Microsoft warns of 64-bit Windows 7 hole

Microsoft is working on a patch to fix a hole in a 64-bit Windows 7 graphics display component that could be exploited to crash the system or potentially take control of the computer by running code remotely.

The company is investigating a new publicly reported vulnerability in the Windows Canonical Display Driver (cdd.dll) that affects 64-bit versions of Windows 7 and Windows Server 2008 R2, and Itanium-based Windows Server 2008 R2. The driver enables applications to use graphics and formatted text on the video display and printer.

Microsoft is working on a security update to address the vulnerability and …

Microsoft fixes 28 flaws; 6 are critical

Microsoft on Tuesday released its December 2008 security bulletin. The "critical" bulletins affect Windows GDI, Word, Excel, Internet Explorer and Windows Search. The "important" updates affect SharePoint and Windows Media Components.

Microsoft is including within each bulletin an "exploitability index" to help system administrators prioritize the patches. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-070: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX …

Firefox updates include a dozen security fixes

On Wednesday, Mozilla released Firefox 3.0.4 (download for Windows and Mac) and Firefox to address a dozen security flaws, half of which the browser maker ranks as critical. Among the critical is one that could allow an attacker privilege escalation after a session restore. Another could allow arbitrary code to execute with compromised Flash media files.

The updates are pushed automatically to current users and will take effect the next time the browser is restarted. Updates will soon no longer be available for users of Firefox 2; the update is a security update only. …

Firefox update fixes a dozen flaws

Mozilla released Firefox 2.0.017 and Firefox 3.0.2, updated versions of its browser, on Wednesday to address a dozen security vulnerabilities. Four are ranked by Mozilla as critical, one high, two moderate, and the rest of the patches are considered low priority. About half do not apply to Firefox 3.

The updates are pushed automatically to current users and will take effect the next time the browser is restarted. Current users of Firefox 2 are encouraged to upgrade by manually downloading Firefox 3 as soon as possible. …

Microsoft: Expect four bulletins on Patch Tuesday

On Thursday, Microsoft announced four security bulletins for Tuesday. The announcement is intended as a heads-up for IT departments before Patch Tuesday. All four are considered critical, the most serious ranking offered by the software giant.

Among the critical patches, two affect Windows Media Player, one affects Windows, while the other affects Microsoft Office. All could enable remote code execution if exploited.

Starting next month, Microsoft will be sharing the technical details of new vulnerabilities to give software developers a chance to update affected products before the public announcement. Also in October, Microsoft will start providing each bulletin with an …

Firefox 3 suffers its first vulnerability

Less than one day after its launch, Firefox 3 has a vulnerability.

According to TippingPoint's Zero Day Initiative, the vulnerability, which it rates as critical, was reported within the first five hours of Firefox 3's release.

"Once the vulnerability was verified in TippingPoint's DVLabs and acquired from the researcher, the vulnerability was promptly reported to the Mozilla security team," said a representative.

Although the Zero Day Initiative team does not offer specifics until the vendor has a chance to patch it, the blog post did say this vulnerability, which also affects Firefox 2, requires …

Yahoo IM affected by ActiveX vulnerabilities

On the heels of ActiveX vulnerabilities in the image uploading tools for Facebook and, researchers warned Monday that Yahoo Instant Messenger and Yahoo Messenger are vulnerable to ActiveX-based attacks.

Researcher Elazar Broad has disclosed a Boundary Condition vulnerability within mediagrid.dll, version 2.2.2 56. Researchers Krystian Kloskowski and Broad have disclosed a second Boundary Condition vulnerability within datagrid.dll, version 2.2.2 56c. And Kloskowski alone has disclosed a buffer overflow within datagrid.dll 2.2.2 56, which affects the AddImage function.

The three vulnerabilities are present within Yahoo Instant Messenger version 3.5 …