Feeds

Get 'em while they're hot: critical security fixes from Microsoft, Apple

But still no relief from Carpet bombing menace

5 things you didn’t know about cloud backup

Microsoft and Apple released a batch of critical security fixes within 24 hours of each other, patching a variety of components including the Internet Explorer browser, Bluetooth services and the QuickTime media player.

Three Microsoft patches were rated critical, the highest threat ranking in Microsoft's four-tier scoring system. One purged IE of cross-domain and memory corruption vulnerabilities. Users could fall prey to them by visiting trusted websites that have been compromised by attackers. The Sans Internet Storm Center is urging people to apply the patch immediately, because details of the cross-domain bug have been public since March.

A second critical patch from Microsoft fixes a bug in the Windows implementation of Bluetooth. An attacker can use it to execute malicious code by flooding a vulnerable system with a large number of Bluetooth device queries. This would be particularly useful for pwning a machine while in use at an airport or coffee shop, it seems.

Microsoft also issued a critical fix for buggy DirectX components.

Not to be outdone, Apple on Monday fixed five vulnerabilities in QuickTime that allowed miscreants to execute malicious code by tricking users into opening booby-trapped pictures, video and sound files. The patch is available for both Macs and Windows machines, and like the Microsoft updates, should be installed as soon as possible.

To our disappointment, today's Patch Tuesday from Microsoft failed to neutralize a blended threat that confronts Windows users who browse sites with Apple's Safari browser. Two weeks ago, Microsoft warned users to stop using Safari until the threat is finally removed. It results from the combination of bugs, one in Safari and the other in IE.

By default, Safari downloads files, without any user prompting, to the Windows desktop. IE in some cases then executes those files. IE is just one of many applications that, when combined with Safari's "carpet bombing" flaw, creates this blended threat, according to security researcher Aviv Raff. He says a variety of mail clients, media players and instant messaging applications are similarly dangerous when used along side Safari, and in many cases can be launched from Safari itself.

Microsoft has indicated a fix is in the works for its role in this blended threat, but so far Apple has said it's OK with Safari's carpet bombing behavior. ®

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?