RealPlayer update closes critical holes

The H-Online: RealNetworks has released an update to RealPlayer to close a number of holes in its media player application. Version 15.02.71 of RealPlayer addresses a total of seven remote code execution vulnerabilities, rated as highly critical by Secunia, which could be exploited by an attacker to compromise a victim’s system. These include errors when processing RMFF Flags, VIDOBJ_START_CODE and RealAudio coded_frame_size, as well as RV10 Encoded Height/Width, RV20 Frame Size Array and RV40 content. A remote code execution problem in Atrac Sample Decoding has also been fixed but is not found in the 15.x.x branch of the media player; this issue affects Mac RealPlayer 12.0.0.1701 but is reportedly not found in version 12.0.0.1703. ...

February 7, 2012 · 1 min · 195 words · Omid Farhang

Joomla! updates close information disclosure holes

The H-Online: Versions 1.7.5 and 2.5.1 of the open source Joomla! content management system (CMS) have been released to address two information disclosure vulnerabilities. These include one medium severity problem in Joomla! 1.7.x that could allow an unauthorized user to gain access to the error log stored on a victim’s server, and, in both versions, an inadequate validation problem that could be exploited to gain access to private data. The update to Joomla! 2.5, which arrived last month, also fixes 30 bugs, including one that caused batch processing to break. ...

February 6, 2012 · 1 min · 191 words · Omid Farhang

Skype 5.8 For Windows Brings Full HD Video Calls, Facebook Integration

Mashable: Skype for Windows version 5.8 is out, bringing several interesting features, including full HD video-calling, group screen sharing and Facebook integration. Full HD video calls will be most useful to those who own an HD webcam, for example the Logitech C920, which does the video encoding itself, thus improving HD video quality on older computers. Video calling for Facebook works even with users who don’t use Skype. To start a video call with a Facebook buddy, select the person in your list and click “video call.” ...

February 3, 2012 · 1 min · 180 words · Omid Farhang

Critical PHP vulnerability being fixed

The H-Security: The PHP developers are working to fix a critical security vulnerability in PHP that they introduced with a recent security patch. The current stable release is affected; however, it is not yet clear whether the questionable patch was also applied to older versions. The cause of the problem is the security update to PHP 5.3.9, which was written to prevent denial of service (DoS) attacks using hash collisions. To do so, the developers limited the maximum possible number of input parameters to 1,000 in php_variables.c using max_input_vars. Because of mistakes in the implementation, hackers can intentionally exceed this limit and inject and execute code. The bug is considered to be critical as code can be remotely injected over the web. ...

February 2, 2012 · 2 min · 237 words · Omid Farhang

Mozilla closes critical holes in Firefox, Thunderbird and SeaMonkey

The H-Security: Following the release of new versions of its open source Firefox web browser, Thunderbird email client and SeaMonkey suite, Mozilla has detailed the security fixes included in each of the updates. According to the project’s Security Center page for Firefox, version 10.0 closes a total of 8 security holes in the browser, 5 of which are rated as “Critical” by Mozilla. ...

February 2, 2012 · 2 min · 333 words · Omid Farhang

Apple releases Mac OS X 10.7.3

The H-Security: Apple has released Mac OS X 10.7.3 and, for Mac OS X 10.6.8 Snow Leopard users who have yet to upgrade to Lion, Security Update 2012-001; these maintenance and security updates address a number of vulnerabilities in the company’s desktop and server operating systems. According to Apple, the updates close more than 50 holes, many of which could be exploited by an attacker to, for example, remotely execute arbitrary code on a victim’s system, gain access to private information or cause a denial-of-service (DoS). ...

February 2, 2012 · 2 min · 315 words · Omid Farhang

Chrome 17 enters beta, improves speed and security

H-Security: Version 17 of Chrome has been released into the WebKit-based browser’s Beta channel. Its developers say that the new Chrome beta, version 17.0.963.26, is focused on improving two of the browser’s core principles: speed and security. To make Chrome “go even faster”, some web pages will start loading in the background before a user has even finished typing a URL into the Omnibox address and search bar. To reduce the time between a user pressing enter and the page being fully loaded, Chrome will pre-render some pages if the URL auto-completes to a site a user is likely to visit. According to Google Software Engineer Dominic Hamon, this will, in some cases, cause pages to appear “instantly”. ...

January 8, 2012 · 2 min · 309 words · Omid Farhang

Internet Explorer to upgrade automatically, unless you say no

SophosLabs: Microsoft’s Ryan Gavin announced a new strategy to keep the web safe… Keep your Internet Explorer up to date. It is great news for Windows users who don’t appreciate the importance of staying up to date. Microsoft has been struggling with browser stragglers for years. They even ran their own campaign comparing IE 6 to spoiled milk including shameful infopr0n. ...

December 17, 2011 · 2 min · 335 words · Omid Farhang

Adobe closes Acrobat and Reader security holes

The H-Online: The first patches for the zero-day flaw in Adobe’s Acrobat and Reader applications, which the company confirmed was being exploited in the wild, have been released. The initial problem was caused by a memory corruption when processing Universal 3D (U3D) files, which could allow attackers to potentially take control of an affected system. The patches released also address a newly revealed critical flaw (CVE-2011-4369) which can cause memory corruption when processing Product Representation Compact (PRC) 3D files. ...

December 17, 2011 · 2 min · 253 words · Omid Farhang

Iranian block on Tor traffic quickly foiled

The H-Security: The online privacy and security service Tor was blocked by the Iranian government late in the evening (local time) on 13 September. This was done by adding a filter rule to the Iranian border routers which identified Tor traffic and blocked it. The blocking was quickly discovered by Tor and the project released a fix a few hours later. The fix consists of a new version of the Tor software, Tor 0.2.3.4-alpha, and once this is installed on relays and bridges, the company expects normal service to be resumed for users in Iran. ...

September 16, 2011 · 2 min · 232 words · Omid Farhang