Flurry of Security Patches

yggy writes "It's been a hectic day on the security patching front. Microsoft's bulletins for July include patches for three critical vulnerabilities on the same day that Mozilla releases new security updates for Firefox and Thunderbird. Not to be left behind, Apple fixed two Tiger flaws while Oracle issued a critical database server update." (See these separate stories on today's release of Firefox 1.0.5 and the 10.4.2 update from Apple, too.)

And don't forget...

[Afecks]

...the zlib bug

KRB5 vulnerability too

[ikewillis]

http://www.frsirt.com/english/advisories/2005/1066

FrSIRT Advisory : FrSIRT/ADV-2005-1066
CVE Reference : CAN-2005-1174 - CAN-2005-1175 - CAN-2005-1689
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-07-12

* Technical Description *

Multiple vulnerabilities were identified in MIT Kerberos, which could be exploited by remote attackers to execute arbitrary commands or cause a denial of service.

The first issue occurs in the MIT krb5 Key Distribution Center (KDC) implementation when processing specially crafted TCP/UDP requests, which could be exploited by an unauthenticated attacker to cause a denial of service or execute arbitrary code on the KDC host.

The second vulnerability is due to a double-free error in the "krb5_recvauth()" function, which could be exploited by an unauthenticated remote attacker to execute arbitrary code in the context of a program calling the vulnerable function (this includes the kpropd program which typically runs on slave Key Distribution Center hosts).

* Affected Products *

MIT Kerberos 5 version 1.4.1 (krb5-1.4.1) and prior

* Solution *

Upgrade to krb5-1.4.2 release :
http://web.mit.edu/kerberos/dist/index.html

Or apply patches :
http://web.mit.edu/kerberos/advisories/2005-002-pa tch_1.4.1.txt
http://web.mit.edu/kerberos/advisories/2005-003-pa tch_1.4.1.txt

* References *

http://www.frsirt.com/english/advisories/2005/1066
http://web.mit.edu/kerberos/advisories/MITKRB5-SA- 2005-002-kdc.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA- 2005-003-recvauth.txt

* Credits *

Vulnerabilities reported by Daniel Wachdorf and Magnus Hagander

Non-security fixes in Firefox 1.0.5

[Adam9]

Here's some good info that colfer from this MozillaZine thread dug up:

1.0.5 is mainly a security fix, but I have seen a bunch of non-security fixes creep in also, such as removing the default checkbox "yes" for "make firefox my home page." This looks like a big cleanup for the 1.0.x branch, before 1.1 takes over.

I don't know about the security fixes, besides the medium-risk frame/window spoofing thing (with 1.0.4, you should not open untrusted sites at the same time as sensitive sites...). Here are the non-security fixes (non-security as it seems to me) checked in since 1.0.4:

https://bugzilla.mozilla.org/show_bug.cgi?id=28373 0
"Save As" dialog tries to overwrite link/shortcut (.lnk) file instead of opening the directory/folder

https://bugzilla.mozilla.org/show_bug.cgi?id=29521 0
Tab title different from window title on initial load at gmail

https://bugzilla.mozilla.org/show_bug.cgi?id=28377 7
Right arrow key after selecting autocomplete result no longer uses selected item

https://bugzilla.mozilla.org/show_bug.cgi?id=29123 2
update installer packages should offer unchecked check box for setting start page

https://bugzilla.mozilla.org/show_bug.cgi?id=29106 4
Helper app dialog incomplete for non-nsStandardURL types

https://bugzilla.mozilla.org/show_bug.cgi?id=26553 6
(64-bit only issue)

https://bugzilla.mozilla.org/show_bug.cgi?id=24563 1
Crash loading (particular) .ico file

https://bugzilla.mozilla.org/show_bug.cgi?id=14181 8
Table with large rowspans and colspans hangs the browser

https://bugzilla.mozilla.org/show_bug.cgi?id=28800 6
Drag image across browser windows --> crash

https://bugzilla.mozilla.org/show_bug.cgi?id=29505 2
Obscure Javascript crash

https://bugzilla.mozilla.org/show_bug.cgi?id=29627 0
Default user agent problem (AIX platform only)

https://bugzilla.mozilla.org/show_bug.cgi?id=28081 3
Crash on OS/2 platform

https://bugzilla.mozilla.org/show_bug.cgi?id=29377 8
bookmarks toolbar missing in 2nd opened window, links in second window possibly cause crash

Re:Non-security fixes in Firefox 1.0.5

[CyricZ]

Links to the Mozilla Project's Bugzilla installation from Slashdot are disabled, you know.

Re:Non-security fixes in Firefox 1.0.5

[Adam9]

Slashdot linkified them for me; I just copy and pasted the info.

Re:Non-security fixes in Firefox 1.0.5

[mab]

Right Click "open link in new window" works:)

Re:New patch strategy for MS?

[Kimos]

Actually, it's the other day around. This is Microsoft Tuesday, patch day for them every month. It's the F/OSS world that is releasing patches at the same time as MS.

Re:Open source

[Tanmi-Daiow]

apple is hardly 'open source'.

Re:Open source

[techno-vampire]

Microsoft releases security updates on a regular schedule, rather than as soon as they're created. For all we know, these new patches may have been sitting on the servers at Redmond for over a month before being announced. Not so with Open Source. When a patch is needed, it's developed, tested and released. No waiting for the next scheduled patch release like Microsoft does.

Re:Open source

[StonedRat]

I believe this will be the case from firefox 1.1

Re:Open source

[gordgekko]

I'll believe it when my open source web browser tells me I have security updates. I just used Firefox's check for updates feature and tells me there are none.

Fx 1.0.5 fixes and NoScript

Among the other fixes, Firefox 1.0.5 contains a patch to CAPS (Configurable Access Policies) that finally eliminates crashes reported by users of the NoScript extension. This should make Firefox users even more safe: its "whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality"...

Re:Safari now FAILS "Acid test"

[Kyro]

It only passes if you use a nightly. A shipped release has never passed the acid 2 test.

Don't Forget MS Office!

[MrNonchalant]

There was also a high priority update for Microsoft Office in addition to the 3 OS patches. Nothing critical, just updated spam definitions.

Quote:
Update for Outlook 2003 Junk Email Filter (KB895658)
This update provides the Junk E-mail Filter in Microsoft Office Outlook 2003 with a more current definition of which e-mail messages should be considered junk e-mail. This update was released in July 2005.

I'm using the new Microsoft Update (as opposed to Windows and Office separately) and so should you. And yes, according to their FAQ it adds Office to Windows automatic update.

Link: http://update.microsoft.com/

Re:WindowsUpdate freezes PC

[jpkunst]

WTF is Slashdot really hacking my computer?

I noticed that every time after I post something on /. I get a line like this in my web server log:

slashdot.org - - [23/Jun/2005:21:58:59 +0200] "GET http://ask.slashdot.org/ok.txt HTTP/1.0" 404 200 "-" "libwww-perl/5.803"

No idea what it is supposed to accomplish, but I assume that that is what your firewall is complaining about.

(Note: slashcode converted the URL above into a link, obviously the logfile entry is just a plaintext URL.)

JP