Today! Update! Update! and More Updates!! TODAY!

29-7-2009

Cyber Security Alert SA09-209A

High risk

“It’s not the second Tuesday of the month, but Microsoft has rushed out several patches for Internet Explorer. These are related to the zero-day exploit that was revealed earlier in the month; however it appears that the underlying vulnerability was not fixed; independent security researchers have discovered the underlying flaw and are ready to release at this week’s Black Hat security conference in Las Vegas. Microsoft is preempting the exploitation of this possible issue by taking the highly unusual step of releasing an out-of-cycle patch.

More information, as well as download links for the said patches, may be found below:

Post from: TrendLabs | Malware Blog – by Trend Micro

Microsoft Releases Out-of-Cycle Patches For Exploits”

Microsoft Windows and Internet Explorer Vulnerabilities
Original release date: July 28, 2009
Last revised: —
Source: US-CERT

Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft Visual Studio and C++ Redistributable Package
* ActiveX controls from multiple vendors

Overview
Microsoft has released out-of-band updates to address critical
vulnerabilities in Microsoft Windows, Internet Explorer, and Visual
Studio.

Solution
Install updates

The updates to address these vulnerabilities are available on the
Microsoft Update site (requires Internet Explorer). We recommend
enabling Automatic Updates.

Microsoft Pounces on IE, Visual Studio Flaws

Company hurries out patches as details of the flaws are set to go public.

The software titan only rarely releases an out-of-band patch — so-called because the patch is considered so critical as to warrant releasing it in between the company’s regular “Patch Tuesday” drops. For consistency, Microsoft delivers new bug patches once a month on the second Tuesday. Therefore, the next Patch Tuesday is two weeks from now on Aug. 11 — a particularly long wait if a conference full of hackers is ready to swing into action.

That timing has security watchers likewise urging their customers to hop on the latest updates.

“Shavlik recommends installing the IE patch as soon as possible as it helps protect against a flaw being demonstrated at Black Hat tomorrow … that might allow an attacker to bypass the killbits that were set to protect a machine against unsafe ActiveX controls,” Eric Schultze, CTO of security vendor Shavlik Technologies, said in an e-mailed statement.

“Failing to patch for this issue is like purposely uninstalling eight prior IE patches — not something you want to do. Patch this one right away,” Schultze added.

ADOBE PATCHES!!?
Adobe has issued an important announcement, much of it relating to the impact of vulnerabilities in the Microsoft Active Template Library (ATL).

Adobe evaluated the impact of the vulnerable versions of the Microsoft Active Template Library (ATL) on their product portfolio. They determined that Flash Player 9.0.159.0 and 10.0.22.87, and earlier 9.x and 10.x versions installed on Windows for use with Internet Explorer leverage a vulnerable version of the ATL.

Note that this vulnerability is exclusive to Internet Explorer on Windows. Installations of Flash Player for Firefox or other web browsers on Windows are not vulnerable.

Adobe are in the process of developing a fix for the issue, and expect to provide an update for Flash Player 9 and 10 for Windows by July 30, 2009. Users should consider installing the latest cumulative security update for Internet Explorer.

Adobe Flash Player

Download it from http://www.macromedia.com/go/getflash

Direct Download link for Firefox, Safari, Opera HERE
For IE users: HERE

As for the Shockwave Player, Shockwave Player 11.5.0.600 and earlier versions have this vulnerability, which is now patched in the latest version. Adobe recommends Shockwave Player users on Windows install Shockwave version 11.5.1.601, available here: http://get.adobe.com/shockwave/.

Adobe Security Bulletins
To complete the triad, Adobe issued the following Security Bulletins:
APSA09-04 Security Advisory for Adobe Flash Player
APSB09-11 Security Update available for Shockwave Player

Check your version:
http://www.adobe.com/products/flash/about/
*or*
http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_15507&sliceId=1

Java SE Runtime Environment 6u15 Update

Sun Microsystems has released update Java SE 6u15, which addresses US-CERT Vulnerability Note VU#466161 describing a security vulnerability with “verifying HMAC-based XML digital signatures.”

In the event you have any old Java updates prior to 6u11, it is strongly advised that you go to Add/Remove programs and uninstall those versions as the “update mechanism” did not remove those vulnerable versions. Following the uninstall, run JavaRa. Merely unzip JavaRa to your desktop and do the following:

  • Double-click on JavaRa.exe to start the program. (Windows Vista users right-click JavaRa.exe > Select Run as Administrator)
  • Click on Remove Older Versions to remove older versions of Java.

At last check, the site has not been updated but the download link is live here: Java SE Runtime Environment 6u15. (Note: uncheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.)
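An added example (not from the original post or from the vendors) that triages a software inventory against the version thresholds quoted in the Adobe and Java sections above. The inventory rows, the status labels and the plugin labels `activex`/`npapi` are constructed for illustration; because no fixed Flash build is named here, newer Flash versions are reported only as "not-listed".

```python
import re

# Thresholds come from the advisories quoted on this page.
FLASH_VULN_MAX = {9: (9, 0, 159, 0), 10: (10, 0, 22, 87)}  # IE (ActiveX) builds
SHOCKWAVE_VULN_MAX, SHOCKWAVE_FIXED = (11, 5, 0, 600), (11, 5, 1, 601)
JAVA6_FIXED = 15          # Java SE 6u15
JAVA6_SELF_CLEANING = 11  # updates before 6u11 are left installed by the updater

def parse_dotted(text):
    """'10.0.22.87' or Flash's 'WIN 10,0,22,87' -> (10, 0, 22, 87)."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if not 1 <= len(nums) <= 4:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(nums + [0] * (4 - len(nums)))

def java6_update(text):
    """'1.6.0_11' or '6u11' -> 11; None when the string is not a Java 6 version."""
    m = re.fullmatch(r"1\.6\.0(?:_(\d+))?|6(?:u(\d+))?", text.strip())
    return int(m.group(1) or m.group(2) or 0) if m else None

def assess(product, version, plugin="activex"):
    """Classify one inventory row against the versions named on this page."""
    if product == "flash":
        if plugin != "activex":
            return "not-affected"  # only the IE build uses the vulnerable ATL
        v = parse_dotted(version)
        # Majors other than 9 and 10 have no entry, so they compare as not listed.
        return "vulnerable" if v <= FLASH_VULN_MAX.get(v[0], ()) else "not-listed"
    if product == "shockwave":
        v = parse_dotted(version)
        if v <= SHOCKWAVE_VULN_MAX:
            return "vulnerable"
        return "ok" if v >= SHOCKWAVE_FIXED else "unknown"
    if product == "java" and (upd := java6_update(version)) is not None:
        if upd < JAVA6_SELF_CLEANING:
            return "uninstall-manually"
        return "update" if upd < JAVA6_FIXED else "ok"
    return "unknown"

# Constructed sample inventory: (host, product, version, plugin type)
INVENTORY = [("pc-01", "flash", "WIN 10,0,22,87", "activex"),
             ("pc-01", "flash", "WIN 10,0,22,87", "npapi"),
             ("pc-02", "shockwave", "11.5.0.600", ""),
             ("pc-02", "java", "1.6.0_07", ""),
             ("pc-03", "java", "6u15", "")]

if __name__ == "__main__":
    for host, product, version, plugin in INVENTORY:
        print(host, product, version, assess(product, version, plugin))
```
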

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*Updated!!*
Filehippo.com Update Checker
v1.034

Changes: Fixed updates count shown in bubble when UDC is minimized to tray.

Download the installer or standalone from http://www.filehippo.com/updatechecker

Click on the image below to check your computer.

Secunia Software Inspector

****************************
