Feeds

Get 'em while they're hot: critical security fixes from Microsoft, Apple

But still no relief from Carpet bombing menace

Securing Web Applications Made Simple and Scalable

Microsoft and Apple released a batch of critical security fixes within 24 hours of each other, patching a variety of components including the Internet Explorer browser, Bluetooth services and the QuickTime media player.

Three Microsoft patches were rated critical, the highest threat ranking in Microsoft's four-tier scoring system. One purged IE of cross-domain and memory corruption vulnerabilities. Users could fall prey to them by visiting trusted websites that have been compromised by attackers. The Sans Internet Storm Center is urging people to apply the patch immediately, because details of the cross-domain bug have been public since March.

A second critical patch from Microsoft fixes a bug in the Windows implementation of Bluetooth. An attacker can use it to execute malicious code by flooding a vulnerable system with a large number of Bluetooth device queries. This would be particularly useful for pwning a machine while in use at an airport or coffee shop, it seems.

Microsoft also issued a critical fix for buggy DirectX components.

Not to be outdone, Apple on Monday fixed five vulnerabilities in QuickTime that allowed miscreants to execute malicious code by tricking users into opening booby-trapped pictures, video and sound files. The patch is available for both Macs and Windows machines, and like the Microsoft updates, should be installed as soon as possible.

To our disappointment, today's Patch Tuesday from Microsoft failed to neutralize a blended threat that confronts Windows users who browse sites with Apple's Safari browser. Two weeks ago, Microsoft warned users to stop using Safari until the threat is finally removed. It results from the combination of bugs, one in Safari and the other in IE.

By default, Safari downloads files, without any user prompting, to the Windows desktop. IE in some cases then executes those files. IE is just one of many applications that, when combined with Safari's "carpet bombing" flaw, creates this blended threat, according to security researcher Aviv Raff. He says a variety of mail clients, media players and instant messaging applications are similarly dangerous when used along side Safari, and in many cases can be launched from Safari itself.

Microsoft has indicated a fix is in the works for its role in this blended threat, but so far Apple has said it's OK with Safari's carpet bombing behavior. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.