Here are three that I got from my SANS newsletter (See note at bottom):
–Security Update for Chrome 9
(February 9 & 10, 2011)
Google has issued a security update for version 9 of its Chrome browser
just days after Chrome 9 was released in its stable version. The fix
addresses five vulnerabilities, three of which are rated high priority.
Chrome 9.0.597.94 also includes an updated version of Adobe Flash.
http://www.h-online.com/security/news/item/Google-releases-Chrome-9-security-update-1186749.html
http://www.esecurityplanet.com/features/article.php/3924161/Google-Refreshes-Chrome-9-for-Security-and-Flash.htm
–Adobe Fixes 42 Flaws in Reader and Flash
(February 9, 2011)
Adobe’s quarterly security update includes fixes for 29 flaws in Reader
and 13 in Flash. The release marks the first update for Reader X, an
upgraded version of the PDF Reader that includes a sandboxing feature
in the Windows version to protect users’ systems from some attacks.
Most of the flaws in Reader are rated critical and two could allow
cross-site scripting (XSS) attacks. The updates bring Reader to
versions 8.2.6, 9.4.2 and 10.0.1 for Windows and Mac OS X. An update
for Linux is expected to be available on February 28. Flash is now at
version 10.2.152.26 for Windows, Mac OS X, Linux and Solaris.
http://www.computerworld.com/s/article/9208819/Adobe_patches_42_bugs_in_Reader_Flash?taxonomyId=17
http://www.scmagazineus.com/adobe-issues-slew-of-patches-for-its-software/article/195984/
[Editor's Note (Schultz): I'm a huge proponent of sandboxing--it's good
to learn that Adobe has incorporated this function in its upgraded
version of the PDF Reader.]
–Microsoft Patches 22 Flaws and Disables AutoRun
(February 8 & 9, 2011)
Microsoft has addressed 22 vulnerabilities in its monthly security
update for February. Three of the 12 bulletins have been given maximum
severity ratings of critical, while the remaining nine have been rated
important. The vulnerabilities addressed affect Windows, Internet
Explorer (IE) and Office. The critical bulletins comprise a cumulative
security update for IE, and fixes for a flaw in Windows shell graphics
processing and the OpenType Compact Font Format driver that could allow
remote code execution. Microsoft has also released an update that
disables AutoRun, which has been used to propagate malware like
Conficker and Stuxnet. According to Microsoft, four of the top 10
malware families of the last quarter of 2010 used AutoRun to help them
spread. The same update was offered two years ago, but it was optional
at the time.
http://www.microsoft.com/technet/security/Bulletin/MS11-feb.mspx
http://www.zdnet.co.uk/news/security-management/2011/02/09/microsoft-fixes-css-exploit-in-patch-tuesday-update-40091724/
http://www.computerworld.com/s/article/9208660/Microsoft_delivers_big_month_of_patches_quashes_22_bugs?taxonomyId=17
http://www.computerworld.com/s/article/9208858/Microsoft_cripples_USB_drive_worms_with_new_XP_Vista_update?taxonomyId=17
http://krebsonsecurity.com/2011/02/adobe-microsoft-wordpress-issue-security-fixes/
[Editor's Note (Honan): Given the prevalence of viruses which spread via
USB keys and other portable media, we may find by disabling AutoRun that
this will be one of the most important recent patches issued by
Microsoft.]
NOTE:
NOW. You should have gotten the Microsoft patches automatically. If you are not sure, start up IE (erk) and go to update.Microsoft.com and follow the directions. You WILL have to reboot your machine after the patches are installed. Don’t pooh-pooh the Adobe patches. They are finally on the bandwagon.