Mozilla has released version 3.6.13 of its popular Firefox web browser.
This new version contains fixes for 11 security holes, nine of which have been given the worst rating of “critical” severity, as the vulnerabilities can be used to run malicious attack code and install software – the user has to do nothing to be hit in this way, just normal browsing is enough.
Fortunately Firefox contains an integrated update mechanism (Help / Check for Updates to kickstart the process) which can help ensure that most users are rapidly upgraded to the latest version.
However, don’t dawdle. Malicious hackers could try to exploit the vulnerabilities – described on Mozilla’s website – to infect your computer with malware.
Adobe has issued a security advisory about an as-yet unpatched vulnerability in its popular Flash Player software, affecting users of Windows, Mac, Linux, Solaris and even Google Android.
The critical security hole could allow an attacker to take control of your computer and run malicious code.
The firm also confirmed that the vulnerability also affects Adobe Reader 9.3.4 for Windows, Mac and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Mac. The reason that Acrobat and Reader are also affected is because the programs support Flash content inside PDF files
The new warnings follow closely after news last week of another vulnerability in Reader and Acrobat that was being exploited by malware authors.
Adobe has announced that an update for Flash Player tackling the latest vulnerability is expected to be available during the week of September 27, and an update for Acrobat and Reader will be available the following week.
Last month, Sophos blogger Chet Wisniewski interviewed Brad Arkin, Adobe’s Senior Director of Product Security and Privacy, about the firm’s security strategy and their upcoming sandboxing technology.
You can also download the interview directly in MP3 format.
If you’re a user of Windows or Flash (and I would imagine that covers the vast majority of you) then it’s time to roll out the latest critical security patches, as Microsoft and Adobe have released updates to their software.
First up is Microsoft, who have released a bumper bundle of fixes as part of their regular “Patch Tuesday” cycle, issuing 14 bulletins to remedy 34 security holes in Windows, Internet Explorer, Microsoft Office, Silverlight, Microsoft XML Core Services and Server Message Block.
Eight of the bulletins have been Microsoft’s highest severity rating of “critical”, with the rest being labelled “important”.
The good news, as Chet Wisniewski explains, is that we haven’t yet seen any malware spreading by exploiting these vulnerabilities – but that may only be a matter of time.
Separately, Microsoft has also issued an advisory about a zero-day vulnerability, which could allow untrusted code to run on a user’s machine by exploiting a weakness in the Windows Service Isolation feature.
Meanwhile, another platform commonly targeted by malicious hackers has been updated to defend against security vulnerabilities.
Adobe has identified critical vulnerabilities in Adobe Flash Player version 10.1.53.64 and earlier, and urged users to update their installations of Flash and Adobe Air.
If you’re not sure which version of the Adobe Flash Player you have installed, visit the About Flash Player page. Remember that if you use more than one browser on your computer you should check the version number on each.
A researcher has found a critical security flaw on Facebook that could be exploited by hackers to expose sensitive information about users.
M J Keith, a senior security analyst with security firm Alert Logic, discovered the vulnerability which could lead to private information being exposed, or users’ Facebook pages being maliciously defaced.
IDG security reporter Robert McMillan has explained the problem well:
The bug has to do with the way that Facebook checked to make sure that browsers connecting with the site were the ones they claimed to be. Facebook's servers use code called a "post_form_id" token to check that the browser trying to do something -- liking a group, for example -- was actually the browser that had logged into the account. Facebook's servers check this token before making any changes to the user's page, but Keith discovered that when he simply deleted the token from messages, he could change many settings on any Facebook account.
This is called a CSRF (Cross-site request forgery attack), which – if left unpatched – would allow hackers to set up malicious webpages that could submit instructions to the victim’s Facebook account without validation.
The consequence? Well, a hacker could make your hitherto private information public, or force your profile to “like” a Facebook group that you may find embarrassing.
M J Keith reports on AlertLogic’s website that he informed Facebook of the problem on the 11th of May, and that the problem has now been fixed.
However, IDG has reported that the security hole is still present.
Hopefully, if it’s not already patched, this privacy flaw – which comes at an embarrassing time for Facebook – will be removed soon.
If you’re a regular user of Facebook, you could do a lot worse than join the Sophos page on the site to ensure you are kept up-to-date with the latest security news. Oh, and remember to be careful about clicking on suspicious links..
By Graham Cluley, Sophos
It was “Patch Tuesday” yesterday, which means another parcel of security updates for computer users to unwrap, and this time the fixes aren’t just from Microsoft, but from Adobe too.
First on the menu is Microsoft, which has served up two security bulletins detailing vulnerabilities that could be exploited by hackers to execute malicious code (such as a worm) on your computer.
The first of these security holes exists in Outlook Express, Windows Mail, and Windows Live Mail. Microsoft’s Security Research & Defense blog goes into some detail about the vulnerability, explaining that although the security hole is given a “critical rating” on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008, it is considered less serious for Windows 7 users as Windows Live Mail is not installed by default on that platform.
The other patch from Microsoft addresses a vulnerability in Visual Basic for Applications, a component used by Microsoft Office and other third-party products. Microsoft has given this security update its highest possible rating – “Critical” – for all supported versions of Microsoft Visual Basic for Applications SDK and third-party applications that use Microsoft Visual Basic for Applications. It is also rated “Important” for all supported editions of Microsoft Office XP, Microsoft Office 2003, and the 2007 Microsoft Office System.
Next up is Adobe, who have released patches to squash over 20 security vulnerabilities in its Shockwave and ColdFusion products.
The critical vulnerabilities identified in Adobe Shockwave Player 220.127.116.116 and earlier versions impact both Windows and Macintosh users, and could allow attackers to run malicious code on your computer.
Adobe recommends that users update their version of Adobe Shockwave Player to version 18.104.22.1689.
Details of the ColdFusion vulnerabilities, classed as “important”, are provided in Adobe Security Bulletin APSB10-11.
Enough of waffle. Download and install the patches if your computer is affected.
By Graham Cluley, Sophos
Microsoft has announced that it will be issuing an emergency out-of-band patch for a critical security hole in some versions of Internet Explorer on Tuesday 30 March.
According to a Microsoft advisory, the emergency fix is designed to protect users of Internet Explorer 6 and Internet Explorer 7.
Microsoft normally bundles its security updates into a monthly package, known in the industry as “Patch Tuesday” (the second Tuesday of each month), and it is relatively unusual for the company to issue a fix for a security vulnerability outside of this cycle. Clearly Microsoft considers the bug particularly important to patch as soon as possible.
And in my opinion they’re right not to leave this vulnerability unpatched until April 13th. Earlier this month I described how hackers are actively exploiting the vulnerability, in their attempt to infect computers.
The researchers in SophosLabs reported some of the malicious spam messages we have seen being distributed which attempt to trick users into visiting websites that will exploit the zero day vulnerability and infect Windows PCs.
More information about the security flaw can be found in Sophos’s analysis of the problem.
So, if you are still using Internet Explorer versions 6 or 7, please be sure to update your systems as soon as Microsoft releases the fix. But, in all honesty, what are you doing running such old versions of IE anyway? Shouldn’t you have upgraded to Internet Explorer 8 by now?
By Graham Cluley, Sophos