Tag Archives: Vulnerability

Avoiding Weak Passwords

Microsoft Research
Avoiding Vulnerable Passwords—and Rules, Too
Telepathwords

Snippet:

The free online research tool, launched Dec. 5, is called Telepathwords. Users can visit the project website and test the strength of their passwords—current ones, past ones, or ones they’re considering using.

“The system doesn’t ask the user to learn anything up-front or follow any specific rules,” Schechter says. “Rather, as you type each key of your intended password, it displays the characters it thinks you’re most likely to type next. If it succeeds in predicting one or more characters of the rest of your password, the evidence that these characters are predictable will be right in front of your eyes.”

Read the complete article: http://research.microsoft.com/en-us/news/features/telepathwords-120513.aspx
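The keystroke-by-keystroke prediction the article describes, reduced to a character n-gram model trained on a constructed list of common passwords. This is an added illustration written for this page, not Microsoft Research's Telepathwords code; the corpus, the two-character context and the three displayed guesses are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of common passwords standing in for the real
# Telepathwords corpus (assumption: the real tool uses far larger data
# plus keyboard-layout and substitution heuristics not modelled here).
COMMON_PASSWORDS = [
    "password", "password1", "123456", "qwerty",
    "letmein", "iloveyou", "admin123", "welcome1",
]
START = "^"   # padding symbol so the first characters have a context
ORDER = 2     # context length: predict from the previous two characters
TOP = 3       # number of "most likely next" characters shown per keystroke

def build_model(samples, order=ORDER):
    """Count, for every order-length context, which character followed it."""
    model = defaultdict(Counter)
    for s in samples:
        padded = START * order + s.lower()
        for i in range(order, len(padded)):
            model[padded[i - order:i]][padded[i]] += 1
    return model

MODEL = build_model(COMMON_PASSWORDS)

def predict_next(typed, model=MODEL, order=ORDER, top=TOP):
    """The characters the model would display after the user typed `typed`."""
    ctx = (START * order + typed.lower())[-order:]
    return [ch for ch, _ in model[ctx].most_common(top)] if ctx in model else []

def predictable_positions(password, model=MODEL):
    """Per character: was it among the displayed guesses before it was typed?"""
    return [ch.lower() in predict_next(password[:i], model)
            for i, ch in enumerate(password)]

def effective_length(password, model=MODEL):
    """Characters the model failed to guess: a crude strength figure."""
    return len(password) - sum(predictable_positions(password, model))

if __name__ == "__main__":
    for pw in ("password", "Password1", "x7#Qz!2m"):
        hits = predictable_positions(pw)
        print(f"{pw!r}: {sum(hits)}/{len(pw)} predicted, "
              f"effective length {effective_length(pw)}")
```

Every character of "password" is guessed before it is typed, so its effective length is zero, while a string with no context in the corpus keeps its full length.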

Firefox 13.0.1 released

Release notes: https://www.mozilla.org/en-US/firefox/13.0.1/releasenotes/

Flash 11.3 sometimes caused a crash on quit (747683*, fixed in 13.0.1)

https://bugzilla.mozilla.org/show_bug.cgi?id=747683

Flash crashed after I updated Firefox to version 13.0.1.

http://www.zdnet.com/blog/btl/firefox-users-still-waiting-for-flash-crash-fix/80305

If you do not receive an update notice when using the application, select “Check for Updates” from the Help menu.

Or download: https://www.mozilla.com/firefox/all.html

Microsoft Security Advisory (2719615)

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution

Published: Tuesday, June 12, 2012

Microsoft is aware of active attacks that leverage a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s website. The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007.

The vulnerability exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. For information about protections released by MAPP partners, see MAPP Partners with Updated Protections.

Upon completion of our investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Please see the complete article:
http://technet.microsoft.com/en-us/security/advisory/2719615

A Microsoft Fix it solution is available that blocks the attack vector for this vulnerability. Microsoft encourages customers running an affected configuration to apply the Fix it solution as soon as possible.

http://support.microsoft.com/kb/2719615

https://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462

Firefox 13.0 released

Fixed in Firefox 13
MFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer
MFSA 2012-39 NSS parsing errors with zero length items
MFSA 2012-38 Use-after-free while replacing/inserting a node in a document
MFSA 2012-37 Information disclosure though Windows file shares and shortcut files
MFSA 2012-36 Content Security Policy inline-script bypass
MFSA 2012-35 Privilege escalation through Mozilla Updater and Windows Updater Service
MFSA 2012-34 Miscellaneous memory safety hazards

https://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox13

Release notes: https://www.mozilla.org/en-US/firefox/13.0/releasenotes/
Bug fixes: https://www.mozilla.org/en-US/firefox/13.0/releasenotes/buglist.html

If you do not receive an update notice when using the application, select “Check for Updates” from the Help menu.

Or download: https://www.mozilla.com/firefox/all.html

Microsoft Security Intelligence Report Volume 12 Released

Microsoft Security Blog

Today we released the latest volume of the Microsoft Security Intelligence Report (SIR) containing a large body of new data and analysis on the threat landscape. This volume of the SIR includes:

  • Latest industry vulnerability disclosure trends and analysis
  • Latest data and analysis of global vulnerability exploit activity
  • Latest trends and analysis on global malware and potentially unwanted software
  • Latest analysis of threat trends in more than 100 countries/regions around the world
  • Latest data and insights on how attackers are using spam and other email threats
  • Latest global and regional data on malicious websites including phishing sites, malware hosting sites and drive-by download sites

In addition, we have included a section in the report focused on how the threat called Conficker continues to propagate.

http://blogs.technet.com/b/security/archive/2012/04/25/microsoft-security-intelligence-report-volume-12.aspx

Firefox 12.0 released

Fixed in Firefox version 12.
MFSA 2012-33 Potential site identity spoofing when loading RSS and Atom feeds
MFSA 2012-32 HTTP Redirections and remote content can be read by javascript errors
MFSA 2012-31 Off-by-one error in OpenType Sanitizer
MFSA 2012-30 Crash with WebGL content using textImage2D
MFSA 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
MFSA 2012-28 Ambiguous IPv6 in Origin headers may bypass webserver access restrictions
MFSA 2012-27 Page load short-circuit can lead to XSS
MFSA 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error
MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite
MFSA 2012-24 Potential XSS via multibyte content processing errors
MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface
MFSA 2012-22 use-after-free in IDBKeyRange
MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9
MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)

If you do not receive an update notice when using the application, select “Check for Updates” from the Help menu.

https://www.mozilla.org/firefox/12.0/releasenotes/

Download: https://www.mozilla.org/en-US/firefox/all.html

Firefox and Thunderbird 11.0 released

http://www.mozilla.org/en-US/firefox/11.0/releasenotes/
https://www.mozilla.org/en-US/thunderbird/11.0/releasenotes/

Every six weeks, another Firefox train leaves the station. This week we will release another update, but not on Tuesday as we typically do. There are two reasons for this:

This Tuesday is Microsoft’s scheduled monthly update to Windows, and those updates have interacted badly with our updates before. We don’t have reason to expect specific problems with this month’s updates, but we’d rather take a day or two to understand the impact before we update all of our users.
We’re also waiting for a report from ZDI about a security vulnerability that may affect this new version of Firefox. We expect to receive the report by end of day Monday. Once we can evaluate the vulnerability, we’ll know whether we need to include a fix in Firefox before the update is released.

UPDATE: The security bug reported by ZDI is one we had already identified and fixed through our internal processes. This eliminates the need for us to delay this week’s releases, and we will be shipping them later today. However, in order to understand the impacts of Microsoft’s “Patch Tuesday” fixes, we will initially release Firefox for manual updates only. Once those impacts are understood, we’ll push automatic updates out to all of our users.

If you do not receive an update notice when using the application, select “Check for Updates” from the Help menu.

Download Firefox http://www.mozilla.org/en-US/firefox/all.html
Download Thunderbird https://www.mozilla.org/en-US/thunderbird/all.html

Firefox and Thunderbird 10.0.2 released

Critical: MFSA 2012-11 libpng integer overflow

http://www.mozilla.org/en-US/firefox/10.0.2/releasenotes/
https://www.mozilla.org/en-US/thunderbird/10.0.2/releasenotes/

If you do not receive an update notice when using the application, select “Check for Updates” from the Help menu.

Download Firefox http://www.mozilla.org/en-US/firefox/all.html
Download Thunderbird https://www.mozilla.org/en-US/thunderbird/all.html

Firefox 9.0.1 released

The latest version of Firefox has the following changes:

Added Type Inference, significantly improving JavaScript performance
Improved theme integration for Mac OS X Lion
Added two finger swipe navigation for Mac OS X Lion
Added support for querying Do Not Track status via JavaScript
Added support for font-stretch
Improved support for text-overflow
Improved standards support for HTML5, MathML, and CSS
Fixed several stability issues
Fixed several security issues

http://www.mozilla.org/en-US/firefox/9.0/releasenotes/

Download Firefox 9.0.1 http://www.mozilla.org/en-US/firefox/all.html