Updates

As expected, Microsoft has pushed out a mandatory update to the Xbox 360 today, which adds support for USB storage devices, expanding the memory capacity of the five-year old video game console. The update will ostensibly allow any FAT32-formatted USB storage device between 1GB-16GB in size to be used to save profiles, game saves, and downloadable content. There are, however, a number of caveats, which mean users can’t just plug anything in and have it work. ...

Apple has issued Security Update 2010-002 (Mac OS X v10.6.3) that fixes 100 enumerated vulnerabilities in: — Mac OS X 10.5 — Mac OS X 10.6 — Mac OS X Server 10.5 — Mac OS X Server 10.6 The 400 MB+ download takes a while, so, be prepared. Info here: http://support.apple.com/kb/HT4077

MS10–018 If you’re using Internet Explorer versions 6 or 7 it wouldn’t be a good idea to miss this one. “Actively exploited” for drive by down loads from malicious web sites sums it up. There’s something in it for IE8 as well. See our post yesterday: “Microsoft out-of-band patch tomorrow”

Let the iPad hype and excitement begin: Apple’s preparation for the launch of the iPad has kicked into high gear. Today, the tech giant released version 9.1 of iTunes, its vastly popular music, app, and now book-managing software. The new update doesn’t do anything like radically change the iTunes interface. Instead, it is focused on providing support for the iPad, which launches this Saturday. The big addition in this software update is iPad syncing. Thus if and when you plug that glorious iPad of yours into your computer on Saturday, it’ll sync your computer’s music, movies, books, and other media with your tablet device. ...

Microsoft said today it will issue an out-of-band patch tomorrow for a vulnerability in Internet Explorer 6 and 7 that is being actively exploited. “The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution,” Microsoft said in its Security Advisory 981374 earlier this month. ...

Last month, Microsoft sent flowers to a mock funeral for Internet Explorer 6, in a show of support for the ideal that the old browser should be declared defunct worldwide. But for a few years yet, the company is still bound to support the product for those users (generally businesses) who refuse to upgrade it. That’s why new exploits that continue to target old browsers, such as IE6 and IE7, continue to get attention even a full year after the proper security fix — IE8 — has been deployed. ...

Mozilla Foundation has released version 3.6.2 of its Firefox browser a week early. The group had said the update would be available March 30. The update fixes a widely reported vulnerability (CVE-2010-1028) that prompted Germany’s CERT to advise Web users to switch to another browser until a fix was made. (My blog post “Germany’s CERT warns against Firefox use” ) Intevydis researcher Evgeny Legerov had found that Wide Open Font Format decoder in Firefox had an integer overflow in its font decompression mechanism. The flaw involved a memory buffer that was too small to handle a downloadable font. Legerov had found that exploiting the vulnerability could crash a victim’s browser making it possible to run arbitrary code on the system. ...

For the current vulnerability in Internet Explorer 6 and 7 which already gets actively exploited on the net, Microsoft is already testing a patch. The company is still considering whether to release the patch on the regular Patchday or out-of-band. Meanwhile, a “Fix-it”-solution is available. With some registry changes the affected peers factory in iepeers.dll gets disabled by a mouse click. You can download it from Microsoft’s knowledgebase.

A little more than a week ago Microsoft started delivering a new Browser Choice for Windows to be compliant to the European Union law. There are plenty of web browsers to choose from, and my colleague Sorin Mustaca recommended Firefox. Usually a good choice, but currently users should be cautious about which browser they choose: Opera just released version 10.51 of their web browser. According to the changelog, it fixes a vulnerability which could lead to execution of injected code. Users of opera 10.50 should update as soon as possible. ...

Del Harvey, Director of Twitter’s Trust and Safety team, announced on Twitter’s blog that the micro-blogging service has begun using its own shortening service to stop malicious operators from sending tweets with links to their dodgy sites disguised through shortening. He wrote: “By routing all links submitted to Twitter through this new service, we can detect, intercept, and prevent the spread of bad links across all of Twitter. Even if a bad link is already sent out in an email notification and somebody clicks on it, we’ll be able keep that user safe.” ...