Feeds

Get 'em while they're hot: critical security fixes from Microsoft, Apple

But still no relief from Carpet bombing menace

5 things you didn’t know about cloud backup

Microsoft and Apple released a batch of critical security fixes within 24 hours of each other, patching a variety of components including the Internet Explorer browser, Bluetooth services and the QuickTime media player.

Three Microsoft patches were rated critical, the highest threat ranking in Microsoft's four-tier scoring system. One purged IE of cross-domain and memory corruption vulnerabilities. Users could fall prey to them by visiting trusted websites that have been compromised by attackers. The Sans Internet Storm Center is urging people to apply the patch immediately, because details of the cross-domain bug have been public since March.

A second critical patch from Microsoft fixes a bug in the Windows implementation of Bluetooth. An attacker can use it to execute malicious code by flooding a vulnerable system with a large number of Bluetooth device queries. This would be particularly useful for pwning a machine while in use at an airport or coffee shop, it seems.

Microsoft also issued a critical fix for buggy DirectX components.

Not to be outdone, Apple on Monday fixed five vulnerabilities in QuickTime that allowed miscreants to execute malicious code by tricking users into opening booby-trapped pictures, video and sound files. The patch is available for both Macs and Windows machines, and like the Microsoft updates, should be installed as soon as possible.

To our disappointment, today's Patch Tuesday from Microsoft failed to neutralize a blended threat that confronts Windows users who browse sites with Apple's Safari browser. Two weeks ago, Microsoft warned users to stop using Safari until the threat is finally removed. It results from the combination of bugs, one in Safari and the other in IE.

By default, Safari downloads files, without any user prompting, to the Windows desktop. IE in some cases then executes those files. IE is just one of many applications that, when combined with Safari's "carpet bombing" flaw, creates this blended threat, according to security researcher Aviv Raff. He says a variety of mail clients, media players and instant messaging applications are similarly dangerous when used along side Safari, and in many cases can be launched from Safari itself.

Microsoft has indicated a fix is in the works for its role in this blended threat, but so far Apple has said it's OK with Safari's carpet bombing behavior. ®

5 things you didn’t know about cloud backup

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?