2015-1081, CVE-2015-1082, CVE-2015-1083, CVE-2015-1084
Mar 17 2015
Impact: Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available: Yes Vendor Confirmed: Yes...
Solution: The vendor has issued a fix (6.2.4, 7.1.4, 8.0.4).
___

- https://www.us-cert.gov/ncas/current-activity/2015/03/18/Apple-Releases-Security-Updates-Safari
March 18, 2015 - "... Updates include:
Safari 8.0.4 for OS X Mountain Lion v10.8.5
Safari 7.1.4 for OS X Mavericks v10.9.5
Safari 6.2.4 for OS X Yosemite v10.10.2
US-CERT encourages users and administrators to review Apple security update HT204560 ..."

:fear:

AplusWebMaster
2015-03-21, 12:23
FYI...

Apple Security Update 2015-003
- https://support.apple.com/en-us/HT204563
Mar 17, 2015
- https://lists.apple.com/archives/security-announce/2015/Mar/msg00005.html
Available for: OS X Yosemite v10.10.2
CVE-2015-1061, CVE-2015-1065

- https://support.apple.com/en-us/HT1222
OS X Yosemite v10.10.2 - 19 Mar 2015
___

- https://www.us-cert.gov/ncas/current-activity/2015/03/20/Apple-Releases-Security-Update-OS-X-Yosemite
March 20, 2015

:fear:

AplusWebMaster
2015-03-24, 20:33
FYI...

Installer Hijacking Vulnerability in Android Devices
- https://www.us-cert.gov/ncas/current-activity/2015/03/24/Installer-Hijacking-Vulnerability-Android-Devices
March 24, 2015 - "A vulnerability in Google's Android OS* has been discovered that could allow an attacker to change or replace a seemingly safe Android application with -malware- during installation. An attacker exploiting this vulnerability could access and steal user data on compromised devices without user knowledge. Devices running Android version 4.4 or later are -not- vulnerable. US-CERT advises users to ensure their devices are running an up-to-date version of Android and to use caution when installing software from third-party app stores."
* http://researchcenter.paloaltonetworks.com/2015/03/android-installer-hijacking-vulnerability-could-expose-android-users-to-malware/
March 24, 2015 - "Executive Summary: We discovered a widespread vulnerability in Google’s Android OS we are calling 'Android Installer Hijacking', estimated to impact 49.5 percent of all -current- Android users.
In detail: Android Installer Hijacking allows an attacker to modify or replace a seemingly benign Android app with malware, without user knowledge. This only affects applications downloaded from third-party app stores. The malicious application can gain full access to a compromised device, including usernames, passwords, and sensitive data. Palo Alto Networks worked with Google and major manufacturers such as Samsung and Amazon to inform them of the vulnerability and issue patches for their devices..."
____

- https://developer.android.com/about/dashboards/index.html
Data collected during a 7-day period ending on March 2, 2015
___

Backup Tool
> https://play.google.com/store/apps/details?id=com.backup.jl
Jan 15, 2015

How to Update an Android
> http://www.wikihow.com/Update-an-Android

How to update an Android OS
> http://www.ehow.com/how_6855334_update-android-os.html

> https://www.android.com/intl/en_us/phones/#tips
"*Instructions are tailored to most Android phones; however should these instructions not work for your device, please contact your manufacturer’s customer support..."

> https://www.android.com/intl/en_us/history/
___

Half of Android devices may be vulnerable to surreptitious install exploits
- http://arstechnica.com/security/2015/03/android-hijacking-bug-may-allow-attaclers-to-install-password-stealers/
Mar 25, 2015 - "... Time-of-check to time-of-use vulnerability*..."
* https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use

:fear::fear:

AplusWebMaster
2015-03-31, 00:15
FYI...

WordPress malware causes Pseudo-Darkleech Infection
- http://blog.sucuri.net/2015/03/pseudo-darkleech-server-root-infection.html
March 26, 2015 - "Darkleech* is a nasty malware infection that infects web servers at the root level. It uses malicious Apache modules to add hidden iFrames to certain responses. It’s difficult to detect because the malware is only active when both server and site admins are -not- logged in, and the iFrame is only injected once-a-day (or once a week in some versions) per IP address. This means that the infection symptoms are not easy to reproduce. Since it’s a server-level infection, even the most thorough website-level scans won’t reveal anything. And even when the culprit is identified, website owners may not be able to resolve the issue without help of a server administrator. Despite the detection difficulties, it was quite easy to tell that the server was infected with Darkleech when we saw the malicious code — it has followed the same recognizable pattern since 2012:
- Declaration of a CSS class with a random name and random negative absolute position
- A div of that class
- A malicious iFrame with random dimensions inside that div ..."
(More detail at the sucuri URL above.)
* http://blog.sucuri.net/2014/02/darkleech-bitly-com-insightful-statistics.html

> https://wordpress.org/plugins/sucuri-scanner/
WordPress Security plugin - Version 1.7.8
Last Updated: 2015-3-29
Active Installs: 100,000+
___

Current WordPress version 4.1.1
- https://wordpress.org/news/2015/02/wordpress-4-1-1/
Feb 18, 2015

:fear::fear:
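The three-part Darkleech pattern quoted from Sucuri in the post above (off-screen CSS class, a div of that class, an iFrame inside it), written as a check over a fetched response body. This is an added example, not part of the original post or Sucuri's code; the function names are hypothetical and the sample HTML, class names and URLs are constructed.

```python
import re
from html.parser import HTMLParser

# ".name { declarations }" -> class name and declaration body
RULE_RE = re.compile(r"\.([A-Za-z_][\w-]*)\s*\{([^}]*)\}")
ABSOLUTE_RE = re.compile(r"(?<![\w-])position\s*:\s*absolute\b", re.I)
# A negative top/left/right/bottom offset; the lookbehind skips margin-top etc.
NEGATIVE_RE = re.compile(r"(?<![\w-])(?:top|left|right|bottom)\s*:\s*-\s*\d", re.I)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


def offscreen_classes(css):
    """Class names whose rule is absolutely positioned at a negative offset."""
    found = set()
    for name, body in RULE_RE.findall(css):
        if ABSOLUTE_RE.search(body) and NEGATIVE_RE.search(body):
            found.add(name)
    return found


class _Collector(HTMLParser):
    """Collects inline CSS and, for every iframe, the classes of its ancestor divs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.css = []
        self.in_style = False
        self.stack = []      # open elements as (tag, set of classes)
        self.iframes = []    # (classes of enclosing divs, iframe attributes)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self.in_style = True
        elif tag == "iframe":
            div_classes = set()
            for open_tag, classes in self.stack:
                if open_tag == "div":
                    div_classes |= classes
            self.iframes.append((div_classes, attrs))
        if tag not in VOID_TAGS:
            self.stack.append((tag, set(attrs.get("class", "").split())))

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        # Close the nearest matching open element; ignore stray end tags.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)


def find_hidden_iframes(html):
    """Return iframes nested in a div whose class is positioned off-screen."""
    collector = _Collector()
    collector.feed(html)
    collector.close()
    hidden = offscreen_classes("".join(collector.css))
    findings = []
    for div_classes, attrs in collector.iframes:
        for name in sorted(div_classes & hidden):
            findings.append({
                "class": name,
                "src": attrs.get("src", ""),
                "width": attrs.get("width", ""),
                "height": attrs.get("height", ""),
            })
    return findings


# Constructed sample: a legitimate embed and tooltip plus the injected pattern.
INFECTED = """<html><head>
<style>.tooltip{position:absolute;top:12px;left:40px}</style>
<style>.kq7xwz{position:absolute;left:-1873px;top:-1542px}</style>
</head><body>
<div class="video"><iframe src="https://video.example/embed/1" width="560" height="315"></iframe></div>
<div class="kq7xwz"><iframe src="http://injected.example.invalid/x" width="283" height="417"></iframe></div>
</body></html>"""

# Constructed sample: the same page without the injection.
CLEAN = """<html><head>
<style>.tooltip{position:absolute;top:12px;left:40px}</style>
</head><body>
<div class="video"><iframe src="https://video.example/embed/1" width="560" height="315"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(INFECTED):
        print("off-screen iframe:", finding)
```

Because the quoted write-up says the iFrame is injected only once a day or week per IP address and never while admins are logged in, a clean result from one fetch does not clear the server; the check is useful on responses captured from varied client addresses or from proxy logs.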

AplusWebMaster
2015-04-01, 18:48
FYI...

Thunderbird 31.6 released
- https://www.mozilla.org/en-US/thunderbird/31.6.0/releasenotes/
March 31, 2015

- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird31.6
Fixed in Thunderbird 31.6
2015-40 Same-origin bypass through anchor navigation
2015-37 CORS requests should not follow 30x redirections after preflight
2015-33 resource:// documents can load privileged pages
2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/en-US/thunderbird/all.html
___

- http://www.securitytracker.com/id/1032000
CVE Reference: CVE-2015-0801, CVE-2015-0807, CVE-2015-0813, CVE-2015-0814, CVE-2015-0815, CVE-2015-0816
Apr 1 2015
Impact: Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 31.6...

:fear:

AplusWebMaster
2015-04-01, 19:54
FYI...

Adblock Plus 2.6.9 for Firefox released
- https://adblockplus.org/releases/adblock-plus-269-for-firefox-released
2015-03-31 - "This is another quality and stability release:
• Slightly optimized performance, domain-specific filters will no longer affect overall performance (issue 2177).
• Added extensions.adblockplus.suppress_first_run_page preference to allow administrators disable the first-run page if Adblock Plus is installed globally (issue 206). Note that additional changes are required to make this preference usable.
• Fixed: $elemhide filter option doesn’t consider website signatures correctly (issue 2151)..."

In Firefox: >Tools >Addons >Check for updates

:fear:

AplusWebMaster
2015-04-09, 02:43
FYI...

Security Update 2015-004 - OS X Yosemite v10.10.3
- https://support.apple.com/en-us/HT204659
Apr 8, 2015
> https://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
- http://www.securitytracker.com/id/1032048
CVE Reference: CVE-2015-1088, CVE-2015-1089, CVE-2015-1091, CVE-2015-1093, CVE-2015-1095, CVE-2015-1096, CVE-2015-1098, CVE-2015-1099, CVE-2015-1100, CVE-2015-1101, CVE-2015-1102, CVE-2015-1103, CVE-2015-1104, CVE-2015-1105, CVE-2015-1117, CVE-2015-1118, CVE-2015-1130, CVE-2015-1131, CVE-2015-1132, CVE-2015-1133, CVE-2015-1134, CVE-2015-1135, CVE-2015-1136, CVE-2015-1137, CVE-2015-1138, CVE-2015-1139, CVE-2015-1140, CVE-2015-1141, CVE-2015-1142, CVE-2015-1143, CVE-2015-1144, CVE-2015-1145, CVE-2015-1146, CVE-2015-1147, CVE-2015-1148
Apr 8 2015

Safari 8.0.5, 7.1.5, 6.2.5
- https://support.apple.com/en-us/HT204658
Apr 8, 2015 - "Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2..."
> https://lists.apple.com/archives/security-announce/2015/Apr/msg00000.html
- http://www.securitytracker.com/id/1032047
CVE Reference: CVE-2015-1112, CVE-2015-1119, CVE-2015-1120, CVE-2015-1121, CVE-2015-1122, CVE-2015-1124, CVE-2015-1126, CVE-2015-1127, CVE-2015-1128, CVE-2015-1129
Apr 8 2015

iOS 8.3
- https://support.apple.com/en-us/HT204661
Apr 8, 2015 - "Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later..."
> https://lists.apple.com/archives/security-announce/2015/Apr/msg00002.html
- http://www.securitytracker.com/id/1032050
CVE Reference: CVE-2015-1085, CVE-2015-1086, CVE-2015-1087, CVE-2015-1090, CVE-2015-1092, CVE-2015-1094, CVE-2015-1097, CVE-2015-1106, CVE-2015-1107, CVE-2015-1108, CVE-2015-1109, CVE-2015-1110, CVE-2015-1111, CVE-2015-1113, CVE-2015-1114, CVE-2015-1115, CVE-2015-1116, CVE-2015-1123, CVE-2015-1125
Apr 9 2015

Apple TV 7.2
- https://support.apple.com/en-us/HT204662
Apr 8, 2015
> https://lists.apple.com/archives/security-announce/2015/Apr/msg00003.html

Xcode 6.3
- https://support.apple.com/kb/HT204663
Apr 8, 2015 - "Available for: OS X Mavericks v10.9.4 or later..."
> https://lists.apple.com/archives/security-announce/2015/Apr/msg00004.html
- http://www.securitytracker.com/id/1032049
CVE Reference: CVE-2015-1149
Apr 9 2015

- https://support.apple.com/en-us/HT201222
___

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1118
Last revised: 04/10/2015 - "... Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows attackers to cause a denial of service (memory corruption and application crash) via a crafted configuration profile..."
> http://www.theregister.co.uk/2015/04/10/apple_phantom_attack_ios_fix/
10 Apr 2015

:fear::fear:

AplusWebMaster
2015-04-13, 14:55
M$ rolls back commitment to Do Not Track

- http://www.networkworld.com/article/2905862/microsoft-subnet/microsoft-rolls-back-commitment-to-do-not-track.html
Apr 3, 2015 - "Microsoft today rolled back its commitment to the nearly-dead "Do Not Track" (DNT) standard, saying that it would no longer automatically switch on the signal in its browsers. "DNT will not be the default state in Windows Express Settings moving forward, but we will provide customers with clear information on how to turn this feature on in the browser settings should they wish to do so," said Brendon Lynch, the firm's chief privacy officer, in a blog post* Friday. "Windows Express" is Microsoft's label for the setup process after first turning on a new PC or after the installation of an upgrade. Do Not Track signals whether a user wants online advertisers and websites to track his or her movements, and was modeled after the Do Not Call list that telemarketers are supposed to abide by. All five major browsers -- Chrome, Firefox, Internet Explorer (IE), Opera and Safari -- can send a DNT request. "This change will apply when customers set up a new PC for the first time, as well as when they upgrade from a previous version of Windows or Internet Explorer," added Lynch.
His comments implied that when users of Windows 7, 8 and 8.1 upgrade to Windows 10 later this year, the DNT setting in IE11 and Project Spartan -- the new browser that will be named the default -- will be left as off. Lynch cited new emphasis in the DNT standard for the change... Previously, Microsoft had been adamant about automatically enabling DNT, a decision it made in mid-2012 as it developed IE10, the browser bundled with the then-impending Windows 8 and its offshoot, Windows RT. IE10 was also offered to Windows 7 users. At the time, Lynch made clear Microsoft's position. "We believe turning on Do Not Track by default in IE10 on Windows 8 is an important step in this process of establishing privacy by default, putting consumers in control and building trust online," Lynch said in late May 2012. Even then, the words "choice" and "deliberate" were being bandied about, with many, including the advertising industry, arguing that users had to explicitly choose DNT, and that an automatic setting of "on" should not be allowed... Even then, ad industry lobbying groups howled, calling Microsoft's DNT moves "unacceptable" and arguing that IE's setting would "harm consumers, hurt competition, and undermine American innovation." Today's decision may have been a reversal of Microsoft's former position -- the latter fueled, analysts said, by the company's desire to take the privacy high ground to differentiate IE from rivals like Google's Chrome -- but it was largely moot. DNT has been in tatters for years, progress stymied by the inability of the various parties, particularly privacy advocates and the ad industry, to reach agreement. Not surprisingly, each has called the other obstinate, or worse. The fact is that only a handful of websites honor the DNT signal. DoNotTrack.us, for instance, lists just 21, with Twitter and Pinterest the biggest names. Today, Lynch tried to characterize the change as conforming with its previous position, rather than a surrender. 
"We said in 2012 that browser vendors should clearly communicate to consumers whether the DNT signal is turned off or on, and make it easy for them to change the setting," he wrote. "We did that for IE10 and IE11. And we're continuing to do so with future versions of our browsers."
* http://blogs.microsoft.com/on-the-issues/2015/04/03/an-update-on-microsofts-approach-to-do-not-track/
Brendon Lynch
Chief Privacy Officer, Microsoft

> http://donottrack.us/
___

Tracking Protection in Firefox
> https://support.mozilla.org/en-US/kb/tracking-protection-firefox

Privacy Badger:
- https://www.eff.org/privacybadger#what_is_privacy_badger
[Beta]

:fear: :blink:

AplusWebMaster
2015-04-22, 11:43
FYI...

WordPress 4.1.2 released
- https://wordpress.org/news/
April 21, 2015 - "WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site... We also fixed three other security issues..."

- https://wordpress.org/news/2015/04/wordpress-4-1-2/

Download
- https://wordpress.org/download/

- https://codex.wordpress.org/Version_4.1.2
April 21, 2015
• A serious critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
• Files with invalid or unsafe names could be uploaded.
• Some plugins are vulnerable to an SQL injection attack.
• A very limited cross-site scripting vulnerability could be used as part of a social engineering attack.
• Four hardening changes, including better validation of post titles within the Dashboard.

- https://www.us-cert.gov/ncas/current-activity/2015/04/23/WordPress-Releases-Security-Update
April 23, 2015
___

- http://www.securitytracker.com/id/1032199
Apr 27 2015
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 4.1.1, 4.1.2, and 4.2 (and prior)...
The original advisory is available at:
- http://klikki.fi/adv/wordpress2.html
Description: ... A remote user can conduct cross-site scripting attacks.
Solution: No solution was available at the time of this entry...

- https://www.exploit-db.com/exploits/36805/
2015-01-07
"Recommendation: The author has provided a fixed plugin version which should be installed
immediately.
product: WordPress Community Events Plugin
vulnerable version: 1.3.5 (and probably below)
fixed version: 1.4
CVE number: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3313
impact: CVSS Base Score 7.5 ...
homepage: https://wordpress.org/plugins/community-events/
___

WordPress Under Attack As Double Zero-Day Trouble Lands
- http://www.forbes.com/sites/thomasbrewster/2015/04/27/wordpress-zero-day-exploits/
4/27/2015 - "... The most pressing issue is a fresh zero-day, a previously unknown and unpatched weakness, affecting the latest version of WordPress, 4.2, and prior iterations, as revealed by Finnish company Klikki Oy yesterday. It released a video and proof of concept code for an exploit of the flaw, which allows a hacker to store malicious JavaScript code on WordPress site comments. Under normal circumstances, this should be blocked as it could be abused to send visitors’ usernames and passwords to a hacker’s site – what’s known as a cross-site scripting attack. All that’s required is for a user’s browser to parse the code when they land on the affected site... users should take all precautions necessary."

:fear::fear:

AplusWebMaster
2015-04-23, 00:52
FYI...

APPLE-SA-2015-04-21-1 OS X: Flash Player plug-in blocked
- https://lists.apple.com/archives/security-announce/2015/Apr/msg00005.html
21 Apr 2015 - "Due to security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player 17.0.0.169 and 13.0.0.281.
Information on blocked web plug-ins will be posted to:
- http://support.apple.com/en-us/HT202681 "

:fear:

AplusWebMaster
2015-04-28, 02:55
FYI...

WordPress 4.2.1 - Security Release
- https://wordpress.org/news/
April 27, 2015 - "WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately... the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site...
WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.
For more information, see the release notes* or consult the list of changes**..."

* https://codex.wordpress.org/Version_4.2.1

** https://core.trac.wordpress.org/log/branches/4.2?rev=32311&stop_rev=32300

Download
- https://wordpress.org/download/
___

- https://www.us-cert.gov/ncas/current-activity/2015/04/27/WordPress-Releases-Security-Update
April 27, 2015

- http://arstechnica.com/security/2015/04/27/just-released-wordpress-0day-makes-it-easy-to-hijack-millions-of-websites/
Apr 27, 2015

- http://blog.trendmicro.com/trendlabs-security-intelligence/wordpress-vulnerability-puts-millions-of-sites-at-risk-trend-micro-solutions-available/
April 29, 2015 - "... We urge site administrators to upgrade their versions of WordPress to the latest version (4.2.1), which fixes these vulnerabilities. This can usually be easily done via the WordPress dashboard..."

:fear::fear:

AplusWebMaster
2015-05-07, 17:02
FYI...

WordPress 4.2.2 Security and Maintenance Release
- https://wordpress.org/news/2015/05/wordpress-4-2-2/
May 7, 2015 - "WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
Version 4.2.2 addresses two security issues:
> The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it...
> WordPress versions 4.2 and earlier are affected by a -critical- cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue...
The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor... WordPress 4.2.2 also contains fixes for -13- bugs from 4.2...

Release notes:
- https://codex.wordpress.org/Version_4.2.2

Download:
- https://wordpress.org/download/
... or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.
___

- https://www.us-cert.gov/ncas/current-activity/2015/05/07/WordPress-Security-and-Maintenance-Release
May 07, 2015
___

- http://www.theinquirer.net/inquirer/news/2407642/wordpress-xss-flaw-leaves-millions-of-users-vulnerable-to-hackers-again
May 8 2015 - "... The two culprits are JetPack, a customisation and performance tool with one million active installations, and TwentyFifteen, a theme designed to enable infinite scrolling that is installed into new WordPress sites as a default. A Document Object Model (DOM)-based cross-site scripting (XSS) flaw has made the plugins vulnerable to hackers, and could affect millions of WordPress users. The attack payload is executed as a result of modifying the DOM environment in a victim's browser used by the original client side script, so that the client side code runs in an unexpected way. Security firm Sucuri* found that the flaw in the two plugins is the result of an insecure file included with genericons, which are vector icons embedded in a web font..."
* https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss.html#disqus_thread
May 6, 2015

:fear::fear:

AplusWebMaster
2015-05-14, 00:40
FYI...

Thunderbird 38 - delayed ...
- http://emailmafia.net/2015/05/12/thunderbird-38-delayed/
May 12, 2015 - "... Thunderbird 38.0 will -not- ship on the same date as Firefox 38.0 but will likely be delayed a couple of weeks... there are still a number of regressions that we are working on, and last week’s beta was the first beta that was feature complete. That means we will not be ready to ship according to the original schedule.
A current estimate of when we will ship Thunderbird 38.0 is approximately May 26."
___

Thunderbird 31.7 released

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird31.7
Fixed in Thunderbird 31.7
2015-57 Privilege escalation through IPC channel messages
2015-54 Buffer overflow when parsing compressed XML
2015-51 Use-after-free during text processing with vertical text enabled
2015-48 Buffer overflow with SVG content and CSS
2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)

Thunderbird 31.7 download:
- https://www.mozilla.org/en-US/thunderbird/all/
___

- http://www.securitytracker.com/id/1032303
CVE Reference: CVE-2011-3079, CVE-2015-0797, CVE-2015-2708, CVE-2015-2709, CVE-2015-2710, CVE-2015-2713, CVE-2015-2716
May 13 2015
Impact: Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 31.7

:fear:

AplusWebMaster
2015-05-30, 13:55
FYI... iPhone "Text msg" bug

If Messages quits unexpectedly after you get a text with a specific string of characters
- https://support.apple.com/en-us/HT204897
Last Modified: May 29, 2015
"Apple is aware of an iMessage issue caused by a specific series of unicode characters and we will make a fix available in a software update. Until the update is available, you can use these steps to re-open the Messages app.
1. Ask Siri* to "read unread messages."
2. Use Siri to reply to the malicious message. After you reply, you'll be able to open Messages again.
3. If the issue continues, tap and hold the malicious message, tap More, and delete the message from the thread."

About Siri
* https://support.apple.com/en-us/HT204389
Last Modified: Apr 15, 2015
___

- http://www.idownloadblog.com/2015/05/28/apple-publishes-temporary-fix-for-messages-issue-says-software-update-coming-soon/
"... the company will be releasing a fix via a software update soon, presumably along iOS 8.4, which is still in beta stage."

:fear::fear:

AplusWebMaster
2015-06-17, 18:14
FYI...

Adblock Plus 1.9 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-19-for-chrome-opera-and-safari-released
2015-06-16
Install Adblock Plus 1.9 for Chrome
Install Adblock Plus 1.9 for Opera
Install Adblock Plus 1.9 for Safari (Safari 6 or higher required)
>> Changes:
Fixed: Placeholders weren’t hidden for elements that were blocked by an URL given in the srcset attribute (issue 2634).
Exception rules with protocol don’t imply the $document flag anymore (issue 2503).
Changed the label for the share buttons to reflect the functionality more accurately (issue 2202).
Implemented an alternative format for subscription links (issue 2212).
Fixed some issues with the “Block element” dialog:
Fixed some issues with element highlighting (issue 2077, issue 2209).
Fixed some issues with dragging the dialog (issue 2100, issue 2173, issue 2194).
Fixed issues with how the context menu interacted with other parts of the user interface (issue 2279, issue 2298).
The page no longer freezes when selecting an element that would result in a lot of other elements being blocked as well (issue 2215).
Performance improvements:
Mitigated the effect of slow request blocking filters (issue 2177).
Determine whether a page or frame is whitelisted more efficiently by only matching exception rules (issue 2132).
Moved code not crucial to blocking requests out of the critical path, decreasing load times (issue 2505).
> Chrome/Opera-only changes
Changed the way Adblock Plus stores persistent data such as setting and filter lists, replacing localStorage and the deprecated FileSystem API with chrome.storage (issue 2021, issue 2040).
Run content scripts in anonymous frames again, in order to block ads more reliably (issue 2216, issue 2217).
Worked around a Chromium bug that caused corruption of the page layout when using the feedback dialog on Google Mail and other Google websites (issue 2602).
Fixed element hiding filters using CSS selectors with commas inside quoted text (issue 2467).
Don’t assume Chromium-specific user agent string, fixing issues when using --user-agent switch, or running on a different platform (issue 2537).
Performance improvements:
Flush caches after filter changes only when absolutely necessary and respect the browser’s quotas (issue 2034, issue 2297).
Improved the performance of CSS selector injection, slightly decreasing page load time, in particular on pages with many frames and/or many active element hiding filters (issue 2528).
Avoid calling into JavaScript when processing headers when loading other resources than documents and frames (issue 2538).
Got rid of some try..catch statements which prevent functions from being optimized (issue 2658, issue 2569).
Avoid iteration over a hash-table which prevents functions from being optimized, slightly improving performance of element hiding filter matching (issue 2582).
> Chrome-only changes
Added a pre-configurable preference to suppress the first run page (issue 1488).
> Opera-only changes
Fixed: Spanish translation wasn’t being used (issue 2665).
> Safari-only changes
Restored compatibility with Safari 6 (issue 2172).

:fear::fear:

AplusWebMaster
2015-06-22, 04:34
FYI...

- http://it.slashdot.org/story/15/06/20/027237/secunia-drops-public-listing-of-vulnerabilities
June 19, 2015 - "Secunia just announced on a forum post* that they will no longer provide public access to advisories newer than 9 months. According to Secunia they, "frequently encounter organizations engaged in wrongful use of Secunia Advisories" and that VIM customers, "have full access to all advisories." While Secunia is under no obligation to provide their aggregated vulnerabilities they've been doing it for over 10 years. The information they provide is primarily from public sources."

* https://secunia.com/community/forum/thread/show/15400
19th Jun, 2015 - "We have decided to make advisories more recent than nine months unavailable on secunia.com . The decision was made to avoid abuse of the advisories for commercial use, and because we frequently encounter organizations engaged in wrongful use of Secunia Advisories. Our advisories are made available for personal use only, and commercial use is prohibited.
Users who wish to make commercial use of our vulnerability intelligence must subscribe to our vulnerability management solution, the Secunia Vulnerability Intelligence Manager (Secunia VIM: - http://secunia.com/vulnerability_intelligence/ ). Users of the Secunia VIM have full access to all advisories and are able to analyse all the latest advisories in chronological order as well as proactive alerting the moment they have been released. Private users who have created a Secunia community profile ( http://secunia.com/community/profile/ ), can access advisories less than 9 months old using the search engine ( http://secunia.com/community/advisories/search/ ). We are aware that the search on the community pages is not working optimally and are working to fix that shortly.
Stay Secure,
Kasper Lindgaard, Director of Research and Security"

.

AplusWebMaster
2015-07-01, 15:03
FYI...

> https://support.apple.com/en-us/HT201222

iOS 8.4 released
- https://support.apple.com/en-us/HT204941
Jun 30, 2015
- http://www.securitytracker.com/id/1032761
CVE Reference: CVE-2015-3722, CVE-2015-3723, CVE-2015-3724, CVE-2015-3725, CVE-2015-3726, CVE-2015-3728
Jul 1 2015
Impact: Denial of service via network, Execution of arbitrary code via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 8.4...
___

QuickTime 7.7.7 released
- https://support.apple.com/en-us/HT204947
Jun 30, 2015
- http://www.securitytracker.com/id/1032756
CVE Reference: CVE-2015-3661, CVE-2015-3662, CVE-2015-3663, CVE-2015-3664, CVE-2015-3665, CVE-2015-3666, CVE-2015-3667, CVE-2015-3668, CVE-2015-3669
Jul 1 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7.7.7 ...
Download: https://www.apple.com/quicktime/download/
"QuickTime 7.7.7 for Windows Vista or Windows 7"
Alternate download site: http://www.majorgeeks.com/files/details/quicktime.html
Author: Apple, Inc.
Date: 07/01/2015 06:34 AM
Size: 39.9 MB
License: Freeware
Requires: Win 10/8/7/Vista
___

Safari 8.0.7, 7.1.7, 6.2.7
- https://support.apple.com/en-us/HT204950
Jun 30, 2015
- http://www.securitytracker.com/id/1032754
CVE Reference: CVE-2015-3658, CVE-2015-3659, CVE-2015-3660, CVE-2015-3727
Jun 30 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 6.2.7, 7.1.7, 8.0.7 ...
___

Security Update 2015-005 - OS X Yosemite v10.10.4
- https://support.apple.com/en-us/HT204942
Jun 30, 2015
- http://www.securitytracker.com/id/1032759
CVE Reference: CVE-2015-4000
Jul 1 2015
Impact: Modification of authentication information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.10 to 10.10.3 ...
Solution: The vendor has issued a fix (10.10.4, Security Update 2015-005)...
- http://www.securitytracker.com/id/1032760
CVE Reference: CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130, CVE-2015-3671, CVE-2015-3672, CVE-2015-3673, CVE-2015-3674, CVE-2015-3675, CVE-2015-3676, CVE-2015-3677, CVE-2015-3678, CVE-2015-3679, CVE-2015-3680, CVE-2015-3681, CVE-2015-3682, CVE-2015-3683, CVE-2015-3684, CVE-2015-3685, CVE-2015-3686, CVE-2015-3687, CVE-2015-3688, CVE-2015-3689, CVE-2015-3690, CVE-2015-3691, CVE-2015-3694, CVE-2015-3695, CVE-2015-3696, CVE-2015-3697, CVE-2015-3698, CVE-2015-3699, CVE-2015-3700, CVE-2015-3701, CVE-2015-3702, CVE-2015-3703, CVE-2015-3704, CVE-2015-3705, CVE-2015-3706, CVE-2015-3707, CVE-2015-3708, CVE-2015-3709, CVE-2015-3710, CVE-2015-3711, CVE-2015-3712, CVE-2015-3714, CVE-2015-3715, CVE-2015-3716, CVE-2015-3717, CVE-2015-3718, CVE-2015-3719, CVE-2015-3721
Jul 1 2015
Impact: Disclosure of system information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.8.5, 10.9.5, 10.10 to 10.10.3 ...
Solution: The vendor has issued a fix (10.10.4, Security Update 2015-005)...
___

Security Update 2015-001 - Mac EFI
- https://support.apple.com/en-us/HT204934
Jun 30, 2015
- http://www.securitytracker.com/id/1032755
CVE Reference: CVE-2015-3693
Jun 30 2015
Impact: Root access via local system, User access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.8.5, 10.9.5, 10.10 to 10.10.3 ...
Solution: The vendor has issued a fix (Security Update 2015-001, OS X 10.10.4).
___

iTunes 12.2 for Windows
- https://support.apple.com/en-us/HT204949
Jul 1, 2015

- https://www.apple.com/itunes/download/
___

- http://net-security.org/secworld.php?id=18577
01 July 2015 - "... The OS X update contains fixes for 77 vulnerabilities, many of which can be exploited by attackers to gain admin or root privilege, crash applications, perform unauthenticated access to the system, execute arbitrary code, intercept network traffic, and so on. It also includes fixes for vulnerabilities in the Mac EFI (Extensible Firmware Interface), one of which could allow a malicious app with root privileges to modify EFI flash memory when it resumes from sleep states...
The iOS security update contains fixes for a slew of vulnerabilities that could lead to unexpected application termination or arbitrary code execution just by making the users open or the OS process a malicious crafted PDF, text, font or .tiff file.
The 'Logjam bug' in coreTLS that could be exploited by an attacker with a privileged network position to SSL/TLS connections has also been plugged, as have two vulnerabilities discovered by FireEye researchers, which could allow attackers to deploy two new kinds of Masque Attack and prevent iOS and Watch apps from launching..."

> http://lists.apple.com/archives/security-announce/2015/Jun/index.html#00005

:fear::fear:

AplusWebMaster
2015-07-03, 18:13
FYI...

Thunderbird 38.1 released

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird38.1
Fixed in Thunderbird 38.1
2015-71 NSS incorrectly permits skipping of ServerKeyExchange
2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites
2015-67 Key pinning is ignored when overridable errors are encountered
2015-66 Vulnerabilities found through code inspection
2015-63 Use-after-free in Content Policy due to microtask execution error
2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)

Download:
- https://www.mozilla.org/en-US/thunderbird/all/
___

- http://www.securitytracker.com/id/1032784
CVE Reference: CVE-2015-2721, CVE-2015-2722, CVE-2015-2724, CVE-2015-2725, CVE-2015-2726, CVE-2015-2731, CVE-2015-2733, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739, CVE-2015-2740, CVE-2015-2741, CVE-2015-4000
Jul 3 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 38.0 and prior ...
Solution: The vendor has issued a fix (38.1)...
___

Thunderbird 38.2

Download: https://www.mozilla.org/en-US/thunderbird/all/

- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird38.2
Aug 11, 2015
Fixed in Thunderbird 38.2
Vulnerabilities found through code inspection
2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images
2015-85 Out-of-bounds write with Updater and malicious MAR file
2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links
2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)

:fear:

AplusWebMaster
2015-07-15, 21:59
FYI...

Adblock Plus 1.9.1 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-191-for-chrome-opera-and-safari-released
2015-07-14
Install Adblock Plus 1.9.1 for Chrome
Install Adblock Plus 1.9.1 for Opera
Install Adblock Plus 1.9.1 for Safari (Safari 6 or higher required)
Changes:
- Added global opt-out for notifications (issue 2195).
- Immediately show notifications after they were downloaded (issue 2419).
- Reduced delay of initial download of notifications (issue 2659).
- Fixed: Notification data was reset when pages load during extension initialization (issue 2757).

:fear:

AplusWebMaster
2015-07-24, 05:28
FYI...

WordPress 4.2.3 released
- https://wordpress.org/news/2015/07/wordpress-4-2-3/
July 23, 2015 - "WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site... WordPress 4.2.3 also contains fixes for 20 bugs from 4.2..."

Release notes
- https://codex.wordpress.org/Version_4.2.3

Change log
- https://core.trac.wordpress.org/log/branches/4.2?rev=33382&stop_rev=32430

Download
- https://wordpress.org/download/

- https://www.us-cert.gov/ncas/current-activity/2015/07/23/WordPress-Releases-Security-Update
July 23, 2015
___

- http://www.securitytracker.com/id/1033037
CVE Reference: CVE-2015-5622, CVE-2015-5623
Jul 23 2015
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 4.2.2 and prior...
Solution: The vendor has issued a fix (4.2.3).

:fear::fear:

AplusWebMaster
2015-07-29, 19:05
FYI...

Adblock Plus 2.6.10 for Firefox released
- https://adblockplus.org/releases/adblock-plus-2610-for-firefox-released
2015-07-28 - "This is a quality and stability release, with the focus being compatibility with upcoming Firefox versions. Most of the changes are under the hood, only the visible changes are listed:
• suppress_first_run_page preference introduced by previous release can now be preconfigured by machine administrators via setting extensions.adblockplus.preconfigured.suppress_first_run_page Firefox preference (issue 2439).
• Issue reporter
Made sure there is always enough space to display report data (issue 344).
No longer intercepting right-clicks on the resulting report link, only left- and middle-clicks result in the report being opened (issue 701).
• Subscription links
Implemented an alternative format that is easier to use in forums or emails: https ://subscribe.adblockplus .org/?location=foo instead of abp:subscribe?location=foo (issue 2211).
• Fixed subscription links in multi-process Firefox (issue 1730)
• Notifications
Added global opt-out for notifications (issue 2192 and issue 2193).
Notifications are shown immediately after download rather than waiting for a browser restart (issue 2419).
• Removed inconsistent behavior (breaks backwards compatibility): exception rules starting with http:// or https:// no longer imply $document option (issue 2503).
• Reduced the initial delay for filter lists and notification updates after browser startup (issue 284 and issue 2659).
• First-run page: Fixed social buttons being broken starting with Firefox 38 (issue 2710)...

:fear::fear:

AplusWebMaster
2015-08-04, 20:36
FYI...

WordPress 4.2.4 released
- https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/
Aug 4, 2015 - "WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site..."

Release notes
- https://codex.wordpress.org/Version_4.2.4

Download
- https://wordpress.org/download/

- https://www.us-cert.gov/ncas/current-activity/2015/08/04/WordPress-Releases-Security-Update
Aug 04, 2015

Hardening WordPress: https://codex.wordpress.org/Hardening_WordPress
___

- http://www.securitytracker.com/id/1033178
CVE Reference: CVE-2015-2213, CVE-2015-5730, CVE-2015-5731, CVE-2015-5732, CVE-2015-5733, CVE-2015-5734
Aug 4 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 4.2.3 and prior versions...
Solution: The vendor has issued a fix (4.2.4)...

:fear::fear:

AplusWebMaster
2015-08-14, 02:49
FYI....

> https://support.apple.com/en-us/HT201222

iOS 8.4.1
- https://support.apple.com/en-us/HT205030
13 Aug 2015 - iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Update the iOS software on your iPhone, iPad, and iPod touch
> https://support.apple.com/en-us/HT204204
Last Modified: Aug 12, 2015
- http://www.securitytracker.com/id/1033275
CVE Reference: CVE-2015-3756, CVE-2015-3758, CVE-2015-3759, CVE-2015-3763, CVE-2015-3766, CVE-2015-3768, CVE-2015-3776, CVE-2015-3778, CVE-2015-3782, CVE-2015-3784, CVE-2015-3793, CVE-2015-3795, CVE-2015-3796, CVE-2015-3797, CVE-2015-3798, CVE-2015-3800, CVE-2015-3802, CVE-2015-3803, CVE-2015-3804, CVE-2015-3805, CVE-2015-3806, CVE-2015-3807, CVE-2015-5746, CVE-2015-5749, CVE-2015-5752, CVE-2015-5755, CVE-2015-5756, CVE-2015-5757, CVE-2015-5758, CVE-2015-5759, CVE-2015-5761, CVE-2015-5766, CVE-2015-5769, CVE-2015-5770, CVE-2015-5773, CVE-2015-5774, CVE-2015-5775, CVE-2015-5776, CVE-2015-5777, CVE-2015-5778, CVE-2015-5781, CVE-2015-5782
Aug 14 2015
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 8.4.1...
Solution: The vendor has issued a fix (8.4.1).

OS X Server v4.1.5
- https://support.apple.com/en-us/HT205032
13 Aug 2015 - BIND: Available for: OS X Yosemite v10.10.5 or later. CVE-2015-5477

OS X Yosemite 10.10.5 and Security Update 2015-006
- https://support.apple.com/en-us/HT205031
13 Aug 2015 - Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4
- http://www.securitytracker.com/id/1033276
CVE Reference: CVE-2014-7844, CVE-2015-3757, CVE-2015-3760, CVE-2015-3761, CVE-2015-3762, CVE-2015-3764, CVE-2015-3765, CVE-2015-3767, CVE-2015-3769, CVE-2015-3770, CVE-2015-3771, CVE-2015-3772, CVE-2015-3773, CVE-2015-3774, CVE-2015-3775, CVE-2015-3777, CVE-2015-3779, CVE-2015-3780, CVE-2015-3781, CVE-2015-3783, CVE-2015-3786, CVE-2015-3787, CVE-2015-3788, CVE-2015-3789, CVE-2015-3790, CVE-2015-3791, CVE-2015-3792, CVE-2015-3794, CVE-2015-3799, CVE-2015-5747, CVE-2015-5748, CVE-2015-5750, CVE-2015-5751, CVE-2015-5753, CVE-2015-5754, CVE-2015-5763, CVE-2015-5768, CVE-2015-5771, CVE-2015-5772, CVE-2015-5779, CVE-2015-5783, CVE-2015-5784
Aug 14 2015
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.10 - 10.10.4...
Solution: The vendor has issued a fix (10.10.5, Security Update 2015-006).

Safari 8.0.8, 7.1.8, 6.2.8
- https://support.apple.com/en-us/HT205033
13 Aug 2015 - Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.4
- http://www.securitytracker.com/id/1033274
CVE Reference: CVE-2015-3729, CVE-2015-3730, CVE-2015-3731, CVE-2015-3732, CVE-2015-3733, CVE-2015-3734, CVE-2015-3735, CVE-2015-3736, CVE-2015-3737, CVE-2015-3738, CVE-2015-3739, CVE-2015-3740, CVE-2015-3741, CVE-2015-3742, CVE-2015-3743, CVE-2015-3744, CVE-2015-3745, CVE-2015-3746, CVE-2015-3747, CVE-2015-3748, CVE-2015-3749, CVE-2015-3750, CVE-2015-3751, CVE-2015-3752, CVE-2015-3753, CVE-2015-3754, CVE-2015-3755
Aug 13 2015
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 6.2.8, 7.1.8, 8.0.8...
Solution: The vendor has issued a fix (6.2.8, 7.1.8, 8.0.8).

:fear::fear:

AplusWebMaster
2015-08-21, 16:39
FYI...

QuickTime 7.7.8 released
- https://support.apple.com/en-us/HT205046
Aug 18, 2015

- https://lists.apple.com/archives/security-announce/2015/Aug/msg00004.html
20 Aug 2015

- https://support.apple.com/en-us/HT201222

Download
- https://www.apple.com/quicktime/download/
QuickTime 7.7.8 for Windows Vista or Windows 7

... -or- use "Apple Software Update".
___

- http://www.securitytracker.com/id/1033346
CVE Reference: CVE-2015-5785, CVE-2015-5786
Aug 21 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7.7.8...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (7.7.8)...

- https://www.us-cert.gov/ncas/current-activity/2015/08/20/Apple-Releases-Security-Update-QuickTime
Aug 20, 2015

:fear:

AplusWebMaster
2015-09-08, 18:30
FYI...

Adblock -Browser- for Android -or- iOS
- https://adblockplus.org/releases/adblock-browser-10-for-android-and-ios-released
2015-09-08 - "... we’ve been working hard on Adblock Browser for Android and iOS over the past few months... today is the day where we release it on -both- platforms..."

> Install Adblock Browser for Android or iOS
___

- http://www.theinquirer.net/inquirer/news/2425002/adblock-plus-browser-comes-to-android-and-iphone-users-ahead-of-ios-9-release
Sep 08 2015 - "... There was some speculation that Adblock Plus was being blocked by Google, according to some sources yesterday, but it later emerged that it was a fault in the source code of Chromium itself*. Blocking advertising remains controversial. So-called 'malvertising' is on the increase, and the 'right' to block is important to many people, but many companies depend on advertising revenue to monetise their sites and will look down on this move."
* http://www.theinquirer.net/inquirer/news/2424871/google-starts-blocking-the-ad-blockers-in-youtube-on-chrome

> https://www.youtube.com/watch?v=8Mnh3KevyAY

:wink:

AplusWebMaster
2015-09-16, 05:29
FYI...

WordPress 4.3.1 Security and Maintenance Release
- https://wordpress.org/news/2015/09/wordpress-4-3-1/
Sep 15, 2015 - "WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.
• WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags (CVE-2015-5714). Reported by Shahar Tal and Netanel Rubin of Check Point.
• A separate cross-site scripting vulnerability was found in the user list table. Reported by Ben Bidner of the WordPress security team.
• Finally, in certain cases, users without proper permissions could publish private posts and make them sticky (CVE-2015-5715). Reported by Shahar Tal and Netanel Rubin of Check Point.
Our thanks to those who have practiced responsible disclosure of security issues.
WordPress 4.3.1 also fixes twenty-six bugs..."

Download WordPress 4.3.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.3.1.
> https://wordpress.org/download/

Release notes
> https://codex.wordpress.org/Version_4.3.1

List of changes
> https://core.trac.wordpress.org/log/branches/4.3/?rev=34199&stop_rev=33647
___

- https://www.us-cert.gov/ncas/current-activity/2015/09/15/WordPress-Releases-Security-Update
Sep 15, 2015

:fear::fear:

AplusWebMaster
2015-09-16, 22:22
FYI...

> https://support.apple.com/en-us/HT201222

iOS 9 released
- https://support.apple.com/en-us/HT205212
Sep 16, 2015 - "... Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later..."
APPLE-SA-2015-09-16-1 iOS 9
- https://lists.apple.com/archives/security-announce/2015/Sep/msg00001.html

- http://www.securitytracker.com/id/1033609
CVE Reference: CVE-2015-3801, CVE-2015-5764, CVE-2015-5765, CVE-2015-5767, CVE-2015-5788, CVE-2015-5789, CVE-2015-5790, CVE-2015-5791, CVE-2015-5792, CVE-2015-5793, CVE-2015-5794, CVE-2015-5795, CVE-2015-5796, CVE-2015-5797, CVE-2015-5799, CVE-2015-5800, CVE-2015-5801, CVE-2015-5802, CVE-2015-5803, CVE-2015-5804, CVE-2015-5805, CVE-2015-5806, CVE-2015-5807, CVE-2015-5809, CVE-2015-5810, CVE-2015-5811, CVE-2015-5812, CVE-2015-5813, CVE-2015-5814, CVE-2015-5816, CVE-2015-5817, CVE-2015-5818, CVE-2015-5819, CVE-2015-5820, CVE-2015-5821, CVE-2015-5822, CVE-2015-5823, CVE-2015-5824, CVE-2015-5825, CVE-2015-5826, CVE-2015-5827, CVE-2015-5829, CVE-2015-5831, CVE-2015-5832, CVE-2015-5834, CVE-2015-5835, CVE-2015-5837, CVE-2015-5838, CVE-2015-5839, CVE-2015-5840, CVE-2015-5841, CVE-2015-5842, CVE-2015-5843, CVE-2015-5844, CVE-2015-5845, CVE-2015-5846, CVE-2015-5847, CVE-2015-5848, CVE-2015-5850, CVE-2015-5851, CVE-2015-5855, CVE-2015-5856, CVE-2015-5857, CVE-2015-5858, CVE-2015-5860, CVE-2015-5861, CVE-2015-5862, CVE-2015-5863, CVE-2015-5867, CVE-2015-5868, CVE-2015-5869, CVE-2015-5874, CVE-2015-5876, CVE-2015-5879, CVE-2015-5880, CVE-2015-5882, CVE-2015-5885, CVE-2015-5892, CVE-2015-5895, CVE-2015-5896, CVE-2015-5898, CVE-2015-5899, CVE-2015-5903, CVE-2015-5904, CVE-2015-5905, CVE-2015-5906, CVE-2015-5907, CVE-2015-5912, CVE-2015-5916, CVE-2015-5921
Sep 18 2015
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.0...
Solution: The vendor has issued a fix (9.0)...
___

Xcode 7.0 released
- https://support.apple.com/en-us/HT205217
Sep 16, 2015 - "Available for: OS X Yosemite v10.10.4 or later..."
APPLE-SA-2015-09-16-2 Xcode 7.0
- https://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html

- http://www.securitytracker.com/id/1033596
CVE Reference: CVE-2015-5909, CVE-2015-5910
Sep 17 2015
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes Vendor Confirmed: Yes...
Solution: The vendor has issued a fix (7.0).
___

iTunes 12.3 released
- https://support.apple.com/en-us/HT205221
Sep 16, 2015 - "Available for: Windows 7 and later..."
APPLE-SA-2015-09-16-3 iTunes 12.3
- https://lists.apple.com/archives/security-announce/2015/Sep/msg00003.html
___

OS X Server v5.0.3
- https://support.apple.com/en-us/HT205219
Sep 16, 2015 - "Available for: OS X Yosemite v10.10.5 or later..."
APPLE-SA-2015-09-16-4 OS X Server 5.0.3
- https://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html

- http://www.securitytracker.com/id/1033595
CVE Reference: CVE-2015-5911
Sep 17 2015
Impact: Not specified
Fix Available: Yes Vendor Confirmed: Yes...
Solution: The vendor has issued a fix (OS X Server 5.0.3)...
___

- https://www.us-cert.gov/ncas/current-activity/2015/09/16/Apple-Releases-Security-Updates-OS-X-Server-iTunes-Xcode-and-iOS
Sep 16, 2015
___

iOS 9, thoroughly reviewed
- http://arstechnica.com/apple/2015/09/ios-9-thoroughly-reviewed/
Sep 16, 2015

Apple users face issues upgrading to iOS 9 ...
- http://www.reuters.com/article/2015/09/16/us-apple-watch-ios-idUSKCN0RG2I720150916
Sep 16, 2015 - "Apple Inc customers were facing issues while upgrading to iOS 9, which was released on Wednesday, technology blog 9to5Mac* reported..."

* http://9to5mac.com/2015/09/16/ios-9-update-issues/
Sep 16, 2015 - "... several readers are reporting issues with updating to the new operating system. Developers using the iOS 9 GM seed released last week are also able to update to today’s release over-the-air, although the same error message is impacting those users... Other users are still seeing the previous iOS 8.4.1 version and unable to attempt to update just yet... As with any major release, the best troubleshooting solution is likely being patient and letting Apple’s servers catch up. In the meantime, some but not all users are reporting some success with updating using iTunes."

Apple customers report devices crash on iOS 9 update
- http://www.reuters.com/article/2015/09/18/us-apple-update-ios-idUSKCN0RI05P20150918
Sep 18, 2015 - "A significant number of Apple Inc customers are reporting their mobile devices have crashed after attempting to upload the new iOS 9 operating system, the latest in a line of launch glitches for the tech giant. Twitter and other social media were awash with disgruntled customers reporting two distinct faults, with one appearing to be linked specifically to older models of Apple iPhones and iPads... One group of users reported that iOS 9 upgrade would fail after several minutes, requiring them to start the process over. Many posted screen shots of the error message they received: "Software Update Failed". That problem was likely caused by servers that were overloaded when too many people tried to download the upgrade simultaneously... McKay and Brown said they always advised clients to wait several days before downloading any new upgrades from Apple, Google Inc or Microsoft Corp to make sure any glitches had been found and ironed out..."

:fear::fear:

AplusWebMaster
2015-09-24, 00:15
FYI...

Adblock Plus 1.5 for IE released
- https://adblockplus.org/releases/adblock-plus-15-for-ie-released
2015-09-22 - "... This release includes improvements for Large scale deployments. Here’s the list of changes since the last release:
Fixed: Some ads weren’t hidden (Issue 2055).
Fixed: Some Yahoo pages weren’t shown correctly in IE8 (Issue 1115).
New, improved icon (Issue 1538).
Fixed icon clipping on high DPI (Issue 176).
Fixed altering positions in IE8 (Issue 711).
Ensured the installer is capable of closing Internet Explorer in all cases (Issue 1686).
Fixed some issues with the enabling/disabling of ad blocking (Issue 1201, Issue 1104).
Support of notifications (Issue 1109).
More small fixes.
A complete list of changes can be found here*..."
* https://issues.adblockplus.org/query?milestone=Adblock-Plus-for-Internet-Explorer-1.5

:fear:

AplusWebMaster
2015-10-01, 12:52
FYI...

> https://support.apple.com/en-us/HT201222

iOS 9.0.2 released
- https://support.apple.com/en-us/HT205284
Sep 30, 2015 - "... Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later..."
APPLE-SA-2015-09-30-01 iOS 9.0.2
- https://lists.apple.com/archives/security-announce/2015/Sep/msg00006.html

- http://www.securitytracker.com/id/1033687
CVE Reference: CVE-2015-5923
Oct 1 2015
Impact: Disclosure of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.0.2...
Impact: A physically local user can obtain photos and contacts from a locked device.
Solution: The vendor has issued a fix (9.0.2)...
___

Safari 9 released
- https://support.apple.com/en-us/HT205265
"... Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5 and OS X El Capitan v10.11..."
APPLE-SA-2015-09-30-2 Safari 9
- https://lists.apple.com/archives/security-announce/2015/Sep/msg00007.html
30 Sep 2015

- http://www.securitytracker.com/id/1033688
CVE Reference: CVE-2015-5780, CVE-2015-5828
Oct 1 2015
Impact: Modification of system information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.0...
Impact: A remote user can cause a Safari extension to be silently replaced on the target user's system.
A remote user can return an HTTP redirect to the target connected plug-in without detection by the plugin.
Solution: The vendor has issued a fix (9.0)...
___

OS X El Capitan v10.11 released
- https://support.apple.com/en-us/HT205267
Sep 30, 2015 - "Available for: Mac OS X v10.6.8 and later..."
APPLE-SA-2015-09-30-3 OS X El Capitan 10.11
- https://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html

- http://www.securitytracker.com/id/1033703
CVE Reference: CVE-2013-3951, CVE-2014-9709, CVE-2015-3330, CVE-2015-3414, CVE-2015-3415, CVE-2015-3416, CVE-2015-3785, CVE-2015-5522, CVE-2015-5523, CVE-2015-5830, CVE-2015-5833, CVE-2015-5836, CVE-2015-5849, CVE-2015-5853, CVE-2015-5854, CVE-2015-5864, CVE-2015-5865, CVE-2015-5866, CVE-2015-5870, CVE-2015-5871, CVE-2015-5872, CVE-2015-5873, CVE-2015-5875, CVE-2015-5877, CVE-2015-5878, CVE-2015-5881, CVE-2015-5883, CVE-2015-5884, CVE-2015-5887, CVE-2015-5888, CVE-2015-5889, CVE-2015-5890, CVE-2015-5891, CVE-2015-5893, CVE-2015-5894, CVE-2015-5897, CVE-2015-5900, CVE-2015-5901, CVE-2015-5902, CVE-2015-5913, CVE-2015-5914, CVE-2015-5915, CVE-2015-5917, CVE-2015-5922
Oct 1 2015
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 10.11 ...
Solution: The vendor has issued a fix (10.11)...
___

- https://www.us-cert.gov/ncas/current-activity/2015/09/30/Apple-Releases-Security-Updates-OS-X-El-Capitan-Safari-and-iOS
Sep 30, 2015

:fear::fear::fear:

AplusWebMaster
2015-10-17, 15:12
FYI...

> https://support.apple.com/en-us/HT201222

Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6
- https://support.apple.com/en-us/HT205373
Oct 15, 2015

Keynote 6.6
- http://www.securitytracker.com/id/1033823
CVE Reference: CVE-2015-7032, CVE-2015-7033
Oct 16 2015
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes ...
Solution: The vendor has issued a fix (6.6).

Pages 5.6
- http://www.securitytracker.com/id/1033821
CVE Reference: CVE-2015-7034
Oct 16 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes ...
Solution: The vendor has issued a fix (5.6).
- http://www.securitytracker.com/id/1033826
CVE Reference: CVE-2015-7032, CVE-2015-7033
Oct 16 2015
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes ...
Solution: The vendor has issued a fix (5.6).

Numbers 3.6
- http://www.securitytracker.com/id/1033825
CVE Reference: CVE-2015-7032, CVE-2015-7033
Oct 16 2015
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Solution: The vendor has issued a fix (3.6).
___

- https://www.us-cert.gov/ncas/current-activity/2015/10/15/Apple-Releases-Security-Updates-Keynote-Pages-and-Numbers
Oct 15, 2015 - "... Available updates include:
Keynote 6.6, Pages 5.6, and Numbers 3.6 for OS X Yosemite v10.10.4 or later
Keynote 6.6, Pages 5.6, and Numbers 3.6 for iOS v8.4 or later ..."

:fear:

AplusWebMaster
2015-10-22, 05:03
FYI...

> https://support.apple.com/en-us/HT201222

iOS 9.1
- https://support.apple.com/en-us/HT205370
Oct 21, 2015 - "Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later. Impact: Visiting a maliciously crafted website may lead to arbitrary code execution..."
- http://www.securitytracker.com/id/1033931
CVE Reference: CVE-2015-7010, CVE-2015-7018
Oct 22 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.1 ...

Safari 9.0.1
- https://support.apple.com/en-us/HT205377
Oct 21, 2015 - "Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5 and OS X El Capitan v10.11. Impact: Visiting a maliciously crafted website may lead to arbitrary code execution..."
- http://www.securitytracker.com/id/1033939
CVE Reference: CVE-2015-5931, CVE-2015-7011, CVE-2015-7013
Oct 22 2015
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.0.1

iTunes 12.3.1
- https://support.apple.com/en-us/HT205372
Oct 21, 2015 - "Available for: Windows 7 and later. Impact: A man-in-the-middle attack while browsing the iTunes Store via iTunes may result in unexpected application termination or arbitrary code execution..."

Mac EFI Security Update 2015-002
- https://support.apple.com/en-us/HT205317
Oct 21, 2015 - "Available for: OS X Mavericks v10.9.5. Impact: An attacker can exercise unused EFI functions..."

OS X Server 5.0.15
- https://support.apple.com/en-us/HT205376
Oct 21, 2015 - "BIND: Available for: OS X Yosemite 10.10.5, OS X El Capitan 10.11.1 or later
Impact: Multiple vulnerabilities in BIND
Description: Multiple vulnerabilities existed in BIND versions prior to 9.9.7-P3, one of which may have allowed a remote attacker to cause a denial of service. These issues were addressed by updating BIND to version 9.9.7-P3..."
- http://www.securitytracker.com/id/1033933
CVE Reference: CVE-2015-7031
Oct 22 2015
Impact: Host/resource access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): OS X Server prior to 5.0.15 ...

OS X El Capitan v10.11.1 and Security Update 2015-007
- https://support.apple.com/en-us/HT205375
Oct 21, 2015 - "Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan 10.11. Impact: Visiting a maliciously crafted website may lead to arbitrary code execution..."
- http://www.securitytracker.com/id/1033929
CVE Reference: CVE-2015-5924, CVE-2015-5925, CVE-2015-5926, CVE-2015-5927, CVE-2015-5928, CVE-2015-5929, CVE-2015-5930, CVE-2015-5935, CVE-2015-5936, CVE-2015-5937, CVE-2015-5939, CVE-2015-5940, CVE-2015-5942, CVE-2015-6974, CVE-2015-6975, CVE-2015-6976, CVE-2015-6977, CVE-2015-6978, CVE-2015-6979, CVE-2015-6981, CVE-2015-6982, CVE-2015-6983, CVE-2015-6986, CVE-2015-6988, CVE-2015-6989, CVE-2015-6990, CVE-2015-6991, CVE-2015-6992, CVE-2015-6993, CVE-2015-6994, CVE-2015-6995, CVE-2015-6996, CVE-2015-6997, CVE-2015-6999, CVE-2015-7000, CVE-2015-7002, CVE-2015-7004, CVE-2015-7005, CVE-2015-7006, CVE-2015-7008, CVE-2015-7009, CVE-2015-7012, CVE-2015-7014, CVE-2015-7015, CVE-2015-7017, CVE-2015-7022, CVE-2015-7023
Oct 22 2015
Impact: Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.9.5, 10.10.5, 10.11 ...

Xcode 7.1
- https://support.apple.com/en-us/HT205379
Oct 21, 2015 - "Available for: OS X Yosemite v10.10.5 or later. Impact: Swift programs performing certain type conversions may receive unexpected values. Description: A type conversion issue existed that could lead to conversions returning unexpected values. This issue was addressed through improved type checking..."
- http://www.securitytracker.com/id/1033930
CVE Reference: CVE-2015-7030
Oct 22 2015
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 7.1R22.1, 7.4, 8.0R11, 8.1R3 ...

watchOS 2.0.1
- https://support.apple.com/en-us/HT205378
Oct 21, 2015 - "Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes. Impact: Some cards may allow a terminal to retrieve limited recent transaction information when making a payment. Description: The transaction log functionality was enabled in certain configurations. This issue was addressed by removing the transaction log functionality. This update additionally addresses the issue for Apple Watches manufactured with watchOS 2..."
___

> https://www.us-cert.gov/ncas/current-activity/2015/10/21/Apple-Releases-Multiple-Security-Updates
Oct 21, 2015

:fear::fear::fear:

AplusWebMaster
2015-11-25, 14:28
FYI...

Adblock Plus 2.6.12 for Firefox released
- https://adblockplus.org/releases/adblock-plus-2612-for-firefox-released
2015-11-24
Changes:
Added $generichide and $genericblock filter options (issue 647, issue 616).
Improved first-run display on small screens, especially on mobile devices (issue 2018).
Fixed: Findbar in Filter Preferences is being triggered when trying to edit filters (issue 3129, issue 3144).
Fixed: Ctrl+F wasn’t working as expected when the findbar was already open (issue 2580).
Fixed: Filter composer’s “Advanced view” button was broken in Firefox nightly builds (issue 3263).
Fixed: Anti-Adblock warning shouldn’t show up when Adblock Plus is disabled (issue 3254).
Fixed: Anti-Adblock warning shouldn’t be triggered by frames (issue 3253).

Adblock Plus 2.6.13 for Firefox released
- https://adblockplus.org/releases/adblock-plus-2613-for-firefox-released
2015-11-25 - "... an upcoming change that will break Adblock Plus in Firefox nightly builds. However, at that point we didn’t know the scope of the issue and didn’t have a simple solution. Turned out, Adblock Plus isn’t merely broken itself but breaks the browser’s user interface as well. Luckily, Nils Maier provided us with a simple work-around for the issue, so we could push out a new release quickly."
___

Adblock Plus 1.9.4 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-194-for-chrome-opera-and-safari-release
2015-11-24
This update contains the new $generichide and $genericblock filter options and some bug fixes.
Changes:
Fixed: Anti-Adblock warning was being triggered by frames in some cases (issue 3238).
Fixed: Key-based whitelisting was ignored for element collapsing (issue 3170).
Fixed how the “Block element” feature deals with attributes containing null character (issue 3163).
Added support for new $generichide and $genericblock filter options (issue 616, 647).
Improved first-run page display on small screens (issue 2018).

:fear:

AplusWebMaster
2015-11-27, 23:08
FYI...

Thunderbird 38.4 released

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla.org/en-US/thunderbird/38.4.0/releasenotes/
Nov 23, 2015

Fixed in Thunderbird 38.4
- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird38.4
2015-133 NSS and NSPR memory corruption issues
2015-132 Mixed content WebSocket policy bypass through workers
2015-131 Vulnerabilities found through code inspection
2015-128 Memory corruption in libjar through zip files
2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received
2015-123 Buffer overflow during image interactions in canvas
2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy
2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)

- https://www.mozilla.org/en-US/thunderbird/releases/

Download:
- https://www.mozilla.org/en-US/thunderbird/all/
___

- http://www.securitytracker.com/id/1034260
CVE Reference: CVE-2015-4513, CVE-2015-7189, CVE-2015-7193, CVE-2015-7197, CVE-2015-7198, CVE-2015-7199, CVE-2015-7200
Nov 26 2015
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Thunderbird version 38.4.0 ...

:fear:

AplusWebMaster
2015-12-08, 22:23
FYI...

> https://support.apple.com/en-us/HT201222

iOS 9.2
- https://support.apple.com/en-us/HT205635
Dec 8, 2015 - "Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later..."
- http://www.securitytracker.com/id/1034348
CVE Reference: CVE-2015-7037, CVE-2015-7051, CVE-2015-7055, CVE-2015-7069, CVE-2015-7070, CVE-2015-7072, CVE-2015-7079, CVE-2015-7080, CVE-2015-7093, CVE-2015-7113
Dec 9 2015
Impact: Disclosure of system information, Disclosure of user information, Modification of system information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.2 ...

Safari 9.0.2
- https://support.apple.com/en-us/HT205639
Dec 8, 2015 - "Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1 ..."
- http://www.securitytracker.com/id/1034341
CVE Reference: CVE-2015-7048, CVE-2015-7050, CVE-2015-7095, CVE-2015-7096, CVE-2015-7097, CVE-2015-7098, CVE-2015-7099, CVE-2015-7100, CVE-2015-7101, CVE-2015-7102, CVE-2015-7103, CVE-2015-7104
Dec 9 2015
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.0.2 ...

OS X El Capitan 10.11.2 and Security Update 2015-008
- https://support.apple.com/en-us/HT205637
Dec 8, 2015 - "Available for: OS X El Capitan v10.11 and v10.11.1
Impact: Multiple vulnerabilities in PHP
Description: Multiple vulnerabilities existed in PHP versions prior to 5.5.29, the most serious of which may have led to remote code execution. These were addressed by updating PHP to version 5.5.30..."
- http://www.securitytracker.com/id/1034344
CVE Reference: CVE-2012-1147, CVE-2012-1148, CVE-2015-5333, CVE-2015-5334, CVE-2015-7001, CVE-2015-7038, CVE-2015-7039, CVE-2015-7040, CVE-2015-7041, CVE-2015-7042, CVE-2015-7043, CVE-2015-7044, CVE-2015-7045, CVE-2015-7046, CVE-2015-7047, CVE-2015-7052, CVE-2015-7053, CVE-2015-7054, CVE-2015-7058, CVE-2015-7059, CVE-2015-7060, CVE-2015-7061, CVE-2015-7062, CVE-2015-7063, CVE-2015-7064, CVE-2015-7065, CVE-2015-7066, CVE-2015-7067, CVE-2015-7068, CVE-2015-7071, CVE-2015-7073, CVE-2015-7074, CVE-2015-7075, CVE-2015-7076, CVE-2015-7077, CVE-2015-7078, CVE-2015-7081, CVE-2015-7083, CVE-2015-7084, CVE-2015-7094, CVE-2015-7105, CVE-2015-7106, CVE-2015-7107, CVE-2015-7108, CVE-2015-7109, CVE-2015-7110, CVE-2015-7111, CVE-2015-7112
Dec 9 2015
Impact: Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Root access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes ...
Solution: The vendor has issued a fix.

Xcode 7.2
- https://support.apple.com/en-us/HT205642
Dec 8, 2015 - "Available for: OS X Yosemite v10.10.5 or later..."
- http://www.securitytracker.com/id/1034340
CVE Reference: CVE-2015-7049, CVE-2015-7056, CVE-2015-7057, CVE-2015-7082
Dec 9 2015
Impact: Execution of arbitrary code via local system, User access via local system
Fix Available: Yes Vendor Confirmed: Yes ...
Solution: The vendor has issued a fix (7.2).

tvOS 9.1
- https://support.apple.com/en-us/HT205640
Dec 8, 2015 - "Available for: Apple TV (4th generation)..."

watchOS 2.1
- https://support.apple.com/en-us/HT205641
Dec 8, 2015 - "Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes..."
___

- https://www.us-cert.gov/ncas/current-activity/2015/12/08/Apple-Releases-Multiple-Security-Updates
Dec 08, 2015

:fear::fear:

AplusWebMaster
2015-12-10, 00:19
FYI...

WordPress 4.4 update breaks itself with SSL certificate problem...
- http://myonlinesecurity.co.uk/wordpress-4-4-update-breaks-itself-with-ssl-certificate-problem-unable-to-get-local-issuer-certificate/
Dec 9, 2015 - "WordPress 4.4 has just been released and it is highly recommended to update. BUT it is -broken- on many servers. The update will go OK -but- it will also update the SSL certificate bundle that WordPress uses to update itself, the themes and plugins. The certificate bundle appears to be damaged-or-incorrect and stops any WP updates. You will get a message saying http_request_failed: “SSL certificate problem: unable to get local issuer certificate” whenever you try to do anything involving WordPress updates, updating or installing themes or plugins or using Jetpack features like stats or sharing etc. The error screen will look something like this. It doesn’t matter what plugin or theme you try to update. The error message will be similar:
>> http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/ssl-update-error.png
... found this post on WordPress support that does fix the problem. All my WP sites gave me the SSL warning until I used the certificate bundle from that post:
- https://wordpress.org/support/topic/cant-update-wordpress-ssl-certificate-problem-error14090086s
... until WordPress fixes/updates themselves, you should manually do this yourself...
WordPress could send out a hotfix of some sort now to make this update... - Derek"
___

WordPress hosting service WP Engine has been hacked
- http://www.theinquirer.net/inquirer/news/2438804/wordpress-hosting-service-wp-engine-has-been-hacked
Dec 10 2015

- https://wpengine.com/support/infosec/
Security Update: "Update 12/13/2015 1:00pm Central: WP Engine continues to work around the clock and as part of the ongoing investigation, our security team has begun to work with an additional security consultant in addition to our third-party cyber security firm in order to objectively accelerate the investigation. We will continue to post updates here as they become available..."

:fear::fear:

AplusWebMaster
2015-12-15, 21:48
FYI...

Adblock Plus 2.7 for Firefox released
- https://adblockplus.org/releases/adblock-plus-27-for-firefox-released
2015-12-15 - "... In order to support multiple processes properly we had to implement massive changes to the core functionality of Adblock Plus. These changes should have almost no visible effect other than improved performance however.
Visible changes:
- If pop-ups are blocked after the redirect, the pop-up window will actually be closed and not merely prevented from loading (issue 443).
- The diagnostic page under chrome://adblockplus/content/errors.html has been removed, it was of very limited use (issue 3357).
Known issues:
- Element hiding functionality isn’t working on Mac OS X when multi-process mode is enabled (bug 1187099). Given the lack of progress on Mozilla’s side, we will have to come up with some work-around later on.
- Issue reporter doesn’t create screenshots when multi-process mode is enabled (issue 3375). To be addressed in the next release.
- “Unsafe CPOW usage” warnings will still show up in Error Console sometimes when multi-process mode is enabled, most prominently when using the list of blockable items (issue 3407). To be addressed in the next release.
- Selection in the list of blockable items isn’t remembered reliably when multi-process mode is enabled (issue 3259). To be addressed in the next release."

:fear::fear:

AplusWebMaster
2015-12-26, 18:15
FYI...

Thunderbird 38.5 released

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla.org/en-US/thunderbird/38.5.0/releasenotes/
Dec 23, 2015

Fixed in Thunderbird 38.5
- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird38.5
2015-149 Cross-site reading attack through data and view-source URIs
2015-146 Integer overflow in MP4 playback in 64-bit versions
2015-145 Underflow through code inspection
2015-139 Integer overflow allocating extremely large textures
2015-134 Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)

- https://www.mozilla.org/en-US/thunderbird/releases/

Download:
- https://www.mozilla.org/en-US/thunderbird/all/
___

Version 38.5.1
- https://www.mozilla.org/en-US/thunderbird/38.5.1/releasenotes/
Jan 7, 2016

What’s New:
Changed: Use a SHA-256 signing certificate for Windows builds, to meet new signing requirements
Known Issues:
unresolved: Windows XP SP2 will no longer install Thunderbird (workaround: Install Thunderbird 38.5.0 then update)

:fear:

AplusWebMaster
2016-01-07, 05:40
FYI...

WordPress 4.4.1 Security and Maintenance Release
- https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
Jan 6, 2016 - "WordPress 4.4.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised... There were also several non-security bug fixes..."

- https://wordpress.org/download/

> https://www.us-cert.gov/ncas/current-activity/2016/01/06/WordPress-Releases-Security-Update
Jan 6, 2016
___

- http://www.securitytracker.com/id/1034622
CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
Jan 8 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 4.4.1 ...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.4.1)...

:fear::fear:

AplusWebMaster
2016-01-08, 13:22
FYI...

QuickTime 7.7.9 released
- https://support.apple.com/en-us/HT205638
Jan 7, 2016

Download:
- https://www.apple.com/quicktime/download/
... for Windows Vista or Windows 7
___

- http://www.securitytracker.com/id/1034610
CVE Reference: CVE-2015-7085, CVE-2015-7086, CVE-2015-7087, CVE-2015-7088, CVE-2015-7089, CVE-2015-7090, CVE-2015-7091, CVE-2015-7092, CVE-2015-7117
Jan 8 2016
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7.7.9 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (7.7.9)...
___

... fails to install plug-in on Firefox - unless this procedure is followed:

1. Download QT 7.7.9 from:
> https://www.apple.com/quicktime/download/
... save download where you want.
2. Double-click the .exe file.
3. Choose "Custom" install.
4. See "Optional Quicktime Features" and choose "QuickTime Web Plugin" (eliminate the red-x).
5. Choose "Next" and the upgrade/install should complete OK. If you don't do this in the recommended sequence, it will -fail- to install the plug-in for Firefox - likely other browsers, too.

:fear:

AplusWebMaster
2016-01-19, 22:33
FYI...

Adblock Plus 2.7.1 for Firefox released
- https://adblockplus.org/releases/adblock-plus-271-for-firefox-released
2016-01-19
"With this release Adblock Plus becomes fully compatible with the upcoming multi-process mode in Firefox, it no longer relies on backwards compatibility hacks in Firefox (issue 3259, issue 3407, issue 3449, issue 3465, issue 3486, issue 3494). This also means that the screenshot functionality in Issue Reporter is fully functional now (issue 3375), and also quite fast (issue 3504).
- Additional changes:
Improved performance: patterns.ini was being saved way more often than necessary (issue 3473).
$ping filter option is back and will especially apply to requests sent via navigator.sendBeacon() (issue 3452).
Requests produced by <img srcset> and <picture> will be assigned type image (issue 3459).
Requests produced by the Fetch API will be assigned type xmlhttprequest (issue 3459).
genericblock and generichide types will no longer show up in the filter assistant (issue 3478).
Removed non-standard JavaScript syntax, which caused warnings in Firefox Aurora and Nightly builds (issue 1434, issue 3418, issue 3421, issue 3502, issue 3505).
Fixed: Previously disabled and removed filter is still disabled when added back (issue 3451).
- Regressions fixed:
As the previous release changed Adblock Plus quite drastically, it inevitably introduced some issues. As far as we know, all of these have been resolved:
Pop-up blocking doesn’t catch redirects to a different domain (issue 3458).
Issue Reporter gets stuck if filter subscriptions need updating (issue 3461, issue 3464).
Screenshot marker in Issue Reporter is no longer red (issue 3503).
Fixed image preview in Blockable Items tooltip (issue 3491).
- Known issues:
Element hiding functionality isn’t working on Mac OS X when multi-process mode is enabled (bug 1187099). Mozilla is working on this..."

:fear::fear:

AplusWebMaster
2016-01-20, 06:55
FYI...

- https://support.apple.com/en-us/HT201222

iOS 9.2.1 released
- https://support.apple.com/en-us/HT205732
Jan 14, 2016 - "Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later.."
- http://www.securitytracker.com/id/1034737
CVE Reference: CVE-2016-1723, CVE-2016-1724, CVE-2016-1725, CVE-2016-1726, CVE-2016-1727, CVE-2016-1728, CVE-2016-1730
Jan 20 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.2.1
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can read and write cookies on the target user's system.
Solution: The vendor has issued a fix (9.2.1)...

Safari 9.0.3 released
- https://support.apple.com/en-us/HT205730
Jan 15, 2016 - "Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.2..."

OS X El Capitan 10.11.3 and Security Update 2016-001
- https://support.apple.com/en-us/HT205731
Jan 19, 2016
- http://www.securitytracker.com/id/1034736
CVE Reference: CVE-2015-7995, CVE-2016-1716, CVE-2016-1717, CVE-2016-1718, CVE-2016-1719, CVE-2016-1720, CVE-2016-1721, CVE-2016-1722, CVE-2016-1729
Jan 20 2016
Impact: A local user can obtain kernel-level or root privileges on the target system.
Solution: The vendor has issued a fix (10.11.3; Security Update 2016-001).
___

- https://www.us-cert.gov/ncas/current-activity/2016/01/19/Apple-Releases-Security-Updates-iOS-OS-X-El-Capitan-and-Safari
Jan 19, 2016

:fear::fear::fear:

AplusWebMaster
2016-02-02, 23:01
FYI...

WordPress 4.4.2 - Security and Maintenance Release
- https://wordpress.org/news/
Feb 2, 2016 - "WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.4.1 and earlier are affected by two security issues: a possible XSS for certain local URIs... and an open redirection attack...
In addition to the security issues above, WordPress 4.4.2 fixes 17 bugs from 4.4 and 4.4.1. For more information, see the release notes or consult the list of changes..."

Release notes
- https://codex.wordpress.org/Version_4.4.2

List of changes
- https://core.trac.wordpress.org/query?milestone=4.4.2

Download
- https://wordpress.org/download/

- https://www.us-cert.gov/ncas/current-activity/2016/02/02/WordPress-Releases-Security-Update
Feb 02, 2016
___

- http://www.securitytracker.com/id/1034933
CVE Reference: CVE-2016-2221, CVE-2016-2222
Feb 4 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 4.4.2 ...
Impact: A remote user can take actions on the target system acting as the target authenticated user.
A remote user can cause the target user's browser to be redirected to an arbitrary web site.
Solution: The vendor has issued a fix (4.4.2)...

:fear::fear:

AplusWebMaster
2016-02-05, 00:42
FYI...

Adblock Plus 1.10.1 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-1101-for-chrome-opera-and-safari-released
2016-02-03 - "This is an emergency bugfix release, fixing a regression that was introduced in the previous release and broke compatibility with Chrome 37, Opera 24, and earlier versions (issue 3580)...
Install Adblock Plus 1.10.1 for Chrome
Install Adblock Plus 1.10.1 for Opera
Install Adblock Plus 1.10.1 for Safari (Safari 6 or higher required)...

Besides that and some changes under the hood, this release fixes the following minor bugs:
Subscription links caused the options page to be opened twice (issue 3153).
The “Block element” option wasn’t shown in icon popup while page was loading (issue 3472)."

:fear::fear:

AplusWebMaster
2016-02-24, 01:41
FYI...

Adblock Plus 2.7.2 for Firefox released
- https://adblockplus.org/releases/adblock-plus-272-for-firefox-released
2016-02-23
Install Adblock Plus 2.7.2 for Firefox
"This release works around some obscure Firefox bugs which Adblock Plus has been triggering since Adblock Plus 2.7 release (visible for example as issue 3489, issue 3541, bug 1127744).
Additional changes
Closed a pop-up blocking loophole misused by some websites (issue 3568).
Fixed tooltip display for very long filters (issue 1950)."

:fear:

AplusWebMaster
2016-03-06, 01:02
FYI...

Apple confirms OS X update broke Ethernet port on some Macs, here’s how to fix ...
- http://9to5mac.com/2016/02/28/apple-confirms-os-x-update-broke-ethernet-port-on-some-macs-heres-how-to-fix/
"... Read the -full- steps on Apple’s Support Site* and take care not to delete anything but the file in question. If you don’t mind losing data, it may be simpler to use Recovery Mode to just Reinstall OS X. This will fix the problem when OS X is started afresh, but obviously has the big downside of deleting other data. Make sure you have recent -backups- in any case."
* https://support.apple.com/en-us/HT205956
Last Modified: Mar 4, 2016

:fear::fear:

AplusWebMaster
2016-03-07, 20:50
FYI...

WordPress plugin backdoor
- https://www.helpnetsecurity.com/2016/03/07/popular-wordpress-plugin-opens-backdoor-steals-user-credentials/
Mar 7, 2016 - "If you are one of the 10,000+ users of the 'Custom Content Type Manager (CCTM)' WordPress plugin, consider your site to be compromised and proceed to clean your installation up, Sucuri Security researchers have warned. After finding “a very suspicious auto-update.php file inside wp-content/plugins/custom-content-type-manager/ during the cleanup on an -infected- WP site, the researchers have begun digging, and discovered that:
• The file in question is a backdoor that can download additional files from a third-party domain, and save them in the plugin directory
• The CCTM plugin has been available for download from the official WP Plugin Directory for around three years, but hasn’t been updated in the last 10 months. But, some two weeks ago, a new developer (“wooranker”) started -adding- “small tweeks by new owner” and “bug fixes”... Users who want to keep using the plugin are advised to revert to using version 0.9.8.6 and to -disable- automatic plugin updates."
> https://blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html
Updated Mar 7, 2016
(More detail at both URLs above.)

:fear::fear:

AplusWebMaster
2016-03-10, 02:47
FYI...

Adblock Plus 1.11 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-111-for-chrome-opera-and-safari-released
2016-03-08
Install Adblock Plus 1.11 for Chrome
Install Adblock Plus 1.11 for Opera
Install Adblock Plus 1.11 for Safari (Safari 6 or higher required)
"This release features the new developer tools panel which shows blockable items along with applied filters, and provides an easy way to create new filters for these items, on Chrome and Opera. Another big change in this release: The “Block element” dialog is no longer injected into the page, but opened as a popup on Chrome and Opera, and as a new tab on Safari. This solved a couple issues, most notably a way that allowed websites to reliably detect whether Adblock Plus is installed..."

:fear::fear:

AplusWebMaster
2016-03-16, 18:51
FYI...

Thunderbird 45.0
- https://www.mozilla.org/en-US/thunderbird/45.0/releasenotes/
Apr 12, 2016
What’s New:
- Add a Correspondents column combining Sender and Recipient
- Much better support for XMPP chatrooms and commands.
- Implement option to always use HTML formatting to prevent unexpected format loss when converting messages to plain text.
- Use OpenStreetmap for maps (even allow the user to choose from list of map services)
- Allow spell checking and dictionary selection in the subject line
- Add dropdown in compose to allow specific setting of font size.
- Return/Enter in composer will now insert a new paragraph by default (shift-Enter will insert a line break)
- Mail.ru supports OAuth authentication.
- Improved options for remote content exceptions (but previous settings based on the sender's email address are not migrated, so these need to be added again by users).
- Allow editing of From when composing a message.
- Allow copying of name and email address from the message header of an email
Fixed:
- When sending e-mail which was composed using Chinese, Japanese or Korean characters, unwanted extra spaces were inserted within the text.
- XMPP had connection problems for users with large rosters
- Spell checker checked spelling in invisible HTML parts of the message.
- When saving a draft that is edited as new message, original draft was overwritten.
- External images not displayed in reply/forward
- Properly preserve pre-formatted blocks in message replies.
- Crashed in some cases while parsing IMAP messages.
- Copy/paste from a plain text editor lost white-space (multiple spaces/blanks, tabs, newlines)
- "Open Draft"/"Forward"/"Edit As New"/"Reply" created message composition with incorrect character encoding.
- Grouped By view sort direction change was broken, plus enabled custom column grouping.
- New emails into a mailbox did not adhere to sort order by received.
- Box.com attachments failed to upload.
- Drag and drop of multiple attachments failed to OS file folder.
Known Issues:
- unresolved - Outlook and Eudora import non-functional.

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird45
Fixed in Thunderbird 45
... fixes dtd. March 8, 2016 ?

> https://www.mozilla.org/en-US/thunderbird/releases/
___

Thunderbird v38.7 released
- https://www.mozilla.org/en-US/thunderbird/38.7.0/releasenotes/
March 14, 2016
Fixed: Various security fixes*
* https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird38.7
Fixed in Thunderbird 38.7
2016-37 Font vulnerabilities in the Graphite 2 library
2016-35 Buffer overflow during ASN.1 decoding in NSS
2016-34 Out-of-bounds read in HTML parser following a failed allocation
2016-31 Memory corruption with malicious NPAPI plugin
2016-27 Use-after-free during XML transformations
2016-24 Use-after-free in SetBody
2016-23 Use-after-free in HTML5 string parser
2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
2016-17 Local file overwriting and potential privilege escalation through CSP reports
2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)

... 60 bugs found.
> http://preview.tinyurl.com/jhljn2x

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/en-US/thunderbird/all/

- https://www.mozilla.org/en-US/thunderbird/releases/
___

Thunderbird 38.7.1
- https://www.mozilla.org/en-US/thunderbird/38.7.1/releasenotes/
Mar 25, 2016
> Disabled Graphite font shaping library

:fear::fear:

AplusWebMaster
2016-03-22, 02:40
FYI...

Do NOT install iOS 9.3 on your iPad 2 - Upgrade bricks slabs
> http://www.theregister.co.uk/2016/03/23/ios_93_update_bricks_ipad_2s/
23 Mar 2016 at 20:30

... iPad 2 (GSM model) after you update to iOS 9.3
>> https://support.apple.com/en-us/HT206214
Mar 25, 2016 Mar 28, 2016

> https://support.apple.com/en-us/HT206203
Mar 25, 2016 Mar 28, 2016 Mar 29, 2016

- https://apple.slashdot.org/story/16/03/29/156214/clicking-on-links-in-ios-93-can-crash-your-iphone-and-ipad
Mar 29, 2016 - "Many users are experiencing an issue with their iPhone and iPad wherein trying to open a link on Safari, Mail, Chrome or any other app causes it to freeze and crash*. The issue renders any type of search with Safari as useless as none of the links returned will open. The wide-spread issue - for which there's no-known-workaround just yet - seems to be affecting users on both iOS 9.2 and iOS 9.3. Apple has acknowledged the issue and says it will release a fix "soon." There's no official word on what's causing the issue, but a popular theory with developers is that the glitch has something to do with Universal Links, a feature Apple first introduced with iOS 9. It appears some apps, such as Booking .com, are abusing this capability, causing the Universal Link database to overload."
* https://discussions.apple.com/thread/7505840?start=765&tstart=0
___

- https://support.apple.com/en-us/HT201222

iOS 9.3 released
- https://support.apple.com/en-us/HT206166
21 Mar 2016 - "Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later..."
- http://www.securitytracker.com/id/1035353
CVE Reference: CVE-2015-8659, CVE-2016-0801, CVE-2016-0802, CVE-2016-1734, CVE-2016-1740, CVE-2016-1748, CVE-2016-1750, CVE-2016-1751, CVE-2016-1752, CVE-2016-1753, CVE-2016-1754, CVE-2016-1755, CVE-2016-1756, CVE-2016-1757, CVE-2016-1758, CVE-2016-1760, CVE-2016-1761, CVE-2016-1762, CVE-2016-1763, CVE-2016-1766, CVE-2016-1775, CVE-2016-1778, CVE-2016-1779, CVE-2016-1780, CVE-2016-1781, CVE-2016-1782, CVE-2016-1783, CVE-2016-1784, CVE-2016-1785, CVE-2016-1786, CVE-2016-1788
Mar 22 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.3 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote or local user can obtain potentially sensitive information on the target system.
An application can obtain elevated privileges on the target system.
An application can bypass security controls on the target system.
Solution: The vendor has issued a fix (9.3)...

Safari 9.1
- https://support.apple.com/en-us/HT206171
21 Mar 2016 - "Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.3..."
- http://www.securitytracker.com/id/1035354
CVE Reference: CVE-2009-2197, CVE-2016-1771, CVE-2016-1772
Mar 22 2016
Impact: A remote user can cause denial of service conditions on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof the user interface.
Solution: The vendor has issued a fix (9.1)...

OS X El Capitan v10.11.4 and Security Update 2016-002
- https://support.apple.com/en-us/HT206167
21 Mar 2016 - "Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3..."
- http://www.securitytracker.com/id/1035363
CVE Reference: CVE-2016-1732, CVE-2016-1733, CVE-2016-1735, CVE-2016-1736, CVE-2016-1737, CVE-2016-1738, CVE-2016-1741, CVE-2016-1743, CVE-2016-1744, CVE-2016-1745, CVE-2016-1746, CVE-2016-1747, CVE-2016-1749, CVE-2016-1764, CVE-2016-1767, CVE-2016-1768, CVE-2016-1769, CVE-2016-1770, CVE-2016-1773
Mar 22 2016
Fix Available: Yes Vendor Confirmed: Yes
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A local or remote user can obtain potentially sensitive information on the target system.
A local user can obtain elevated privileges on the target system.
Solution: The vendor has issued a fix (10.11.4, Security Update 2016-002)...

OS X Server 5.1
- https://support.apple.com/en-us/HT206173
21 Mar 2016 - "Available for: OS X Yosemite v10.10.5 and later..."
- http://www.securitytracker.com/id/1035342
CVE Reference: CVE-2016-1774, CVE-2016-1776, CVE-2016-1777, CVE-2016-1787
Mar 22 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): OS X Server prior to 5.1; OS X 10.10.5 and after...
Impact: A local user can obtain privileged files on the target system.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (OS X Server 5.1)...

Xcode 7.3
- https://support.apple.com/en-us/HT206172
21 Mar 2016 - "Available for: OS X El Capitan v10.11 and later..."
- http://www.securitytracker.com/id/1035352
CVE Reference: CVE-2016-1765
Mar 22 2016
Fix Available: Yes Vendor Confirmed: Yes
Impact: A local user can obtain elevated privileges on the target system.
Solution: The vendor has issued a fix (7.3)...

tvOS 9.2
- https://support.apple.com/en-us/HT206169
21 Mar 2016 - "Available for: Apple TV (4th generation)..."

watchOS 2.2
- https://support.apple.com/en-us/HT206168
21 Mar 2016 - "Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes..."

Apple Software Update 2.2
- https://support.apple.com/en-us/HT206091
Mar 10, 2016 - "Available for: Windows 7 and later..."
___

iOS 9.3
> https://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
watchOS 2.2
> https://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html
tvOS 9.2
> https://lists.apple.com/archives/security-announce/2016/Mar/msg00002.html
Xcode 7.3
> https://lists.apple.com/archives/security-announce/2016/Mar/msg00003.html
OS X El Capitan 10.11.4 and Security Update 2016-002
> https://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
Safari 9.1
> https://lists.apple.com/archives/security-announce/2016/Mar/msg00005.html
OS X Server 5.1
> https://lists.apple.com/archives/security-announce/2016/Mar/msg00006.html
___

- https://www.us-cert.gov/ncas/current-activity/2016/03/21/Apple-Releases-Multiple-Security-Updates
March 21, 2016

:fear::fear:

AplusWebMaster
2016-04-05, 23:11
FYI...

- https://support.apple.com/en-us/HT201222

iOS 9.3.1 released
- https://support.apple.com/en-us/HT206225
Last Modified: Mar 31, 2016 - "iOS 9.3.1 includes the security content of iOS 9.3."

> https://lists.apple.com/archives/security-announce/2016/Mar/index.html
??

- http://www.theinquirer.net/inquirer/news/2453423/ios-931-flaw-lets-anyone-access-a-locked-iphones-contacts-and-photos
Apr 05 2016 - "... AFTER releasing iOS 9.3.1 to fix the link-crashing glitch plaguing iPhones and iPads, a bug has been spotted in the update that allows -anyone- to access photos and contacts on a locked device. A YouTube video (below) shows the vulnerability in action and reveals that all a hacker needs to pilfer contacts from a passcode-locked iPhone 6S or 6S Plus is access to Siri and 3D Touch... there -is- a way to keep your iPhone's information safe should it fall into the hands of a hacker... Siri can carry out the command in question only if given permission to access Twitter account information, as well as contacts and photos. To -revoke- these permissions, head to:
Settings > Privacy and switch -off- Siri's access to Twitter and Photos. To stop it accessing your contacts, you'll need to -disable- Siri's lock screen activation by heading to Settings > Touch ID & Passcode."
(See Video 0:49 at the URL above.)
___

iBooks Author 2.4.1
- https://support.apple.com/en-us/HT206224
Last Modified: Mar 31, 2016
CVE-2016-1789

> https://lists.apple.com/archives/security-announce/2016/Mar/msg00008.html

- https://www.us-cert.gov/ncas/current-activity/2016/04/01/Apple-Releases-Security-Update
Apr 1, 2016
___

APPLE-SA-2016-03-28-1 OS X: Flash Player plug-in blocked
- https://lists.apple.com/archives/security-announce/2016/Mar/msg00007.html
28 Mar 2016 - "Due to security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player 21.0.0.182 and 18.0.0.333. Information on blocked web plug-ins will be posted to:
- http://support.apple.com/en-us/HT202681 "
Last Modified: Mar 18, 2016

:fear::fear:

AplusWebMaster
2016-04-13, 14:39
FYI...

WordPress 4.5 released
- https://wordpress.org/news/
April 12, 2016

Release notes
- https://codex.wordpress.org/Version_4.5

Changelog/4.5
- https://codex.wordpress.org/Changelog/4.5

List of changes
- https://core.trac.wordpress.org/query?milestone=4.5
Results: 550

Download
- https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.5) is available in two formats from the links..."

:fear::fear:

AplusWebMaster
2016-04-15, 14:52
FYI...

Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced
- https://www.us-cert.gov/ncas/alerts/TA16-105A
April 14, 2016

> https://support.apple.com/en-us/HT205771
___

Apple is deprecating QuickTime for Windows
- http://blog.trendmicro.com/urgent-call-action-uninstall-quicktime-windows-today/
April 14, 2016 - "... Apple is deprecating QuickTime for Microsoft Windows. They will no longer be issuing security updates for the product on the Windows Platform and recommend users uninstall it. Note that this does not apply to QuickTime on Mac OSX... our Zero Day Initiative has just released two advisories ZDI-16-241 and ZDI-16-242 detailing two new, critical vulnerabilities affecting QuickTime for Windows..."
> http://zerodayinitiative.com/advisories/ZDI-16-241/
> http://zerodayinitiative.com/advisories/ZDI-16-242/

- http://www.securitytracker.com/id/1035579
Apr 15 2016
___

- https://support.apple.com/en-us/HT201175
Apr 20, 2016 - "QuickTime 7 for Windows is no longer supported by Apple... All current Windows web browsers support video without the need for browser plug-ins. If you no longer need QuickTime 7 on your PC, follow the instructions for uninstalling QuickTime 7 for Windows*."
* https://support.apple.com/kb/HT205771

:fear::fear:

AplusWebMaster
2016-04-27, 12:27
FYI...

WordPress 4.5.1 released
- https://wordpress.org/news/
April 26, 2016 - "... immediate availability of WordPress 4.5.1, a maintenance release. This release fixes 12 bugs, chief among them a singular class issue that broke sites based on the Twenty Eleven theme, an incompatibility between certain Chrome versions and the visual editor, and an Imagick bug that could break media uploads. This maintenance release fixes a total of 12 bugs in Version 4.5. For more information, see the release notes* or consult the list of changes**..."

Release notes
* https://codex.wordpress.org/Version_4.5.1

Change log
** https://core.trac.wordpress.org/log/branches/4.5?rev=37295&stop_rev=37182

Download
> https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.5.1) is available..."

:fear::fear:

AplusWebMaster
2016-04-28, 22:58
FYI...

Adblock Plus 2.7.3 for Firefox released
- https://adblockplus.org/releases/adblock-plus-273-for-firefox-released
2016-04-27
Install Adblock Plus 2.7.3 for Firefox
This release adds support for the experimental CSS properties syntax to Adblock Plus for Firefox (issue 2401, issue 3955). This support isn’t complete yet, most important issue being that hits are not counted for CSS properties filters (issue 3969).
Additional changes
Fixed issues that Adblock Plus could potentially cause on Firefox startup (issue 2850).
Some first-run page optimizations (issue 2668, issue 1292, issue 3736, issue 3814).
Cleaned up internal messaging approach (issue 3499, issue 3851, issue 3853)...

:fear:

AplusWebMaster
2016-05-07, 13:33
FYI...

WordPress 4.5.2 Security Release
- https://wordpress.org/news/2016/05/wordpress-4-5-2/
May 6, 2016 - "WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues..."

Release notes
- https://codex.wordpress.org/Version_4.5.2

Changelog
- https://codex.wordpress.org/Version_4.5.2

Download
> https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.5.2) is available..."
___

- http://www.securitytracker.com/id/1035818
CVE Reference: CVE-2016-4566, CVE-2016-4567
May 10 2016
Version(s): 4.5.1 and prior ...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.5.2)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/05/09/WordPress-Releases-Security-Updates
May 09, 2016

:fear::fear:

AplusWebMaster
2016-05-13, 15:37
FYI...

7-Zip v16.00 released
> http://www.7-zip.org/
Download 7-Zip 16.00 (2016-05-10) for Windows:
Link | Type | Windows | Size
Download | .exe | 32-bit x86 | 1 MB
Download | .exe | 64-bit x64 | 1 MB

> https://sourceforge.net/p/sevenzip/discussion/45797/thread/a8fd6078/
___

- http://www.securitytracker.com/id/1035876
CVE Reference: CVE-2016-2334, CVE-2016-2335
May 12 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 16.00 ...
The original advisory is available at:
> http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
Impact: A remote user can create a file that, when loaded by the target application, will execute arbitrary code on the target system.
Solution: The vendor has issued a fix (16.00)...

:fear::fear:

AplusWebMaster
2016-05-17, 21:59
FYI...

- https://support.apple.com/en-us/HT201222

iOS 9.3.2 update appears to be bricking iPads
- http://www.theregister.co.uk/2016/05/17/apple_bricks_ipads/
17 May 2016 - "... Reports of borked iPads emerged on Twitter thanks reportedly to a hardware issue requiring users to possibly restore their devices or contact support... Users have Tweeted* to Apple Support (@AppleSupport) with complaints their iPads -cannot- be restored through iTunes..."
* https://twitter.com/AppleSupport/with_replies
___

iOS 9.3.2
- https://support.apple.com/en-us/HT206568
Last Modified: May 23, 2016 - "Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later..."
> http://www.securitytracker.com/id/1035890
CVE Reference: CVE-2016-1790, CVE-2016-1801, CVE-2016-1802, CVE-2016-1803, CVE-2016-1807, CVE-2016-1808, CVE-2016-1811, CVE-2016-1813, CVE-2016-1814, CVE-2016-1817, CVE-2016-1818, CVE-2016-1819, CVE-2016-1823, CVE-2016-1824, CVE-2016-1827, CVE-2016-1828, CVE-2016-1829, CVE-2016-1830, CVE-2016-1831, CVE-2016-1832, CVE-2016-1833, CVE-2016-1834, CVE-2016-1835, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, CVE-2016-1840, CVE-2016-1841, CVE-2016-1842, CVE-2016-1847, CVE-2016-1852
May 17 2016
Version(s): prior to 9.3.2 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can cause the target system to crash.
A remote or local user can obtain potentially sensitive information on the target system.
A remote user can gain elevated privileges on the target system.
Solution: The vendor has issued a fix (9.3.2)...
___

iTunes 12.4
- https://support.apple.com/en-us/HT206379
May 16, 2016 - "Available for: Windows 7 and later..."
> http://www.securitytracker.com/id/1035887
CVE Reference: CVE-2016-1742
May 17 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 12.4 ...
Impact: A local user can obtain elevated privileges on the target system.
Solution: The vendor has issued a fix (12.4)...
___

Safari 9.1.1
- https://support.apple.com/en-us/HT206565
May 16, 2016 - "Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.5..."
> http://www.securitytracker.com/id/1035888
CVE Reference: CVE-2016-1849, CVE-2016-1854, CVE-2016-1855, CVE-2016-1856, CVE-2016-1857, CVE-2016-1858, CVE-2016-1859
May 17 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.1.1 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (9.1.1)...
___

OS X El Capitan v10.11.5 and Security Update 2016-003
- https://support.apple.com/en-us/HT206567
May 16, 2016
> http://www.securitytracker.com/id/1035895
CVE Reference: CVE-2016-1791, CVE-2016-1792, CVE-2016-1793, CVE-2016-1794, CVE-2016-1795, CVE-2016-1796, CVE-2016-1797, CVE-2016-1798, CVE-2016-1799, CVE-2016-1800, CVE-2016-1804, CVE-2016-1805, CVE-2016-1806, CVE-2016-1809, CVE-2016-1810, CVE-2016-1812, CVE-2016-1815, CVE-2016-1816, CVE-2016-1820, CVE-2016-1821, CVE-2016-1822, CVE-2016-1825, CVE-2016-1826, CVE-2016-1843, CVE-2016-1844, CVE-2016-1846, CVE-2016-1848, CVE-2016-1850, CVE-2016-1851, CVE-2016-1853
May 17 2016
Fix Available: Yes Vendor Confirmed: Yes
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote or local user can modify data on the target system.
A remote user can cause denial of service conditions.
A local user can obtain elevated privileges on the target system.
A remote user can gain elevated privileges on the target system.
Solution: The vendor has issued a fix (10.11.5 and Security Update 2016-003)...
___

tvOS 9.2.1
- https://support.apple.com/en-us/HT206564
May 16, 2016
> http://www.securitytracker.com/id/1035893
May 17 2016
___

watchOS 2.2.1
- https://support.apple.com/en-us/HT206566
May 16, 2016
> http://www.securitytracker.com/id/1035894
May 17 2016
___

- https://www.us-cert.gov/ncas/current-activity/2016/05/16/Apple-Releases-Multiple-Security-Updates
May 16, 2016

:fear::fear::fear:

AplusWebMaster
2016-05-19, 21:45
FYI...

Thunderbird 45.1.1 released
- https://www.mozilla.org/en-US/thunderbird/45.1.1/releasenotes/
May 31, 2016
What’s New:
Fixed: When entering members into a mailing list, the enter key dismissed the panel instead of just moving onto the next line
Fixed: Email without HTML elements was sent as HTML, despite "Delivery Format: Auto-detect" option
Fixed: Options applied to a template were lost when the template was used.
Fixed: Contacts could not be deleted when they were found through a search
Fixed: Views from global searches did not respect "mail.threadpane.use_correspondents"

- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/

> https://www.mozilla.org/en-US/thunderbird/releases/

>> https://www.mozilla.org/en-US/thunderbird/all/
___

Thunderbird 45.1.0 released
- https://www.mozilla.org/en-US/thunderbird/45.1.0/releasenotes/
May 10, 2016
What’s New
Fixed:
- Drag & Drop a contact name from Thunderbird address book (list view) to address box in a new message “compose” window failed.
- UI elements became larger when moused over on retina displays/monitor on Mac OS X
- Automatic correspondents column upgrade disabled
- DIGEST-MD5 authentication in JS-XMPP failed for some users (now disabled).
- Font indicator in compose falsely claimed certain fonts were not installed.
- Printing failed in composition window.
- Various security fixes*
- Various improvements in handling of message compose in paragraph mode.
* https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird45.1
Fixed in Thunderbird 45.1
2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)

> https://www.mozilla.org/en-US/thunderbird/releases/

>> https://www.mozilla.org/en-US/thunderbird/all/

:fear:

AplusWebMaster
2016-06-02, 16:04
FYI...

Adblock Plus 1.12 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-112-for-chrome-opera-and-safari-released
2016-06-01
Install Adblock Plus 1.12 for Chrome
Install Adblock Plus 1.12 for Opera
Install Adblock Plus 1.12 for Safari (Safari 6 or higher required)
This release features experimental Safari Content Blocking support. So if you’re on Safari 9, you can try out the new (faster) blocking mechanism now by enabling it in the options. But please read the announcement* first; as that feature is still experimental and Content Blockers have some limitations, there are some caveats. However, Content Blockers will eventually completely replace the old mechanism we relied on so far on Safari.
* https://adblockplus.org/development-builds/experimental-safari-content-blocking-support
There also have been some bug fixes and other improvements for all platforms which are listed below, and some changes under the hood which aren’t visible to the user.
Changes:
- Improved performance of element hiding, reducing page load times (issue 235, issue 4038, issue 4036).
- Fixed a regression, introduced with the previous release, which caused the Adblock Warning Removal List to not be added anymore (issue 3772).
- Prevent websites from circumventing element hiding by removing or disabling the stylesheet (issue 3699).
- Prevent websites from showing previously blocked elements (issue 3840).
Chrome/Opera-only changes:
- Added an option to hide the Adblock Plus developer tools panel (issue 3796).
- Prevent websites from tricking users into adding subscriptions by simulating clicks on abp:subscribe links (issue 3828).
- Worked around a Chrome bug that broke the feedback functionality on blogger.com (issue 2687).
- Administrators deploying Adblock Plus via group policy can now configure additional subscriptions (issue 3801).
- Starting with this release, there are unified builds for Chrome and Opera, using the exact same code on both browsers (issue 3760).
Safari-only changes:
- Added experimental support for Safari Content Blocking (see above, issue 3687).
- Fixed: Wrong domain was whitelisted by icon menu after navigating through the history (issue 3924)...

:fear::fear::fear:

AplusWebMaster
2016-06-22, 18:14
FYI...

Apple - AirPort Base Station - Firmware Update 7.6.7 and 7.7.7
- https://support.apple.com/en-us/HT206849
Jun 20, 2016

- http://www.securitytracker.com/id/1036136
CVE Reference: CVE-2015-7029
Jun 21 2016
Fix Available: Yes Vendor Confirmed: Yes ...
Impact: A remote user can execute arbitrary code on the target system.
Solution: The vendor has issued a fix (7.6.7, 7.7.7)...

- https://www.us-cert.gov/ncas/current-activity/2016/06/21/Apple-Releases-Security-Update
June 21, 2016

:fear:

AplusWebMaster
2016-06-22, 18:18
FYI...

WordPress 4.5.3 released
- https://wordpress.org/news/2016/06/wordpress-4-5-3/
"WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately... fixes 17 bugs from 4.5, 4.5.1 and 4.5.2"

Release notes
- https://codex.wordpress.org/Version_4.5.3
"On 21 June, 2016, WordPress 4.5.3 was released to the public."

Changelog
- https://codex.wordpress.org/Version_4.5.3

Download
> https://wordpress.org/download/
"The latest stable release of WordPress (Version 4.5.3) is available..."

> https://www.us-cert.gov/ncas/current-activity/2016/06/22/WordPress-Releases-Security-Update
June 22, 2016
___

- http://www.securitytracker.com/id/1036163
CVE Reference: CVE-2016-5832, CVE-2016-5833, CVE-2016-5834, CVE-2016-5835, CVE-2016-5836, CVE-2016-5837, CVE-2016-5838, CVE-2016-5839
Jun 23 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 4.5.3 ...
Impact: A remote user can modify passwords on the target system.
A remote user can cause denial of service conditions.
A remote user can cause the target user's browser to be redirected to an arbitrary web site.
A remote user can obtain potentially sensitive information on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (4.5.3)...

:fear::fear:

AplusWebMaster
2016-07-07, 13:54
FYI...

Avast to acquire AVG - $1.3B
- https://www.yahoo.com/news/avast-acquire-avg-1-3-billion-internet-security-102705630--finance.html
July 7, 2016 PRAGUE (AP) - "Avast Software says it is acquiring its anti-virus rival AVG Technologies N.V. in a $1.3 billion deal. Prague-based Avast says it is ready to pay $25 per share in cash for Amsterdam-based AVG, 33 percent above Wednesday's closing price on the New York Stock Exchange after the two signed a deal on it. Avast said Thursday the deal is meant to "gain scale, technological depth and geographical breadth." It aims to "take advantage of emerging growth opportunities in internet security as well as organizational efficiencies" with a goal to becoming serious competition for the global leaders in the internet security business. The companies have over 400 million users combined. Avast says the transaction is expected to close between Sept 15 and Oct 15..."

:blink:

AplusWebMaster
2016-07-10, 15:03
FYI...

Thunderbird v45.2.0 released
- https://www.mozilla.org/en-US/thunderbird/45.2.0/releasenotes/
June 30, 2016
Fixed: Invitations to events could not be printed.
Fixed: Dragging and dropping of contacts from the contact list onto an addressbook while All Addressbooks is selected moved only one contact
Fixed: Falsely reported not enough disk space during compacting
Fixed: Links were not always detected properly in the message body (terminated early on "|", some long links not detected at all)

> https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird45.2
Fixed in Thunderbird 45.2
2016-49 Miscellaneous memory safety hazards (rv:47.0/rv:45.2)

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla.org/en-US/thunderbird/releases/

Download
- https://www.mozilla.org/en-US/thunderbird/all/

:fear::fear:

AplusWebMaster
2016-07-19, 06:02
FYI...

- https://support.apple.com/en-us/HT201222

- https://lists.apple.com/archives/security-announce/2016/Jul/threads.html

iOS 9.3.3
- https://support.apple.com/en-us/HT206902
July 18, 2016 - "Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later..."
- http://www.securitytracker.com/id/1036344
CVE Reference: CVE-2016-1863, CVE-2016-1864, CVE-2016-1865, CVE-2016-4582, CVE-2016-4587, CVE-2016-4593, CVE-2016-4594, CVE-2016-4603, CVE-2016-4604, CVE-2016-4605, CVE-2016-4626, CVE-2016-4627, CVE-2016-4628, CVE-2016-4631, CVE-2016-4632, CVE-2016-4635, CVE-2016-4637
Jul 19 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.3.3 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote or local user can cause denial of service conditions on the target system.
A remote or local user can obtain potentially sensitive information on the target system.
A local user can obtain elevated privileges on the target system.
A remote user can spoof a URL or content.
Solution: The vendor has issued a fix (9.3.3)...
___

iTunes 12.4.2 for Windows
- https://support.apple.com/en-us/HT206901
July 18, 2016 - "Available for: Windows 7 and later..."

iCloud for Windows 5.2.1
- https://support.apple.com/en-us/HT206899
July 18, 2016 - "Available for: Windows 7 and later..."

Safari 9.1.2
- https://support.apple.com/en-us/HT206900
July 18, 2016 - "Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.6..."
- http://www.securitytracker.com/id/1036343
CVE Reference: CVE-2016-4583, CVE-2016-4584, CVE-2016-4585, CVE-2016-4586, CVE-2016-4589, CVE-2016-4590, CVE-2016-4591, CVE-2016-4592, CVE-2016-4622, CVE-2016-4623, CVE-2016-4624, CVE-2016-4651
Jul 19 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.1.2 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can consume excessive memory resources on the target system.
A remote user can obtain potentially sensitive information on the target system.
A remote user can spoof user interface elements.
Solution: The vendor has issued a fix (9.1.2)...
___

OS X El Capitan v10.11.6 and Security Update 2016-004
- https://support.apple.com/en-us/HT206903
July 18, 2016 - "Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11 and later..."
- http://www.securitytracker.com/id/1036348
CVE Reference: CVE-2016-0718, CVE-2016-4447, CVE-2016-4448, CVE-2016-4449, CVE-2016-4483, CVE-2016-4595, CVE-2016-4596, CVE-2016-4597, CVE-2016-4598, CVE-2016-4599, CVE-2016-4600, CVE-2016-4601, CVE-2016-4602, CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, CVE-2016-4610, CVE-2016-4612, CVE-2016-4614, CVE-2016-4615, CVE-2016-4616, CVE-2016-4619, CVE-2016-4621, CVE-2016-4625, CVE-2016-4629, CVE-2016-4630, CVE-2016-4633, CVE-2016-4634, CVE-2016-4638, CVE-2016-4639, CVE-2016-4640, CVE-2016-4641, CVE-2016-4645, CVE-2016-4646, CVE-2016-4647, CVE-2016-4648, CVE-2016-4649, CVE-2016-4650, CVE-2016-4652
Jul 19 2016
Fix Available: Yes Vendor Confirmed: Yes ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A local user can cause denial of service conditions on the target system.
A remote or local user can obtain potentially sensitive information on the target system.
A local user can obtain elevated privileges on the target system.
A physically local user can view passwords.
Solution: The vendor has issued a fix (10.11.6, Security Update 2016-004)...
___

tvOS 9.2.2
- https://support.apple.com/en-us/HT206905
July 18, 2016 - "Available for: Apple TV (4th generation)..."

watchOS 2.2.2
- https://support.apple.com/en-us/HT206904
July 18, 2016 - "Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes..."
___

- https://www.us-cert.gov/ncas/current-activity/2016/07/18/Apple-Releases-Multiple-Security-Updates
July 18, 2016

:fear::fear:

AplusWebMaster
2016-08-05, 18:21
FYI...

- https://support.apple.com/en-us/HT201222

iOS 9.3.4 released
- https://support.apple.com/en-us/HT207026
Aug 4, 2016 - "Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later..."
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-2016-4654: Team Pangu

... Update fixes a single issue credited to prominent jailbreaking...
> http://arstechnica.com/apple/2016/08/apple-thwarts-jailbreakers-with-ios-9-3-4-update/
8/4/2016
___

- http://www.securitytracker.com/id/1036546
CVE Reference: CVE-2016-4654
Aug 6 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 9.3.3; possibly earlier versions...
Impact: An application can execute arbitrary code on the target system with kernel-level privileges.
Solution: The vendor has issued a fix (9.3.4)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/08/05/Apple-Releases-Security-Update
Aug 05, 2016

:fear:

AplusWebMaster
2016-08-18, 23:23
FYI...

WordPress 4.6 released
- https://wordpress.org/download/
Aug 16, 2016 - "The latest stable release of WordPress (Version 4.6) is available..."

Release notes
- https://codex.wordpress.org/Version_4.6

- https://wordpress.org/download/release-archive/
___

- http://www.securitytracker.com/id/1036683
CVE Reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6896
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6897
Aug 22 2016
Impact: Denial of service via network, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): 4.5.3; possibly other versions ...
Impact: A remote user can take actions on the target system acting as the target authenticated user.
A remote authenticated user can cause the target application to fail.
Solution: The vendor has issued a fix (4.6)...

:fear::fear:

AplusWebMaster
2016-08-26, 00:31
FYI...

Out-of-Band iOS Patch Fixes 0-Day ...
- https://isc.sans.edu/diary.html?storyid=21409
2016-08-25 - "A new spyware has been discovered on the Apple platform. Called Pegasus... it turns out to be a sophisticated targeted spyware. Developed by professionals, it uses 0-day vulnerabilities, code obfuscation and encryption techniques. Apple released today an out-of-band patch for iOS (version 9.3.5)*. It fixes three critical vulnerabilities..."

iOS 9.3.5 released
* https://support.apple.com/en-us/HT207107
Aug 25, 2016 - "Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later..."

- https://lists.apple.com/archives/security-announce/2016/Aug/msg00000.html
25 Aug 2016

- http://www.securitytracker.com/id/1036694
CVE Reference: CVE-2016-4655, CVE-2016-4656, CVE-2016-4657
Aug 25 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 9.3.5...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
An application can obtain portions of kernel memory contents.
An application can obtain elevated privileges on the target system.
Solution: The vendor has issued a fix (9.3.5)...

- https://www.us-cert.gov/ncas/current-activity/2016/08/25/Apple-Releases-Security-Update
Aug 25, 2016

:fear::fear:

AplusWebMaster
2016-08-26, 13:49
FYI...

Adblock Plus 1.12.2 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-1122-for-chrome-opera-and-safari-released
2016-08-23
Install Adblock Plus 1.12.2 for Chrome
Install Adblock Plus 1.12.2 for Opera
Install Adblock Plus 1.12.2 for Safari (Safari 6 or higher required)
This is a minor release, focused on stability and preventing circumvention...

:fear:

AplusWebMaster
2016-09-02, 21:22
FYI...

- https://support.apple.com/en-us/HT201222

Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite
- https://support.apple.com/en-us/HT207130
Sep 1, 2016 - "Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6 ..."
- https://lists.apple.com/archives/security-announce/2016/Sep/msg00001.html

Safari 9.1.3
- https://support.apple.com/en-us/HT207131
Sep 1, 2016 - "Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11.6 ..."
- https://lists.apple.com/archives/security-announce/2016/Sep/msg00000.html
___

- https://isc.sans.edu/diary.html?storyid=21439
2016-09-02 - "... The OS X update, which is only available for El Capitan and Yosemite, fixes the two kernel vulnerabilities. The Safari update which is available for OS X Mavericks and Yosemite... fixes the WebKit vulnerability... recommend patching these quickly given that the same vulnerabilities have already been exploited for iOS."
___

- https://www.us-cert.gov/ncas/current-activity/2016/09/01/Apple-Releases-Security-Updates
Sep 01, 2016

:fear::fear:

AplusWebMaster
2016-09-08, 12:55
FYI...

WordPress 4.6.1 - Security and Maintenance Release
- https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
Sep 7, 2016 - "WordPress 4.6.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename... and a path traversal vulnerability in the upgrade package uploader... In addition to the security issues above, WordPress 4.6.1 fixes 15 bugs from 4.6. For more information, see the release notes* or consult the list of changes**..."

Release notes
* https://codex.wordpress.org/Version_4.6.1

List of changes
** https://core.trac.wordpress.org/query?milestone=4.6.1

Download
- https://wordpress.org/download/
___

- http://www.securitytracker.com/id/1036747
Sep 8 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 4.6 and prior...
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. The impact of the path traversal flaw was not disclosed.
Solution: The vendor has issued a fix (4.6.1)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/09/07/WordPress-Releases-Security-Update
Sep 7, 2016

:fear::fear:

AplusWebMaster
2016-09-14, 12:56
FYI...

- https://support.apple.com/en-us/HT201222

iOS 10
- https://support.apple.com/en-us/HT207143
Sep 13, 2016 - "Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later..."

iOS 10.0.1
- https://support.apple.com/en-us/HT207145
Sep 13, 2016 - "... iOS 10.0.1 also includes the security content of iOS 10."

- http://www.securitytracker.com/id/1036797
CVE Reference: CVE-2016-4620, CVE-2016-4719, CVE-2016-4740, CVE-2016-4741, CVE-2016-4746, CVE-2016-4747, CVE-2016-4749
Sep 13 2016
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available: Yes Vendor Confirmed: Yes ...
Impact: A remote user in a privileged network position can prevent software updates.
A remote user in a privileged network position can obtain mail credentials.
A local user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (10.0, 10.0.1)...
___

Xcode 8
- https://support.apple.com/en-us/HT207140
Sep 13, 2016 - "Available for: OS X El Capitan v10.11.5 and later..."

watchOS 3
- https://support.apple.com/en-us/HT207141
Sep 13, 2016 - "Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermès"
___

- https://www.us-cert.gov/ncas/current-activity/2016/09/13/Apple-Releases-Security-Updates
Sep 13, 2016

:fear::fear:

AplusWebMaster
2016-09-21, 00:09
FYI...

- https://support.apple.com/en-us/HT201222

Safari 10
- https://support.apple.com/en-us/HT207157
Sep 20, 2016 - "Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6..."
- https://lists.apple.com/archives/security-announce/2016/Sep/msg00007.html

- http://www.securitytracker.com/id/1036854
CVE Reference: CVE-2016-4611, CVE-2016-4618, CVE-2016-4728, CVE-2016-4729, CVE-2016-4730, CVE-2016-4731, CVE-2016-4733, CVE-2016-4734, CVE-2016-4735, CVE-2016-4737, CVE-2016-4751, CVE-2016-4758, CVE-2016-4759, CVE-2016-4760, CVE-2016-4762, CVE-2016-4763, CVE-2016-4765, CVE-2016-4766, CVE-2016-4767, CVE-2016-4768, CVE-2016-4769
Sep 21 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 10.0 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can bypass security controls on the target system.
A remote user can spoof the address bar.
A remote user can obtain potentially sensitive information.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fix (10.0)...
___

macOS Sierra 10.12
- https://support.apple.com/en-us/HT207170
Sep 20, 2016 - "Available for: OS X El Capitan v10.11.6..."
- https://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html
___

macOS Server 5.2
- https://support.apple.com/en-us/HT207171
Sep 20, 2016 - "Available for: macOS Sierra 10.12..."
- https://lists.apple.com/archives/security-announce/2016/Sep/msg00009.html
___

iCloud for Windows 6.0
- https://support.apple.com/en-us/HT207147
Sep 20, 2016 - "Available for: Windows 7 and later..."
- https://lists.apple.com/archives/security-announce/2016/Sep/msg00013.html
___

iTunes 12.5.1 for Windows
- https://support.apple.com/en-us/HT207158
Sep 13, 2016 - "Available for: Windows 7 and later..."
- https://lists.apple.com/archives/security-announce/2016/Sep/msg00012.html
___

- https://www.us-cert.gov/ncas/current-activity/2016/09/20/Apple-Releases-Security-Updates
Sep 20, 2016

:fear::fear:

AplusWebMaster
2016-09-22, 22:01
FYI...

OpenSSL 1.0.1u, 1.0.2i, 1.1.0a released
- https://www.openssl.org/news/secadv/20160922.txt
22 Sep 2016 - "Severity: High ...
OpenSSL 1.1.0 users should upgrade to 1.1.0a
OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u ..."

- https://www.openssl.org/news/secadv/20160926.txt
26 Sep 2016 - "Severity: Critical
OpenSSL 1.1.0 users should upgrade to 1.1.0b ...
OpenSSL 1.0.2i users should upgrade to 1.0.2j ..."

> https://isc.sans.edu/diary.html?storyid=21509
2016-09-22 - "OpenSSL released an update today for all currently supported versions (1.0.1, 1.0.2, 1.1.0).
The update fixes -14- different vulnerabilities... With this update, the latest versions of OpenSSL for the various branches are 1.0.1u, 1.0.2i and 1.1.0a. All three branches are currently supported..."
(See chart @ the isc URL above.)
___

- http://www.securitytracker.com/id/1036878
CVE Reference: CVE-2016-6304
Sep 22 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 1.0.1, 1.0.2, 1.1.0...
Impact: A remote authenticated user can consume excessive memory resources on the target system.
Solution: The vendor has issued a fix (1.0.1u, 1.0.2i, 1.1.0a)...

- http://www.securitytracker.com/id/1036879
CVE Reference: CVE-2016-6305
Sep 22 2016
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): 1.1.0...
Impact: A remote authenticated user can cause the target service to hang.
Solution: The vendor has issued a fix (1.1.0a)...

- http://www.securitytracker.com/id/1036885
CVE Reference: CVE-2016-6302, CVE-2016-6303, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, CVE-2016-7052
Updated: Sep 26 2016
Fix Available: Yes Vendor Confirmed: Yes
Impact: A remote user can cause the target service or application to crash.
Solution: The vendor has issued a fix (1.0.1u, 1.0.2i, 1.1.0a).
[Editor's note: On September 26, 2016, the vendor reported that two of the fixed versions contain vulnerabilities. Version 1.1.0a is affected by a use-after-free memory error (CVE-2016-6309), reported by Robert Swiecki (Google Security Team). Version 1.0.2i is affected by a CRL processing null pointer exception (CVE-2016-7052), reported by Bruce Stephens and Thomas Jakobi. The revised fixes are versions 1.1.0b and 1.0.2j.]
___

- https://www.us-cert.gov/ncas/current-activity/2016/09/23/OpenSSL-Releases-Security-Updates
Last revised: Sep 26, 2016

:fear::fear:

AplusWebMaster
2016-10-08, 23:57
FYI...

Thunderbird 45.4.0 released
- https://www.mozilla.org/en-US/thunderbird/45.4.0/releasenotes/
Oct 3, 2016
What’s New:
Fixed:
- Display name was truncated if no separating space before email address.
- Recipient addresses were shown in red despite being inserted from the address book in some circumstances.
- Additional spaces were inserted when drafts were edited.
- Mail saved as template copied In-Reply-To and References from original email.
- Threading broken when editing message draft, due to loss of Message-ID
- "Apply columns to..." did not honor special folders

... 12 bugs fixed.

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla.org/en-US/thunderbird/releases/

Download
- https://www.mozilla.org/en-US/thunderbird/all/

Add-ons
- https://addons.mozilla.org/en-US/thunderbird/

:fear:

AplusWebMaster
2016-10-24, 23:51
FYI...

- https://support.apple.com/en-us/HT201222

iOS 10.1
- https://support.apple.com/en-us/HT207271
Oct 24, 2016 - "Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later..."
- http://www.securitytracker.com/id/1037088
CVE Reference: CVE-2016-4664, CVE-2016-4665, CVE-2016-4680, CVE-2016-4686
Oct 25 2016
Fix Available: Yes Vendor Confirmed: Yes
Impact: An application user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (10.1)...

Safari 10.0.1
- https://support.apple.com/en-us/HT207272
Oct 24, 2016 - "Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12..."
- http://www.securitytracker.com/id/1037087
CVE Reference: CVE-2016-4666, CVE-2016-4676, CVE-2016-4677
Oct 25 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 10.0.1...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (10.0.1)...

macOS Sierra 10.12.1
- https://support.apple.com/en-us/HT207275
Oct 24, 2016 - "Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6..."
- http://www.securitytracker.com/id/1037086
CVE Reference: CVE-2016-4635, CVE-2016-4660, CVE-2016-4661, CVE-2016-4662, CVE-2016-4663, CVE-2016-4667, CVE-2016-4669, CVE-2016-4671, CVE-2016-4673, CVE-2016-4674, CVE-2016-4675, CVE-2016-4678, CVE-2016-4679, CVE-2016-4682, CVE-2016-7579
Oct 25 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 10.12.1 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A local user can cause denial of service conditions on the target system.
A remote user can modify files on the target system.
A local user can obtain root privileges on the target system.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (10.12.1)...

tvOS 10.0.1
- https://support.apple.com/en-us/HT207270
Oct 24, 2016 - "Available for: Apple TV (4th generation)..."

watchOS 3.1
- https://support.apple.com/en-us/HT207269
Oct 24, 2016 - "Available for: All Apple Watch models..."

:fear:

AplusWebMaster
2016-10-26, 03:12
FYI...

Adblock Plus 2.8 for Firefox released
- https://adblockplus.org/releases/adblock-plus-28-for-firefox-released
2016-10-25
Install Adblock Plus 2.8 for Firefox

This release changes the way element hiding works in Firefox, so that noticeable delays from changing a single element hiding rule should be no more. Also, the behavior should be more consistent now and filters not applying on a particular website should no longer be able to cause unexpected side-effects. On the downside, changes to element hiding rules will only apply after a page is reloaded now (which is actually consistent with blocking rules).
Additional changes:
- There is a special $websocket type option now to block WebSocket requests, the type was previously considered to be other here (announcement*).
* https://adblockplus.org/development-builds/new-filter-type-option-for-websockets
- Our toolbar icon will look better on high-resolution screens (issue 4142).
- Removed feature selection from the first-run page until the features can be removed similarly easily (issue 4294).
- Hits for CSS property filters which were introduced in the previous release are being counted now (issue 3969).
- Fixed: CSS property filters applied even when Adblock Plus was disabled everywhere (issue 4201).
- Fixed: A regression in pop-up blocking functionality caused websites to be mistakenly considered pop-ups under some circumstances (issue 4335).
- Corrected handling of frames with srcdoc attribute.
- Fixed and improved search functionality in Filter Preferences, was partially broken in Firefox nightly builds (issue 4510)...

:fear:

AplusWebMaster
2016-10-29, 00:07
FYI...

Adblock Plus 2.8.1 for Firefox released
- https://adblockplus.org/releases/adblock-plus-281-for-firefox-released
2016-10-28 - "Our Adblock Plus 2.8 release introduced a -regression- that went unnoticed for months in the development builds. Users who activated the please_kill_startup_performance preference were experiencing data loss: filters didn’t load completely. Also, importing custom filters was failing for large files. Both issues have the same root cause (issue 4576) and have been resolved in Adblock Plus 2.8.1. If your data is still incomplete after updating to Adblock Plus 2.8.1 please click the “Backup and Restore” button in Filter Preferences — one of the automatically created backups is certain to be correct."


:fear::fear::fear:

AplusWebMaster
2016-10-31, 21:47
FYI...

- https://support.apple.com/en-us/HT201222

iOS 10.1.1
- https://support.apple.com/en-us/HT207287
Oct 31, 2016 - "iOS 10.1.1 includes the security content of iOS 10.1*."

iOS 10.1
* https://support.apple.com/en-us/HT207271
Oct 24, 2016

> http://www.macrumors.com/2016/10/31/apple-releases-ios-10-1-1/
Oct 31, 2016 - "...Today's update fixes bugs including an issue where Health data could not be viewed for some users. iOS 10.1.1 can be downloaded as a free over-the-air update on all iPhone, iPad, and iPod touch models compatible with iOS 10...
Update: Apple has subsequently stopped signing iOS 10.0.2 and iOS 10.0.3, meaning that users can no longer downgrade to those software versions."

- http://appleinsider.com/articles/16/10/31/apple-issues-ios-1011-with-fix-for-viewing-data-in-health-app
Oct 31, 2016
___

iTunes 12.5.2 for Windows
- https://support.apple.com/en-us/HT207274
Oct 27, 2016 - "Available for: Windows 7 and later..."
- http://www.securitytracker.com/id/1037139
CVE Reference: CVE-2016-4613, CVE-2016-7578
Oct 28 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 12.5.2 ...
Impact: A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can obtain potentially sensitive information on the target system.
Solution: The vendor has issued a fix (12.5.2; for Windows)...
___

iCloud for Windows 6.0.1
- https://support.apple.com/en-us/HT207273
Oct 27, 2016 - "Available for: Windows 7 and later..."
___

Xcode 8.1
- https://support.apple.com/en-us/HT207268
Oct 27, 2016 - "Available for: OS X El Capitan v10.11.5 and later..."

:fear::fear::fear:

AplusWebMaster
2016-11-21, 13:52
FYI...

Thunderbird 45.5.0 released
- https://www.mozilla.org/en-US/thunderbird/45.5.0/releasenotes/
Nov 18, 2016
What’s New:
Changed: IMPORTANT: Changed recipient address entry: Arrow-keys now copy the pop-up value to the input field. Mouse-hovered pop-up value can no longer be confirmed with tab or enter key. This restores the behavior of Thunderbird 24.
Changed: Support changes to character limit in Twitter
Fixed:
- Reply with selected text containing quote resulted in wrong quoting level indication
- Mail address display at header pane displayed incorrectly if the address contains UTF-8 according to RFC 6532
- Attempting to sort messages on the Date field whilst a quick filter is applied got stuck on sort descending
- Email invitation might not be displayed when description contains non-ASCII characters

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla.org/en-US/thunderbird/releases/

Download
- https://www.mozilla.org/en-US/thunderbird/all/

Add-ons
- https://addons.mozilla.org/en-US/thunderbird/

:fear:

AplusWebMaster
2016-11-23, 17:58
FYI...

Adblock Plus 2.8.2 for Firefox released
- https://adblockplus.org/releases/adblock-plus-282-for-firefox-released
2016-11-22
Install Adblock Plus 2.8.2 for Firefox
... This is a maintenance release, most importantly introducing some improvements to CSS property filters.
Additional changes:
- Made sure that element hiding rules don’t affect browser’s and extensions’ special pages, this regressed with Adblock Plus 2.8 (issue 4624, issue 4625).
- Fixed blockable items list slowing down page loading (issue 4587).
- Pop-ups using data: URLs and similar unusual schemes can be blocked now (issue 4368).
- When selecting keyboard shortcuts, more shortcut keys already in use by the browser can be recognized. This will change the shortcut key to show Blockable items list from Ctrl/Cmd-Shift-V to Ctrl/Cmd-Shift-U for pretty much everybody (issue 4544).

:fear::fear:

AplusWebMaster
2016-11-23, 17:59
FYI...

Network Time Protocol update
- https://www.us-cert.gov/ncas/current-activity/2016/11/21/Vulnerabilities-Identified-Network-Time-Protocol-Daemon-ntpd
Nov 21, 2016 - "The Network Time Foundation's NTP Project has released version ntp-4.2.8p9 to address multiple vulnerabilities in ntpd. Exploitation of some of these vulnerabilities may allow a remote attacker to cause a denial-of-service condition.
US-CERT encourages users and administrators to review Vulnerability Note VU#633847* and the NTP Security Notice Page** for vulnerability and mitigation details."
* http://www.kb.cert.org/vuls/id/633847
** http://nwtime.org/ntp428p9_release/
___

- http://www.securitytracker.com/id/1037354
CVE Reference: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311, CVE-2016-9312
Nov 29 2016
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 4.2.8p9 ...
Impact: A remote user can cause the target service to crash.
A remote user can obtain potentially sensitive information from the target system.
A remote user can conduct denial of service amplification attacks against other targets.
Solution: The vendor has issued a fix (4.2.8p9)...
Vendor URL: http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se

:fear::fear:

AplusWebMaster
2016-12-01, 16:15
FYI...

Thunderbird 45.5.1 released
- https://www.mozilla.org/en-US/thunderbird/45.5.1/releasenotes/
Nov 30, 2016

- https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird45.5.1

- https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/
Fixed in:
Thunderbird 45.5.1
CVE-2016-9079: Use-after-free in SVG Animation
Critical

Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

- https://www.mozilla.org/en-US/thunderbird/releases/

Download
- https://www.mozilla.org/en-US/thunderbird/all/

Add-ons
- https://addons.mozilla.org/en-US/thunderbird/
___

- http://www.securitytracker.com/id/1037371
CVE Reference: CVE-2016-9079
Dec 1 2016
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): prior to 45.5.1
Impact: A remote user can create JavaScript content that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: Mozilla.org has issued a fix for Mozilla Thunderbird (45.5.1)...
___

- https://www.us-cert.gov/ncas/current-activity/2016/11/30/Mozilla-Releases-Security-Updates
Nov 30, 2016

:fear::fear: