Thunderbird v24.3.0 released
FYI...
- http://www.securitytracker.com/id/1029721
CVE Reference: CVE-2014-1477, CVE-2014-1478, CVE-2014-1479, CVE-2014-1481, CVE-2014-1482, CVE-2014-1486, CVE-2014-1487, CVE-2014-1490, CVE-2014-1491
Feb 5 2014
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 24.3 ...
Solution: The vendor has issued a fix (24.3)...
- https://www.mozilla.org/en-US/thunderbird
Release Notes
- https://www.mozilla.org/en-US/thunde.../releasenotes/
Security Advisories
- https://www.mozilla.org/security/kno...hunderbird24.3
MFSA 2014-13 Inconsistent JavaScript handling of access to Window objects
MFSA 2014-12 NSS ticket handling issues
MFSA 2014-09 Cross-origin information leak through web workers
MFSA 2014-08 Use-after-free with imgRequestProxy and image processing
MFSA 2014-04 Incorrect use of discarded images by RasterImage
MFSA 2014-02 Clone protected content with XBL scopes
MFSA 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
Automated Updates: https://support.mozillamessaging.com...ng-thunderbird
Manual check: Go to >Help >About Thunderbird
Download: https://www.mozilla.org/thunderbird/all.html
Process Explorer v16.0 ...
FYI...
Process Explorer v16.0
- http://technet.microsoft.com/en-us/s...rnals/bb896653
Feb 4, 2014 - "Thanks to collaboration with the team at VirusTotal, this Process Explorer update introduces integration with VirusTotal.com, an online antivirus analysis service. When enabled, Process Explorer sends the hashes of images and files shown in the process and DLL views to VirusTotal and if they have been previously scanned, reports how many antivirus engines identified them as possibly malicious. Hyperlinked results take you to VirusTotal.com report pages and you can even submit files for scanning."
> https://isc.sans.edu/diaryimages/ima...us%20total.png
iOS 7.0.6, 6.1.6, Apple TV 6.0.2 ...
FYI...
iOS 7.0.6
- http://support.apple.com/kb/HT6147
Feb 21, 2014 - "... Data Security: Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later...
CVE-2014-1266..."
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-1266 - 6.8
iOS 6.1.6
- http://support.apple.com/kb/HT6146
Feb 21, 2014 - "... Data Security: Available for: iPhone 3GS, iPod touch (4th generation)...
CVE-2014-1266..."
- http://www.securitytracker.com/id/1029811
CVE Reference: CVE-2014-1266
Feb 21 2014
Fix Available: Yes Vendor Confirmed: Yes...
Impact: A remote user with the ability to conduct a man-in-the-middle attack can decrypt SSL/TLS sessions.
Solution: The vendor has issued a fix (6.1.6, 7.0.6)...
___
Apple TV 6.0.2
- http://support.apple.com/kb/HT6148
Feb 21, 2014 - "... Apple TV: Available for: Apple TV 2nd generation and later...
CVE-2014-1266..."
- http://www.securitytracker.com/id/1029812
CVE Reference: CVE-2014-1266
Feb 22 2014
Fix Available: Yes Vendor Confirmed: Yes...
Impact: A remote user with the ability to conduct a man-in-the-middle attack can decrypt SSL/TLS sessions.
Solution: The vendor has issued a fix (6.0.2)...
___
Apple Releases Security Updates for iOS devices and Apple TV
- https://www.us-cert.gov/ncas/current...s-and-Apple-TV
Feb 21, 2014
- http://support.apple.com/kb/HT1222
OS X Mavericks, Safari, QuickTime updates
FYI...
OS X Mavericks v10.9.2 update
- http://support.apple.com/kb/HT6114
Feb 25, 2014 - "OS X Mavericks v10.9.2 Update is recommended for all OS X Mavericks users. It improves the stability, compatibility, and security of your Mac..."
(More detail at the URL above.)
OS X Mavericks 10.9.2 and Security Update 2014-001
- http://support.apple.com/kb/HT6150
Feb 25, 2014
- http://lists.apple.com/archives/secu.../msg00000.html
- http://www.securitytracker.com/id/1029825
CVE Reference: CVE-2014-1254, CVE-2014-1255, CVE-2014-1256, CVE-2014-1257, CVE-2014-1258, CVE-2014-1259, CVE-2014-1260, CVE-2014-1261, CVE-2014-1262, CVE-2014-1263, CVE-2014-1264, CVE-2014-1265
Feb 26 2014
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of system information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 10.7.5, 10.8.5, 10.9, 10.9.1...
Solution: The vendor has issued a fix (OS X Mavericks v10.9.2, Security Update 2014-001)...
___
Safari 6.1.2, 7.0.2
- http://support.apple.com/kb/HT6145
Feb 25, 2014
- http://lists.apple.com/archives/secu.../msg00001.html
- http://www.securitytracker.com/id/1029826
CVE Reference: CVE-2014-1268, CVE-2014-1269, CVE-2014-1270
Feb 26 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 6.1.2 and 7.0.2...
Solution: The vendor has issued a fix (6.1.2, 7.0.2)...
___
QuickTime 7.7.5 released
- http://support.apple.com/kb/HT6151
Feb 25, 2014 - "Available for: Windows 7, Vista, XP SP2 or later..."
- http://lists.apple.com/archives/secu.../msg00002.html
- http://www.securitytracker.com/id/1029823
CVE Reference: CVE-2014-1243, CVE-2014-1244, CVE-2014-1245, CVE-2014-1246, CVE-2014-1247, CVE-2014-1248, CVE-2014-1249, CVE-2014-1250, CVE-2014-1251
Feb 26 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7.7.5 for Windows...
Solution: The vendor has issued a fix (7.7.5 for Windows; on OS X apply APPLE-SA-2014-02-25-1 OS X Mavericks 10.9.2 or Security Update 2014-001)...
... use Apple Software Update.
iOS 7.1, Apple TV 6.1 released
FYI...
iOS 7.1 released
- http://www.securitytracker.com/id/1029888
CVE Reference: CVE-2013-5133, CVE-2013-6835, CVE-2014-1267, CVE-2014-1271, CVE-2014-1272, CVE-2014-1273, CVE-2014-1274, CVE-2014-1275, CVE-2014-1276, CVE-2014-1277, CVE-2014-1278, CVE-2014-1281, CVE-2014-1282, CVE-2014-1284, CVE-2014-1285, CVE-2014-1286, CVE-2014-1287, CVE-2014-1280, CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, CVE-2014-1293, CVE-2014-1294
Mar 11 2014
Impact: Denial of service via network, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7.1 ...
Solution: The vendor has issued a fix (7.1).
The vendor's advisory is available at:
- http://support.apple.com/kb/HT6162
"... Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later..."
- https://secunia.com/advisories/57294/
Release Date: 2014-03-11
Criticality: Highly Critical
Where: From remote
Impact: Security Bypass, Spoofing, Exposure of sensitive information, System access
Operating System: Apple iOS 7.x for iPhone 4 and later, Apple iOS for iPad 7.x, Apple iOS for iPod touch 7.x
Solution: Update to version 7.1.
___
Apple TV 6.1 released
- http://www.securitytracker.com/id/1029889
CVE Reference: CVE-2014-1267, CVE-2014-1271, CVE-2014-1272, CVE-2014-1273, CVE-2014-1275, CVE-2014-1278, CVE-2014-1279, CVE-2014-1280, CVE-2014-1282, CVE-2014-1287, CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, CVE-2014-1293, CVE-2014-1294
Mar 11 2014
Impact: Denial of service via network, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 6.1 ...
Solution: The vendor has issued a fix (6.1).
The vendor's advisory is available at:
- http://support.apple.com/kb/HT6163
- https://secunia.com/advisories/57297/
Release Date: 2014-03-11
Criticality: Highly Critical
Where: From remote
Impact: Security Bypass, Spoofing, Exposure of sensitive information, System access
Operating System: Apple TV 6.x
Solution: Update to version 6.1.
Thunderbird 24.4 released
FYI...
- http://www.securitytracker.com/id/1029930
CVE Reference: CVE-2014-1493, CVE-2014-1494, CVE-2014-1496, CVE-2014-1497, CVE-2014-1499, CVE-2014-1505, CVE-2014-1508, CVE-2014-1509, CVE-2014-1510, CVE-2014-1511, CVE-2014-1512, CVE-2014-1513, CVE-2014-1514
Mar 19 2014
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 24.4
- https://www.mozilla.org/en-US/thunderbird
Release Notes
- https://www.mozilla.org/en-US/thunde.../releasenotes/
Security Advisories
- https://www.mozilla.org/security/kno...hunderbird24.4
MFSA 2014-32 Out-of-bounds write through TypedArrayObject after neutering
MFSA 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects
MFSA 2014-30 Use-after-free in TypeObject
MFSA 2014-29 Privilege escalation using WebIDL-implemented APIs
MFSA 2014-28 SVG filters information disclosure through feDisplacementMap
MFSA 2014-27 Memory corruption in Cairo during PDF font rendering
MFSA 2014-26 Information disclosure through polygon rendering in MathML
MFSA 2014-17 Out of bounds read during WAV file decoding
MFSA 2014-16 Files extracted during updates are not always read only
MFSA 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)
Automated Updates: https://support.mozillamessaging.com...ng-thunderbird
Manual check: Go to >Help >About Thunderbird
Download: https://www.mozilla.org/thunderbird/all.html
Safari 7.0.3, 6.1.3 released
FYI...
- http://www.securitytracker.com/id/1029983
CVE Reference: CVE-2013-2871, CVE-2014-1297, CVE-2014-1298, CVE-2014-1299, CVE-2014-1300, CVE-2014-1301, CVE-2014-1302, CVE-2014-1303, CVE-2014-1304, CVE-2014-1305, CVE-2014-1307, CVE-2014-1308, CVE-2014-1309, CVE-2014-1310, CVE-2014-1311, CVE-2014-1312, CVE-2014-1313
Apr 2 2014
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 6.1.3 and 7.0.3
Solution: The vendor has issued a fix (6.1.3, 7.0.3).
The vendor's advisory is available at:
- http://support.apple.com/kb/HT6181
Cisco Products - OpenSSL Heartbeat Extension Vulnerability
FYI...
- http://tools.cisco.com/security/cent...ationListing.x
Multiple Cisco Products - OpenSSL Heartbeat Extension Vulnerability
- http://tools.cisco.com/security/cent...409-heartbleed
Last Updated: 2014 April 18 - "Summary: Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server. The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or Datagram Transport Layer Security (DTLS) client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. An exploit could send a specially crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords. Please note that the devices that are affected by this vulnerability are the devices acting as an SSL server terminating SSL connections or devices acting as an SSL Client initiating an SSL connection. Devices that are simply traversed by SSL traffic without terminating it are not affected. This advisory will be updated as additional information becomes available. Cisco will release free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities may be available..."
Revision 1.10 - 2014-April-18 - Updated the Affected Products, Vulnerable Products, Products Confirmed Not Vulnerable, and Software Versions and Fixes sections.