Date: 07 January 2011
One more Christmas and New Year down, hopefully many more to go. Thankfully
this year seemed to bring with it many fewer incidents of holiday season
targeted malware; unless it was just the eggnog being much stronger this
If you are anything like me then the storms were more dangerous to your
systems than the malware out there. Due to an unfortunate BIOS setting
(what to do after a power failure), a short blackout, and a little dash
of Christmas cheer, I had not realised that a quick press of the power
button would have brought my baby back to life. Instead, I ventured into
the unknown, and spent Christmas day OUTSIDE! My pale pasty skin managed
to survive the occasional ray of sunshine that snuck through the clouds
while I walked along the beach accompanied by four bedraggled dogs and a few people.
Fortunately for me, the holidays also presented vulnerability discoverers
with a socially acceptable alternative to fuzzing: eating and sleeping (or
NOPing, as a friend once said). This resulted in a rather subdued first
week back, but I am sure things will pick up.
Of note this week is a WordPress patch, bringing it up to version 3.0.4.
Also keep an eye out for the 3.1 release (currently sitting at RC2).
This week also brought the disclosure of two new Microsoft vulnerabilities,
bringing the total number of publicly known unpatched vulnerabilities to
four: one for Windows and three for Internet Explorer.
Unfortunately, Microsoft has only announced two bulletins for next "Patch
Tuesday", BOTH of which are listed as Windows. So I would stake my BIOS
configuration skills on there being known Internet Explorer vulnerabilities
left unpatched this coming Tuesday/Wednesday.
I would mention the Apple Mac OS X 10.6.6 update, but there was only one
vulnerability and 10.5 didn't even need an update.
Lastly, Debian has released a bulletin(s) for nss, apache2 and openssl that
implement the RFC 5746 renegotiation extension. Unfortunately they seem to
have released it as one bulletin and then two completely different updates
to that bulletin. However, with my well-trained eagle eyes (and the help
of an "undo" button) I managed to recover the first two and send all three
for your reading pleasure (or ignoring if you don't run Debian).
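For anyone wanting to verify that a patched server actually speaks RFC 5746, the thing to look for is the renegotiation_info extension (type 0xff01) in the ServerHello. The following is an added example, not code from the original post or from the Debian, OpenSSL or Apache projects: a small parser that pulls the extension out of a TLS 1.2 ServerHello record and applies the client-side acceptance rules of RFC 5746 (sections 3.4 and 3.5). The sample records are constructed inline by build_server_hello(), and the function names, the 0xc02f cipher suite and the filler random bytes are the example's own choices.

```python
"""RFC 5746 renegotiation_info check on a TLS ServerHello (added example)."""
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type registered by RFC 5746


def build_server_hello(extensions):
    """Constructed sample ServerHello wrapped in a TLS 1.2 record.

    extensions is a list of (type, data) pairs, or None for a hello that
    carries no extensions block at all (what a pre-RFC 5746 server sends).
    """
    body = (b"\x03\x03"            # server_version: TLS 1.2
            + b"\x11" * 32         # random (constructed filler, not real)
            + b"\x00"              # empty session_id
            + b"\xc0\x2f"          # cipher_suite (example choice)
            + b"\x00")             # compression_method: null
    if extensions is not None:
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d
                             for t, d in extensions)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Return the cipher suite and a {type: data} dict of ServerHello extensions."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hlen = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hlen]
    off = 2 + 32                           # skip server_version and random
    off += 1 + hs[off]                     # skip session_id (length-prefixed)
    cipher_suite = struct.unpack("!H", hs[off:off + 2])[0]
    off += 3                               # cipher_suite + compression_method
    extensions = {}
    if off < len(hs):                      # extensions block is optional
        ext_len = struct.unpack("!H", hs[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off < end:
            etype, elen = struct.unpack("!HH", hs[off:off + 4])
            off += 4
            extensions[etype] = hs[off:off + elen]
            off += elen
    return {"cipher_suite": cipher_suite, "extensions": extensions}


def check_renegotiation_info(record, initial=True, expected_verify_data=b""):
    """Classify a ServerHello as 'secure', 'legacy' or 'abort'.

    initial=True applies the initial-handshake rules (RFC 5746 s.3.4):
    the extension, if present, must carry an empty renegotiated_connection.
    initial=False applies the renegotiation rules (s.3.5): the extension
    must be present and carry client_verify_data || server_verify_data
    from the previous handshake (passed in as expected_verify_data).
    """
    ext = parse_server_hello(record)["extensions"].get(RENEGOTIATION_INFO)
    if ext is None:
        # Absent on the initial handshake: a legacy peer. The client may
        # continue but must refuse any later renegotiation with it.
        # Absent during renegotiation with a peer that had it before: abort.
        return "legacy" if initial else "abort"
    if len(ext) < 1 or ext[0] != len(ext) - 1:
        return "abort"                     # malformed renegotiated_connection
    renegotiated_connection = ext[1:]
    if initial:
        return "secure" if renegotiated_connection == b"" else "abort"
    return ("secure" if renegotiated_connection == expected_verify_data
            else "abort")


if __name__ == "__main__":
    patched = build_server_hello([(RENEGOTIATION_INFO, b"\x00")])
    unpatched = build_server_hello(None)
    print("patched server:", check_renegotiation_info(patched))
    print("legacy server: ", check_renegotiation_info(unpatched))
```

Against a live host the same information is what OpenSSL prints as "Secure Renegotiation IS supported" (or "IS NOT supported") in the output of `openssl s_client -connect host:443`; the parser above is just that check made explicit, with the malformed and renegotiation cases that a one-line grep does not cover.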
Until next week, may the automatic power recovery setting be with you.