AusCERT Week in Review for 7th of September 2012

Date: 07 September 2012


Greetings,

As expected, this week we saw many vendors providing patches for their products following Oracle's Java patch for CVE-2012-4681. Apple, however, strangely provided a patch only for the related CVE-2012-0547 and appears not yet to have patched CVE-2012-4681, which is being actively exploited.

Security researcher Adam Gowdiak claims to have demonstrated a complete JVM sandbox bypass by chaining outstanding vulnerabilities that he had previously reported to Oracle. Expect more Java patches from Oracle in the not-too-distant future.

Prudence would advise that if you don't need an application, uninstall it. This certainly applies to Java, especially considering all the attention it has received from those with malicious intent.

Good news for Android users: AV-Comparatives have evaluated 13 mobile security apps designed to protect against malware, most of which also include additional features. If you or people you care about use an Android device, take the time to read this document:

As a general rule of thumb, installing apps from any location other than the official Google Play store significantly increases the risk of infection.

In case you've not already attended to them, here are my top 5 patches/actions for the week:

1) ESB-2012.0847 - [Win] Microsoft Windows: Reduced security - Unknown/unspecified

To their credit, Microsoft are hardening the certificates they consider trustworthy. This change, however, may have deep ramifications for your enterprise. Take all the time you need to read and understand this bulletin.

2) ESB-2012.0835 - ALERT [Win][UNIX/Linux] Atlassian JIRA: Administrator compromise - Remote/unauthenticated

A nasty vulnerability that needs urgent attention if you run JIRA.

3) ASB-2012.0121 - [Win][Linux][OSX] Google Chrome: Multiple vulnerabilities

A patched web browser is a happy web browser.

4) ASB-2012.0123 - [Win][UNIX/Linux] WordPress: Increased privileges - Unknown/unspecified

Unpatched WordPress sites are frequently exploited and used for launching attacks and hosting malicious content. Save yourself the grief and update.

5) ESB-2012.0846 - [Mac][OSX] Java for OS X: Reduced security - Remote/unauthenticated

While this update is missing a fix for the dreaded CVE-2012-4681, it's a good idea to apply it anyway and at least mitigate one Java vulnerability.

Stay safe,
Marco