Posts tagged as: Vulnerability

Microsoft Security Advisory (981374)

by certifiedbug on March 9, 2010, in Microsoft

TechNet

Vulnerability in Internet Explorer Could Allow Remote Code Execution

Microsoft is investigating new, public reports of a vulnerability in Internet Explorer 6 and Internet Explorer 7. Our investigation has shown that the latest version of the browser, Internet Explorer 8, is not affected. The main impact of the vulnerability is remote code execution. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

Our investigation so far has shown that Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are vulnerable.

http://www.microsoft.com/technet/security/advisory/981374.mspx

Energizer Press Release

Energizer Announces Duo Charger and USB Charger Software Problem
ST. LOUIS, March 5, 2010 /PRNewswire via COMTEX/ — Energizer has been informed by the CERT Coordination Center (CERT) that the Windows software that was referenced and made available via a download with its Duo Charger, Model CHUSB, contains a vulnerability. Energizer introduced the Duo Charger in the United States and the USB Charger in Latin America, Europe and Asia in 2007. Both products charge Nickel Metal Hydride batteries from both a wall outlet and a USB connection. The product included a feature that would allow the user to view the battery charging status on a computer if associated software was installed. The Duo Charger product documentation referenced www.energizer.com/usbcharger to download the software. The site offered downloadable software in both Windows and Apple(R) versions; however only the Windows version contained the vulnerability.

Energizer has discontinued sale of this product and has removed the site to download the software. In addition, the company is directing consumers that downloaded the Windows version of the software to uninstall or otherwise remove the software from their computer. This will eliminate the vulnerability. In addition, CERT and Energizer recommend that users remove a file that may remain after the software has been removed. The file name is Arucer.dll, which can be found in the Windows system32 directory.

Energizer is currently working with both CERT and U.S. government officials to understand how the code was inserted in the software. Additional technical information can be found at http://www.kb.cert.org/vuls/id/154421.

Opera Vulnerability Identified

March 6, 2010

A vulnerability rated as critical has been identified in Opera 10.50 and prior versions.
The buffer overflow error when processing malformed HTTP “Content-Length:” headers could be exploited by remote attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a web page hosted on a malicious web server.
Confirmed by VUPEN [...]

Microsoft Security Bulletin Advance Notification for March 2010

March 4, 2010

The Microsoft Security Response Center (MSRC)
Advance Notification. Preliminary information, subject to change.
Today we are providing advance notification to customers that we will be releasing two bulletins this month affecting Windows and Microsoft Office products. Both bulletins are rated Important and address a total of 8 vulnerabilities.
We recommend that customers review the Advance Notification webpage and [...]

win32hlp and Internet Explorer issue

February 28, 2010

The Microsoft Security Response Center (MSRC)
Sunday, February 28, 2010
On Friday 2/26/2010, an issue was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to [...]

Virus Bulletin Poll: Nearly 20% still running insecure IE 6

February 24, 2010

A poll by Virus Bulletin showed a large number of respondents are still running IE 6, even in the workplace.
In VB’s poll, 15% of respondents said they were running the browser at work, indicating that, for many organizations, upgrading is not a priority – whether that is for reasons of compatibility with legacy applications or [...]

Adobe Download Manager 0-day vulnerabilities

February 19, 2010

Days after Adobe released a security update for Flash Player, researcher Aviv Raff disclosed that he has discovered a vulnerability in Adobe’s Download Manager which can be exploited to remotely install malware on end users’ computers.
Even if you upgraded to the latest Flash version (10.0.45.2) and use an alternative PDF reader you are probably not safe [...]

Adobe Flash Player Security update available

February 11, 2010

All Platforms
Vulnerability identifier: APSB10-06
CVE number: CVE-2010-0186, CVE-2010-0187
A critical vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests.
Affected software versions
Adobe Flash Player 10.0.42.34 and earlier versions
Adobe AIR 1.5.3.1920 and earlier versions
To verify the Adobe Flash Player version number installed on your system, access the About Flash Player page, or right-click on content [...]

Update on AMO Security Issue

February 10, 2010

Mozilla
Last week, we disclosed two instances of suspected malware in experimental add-ons on AMO. Since that disclosure, we’ve worked with security experts and add-on developers to determine that the suspected trojan in Version 4.0 of Sothink Video Downloader was a false positive and the extension does not include malware. The same investigation also [...]

FeedDemon Vulnerability

February 10, 2010

SecurityFocus
FeedDemon is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
FeedDemon 2.7 and prior versions are vulnerable.
FeedDemon 3.1 Release Notes
Build 3.1.0.12 / February 2, 2010