Tag Archive | Arbitrary code execution

Apple releases major update to iTunes with version 10.7

160 vulnerabilities are being fixed with a new release from Apple for iTunes 10.

The newest version number is 10.7. Update now!

Most of the fixes involve WebKit. WebKit is a layout engine from Apple that renders webpages in a browser, so the main problems in iTunes 10 are with the Store site. WebKit is also used in Apple's Safari browser and Google's Chrome browser. Google apparently helped get the fixes for Apple’s iTunes program.

Many of the WebKit vulnerabilities come from bug reports filed in 2011. That these flaws are only being fixed now shows how low iTunes is on the Apple development team's priority list. These same vulnerabilities were apparently fixed long ago in Safari and Chrome. So, what’s the excuse?

Users can get the security fixes by updating iTunes directly in the application.

Apple’s statement on the security update page:

Available for: Windows 7, Vista, XP SP2 or later

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues existed in WebKit. These issues are addressed through improved memory handling.

 


Actively Exploited Microsoft Security Vulnerability

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution

An unpatched, critical security vulnerability in Microsoft XML Core Services is actively being exploited by attackers.

Simply visiting the attacker's website on a vulnerable machine is enough for the computer to become infected.

Here are the conditions of this bug:

  • It is a web-based attack scenario, which means users have to be led to the site that exploits the vulnerability through a specially crafted link (such as in an email message, instant message, etc.)
  • If the attacker successfully exploits this flaw and gets onto the victim’s machine, the attacker obtains the same user rights as the currently logged-in user. The type of account (limited or administrator) determines what the malware is able to do.

CVE entry: CVE-2012-1889

Microsoft KB entry: KB2719615

Microsoft has a temporary fix in place: Fix-It. Please secure your system now! The final fix is being developed by Microsoft.

 

You may want to consider purchasing Malwarebytes’ Anti-Malware to protect against these types of threats.
