Firefox, Thunderbird and SeaMonkey updates fix critical vulnerabilities

The H-Online: In the latest round of updates of its suite of internet applications, Mozilla has detailed the security fixes in the Firefox 11 browser, Thunderbird 11 email and news client and SeaMonkey 2.8 “all-in-one internet application suite”. There are also fixes for the “enterprise” and legacy versions of Firefox and Thunderbird. These fixes include a correction to a memory error in Array.join() which had been fixed last month, but was exploited during the Pwn2Own contest by Vincenzo Iozzo. ...

March 15, 2012 · 2 min · 297 words · Omid Farhang

Pidgin IM client 2.10.2 closes DoS holes

The H-Online: Version 2.10.2 of the open source Pidgin instant messaging program has been released. According to its developers, the maintenance and security update brings a number of changes and addresses two denial-of-service (DoS) vulnerabilities that could be exploited by an attacker to cause the application to be terminated. These remote crashes are caused when the MSN server sends messages that are not UTF-8 encoded and also when some types of nickname changes occur in chat rooms using the XMPP protocol. Versions up to and including 2.10.1 are affected. Pidgin 2.10.2 fixes these issues and all users are advised to upgrade. ...

March 15, 2012 · 1 min · 207 words · Omid Farhang

Critical vulnerabilities in XnView fixed

The H-Online: Version 1.98.8 of the popular XnView image viewer and converter has been released to close security holes in the software. According to an advisory from security service provider Secunia, the update addresses three “highly critical” vulnerabilities that could be exploited by an attacker to execute arbitrary code and compromise a victim’s system. These include a stack-based buffer overflow caused by a boundary error when parsing a directory name while browsing folders such as those from an extracted archive file, and a heap-based buffer overflow when processing image content using the FlashPix plugin (Xfpx.dll). A second heap-based buffer overflow caused when processing image data in Personal Computer eXchange (PCX) files has also been fixed. For an attack to be successful, a user must first open a specially crafted file. ...

March 13, 2012 · 1 min · 161 words · Omid Farhang

Safari update closes security holes

Apple has released version 5.1.4 of its Safari web browser for Windows and Mac OS X. According to the company, the maintenance and security update addresses more than 80 vulnerabilities. The update also includes various stability and performance improvements as well as fixes for other non-security related bugs. A majority of the security holes closed in 5.1.4 were found in the WebKit browser engine used by Safari. These include several cross-site scripting (XSS), cross-origin and HTTP authentication problems, as well as numerous memory corruption bugs that could be exploited by an attacker, for example, to cause unexpected application termination or arbitrary code execution. ...

March 13, 2012 · 2 min · 272 words · Omid Farhang

Firefox 11 release postponed due to security issues [Updated]

H-Online: The Firefox team has announced that they are postponing the release of Firefox 11, originally planned for today, because of a security report which the team wants to evaluate to make sure the issue will not impact on their code. Jonathan Nightingale, Mozilla’s Senior Director of Firefox Engineering, also cited Microsoft’s monthly Patch Tuesday security update, also scheduled for today, as a reason to hold back on releasing the new Firefox version. ...

March 13, 2012 · 2 min · 314 words · Omid Farhang

Microsoft's Patch Tuesday will close a critical Windows vulnerability

The H-Security: Next week’s Patch Tuesday sees Microsoft planning to publish a total of six bulletins, including one that addresses a critical vulnerability in all versions of Windows from Windows XP service pack 3 to Windows 7 service pack 1 and Windows Server 2008 R2. The rating means that the hole enables attackers to infect a system via the internet and inject malicious code. Other bulletins will address a privilege elevation flaw which affects the same span of Windows versions. ...

March 10, 2012 · 1 min · 171 words · Omid Farhang

Chrome security update and researchers' bonuses

The H-Security: Google has released a new stable version of its Chrome browser. The update fixes seventeen high severity vulnerabilities and updates the bundled Flash player. Google referred users to Adobe for details of the Flash Player update, and as usual, revealed few details about the seventeen holes that it closed in the release. It did, though, say that the researchers earned between $500 and $3000 for their vulnerability disclosures. ...

March 5, 2012 · 2 min · 267 words · Omid Farhang

HTTPS Everywhere reaches 2.0, comes to Chrome as beta

H-Online: Version 2.0 of the HTTPS Everywhere browser extension has been released. Where possible, the add-on automatically redirects users to more secure HTTPS connections when they access certain web pages. HTTPS Everywhere 2.0 includes an optional “Decentralised SSL Observatory” feature that detects weaknesses in encryption. When the extension detects an encryption issue, such as weak keys, it notifies users that the site they are visiting may contain security vulnerabilities that could be used for man-in-the-middle (MITM) attacks. “This is an extra level of protection that we encourage Firefox users to download, install, and use” said Electronic Frontier Foundation (EFF) Technology Projects Director Peter Eckersley. ...

March 1, 2012 · 2 min · 237 words · Omid Farhang

VLC 2.0.0 “Twoflower” Final Released

WebTrickz: VideoLAN has finally released the much awaited 2.0 version of “VLC Media Player”, the best and most popular media player for Windows, Mac OS X and Linux. VLC is a free and open source cross-platform multimedia player that plays most multimedia files including DVD, Audio CD, VCD, and various streaming protocols. VLC 2.0.0 “Twoflower” is a major release, presented after 485 million downloads of VLC 1.1.x versions. It efficiently plays most codecs (MPEG-2, H.264, DivX, MPEG-4, WebM, WMV player) without requiring any codec packs. ...

February 19, 2012 · 1 min · 196 words · Omid Farhang

Firefox and Thunderbird updates to 10.0.2, Vulnerability in libpng

The H-Online: The Mozilla Project has released updates to Firefox and Thunderbird. According to the release notes, the version 10.0.2 updates to the open source web browser and the news and email client address a security vulnerability; however, at the time of writing, the project’s security pages provide no details of what has been fixed; these releases came soon after a Chrome update which closed 13 security holes and took the version number to 17.0.963.56. ...

February 17, 2012 · 2 min · 219 words · Omid Farhang