Slashdot Mirror
Flurry of Security Patches
yggy writes "It's been a hectic day on the security patching front. Microsoft's bulletins for July include patches for three critical vulnerabilities on the same day that Mozilla releases new security updates for Firefox and Thunderbird. Not to be left behind, Apple fixed two Tiger flaws while Oracle issued a critical database server update." (See these separate stories on today's release of Firefox 1.0.5 and the 10.4.2 update from Apple, too.)
So today we have a bunch of new patches, which means tomorrow we will have all the exploits being developed and released. The major problem with patches is they often are not installed by end users, and that is the bread and butter of zombie botnets.
Voice your opinion!
...the zlib bug
http://www.frsirt.com/english/advisories/2005/1066
:
:a tch_1.4.1.txt a tch_1.4.1.txt
6 - 2005-002-kdc.txt - 2005-003-recvauth.txt
FrSIRT Advisory : FrSIRT/ADV-2005-1066
CVE Reference : CAN-2005-1174 - CAN-2005-1175 - CAN-2005-1689
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-07-12
* Technical Description *
Multiple vulnerabilities were identified in MIT Kerberos, which could be exploited by remote attackers to execute arbitrary commands or cause a denial of service.
The first issue occurs in the MIT krb5 Key Distribution Center (KDC) implementation when processing specially crafted TCP/UDP requests, which could be exploited by an unauthenticated attacker to cause a denial of service or execute arbitrary code on the KDC host.
The second vulnerability is due to a double-free error in the "krb5_recvauth()" function, which could be exploited by an unauthenticated remote attacker to execute arbitrary code in the context of a program calling the vulnerable function (this includes the kpropd program which typically runs on slave Key Distribution Center hosts).
* Affected Products *
MIT Kerberos 5 version 1.4.1 (krb5-1.4.1) and prior
* Solution *
Upgrade to krb5-1.4.2 release
http://web.mit.edu/kerberos/dist/index.html
Or apply patches
http://web.mit.edu/kerberos/advisories/2005-002-p
http://web.mit.edu/kerberos/advisories/2005-003-p
* References *
http://www.frsirt.com/english/advisories/2005/106
http://web.mit.edu/kerberos/advisories/MITKRB5-SA
http://web.mit.edu/kerberos/advisories/MITKRB5-SA
* Credits *
Vulnerabilities reported by Daniel Wachdorf and Magnus Hagander
Here's some good info that colfer from this MozillaZine thread dug up:
3 0
1 0
7 7
3 2
6 4
3 6
3 1 .ico file
1 8
0 6
5 2
7 0
1 3
7 8
1.0.5 is mainly a security fix, but I have seen a bunch of non-security fixes creep in also, such as removing the default checkbox "yes" for "make firefox my home page." This looks like a big cleanup for the 1.0.x branch, before 1.1 takes over.
I don't know about the security fixes, besides the medium-risk frame/window spoofing thing (with 1.0.4, you should not open untrusted sites at the same time as sensitive sites...). Here are the non-security fixes (non-security as it seems to me) checked in since 1.0.4:
https://bugzilla.mozilla.org/show_bug.cgi?id=2837
"Save As" dialog tries to overwrite link/shortcut (.lnk) file instead of opening the directory/folder
https://bugzilla.mozilla.org/show_bug.cgi?id=2952
Tab title different from window title on initial load at gmail
https://bugzilla.mozilla.org/show_bug.cgi?id=2837
Right arrow key after selecting autocomplete result no longer uses selected item
https://bugzilla.mozilla.org/show_bug.cgi?id=2912
update installer packages should offer unchecked check box for setting start page
https://bugzilla.mozilla.org/show_bug.cgi?id=2910
Helper app dialog incomplete for non-nsStandardURL types
https://bugzilla.mozilla.org/show_bug.cgi?id=2655
(64-bit only issue)
https://bugzilla.mozilla.org/show_bug.cgi?id=2456
Crash loading (particular)
https://bugzilla.mozilla.org/show_bug.cgi?id=1418
Table with large rowspans and colspans hangs the browser
https://bugzilla.mozilla.org/show_bug.cgi?id=2880
Drag image across browser windows --> crash
https://bugzilla.mozilla.org/show_bug.cgi?id=2950
Obscure Javascript crash
https://bugzilla.mozilla.org/show_bug.cgi?id=2962
Default user agent problem (AIX platform only)
https://bugzilla.mozilla.org/show_bug.cgi?id=2808
Crash on OS/2 platform
https://bugzilla.mozilla.org/show_bug.cgi?id=2937
bookmarks toolbar missing in 2nd opened window, links in second window possibly cause crash
Actually, it's the other day around. This is Microsoft Tuesday, patch day for them every month. It's the F/OSS world that is releasing patches at the same time as MS.
when microsoft releases security updates, it's cuz the software is crap. when others do it, it's cuz the software rocks. no double standards here. maybe it's like when girls get naked. if she's good looking, makes it better. if your she's bad looking, much worse. microsoft may be bloated, but needs love just like everyone else.
After taking to Apple tech support about my X11 problem, and having them refuse to help, I guess I'll just have to follow the MS support path and re-install the OS.
The sysadmin mantra lives on: All operating systems suck, they just suck differently.
-Chris
-- This sig is only a test. If this were a real sig it would say something witty. --
they continue making progress with the bug fixes. For me, FF is feature packed enough. I'd prefer to see some more work on the update facilities and performance when running on Linux (fix the RAM usage and crashes please). I like FF because it's light, I don't want more bloatware. The FF team need to remember that we can switch back to IE, or to Opera or something else, just as easily as we switched to FF. Many FF users aren't in it to snub MS (they're both free browsers, it's not like they lose money), they're using it cause it's a safer, more stable product. The second that changes, I and many like me go elsewhere.
Anyone that claims open source is entirely free of bugs is dreaming and/or misinformed.
The beautiful part is the speed at which critical bugs in OSS are corrected after being discovered.
Nah - its not that Microsoft sucks because the release patches.
Neither does OS suck because they release patches.
Its because microsoft takes so long to release patches for certain vulnerabilities that have been documents - even up to half a year before..
And that the continue to promote products that have been proven to be seriously flawed, and release new versions without those flaws fixed.
There is a difference between releasing a product, and then patching it - and releasing a product knowing it needs patches before its released.
I gotta admit - look how much testing the do on the patches they do release. Service Pack 2 anyone?
Although it can be funny, tell them to plug the power in.
You think so? Check out the patch list for FF 1.05
l nerabilities.html#Firefox
http://www.mozilla.org/projects/security/known-vu
12 vulnerabilities in this patch, the oldest was created in APRIL! And it's marked as high severity.
The newest we don't know, because Mozilla is keeping it hidden until July 20th, but if you take the Bugzilla report number, and add one to it you can get the bug that was created directly after it, and that was created in MAY!
So yes, Mozilla DOES sit on critical bugs for months.
If you need web hosting, you could do worse than here
Among the other fixes, Firefox 1.0.5 contains a patch to CAPS (Configurable Access Policies) that finally eliminates crashes reported by users of the NoScript extension. This should make Firefox users even more safe: its "whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality"...
It only passes if you use a nightly. A shipped release has never passed the acid 2 test.
save the GNUs!
There was also a high priority update for Microsoft Office in addition to the 3 OS patches. Nothing critical, just updated spam definitions.
Quote:
Update for Outlook 2003 Junk Email Filter (KB895658)
This update provides the Junk E-mail Filter in Microsoft Office Outlook 2003 with a more current definition of which e-mail messages should be considered junk e-mail. This update was released in July 2005.
I'm using the new Microsoft Update (as opposed to Windows and Office separately) and so should you. And yes, according to their FAQ it adds Office to Windows automatic update.
Link: http://update.microsoft.com/