Adobe Patches Flash Player

Adobe has issued an update to Flash Player (formerly Macromedia Flash Player) that patches several serious security vulnerabilities. The latest version is Flash Player 9.0.47.0. They've also updated the older version 7 branch to 7.0.70.0.

The patch can be installed through Flash Player's auto-update feature, or you can visit the About Flash Player page to see which version you have installed and download the update. You can also go directly to the Adobe Flash Player download page. If you run Flash in multiple browsers you'll have to update the player for each browser, since each has its own copy of the plugin. You'll need to close all browser windows during the installation. The update is for Flash Player on both Windows and OS X.

Apple Adds to Patch Tuesday

Apple joins the Tuesday patch party with a security update for QuickTime along with a bugfix update for iTunes. The patches are for the software on both Windows and OS X.

The QuickTime update, to version 7.2, includes fixes for eight security vulnerabilities, some of which could allow arbitrary code execution. It also includes updates to the H.264 codec, support for full screen viewing and "numerous bug fixes". The update requires a reboot on both Mac and Windows.

The iTunes update brings iTunes to 7.3.1 and fixes a problem with iTunes 7.3 accessing the library. No other changes are documented.

Both patches are available through Apple Software Update or from the Apple download page.

Microsoft Patch Tuesday for July 2007

It's the second Tuesday of July and that means patches from Microsoft. This month brings six patches: three rated critical, two important, and one moderate. Only five of the patches (and only two of the critical ones) apply to desktops; the sixth affects only server operating systems. Windows Vista also gets a patch of its own, although it's the one rated moderate.

Two of the patches affect Microsoft Office software:

MS07-036 is rated critical and affects all versions of Microsoft Excel from Excel 2000 on up; it also applies to the Office 2007 Compatibility Pack. It's only rated critical for Excel 2000; Microsoft rates the other versions as "important". The bulletin does not list any known issues.

MS07-037 is rated important and affects Microsoft Office Publisher 2007 only. The bulletin does not list any known issues.

One patch affects Vista only:

MS07-038 is rated moderate and affects Windows Vista, both 32-bit and 64-bit versions. It patches a vulnerability in the Windows Vista firewall that could allow an attacker to gather information about a host. There are no known issues listed in the bulletin.

One patch affects .NET:

MS07-040 is rated critical and affects .NET Framework versions 1.x and 2.x; version 3.x is not affected. All operating systems are affected if they have a vulnerable version of .NET installed. There are no known issues listed in the bulletin.

The final desktop patch, MS07-041, is rated important and affects Microsoft Internet Information Services (IIS) when running on Windows XP SP2. Earlier service packs of Windows XP may also be affected, but Microsoft only supports Service Pack 2. IIS is not installed by default on Windows XP.

The server patch is MS07-039, which fixes a vulnerability in Active Directory and is rated critical.

The patches are available through Automatic Updates or can be downloaded individually from Microsoft.

Vulnerability Pits Firefox Against IE

A new zero-day vulnerability exists when both Firefox 2.x and Internet Explorer are installed on the same machine. The exploit is most likely to work on PCs with Firefox 2.0.0.2 installed, because of changes made for Windows Vista compatibility.

The general consensus of the comments is that both applications contribute to the exploit. Firefox is the attack vector and fails to validate the malicious input it receives, but Internet Explorer contributes by not properly escaping quotes when it passes the URL on the command line. You need to visit a malicious website using IE in order to trigger the exploit.

In response to a user comment, Thor Larholm wrote:

… Firefox is the current attack vector but Internet Explorer is to blame for not escaping " (quote) characters when passing on the input to the command line. I agree that Firefox could have registered its URL handler with pure DDE instead and thereby have avoided the possibility of a command line argument injection, but IE should still be able to safely launch external applications.

What I find interesting is how many conditions must hold for the exploit to work. Neither product is vulnerable alone: both must be installed, and each has a flaw that contributes to the vulnerability.
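To make the command line argument injection concrete, here is an added example (not code from the original post, from Thor Larholm, or from either vendor) that models the hand-off: a protocol handler's shell command template with a %1 placeholder, the launching browser substituting the URL into it verbatim, and Windows splitting the resulting command line into arguments. The handler template, the flag name -injectedflag, the constructed malicious URL and the hardened variant that percent-encodes characters a URL cannot legally contain are all assumptions made for illustration, not the real registry value or either vendor's actual fix.

```python
"""Model of command line argument injection through a URL protocol handler.

Added example. The template, flag name, sample URL and mitigation below are
assumptions made for illustration, not the real registry value or either
vendor's patch.
"""
from urllib.parse import quote

# Assumed shell\open\command template for a URL protocol handler. A real
# registration looks similar, but this exact string is made up for the example.
HANDLER_TEMPLATE = r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url "%1"'

# Constructed attacker-controlled URL: the embedded quote closes the "%1"
# argument early, and -injectedflag (a made-up flag) becomes a new argument.
MALICIOUS_URL = 'firefoxurl://example.com/" -injectedflag "'

# RFC 3986 reserved + unreserved characters plus '%', so an already
# percent-encoded URL survives unchanged. '"' and ' ' are deliberately absent.
URL_SAFE = ":/?#[]@!$&'()*+,;=-._~%"


def split_windows_cmdline(cmdline):
    """Split a command line the way CommandLineToArgvW / the MSVC CRT do.

    Rules: whitespace separates arguments; double quotes group text; 2n
    backslashes before a quote yield n backslashes plus a delimiter quote;
    2n+1 yield n backslashes plus a literal quote. (The newer CRT's "" rule
    inside a quoted run is omitted; it does not affect the cases shown here.)
    """
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == '\\':
            j = i
            while j < n and cmdline[j] == '\\':
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append('\\' * (nbs // 2))
                if nbs % 2:
                    cur.append('"')            # escaped literal quote
                else:
                    in_quotes = not in_quotes  # quote acts as a delimiter
                j += 1
            else:
                cur.append('\\' * nbs)         # backslashes are literal
            have_arg = True
            i = j
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif c in ' \t' and not in_quotes:
            if have_arg:
                args.append(''.join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        args.append(''.join(cur))
    return args


def sanitize_url(url):
    """Assumed launcher-side mitigation: percent-encode anything a URL may
    not contain raw, so '"' and ' ' can never reach the command line."""
    return quote(url, safe=URL_SAFE)


def build_cmdline(url, hardened=False):
    """Substitute the URL into the handler template, as the launching
    browser would; with hardened=True the URL is sanitized first."""
    if hardened:
        url = sanitize_url(url)
    return HANDLER_TEMPLATE.replace('%1', url)


def argv_for_url(url, hardened=False):
    """The argv the handler process actually receives for a given URL."""
    return split_windows_cmdline(build_cmdline(url, hardened))


if __name__ == '__main__':
    for hardened in (False, True):
        label = 'hardened ' if hardened else 'vulnerable'
        print(label, argv_for_url(MALICIOUS_URL, hardened))
```

Run as a script it prints two argv lists: the vulnerable one has five entries, with the attacker's -injectedflag arriving as an argument of its own, and the hardened one has three, with the whole URL intact in a single argument. The sanitization sits on the launching side, which matches Larholm's point that IE should be able to launch external applications safely; a handler that also refuses to trust whatever lands on its command line (his DDE suggestion) is the complementary fix on the receiving side.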

Spam Counts for Week Ending June 24, 2007

My GMail spam count jumped 13% to 343 spam messages over the last 30 days, up from 303 last week. My second GMail account hasn't received any new phishing emails and was spam free.

I continue to get a small number of spam emails at my ISP account, an address I've never used or given out. Based on the other addresses in the emails, they seem to be spamming a sequential range of addresses.

Comment spam at The OS Quest continued to drop drastically. There were 331 comment spam attempts, a 51% drop from the previous week and an 87% drop from the 2,458 attempts of two weeks ago. The slide started soon after I switched to the Spam Karma WordPress plugin. Spam Karma put two comments in moderation as possible spam and let two through. All four were in a format that didn't include any URLs in the comment body; the only link was on the commenter's name, where WordPress allows an optional website address.

There were 10 comment spam attempts at this website, a 67% increase from last week's six attempts. The lifetime total for this site sits at 220 comment spam attempts.
