Wednesday, March 31, 2010

Patch day

There are a bunch of patches that you should know about. Apple released perhaps its biggest security update ever, with 88 fixes:

The Mac OS X v10.6.3 update, which is considered “critical,” covers flaws that could lead to remote code execution, information disclosure and denial-of-service attacks.

In some scenarios, a malicious hacker could take complete control of a Mac-powered machine if a user simply views a malicious image or movie file.


Here’s the full list of the patched vulnerabilities.

The Security Update 2010-002 / Mac OS X v10.6.3 may be obtained from the Software Update pane in System Preferences, or Apple’s Software Downloads web page.

Microsoft has also been busy, with an out-of-cycle patch for Internet Explorer that fixes a hole being exploited by malware in the wild:

Microsoft released an emergency IE patch on Tuesday after deciding that an upswing in hacking attacks targeting a zero-day vulnerability in IE 6 and 7 couldn't wait for the next scheduled edition of Patch Tuesday, due on 13 April.

The cumulative IE update (MS10-018) released on Tuesday also fixes nine other security bugs in Microsoft's browser software. All versions of IE from 5.01 to 8.0, on client and servers, are vulnerable to varying degrees and need patching. Other than the blockbuster bug - which involves the iepeers.dll library and creates a handy mechanism to drop malware onto vulnerable systems - other flaws fixed by the release focus on memory corruption vulnerabilities, as explained in a post by the SANS Institute's Internet Storm Centre here.

If you run Internet Explorer - and you shouldn't if you have any choice - get the patch. Out-of-cycle patches happen because there's bad juju.

Also, there's malware that disguises itself as an Adobe updater program:

Nguyen Minh Duc, director of Bkis Security, writes that the recently detected Fakeupver trojan establishes a backdoor on compromised systems while camouflaging its presence by posing as an Adobe update utility. The malware camouflages itself by using the same icons and version number as the official package.

Variants of the malware also pose as updaters for Java and other software applications.

Legitimate updates ALWAYS come from the vendor's web site (e.g. You should treat ANY email saying there's an update as malware spam.

Busy security week, and the week's not half over.

1 comment:

Anonymous said...

Considering that this update is for FOUR different versions of the OS that's not that bad. I'm glad a good chunk of them are from TippingPoint's Zero Day Initiative. Let's hope that was all of them.

That at least 23 of them are for other open source tools. Linux guys should make sure they're updated too.