Leaderboard

Popular Content

Showing content with the highest reputation on 05/15/13 in all areas

  1. Not to be outdone by Microsoft's and Adobe's Patch Tuesday releases, Mozilla pushed out its latest browser and email client updates today. The Firefox browser goes to 21.0, on Android as well as on desktops. (You don't install browsers on your servers, do you?) The Thunderbird email client is only available in an Extended Support Release these days, meaning it gets regular security patches but infrequent product enhancements; it hits 17.0.6. Microsoft's May 2013 Internet Explorer updates included two patches for which the world was waiting with bated breath - one to fix a vulnerability exposed at the 2013 PWN2OWN competition, and a second to close a much-publicised zero-day briefly found on a US government website at the end of April. Mozilla, on the other hand, fixed its own PWN2OWN-found flaws within 24 hours, so its last two updates, 20.0 and 21.0, have been largely proactive on the security front. This time round, there are 681 listed bug fixes, with eight separately-documented security advisories. Three of those close multiple holes that Mozilla admits "are potentially exploitable, allowing for remote code execution." "Memory corruption problems, where software incorrectly writes over its own or another program's code or data structures, are not always exploitable for malicious purposes. But they are always wrong, and often dangerous, especially in browsers and email clients, which spend most of their time processing content from untrusted external sources." Mozilla, very creditably, tends not to mince its words when dealing with bugs of this sort. For example, in Mozilla Foundation Security Advisory 2013-41, no exploits were immediately obvious for any of the bugs fixed, leading the team to report nothing worse than "we presume that with enough effort at least some of these could be exploited to run arbitrary code." Nevertheless, this advisory was rated Critical. 
Many users will have Firefox set to grab and deploy updates automatically; if you're one of those who don't, it's Make Your Mind Up Time! If it helps you to decide, I just published this story in Firefox 21.0 on OS X, immediately after updating. That's a very minor and entirely unrepresentative "test", but I'm pleased to say my plugins (including the Firebug debugger) have all behaved themselves, and I haven't had any problems. Source: Mozilla pushes out new Firefox and Thunderbird: 8 security advisories, 3 critical fixes | Naked Security
    1 point
  2. Microsoft will issue a security update to fix a zero-day vulnerability in Internet Explorer 8, just one week after releasing a security advisory on the subject. The patch will be included in the ten bulletins to be issued on May 21, as part of Microsoft's monthly Patch Tuesday security update. According to the Advance Notification, five security bulletins will cover vulnerabilities that can allow remote code execution (RCE), said Wolfgang Kandek, CTO of the security firm Qualys. Bulletin 2 addresses the most recent IE8 zero-day vulnerability and is rated "critical". "This should be at the top of your priorities if you use IE8, which, according to BrowserCheck statistics, still accounts for 43% of users," said Kandek. Bulletin 1 is also for IE and covers versions 6 through 10 on all Windows operating systems, from XP to 8, as well as RT, including patches for the vulnerabilities discovered during the PWN2OWN competition, held at CanSecWest in March of this year. The remaining RCE vulnerabilities are concentrated in Microsoft Office. Bulletin 7, which addresses Word 2003 and Word Viewer, will probably be widely installed. Bulletin 6 covers Microsoft Publisher, included in Office 2003, 2007 and 2010, and bulletin 5 addresses Microsoft's instant messaging modules, Communicator 2007 and Lync 2010. There are also three other security bulletins (3, 4 and 10) for Windows itself, which fix denial-of-service, spoofing and elevation of privilege vulnerabilities, all rated "important". For its part, Adobe will release a security update on May 21, which will include a new version of Adobe Reader and fix a new zero-day vulnerability in ColdFusion. Source
    1 point