Information Security all in one place!

Posts tagged “Patching”

Joomla! 2.5 Security Update Fixes Vulnerabilities


The Joomla! project has released version 2.5.3 of its open source content management system (CMS). This is a security update that addresses two “High Priority” vulnerabilities.

The first of these is caused by an unspecified programming error which could have allowed a malicious user to gain escalated privileges. The other hole is an error in random number generation when resetting passwords that could be exploited by an attacker to change a user’s password.

Versions 2.5.0 to 2.5.2 as well as all 1.7.x and 1.6.x releases are affected. The developers advise all users to upgrade to 2.5.3 to fix these problems. More details about the update can be found in the official release announcement and in the security advisories. Joomla! 2.5.3 is available to download from the project’s site and is licensed under the GPL.

 

Complete details here: http://www.h-online.com/security/news/item/Joomla-2-5-update-fixes-security-vulnerabilities-1476632.html


Love and Security: Microsoft Sends us Both


Happy Patch Day

Instead of giving you the same breakdown of the recent critical fixes, I have decided to go a different route. NSIT has compiled a list of websites that discuss the vulnerabilities in depth. Microsoft has released fixes for some critical exploits; knowing what they are is just half of what you need to know. How applying these updates affects your current environment is critical. Read on and keep patching!!

Microsoft’s Security Website: http://technet.microsoft.com/en-us/security/bulletin/ms12-feb

CIO Today:

Andrew Storms, director of security operations at nCircle, quipped that IT security teams are not getting any candy hearts from Microsoft for Patch Tuesday. Instead, every version of Internet Explorer gets a security update. Another analyst pointed to the HTML Layout and GDI Access Violation vulnerabilities as particularly important patches.

Read More: http://www.cio-today.com/news/No-IT-Valentines-on-Patch-Tuesday/story.xhtml?story_id=0320013QGOXS&full_skip=1

CSO Blogs:

Microsoft has just released its February 2012 security updates. Here’s some analysis from the folks at Symantec, McAfee and Qualys.

Read More: http://blogs.csoonline.com/network-security/2031/patch-tuesday-notes-february-2012

InfoPackets:

Microsoft will be offering fixes for a wide range of flaws affecting the company’s Internet Explorer (IE) web browser, every version of its Windows operating system (OS), as well as Microsoft Office.

Read More: http://www.infopackets.com/news/business/microsoft/2012/20120213_microsoft_patch_tuesday_fixes_21_security_flaws.htm

Your feedback is encouraged http://feedback.netsecurityit.com

Microsoft Patches SSL BEAST; But warns of more!


In the first Patch Tuesday of 2012, Microsoft fixes an old issue and warns about a new security bypass risk.

Microsoft is kicking off its 2012 Patch Tuesday release cycle with seven security bulletins. Among the items patched is an SSL issue that has been known publicly since at least September 2011.

The January Patch Tuesday update provides a fix for the SSL BEAST attack (an acronym for Browser Exploit Against SSL/TLS). The BEAST exploit takes advantage of a weakness in the TLS 1.0 version of SSL to decrypt encrypted HTTPS requests.

Read More: http://tinyurl.com/MS-BEAST

Bypass Security Risk; Windows Kernel: http://technet.microsoft.com/en-us/security/bulletin/ms12-001

Severity Rating: Important
Revision Note: V1.0 (January 10, 2012): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow an attacker to bypass the SafeSEH security feature in a software application. An attacker could then use other vulnerabilities to leverage the structured exception handler to run arbitrary code. Only software applications that were compiled using Microsoft Visual C++ .NET 2003 can be used to exploit this vulnerability.

Adobe Releases Updates for Adobe Reader and Acrobat


Adobe has released a Security Advisory for Adobe Reader and Acrobat to address a vulnerability affecting the following software versions:

* Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh
* Adobe Reader (9.4.6) and earlier 9.x versions for Unix

Exploitation of this vulnerability may allow an attacker to cause a denial-of-service condition or take control of the affected system.
Adobe also states that using Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit for this vulnerability.

http://www.us-cert.gov/current/index.html#adobe_releases_updates_for_adobe1