Feeds

Get 'em while they're hot: critical security fixes from Microsoft, Apple

But still no relief from Carpet bombing menace

Combat fraud and increase customer satisfaction

Microsoft and Apple released a batch of critical security fixes within 24 hours of each other, patching a variety of components including the Internet Explorer browser, Bluetooth services and the QuickTime media player.

Three Microsoft patches were rated critical, the highest threat ranking in Microsoft's four-tier scoring system. One purged IE of cross-domain and memory corruption vulnerabilities. Users could fall prey to them by visiting trusted websites that have been compromised by attackers. The Sans Internet Storm Center is urging people to apply the patch immediately, because details of the cross-domain bug have been public since March.

A second critical patch from Microsoft fixes a bug in the Windows implementation of Bluetooth. An attacker can use it to execute malicious code by flooding a vulnerable system with a large number of Bluetooth device queries. This would be particularly useful for pwning a machine while in use at an airport or coffee shop, it seems.

Microsoft also issued a critical fix for buggy DirectX components.

Not to be outdone, Apple on Monday fixed five vulnerabilities in QuickTime that allowed miscreants to execute malicious code by tricking users into opening booby-trapped pictures, video and sound files. The patch is available for both Macs and Windows machines, and like the Microsoft updates, should be installed as soon as possible.

To our disappointment, today's Patch Tuesday from Microsoft failed to neutralize a blended threat that confronts Windows users who browse sites with Apple's Safari browser. Two weeks ago, Microsoft warned users to stop using Safari until the threat is finally removed. It results from the combination of bugs, one in Safari and the other in IE.

By default, Safari downloads files, without any user prompting, to the Windows desktop. IE in some cases then executes those files. IE is just one of many applications that, when combined with Safari's "carpet bombing" flaw, creates this blended threat, according to security researcher Aviv Raff. He says a variety of mail clients, media players and instant messaging applications are similarly dangerous when used along side Safari, and in many cases can be launched from Safari itself.

Microsoft has indicated a fix is in the works for its role in this blended threat, but so far Apple has said it's OK with Safari's carpet bombing behavior. ®

SANS - Survey on application security programs

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.