Software Patches

Mozilla releases patches for Firefox

Paul Mah — Fri, 18 Jul 2008 10:03:23 -0400

Mozilla has released patches for both versions 2.0 and 3.0 of the Firefox web browser. The updates patch two security vulnerabilities that have been rated as "critical" by Mozilla, including a variant of a vulnerability that could be exploited to do what has been termed as a "carpet bombing" attack. The second patch fixes the way Firefox handles references to CSS objects, which can be exploited to force a crash that can lead to malicious code being executed. A third patch resolves a security hole that applies only to Firefox 3.0 running on the Mac OS X, which was discovered by a security engineer at Apple.

Mozilla took the opportunity to issue a reminder that Firefox 2.0 will only be supported with security updates until mid-December. Users are encouraged to upgrade to Firefox 3.0.

For more on the new Firefox patches:
- check out this ComputerWorld article

Cisco rushes out IOS patch

Paul Mah — Fri, 23 May 2008 05:53:10 -0400

Cisco released a trio of security updates on Wednesday, hot on the heels of reports last week on the availability of a proof of concept rootkit targeted at the company's routers. The rootkit was developed by Sebastian Muniz of CORE Security, and was scheduled for a demonstration on Thursday at the EuSecWest Conference.

Though Cisco claims that all three vulnerabilities were discovered in-house, few are buying into it given that the patches were released just a day before the demonstration of the router rootkit. This is especially glaring as the network giant has just launched a twice-yearly patching cycle for IOS in March this year.

For more on Cisco's IOS patch:
- check out this The Register article

Windows XP SP3 available now

Mehan Jayasuriya — Tue, 29 Apr 2008 12:00:40 -0400

It's been a long and winding road, but we've finally arrived: Today Microsoft released Windows XP SP3 via its website, the last hurrah for the ill-fated OS. The final service pack contains some 1,100 hotfixes and patches, and even introduces a few new features to the 7-year-old operating system. While it's available now via Microsoft's website and Windows Update, it won't make its way out via Automatic Update until "early summer." The download weighs in at 316MB and appears to be a fairly painless install, based on the early reports we're hearing.

For more on XP SP3:
- see this DailyTech article
- and click here to download the service pack

ALSO NOTED: Also Noted: April will be a big month for Microsoft patches; IT free trade up in the air;

Mon, 07 Apr 2008 06:59:58 -0400

> Microsoft: April will be a big month for patches. Article
> IT free trade up in the air. Article
> Job tips for a recession. Article
> Legacy systems hurt e-Commerce growth. Article
> Harris Interactive names a new CIO. Article

And Finally… Viruses will top 1 million by '09. Article

ALSO NOTED: Apple patches 11 Quicktime bugs; In-flight WiFi finally cleared for takeoff;

Mehan Jayasuriya — Thu, 03 Apr 2008 16:27:14 -0400

> Apple patches 11 Quicktime bugs. Article
> Is Intel's Moorestown motherboard the world's smallest? Article
> In-flight WiFi finally cleared for takeoff by FAA. Article
> New Intel tech could render stolen laptops unbootable. Article

And Finally... An interview with the "PWN 2 OWN" contest winners. Article

April Patch Tuesday cometh

Mehan Jayasuriya — Thu, 03 Apr 2008 16:18:44 -0400

Another month, another Microsoft Patch Tuesday. What's in store for us this month? Well, it looks like we'll be seeing eight patches total, five of which will be labeled as "critical". The critical updates will address code execution vulnerabilites in both Windows and Internet Explorer. Affected versions are as follows: Windows Vista, Windows XP, and Windows 2000, Windows Server 2003, Windows Server 2008 and all versions of Internet Explorer. In addition to the critical fixes, the company will patch two "important" vulnerabilites relating to spoofing and unauthorized user privilege elevation attacks in Microsoft Office. More on the patches next week.

For more on the coming patches:
- see this Information Week story

ALSO NOTED: Sun ships vulnerable servers; Who patches zero-days the fastest?; and much more...

Mehan Jayasuriya — Fri, 28 Mar 2008 14:05:43 -0400

> Sun ships vulnerable servers. Article
> AMD launches new quad and triple-core offerings. Article
> H-1B supporters ask White House for help. Article
> 2008 Mac Pro, OS X Tiger get updates. Article
> Who patches zero-days faster: Microsoft or Apple? Article

And Finally... Microsoft and Intel finance the future. Article

Cisco patches IP phones

Fri, 15 Feb 2008 06:59:54 -0500

To think, there once was a time when you didn't have to worry about your phones, of all things, getting infected with viruses. Well, those carefree days are officially over: this week Cisco released a series of patches for buffer overflow and denial of service vulnerabilities in a number of its IP phones. The affected models are as follows: Cisco Unified IP Phone models 7940, 7940G, 7960 and 7960G. In related news, Cisco also patched its Unified Communications Manager this week, due to a vulnerability that could have allowed for SQL injection attacks.

For more on the patches:
- see this ZDnet article

Microsoft releases 11 patches, 6 critical

Tue, 12 Feb 2008 06:59:56 -0500

As we mentioned last week, today is February Patch Tuesday and that means patches, patches and more patches for users of Microsoft software. Looks like there are 11 patches this time around, 6 of which are critical, addressing 17 vulnerabilities in all. A quick run-down of the critical patches:

MS08-008: Addresses a vulnerability in OLE automation that could allow for a remote code execution attack. Affects Windows 2000, Windows XP, Windows Vista, Microsoft Office 2004 for the Mac and Visual Basic 6.
MS08-009: Addresses a vulnerability in Word that could allow for a remote code execution attack. Affects Office 2000, Office 2003 and Office Word Viewer 2003.
MS08-007: Addresses a vulnerability in the WebDAV Mini-Redirector. Affects Windows XP and Vista.
MS08-010: Addresses a vulnerability in Internet Explorer that could allow for remote code execution attacks. Affects IE 5-7.
MS08-012: Addresses a vulnerability in Microsoft Office Publisher that could allow for remote code execution attacks. Affects Microsoft Office Publisher 2000, Microsoft Office Publisher 2002 and Microsoft Office Publisher 2003 Service Pack 2.
MS08-013: Addresses a vulnerability in Microsoft Office that could allow for remote code execution attacks. Affects Microsoft Office XP, Microsoft Office 2003 and Microsoft Office 2004 for Mac.

For more on the latest patches:
- see this ZDnet article

ALSO NOTED: First look: Vista SP1; Mozilla patches Firefox vulnerability;

Fri, 08 Feb 2008 06:59:50 -0500

> Mozilla patches Firefox vulnerability. Article
> NEC launches official Vista downgrade product. Article
> Open-source OS kernels created using .NET. Article
> Amid threats, U.S. federal government seeks 10% increase in IT spend. Article
> First look: Vista SP1. Article

And Finally... Microsoft responds to "Save XP" petition. Article