
Posts tagged ‘patch’

8 Feb

WordPress 3.0.5 Update Fixes Security Issues

WordPress 3.0.5 has been released. It is primarily a security update focusing on vulnerabilities which can be exploited through untrusted user accounts, and follows the recent 3.0.3 and 3.0.4 updates, which were also security-focused. If your WordPress installation does not have any non-admin users, this update is less urgent; it is nevertheless recommended that you update as soon as possible.

Here is a description of the five main updates:

Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.

One information disclosure issue was addressed that could have allowed an Author-level user to view contents of posts they should not be able to see, such as draft or private posts.

Two security enhancements were added. One improved the security of any plugins which were not properly leveraging our security API. The other offers additional defense in depth against a vulnerability that was fixed in a previous release.

WordPress 3.1 is currently at RC4 and is expected to be officially released soon.

30 Dec

WordPress 3.0.4 Patches XSS Flaws in HTML Sanitation Library

WordPress have released an update (3.0.4), dubbed “the most important security release of the year”, that patches a core security bug in the HTML sanitation library (KSES). KSES is responsible for filtering user input and, as such, is used to protect WordPress sites from attacks such as Cross-Site Scripting (XSS). XSS vulnerabilities were discovered; however, the details of these are not available (see below).

They rate this release “critical”, so it’s recommended that all WordPress sites update as soon as possible. The full changeset for the 3.0.4 update is here. Security researchers are invited to review these changes to ensure the vulnerabilities have been fully fixed. Spread the news if you have any friends with a WordPress blog!

[Updated] One stored XSS exploit for 3.0.3 is available here.

9 Dec

WordPress 3.0.3 Fixes Authorization Issues

Hot on the heels of the previous update that patched an authenticated SQL injection vulnerability, WordPress have released version 3.0.3 which fixes authorization issues in the remote publishing interface. The vulnerability may allow Author and Contributor-level users to improperly edit, publish, or delete posts. WordPress state:

These issues only affect sites that have remote publishing enabled.

I would also add that these issues only affect sites that actually have Author and Contributor-level users. If you’re the only user of your blog, you don’t need to be worried (but update anyway).

Remote publishing is enabled and disabled in Settings > Writing > Remote Publishing.

8 Dec

Apple Releases QuickTime 7.6.9 Security Update

Apple has released QuickTime 7.6.9 for Leopard (Mac OS X 10.5.8) and Windows (XP, Vista, 7), patching a number of vulnerabilities, including several that were fixed in the recent Mac OS X 10.6.5 update.

The vulnerabilities include improper handling of JP2, AVI, MPEG, Flashpix, GIF, PICT, and QTVR files. Viewing maliciously crafted files can lead to remote code execution in some cases.

QuickTime definitely needs more strengthening. Leopard and Windows users, go forth and patch!


23 Nov

iOS 4.2.1 Released with Free “Find My iPhone”

Apple has finally released the highly-anticipated iOS 4.2 (the actual version is 4.2.1), bringing support for the iPad along with several other features, including AirPlay and AirPrint.

Along with this release, Apple has made the “Find My iPhone” functionality in MobileMe free to all iPhone, iPad and iPod Touch owners. This service uses a combination of GPS, cell tower and Wi-Fi network triangulation to obtain the location of the device, which can then be mapped. It also allows you to send messages to, lock, or completely wipe the remote device. To use this feature, you’ll need to add a MobileMe account using your iTunes Apple ID by going to Settings > Mail, Contacts, Calendars > Add account. You can then track your device using the Find My iPhone app available in iTunes, or using the MobileMe web interface.

Users concerned about the privacy implications of this feature can easily disable it by going to Settings > Mail, Contacts, Calendar > Select your MobileMe account > Set ‘Find My iPhone’ to Off. Have a look at Apple’s KnowledgeBase article for more info on this feature.

iOS 4.2.1 brings with it a number of security updates (including Safari and numerous WebKit patches). Although it’s not mentioned in the update details, the previously-reported cool-but-deadly keylock bypass vulnerability has been fixed. Hit the jump for full details.

Related: Protecting and Recovering Your iPhone and iPad from Loss and Theft!


19 Nov

Apple Releases Safari 5.0.3 and 4.1.3

Safari updates 5.0.3 and 4.1.3 (for both Mac OS X and Windows) have been released to patch a number of WebKit vulnerabilities, some of which can lead to arbitrary remote code execution.

Fire up your Software Update! Hit the jump for full details of the vulnerabilities fixed.


11 Nov

Apple Releases Mac OS X 10.6.5 (Security Update 2010-007)

Apple has finally released Mac OS X 10.6.5, bringing a number of bugfixes and security patches to the OS and applications. The list includes numerous improvements to AFP (Apple Filing Protocol, used for File Sharing), QuickTime, and other image/PDF-based issues. I noticed that Apple are crediting themselves on quite a few of these, so it’s nice to see they’re putting in the effort of hunting down bugs.

Available via Software Update!


4 Nov

iOS 4.2 Update Fixes Passcode Bypass Bug

The upcoming iOS 4.2 update, recently seeded to developers, fixes the recently-discovered keylock/passcode bypass bug. The bug allows any user with access to a locked iPhone to make phone calls, view/modify contacts, and send/view emails, by exploiting a simple bug on the “Emergency Call” screen.

Full details of security patches in this update will be announced upon release.

[Update] iOS 4.2.1 has been released.

8 Sep

Safari 5.0.2 Update Fixes WebKit Bugs

Apple has released Safari 5.0.2 and 4.1.2 updates for Mac OS X and Windows which fix issues in both Safari and WebKit (the browser’s rendering engine).

The first issue, which only affects Safari on Windows systems, may lead to code execution if the user attempts to reveal the location of a downloaded file. The other two vulnerabilities are an input validation issue in WebKit’s handling of floating point data types, and a use-after-free issue in WebKit’s handling of elements with run-in styling. Both of these could be used to perform arbitrary code execution.

These two updates should be available in Software Update.

Hit the jump for Apple’s full patch info.


25 Aug

Mac OS X Security Update 2010-005 (Fixes PDF Vulnerability)

Apple has released Security Update 2010-005 for Mac OS X 10.5.8 and 10.6.4, which patches a number of issues, including the same PDF vulnerability used by jailbreakme (recently patched in iOS):

A stack buffer overflow exists in Apple Type Services’ handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved bounds checking.

Go off and patch! Full update details after the jump.
