When an upgrade downgrades and patches for all

Date: 06 June 2008 Original URL: http://www.auscert.org.au/render.html?cid=7066&it=9413 Greetings all, Another interesting week as far as major vulnerabilities go. Firstly we saw that Windows Service Pack 3 installed an older vulnerable version of Adobe Flash Player. Couple that with the active exploits we reported on last week and you have a recipe for infection. If you have upgraded to Service Pack 3 be sure to check out AA-2008.0102 for instructions on applying the patch. Secondly for those Hewlett Packard users out there, make sure to check out AL-2008.0070 regarding the vulnerability in HP Instant Support. If you do have a HP computer or are using HP peripherals you could be at risk as this software may be pre-installed, or installed when you update a HP driver. Make sure to upgrade to HP Instant Support v1.0.0.24 or later. Some poor coding has also left Skype users open to a serious vulnerability. The checks that Skype performs on links to see if they could be malicious are very easily bypassed, which can result in code being run on your machine. If you do use Skype be sure not to click on any links from untrusted sources. Upgrading to the latest Skype package will fix this vulnerability. If you're using a VMWare product, chances are that you would have done some patching this week as multiple vulnerabilities were reported across many of their packages. Cisco PIX and ASA users will also need to do some patching as a result of yesterdays Cisco Alert. Be sure to check the list of available systems and apply the relevant patches. Have a great weekend, Paul