Apple has released a QuickTime security update to address "highly critical" security flaws in its media player that could allow malicious attackers to take control of a user's system.
The security flaws affect QuickTime 7 versions running on Mac OS X and Windows. Users are advised to update to QuickTime 7.4.5, according to an Apple advisory issued Wednesday.
Apple issued 11 security updates designed to prevent malicious attackers from disclosing users' sensitive information, executing arbitrary code, or causing an application to suddenly crash.
Users can be hit with such evil dealings when visiting a Web site rigged with malicious Java applets, viewing a tampered movie file, or opening a malicious PICT image file, according to the advisory.
Lovely, eh?
For those who want to delve deeper into the nitty-gritty details of the vulnerabilities, check out TippingPoint's Zero Day Initiative, which discovered some of these flaws, as well as security researcher Secunia, which lists all 11 updates.
Microsoft issued a security advisory late Tuesday warning that malicious attackers are targeting vulnerabilities in versions of its Office Excel.
Microsoft Office Excel 2003 with Service Pack 2; Excel Viewer 2003; Excel 2002; Excel 2000; and Microsoft Excel 2004 for the Mac are affected by the security vulnerabilities, according to the advisory.
People who open a malicious e-mail attachment or visit a malicious Web site may find that their systems are compromised and that arbitrary remote code is executed. Computers configured to give the user administrative rights are at greater risk than those where the user has few rights on the system.
Microsoft said it is still investigating the security vulnerabilities but noted the attacks appear to be targeted and not widespread, according to its security blog.
The results of a fifteen-month study assessing the time to patch software associated with electronic health record (EHR) systems were published today by the eHealth Vulnerability Reporting Program. The program is a collaboration of health care industry organizations, technology companies and security professionals that is attempting to establish best practices for the adoption of, and reliance on, eHealth systems, including electronic medical records (EMR), picture archiving and communication systems (PACS), and medical devices. The 39-page report found much room for improvement.
It's one thing to have your credit card information compromised--that can be replaced. It's another to have your health history hacked and made public. The report focused mainly on how medical equipment providers currently disclose vulnerabilities to customers, preventing hospitals and doctors from appropriately managing risk.
The amount of time between when an eHealth vendor is notified of a vulnerability and when that vulnerability is patched exceeded the time needed to patch mainstream application software. For example, one medical application in the study remained unpatched after 2,211 days; another was at 384 days and counting. By comparison, Brian Krebs of The Washington Post found that the time to patch for Microsoft Internet Explorer was only 284 days.
No single organization has authority over vulnerabilities in eHealth applications, the report found. Organizations such as the Certification Commission for Healthcare Information Technology (CCHIT) and the Healthcare Information Technology Standards Panel (HITSP) offer general security practices and standards, but no assessment of the risks associated with reported (or unreported "zero day") threats.
The eHealth Vulnerability Reporting Program would like to see eHealth vendors collaborate with security software vendors to establish ethical testing and reporting, along with better disclosure, vendor certification and, of course, more public education about the problem.
Microsoft is expanding the detail available in its service to notify people of upcoming security fixes, the company said Wednesday.
On the first Thursday of each month, Microsoft's Advance Notification Service (ANS) tells those who've signed up for it some particulars of patches the company issues the following Tuesday. Currently, Microsoft shares some aggregate information about the patches--for example, how many are severe--but beginning June 7, it will offer more information for each of the bulletins in the notification, according to Microsoft's Security Response Center blog.
Specifically, Microsoft will share for each vulnerability bulletin its maximum severity, its impact, information on detection and the software it affects. The descriptions will be stripped-down versions of the full bulletins, and once those full details are released on the Tuesday, the descriptions will be updated to include all the information, Microsoft said.
In addition, Microsoft is updating the layout of its security bulletins to make them more useful, and has posted an example online. Anyone can sign up for the alert service at Microsoft's ANS subscription site.