| Thread ID: 43365 | 2004-03-12 08:41:00 | Update time(for outlook 2002, Mozilla browser & more...... | stu140103 (137) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 221917 | 2004-03-12 08:41:00 | Hello everyone

If you are running any of the below Programs / OS you might want to think about updating them, have a read of this:

(from IDG Virus & Security Watch)

* Microsoft revamps security bulletins; security the loser

Microsoft has redesigned the web pages that display its security bulletins. As if it were not already bad enough that, under the old design, the security conscious using Internet Explorer had to click through more than a dozen script and ActiveX control permission dialog boxes to get a useful version of the page, Microsoft's web design wizards have now rendered all the 'section expansion' links in javascript, preventing successful reading of the page unless you take the security lowering option of enabling scripting in whatever browser you prefer. As a result you may have to decrease the security settings of your browser to read the useful content in the Microsoft Security Bulletins linked below and in future newsletters.

* Critical Outlook 2002 code execution bug patched

Finnish security researcher Jouko Pynnonen has discovered a vulnerability in Outlook's handling of parameters passed to it in response to a user clicking a mailto: URL in a web page, e-mail message and so on. Microsoft has released patches for Outlook 2002 (the version included in Office XP), but it is not necessary if the newly-released Service Pack 3 (see item below) for Office XP has already been installed, as Office XP SP3 contains this fix. Initially Microsoft rated the vulnerability as being of only 'important' severity because it incorrectly believed the vulnerability could only be triggered if an unusual, non-default configuration was in effect. However, Pynnonen posted a correction to that misconception to several security mailing lists and Microsoft revised its security bulletin, upping the severity to critical.

Outlook mailto: URL handling flaw allows code execution - iki.fi
Microsoft Security Bulletin MS04-009 - [url=http://s0.tx.co.nz/at/tep34i43557a4j20616c292424s4t9n881431f1z]

* MSN Messenger for Windows update fixes remote file retrieval flaw

Microsoft has released an update to its MSN Messenger for Windows client that fixes a remote file retrieval vulnerability in MSN Messenger 6.0 and 6.1 (although the download page at msn.com simply identifies the current version as '6.1', its main executable has a version stamp of 6.1.0.211 and is date-stamped 4 March 2004 (at least in the Windows 2000 version the newsletter compiler just very quickly tested)). Details of how to remotely exploit this vulnerability, so as to retrieve files whose absolute paths on the victim machine are known, or easily guessed, have been published. Thus, although Microsoft rates the severity of this vulnerability as 'moderate', all active MSN Messenger users are advised to update as soon as practicable.

MSN Messenger home page - msn.com - [url=http://s0.tx.co.nz/at/tep34i43570a4j20616c292424s4t9n881431f1z]
Microsoft Security Bulletin MS04-010 - [url=http://s0.tx.co.nz/at/tep34i43548a4j20616c292424s4t9n881431f1z]

* MS03-022 updated

Microsoft has become aware of situations under which the original MS03-022 update installer would not properly replace the vulnerable file (NSIISLOG.DLL). The updated installer addresses this issue and Windows Update has been updated to re-offer this patch if the older, unpatched version of the affected file is found to be present, even if the registry value suggesting this patch has already been installed is present. The revised security bulletin, linked below, details (in the 'Frequently asked questions' section) how to locate that file and check its version number manually, should administrators prefer doing this themselves or use other patch management methods than depending on Windows Update.

Microsoft Security Bulletin MS03-022 - [url=http://s0.tx.co.nz/at/tep34i43551a4j20616c292424s4t9n881431f1z]

* Office XP service pack released on the sly...

Observant Office XP users probably noted with some interest the reference to Office XP SP3 in the Outlook parameter passing vulnerability item above. Although your newsletter compiler can find no 'official' comment from Microsoft about the release of this service pack, it does indeed seem that Office XP SP3 is now available for download from the page linked in the MS04-009 security bulletin.

Note that there have been some comments posted to the NTBugtraq mailing list that installing Office XP SP3 seems to have broken (or at least seriously downgraded the usefulness of) at least two popular third-party spam-blocking products. Russ Cooper, the moderator of NTBugtraq list, is sceptical that the service pack per se is the 'problem' here and has also posted his comments to that effect. We have linked to the March archive - readers interested in following up on this will have to scroll down and find the specific links to the 'Office XP SP3 breaks 3rd-party junk email filter' thread (the structure of the archive does not allow reliable linking to a specific thread and the 'read next/previous message in thread' options if we linked to the first message itself...). This issue may indicate the presence of some wider problem - users with any Outlook message filtering plug-ins would be well-advised to install the service pack on a test rig and carefully check that everything works as expected before rolling out SP3 to your production network (of course, you all do that already anyway, right?).

Microsoft Security Bulletin MS04-009 - [url=http://s0.tx.co.nz/at/tep34i43556a4j20616c292424s4t9n881431f1z]
Archived NTBugtraq list message - nybugtraq.com - [url=http://s0.tx.co.nz/at/tep34i43575a4j20616c292424s4t9n881431f1z]

* Windows Adobe Acrobat Reader users recommended to update to v6.x

Next Generation Security Software researchers have found an exploitable buffer overflow in the Windows version of Adobe Acrobat Reader v5.1. The vulnerability can be triggered when Acrobat Reader renders 'XML Forms Data Format' (XFDF) content and may be rendered automatically on download when using applications such as Internet Explorer. Adobe advised the discoverer of the vulnerability that the current release of Acrobat Reader is not vulnerable and users of the vulnerable version should update as soon as practicable.

Acrobat Reader XML Forms Data Format Buffer Overflow - nextgenss.com - [url=http://s0.tx.co.nz/at/tep34i43576a4j20616c292424s4t9n881431f1z]
Adobe download page - adobe.com - [url=http://s0.tx.co.nz/at/tep34i43562a4j20616c292424s4t9n881431f1z]

* Multiple vulnerabilities fixed in Mozilla browser update

Problems with cookie handling, ASN.1 parsing and various other security and privacy related flaws have been fixed in the latest release of the Mozilla browser. Popular amongst Linux distribution packagers, most of which have already shipped, or are preparing to ship, updated packages, pre-built Windows and Mac OS binary distributions of Mozilla 1.6 are also available from Mozilla's home page.

[url]http://mozilla.org (s0.tx.co.nz) |
stu140103 (137) | ||