Aug 24, 2009

Vulnerability in Pidgin

Published by hirantha at 10:00 AM under Security | Instant Messaging

CORE Security Technologies published a vulnerability in libpurple. Libpurple is the backend framework for many instant messenger clients: Pidgin, Finch, Adium, Meebo, and Gaim, among others. Although CORE specifically mentions only Gaim, libpurple, Pidgin, and Adium, the other libpurple-based clients may be vulnerable as well.

Versions of libpurple <= 2.5.8 (Pidgin <= 2.5.8 and Adium <= 1.3.5) are vulnerable. The vulnerability is in the function msn_slplink_process_msg(), which handles instant messages from the MSN network.

All it takes to exploit this vulnerability is to receive a message from another MSN user. They do not have to be on your buddy list. The only mitigation step, other than patching or logging off of the MSN network, is to configure your buddy list so that only specific users are allowed to contact you.

Solution:

Upgrade to a version of your respective IM client that is based on a fixed release of Pidgin/libpurple. Non-vulnerable versions of libpurple are >= 2.5.9.




Aug 24, 2009

Updates to VMware Products

Published by hirantha at 9:04 AM under Security | VMWare

VMware has released a new security advisory, VMSA-2009-0010.

This advisory results in updates to:

VMware Workstation
VMware Player
VMware ACE



Aug 24, 2009

Thunderbird Version 2.0.0.23 released

Published by hirantha at 9:01 AM under Mozilla | Thunderbird | Open Source

A new version of Thunderbird, version 2.0.0.23, is available. This update fixes MFSA 2009-42 (Compromise of SSL-protected communication).

If you are a Thunderbird user, it is probably best to apply this update as soon as convenient.

Note that this update, which affects multiple Mozilla products, appears to have changed the rules for security certificates generated with wildcards. More information is available at the Fourmilab Blog.




Aug 20, 2009

Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1

Published by hirantha at 6:30 AM under Microsoft | Software Development | Windows 7

The Windows SDK for Windows 7 and .NET Framework 3.5 SP1 provides the documentation, samples, header files, libraries, and tools (including C++ compilers) that you need to develop applications to run on Windows 7 and the .NET Framework 3.5 SP1. To build and run .NET Framework applications, you must have the corresponding version of the .NET Framework installed. This SDK is compatible with Visual Studio® 2008, including Visual Studio Express Editions, which are available free of charge.

Please see the Release Notes for the full list of supported platforms, compilers, and Visual Studio versions, and for any late-breaking issues. For detailed information about the content in this SDK, including a description of new content, please see the Getting Started section in the documentation.

Download at Microsoft Download




Jul 16, 2009

Firefox 3.5 new exploit

Published by hirantha at 10:26 AM under Firefox | Mozilla | Security

The Mozilla security blog confirms that an exploit against an unpatched vulnerability in Firefox 3.5 exists and has been made public.

Do note that Heise tried to confirm the vulnerability and only managed a crash on Vista, and could not make it work on Windows 7 RC1:
http://www.h-online.com/security/First-Zero-Day-Exploit-for-Firefox-3-5--/news/113761

The Mozilla blog post above gives a workaround: temporarily disable the javascript.options.jit.content setting in about:config.

Alternatively, one could install and use NoScript to disable all JavaScript by default.


