
Apple releases Java update with Flashback removal tool

  • Post author: Omid Farhang
  • Post published: April 13, 2012
  • Reading Time: 2 min
  • Word Count: 261 words

The H-Online: As expected, Apple has released an updated version of the Java implementation for its Mac OS X operating system that includes a removal tool for the Flashback trojan. According to the company, the update, labelled “Java for OS X 2012-003”, finds and removes the “most common variants” of the malware which had infected approximately 600,000 systems using flaws in the previous version of Java. Additionally, the new Java update for Mac OS X 10.7 Lion prevents Java applets from being automatically executed by disabling the Java web plugin by default. Users can re-enable the automatic execution of Java applets via the Java Preferences application (Applications → Utilities → Java Preferences). However, if the plugin detects that Java applets have not been run for “an extended period of time”, it will automatically disable applet support again. ...


Microsoft and Adobe to address critical vulnerabilities on Patch Tuesday

  • Post author: Omid Farhang
  • Post published: April 7, 2012
  • Reading Time: 1 min
  • Word Count: 202 words

The H-Online: The Tuesday after the Easter weekend, 10 April, is set to be a busy one for system administrators as Microsoft and Adobe have sent out notifications that they will both be issuing fixes for critical vulnerabilities in their products. Microsoft’s April notification says there will be four critical advisories concerning Microsoft Windows, Internet Explorer, .NET Framework, Office, SQL Server, Microsoft Server and Developer tools, which all lead to remote code execution. A fifth remote code execution vulnerability in Office is marked as important, as is a sixth information disclosure issue in Microsoft’s Forefront United Access Gateway. The critical bulletins will affect all versions of Windows, from Windows XP SP3 to Windows Server 2008R2. One critical bulletin for Internet Explorer covers IE 6, 7, 8 and 9 ...


Google Chrome fixes seven high-risk vulnerabilities

  • Post author: Omid Farhang
  • Post published: April 6, 2012
  • Reading Time: 2 min
  • Word Count: 254 words

The H-Online: Google has announced updates to the Stable and Beta channels of their Chrome browser, fixing several bugs and twelve security vulnerabilities. Seven of the twelve security fixes were classed as high-risk problems and Google paid a total of $6000 to the researchers who discovered the bugs. The update also includes a new version of the bundled Flash Player. Adobe have revised the Flash Player advisory from the end of March to include fixes for a Chrome/Flash only pair of memory corruption issues listed as CVE-2012-0724 and CVE-2012-0725. Given that these issues only affect Chrome and Chrome manages its own update, it is unlikely that Adobe will be reissuing or updating the advisory or patches for other browsers and platforms. ...


Adobe Flash enables auto-updating while patching two critical flaws

  • Post author: Omid Farhang
  • Post published: March 29, 2012
  • Reading Time: 1 min
  • Word Count: 190 words

SophosLabs: Adobe released Flash Player version 11.2.202.228 for Windows, OS X and Linux today. In my view this is a milestone release as it finally introduces an automatic, silent updating mechanism to help users stay current with the latest releases from here forward. Google Chrome users may consider themselves spoiled, as they have been enjoying the worry-free joy of automatic updating of both their browser and integrated plugins like Flash Player for quite some time. ...


Chrome 18 improves graphics performance, closes security holes

  • Post author: Omid Farhang
  • Post published: March 29, 2012
  • Reading Time: 2 min
  • Word Count: 381 words

Google has released version 18 of Chrome, the company’s own extended version of the open source Chromium web browser. The new Stable channel release, labeled 18.0.1025.142, fixes several security vulnerabilities, and improves graphics and drawing performance on systems with capable hardware. This is done by adding support for GPU-accelerated rendering of 2D Canvas content on Windows and Mac OS X systems. According to the developers, the GPU acceleration should improve the overall performance of graphics-intensive web applications, making canvas-based animations and games “run faster and feel smoother”. For older systems that can’t make use of the GPU, Chrome can now display 3D content using the SwiftShader software rasterizer, which Google licensed from TransGaming, Inc. However, the developers note that “a software-backed WebGL implementation is never going to perform as well as one running on a real GPU, but now more users will have access to basic 3D content on the web”. ...


Chrome 17 update fixes high-risk vulnerabilities

  • Post author: Omid Farhang
  • Post published: March 22, 2012
  • Reading Time: 2 min
  • Word Count: 218 words

The H-Security: Google has released version 17.0.963.83 of its Chrome web browser, a maintenance update that fixes issues with Flash games and closes several security holes. The Stable channel update addresses a total of nine vulnerabilities, six of which are rated as “high severity”. These include an integer issue in libpng (the official PNG reference library), a memory corruption problem in WebGL canvas handling and a cross-origin violation related to “magic iframe”, as well as use-after-free errors in first-letter handling, CSS cross-fade handling and block splitting. One medium-risk invalid read in the V8 JavaScript engine and two low-risk problems related to WebUI privileges and unpacked extension installation have also been fixed. ...


Pidgin IM client 2.10.2 closes DoS holes

  • Post author: Omid Farhang
  • Post published: March 15, 2012
  • Reading Time: 1 min
  • Word Count: 207 words

The H-Online: Version 2.10.2 of the open source Pidgin instant messaging program has been released. According to its developers, the maintenance and security update brings a number of changes and addresses two denial-of-service (DoS) vulnerabilities that could be exploited by an attacker to cause the application to be terminated. These remote crashes are caused when the MSN server sends messages that are not UTF-8 encoded and also when some types of nickname changes occur in chat rooms using the XMPP protocol. Versions up to and including 2.10.1 are affected. Pidgin 2.10.2 fixes these issues and all users are advised to upgrade. ...


Chrome security update and researchers' bonuses

  • Post author: Omid Farhang
  • Post published: March 5, 2012
  • Reading Time: 2 min
  • Word Count: 267 words

The H-Security: Google has released a new stable version of its Chrome browser. The update fixes seventeen high severity vulnerabilities and updates the bundled Flash player. Google referred users to Adobe for details of the Flash Player update, and as usual, revealed few details about the seventeen holes that it closed in the release. It did, though, say that the researchers earned between $500 and $3000 for their vulnerability disclosures. ...


VLC 2.0.0 “Twoflower” Final Released

  • Post author: Omid Farhang
  • Post published: February 19, 2012
  • Reading Time: 1 min
  • Word Count: 196 words

WebTrickz: VideoLAN has finally released the much awaited 2.0 version of “VLC Media Player”, the best and most popular media player for Windows, Mac OS X and Linux. VLC is a free and open source cross-platform multimedia player that plays most multimedia files including DVD, Audio CD, VCD, and various streaming protocols. VLC 2.0.0 “Twoflower” is a major release, presented after 485 million downloads of VLC 1.1.x versions. It efficiently plays most codecs (MPEG-2, H.264, DivX, MPEG-4, WebM, WMV player) without requiring any codec packs. ...


Firefox and Thunderbird updates to 10.0.2, Vulnerability in libpng

  • Post author: Omid Farhang
  • Post published: February 17, 2012
  • Reading Time: 2 min
  • Word Count: 219 words

The H-Online: The Mozilla Project has released updates to Firefox and Thunderbird. According to the release notes, the version 10.0.2 updates to the open source web browser and the news and email client address a security vulnerability; however, at the time of writing, the project’s security pages provide no details of what has been fixed; these releases came soon after a Chrome update which closed 13 security holes and took the version number to 17.0.963.56. ...
