The last couple of days have brought up multiple serious vulnerabilities in very commonly used client software:

• QuickTime 7.4.1 - Heap buffer overflow that may cause arbitrary remote code execution.
• Adobe Reader 8.1.2 - It turns out that the non-clearly defined security vulnerabilities in the release notes include a stack overflow that can lead to remote code execution, as analyzed by Kostya Kortchinsky from Inmunity. PoC is already available.
• Firefox 2.0.0.12 - It fixes 10 security issues, some of them labeled as critical.
• ... and be ready for the new twelve security bulletins Microsoft will release next Tuesday, 7 labeled as critical and 5 as important, affecting the OS, Office, IE and IIS.

As you already know, clients are one of the main targets for attacks nowadays. Ensure your automatic software update mechanisms are working properly or go back to the manual update process, but please, patch! BTW, based on a quick test, at this time only some of the new updates already show up on the automatic update features of the affected products: Adobe Reader and Firefox do, while Quick Time does not.

A topic I have been researching a little bit about recently is "update tools for third-party client applications". What tools do you use to manage updates on commonly used third-party client tools, apart from the expensive corporate solutions? Please, send us your suggestions and I will summarize in a future post.

-- Raul Siles
www.raulsiles.com