Non-Microsoft Patches

Mozilla extends bounty program to web applications

By

Mozilla on Wednesday began offering cash rewards to researchers who discover vulnerabilities in its web applications. The move extends the company's bounty program beyond incentives for finding flaws only in its Firefox web browser, or web applications that are considered "critical" or "extraordinary" risks to customer security, according to a Tuesday blog post. Bounties will range from $500 to $3,000. A list of the domains and web applications covered under the expanded program are listed here. - DK

Apple releases QuickTime 7.6.9 to fix 15 flaws

By

Apple this week released an update to its QuickTime multimedia player to fix 15 vulnerabilities that may allow an attacker to execute arbitrary code or obtain sensitive information, according to a security advisory. QuickTime 7.6.9 is available for machines running Mac OS X 10.5 (Leopard) and Windows 7, Vista, and XP SP 2 or later. The vulnerabilities, which could be exploited by tricking a user into viewing a maliciously crafted video or image file, already were fixed in Snow Leopard, with the Mac OS X 10.6.5 update that was released in November. — AM

Automated patches necessary for true endpoint security

By

Attackers are no longer going after the obvious software targets because there are too many ripe options available in the form of third-party applications, a panelist said at SC World Congress.

Adobe patches Flash for 18 vulnerabilities

By

Adobe on Thursday patched a previously known "critical" Flash Player vulnerability, disclosed last week. The flaw, which could cause a crash or allow an attacker to take control of an affected system, also is present in Reader and Acrobat, where it is being actively exploited. Adobe has said it is not aware of any attacks targeting Flash. The Flash update, which includes fixes for 17 other bugs, affects version 10.1.85.3 and earlier for Windows, Macintosh, Linux and Solaris. An update to Reader and Acrobat is due during the week of Nov. 15. - DK

Mozilla closes gaping remote code hole in Firefox

Mozilla quickly has turned around a patch for a dangerous zero-day vulnerability in its Firefox web browser. One day after the company publicly confirmed the flaw, Mozilla released a fix in Firefox versions 3.6.12 and 3.5.15, according to an advisory. The vulnerability, which was being exploited in the wild, could permit remote code execution. It was first discovered by researchers at security firm Norman ASA after discovering malware on the website for the Nobel Peace Price. — DK

Adobe discloses "critical" bug in Shockwave Player

By

Adobe on Thursday revealed a "critical" vulnerability impacting its Shockwave Player. The flaw, present in Shockwave 11.5.8.612 and earlier versions for Windows and Macintosh, could allow an attacker to assume total system control, according to a security bulletin. Though Adobe is not aware of any in-the-wild attacks, the bug has been disclosed publicly. The company did not say when a fix would be released. The current version of Shockwave was released in August to plug 20 holes. — DK

Oracle issues massive quarterly update with Java fixes

By

Oracle on Tuesday released a massive quarterly security update with fixes for a number of enterprise products, as well as a separate batch of security fixes for Java.

New Reader, Acrobat from Adobe fixed for 23 flaws

By

Adobe on Tuesday released updated versions of its flagship Reader and Acrobat products to close a whopping 23 vulnerabilities, including two publicly known issues.

Adobe Reader, Acrobat patches coming Tuesday

By

Adobe on Tuesday plans to release updates to its widely deployed Reader and Acrobat software to address a number of flaws, including a pair of known issues, the company announced Thursday.

Apple patches zero-day QuickTime flaw with 7.6.8 release

By

Apple on Wednesday released a new version of QuickTime to plug two vulnerabilities, including a zero-day flaw that is being actively exploited simply by tricking a victim into visiting a web page.

Adobe discloses Flash bug, moves up Reader fixes

By

Adobe on Monday revealed a "critical" vulnerability in Flash Player that can be used by an attacker to take control of a targeted system. The flaw affects Flash versions 10.1.82.76 and earlier for Windows, Macintosh, Linux, Solaris and Android, according to an advisory. The same bug also impacts Adobe Reader 9.3.4 for Windows, Mac and Linux and Acrobat 9.3.4 for Windows and Mac. Adobe is not aware of any public exploits, although there have been reports of them. A fix is scheduled for Sept. 27. Also on Monday, Adobe announced it plans to fast-track its planned quarterly Reader and Acrobat patches by one week, to the week of Oct. 4. The decision comes days after Adobe disclosed a dangerous zero-day vulnerability that is being leveraged in active attacks. — DK

Adobe plugs 20 flaws in Shockwave Player

By

Adobe on Tuesday released an update for Shockwave Player, which displays rich web content, to address a number of "critical" vulnerabilities that could allow an attacker to run malicious code on an affected system, according to Adobe's advisory. Users of Shockwave Player 11.5.7.609 and earlier versions for Windows and Mac are recommended to upgrade to the newest version, 11.5.8.612. The update resolves 20 vulnerabilities, including a number of memory corruption and denial-of service issues, along with an integer overflow flaw and a pointer offset bug. An estimated 200 million people have installed Shockwave. — AM

Apple releases OS X update, fixes 13 flaws

By

Apple on Tuesday issued an update to Mac OS X to fix 13 flaws, including one that is similar to the "jailbreak" vulnerability already patched in its mobile OS.

Apple updates iPhone, iPad for "jailbreak" flaw

By

Apple on Wednesday issued updates for its iOS mobile operating system to fix a vulnerability that was used by many to jailbreak the latest iPhone.

Adobe ships Flash Player update, ColdFusion hotfix

By

Adobe on Tuesday issued fixes for "critical" flaws in its Flash Player. Next week, it plans to release an out-of-band update for Reader and Acrobat.

Firefox updates for eight critical flaws

By

Mozilla has released an update to its Firefox browser to patch 14 vulnerabilities, eight of which are defined as "critical" in severity, meaning users' machines can be infected with malware simply by visiting a website — a tactic known as a drive-by download. Firefox version 3.6.7 and 3.5.11, released Tuesday, also corrects two flaws rated "high" and four bugs deemed "moderate." — DK

Oracle's quarterly update resolves 59 vulnerabilities

By

Oracle's quarterly security update released Tuesday includes fixes for the popular Database Server and Solaris operating system products.

Adobe "Launch" flaw may not be fixed after all

By

A security researcher on Thursday said that he has discovered a way to bypass Adobe's Reader and Acrobat fix for a highly publicized flaw that takes advantage of a native PDF feature.

New versions of Reader, Acrobat close publicized flaws

By

Adobe's release Tuesday of updates to Reader and Acrobat include fixes for a dangerous zero-day vulnerability and protection against exploiting the PDF specification's "/Launch" functionality.

Adobe preps Reader, Acrobat updates for Tuesday

By

As expected, Adobe is planning to release updates to its flagship Reader and Acrobat products on Tuesday, the company announced Thursday. The updates affect Reader 9.3.2 and earlier versions for Windows, Mac and Unix and Acrobat 9.3.2 for Windows and Mac. Tuesday's release comes two weeks earlier than scheduled because Adobe rushed to correct a zero-day vulnerability that is being actively exploited. An unknown number of other "critical" holes also are expected to be plugged, according to a bulletin released Thursday. — DK

Firefox, Opera updated to close numerous holes

By

Mozilla on Tuesday released a new version of its Firefox web browser to close seven vulnerabilities, including four rated "critical," meaning attackers could execute code and install malware. Version 3.6.4 of the browser also provides crash protection for users "by isolating third-party plug-ins [used to watch videos or play games] when they crash," according to a Mozilla blog post. Also this week, web browser maker Opera released version 10.54 to address four flaws, including one ranked "extremely severe," according to release notes. — DK

Apple releases iOS 4 to fix dozens of bugs

By

Apple on Monday released version 4 of its mobile operating system iOS, formerly called iPhone OS, to fix 65 vulnerabilities. The bugs could allow an attacker to run arbitrary code on an affected device, conduct cross-site scripting attacks or obtain sensitive information, Apple said in a security advisory. iOS 4 is available for iPhone 3G and 3GS, along with second- and third-generation iPod Touch devices. Meanwhile, iPad users will have to wait until fall for the same update. — AM

Mac update plugs 28 flaws, does not include Flash 10.1

By

Apple has pushed out a Mac OS X update, its fourth of the year, to close more than two dozen vulnerabilities.

Adobe readies Flash fix for Thursday

By

Less than a week after it announced a zero-day vulnerability in Flash Player, Adobe plans to release a fix.

Adobe patches Photoshop CS4 flaws

By

Adobe on Wednesday released an updated version of its Photoshop CS4 software to remedy a number of "critical" vulnerabilities that could permit attackers to take control of targeted systems, according to an advisory. Users can be infected if they are tricked into opening a malicious .ASL, .ABR or .GRD file. Adobe encourages customers to upgrade to version 11.0.2. None of the flaws corrected are present in Photoshop CS5. — DK

Apple updates Java for security bugs

By

Apple has released security updates for Java for Mac Leopard and Snow Leopard to close dozens of holes, the worst of which could lead to arbitrary code execution.

Adobe patches Shockwave Player, ColdFusion

By

Adobe on Tuesday issued an update to its Shockwave Player to close 18 "critical" vulnerabilities that could be exploited by attackers to run malware on victims' machines, according to a security bulletin. In addition, the company also pushed out an update for ColdFusion, a web application development platform, to rectify three "important" vulnerabilities which could result in cross-site scripting and information disclosure, a second bulletin said. None of the flaws are being actively exploited, an Adobe spokeswoman said. — DK

Symantec finds readers, plug-ins new exploit haven

By

PDF exploits, broadband penetration and targeted attacks helped drive the cybercriminal community in 2009, Symantec's annual "Global Internet Security Threat Report" found.

Apple patches Mac researcher's contest find

By

Apple has delivered a Mac OS X security update to close a vulnerability revealed by researcher Charlie Miller at the recent Pwn2Own hacker contest in Vancouver, British Columbia. The update plugs a flaw that could be exploited to run malicious code if a user is tricked into into viewing or downloading a document that contains a specially crafted embedded font, according to an Apple advisory released Wednesday. The update is for Mac OS X 10.5.8 and 10.6.3. — DK

Oracle issues critical patch update for 47 flaws

By

Oracle on Tuesday issued a critical patch update to correct 47 vulnerabilities across several of its portfolios, including the newly acquired Sun product line.

Sign up to our newsletters

RECENT COMMENTS

FOLLOW US