AusCERT Week in Review for 11th May 2012
Date: 11 May 2012
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=15829
Over the past week AusCERT staff have been making the final preparations for the coming week's 11th annual AusCERT Information Security Conference, which has kept us all very busy! Likewise, to keep us all on our toes, there has been no shortage of important bulletins released this week, thanks in part to Microsoft's monthly patch day as well as bulletin releases from Apple, MySQL, PHP and Adobe.
Earlier in the week Microsoft released three bulletins which they rated as critical and four bulletins which they rated as important. The first of the critical bulletins dealt with a code execution vulnerability in numerous versions of Microsoft Word. The second covered three publicly disclosed vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework and Microsoft Silverlight, which could allow for a potential administrator compromise, code execution and denial of service. The last of the critical bulletins dealt with a further code execution vulnerability in Microsoft's .NET Framework. It is recommended that administrators apply the patches for these as soon as possible.
Apple also released a number of bulletins throughout the course of the week, the first of which addresses a number of vulnerabilities in iOS for the iPhone 3GS, iPhone 4, iPhone 4S, iPod touch, iPad and iPad 2. These vulnerabilities could potentially allow for code execution, cross-site scripting attacks and denial of service. Apple also released new versions of Safari and OS X, with the update for OS X covering a whopping thirty-six vulnerabilities.
Adobe released updates this week for both Flash Player and Shockwave Player. Adobe has reported that the vulnerability in Adobe Flash Player is being exploited in the wild via targeted attacks which are designed to trick users into clicking a malicious file delivered via email.
The week also saw new versions of two branches of MySQL, 5.1.63 and 5.5.24. Unfortunately, Oracle did not provide any details regarding the impact of the flaws corrected in these versions of MySQL.
And finally, you might remember that last week we mentioned the disclosure of a 0-day vulnerability in PHP's CGI, and the release of new versions of PHP that didn't correctly fix the flaw. PHP has now released two new versions of PHP, 5.3.13 and 5.4.3, that do correctly fix this serious issue.
Have a great weekend, and we hope to see you next week at the conference!