NVDi Support News & Alerts » security updates

Alert: Microsoft to release out-of-band security update July 28th

wkwalker — Sat, 25 Jul 2009 03:06:15 +0000

Microsoft is releasing a pair of critical Windows security updates on July 28th. This is highly unusual. Microsoft normally issues security fixes on the second Tuesday of the month — “Patch Tuesday.” When they release an out-of-band update like this, it is usually because it deals with a critical vulnerability that is being actively exploited. According to Microsoft’s advance notification, the updates will affect Internet Explorer and Visual Studio. For most of us pluggers, it’s the Internet Explorer patch that will matter.

Alert: Firefox 3.5.1 released — fixes important vulnerability

wkwalker — Thu, 16 Jul 2009 18:46:34 +0000

Firefox 3.5.1. has just been released to fix a potentially critical vulnerability. It’s not listed on the regular download page yet, but should be shortly.

A couple of days ago, proof-of-concept code was posted showing how a malicious web site could trigger a “drive-by download” when a page was viewed with Firefox 3.5. The 3.5.1 release plugs this hole.

You can get the latest version of Firefox from the Mozilla web site or by clicking on “Check for updates…” in the Firefox Help menu or you can wait for the update to be offered to you automatically when you launch Firefox. Personally, I wouldn’t wait too long.

Alert: May 12th is “Patch Tuesday”

wkwalker — Fri, 08 May 2009 17:27:24 +0000

May 12th is “Patch Tuesday,” the day Microsoft traditionally issues security updates. Adobe is also issuing a patch for Adobe Reader and Acrobat.

The sole Microsoft patch fixes a “critical” flaw in PowerPoint. “Critical” means it’s a big deal. In this case, opening a maliciously crafted PowerPoint presentation could allow an attacker to execute code remotely on a victim’s computer. All versions of PowerPoint released in the past 10 years are vulnerable to this one.

Adobe is patching Reader/Acrobat to fix yet another problem associated with embedded JavaScript. This issue, as well as a work-around, was discussed in an earlier post here.

You can safely assume that the bad guys, knowing that people are often sloppy about security updates, will try to take advantage of both vulnerabilities. The Adobe Reader bug will likely be the primary target. Almost everyone has Adobe Reader installed on their computer and most folks are used to encountering PDF files on web sites.

Be careful out there.

Patch Tuesday looms

wkwalker — Fri, 10 Apr 2009 23:35:52 +0000

April 14th is “Patch Tuesday.” Barring a major panic, Microsoft issues security updates for its products on the second Tuesday of the month. This month, we’re looking at eight patches, five of them rated “critical.” Microsoft’s offical security bulletin has all the details they’re willing to share so far.

It’s generally a good idea not to let security updates slide for very long. Once the word is out, the bad guys try to reverse-engineer the patches. If they find anything particularly juicy, they take advantage of the fact that many people are remiss about applying the patches. For instance, the primary mode of infection used by the currently infamous Conficker worm is a vulnerability that was fixed several months ago.

A little side-note: April 14, 2009 is also the day Windows XP goes on “extended support.”