Thunderbird v17.0 released
FYI...
- https://www.mozilla.org/en-US/thunde...0/releasenotes
Nov 20, 2012
Automated Updates: https://support.mozillamessaging.com...ng-thunderbird
Manual check: Go to >Help >About Thunderbird
Download
- https://www.mozilla.org/thunderbird/all.html
Security Advisories
- https://www.mozilla.org/security/kno...#thunderbird17
___
- http://www.securitytracker.com/id/1027793
CVE Reference: CVE-2012-4201, CVE-2012-4202, CVE-2012-4204, CVE-2012-4205, CVE-2012-4207, CVE-2012-4208, CVE-2012-4209, CVE-2012-4212, CVE-2012-4213, CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-4217, CVE-2012-4218, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5836, CVE-2012-5838, CVE-2012-5839, CVE-2012-5840, CVE-2012-5841, CVE-2012-5842, CVE-2012-5843
Nov 21 2012
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Solution: The vendor has issued a fix (17.0)...
- https://secunia.com/advisories/51358/
Release Date: 2012-11-21
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, System access
Where: From remote...
Solution: Upgrade to version 17.0.
:fear::fear:
WordPress Plugins - 464 Secunia Security Advisories ...
FYI...
"WordPress Plugin" search results ...
- https://secunia.com/advisories/searc...rdPress+Plugin
Found: 464 Secunia Security Advisories ...
Nov 27, 2012
>> http://piwik.org/blog/2012/11/securi...2012-nov-26th/
Updated: Nov 27, 2012 - "... The website Piwik.org is running WordPress and got compromised, because of a security issue in a WordPress plugin... compromised by an attacker on 2012 Nov 26th, this attacker added malicious code in the Piwik 1.9.2 Zip file... You would be at risk only if you installed or updated to Piwik 1.9.2 on Nov 26th from 15:43 UTC to 23:59 UTC. If you are not using 1.9.2, or if you have updated to 1.9.2 earlier than Nov 26th 15:40 UTC or from Nov 27th, you should be safe..."
___
- http://h-online.com/-1757246
27 Nov 2012
:fear: :sad:
Java 0-Day exploit on sale for ‘Five Digits’
FYI...
- https://krebsonsecurity.com/2012/11/...r-five-digits/
Nov 27, 2012 - "Miscreants in the cyber underground are selling an exploit for a previously undocumented security hole in Oracle’s Java software that attackers can use to remotely seize control over systems running the program... The flaw, currently being sold by an established member of an invite-only Underweb forum, targets an unpatched vulnerability in Java JRE 7 Update 9, the most recent version of Java (the seller says this flaw does not exist in Java 6 or earlier versions)... The seller was not terribly specific on the price he is asking for this exploit, but set the expected offer at “five digits.” The price of any exploit is ultimately whatever the market will bear, but this is roughly in line with the last Java zero-day exploit that was being traded and sold on the underground...
How to Unplug Java from the Browser:
> http://krebsonsecurity.com/how-to-un...m-the-browser/
:fear: :mad:
0-day vulns in MySQL fixed by MariaDB
FYI...
- http://h-online.com/-1761451
3 Dec 2012 - "A recently published security vulnerability in the MySQL open source database has been met with fixes by the developers of the open source MariaDB* fork... they also note that a supposed zero day vulnerability that enumerates MySQL users has been known about for ten years. MariaDB versions 5.1, 5.2, 5.3 and 5.5, in which CVE-2012-5579 is fixed, are available for download*. MySQL provider Oracle has yet to confirm the vulnerabilities, much less provide updated software."
* http://downloads.mariadb.org/
___
- https://secunia.com/advisories/51427/
Release Date: 2012-12-03
... may be related to vulnerability #1: https://secunia.com/SA51008/
CVE Reference(s): CVE-2012-5611, CVE-2012-5612, CVE-2012-5614, CVE-2012-5615
Impact: Brute force, DoS, System access
Where: From local network
Software: MySQL 5.x
Solution: No official solution is currently available...
___
- http://blog.trendmicro.com/trendlabs...-mysql-server/
Dec 6, 2012 - "... MySQL Database is famous for its high performance, high reliability and ease of use. It runs on both Windows and many non-Windows platforms like UNIX, Mac OS, Solaris, IBM AIX, etc. It has been the fastest growing application and the choice of big companies such as Facebook, Google, and Adobe among others. Given its popularity, cybercriminals and other attackers are definitely eyeing this platform..."
:fear::fear:
cPanel - updates available
FYI...
- https://secunia.com/advisories/51494/
Release Date: 2012-12-05
Criticality level: Moderately critical
Impact: Unknown
Where: From remote
Software: cPanel 11.x
... vulnerabilities are reported in versions prior to 11.30.7.4, 11.32.5.15, and 11.34.0.11.
Solution: Update to version 11.30.7.4, 11.32.5.15, or 11.34.0.11.
Original Advisory:
http://cpanel.net/important-security...nel-whm-11-30/
http://cpanel.net/important-11-32-se...te-cpanel-whm/
http://cpanel.net/important-11-34-se...se-cpanel-whm/
:fear::fear:
Shockwave - vulnerable Flash runtime
FYI...
Shockwave player - vulnerable Flash runtime
* http://www.kb.cert.org/vuls/id/323161
Last revised: 17 Dec 2012 - "Adobe Shockwave Player 11.6.8.638 and earlier versions on the Windows and Macintosh operating systems provide a vulnerable version of the Flash runtime..."
- http://h-online.com/-1772754
19 Dec 2012 - "US-CERT has warned that a security hole exists in Adobe's Shockwave Player*. Version 11.6.8.638 and earlier versions that were installed using the company's "Full" installer are affected. These all include an older version of Flash (10.2.159.1) that contains several exploitable vulnerabilities. Shockwave uses a custom Flash runtime instead of a globally installed Flash plugin. According to US-CERT, the Flash vulnerabilities can be exploited to execute arbitrary code at the user's privilege level via specially crafted Shockwave content. As the Shockwave Player tends to be used only rarely, simply uninstalling the software can provide protection. Adobe is even offering an uninstaller** for this purpose..."
** https://www.adobe.com/shockwave/download/alternates/
(See "Shockwave Player Uninstaller".)
- https://krebsonsecurity.com/2012/12/...shockwave-bug/
Dec 19, 2012 - "... U.S. CERT first warned Adobe about the vulnerability in October 2010, and Adobe says it won’t be fixing it until February 2013..."
- http://www.securitytracker.com/id/1027903
- http://www.securitytracker.com/id/1027904
- http://www.securitytracker.com/id/1027905
Dec 20 2012
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-6270 - 9.3 (HIGH)
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-6271 - 9.3 (HIGH)
:fear::fear: :blink:
Sumatra PDF reader v2.2.1 released
FYI...
- http://blog.kowalczyk.info/software/...apdf/news.html
2013-01-12
Version history - Changes in this release:
• fixed ebooks sometimes not remembering the viewing position
• fixed Sumatra not exiting when opening files from a network drive
• fixes for most frequent crashes and PDF parsing robustness fixes
Download
- http://blog.kowalczyk.info/software/...df-viewer.html
:fear: