Feeds

Get 'em while they're hot: critical security fixes from Microsoft, Apple

But still no relief from Carpet bombing menace

5 things you didn’t know about cloud backup

Microsoft and Apple released a batch of critical security fixes within 24 hours of each other, patching a variety of components including the Internet Explorer browser, Bluetooth services and the QuickTime media player.

Three Microsoft patches were rated critical, the highest threat ranking in Microsoft's four-tier scoring system. One purged IE of cross-domain and memory corruption vulnerabilities. Users could fall prey to them by visiting trusted websites that have been compromised by attackers. The Sans Internet Storm Center is urging people to apply the patch immediately, because details of the cross-domain bug have been public since March.

A second critical patch from Microsoft fixes a bug in the Windows implementation of Bluetooth. An attacker can use it to execute malicious code by flooding a vulnerable system with a large number of Bluetooth device queries. This would be particularly useful for pwning a machine while in use at an airport or coffee shop, it seems.

Microsoft also issued a critical fix for buggy DirectX components.

Not to be outdone, Apple on Monday fixed five vulnerabilities in QuickTime that allowed miscreants to execute malicious code by tricking users into opening booby-trapped pictures, video and sound files. The patch is available for both Macs and Windows machines, and like the Microsoft updates, should be installed as soon as possible.

To our disappointment, today's Patch Tuesday from Microsoft failed to neutralize a blended threat that confronts Windows users who browse sites with Apple's Safari browser. Two weeks ago, Microsoft warned users to stop using Safari until the threat is finally removed. It results from the combination of bugs, one in Safari and the other in IE.

By default, Safari downloads files, without any user prompting, to the Windows desktop. IE in some cases then executes those files. IE is just one of many applications that, when combined with Safari's "carpet bombing" flaw, creates this blended threat, according to security researcher Aviv Raff. He says a variety of mail clients, media players and instant messaging applications are similarly dangerous when used along side Safari, and in many cases can be launched from Safari itself.

Microsoft has indicated a fix is in the works for its role in this blended threat, but so far Apple has said it's OK with Safari's carpet bombing behavior. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.