
Thread: Alerts - Q4-2006-Q1-2007b

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Alerts - Q4-2006-Q1-2007b

    FYI...

    Flash v9.0.28.0 released
    Download:
    - http://www.adobe.com/shockwave/downl...ShockwaveFlash
    Version: 9,0,28,0
    Browser: Firefox, Mozilla, Netscape, Opera, and Internet Explorer
    Date Posted: 11/14/2006

    Security bulletins and advisories
    - http://www.adobe.com/support/security/

    Test version installed:
    - http://www.macromedia.com/software/flash/about/

    - http://isc.sans.org/diary.php?compare=1&storyid=1859
    Last Updated: 2006-11-14 23:58:33 UTC
    "...Affected versions include 9.x, 8.x and 7.x. If after reading the Adobe announcement you are left wondering what modified HTTP headers of client requests can do to cause HTTP Request Splitting attacks, or what those are to start with, take a look at e.g.: http://en.wikipedia.org/wiki/HTTP_Response_splitting ..."
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
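    The ISC note above points at the Wikipedia article for what CR/LF in a header value can do. The following is an added illustration (not code from Adobe, SANS or the forum poster) of the defensive rule it implies: a header value that contains a bare CR or LF can terminate the header block and start a second message, so a request builder must reject such values. The request format is plain HTTP/1.1; the header name, the injected value and the `example.invalid` host are constructed for the example.

```python
"""Added example: rejecting CR/LF in HTTP header values (HTTP splitting defence).

Illustrative code only; the header name, sample value and host are constructed.
"""
import re

# A bare CR, LF or NUL inside a header lets attacker-controlled text end the
# header block early and start a second request-line/header block.
_CTL = re.compile(r"[\r\n\x00]")
# RFC 2616 / RFC 7230 "token" characters allowed in a header field name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_safe_header(name: str, value: str) -> bool:
    """True when the name is a valid token and the value has no CR, LF or NUL."""
    return bool(_TOKEN.match(name)) and not _CTL.search(value)


def naive_build(method: str, path: str, headers: dict) -> bytes:
    """The unsafe serializer: copies every header through without validation."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{n}: {v}" for n, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def build_request(method: str, path: str, headers: dict) -> bytes:
    """The hardened serializer: refuses any header that would split the message."""
    for name, value in headers.items():
        if not is_safe_header(name, value):
            raise ValueError(f"unsafe header {name!r}: CR/LF or NUL not allowed")
    return naive_build(method, path, headers)


def count_messages(raw: bytes) -> int:
    """Count request-line/header blocks in serialized bytes (blank line = block end).

    A correctly built single request yields 1; an unfiltered CR/LF value yields more.
    """
    return len([block for block in raw.split(b"\r\n\r\n") if block.strip()])


def rejects(headers: dict) -> bool:
    """True when build_request refuses the given headers."""
    try:
        build_request("GET", "/", headers)
    except ValueError:
        return True
    return False


# Constructed sample: a client-supplied value carrying an embedded second request.
SPLIT_VALUE = "x\r\n\r\nGET /injected HTTP/1.1\r\nHost: example.invalid"

if __name__ == "__main__":
    print("naive serializer produced",
          count_messages(naive_build("GET", "/", {"X-Client": SPLIT_VALUE})), "messages")
    print("hardened serializer rejects it:", rejects({"X-Client": SPLIT_VALUE}))
```

The check belongs at the point where untrusted data becomes a header, which is exactly the layer the advisory describes a plug-in handing client-controlled strings to.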

  2. #2 AplusWebMaster

    SANS Top 20 - Internet Security Attack Targets 2006

    FYI...

    - http://isc.sans.org/diary.php?storyid=1863
    Last Updated: 2006-11-15 12:43:39 UTC
    "Today, the SANS Institute released an updated Top 20 Internet Security Attack Targets* list. This update reorganizes the list recognizing the new reality of operating system independent issues. Sections for cross-platform applications, network devices, policy and the overall issue of 0-day attacks were added. The list has been released for the last 7 years. From the start, organizations like the FBI assisted in putting the list together. It is particularly useful if you have to set and defend priorities..."

    * http://www.sans.org/top20/


  3. #3 AplusWebMaster

    Opera v9.10 released ...introduces Fraud Protection

    FYI...

    - http://www.opera.com/index.dml

    Changelog for Opera 9.10 for Windows
    - http://www.opera.com/docs/changelogs/windows/910/
    "Release Notes
    This release of Opera introduces Fraud Protection*..."

    * http://www.opera.com/docs/fraudprotection/


  4. #4 AplusWebMaster

    QuickTime flaw kicks off "Month of Apple Bugs"

    FYI...

    - http://www.eweek.com/article2/0,1895,2078180,00.asp
    January 1, 2007
    "An easy-to-exploit security vulnerability in Apple Computer's QuickTime media player could put millions of Macintosh and Windows users at risk of code execution attacks. The QuickTime flaw kicked off the Month of Apple Bugs project, which promises to expose unpatched Mac OS X and Apple application vulnerabilities on a daily basis throughout the month of January..."

    > http://secunia.com/advisories/23540/

    - http://blog.washingtonpost.com/secur...f_month_1.html
    January 1, 2007
    "...LMH said the Windows and Mac QuickTime Version 7.1.3 and the Player Version 7.1.3 are vulnerable, and that earlier versions also are likely to be vulnerable. QuickTime users can mitigate the threat from this bug by not opening links that begin with "rtsp://" or by disabling the display of streaming files in QuickTime.

    To do that on a Mac, open QuickTime, go to "Preferences," then click on the "Advanced" tab. You should see a "Mime Settings" button; click on that, and then uncheck the box next to "Streaming - Streaming Movies."

    For Windows users of the most current QuickTime version, click on "Edit," then "Preferences," and then "QuickTime Preferences". Click on the "File Types" tab, and then on the plus sign next to "Streaming - Streaming Movies" and uncheck the box next to "RTSP stream descriptor"..."

    Also see: http://isc.sans.org/diary.php?storyid=1993
    Last Updated: 2007-01-02 00:54:21 UTC
    (Screenshots available at the ISC URL above.)
    ==============================================

    QuickTime RTSP buffer overflow vuln ...iTunes also affected...
    > http://www.kb.cert.org/vuls/id/442497
    Last Updated: 01/02/2007

    Last edited by AplusWebMaster; 2007-01-03 at 16:21. Reason: Added US-CERT reference...

  5. #5 AplusWebMaster

    Locating new phishing sites ...Flash Phishing

    FYI...

    Locating new phishing sites
    - http://www.f-secure.com/weblog/archi....html#00001067
    January 3, 2007 ~ "Phishing sites are easy to locate once the bad boys start spamming out thousands of mails linking to their site. But how can such sites be found before that?... At the time of posting this entry, none of the common browsers (IE, Firefox, Opera) detected this site as a phishing site with their built-in filters. Soon they will."

    Flash Phishing
    - http://www.f-secure.com/weblog/archi....html#00001066
    January 3, 2007 ~ "We've now seen several phishing web sites that are using flash-based content instead of normal HTML. Probably the main reason to do this is to try to avoid phishing toolbars that analyze page content. Two recent examples, both targeting PayPal: ... ppal-form-ssl. com and ... welcome-ppl. com . These sites look like the real PayPal front page, but they are actually Flash recreations..."

    (Screenshots available at the URLs above.)

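    The F-Secure item above explains the evasion: a page that is one big SWF gives a content-analysing toolbar no HTML text to inspect. The following is an added example (not F-Secure's code or any real toolbar's logic) of the kind of heuristic a content filter can add in response: profile a page for Flash embeds and for how much visible text it carries, and flag pages that are essentially Flash-only. The threshold of 200 visible characters and the two sample pages are constructed for the example.

```python
"""Added example: a 'Flash-only page' heuristic for page-content phishing filters.

Illustrative code; the threshold and sample pages are constructed, and this is
not the logic of any real browser filter or toolbar.
"""
from html.parser import HTMLParser

SWF_MIME = "application/x-shockwave-flash"


class PageProfile(HTMLParser):
    """Collect the two features the heuristic needs: visible text and Flash embeds."""

    def __init__(self):
        super().__init__()
        self.visible_text = []
        self.flash_embeds = 0
        self._hidden_depth = 0  # inside <script>/<style>, text is not visible

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._hidden_depth += 1
        if tag in ("embed", "object"):
            src = (a.get("src") or a.get("data")).lower()
            if src.endswith(".swf") or a.get("type", "").lower() == SWF_MIME:
                self.flash_embeds += 1
        # <object> embeds usually carry the movie in <param name="movie">.
        if tag == "param" and a.get("name", "").lower() == "movie":
            if a.get("value", "").lower().endswith(".swf"):
                self.flash_embeds += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        if not self._hidden_depth:
            self.visible_text.append(data)


def profile(html: str) -> dict:
    """Return the number of SWF embeds and the count of visible text characters."""
    p = PageProfile()
    p.feed(html)
    p.close()
    text = " ".join("".join(p.visible_text).split())  # collapse whitespace
    return {"flash_embeds": p.flash_embeds, "visible_chars": len(text)}


def looks_like_flash_only_page(html: str, min_visible_chars: int = 200) -> bool:
    """Heuristic: at least one SWF embed and too little HTML text to analyse.

    Such a page is not necessarily phishing, but it deserves a second look
    (e.g. extracting text from the SWF itself) rather than a clean verdict.
    """
    f = profile(html)
    return f["flash_embeds"] > 0 and f["visible_chars"] < min_visible_chars


# Constructed sample pages (not real phishing sites).
FLASH_ONLY = (
    '<html><body><object type="application/x-shockwave-flash" data="login.swf" '
    'width="800" height="600"><param name="movie" value="login.swf">'
    '</object></body></html>'
)
NORMAL = (
    "<html><body><h1>Log in</h1><p>"
    + "Enter your email address and password. " * 10
    + "</p><script>var x = 1;</script></body></html>"
)

if __name__ == "__main__":
    for name, page in (("FLASH_ONLY", FLASH_ONLY), ("NORMAL", NORMAL)):
        print(name, profile(page), "flagged:", looks_like_flash_only_page(page))
```

Text inside `<script>` and `<style>` is deliberately excluded, since a page can pad itself with invisible script to defeat a naive character count.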

  6. #6 AplusWebMaster

    Open Office vuln - update available

    FYI...

    - http://secunia.com/advisories/23612/
    Release Date: 2007-01-04
    Critical: Highly critical
    Impact: System access
    Where: From remote
    Solution Status: Vendor Patch
    Software: OpenOffice 1.0.x, OpenOffice 1.1.x, OpenOffice.org 2.x
    ...Successful exploitation may allow the execution of arbitrary code.
    Solution: Apply fixes or update to version 2.1...

    Fix:
    1. OpenOffice v2.1: http://download.openoffice.org/index.html
    ~or~
    2. Patch: http://www.openoffice.org/issues/show_bug.cgi?id=70042
    ----------------------------------------------------------------------

    OpenOffice.org 2.1
    - http://www.openoffice.org/
    "...significant improvement over all previous versions. Among other things:
    * Multiple monitor support for Impress
    * Improved Calc HTML export
    * Enhanced Access support for Base
    * Even more languages
    * Automatic notification of updates <<< ..."

    Release Notes
    - http://development.openoffice.org/releases/2.1.0.html

    Last edited by AplusWebMaster; 2007-01-04 at 21:15. Reason: Added options...

  7. #7 AplusWebMaster

    Adobe Reader updates...

    FYI...

    Update available for vulnerabilities in versions 7.0.8 and earlier of Adobe Reader and Acrobat
    - http://www.adobe.com/support/securit...apsb07-01.html
    Release date: January 9, 2007
    "...Solution: Adobe Reader on Windows
    Adobe strongly recommends upgrading to Adobe Reader 8, available from the following site:
    http://www.adobe.com/go/getreader .
    Users with Adobe Reader 7.0 through 7.0.8, who cannot upgrade to Reader 8, should upgrade to Reader 7.0.9. Adobe Reader 7.0.9 is available as a full installation package and not a patch. It can be installed on top of any older version of Reader 7 and user preferences will be preserved: http://www.adobe.com/go/getreader .

    Windows
    Adobe Acrobat 7.0.9 Standard/Professional/3D update - multiple languages
    * http://www.adobe.com/support/downloads/new.jsp
    1/9/2007

    Server-side workarounds to prevent potential cross-site scripting vulnerability in versions 7.0.8 and earlier...
    - http://www.adobe.com/support/securit...apsa07-02.html
    Release date: January 9, 2007
    ============================

    - http://www.adobe.com/support/securit...apsb07-01.html
    January 16, 2007 — "...Updated to reflect the availability of Adobe Reader and Acrobat 6.0.6* for Windows... Users with Adobe Reader 7.0 through 7.0.8, who cannot upgrade to Reader 8, should upgrade to Reader 7.0.9. Adobe Reader 7.0.9 is available as a full installation package and not a patch. It can be installed on top of any older version of Reader 7 and user preferences will be preserved: http://www.adobe.com/go/getreader.
    If customers are using Adobe Reader 6.0–6.0.5 and are unable to upgrade to version 8 or 7.0.9 due to Operating System constraints for example, Adobe recommends upgrading to version 6.0.6 either via a series of patches from:
    http://www.adobe.com/support/downloa...atform=Windows
    -or- by using the auto-update mechanism within the product when prompted..."

    Last edited by AplusWebMaster; 2007-01-27 at 01:03. Reason: Added info re: ARv6.0.6 availability...
