Alerts - Q4-2006-Q1-2007b
FYI...
Flash v9.0.28.0 released
Download:
- http://www.adobe.com/shockwave/downl...ShockwaveFlash
Version: 9,0,28,0
Browser: Firefox, Mozilla, Netscape, Opera, and Internet Explorer
Date Posted: 11/14/2006
Security bulletins and advisories
- http://www.adobe.com/support/security/
Test version installed:
- http://www.macromedia.com/software/flash/about/
- http://isc.sans.org/diary.php?compare=1&storyid=1859
Last Updated: 2006-11-14 23:58:33 UTC
"...Affected versions include 9.x, 8.x and 7.x. If after reading the Adobe announcement you are left wondering what modified HTTP headers of client requests can do to cause HTTP Request Splitting attacks, or what those are to start with, take a look at e.g.: http://en.wikipedia.org/wiki/HTTP_Response_splitting ..."
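For anyone who followed the ISC pointer above and still wants to see the mechanism, here is a small added example (my own, not from the Adobe bulletin or the ISC diary): a client that copies a header value verbatim lets a CR/LF inside that value end the request early and start a second one, which is exactly why the plugin has to refuse CR/LF in caller-supplied headers. The hostnames, the injected value and the toy request parser are constructed for the demonstration and are not taken from the advisory.

```python
import re

CRLF = "\r\n"

# RFC 7230 "token" characters, the only ones allowed in a header field name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed attacker-controlled value (placeholder hostnames): a Host header
# that closes the first request and opens a second, unrelated one.
INJECTED_HOST = (
    "api.example.com" + CRLF + CRLF
    + "GET /admin HTTP/1.1" + CRLF
    + "Host: api.example.com"
)


def build_request(method, path, headers):
    """Naive serialiser: header values are copied verbatim, so a value
    containing CR/LF terminates this request and starts another one."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return CRLF.join(lines) + CRLF + CRLF


def header_is_clean(name, value):
    """True if the name is a token and the value has no CR, LF or NUL."""
    return bool(_TOKEN.match(name)) and not any(c in value for c in "\r\n\0")


def build_request_safe(method, path, headers):
    """Same serialiser, but refuse anything that could split the request."""
    for name, value in headers.items():
        if not header_is_clean(name, value):
            raise ValueError(f"refusing unsafe header {name!r}")
    return build_request(method, path, headers)


def parse_request_lines(raw):
    """Request line of every request in a raw stream, treating each blank line
    as the end of a header block (bodies are ignored for the demonstration)."""
    return [blk.split(CRLF, 1)[0] for blk in raw.split(CRLF + CRLF) if blk]


def demo():
    """Return (requests the naive builder emitted, whether the safe builder refused)."""
    naive = build_request("GET", "/", {"Host": INJECTED_HOST, "User-Agent": "demo"})
    count = len(parse_request_lines(naive))
    try:
        build_request_safe("GET", "/", {"Host": INJECTED_HOST})
        refused = False
    except ValueError:
        refused = True
    return count, refused


if __name__ == "__main__":
    count, refused = demo()
    print(f"naive builder sent {count} request(s); safe builder refused: {refused}")
```

Run it and the naive builder produces two request lines from what the caller thought was one request, while the checked builder raises before anything hits the wire. The same CR/LF/NUL rule is the one to apply to any header value that originates from content you do not control.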
SANS Top 20 - Internet Security Attack Targets 2006
FYI...
- http://isc.sans.org/diary.php?storyid=1863
Last Updated: 2006-11-15 12:43:39 UTC
"Today, the SANS Institute released an updated Top 20 Internet Security Attack Targets* list. This update reorganizes the list recognizing the new reality of operating system independent issues. Sections for cross-platform applications, network devices, policy and the overall issue of 0-day attacks were added. The list has been released for the last 7 years. From the start, organizations like the FBI assisted in putting the list together. It is in particular useful if you have to set and defend priorities..."
* http://www.sans.org/top20/
:spider:
Opera v9.10 released ...introduces Fraud Protection
FYI...
- http://www.opera.com/index.dml
Changelog for Opera 9.10 for Windows
- http://www.opera.com/docs/changelogs/windows/910/
"Release Notes
This release of Opera introduces Fraud Protection*..."
* http://www.opera.com/docs/fraudprotection/
;)
QuickTime flaw kicks off "Month of Apple Bugs"
FYI...
- http://www.eweek.com/article2/0,1895,2078180,00.asp
January 1, 2007
"An easy-to-exploit security vulnerability in Apple Computer's QuickTime media player could put millions of Macintosh and Windows users at risk of code execution attacks. The QuickTime flaw kicked off the Month of Apple Bugs project, which promises to expose unpatched Mac OS X and Apple application vulnerabilities on a daily basis throughout the month of January..."
> http://secunia.com/advisories/23540/
- http://blog.washingtonpost.com/secur...f_month_1.html
January 1, 2007
"...LMH said the Windows and Mac QuickTime Version 7.1.3 and the Player Version 7.1.3 are vulnerable, and that earlier versions also are likely to be vulnerable. QuickTime users can mitigate the threat from this bug by not opening links that begin with "rtsp://" or by disabling the display of streaming files in QuickTime.
To do that on a Mac, open QuickTime, go to "Preferences," then click on the "Advanced" tab. You should see a "Mime Settings" button; click on that, and then uncheck the box next to "Streaming - Streaming Movies."
For Windows users of the most current QuickTime version, click on "Edit," then "Preferences," and then "QuickTime Preferences". Click on the "File Types" tab, and then on the plus sign next to "Streaming - Streaming Movies" and uncheck the box next to "RTSP stream descriptor"..."
Also see: http://isc.sans.org/diary.php?storyid=1993
Last Updated: 2007-01-02 00:54:21 UTC
(Screenshots available at the ISC URL above.)
==============================================
QuickTime RTSP buffer overflow vuln ...iTunes also affected...
> http://www.kb.cert.org/vuls/id/442497
Last Updated: 01/02/2007
:fear: :spider:
Locating new phishing sites ...Flash Phishing
FYI...
Locating new phishing sites
- http://www.f-secure.com/weblog/archi....html#00001067
January 3, 2007 ~ "Phishing sites are easy to locate once the bad boys start spamming out thousands of mails linking to their site. But how can such sites be found before that?... At the time of posting this entry, none of the common browsers (IE, Firefox, Opera) detected this site as a phishing site with their built-in filters. Soon they will."
Flash Phishing
- http://www.f-secure.com/weblog/archi....html#00001066
January 3, 2007 ~ "We've now seen several phishing web sites that are using flash-based content instead of normal HTML. Probably the main reason to do this is to try to avoid phishing toolbars that analyze page content. Two recent examples, both targeting PayPal: ... ppal-form-ssl. com and ... welcome-ppl. com . These sites look like the real PayPal front page, but they are actually Flash recreations..."
(Screenshots available at the URLs above.)
:spider:
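Since the whole point of the Flash trick is that a content-analysing toolbar sees no login form and no text, here is an added example (mine, not F-Secure's and not how any real toolbar works) of the kind of heuristic that catches it: flag a page that embeds an SWF, has no HTML form at all and almost no visible text. The two sample pages are constructed for the demonstration, and the 200-character text threshold is an assumption you would tune on real traffic.

```python
import re
from html.parser import HTMLParser

_SWF = re.compile(r"\.swf(\?|$)", re.I)


class _FlashScan(HTMLParser):
    """Collects what a content-analysing filter would see: SWF references,
    visible text length and HTML forms."""

    def __init__(self):
        super().__init__()
        self.swf_refs = []
        self.text_chars = 0
        self.forms = 0
        self._hidden = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "form":
            self.forms += 1
        # <embed src>, <object data>, <param name="movie" value> all carry the SWF
        for key in ("src", "data", "value"):
            val = a.get(key) or ""
            if _SWF.search(val):
                self.swf_refs.append(val)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text_chars += len(data.strip())


def scan_page(html):
    p = _FlashScan()
    p.feed(html)
    p.close()
    return {"swf": p.swf_refs, "text_chars": p.text_chars, "forms": p.forms}


def looks_like_flash_login_page(html, max_text_chars=200):
    """Heuristic (assumed threshold): embeds Flash, has no HTML form and
    almost no visible text, so the 'page' lives inside the SWF."""
    s = scan_page(html)
    return bool(s["swf"]) and s["forms"] == 0 and s["text_chars"] < max_text_chars


# Constructed sample: a Flash recreation of a login page, nothing but an SWF.
FLASH_PAGE = """<html><head><title>PayPal - Welcome</title></head><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="760" height="600">
<param name="movie" value="login.swf"><param name="quality" value="high">
<embed src="login.swf" width="760" height="600"></embed></object>
</body></html>"""

# Constructed sample: an ordinary HTML login page with a real form and text.
HTML_PAGE = """<html><head><title>Log in</title></head><body>
<h1>Log in to your account</h1>
<p>Enter your email address and password to access your account. If you have
forgotten your password, use the link below to reset it. Never share your
password with anyone.</p>
<form action="/login" method="post">Email <input name="email">
Password <input type="password" name="pw"> <input type="submit" value="Log In"></form>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("flash", FLASH_PAGE), ("html", HTML_PAGE)):
        print(label, scan_page(page), looks_like_flash_login_page(page))
```

The Flash page trips the heuristic (two SWF references, zero forms, only the title as text) while the plain HTML page does not. The obvious caveat is that a legitimate all-Flash site trips it too, so this is a signal for a reputation or URL check, not a verdict on its own.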
Open Office vuln - update available
FYI...
- http://secunia.com/advisories/23612/
Release Date: 2007-01-04
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: OpenOffice 1.0.x, OpenOffice 1.1.x, OpenOffice.org 2.x
...Successful exploitation may allow the execution of arbitrary code.
Solution: Apply fixes or update to version 2.1...
Fix:
1. OpenOffice v2.1: http://download.openoffice.org/index.html
~or~
2. Patch: http://www.openoffice.org/issues/show_bug.cgi?id=70042
----------------------------------------------------------------------
OpenOffice.org 2.1
- http://www.openoffice.org/
"...significant improvement over all previous versions. Among other things:
* Multiple monitor support for Impress
* Improved Calc HTML export
* Enhanced Access support for Base
* Even more languages
* Automatic notification of updates <<< ..."
Release Notes
- http://development.openoffice.org/releases/2.1.0.html
:fear: :spider: