Archive for the ‘Software Updates’ Category

Yahoo! Messenger ActiveX Flaw Exploits Released!

Thursday, June 7th, 2007

Two zero-day exploits for remote code execution flaws in Yahoo! Messenger’s Webcam application have been released.

One of the flaws is a boundary error in the Yahoo! Webcam Upload ActiveX control; the other is in the Yahoo! Webcam Viewer ActiveX control.

Yahoo! expects to have a fix for the flaws available soon.  The flaws have been confirmed in Yahoo! Messenger version 8.1.0.249 and may exist in other versions as well.

{Update: As of Friday, June 8, 2007, Yahoo! has already prompted Yahoo! Messenger users to download and install a security upgrade to patch the security issue.}

More info here on the Yahoo! ActiveX Flaw.

Microsoft Office 2003 Security Tool Protects Users from Infected Files

Tuesday, May 29th, 2007

Microsoft has released a free tool called Microsoft Office Isolated Conversion Environment, or MOICE, to help protect users from malware placed in Office files, a vector of attack that has recently gained popularity. 

MOICE converts Word, Excel and PowerPoint documents to their OpenXML counterparts and opens them in a quarantined environment to protect users' computers from embedded malicious payloads designed to exploit holes in Microsoft Office.

MOICE works in tandem with File Block, a tool that allows administrators to establish group policies regarding users' permissions to open certain file types. Both tools work out of the box with Microsoft Office 2007.

Microsoft Office 2003 users need to install the Compatibility Pack for Word, Excel and PowerPoint 2007 Office File Formats first. 

There is currently no protection offered for users running versions prior to Microsoft Office 2003.

http://support.microsoft.com/kb/935865

WordPress Releases v2.2, Codenamed Getz

Thursday, May 17th, 2007

This version includes a number of new features, most notably Widgets integration, and over two hundred bug fixes. It’s named in honor of tenor saxophonist Stan Getz.

Goodies:

  • WordPress Widgets allow you to easily rearrange and customize areas of your weblog (usually sidebars) with drag-and-drop simplicity. This functionality was originally available as a plugin; Widgets are now included by default in the core code, significantly cleaned up, and enabled for the default themes.
  • Full Atom support, including updating our Atom feeds to use the 1.0 standard spec and including an implementation of the Atom Publishing API to complement our XML-RPC interface.
  • A new Blogger importer that is able to handle the latest version of Google’s Blogger product and seamlessly import posts and comments without any user interaction beyond entering your login.
  • Infinite comment stream, meaning that on your Edit Comments page when you delete or spam a comment using the AJAX links under each comment it will bring in another comment in the background so you always have 20 items on the page. (I know it sounds geeky, but try it!)
  • We now protect you from activating a plugin or editing a file that will break your blog.
  • Core plugin and filter speed optimizations should make everything feel a bit more snappy and lighter on your server.
  • We’ve added a hook for WYSIWYG support in a future version of Safari.

In addition there were also dozens of UI and accessibility improvements, ranging from more concise wording around options and links to things like a view and preview link above the content box when you’re editing a post or page, as well as several important security fixes. 

WordPress will no longer support the 2.1 branch, so this is a required upgrade.

Download WordPress v2.2 Codename Getz.