[SecurityRatty] tag: patches

Security Manager's Journal: When is a patch not really a patch?

Mon, 01 Dec 2008 02:00:00 +0000

When patches are dutifully installed but the servers aren't rebooted -- for as long as two years, in this case -- it's the same as not installing the patches at all.

Apple patches 12 iPhone bugs, adds Street View, podcast downloads

Fri, 21 Nov 2008 02:00:00 +0000

Apple today released iPhone 2.2, the first update to the phone's firmware in more than two months, patching a dozen security vulnerabilities and adding several new features.

Linux vendors patch XML parser

Wed, 19 Nov 2008 21:00:00 +0000

Most of the major Linux vendors have released patches for a pair of bugs in libxml2, an XML C parser and toolkit developed for the Gnome project. Both bugs could be exploited in a denial of service attack against systems that rely on the libxml2 module. Ubuntu, Mandriva, rPath and Debian are all out with patches today to remedy the problem.

Google patches Chrome file-stealing bug

Fri, 14 Nov 2008 02:00:00 +0000

Google has patched its Chrome browser to prevent attackers from stealing files from PCs running the open-source app.

Google patches Chrome file-stealing bug

Thu, 13 Nov 2008 21:00:00 +0000

Google has patched Chrome to prevent attackers from stealing files from PCs running the open-source browser.

Microsoft security patch was seven years in the making

Tue, 11 Nov 2008 21:00:00 +0000

Some security patches take time.

Vulnerabilities quickly mitigated by security-conscious vendors

Tue, 11 Nov 2008 17:10:00 +0000

As you are likely aware, I spend a fair bit of time heckling those I believe deserving due to their shortcomings with regard to protecting online consumers.
I do, however, continue to seek opportunities to shed positive light as well, and recent responses from a number of vendor/developers warrant an opportunity to do just that.
In the last 30 days, I've discovered vulnerabilities in products from four different vendors, and advised them all immediately upon discovery. Usually, that's where the story ends, as sadly, my repeated requests for action are often ignored. The last 30 days have proven to be entirely different, with swift responses and action from ALL vendors to whom I reported vulnerabilities. In all cases I received replies within 24 hours or less, and patches/fixes/updates were typically released within 24-72 additional hours. These are exemplary responses, and reflect why I choose to conduct vulnerability research. I believe we, as web application professionals (both developers and security practitioners), are beholden to the greater public and must endeavor to protect the online safety of the Internet consumer.
To each of these vendors/developers I'd like to issue a hearty "well done" and issue public kudos for their diligence and security consciousness, on behalf of consumers and website operators.
To Lukas of PlanetLuc, Jasper and Eric of Infrae/Silva, Alexander of CompactCMS, and Peter from ActiveCampaign may I say that your efforts are greatly appreciated. Where too few choose to do the right thing, your responses leave us with the perception of caring and integrity.
Thank you.

del.icio.us | digg | Submit to Slashdot

Microsoft patches long-known Windows bugs

Tue, 11 Nov 2008 02:00:00 +0000

Microsoft patched four vulnerabilities in two security updates for Windows and Office, including a critical bug that had been publicly disclosed nearly two years ago.

Microsoft security patch was seven years in the making

Tue, 11 Nov 2008 02:00:00 +0000

Some security patches take time.

One in four DNS servers still vulnerable to Kaminsky flaw, survey says

Sun, 09 Nov 2008 21:00:00 +0000

he Measurement Factory's 4th annual study of 80 million addresses in the IPv4 space proves several in the Internet community didn't heed the industry's warning to upgrade their DNS servers with patches for the Kaminsky flaw and other known vulnerabilities.