Source: washingtonpost.com, Tuesday, December 16, 2008; 6:19 PM
Microsoft will issue an emergency security patch Wednesday for all versions of Internet Explorer. The patch is rated critical and addresses the security flaw currently being exploited against the IE browser. So far, more than 2 million computers are believed to have been infected.
An advance notification of the patch published Tuesday describes it as protection for a "remote code execution" vulnerability. The move follows Microsoft's security advisory posted last Wednesday and updated Monday explaining the vulnerability and suggesting temporary "workarounds" for protection.
The flaw can be used to let attackers steal personal data such as passwords if a user visits a compromised Web site, of which at least 10,000 are thought to already exist. Thus far, the vulnerability has been used primarily for grabbing gaming passwords for black market sales. The hole could, however, potentially also be used to steal more sensitive information such as banking passwords and other private information.
Some security analysts had gone as far as to suggest all IE users switch to a competing browser until Microsoft found a suitable fix.
Microsoft's emergency security patch will become available Wednesday at 1 p.m. EST at the Microsoft Update site as well as at the Microsoft Download Center. All users of IE5, 6, and 7 are advised to install it. A separate patch is expected to be made available for users of IE8 Beta 2. Expect to see far more detail by midday Wednesday when Microsoft officially issues its security bulletin.
Read more:
http://www.washingtonpost.com/wp-dyn/content/article/2008/12/16/AR2008121602378.html
Firefox tops list of 12 most vulnerable apps
Posted by Ryan Naraine @ 10:41 am
Mozilla’s flagship Firefox browser has earned the dubious title of the most vulnerable software program running on the Windows platform.
According to application whitelisting vendor Bit9, Firefox topped the list of 12 widely deployed desktop applications that had critical security vulnerabilities patched in 2008. These flaws exposed millions of Windows users to remote code execution attacks.
The other applications on the list are all well-known and range from browsers to media players, to VOIP chat and anti-virus software programs. Here’s Bit9’s dirty dozen:
Mozilla Firefox: In 2008, Mozilla patched 10 vulnerabilities that could be used by remote attackers to execute arbitrary code via buffer overflows, malformed URI links, documents, JavaScript and third-party tools.
Adobe Flash and Adobe Acrobat: Bit9 listed 14 flaws patched this year that exposed desktops to arbitrary remote code execution via buffer overflows, “input validation issues” and malformed parameters.
more.....
http://blogs.zdnet.com/security/?p=2304