Mozilla closes numerous critical holes in Firefox 16 [Update]

  • Post author: Omid Farhang
  • Post published: October 12, 2012
  • Reading Time: 3 min
  • Word Count: 456 words

The h-online: Following the recent Firefox 16 release, Mozilla has now detailed all of the security fixes in the new version of its open source web browser as well as in the Thunderbird news and email client. Version 2.13 of the SeaMonkey “all-in-one internet application suite” has also received fixes. In addition to adding new features, version 16.0 of Firefox closes a total of 14 security holes, 11 of which are rated as “Critical” by the project. ...

Microsoft's September Patch Tuesday closes important XSS holes

  • Post author: Omid Farhang
  • Post published: September 12, 2012
  • Reading Time: 2 min
  • Word Count: 239 words

h-online: On its September Patch Tuesday, Microsoft released two security updates that are rated as important and which close holes in Visual Studio Team Foundation Server 2010 (TFS) and Systems Management Server 2003 and 2007. Both updates fix cross-site scripting (XSS) vulnerabilities in the web interfaces that allow attackers to execute arbitrary code in the victim’s browser. As the holes enable an attacker to access the web interfaces at the user’s privilege level, Microsoft has classified them as privilege escalation vulnerabilities. The company notes that, to its knowledge, neither of the holes is being actively exploited for attacks. ...

Symantec releases Norton 2013 security suites

  • Post author: Omid Farhang
  • Post published: September 7, 2012
  • Reading Time: 3 min
  • Word Count: 508 words

BetaNews: Symantec has released brand new versions of its Norton security packages for Windows, Norton Anti-Virus 2013, Norton Internet Security 2013 and Norton 360 2013. It’s the first time all three packages have been updated simultaneously, while the branding has also been amended to remove all references to a date, simply naming each Norton Anti-Virus, Norton Internet Security and Norton 360, respectively. The 2013 versions come with what Symantec describes as “five layers of patented protection”, which include stronger social networking and anti-scam protection. There’s also full, certified support for Windows 8 and the promise of better performance on multi-core CPUs. ...

Oracle rushes out patch for critical 0-day Java exploit

  • Post author: Omid Farhang
  • Post published: August 31, 2012
  • Reading Time: 2 min
  • Word Count: 370 words

TheRegister: In an uncommon break with its thrice-annual security update schedule, Oracle has released a patch for three Java 7 security flaws that have recently been targeted by web-based exploits. “Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible,” Eric Maurice, the company’s director of software security assurance, said in a blog post published on Thursday. Maurice said that the vulnerabilities patched only affect Java running in browsers, and not standalone desktop Java applications or Java running on servers. According to Oracle’s official advisory on the flaws: ...

Download Firefox 15 and Thunderbird 15!

  • Post author: Omid Farhang
  • Post published: August 28, 2012
  • Reading Time: 3 min
  • Word Count: 505 words

Cross-copied from BetaNews: Mozilla has quietly placed major new versions of its open-source, cross-platform web browser and email client onto its download servers ahead of an official release. Firefox 15 FINAL benefits largely from behind-the-scenes performance tweaks, while Thunderbird 15 FINAL introduces a few new features, including a new curvy user interface. Firefox 15 FINAL’s most notable changes are performance-based. There’s faster startup on Windows PCs, plus incremental garbage collection and better management of plugins to prevent memory leaks. Other performance improvements surround WebGL enhancements. ...

Adobe Flash Player update patches six critical holes

  • Post author: Omid Farhang
  • Post published: August 23, 2012
  • Reading Time: 2 min
  • Word Count: 293 words

h-Online: Adobe has released the second update for its Flash Player software in a week, this time for six critical vulnerabilities. Four of the issues addressed are problems with memory corruption that could lead to remote code execution; additionally, the update fixes an integer overflow vulnerability that could also lead to remote code execution. Another bug that was fixed is a cross-domain information leak. The problems exist in Flash Player 11.3.300.271 and earlier versions on Windows, Macintosh and Linux, and in the Android versions 11.1.115.11 (Android 4.0) and 11.1.111.10 (Android 3.x and 2.x) and earlier. ...

PostgreSQL patches XML flaws

  • Post author: Omid Farhang
  • Post published: August 19, 2012
  • Reading Time: 2 min
  • Word Count: 333 words

h-online: A flaw in the built-in XML functionality of PostgreSQL (CVE-2012-3488) and another in its optional XSLT handling (CVE-2012-3489) have been patched, and the developers have released updated versions of the open source database with relevant fixes. The holes being patched are related to insecure use of the widely used libxml2 and libxslt open source libraries and the PostgreSQL developers advise anyone using those libraries to check their systems for similar problems. ...

IE 9.0.9 Available via Windows Update

  • Post author: Omid Farhang
  • Post published: August 16, 2012
  • Reading Time: 1 min
  • Word Count: 213 words

MSDN: The August 2012 Cumulative Security Update for Internet Explorer is now available via Windows Update. This security update resolves four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows servers. For more information, see the full bulletin. ...

Adobe Flash Player 11.3.300.270 for Windows released to address a crash

  • Post author: Omid Farhang
  • Post published: August 3, 2012
  • Reading Time: 2 min
  • Word Count: 344 words

Adobe wrote: Today, Flash Player 11.3.300.270 for Windows was released to address a crash that was occurring in the Adobe Flash Player Update Service (FlashPlayerUpdateService.exe). There are no other fixes or changes provided with this build. This release is available for Windows only, and affects the Active X and Plug-in installers, uninstaller, and msi’s (available on the distribution page.) No other platforms are affected. Please be aware that this release is not available from the Product Download Center (http://get.adobe.com/flashplayer) which will continue to provide 11.3.300.268. We realize that this might cause confusion for some users. Due to the severity of this issue, we decided to make this build available immediately to help customers affected by this bug. Due to logistical issues and time constraints, we were unable to update the release on the Product Download Center. The next release of Flash Player will correct this disparity. Please note that unless you have been affected by the FlashPlayerUpdateService.exe crash, both 11.3.300.270 and 11.3.300.268 will be functionally identical. ...

Chrome 21 arrives with new API for video and audio communication

  • Post author: Omid Farhang
  • Post published: August 2, 2012
  • Reading Time: 2 min
  • Word Count: 378 words

h-online: With the release of Chrome 21, web applications can now directly access the local system’s built-in camera and microphone. Instead of requiring a special plugin, the major stable update to the WebKit-based web browser includes a new HTML5 getUserMedia API (http://www.html5rocks.com/en/tutorials/getusermedia/intro/) – currently a W3C Editor’s Draft – to provide web apps with access to the camera and microphone. For security purposes, users will be prompted to grant apps permission to access the hardware. ...
