The Mac Security Blog


Adobe Plugs 20 Holes in Shockwave Update

Adobe has released an update to its Shockwave Player, fixing 20 vulnerabilities that the company considers to be critical. “The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.” Users should update to Shockwave Player 11.5.8.612, downloading it from this page.


Mac OS X Security Update Fixes Over A Dozen Flaws

Apple has issued Security Update 2010-005, an 84 MB update that fixes a baker’s dozen flaws in Mac OS X 10.5 and 10.6, both client and server versions. One of the vulnerabilities that is corrected is described as follows:

A stack buffer overflow exists in Apple Type Services’ handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.

This flaw is similar to the “jailbreak vulnerability” that Apple fixed on its iOS. (We discussed the iOS update two weeks ago.)

Other fixes in this update cover networking and CoreGraphics, and PHP is updated to version 5.3.2.

Full information about the update is available here. You can get the update, as usual, through Software Update, or by download from Apple’s Downloads page.

600 Posts!

The Mac Security Blog hit a milestone today with its 600th post. For the past three years, we have been serving the Mac community with timely, essential information on Mac security, an area that is not well covered by other web sites. We’re very happy to have come this far, and we plan to continue our efforts to provide Mac users with the security information they need in the years to come.


Apple Updates iOS; Fixes Jailbreak Vulnerability

Apple has released updates for its iOS devices to fix the recently discovered vulnerability that allows remote jailbreak without user intervention. The gravity of this flaw was such that Apple rushed out the fixes, which resolve two issues:

Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution

Malicious code running as the user may gain system privileges

More information is available from Apple’s Security Updates page.

These updates affect the iPhone and iPod touch running iOS 4.0 or later, and the iPad, running iOS 3.2 or later. The updates are only available through iTunes, when the devices are connected to a computer.


Adobe Issues Flash Security Update

Adobe has issued a security update for Flash Player, fixing six critical vulnerabilities which “could cause the application to crash and could potentially allow an attacker to take control of the affected system.” More information about the vulnerabilities is available here.

Users can download the new version, 10.1.82.76, from this page.

It is worth noting that with this release of Flash Player, Adobe has enabled hardware decoding of H.264 video on Mac OS X. This only works with certain GPUs (video cards), but it means that playing H.264 video from web sites will result in much lower CPU usage on Macs that can take advantage of this feature. More information about this here.
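Both the Shockwave and the Flash posts above name a specific fixed version (11.5.8.612 and 10.1.82.76). The script below is an added example, not code from the blog or from Adobe: it checks an inventory of installed plug-in versions against those minimum patched versions. The fixed versions come from the posts; the inventory rows are constructed sample data, not readings from a real machine. It handles the two things that trip up naive checks: dotted versions must be compared numerically rather than as strings, and a shorter version such as "10.2" must be treated as newer than "10.1.82.76".

```python
"""Audit installed plug-in versions against the fixed versions named in the posts.

Added example. FIXED_VERSIONS are the versions stated in the Shockwave and
Flash posts; SAMPLE_INVENTORY is constructed sample data.
"""
import re

# Minimum patched versions stated in the posts above.
FIXED_VERSIONS = {
    "Shockwave Player": "11.5.8.612",
    "Flash Player": "10.1.82.76",
}

# Constructed sample inventory: (host, product, installed version string).
SAMPLE_INVENTORY = [
    ("host-a", "Shockwave Player", "11.5.7.609"),
    ("host-b", "Shockwave Player", "11.5.8.612"),
    ("host-c", "Flash Player", "10.1.53.64"),
    ("host-d", "Flash Player", "10.1.82.76"),
    ("host-e", "Flash Player", "10.2"),
    ("host-f", "Flash Player", "n/a"),
]


def parse_version(text):
    """Turn a dotted numeric version into a tuple of ints, or None if unparsable."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_at_least(installed, required):
    """Numeric comparison; shorter tuples are zero-padded so 10.2 >= 10.1.82.76."""
    width = max(len(installed), len(required))
    padded_installed = installed + (0,) * (width - len(installed))
    padded_required = required + (0,) * (width - len(required))
    return padded_installed >= padded_required


def audit(inventory, fixed=FIXED_VERSIONS):
    """Return (host, product, installed, status) rows.

    status is "patched", "needs-update", or "unknown" (unparsable version or
    a product with no known fixed version).
    """
    results = []
    for host, product, installed_text in inventory:
        required = parse_version(fixed.get(product, ""))
        installed = parse_version(installed_text)
        if required is None or installed is None:
            status = "unknown"
        elif is_at_least(installed, required):
            status = "patched"
        else:
            status = "needs-update"
        results.append((host, product, installed_text, status))
    return results


if __name__ == "__main__":
    for host, product, installed_text, status in audit(SAMPLE_INVENTORY):
        print(f"{host:8} {product:17} {installed_text:12} {status}")
```

The zero-padding matters: compared as plain strings, "10.1.9" sorts after "10.1.82.76" because "9" > "8", which would wrongly mark an older build as patched. Rows reporting "unknown" deserve a manual look rather than being counted as compliant.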


Microsoft Releases Office Updates With Critical Security Fixes

It’s been a while, and Microsoft has released new updates for Office, which include some security fixes. The 333 MB Microsoft Office 2008 for Mac 12.2.6 Update provides a number of bug fixes to the Office software, and “includes fixes for vulnerabilities that an attacker can use to overwrite the contents of your computer’s memory with malicious code.” The same flaw is fixed in the Microsoft Office 2004 for Mac 11.6.0 Update, which is 192 MB. It is strongly recommended that all Office users apply these updates.

Microsoft also updated their Open XML File Format Converter for Mac to version 1.1.6 to correct a critical security flaw.