TOO Many Serious Vulnerabilities!! 18-02-2008

10-2-2008

The last couple of days have brought up multiple serious vulnerabilities in very commonly used client software:

As you already know, clients are one of the main targets for attacks nowadays. Ensure your automatic software update mechanisms are working properly or go back to the manual update process, but please, patch!
BTW, based on a quick test, at this time only some of the new updates already show up in the automatic update features of the affected products: Adobe Reader and Firefox do, while QuickTime does not.

A topic I have been researching a little bit about recently is “update tools for third-party client applications”. What tools do you use to manage updates on commonly used third-party client tools?

The best two that I should have given each XP system or higher are U.D.C. and then SSI *or* PSI.

These are very simple programs that help you keep your system patched. It is your choice when you patch it, but it is best to do it at least once a week!

WARNING!!!

Realplayer finally MARKED BADWARE!!!

See these articles!!

http://www.scmagazineus.com/…../article/104951/
“An internet security nonprofit has designated the two latest versions of the popular RealPlayer as “badware.”
Maxim Weinstein, manager of StopBadware.org, told SCMagazine.com today that versions 10.5 and 11 of the cross-platform audio and video player were… ”

http://www.stopbadware.org/report……realplayer01282008
“We find that RealPlayer 10.5 is badware because it fails….”

Holes in numerous ActiveX controls

Users of Yahoo’s Music Jukebox should consider uninstalling the software. Several security holes in two of its ActiveX controls allow attackers to manipulate a system and infect it with malware via a crafted web site visited using Internet Explorer.

Buffers in YMP DataGrid (datagrid.dll) and Yahoo! Mediagrid (mediagridax.dll) can be overflowed by passing excessively long parameters to the functions AddImage, AddButton and AddBitmap, allowing code to be written to the stack and executed. The errors have been confirmed in the current version 2.2.2.056 of Yahoo! Music Jukebox; other versions are probably also affected. According to the vulnerability database at Securityfocus, the affected controls are also present in Yahoo! Instant Messenger 3.5, Yahoo! Instant Messenger 5.5, and subsequent versions.

There are no updates at the moment, but exploits taking advantage of the holes are already available at Milw0rm. To remedy the problem, the software can be uninstalled, ActiveX can be switched off, or the kill bit can be set for the controls. The MediaGrid control has the CLSID 22FD7C0A-850C-4A53-9821-0B0915C96139, and the ID for the DataGrid control is CLSID 5F810AFC-BB5F-4416-BE63-E01DD117BD6C2. The Internet Storm Center has published a tool for setting the kill bit very easily in order to prevent Internet Explorer loading the vulnerable controls.

The same tool can also set the kill bit for the Facebook Photo Uploader ActiveX control and the MySpace Uploader Control ActiveX control, which also display critical holes. Update 1.0.0.6 for the MySpace control is however available to close the gap.
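One way to apply the kill-bit mitigation described above, as an added PowerShell example that is neither the Internet Storm Center tool nor code from the original post. It assumes an elevated shell on a current Windows release, uses Microsoft's documented "Compatibility Flags" 0x400 kill bit, and takes the CLSIDs exactly as printed above; note that the DataGrid CLSID as printed has 13 hex characters in its final group, so the script validates each value and reports malformed ones instead of writing a useless key.

```powershell
# Added example, not the ISC tool: set the IE kill bit for the controls named above.
# Kill bit = 0x400 in "Compatibility Flags" under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. Run elevated.
$KillBit = 0x400
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit IE on 64-bit Windows reads the WOW64 view of the hive as well.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# CLSIDs copied verbatim from the post. The DataGrid value has a 13-character
# last group, so it is not a well-formed GUID and is rejected below; confirm it
# against the vendor advisory before use.
$Controls = @{
    'Yahoo! MediaGrid' = '22FD7C0A-850C-4A53-9821-0B0915C96139'
    'YMP DataGrid'     = '5F810AFC-BB5F-4416-BE63-E01DD117BD6C2'
}

function Set-ActiveXKillBit {
    param([string]$Name, [string]$Clsid)

    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($Clsid, [ref]$parsed)) {
        Write-Warning "$Name : '$Clsid' is not a well-formed CLSID; skipping."
        return $false
    }
    $keyName = '{' + $parsed.ToString().ToUpper() + '}'

    foreach ($base in $BasePaths) {
        # Skip the WOW64 path on 32-bit Windows, where it does not exist.
        if (-not (Test-Path (Split-Path $base -Parent))) { continue }
        $key = Join-Path $base $keyName
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # Preserve any compatibility flags already present; only OR in the kill bit.
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]$current -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord

        # Read back and verify the bit is actually set before reporting success.
        $check = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
        if (($check -band $KillBit) -ne $KillBit) { throw "Kill bit not set for $Name at $key" }
        Write-Host "$Name : kill bit set at $key (flags=0x$('{0:X}' -f $check))"
    }
    return $true
}

foreach ($entry in $Controls.GetEnumerator()) {
    Set-ActiveXKillBit -Name $entry.Key -Clsid $entry.Value | Out-Null
}
```

Re-running the script is safe because it only adds the bit to whatever flags are already stored; Internet Explorer refuses to instantiate a control whose CLSID carries the kill bit, regardless of whether the DLL remains on disk.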
