The new adobe flash was released today. Its version 10.0.32.18
Archives for July 2009
On Thursday, two researchers plan to reveal an unpatched iPhone bug that could virally infect phones via SMS.
you receive a text message on your iPhone any time after Thursday
afternoon containing only a single square character, Charlie Miller
would suggest you turn the device off. Quickly.
That small cipher
will likely be your only warning that someone has taken advantage of a
bug that Miller and his fellow cybersecurity researcher Collin Mulliner
plan to publicize Thursday at the Black Hat cybersecurity conference in
Las Vegas. Using a flaw they’ve found in the iPhone’s handling of text
messages, the researchers say they’ll demonstrate how to send a series
of mostly invisible SMS bursts that can give a hacker complete power
over any of the smart phone’s functions. That includes dialing the
phone, visiting Web sites, turning on the device’s camera and
microphone and, most importantly, sending more text messages to further
propagate a mass-gadget hijacking.
“This is serious. The only thing you can do to prevent it is turn off
your phone,” Miller told Forbes. “Someone could pretty quickly take
over every iPhone in the world with this.”
Though Miller and Mulliner say they notified Apple about the vulnerability more than a month ago, the company hasn’t
released a patch, and it didn’t respond to Forbes’ repeated calls
Update July 31
A patch as been issued from the vendor on this.
Apple just released APPLE-SA-2009-07-31-1. iPhone OS 3.0.1 fixes the problem.
Advance Notification for July 2009 Out-of-Band Releases
We have just published our advance notification for an out-of-band security bulletin release, with a target of 10:00 AM Pacific Time next Tuesday, July 28, 2009.
this release is to address a single, overall issue, in order to provide
the broadest protections possible to customers, we’ll be releasing two
separate security bulletins:
1. One Security Bulletin for Visual Studio
2. One Security Bulletin for Internet Explorer
we can’t go into specifics about the issue prior to release, we can say
that the Visual Studio bulletin will address an issue that can affect
certain types of applications. The Internet Explorer bulletin will
provide defense-in-depth changes to Internet Explorer to help provide
additional protections for the issues addressed by the Visual Studio
bulletin. The Internet Explorer update will also address
vulnerabilities rated as Critical that are unrelated to the Visual
Studio bulletin that were privately and responsibly reported.
Critical: Highly critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks or compromise a user’s system.
1) Multiple errors in the browser engine can be exploited to corrupt memory and potentially execute arbitrary code.
2) An integer overflow error in a base64 decoding function can be exploited to corrupt memory and potentially execute arbitrary code.
3) An error in the handling of multiple RDF files in a XUL tree element can be exploited to corrupt memory and potentially execute arbitrary code.
4) An error exists in the construction of documents, which can result in double copies of certain elements within this document.
5) An error in the handling of frames can be exploited to cause a memory corruption and potentially execute arbitrary code.
7) An error in the handling of Flash objects when navigating to another page can potentially be exploited to trigger a call to a deleted object and potentially execute arbitrary code.
8) Multiple vulnerabilities in various font glyph rendering libraries can be exploited by malicious people to compromise a user’s system.
9) An error in the handling of SVG elements on which a watch function and __defineSetter__ function have been set for a certain property can be exploited to cause a memory corruption and execute arbitrary code.
11) Various errors in the handling of wrappers for objects can potentially be exploited to access properties of such objects that have been set by a different site and e.g. conduct cross-site scripting attacks.
Update to version 3.0.12.
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to an unspecified error and can be exploited to execute arbitrary code via specially crafted SWF content.
The vulnerability is reported in version 10.0.22.87, 22.214.171.124, and prior 9.x and 10.x versions.
Do not browse untrusted websites or follow untrusted links.
Updates will reportedly be available for Windows, Macintosh, and Linux versions by July 30.
Provided and/or discovered by:
Reported as a 0-day.