Updates

The H-Online: Tenable has released version 5.0 of Nessus, its popular vulnerability scanner. The new version of the tool includes an updated installation wizard that is said to make installing and configuring the server and client easier and quicker than before. Scan policies can now be created substantially faster than with previous versions, and the developers have also improved the way users navigate through the results of a vulnerability audit. ...

The H-Online: A developer preview of Mac OS X 10.8 is now available to registered Mac developers after Apple announced the new version, named Mountain Lion, and previewed a number of its features. Among those features is Gatekeeper which Apple says “helps prevent you from unknowingly downloading and installing malicious software”. The Gatekeeper feature has three levels of security for running applications downloaded from the Internet; “Mac App Store”, “Mac App Store and identified developers” and “Anywhere”. The first setting only runs applications downloaded from the Mac App Store, in a style similar to the iPhone only running apps from the App Store. Unlike the iPhone though, Gatekeeper lets users allow applications from other sources. The “Mac App Store and Identified Developers” option only allows applications from the store and from developers who have signed their program with an Apple-issued Developer ID, while “Anywhere” allows any program to be downloaded and run. It is unclear how Gatekeeper interacts with software loaded from other media, such as a USB memory stick or CD/DVD. ...

The H-Online: Oracle has fixed 14 security holes in the Java Standard Edition (Java SE) with a critical patch update. The vulnerabilities allow attackers to use specially crafted Java WebStart applications or web services in order to install malicious code on computers that run flawed versions of Java. Oracle says that such flawed versions are particularly likely to exist on Windows computers because Windows users tend to have admin privileges. The risk is smaller under operating systems such as Linux and Solaris, the company added. ...

The H-Online: As expected, Microsoft has released nine bulletins to close a total of 21 holes in its products. Four of the bulletins close critical vulnerabilities in Windows, Internet Explorer, .NET and Silverlight, including an issue in the Windows kernel-mode drivers that became publicly known in December of last year. The company advises those responsible for prioritizing update deployment to focus on the critical patches for Internet Explorer and the C Runtime Library in Windows, as these could be exploited by an attacker to remotely execute arbitrary code on a victim’s system. For an attack to be successful, a user must first visit a malicious web page or open a specially crafted file. The other critical bulletins fix issues in .NET and Silverlight, as well as the Windows kernel. Microsoft notes that it has yet to see any active attacks exploiting these issues in the wild. ...

The H-Online: Adobe has updated Shockwave Player on Windows and Mac OS X to version 11.6.4.634 after identifying nine critical vulnerabilities. The problems affect Shockwave Player 11.6.3.633 and all earlier versions on Windows and Mac OS X – Adobe recommend updating to the new release by downloading it from get.adobe.com/shockwave. To identify whether Shockwave Player is installed on a system, users should visit the test page on Adobe’s site. The majority of the problems are in the Shockwave 3D Asset where seven memory corruption vulnerabilities could lead to code execution; these were all reported by Hongnang Ren of FortiGuard Labs. An eighth memory corruption issue and a heap overflow vulnerability, both of which could also lead to code execution, were reported by “instruder” of vulnhunt.com and bring the flaw tally up to nine. ...

The H-Online: Opera has published a development snapshot of version 12 of its web browser that adds support for Mozilla’s “Do Not Track” (DNT) header. Code-named “Wahoo”, the unstable release is the first from Opera to support the DNT header, which signals web sites that the browser user wishes to opt-out of online behavioral tracking; online advertising networks use cookies and other web technologies to recognize internet users and serve them tailored advertising. Support for DNT in Opera 12 is currently disabled by default. Users can enable it in the preferences dialogue by selecting “Preferences > Advanced > Security > Ask websites not to track me”. ...

The H-Online: Mozilla has released Firefox 10.0.1, Firefox ESR 10.0.1, Thunderbird 10.0.1, Thunderbird ESR 10.0.1 and SeaMonkey 2.7.1 to fix a single critical security hole in the browsers and mail clients which appeared in version 10. The security advisory says that versions previous to Firefox 10, Thunderbird 10 and SeaMonkey 2.7 are unaffected by the use after free problem. The problem was discovered by Mozilla developers and causes a “potentially exploitable” crash in nsXBLDocumentInfo::ReadPrototypeBindings. Updates are available through Firefox, Thunderbird and SeaMonkey’s automatic update system and can be made to install by bringing up the “About” dialogue for the relevant application and selecting the “Apply Upgrade” button when it appears. Firefox and Thunderbird 10 were released at the end of January. ...

The Register: Microsoft plans to publish nine updates next Tuesday – four of which are critical – as part of a Valentine’s Day edition of its Patch Tuesday update cycle. Highlights of the batch, which collectively address 21 vulnerabilities, include a critical update for Internet Explorer. There are also two critical fixes for Windows itself, plus one for Microsoft’s .NET framework. Three the five remaining “important” fixes grapple with remote code execution-type vulnerabilities, one of which involves Office. Flaws of this type are best addressed sooner rather than later because they might easily be exploited by malware slingers. ...

gHacks: Mozilla, developers of the popular Firefox web browser, have just released an update for the browser’s stable branch that moves the version to 10.0.1. The release may come as a surprise to users of Firefox 10, who were updated to that version only ten days ago. This is not the first occurrence that a critical update is released shortly after a major version upgrade of the web browser. Similar updates had to be delivered after the release of Firefox 9 and Firefox 8. ...

LifeHacker: Google is releasing a major update to Chrome today that will make browsing the web seem faster and also add security protections. Chrome 17 (17.0.963.46) pre-renders pages in the background when you type in the URL in the omnibox address bar so the site will appear to come up almost instantaneously. Chrome also now scans download executable-s (e.g., “.exe” and “.msi” files) and warns you if it thinks the file is malicious. ...