software

The H-Online: RealNetworks is warning users about multiple security vulnerabilities in its RealPlayer media player application for Windows; the company says that none of the, now fixed, holes are known to have been used to compromise systems. The released update, version 15.0.4.53 of RealPlayer, closes three security holes. One hole is related to ASM RuleBook parsing that could be exploited by an attacker to remotely execute arbitrary code, another is a memory corruption problem related to MP4 file handling in the QuickTime plugin used by RealPlayer, and the third is a buffer overrun in the Media parser....

The H-Online: Google has announced that Chrome 19 is the new stable version of its open source based web browser. As usual, the browser sees a number of security fixes: this time there are seven high-severity fixes specifically for Chrome including various use-after-free and out-of-bounds errors. Two fixes with a wider impact than Chrome are also mentioned – a workaround for a Linux NVIDIA driver bug and an “off-by-one out-of-bounds” write in libxml....

The H-Online: Adobe has released a security advisory relating to an object confusion vulnerability which allows an attacker to crash the player or take control of an affected system. Adobe says that there are reports of this vulnerability being exploited in the wild as part of targeted email-based attacks which trick the user into clicking on a malicious file; this exploit only targets Flash Player on Internet Explorer on Windows, though the vulnerability exists on Windows, Mac OS X, Linux and Android versions of the player....

The H-Online: Google has released a new update to the stable 18.x branch of its Chrome web browser to close a number of security holes found in the application. The update, labelled 18.0.1025.168, addresses a total of five vulnerabilities, three of which are rated as “high severity” by the company. These include use-after-free problems in floating point handling and the XML parser; all of these bugs were detected using the AddressSanitizer....

H-Online: Soon, users running Firefox 3.6.x will start being automatically upgraded to the current version 12.0 release of the open source web browser. The plan to auto-update these users has been being discussed since the end of March, when Mozilla Release Manager Alex Keybl proposed the move on a Mozilla planning discussion thread. According to Keybl, Firefox 3.6.x users with updates enabled should start being upgraded in early May – the specific date has yet to be confirmed....

gHacks: Dropbox has just released a stable update that brings all desktop clients of the file synchronization and hosting service to 1.4. Feature-wise, it is not really a big change to previous versions, especially not so if you have been running experimental versions of the client before. When you look at the new feature set, you will notice that photo import from cameras, phones and SD cards is on top of that list....

The H-Online: The PHP developers have released the first update for PHP 5.4, the latest version of their popular scripting language, and an update to PHP 5.3, the older stable branch of the language. The developers say “All users of PHP are strongly encouraged to upgrade” to the new releases. PHP 5.4.1 has more than 20 bug fixes, including some related to security. One security bug concerned insufficient validating of the an upload name, which then led to corrupted $_FILES indices....

The H-Online: A beta of version 12 of the Opera web browser has been released with privacy and security-focused improvements. Code-named “Wahoo”, the Opera 12.00 beta now runs plugins out-of-process and includes optimizations for better SSL handling. Running plugins in their own process not only improves the smoothness and stability of the browser but can limit the damage some plugin exploits can do. Privacy is enhanced with support for the “Do Not Track” (DNT) header, which is used to tell web sites that the browser user wishes to opt-out of online behavioral tracking....

Mozilla has released new final versions of Firefox 12 and Thunderbird 12, its open source browser and email messaging tools. Neither update, despite the new version number, contains much in the way of exciting new features, but developments on future builds suggest version 13 could be a landmark release for both. Firefox 12 introduces one notable change for Windows users — the advent of silent updates with no User Account Control dialog getting in the way, while Thunderbird 12’s headline new feature is the ability to view message extracts in global search results....

The H-Security: The Ruby development team has published an update to the 1.9.3 series of its open source programming language to fix a vulnerability found in the RubyGems package management framework. The maintenance release of the scripting language, labelled 1.9.3-p194, updates RubyGems to close a security hole that caused SSL server verification to fail for remote repositories. This has been addressed by disallowing redirects from https to http connections and by enabling the verification of server SSL certificates in an updated version of RubyGems, 1....