Mozilla on Wednesday began offering cash rewards to researchers who discover vulnerabilities in its web applications. The move extends the company's bounty program beyond incentives for finding flaws only in its Firefox web browser, or web applications that are considered "critical" or "extraordinary" risks to customer security, according to a Tuesday blog post. Bounties will range from $500 to $3,000. A list of the domains and web applications covered under the expanded program are listed here. - DK
Apple this week released an update to its QuickTime multimedia player to fix 15 vulnerabilities that may allow an attacker to execute arbitrary code or obtain sensitive information, according to a security advisory. QuickTime 7.6.9 is available for machines running Mac OS X 10.5 (Leopard) and Windows 7, Vista, and XP SP 2 or later. The vulnerabilities, which could be exploited by tricking a user into viewing a maliciously crafted video or image file, already were fixed in Snow Leopard, with the Mac OS X 10.6.5 update that was released in November. — AM
Attackers are no longer going after the obvious software targets because there are too many ripe options available in the form of third-party applications, a panelist said at SC World Congress.
Adobe on Thursday patched a previously known "critical" Flash Player vulnerability, disclosed last week. The flaw, which could cause a crash or allow an attacker to take control of an affected system, also is present in Reader and Acrobat, where it is being actively exploited. Adobe has said it is not aware of any attacks targeting Flash. The Flash update, which includes fixes for 17 other bugs, affects version 10.1.85.3 and earlier for Windows, Macintosh, Linux and Solaris. An update to Reader and Acrobat is due during the week of Nov. 15. - DK
Mozilla quickly has turned around a patch for a dangerous zero-day vulnerability in its Firefox web browser. One day after the company publicly confirmed the flaw, Mozilla released a fix in Firefox versions 3.6.12 and 3.5.15, according to an advisory. The vulnerability, which was being exploited in the wild, could permit remote code execution. It was first discovered by researchers at security firm Norman ASA after discovering malware on the website for the Nobel Peace Price. — DK
Adobe on Thursday revealed a "critical" vulnerability impacting its Shockwave Player. The flaw, present in Shockwave 184.108.40.2062 and earlier versions for Windows and Macintosh, could allow an attacker to assume total system control, according to a security bulletin. Though Adobe is not aware of any in-the-wild attacks, the bug has been disclosed publicly. The company did not say when a fix would be released. The current version of Shockwave was released in August to plug 20 holes. — DK
Oracle on Tuesday released a massive quarterly security update with fixes for a number of enterprise products, as well as a separate batch of security fixes for Java.
Adobe on Tuesday released updated versions of its flagship Reader and Acrobat products to close a whopping 23 vulnerabilities, including two publicly known issues.
Adobe on Tuesday plans to release updates to its widely deployed Reader and Acrobat software to address a number of flaws, including a pair of known issues, the company announced Thursday.
Apple on Wednesday released a new version of QuickTime to plug two vulnerabilities, including a zero-day flaw that is being actively exploited simply by tricking a victim into visiting a web page.
Adobe on Monday revealed a "critical" vulnerability in Flash Player that can be used by an attacker to take control of a targeted system. The flaw affects Flash versions 10.1.82.76 and earlier for Windows, Macintosh, Linux, Solaris and Android, according to an advisory. The same bug also impacts Adobe Reader 9.3.4 for Windows, Mac and Linux and Acrobat 9.3.4 for Windows and Mac. Adobe is not aware of any public exploits, although there have been reports of them. A fix is scheduled for Sept. 27. Also on Monday, Adobe announced it plans to fast-track its planned quarterly Reader and Acrobat patches by one week, to the week of Oct. 4. The decision comes days after Adobe disclosed a dangerous zero-day vulnerability that is being leveraged in active attacks. — DK
Adobe on Tuesday released an update for Shockwave Player, which displays rich web content, to address a number of "critical" vulnerabilities that could allow an attacker to run malicious code on an affected system, according to Adobe's advisory. Users of Shockwave Player 220.127.116.119 and earlier versions for Windows and Mac are recommended to upgrade to the newest version, 18.104.22.1682. The update resolves 20 vulnerabilities, including a number of memory corruption and denial-of service issues, along with an integer overflow flaw and a pointer offset bug. An estimated 200 million people have installed Shockwave. — AM
Apple on Tuesday issued an update to Mac OS X to fix 13 flaws, including one that is similar to the "jailbreak" vulnerability already patched in its mobile OS.
Apple on Wednesday issued updates for its iOS mobile operating system to fix a vulnerability that was used by many to jailbreak the latest iPhone.
Adobe on Tuesday issued fixes for "critical" flaws in its Flash Player. Next week, it plans to release an out-of-band update for Reader and Acrobat.
Mozilla has released an update to its Firefox browser to patch 14 vulnerabilities, eight of which are defined as "critical" in severity, meaning users' machines can be infected with malware simply by visiting a website — a tactic known as a drive-by download. Firefox version 3.6.7 and 3.5.11, released Tuesday, also corrects two flaws rated "high" and four bugs deemed "moderate." — DK
Oracle's quarterly security update released Tuesday includes fixes for the popular Database Server and Solaris operating system products.
A security researcher on Thursday said that he has discovered a way to bypass Adobe's Reader and Acrobat fix for a highly publicized flaw that takes advantage of a native PDF feature.
Adobe's release Tuesday of updates to Reader and Acrobat include fixes for a dangerous zero-day vulnerability and protection against exploiting the PDF specification's "/Launch" functionality.
As expected, Adobe is planning to release updates to its flagship Reader and Acrobat products on Tuesday, the company announced Thursday. The updates affect Reader 9.3.2 and earlier versions for Windows, Mac and Unix and Acrobat 9.3.2 for Windows and Mac. Tuesday's release comes two weeks earlier than scheduled because Adobe rushed to correct a zero-day vulnerability that is being actively exploited. An unknown number of other "critical" holes also are expected to be plugged, according to a bulletin released Thursday. — DK
Mozilla on Tuesday released a new version of its Firefox web browser to close seven vulnerabilities, including four rated "critical," meaning attackers could execute code and install malware. Version 3.6.4 of the browser also provides crash protection for users "by isolating third-party plug-ins [used to watch videos or play games] when they crash," according to a Mozilla blog post. Also this week, web browser maker Opera released version 10.54 to address four flaws, including one ranked "extremely severe," according to release notes. — DK
Apple on Monday released version 4 of its mobile operating system iOS, formerly called iPhone OS, to fix 65 vulnerabilities. The bugs could allow an attacker to run arbitrary code on an affected device, conduct cross-site scripting attacks or obtain sensitive information, Apple said in a security advisory. iOS 4 is available for iPhone 3G and 3GS, along with second- and third-generation iPod Touch devices. Meanwhile, iPad users will have to wait until fall for the same update. — AM
Apple has pushed out a Mac OS X update, its fourth of the year, to close more than two dozen vulnerabilities.
Less than a week after it announced a zero-day vulnerability in Flash Player, Adobe plans to release a fix.
Adobe on Wednesday released an updated version of its Photoshop CS4 software to remedy a number of "critical" vulnerabilities that could permit attackers to take control of targeted systems, according to an advisory. Users can be infected if they are tricked into opening a malicious .ASL, .ABR or .GRD file. Adobe encourages customers to upgrade to version 11.0.2. None of the flaws corrected are present in Photoshop CS5. — DK
Apple has released security updates for Java for Mac Leopard and Snow Leopard to close dozens of holes, the worst of which could lead to arbitrary code execution.
Adobe on Tuesday issued an update to its Shockwave Player to close 18 "critical" vulnerabilities that could be exploited by attackers to run malware on victims' machines, according to a security bulletin. In addition, the company also pushed out an update for ColdFusion, a web application development platform, to rectify three "important" vulnerabilities which could result in cross-site scripting and information disclosure, a second bulletin said. None of the flaws are being actively exploited, an Adobe spokeswoman said. — DK
PDF exploits, broadband penetration and targeted attacks helped drive the cybercriminal community in 2009, Symantec's annual "Global Internet Security Threat Report" found.
Apple has delivered a Mac OS X security update to close a vulnerability revealed by researcher Charlie Miller at the recent Pwn2Own hacker contest in Vancouver, British Columbia. The update plugs a flaw that could be exploited to run malicious code if a user is tricked into into viewing or downloading a document that contains a specially crafted embedded font, according to an Apple advisory released Wednesday. The update is for Mac OS X 10.5.8 and 10.6.3. — DK
Oracle on Tuesday issued a critical patch update to correct 47 vulnerabilities across several of its portfolios, including the newly acquired Sun product line.