Adobe has become the third major software vendor to begin shipping its security updates on a regular schedule. Following the lead of Microsoft and Oracle, who have been releasing patches on a set schedule for many years, Adobe now will ship its patches once per quarter. It’s a move that’s overdue for Adobe and one that other vendors (read: Apple) would do well to follow.
Browsing Category: Vulnerabilities
A security researcher from nCircle is accusing Microsoft of gamesmanship in its description of an unpatched IIS vulnerability in the way the WebDAV extension decodes a requested URL. The end result is that a successful exploit would allow a hacker to bypass authentication and gain unauthorized access to resources.
Borrowing a few pages from Microsoft’s playbook, Adobe today announced plans for a quarterly Patch Day for its Reader/Acrobat product lines and new initiatives to beef up its code hardening and security response processes.
Starting this summer, Adobe Reader and Acrobat security patches will be released on a quarterly schedule and will be timed to coincide with Microsoft’s second-Tuesday-of-the month bulletin releases. Read the full story [zdnet.com]. Also see Adobe’s announcement [adobe.com]
There is an easily exploitable vulnerability in the Java implementation in Apple’s Mac OS X which could allow an attacker to run arbitrary code on a remote machine. The flaw, which is similar to a vulnerability that has been public for five months and affect other vendors’ products, affects even the most recent version of OS X, which was released last week.
Dennis Fisher talks with Jeremiah Grossman, CTO and founder of WhiteHat Security, about the company’s new Website Vulnerability Statistics report, why SQL injection is still such a problem and when Web application security may improve.
Most Websites harbor at least one major vulnerability, and over 80 percent of Websites have had a critical security flaw, according to new data released today by WhiteHat Security.
The Website vulnerability statistics, based on Website vulnerability data gathered from WhiteHat’s own enterprise clients, show that 63 percent of Websites have at least one high, critical, or urgent vulnerability issue, and there’s an average of seven unfixed vulnerabilities in a Website today. Read the full story [darkreading.com]
From Computerworld (Gregg Keizer)
After discovering attack code on a brand new Windows XP netbook, anti-virus vendor Kaspersky Labs warned users yesterday that they should scan virgin systems for malware before connecting them to the Internet.
When Kaspersky developers installed their recently-released Security for Ultra Portables on an M&A Companion Touch netbook purchased for testing, “they thought something strange was going on,” said Roel Schouwenberg [viruslist.com], a senior anti-virus researcher with the Moscow-based firm. Schouwenberg scanned the machine — a $499 netbook designed for the school market — and found three pieces of malware. Read the full story [computerworld.com]
Microsoft has confirmed the reported vulnerability in the WebDAV implementation in IIS 5.0, 5.1 and 6.0, saying that the flaw could be used to bypass the authentication mechanism on the Web server. However, the company said that there are a number of mitigating factors involved and that company security officials have not seen any attacks against the weakness so far.
When news broke last year about the serious flaw in the Debian OpenSSL pseudorandom number generator, security experts knew it was a serious problem and warned users to regenerate any keys that had been created using the vulnerable versions of the OpenSSL package. It was a big problem, but it turns out that it could have been far worse.
A new remotely-exploitable vulnerability has been found in the Microsoft IIS 6.0 Web server. The flaw is quite similar to one that was discovered eight years ago in earlier versions of IIS, and exploitation of the weakness could enable an attacker to upload content to the vulnerable server.