Old Alerts

Thunderbird v.11.0 released

FYI...

Thunderbird v.11.0 released
- https://www.mozilla.org/en-US/thunderbird/11.0/releasenotes
v.11.0, released: March 13, 2012

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird11
Fixed in Thunderbird 11
MFSA 2012-19 Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28)
MFSA 2012-18 window.fullScreen writeable by untrusted content
MFSA 2012-17 Crash when accessing keyframe cssText after dynamic modification
MFSA 2012-16 Escalation of privilege with Javascript: URL as home page
MFSA 2012-15 XSS with multiple Content Security Policy headers
MFSA 2012-14 SVG issues found with Address Sanitizer
MFSA 2012-13 XSS with Drag and Drop and Javascript: URL
MFSA 2012-12 Use-after-free in shlwapi.dll

Bugs fixed
- https://www.mozilla.org/en-US/thunderbird/11.0/releasenotes/buglist.html

Download
- https://www.mozilla.org/thunderbird/all.html

:fear:
 
IrfanView v4.33 released

FYI...

IrfanView v4.33 released
- https://secunia.com/advisories/47333/
Release Date: 2012-03-29
Criticality level: Highly critical
Impact: System access
Where: From remote ...
... vulnerabilities are reported in versions prior to 4.33.
Solution: Update to version 4.33.

- http://www.irfanview.com/main_history.htm
Version 4.33 CURRENT VERSION - Release date: 2012-03-28

Download: http://www.irfanview.com/main_download_engl.htm

- http://www.irfanview.com/plugins.htm

:fear:
 
Apple - Java update ...

FYI...

Apple - Java update for OS X Lion 2012-001 and Java for Mac OS X 10.6
- https://support.apple.com/kb/HT5228
April 03, 2012
This document describes the security content of Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7, which can be downloaded and installed via Software Update* preferences, or from Apple Downloads.
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, Lion Server v10.7.3
Impact: Multiple vulnerabilities in Java 1.6.0_29
Description: Multiple vulnerabilities exist in Java 1.6.0_29, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_31...

* https://support.apple.com/kb/HT1338

APPLE-SA-2012-04-03-1 Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7
- http://lists.apple.com/archives/security-announce/2012/Apr/msg00000.html
3 Apr 2012

- https://www.us-cert.gov/current/#apple_update_for_java_for
April 4, 2012

- https://secunia.com/advisories/48648/
Release Date: 2012-04-04
Criticality level: Highly critical
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote...
Solution: Apply updates.
Original Advisory: http://support.apple.com/kb/HT5228
___

Urgent Fix for Zero-Day Mac Java Flaw
- http://atlas.arbor.net/briefs/index#-674870906
Severity: Extreme Severity
Published: Thursday, April 05, 2012 23:09
Apple has released a critical Java patch that should be deployed ASAP to help counter the Flashback malware. Apple users should be aware that they are -not- invulnerable, even though OSX attacks and malware are much much less than for Windows systems.
Analysis: Flashback has started compromising OSX systems using an out-of-date version of Java. The trojan has been seen with two basic payloads, one to modify Safari settings and the other that is a password stealer. The Flashback botnet has been monitored by security company Dr. Web and their data shows approximately 600,000 OSX systems have been infected. More infections are on their way, given the lax attention to security that many OSX users have. It is likely that this Java security flaw has also been used in targeted attacks that won't get much, if any press.
Source: https://krebsonsecurity.com/2012/04/urgent-fix-for-zero-day-mac-java-flaw/

- http://h-online.com/-1500931
4 April 2012

:fear::fear:
 
Sumatra PDF reader v2.0.1 released

FYI...

Sumatra PDF reader v2.0.1 released
- http://blog.kowalczyk.info/software/sumatrapdf/download-free-pdf-viewer.html
April 8, 2012

System requirements
Supported OS: Windows 7, Vista, XP.

What's new
- http://blog.kowalczyk.info/software/sumatrapdf/news.html
2.0.1 (2012-04-08)
Changes in this release:
fix loading .mobi files from command line
fix a crash loading multiple .mobi files at once
fix a crash showing tooltips for table of contents tree entries
2.0 (2012-04-02)
Changes in this release:
support for MOBI eBook format
support opening CHM documents from network drives
a selection can be copied to a clipboard as an image by using right-click context menu
using ucrt to reduce program size...

:wink:
 
Samba vuln/update

FYI...

Samba vuln - v3.6.4 security update
- https://www.samba.org/samba/security/CVE-2012-1182
10 Apr 2012 - "Patches addressing this issue have been posted to: http://www.samba.org/samba/security/
Additionally, Samba 3.6.4, Samba 3.5.14 and 3.4.16 have been issued as security releases to correct the defect. Patches against older Samba versions are available at: http://samba.org/samba/patches/
Samba administrators running affected versions are advised to upgrade to 3.6.4, 3.5.14, or 3.4.16 or apply these patches as soon as possible.
Due to the seriousness of this vulnerability, patches have been released for all Samba versions currently out of support and maintenance from 3.0.37 onwards..."

- http://www.securitytracker.com/id/1026913
Date: Apr 10 2012
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1182 - 10.0 (HIGH)
Impact: Execution of arbitrary code via network, Root access via network
Version(s): 3.0.x to 3.6.3
Description: A vulnerability was reported in Samba. A remote user can execute arbitrary code on the target system...
Impact: A remote user can execute arbitrary code with root privileges on the target system.
Solution: The vendor has issued a fix (3.6.4)...
- https://www.samba.org/samba/history/samba-3.6.4.html

- https://www.us-cert.gov/current/#samba_releases_updates_for_3
April 11, 2012

- https://en.wikipedia.org/wiki/Samba_(software)
"... As of version 3, Samba provides file and print services for various Microsoft Windows clients and can integrate with a Windows Server domain, either as a Primary Domain Controller (PDC) or as a domain member. It can also be part of an Active Directory domain. Samba runs on most Unix and Unix-like systems, such as GNU/Linux, Solaris, AIX and the BSD variants, including Apple's Mac OS X Server (which was added to the Mac OS X client in version 10.2)..."

:fear::fear:
 
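The Samba advisory above gives three fixed releases on three branches plus patch-only fixes for out-of-support branches, which is exactly the shape of data that a naive version check gets wrong. The Python below is an added example for triaging an inventory against CVE-2012-1182; it is not Samba project code. It assumes the "Version x.y.z" line that "smbd -V" prints, and the host names and version strings in the sample inventory are constructed for the example.

```python
import re

# Releases that fix CVE-2012-1182 on each supported branch, as listed in the
# Samba advisory quoted above. Branches 3.0.x-3.3.x were already out of
# support and received source patches only, so their version number does not
# change when the fix is applied.
FIXED_RELEASE = {
    (3, 6): (3, 6, 4),
    (3, 5): (3, 5, 14),
    (3, 4): (3, 4, 16),
}
AFFECTED_RANGE = ((3, 0, 0), (3, 6, 3))   # "3.0.x to 3.6.3" per SecurityTracker

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first x.y.z triple found in text as a tuple of ints.

    Works on strings such as 'Version 3.6.3' (the form 'smbd -V' prints;
    assumed here) or a bare '3.5.14'. Integer tuples compare correctly,
    whereas a plain string comparison would rank '3.6.10' below '3.6.4'.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(g) for g in m.groups())


def assess(version_text):
    """Classify one Samba version string against the advisory."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_RELEASE:
        return "fixed" if v >= FIXED_RELEASE[branch] else "vulnerable"
    low, high = AFFECTED_RANGE
    if low <= v <= high:
        # EOL branch: only a source patch is available, and a patched build
        # still reports the old version, so the string alone cannot prove it.
        return "vulnerable-unless-patched"
    return "not-covered-by-advisory"


def triage(inventory):
    """Map host -> status for a dict of host -> 'smbd -V' output."""
    return {host: assess(out) for host, out in inventory.items()}


# Constructed sample inventory (not real hosts); one entry per outcome.
SAMPLE_INVENTORY = {
    "files01": "Version 3.6.3",
    "files02": "Version 3.6.4",
    "files03": "Version 3.6.10",
    "legacy01": "Version 3.0.37",
    "print01": "Version 3.5.13",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-10s %s" % (host, status))
```

One caveat for distribution packages: vendors commonly backport the fix without changing the upstream version string, so a build reporting 3.5.10 with a vendor release suffix may already be patched. This check will call it vulnerable; confirm such hosts from the package changelog rather than the version number.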
Apple - Java - Flashback - etc.

FYI...

Apple standalone Flashback malware removal tool
- http://h-online.com/-1526041
16 April 2012 - "Apple has announced* the release of a standalone version of the "Flashback malware removal tool"**. The 356KB tool is aimed at Mac OS X 10.7 Lion users without Java installed and, according to Apple, it "removes the most common variants of the Flashback malware". If the tool finds the Flashback malware, users will be presented with a dialogue notifying them that it was removed; depending on the variant removed, the tool may require users to restart their system... The Flashback malware removal tool*** is available from Apple's Support Downloads site."

* http://lists.apple.com/archives/security-announce/2012/Apr/msg00002.html
13 Apr 2012

** http://support.apple.com/kb/HT5246

*** http://support.apple.com/kb/DL1517
___

2012-003 Apple - Java for OS X Lion
- http://support.apple.com/kb/HT5242
April 12, 2012 - "... Java for OS X Lion 2012-003 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for OS X Lion. This update is recommended for all Mac users with Java installed..."

Java for Mac OS X 10.6 Update 8
- http://support.apple.com/kb/HT5243
April 12, 2012 - "... Java for Mac OS X 10.6 Update 8 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for Mac OS X v10.6..."

APPLE-SA-2012-04-12-1 Java for OS X 2012-003 and Java for Mac OS X 10.6 Update 8
- http://lists.apple.com/archives/security-announce/2012/Apr/msg00001.html
12 Apr 2012

> https://isc.sans.edu/diary.html?storyid=12973
Last Updated: 2012-04-12 21:50:28 UTC

- http://h-online.com/-1520431
13 April 2012 - "... Java update -with- Flashback removal tool..."
___

Third Java update in 9 days...
- https://www.computerworld.com/s/article/9226175/Apple_delivers_Flashback_malware_hunter_killer
April 13, 2012

- https://www.computerworld.com/common/images/site/features/2012/04/Flashback Decline.jpg
April 12, 2012

:fear::fear:
 
HP switch may contain malware...

FYI...

HP 5400zl switch may contain malware
- https://www.us-cert.gov/current/#hp_procurve_5400_zl_switches
April 12, 2012 - "... security bulletin to address a security vulnerability affecting HP 5400 zl series switches purchased after April 30, 2011. These switches contain a compact flash card that may be infected with malware. US-CERT encourages users and administrators to review HP Security Bulletin HPSBPV02754*, which includes a list of infected switches and serial numbers, and apply any necessary steps to help mitigate the risk."
* https://h20566.www2.hp.com/portal/s...ac.admitted=1334254140544.876444892.199480143
Potential Security Impact: Local compromise of system integrity
"... HP 5400 zl series switch purchased after April 30, 2011 with the noted serial numbers..."
References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0133

:fear::fear:
 
IrfanView FlashPix PlugIn v4.34 released

FYI...

IrfanView FlashPix PlugIn v4.34 released
- https://secunia.com/advisories/48772/
Release Date: 2012-04-13
Criticality level: Highly critical
Impact: System access
Where: From remote ...
CVE Reference: CVE-2012-0278
Solution: Update to version 4.3.4.0...

- http://www.irfanview.com/plugins.htm
... PlugIns updated after the version 4.33:
FPX/FlashPix PlugIn (4.34):
- http://www.irfanview.net/plugins/irfanview_plugin_fpx.exe
... FPX-Library loading bug fixed

:fear:
 
Oracle Critical Patch Update Advisory - April 2012

FYI...

Oracle Critical Patch Update Advisory - April 2012
- http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
Apr 17, 2012

Text Form of Oracle Critical Patch Update - April 2012 Risk Matrices
- http://www.oracle.com/technetwork/topics/security/cpuapr2012verbose-366316.html
___

- https://www.us-cert.gov/current/#oracle_releases_critical_patch_update18
April 18, 2012 - "Oracle has released its Critical Patch Update for April 2012 to address 88 vulnerabilities across multiple products. This update contains the following security fixes:
• 6 for Oracle Database Server
• 11 for Oracle Fusion Middleware
• 6 for Oracle Enterprise Manager Grid Control
• 4 for Oracle E-Business Suite
• 5 for Oracle Supply Chain Product Suite
• 15 for Oracle PeopleSoft Products
• 2 for Oracle Industry Applications
• 17 for Oracle Financial Services Software
• 1 for Oracle Primavera Product Suite
• 15 for Oracle Sun Product Suite
• 6 for Oracle MySQL
US-CERT encourages users and administrators to review the April 2012 Critical Patch Update and apply any necessary updates to help mitigate the risks."
___

Oracle Critical Patch Update (CPU) Advisory - April 2012
Severity: High Severity
- http://atlas.arbor.net/briefs/
April 19, 2012 15:40
Oracle provides comprehensive information about the April 2012 Critical Patch Update.
Analysis: Oracle customers should check the CPU and apply the patches as soon as possible in order to protect against a variety of serious security holes. In some cases, work-arounds may be used but each situation will need to be analyzed to determine impact and effectiveness.
___

- http://h-online.com/-1541933
18 April 2012
___

Many listings - here: https://secunia.com/advisories/historic/
18th Apr, 2012

.
 
WordPress v3.3.2 released

FYI...

WordPress v3.3.2 released
- https://wordpress.org/download/
April 20, 2012 - "The latest stable release of WordPress (Version 3.3.2) is available..."

- https://wordpress.org/news/2012/04/wordpress-3-3-2/
"WordPress 3.3.2 is available now and is a security update for -all- previous versions. Three external libraries included in WordPress received security updates:
> Plupload (version 1.5.4), which WordPress uses for uploading media.
> SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
> SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes...
... also addresses:
> Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances...
> Cross-site scripting vulnerability when making URLs clickable...
> Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs...
These issues were fixed by the WordPress core security team. Five other bugs were also fixed in version 3.3.2..."

Changelog:
- https://core.trac.wordpress.org/log/branches/3.3?rev=20552&stop_rev=20087
___

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2399 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2400 - 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2401 - 5.0
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2402 - 5.5
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2403 - 4.3
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2404 - 4.3
Last revised: 04/23/2012 - "... WordPress before 3.3.2..."

- http://h-online.com/-1545416
23 April 2012

- https://secunia.com/advisories/48957/
Release Date: 2012-04-23
Criticality level: Moderately critical
Impact: Security Bypass, Cross Site Scripting
Where: From remote
... vulnerabilities are reported in versions prior to 3.3.2.
Solution: Update to version 3.3.2.

:fear::fear:
 
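The "cross-site scripting vulnerability when making URLs clickable" listed in the WordPress post is the classic auto-linker failure: a URL pulled out of untrusted text lands inside an href attribute without escaping, and a quote in that "URL" closes the attribute and lets the author add an event handler. The Python below is an added illustration of that class, not WordPress's own make_clickable code, and the post does not describe the exact WordPress bug. The naive and hardened linkers, the regexes and the payload are all constructed for this example.

```python
import html
import re

# Naive auto-linker: any run of non-space characters after http(s):// is the
# URL, and it is pasted into the href attribute verbatim. This is the pattern
# that produces attribute-injection XSS; it is written here to be broken.
_NAIVE_URL_RE = re.compile(r"https?://\S+")


def make_clickable_naive(text):
    return _NAIVE_URL_RE.sub(
        lambda m: '<a href="%s">%s</a>' % (m.group(0), m.group(0)), text)


# Hardened auto-linker. Two rules: the URL token may contain only RFC 3986
# URL characters (so a double quote, '<', '>' or whitespace ends it), and
# everything emitted into the page, URL included, is HTML-escaped with quote
# escaping on. The scheme is fixed to http/https, so javascript: never links.
_SAFE_URL_RE = re.compile(r"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")


def make_clickable_safe(text):
    out = []
    pos = 0
    for m in _SAFE_URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))          # surrounding text
        url = m.group(0)
        out.append('<a href="%s" rel="nofollow">%s</a>'
                   % (html.escape(url, quote=True), html.escape(url)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


# Constructed comment payload: the quote closes the href early, and what
# follows becomes a new attribute when the naive version renders it.
PAYLOAD = 'see http://example.com/"onmouseover="alert(1)'


def attribute_injected(markup):
    """True if an <a> tag in markup carries an on* handler as a real attribute."""
    return re.search(r'<a [^>]*\bon\w+="', markup) is not None


if __name__ == "__main__":
    print("naive :", make_clickable_naive(PAYLOAD))
    print("safe  :", make_clickable_safe(PAYLOAD))
```

Running it shows the naive output carrying onmouseover="alert(1)" as a live attribute, while the hardened output links only http://example.com/ and renders the rest of the payload as escaped text. The same two rules (tight token grammar, escape on output) are what any auto-linker in any language needs; the scheme whitelist is what keeps javascript: URLs out of the link target.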