Chrome update contains Security fixes

Published: 2009-07-18
Last Updated: 2009-07-18 17:13:13 UTC
by Patrick Nolan (Version: 1)
0 comment(s)

On Thursday, July 16, Google Chrome 2.0.172.37 was released. It fixed what Google calls a Critical severity vulnerability, memory corruption in the browser process, and a High severity vulnerability, a heap overflow in JavaScript regular expressions. Google reports the vulnerabilities were identified by the "Google Chrome security team".

Stable, Beta update: Bug fixes


From the Mailbag - taking Oracle and its CPU to task

Published: 2009-07-18
Last Updated: 2009-07-18 17:10:53 UTC
by Patrick Nolan (Version: 1)
2 comment(s)

As a follow-up to a previous Diary (Oracle Black Tuesday), Storm Center participant Brian offered some comments about Oracle's CPU.

Brian said "Regarding your comment on Oracle Black Tuesday, I have several observations that may benefit other ISC readers.

The exposure of Oracle's CPU goes far beyond the database as they have expanded significantly into many other software, including key security management software (Identity Management/Authentication).

As Oracle repackages several open source products, administrators are stuck choosing between security and support. For example, the recent patches to Apache's http server can't be applied because Oracle repackages that product as Oracle HTTP Server. Apply the patches and you're no longer supported.

Oracle has got to find a way to make the CPU analysis easier. The decision matrix an administrator has to go through is obscene. I conducted an analysis of a recent CPU for our environment and it took me over a week solid to determine what the exposure was and what the pre-requisites for the CPU patches were. And that doesn't include the support time and outages because Oracle's documentation was incorrect. As a user community, we need to push Oracle to make this process simpler (think up2date or YaST or even Windows Update)."

Thanks for sending in your thoughts, Brian. Banding together and working with the vendor is always effective. So if there is already a group of customers that have banded together to work effectively with Oracle, let us know some of the group's specifics and I'll update the diary.

In addition to the previous Diary's comment about the lack of substantial vulnerability information for non-customers, it should be noted that Oracle's public Critical Patch Update Advisory - July 2009 has a section called the Patch Availability Table and Risk Matrices. Each product's risk matrix provides CVSS information that can help both customers and non-customers prioritize Oracle CPUs for deployment.


Vulnerability in FireFox 3.5.1 confirmed, exploit PoC, no patch

Published: 2009-07-18
Last Updated: 2009-07-18 15:04:23 UTC
by Patrick Nolan (Version: 1)
5 comment(s)

Various analysts and sites have recently confirmed that a vulnerability is present in Firefox 3.5.1 for which exploit PoC has been released. When exploited, the vulnerability can lead to system compromise or cause a DoS. No patch is available.

Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow Vulnerability

CVE-2009-2479

