Vulnerabilities


October Microsoft Patch Tuesday Has Something for Everyone

By Jason Miller
Microsoft has released 13 new security bulletins in the October 2009 version of Patch Tuesday.  Eight bulletins have a severity rating of Critical. The remaining five security bulletins have a severity rating of Important. For the first time, Windows 7 and Windows 2008 R2 are affected by security bulletins. The sheer volume of bulletins and subsequent patches this month will likely give administrator fits.

Phishing Attacks Continue to Evolve

Antispam vendors, browser makers and Internet service providers have been on the front lines in the battle to contain phishing attacks, but the cybercriminals behind phishing campaigns are getting savvy at defeating technologies and tricking victims into giving up their credentials and other data. Read the full story [SearchSecurity.com].

Adobe Ships 29 Patches for Reader and Acrobat

On the same day that Microsoft unleashed a torrent of 34 patches on its customer base, Adobe on Tuesday published patches for 29 vulnerabilities in its Acrobat and Reader products as part of its new quarterly patch release program.


Microsoft today released its largest ever batch of Patch Tuesday updates to fix a whopping 34 security holes in a wide range of widely deployed software products.
The latest patch batch covers critical vulnerabilities in software products that are bundled with Microsoft’s dominant Windows operating system (Internet Explorer and Windows Media Player) — and several known security problems (SMB v2 and FTP in IIS) for which functioning exploit code has already been publicly released.

Google has shipped a new version of the Android open-source mobile phone platform to fix a pair of security flaws that could lead to denial-of-service attacks.
According to an advisory from oCERT, a group that handles vulnerability disclosure for open-source projects, the flaws could allow hackers to render Android-powered devices useless.  Here’s a link to the oCERT advisory [ocert.org].

Adobe has confirmed a critical, unpatched vulnerability in its PDF Reader/Acrobat software is being exploited by malicious attackers.
The vulnerability affects Adobe Reader and Acrobat 9.1.3 and earlier versions on Windows, Macintosh and UNIX.  Adobe described the in-the wild attacks as limited and targeted, suggesting PDF documents rigged with exploits are being attached to e-mails and sent to business targets.

A security research firm has issued a warning for a vulnerability in multiple VMware products that can be exploited by malicious people to cause a denial-of-service condition.

The vulnerability is caused due to an error in the VMware Authorization Service when processing login requests.

Microsoft is planning a bumper Patch Tuesday next week — 13 bulletins covering 34 security vulnerabilities in a wide range of products. Eight of the 13 bulletins will be rated “critical,” Microsoft’s highest severity rating.

According to Microsoft’s advance notice, the patches coming on October 13 includes fixes for two serious issues that are well-known and already documented — a code execution bug in SMB v2 and a gaping hole in FTP in IIS.

PayPal suspended the account of a white-hat hacker on Tuesday, a day after someone used his research into website authentication to publish a counterfeit certificate for the online payment processor.

“Under the Acceptable Use Policy, PayPal may not be used to send or receive payments for items that show the personal information of third parties in violation of applicable law,” company representatives wrote in an email sent to the hacker, Moxie Marlinspike. “Please understand that this is a security measure meant to help protect you and your account. We apologize for any inconvenience.”  Read the full story [Dan Goodin/The Register]

Google has pushed out a new version of its Chrome browser to fix a high-severity security hole that could lead to malicious code execution attacks.
The vulnerability could be exploited to run arbitrary code within the Google Chrome sandbox, the company said in an advisory.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.