Alerts

OS X / Safari - Flash Player updates available

FYI...

OS X / Safari - Flash Player updates available
- http://support.apple.com/kb/HT5655
July 10, 2014 - "... If the version of Adobe Flash plug-in you are using is out of date, you may see the message, "Blocked plug-in", "Flash Security Alert" or "Flash out-of-date" when attempting to view Flash content in Safari. Clicking the indicator displays an alert, "Adobe Flash Player is out-of-date."
In order to use Adobe Flash you need to update to a later version:
- Click the Download Flash button.
- Safari opens Adobe Flash Player installer page on the Adobe website.
- Click the Download now button on the Adobe website to download the latest Adobe Flash Player installer.
- After the download completes, open the downloaded disk image (usually located in your Downloads folder) if it does not open automatically.
In the window that appears, open the installer and follow the onscreen instructions.
Note: If you need to run an older version of Flash, you can use web plug-in management* to re-enable it for specific websites using "Run in Unsafe Mode" (??) in Safari 6.1 or later..."
* http://support.apple.com/kb/HT5954

:fear::fear:
 
Oracle Critical Patch Update Advisory - July 2014

FYI...

Oracle Critical Patch Update Advisory - July 2014
- https://www.us-cert.gov/ncas/current-activity/2014/07/15/Oracle-Releases-July-2014-Security-Advisory
July 15, 2014 - "Oracle has released its Critical Patch Update for July 2014 to address 113 vulnerabilities across multiple products.
This update contains the following security fixes:
• 5 for Oracle Database Server
• 29 for Oracle Fusion Middleware
• 7 for Oracle Hyperion
• 1 for Oracle Enterprise Manager Grid Control
• 5 for the Oracle E-Business Suite
• 3 for Oracle Supply Chain Products Suite
• 5 for Oracle PeopleSoft Products
• 6 for Oracle Siebel CRM
• 1 for Oracle Communications Applications
• 3 for Oracle Retail Applications
• 20 for Oracle Java SE
• 3 for Oracle and Sun Systems Products Suite
• 15 for Oracle Virtualization
• 10 for Oracle MySQL
US-CERT encourages users and administrators to review the Oracle July 2014 Critical Patch Update* and apply the necessary updates."
* http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html#PIN

> https://blogs.oracle.com/security/entry/july_2014_critical_patch_update
___

- https://atlas.arbor.net/briefs/index#-1227693199
High Severity
17 Jul 2014

:fear:
 
Thunderbird 31.0 released

FYI...

Thunderbird 31.0 released
- http://www.securitytracker.com/id/1030620
CVE Reference: CVE-2014-1547, CVE-2014-1548, CVE-2014-1549, CVE-2014-1550, CVE-2014-1551, CVE-2014-1552, CVE-2014-1555, CVE-2014-1556, CVE-2014-1557, CVE-2014-1558, CVE-2014-1559, CVE-2014-1560
Jul 22 2014
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 31.0 ...

- https://www.mozilla.org/en-US/thunderbird

- https://www.mozilla.org/en-US/thunderbird/31.0/releasenotes/
v31.0, released: July 22, 2014

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird31
Fixed in Thunderbird 31
MFSA 2014-66 IFRAME sandbox same-origin access through redirect
MFSA 2014-65 Certificate parsing broken by non-standard character encoding
MFSA 2014-64 Crash in Skia library when scaling high quality images
MFSA 2014-63 Use-after-free while when manipulating certificates in the trusted cache
MFSA 2014-62 Exploitable WebGL crash with Cesium JavaScript library
MFSA 2014-61 Use-after-free with FireOnStateChange event
MFSA 2014-59 Use-after-free in DirectWrite font handling
MFSA 2014-58 Use-after-free in Web Audio due to incorrect control message ordering
MFSA 2014-57 Buffer overflow during Web Audio buffering for playback
MFSA 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html

:fear:
 
AdBlock Plus 2.6.4 ...

FYI...

AdBlock Plus 2.6.4
- https://adblockplus.org/releases/adblock-plus-264-for-firefox-released
2014-07-22
Changes:
- Made sure that data is always written to disk immediately whenever filter hit counts are reset (issue 430).
- Fixed: Moving filters with Ctrl-Up/Down doesn’t work in Firefox 30 and above (issue 716).
- Fixed: Find functionality in the preferences doesn’t indicate that the search pattern wasn’t found (issue 455).
- Fixed: User isn’t informed about anti-adblock warnings on websites producing them (issue 764).
- Fixed: Blockable items aren’t refreshed on tab change in SeaMonkey (issue 290).
- Fixed: “Disable on this page only” doesn’t work correctly if the address ends with # (issue 580)...

- https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

:fear:
 
WordPress 3.9.2 released

FYI...

WordPress 3.9.2 released
- https://wordpress.org/download/
Aug 6, 2014 - "The latest stable release of WordPress (Version 3.9.2) ..."

- http://wordpress.org/news/2014/08/wordpress-3-9-2/
Aug 6, 2014 - "WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately..."

Release notes
- http://codex.wordpress.org/Version_3.9.2

- https://core.trac.wordpress.org/log/branches/3.9?stop_rev=29383&rev=29411
___

- http://www.securitytracker.com/id/1030684
Aug 7 2014
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 3.9.2 ...

- http://atlas.arbor.net/briefs/index#918586250
Elevated Severity
7 Aug 2014

:fear::fear:
 
Safari 6.1.6, 7.0.6 released

FYI...

Safari 6.1.6, 7.0.6 released
- http://support.apple.com/kb/HT6367
Aug 13, 2014
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.4
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling...
___

- http://www.securitytracker.com/id/1030731
CVE Reference: CVE-2014-1384, CVE-2014-1385, CVE-2014-1386, CVE-2014-1387, CVE-2014-1388, CVE-2014-1389, CVE-2014-1390
Aug 14 2014
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 6.1.6, 7.0.6 ...
Impact: A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution: The vendor has issued a fix (6.1.6, 7.0.6)...

:fear::fear:
 
OpenOffice 4.1.1 released

FYI...

OpenOffice 4.1.1 released
- http://www.openoffice.org/download/
Released 2014-08-21

Release Notes
- https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.1+Release+Notes
"Apache OpenOffice 4.1.1 is a micro release intended to fix critical issues. All users of Apache OpenOffice 4.1.0 or earlier are advised to upgrade. You can download Apache OpenOffice 4.1.1 here*. Please review these Release Notes to learn what is new in this version as well as important remarks concerning known issues and their workarounds. Our Bugzilla issue tracking database provides a detailed list of solved issues**..."
* http://www.openoffice.org/download/

** http://s.apache.org/AOO411-solved

Known Issues
- https://cwiki.apache.org/confluence...elease+Notes#AOO4.1.1ReleaseNotes-KnownIssues
___

- http://www.securitytracker.com/id/1030754
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3575 - 4.3
Aug 22 2014
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 4.1.1
Impact: A remote user can obtain potentially sensitive file information.
Solution: The vendor has issued a fix (4.1.1)...

- http://www.securitytracker.com/id/1030755
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3524 - 9.3 (HIGH)
Aug 22 2014
Impact: Disclosure of user information, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 4.1.0 and prior...
Solution: The vendor has issued a fix (4.1.1)...

:fear::fear:
 
Thunderbird 31.1 released

FYI...

Thunderbird 31.1 released
- http://www.securitytracker.com/id/1030794
CVE Reference: CVE-2014-1553, CVE-2014-1554, CVE-2014-1562, CVE-2014-1563, CVE-2014-1564, CVE-2014-1565, CVE-2014-1567
Sep 3 2014
Impact: Disclosure of system information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to versions 24.8, 31.1 ...
Solution: The vendor has issued a fix (24.8, 31.1).

- https://www.mozilla.org/en-US/thunderbird

- https://www.mozilla.org/en-US/thunderbird/31.1.0/releasenotes/
v.31.1.0, released: Sep 2, 2014

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#31.1
Fixed in Thunderbird 31.1
MFSA 2014-72 Use-after-free setting text directionality
MFSA 2014-70 Out-of-bounds read in Web Audio audio timeline
MFSA 2014-69 Uninitialized memory use during GIF rendering
MFSA 2014-68 Use-after-free during DOM interactions with SVG
MFSA 2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html

:fear:
 
Adblock Plus 1.8.4 for Chrome, Opera and Safari released

FYI...

Adblock Plus 1.8.4 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-184-for-chrome-opera-and-safari-released
2014-09-03
Adblock Plus 1.8.4 for Chrome:
- https://chrome.google.com/webstore/detail/cfhdojbkjhnklbpkdaibdccddilifddb
Adblock Plus 1.8.4 for Opera (Opera 17 or higher required):
- https://addons.opera.com/extensions/details/opera-adblock/
Adblock Plus 1.8.4 for Safari (Safari 6 or higher required):
- https://adblockplus.org/en/safari

:spider:
 
Adblock Plus 1.8.5 for Chrome, Opera and Safari released

FYI...

Adblock Plus 1.8.5 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-185-for-chrome-opera-and-safari-released
2014-09-08
Adblock Plus 1.8.5 for Chrome:
- https://chrome.google.com/webstore/detail/cfhdojbkjhnklbpkdaibdccddilifddb
Adblock Plus 1.8.5 for Opera (Opera 17 or higher required):
- https://addons.opera.com/extensions/details/opera-adblock/
Adblock Plus 1.8.5 for Safari (Safari 6 or higher required):
- https://adblockplus.org/en/safari
Changes:
Fixed: “Block Element” dialog was sometimes covered up by other page elements (issue 703).
Fixed: Checkbox labels on the options page should be clickable (issue 1226).
Chrome/Opera-only changes
Adapted for changes in Chrome 36, Opera 23 and higher. Removed side-effects of element hiding on affected websites (e.g. Outlook 365) again (issue 1290).

:fear:
 
Adobe Reader / Acrobat update delayed ...

FYI...

Prenotification Security Advisory for Adobe Reader and Acrobat
- https://helpx.adobe.com/security/products/reader/apsb14-20.html
Sep 5, 2014: Clarified the affected versions of Reader and Acrobat for the Windows and Macintosh platforms.
Sep 8, 2014: Updated the expected release date from September 9, 2014 to the week of September 15, 2014. The release was -delayed- to address issues identified during regression testing.

:fear:
 
iOS 8 released

FYI...

iOS 8 released
- http://www.securitytracker.com/id/1030866
CVE Reference: CVE-2014-4352, CVE-2014-4353, CVE-2014-4354, CVE-2014-4356, CVE-2014-4357, CVE-2014-4361, CVE-2014-4362, CVE-2014-4363, CVE-2014-4364, CVE-2014-4366, CVE-2014-4367, CVE-2014-4368, CVE-2014-4369, CVE-2014-4371, CVE-2014-4372, CVE-2014-4373, CVE-2014-4374, CVE-2014-4375, CVE-2014-4377, CVE-2014-4378, CVE-2014-4379, CVE-2014-4380, CVE-2014-4381, CVE-2014-4383, CVE-2014-4384, CVE-2014-4386, CVE-2014-4388, CVE-2014-4389, CVE-2014-4404, CVE-2014-4405, CVE-2014-4407, CVE-2014-4408, CVE-2014-4409, CVE-2014-4410, CVE-2014-4411, CVE-2014-4412, CVE-2014-4413, CVE-2014-4414, CVE-2014-4415, CVE-2014-4418, CVE-2014-4419, CVE-2014-4420, CVE-2014-4421, CVE-2014-4422, CVE-2014-4423
Sep 18 2014
Impact: Denial of service via local system, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 8.0 ...
Solution: The vendor has issued a fix (8.0).
The vendor's advisory is available at:
- http://support.apple.com/kb/HT6441
Sep 17, 2014

- http://support.apple.com/kb/HT1222
17 Sept 2014
iOS 8 - iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
___

Safari 6.2 and 7.1
- http://support.apple.com/kb/HT6440
Sep 18, 2014

OS X Mavericks v10.9.5 and Security Update 2014-004
- http://support.apple.com/kb/HT6443
Sep 18, 2014

OS X Server v3.2.1
- http://support.apple.com/kb/HT6448
Sep 18, 2014
___

- http://atlas.arbor.net/briefs/index#2074331089
High Severity
Sep 26, 2014

:fear:
 
iOS 8.0.1 revoked - iPhone 6, 6+

FYI...

iOS 8.0.1 revoked - iPhone 6, 6+
- http://www.theinquirer.net/inquirer...ter-update-borks-iphone-connectivity-touch-id
Sep 25, 2014 - "... iPhone 6 and iPhone 6 Plus users that downloaded the iOS 8.0.1 update and found that it somewhat ruined their days to roll back the update*. Apple released iOS 8.0.1 to iPhones on Wednesday, but all didn't go to plan. While speculation had suggested that the update would arrive with a slew of bug fixes, the update appears to have created more issues. Apple has accepted that some iPhone users have experienced loss of connectivity and breakage in Touch ID sign-in..."
* http://support.apple.com/kb/HT6487
Sep 25, 2014
___

- http://support.apple.com/kb/HT6487
Last Modified: Sep 26, 2014 - "iOS 8.0.2 is available now. It fixes the loss of cellular service and use of Touch ID that may have affected you if you have an iPhone 6 or iPhone 6 Plus and you downloaded iOS 8.0.1. It includes improvements and bug fixes originally in iOS 8.0.1. We apologize for inconveniencing you if you were affected by the bug in iOS 8.0.1. To resolve this issue, update your device to iOS 8.0.2* or later."
* http://support.apple.com/kb/HT4623

- https://discussions.apple.com/searc...c&showAnsweredFirst=true&q=iOS 8.0.2 problems
___

APPLE-SA-2014-09-23-1 OS X: Flash Player plug-in blocked
- https://lists.apple.com/archives/security-announce/2014/Sep/msg00000.html
Sep 23, 2014
Due to security issues in older versions, Apple has updated the
web plug-in blocking mechanism to disable all versions prior to
Flash Player 15.0.0.152 and 13.0.0.244.

Information on blocked web plug-ins will be posted to:
- http://support.apple.com/kb/HT5655
Last Modified: Sep 24, 2014

:fear:
 
Bash Command Injection Vulnerability

FYI...

Advisory (ICSA-14-269-01)
Bash Command Injection Vulnerability
- https://ics-cert.us-cert.gov//advisories/ICSA-14-269-01
Sep 26, 2014 - "... A command injection vulnerability has been reported in the Bourne again shell (bash). Bash is the common command-line used in most Linux/Unix-based operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system... Exploits that target this vulnerability are publicly available...
ICS-CERT recommends that -users- take the following measures to protect themselves from social engineering attacks:
1. Do not click web links or open unsolicited attachments in email messages.
2. Refer to Recognizing and Avoiding Email Scams* for more information on avoiding email scams.
3. Refer to Avoiding Social Engineering and Phishing Attacks** for more information on social engineering attacks..."

* http://www.us-cert.gov/reading_room/emailscams_0905.pdf

** https://www.us-cert.gov/ncas/tips/st04-014

:fear::fear:
 
OS X bash Updates ...

FYI...

OS X bash Updates ...
- http://support.apple.com/kb/HT6495
Sep 29, 2014 - Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands
Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement...

APPLE-SA-2014-09-29-1 OS X bash Update 1.0
- https://lists.apple.com/archives/security-announce/2014/Sep/msg00001.html
29 Sep 2014

OS X Lion
- http://support.apple.com/kb/DL1767
Sep 29, 2014
File Size: 3.5 MB

OS X Mountain Lion
- http://support.apple.com/kb/DL1768
Sep 29, 2014
File Size: 3.3 MB

OS X Mavericks
- http://support.apple.com/kb/DL1769
Sep 29, 2014
File Size: 3.3 MB

- http://arstechnica.com/apple/2014/09/apple-patches-shellshock-bash-bug-in-os-x-10-9-10-8-and-10-7/
Sept 29 2014

:fear::fear:
 
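The Apple description above says the update works by "better detecting the end of the function statement" when bash parses environment variables. As an added example (not part of any advisory quoted in this thread, and not Apple's or ICS-CERT's code), here is a POSIX shell self-check an administrator can run after installing the bash update: it hands bash an environment variable shaped like an exported function definition with an extra command appended, and reports "patched" if bash stops at the end of the function body and ignores the rest. The function names, the variable name x and the marker string are this example's own choices.

```shell
#!/bin/sh
# Added example: verify that the installed bash ignores commands appended to
# an exported function definition (the parsing flaw the OS X bash Update 1.0
# description refers to). Variable name "x" and MARKER string are constructed.

shellshock_check() {
    # Optional first argument: path to the bash binary to test.
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "no-bash"
        return 2
    fi
    # The value looks like a function body followed by a trailing command.
    # A patched bash never runs the trailing part, so the marker never appears.
    out=$(env x='() { :;}; echo MARKER_VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *MARKER_VULNERABLE*) echo "vulnerable"; return 1 ;;
        *)                   echo "patched";    return 0 ;;
    esac
}

# Print the bash version next to the verdict, for inclusion in patch reports.
shellshock_report() {
    verdict=$(shellshock_check "$@")
    if [ "$verdict" = "no-bash" ]; then
        echo "bash not found"
    else
        ver=$("${1:-bash}" -c 'echo "$BASH_VERSION"' 2>/dev/null)
        echo "bash ${ver:-unknown}: $verdict"
    fi
}

shellshock_report "$@"
```

The exit status of shellshock_check (0 patched, 1 vulnerable, 2 no bash found) lets the check be dropped into a post-update verification script; passing an explicit path tests a specific binary, which matters on hosts that carry more than one bash.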
Thunderbird v31.2 released

FYI...

Thunderbird v31.2 released
- http://www.securitytracker.com/id/1031030
CVE Reference: CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1578, CVE-2014-1581, CVE-2014-1583, CVE-2014-1585, CVE-2014-1586
Oct 15 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 31.2 ...
Solution: The vendor has issued a fix (31.2)...

- https://www.mozilla.org/en-US/thunderbird

- https://www.mozilla.org/en-US/thunderbird/31.2.0/releasenotes/
v.31.2.0, released: Oct 14, 2014

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird31.2
Fixed in Thunderbird 31.2
MFSA 2014-81 Inconsistent video sharing within iframe
MFSA 2014-79 Use-after-free interacting with text directionality
MFSA 2014-77 Out-of-bounds write with WebM video
MFSA 2014-76 Web Audio memory corruption issues with custom waveforms
MFSA 2014-75 Buffer overflow during CSS manipulation
MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html

:fear:
 
OpenSSL patches 4 vulnerabilities

FYI...

OpenSSL patches 4 vulnerabilities
- https://www.us-cert.gov/ncas/current-activity/2014/10/16/OpenSSL-Patches-Four-Vulnerabilities
Oct 16, 2014 - "OpenSSL has released updates patching four vulnerabilities, some of which may allow an attacker to cause a Denial of Service (DoS) condition or execute man-in-the-middle attacks. The following updates are available:
OpenSSL 1.0.1 users should upgrade to 1.0.1j
OpenSSL 1.0.0 users should upgrade to 1.0.0o
OpenSSL 0.9.8 users should upgrade to 0.9.8zc
US-CERT recommends users and administrators review the OpenSSL Security Advisory* for additional information and apply the necessary updates."
* https://www.openssl.org/news/secadv_20141015.txt

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 - 4.3
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568
___

- http://www.securitytracker.com/id/1031053
Oct 15 2014

- http://www.securitytracker.com/id/1031052
Oct 15 2014

:fear::fear:
 