Patch Tuesday insecurity news and SSCC 18

Filed Under: Firefox, Malware, Microsoft, Oracle, Podcast, Vulnerability

Broken glass

For those administrators anxiously awaiting a fix for the zero day flaw in Windows Help Center disclosed by Tavis Ormandy last month your patch is ready. Microsoft released four patches today and their standard summary with priority and severity ratings.

MS10-042 fixes the Help Center vulnerability, while MS10-043 resolves the bug in Windows 7/2008 R2 in the Windows Aero interface that could lead to remote code execution.

Microsoft also resolved two flaws in Microsoft Office 2003/2007, MS10-044 addresses a flaw in Microsoft Access while MS10-045 fixes a vulnerability in Microsoft Outlook. All are listed as Critical except for the Outlook bug, but I would make it a priority as well considering it can be exploited by a malicious email.

I am not going to get into much detail on the state of security at Oracle, but they released fixes for 59 flaws today as well. 28 of the Oracle flaws are considered critical which means a lot of patching to do if you are an Oracle customer.

Firefox fox

Even Mozilla had some bad news today with a warning about two insecure plugins for it's Firefox browser. The first one called "Mozilla Sniffer" was simply malicious and would steal any usernames and passwords entered into the browser and send them off to a remote server. The second is a widely deployed vulnerable plugin called "CoolPreviews".

Mozilla advises users to patch their "CoolPreviews" to a newer release and in time will disable the vulnerable versions. Considering the inclusion of a genuinely malicious add-on making it into their site they are reviewing their policies concerning public publication before code review.

Last week Rami Jebara our Technical Product Manager for endpoint web security joined me for the Sophos Security Chet Chat. Rami and I discussed the new functionality in Endpoint Security and Control 9.5 and how we can now protect PCs against web threats using real-time detection.

Today Michael Argast and I discussed patch Tuesday, the whole full disclosure debate and the debate around anti-malware testing and whether all of the tests overlook important factors such as ease of management and breadth of protection.

Creative Commons photo courtesy of Nesster's Flickr photostream.

, , , , , ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.