Vulnerability

Since 2003, the number of exploitable vulnerabilities has fallen considerably in Microsoft’s Office suite. H-Online: Independently of each other, security specialists Dan Kaminsky and Will Dormann from Carnegie Mellon University’s CERT have found that, in the past few years, the number of flaws and exploitable vulnerabilities in individual versions of Microsoft Office has fallen dramatically, achieving results that are even below those ofOpenOffice. However, their findings should be treated with caution, as they are based on automatic evaluations and say little about the actual threat potential. ...

Avira TechBlog: This is good news – for the recently acknowledged zero-day security vulnerability within Adobe Flash Player, Acrobat and Reader there will be a first update available tomorrow. Adobe updated their security advisory on that matter to reflect the update schedule – the Flash player update fixing the vulnerability for Windows, Mac, Linux and Solaris will be available tomorrow, Friday, April 15. For the also vulnerable Adobe Reader and Acrobat, updates are planned “no later than the week of April 25, 2011″. The only exception is Adobe Reader X for Windows which will be updated on the regular planned Patchday on June 14, as the integrated sandbox prevents successful exploitation there according to Adobe. ...

H-Online: Following on from last week’s S3M vulnerability in the VLC media player, a new advisory warns of a buffer overflow when playing MP4/MPEG-4 files.The bug, reported by Aliz Hammond, requires that a user open a specially crafted MP4 file. According to Secunia, the vulnerability is found in the MP4_ReadBox_skcr()function in the demultiplexer and is rated as “highly critical”. All versions from 1.0.0 to 1.1.8 are affected by the problem. ...

Avira TechBlog: Adobe released a security advisory in which it warns from a zero-day vulnerability within current version of Adobe Flash Player, Reader and Acrobat. Affected are Flash Player 10.2.153.1 and earlier versions for Windows, Mac, Linux and Solaris, the current version integrated in the Chrome web browser, and 10.2.156.12 and earlier versions for Android. The authplay.dll component of current and older version of Adobe Acrobat and Reader are also affected; according to Adobe, the sandbox of Acrobat Reader X prevents from execution of malicious payloads though. ...

Avira TechBlog: It looks like new Chrome releases aren’t due every six weeks as Google announced a few weeks ago, but once a week now – the company just released Chrome 10.0.648.204 and fixes 6 highly critical security vulnerabilities with it. Those security vulnerabilities allow attackers to smuggle in malware like Trojans without the user noticing. That is why the automatic update mechanism is so important: When clicking on the tool symbol and choosing the “About Google Chrome” menu entry, the version check should show that Chrome is already on the current release – or offer to download and install the update in case that didn’t happen yet. ...

Microsoft Malware Protection Center: On March 14, Adobe released a security advisory (APSA11-01) warning of 0-day attacks affecting Adobe Flash Player (versions earlier than and including 10.2.152.33). These attacks were hidden inside Microsoft Excel documents that were used as a vehicle to deliver the exploit. The Adobe Flash file embedded inside the Excel file is another carrier for the exploit. It loads shellcode inside memory, performs heap-spraying, and loads a Flash byte stream from memory to exploit the 0-day vulnerability, which is tracked as CVE-2011-0609. ...

Avira TechBlog: A vulnerability within the current versions of Adobe Flash Player on all supported platforms has been found, warns the company. Affected are not only the Flash Player installations, but also Adobe Reader and Acrobat via the “authplay.dll” Flash Player integration. Currently there is no mitigation which will help against the exploitation – so only opening expected documents from trusted sources for the time being is a good advice. ...

As announced Friday last week, Microsoft delivers 17 security updates on the December 2010 Patchday. The Updates close 2 highly critical security holes which allow for remote code execution and several privilege escalation vulnerabilities that allow attackers to gain administrative rights on Windows PCs. Overall, the 17 Updates deal with 40 vulnerabilities. Affected are the Windows operating Systems, Internet Explorer, Microsoft Office, SharePoint and Exchange. Users and administrators should apply the patches as soon as possible! ...

Avira TechBlog: Next Tuesday is going to be tough for administrators: The Redmond company announces 17 security bulletins which are supposed to fix 40 security vulnerabilities. Only two of the bulletins deal with “high”ly critical rated security holes within Windows and the Internet Explorer. The rest of the updates fixes the Windows operating systems, Microsoft’s Office, SharePoint and Exchange.

This week Apple announced the availability of QuickTime 7.6.9 for OS X 10.5 and Windows platforms. This release fixes 13 vulnerabilities in QuickTime for OS X Leopard and 15 vulnerabilities on the Windows platform. Keep in mind that if you use iTunes it requires that you install QuickTime as well, so be sure to check for updates. Apple has provided a direct download link for IT folks at http://www.apple.com/quicktime/download/. All 13 vulnerabilities for OS X can cause unexpected application termination (what you and I call a crash, but you can’t say crash on a Mac) or arbitrary code execution (make QuickTime run programs… BAD). ...