Wiz's Computer and Website Security Blog

May 2, 2007

Apple today released QuickTime 7.1.6 for Mac and QuickTime 7.1.6 for Windows which delivers numerous bug fixes, addresses a critical security issue with QuickTime for Java and includes support for:

Final Cut Studio 2
Timecode and closed captioning display in QuickTime Player

This update is recommended for all QuickTime 7 users, including Firefox users. (Firefox uses the QuickTime Plug-in which is vulnerable and needs updating)

About the security content of QuickTime 7.1.6:

CVE-ID: CVE-2007-2175
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9, Windows XP SP2, Windows 2000 SP4

Impact: Visiting a malicious website may lead to arbitrary code execution

Description: An implementation issue exists in QuickTime for Java, which may allow reading or writing out of the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously-crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. The code will run with the privileges of the target user.

QuickTime 7.1.6 is available via Software Update and also as standalone installers, using the following links:

QuickTime 7.1.6 for Mac (43.6MB)
http://www.apple.com/support/downloads/quicktime716formac.html

QuickTime 7.1.6 for Windows (19.1MB)
http://www.apple.com/support/downloads/quicktime716forwindows.html

The official Apple advisory is available at:
http://docs.info.apple.com/article.html?artnum=305446

Posted by Wiz at 7:54 PM | Permalink

Three flawed Windows security and driver updates were released on Patch Tuesday, February 13, and continued through Friday, February 16, 2007. The first one involves a defective "signed" VIA IDE driver update that places most computers into endless reboot cycles. The second involves installing an unnecessary Alps Pointing Device driver, on computers that don't have such a device. The third is a patch for PowerPoint that fails to fix the stated vulnerabilities it is meant to address.

The flawed VIA Primary IDE driver only appeared under optional Hardware Updates, if you ran manual updates, using the Custom Option. I first became aware of the problem on Friday, February 16, when I performed Windows Updates for a client, at his office. The first and second machines to receive updates had the VIA Primary IDE Driver listed under Hardware Updates, so I installed it and rebooted, and rebooted, and rebooted... After the third time I realized that there was a problem with that driver and I used F8 to get to the boot menu, where I selected "Last Known Good Configuration," which succeeded in getting back into Windows. From there I right-clicked on My Computer, selected Properties, then Hardware, then Device Manager > IDE ATA ATAPI Controllers, then rolled-back the VIA Primary Channel IDE driver update to the previous driver, rebooted, and all was well again.

Another one of the Hardware updates seems to have placed an unwanted and unneeded Alps Touchpad/Pointing device driver and icon on the computers that did not have an Alps Touchpad attached to them. Using Device Manager > Mice/Pointing Devices I rolled-back the driver and the touchpad icon and other pointer problems were resolved, after a reboot.

The third problem was just announced via Microsoft Technet, in this security re-release notice: http://www.microsoft.com/technet/security/bulletin/ms06-058.mspx

Microsoft Security Bulletin MS06-058
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (924163)
Published: October 10, 2006 | Updated: February 21, 2007

Recommendation: Customers should apply the update immediately

Security Update Replacement: This bulletin replaces a prior security update.

Why did Microsoft minor revise this bulletin on February 13, 2006?

Further investigation of CVE-2006-3877 as originally revealed that the update was not effective in removing the vulnerability from affected systems. The Microsoft Security bulletin, MS07-015 has been issued to properly address CVE-2006-3877 and customers should apply the updates in this bulletin immediately.

More information and links to download hotfixes are in the extended entry -->

Continue reading "Microsoft Releases Flawed Windows Updates in Feb 13-16, 2007 Patch and Hardware Updates" »

Posted by Wiz at 3:40 PM | Permalink

I am posting this for my viewers who use Apple's Mac operating systems, the percentage of which is not declining ;-)

Apple released Security Update 2006-007 in various versions. The update is available via Software Update and also as standalone installers.

Security Update 2006-007 is recommended for all users and improves the security of the following components:

- AirPort
- ATS
- CFNetwork
- Finder
- Font Book
- Font Importer
- Installer
- OpenSSL
- PHP
- PPP
- Samba
- Security Framework
- VPN
- WebKit
- gnuzip

About the security content of Security Update 2006-007:
http://docs.info.apple.com/article.html?artnum=304829

Continue reading "Apple releases Security Update 2006-007" »

Posted by Wiz at 6:20 PM | Permalink

YPOPs, a free POP3 email interface for sending and receiving Yahoo email via your POP3 email client, was updated on October 18, 2006. POP3 email clients include Outlook, Outlook Express, Thunderbird, Eudora, etc. If you use one of these programs and would like to be able use it to send and receive your Yahoo email, YPOPs will allow you to do so. Normally, Yahoo email must be accessed via HTTP, using a web browser. This program bridges the gap between HTTP and POP3 email.

I have written out instructions for configuring and using YPOPs on my Wiz's Workshop page. I am using YPOPs on various operating systems, including Windows Vista RC1. I am not affiliated with YPOPs in any way; I am just a happy user.

Download
You can download the latest version of YPOPs from Don Beusee's Download Site (He is involved in the project).

YPOPs Project information, documentation and discussion forums

Continue reading "YPOPs has been updated (delivers Yahoo email via POP3)" »

Posted by Wiz at 1:08 PM | Permalink

Microsoft Security Bulletin MS06-055:

Vulnerability in Vector Markup Language Could Allow Remote Code Execution - Patched

Published: September 26, 2006

This information deals with the VML vgx.dll buffer overflow vulnerability announced on September 19, 2006, and the VML exploits that are currently in the wild.

http://www.microsoft.com/technet/security/bulletin/ms06-055.mspx

VML Buffer Overrun Vulnerability - CVE-2006-4868:

A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows. An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Microsoft has issued an out-of-cycle patch for the Vector Markup Language vulnerability mentioned above and in a previous entry on my blog. This is a critical vulnerability and if you have not already obtained the patch you should do so immediately. Go to Windows Updates to receive it manually, or turn on Automatic Windows Updates (Control Panel > Automatic Updates), or visit the page linked to above and download the patch for your OS.

Undo the suggested Microsoft workaround if you applied it! See my extended comments for details.

Continue reading "Microsoft Patch MS06-055 Issued for VML Exploit" »

Posted by Wiz at 12:48 PM | Permalink