Adobe has released updates for its Reader and Acrobat products in order to address several vulnerabilities that can be exploited to execute arbitrary code remotely.
The new 9.4.1 versions have only been released for Windows and Mac, the UNIX updates being scheduled to land on November 30.
Patched bugs include CVE-2010-4091, a memory corruption vulnerability disclosed as a zero-day at the beginning of the month.
Despite proof-of-concept exploit code being publicly available, no attacks exploiting this flaw have been detected in the wild so far.
There is reason to believe the issue was known in some hacking circles since November 2009, when details about it were published on Russian-language blogs.
Microsoft is making it easy for third-party developers to bulletproof their software using the same security assurance process that the company applied when building products such as Windows 7 and Windows Vista. In this sense, the software giant continues on a path it set out on a few years back, when it started sharing resources and guides associated with the Microsoft Security Development Lifecycle with the developer community. Developers looking to secure their software with the same range of security activities Microsoft has used in developing solutions starting with Vista can take advantage of resources such as the Simplified Implementation of the Microsoft SDL white paper, which can be downloaded from the Microsoft Download Center.
“Because Microsoft created the SDL, some people think they have to have Microsoft-like resources to be able to implement it,” revealed David Ladd, principal security program manager of Microsoft’s SDL Team. “It’s true that we do invest a lot in the SDL, but that’s largely because we have so many products that go through it. This paper sets out how any development team — even teams of eight to 10 developers — can implement the SDL.”
It has by no means been a slow month as far as Microsoft security bulletins go, with no fewer than 13 patch packages released by the company for a range of products. In total, the Redmond company patched no fewer than 34 security holes across Windows, Internet Explorer, Silverlight, Microsoft Office, Developer Tools, Forefront and SQL Server, revealed Christopher Budd, security response communications lead, Microsoft. October 2009 is also the first month in the software giant’s security patch cycle in which updates were made available for the gold version of Windows 7. October 2009 marks yet another first, namely the first time that patches for Windows 7 RTM have been included in a company Security Release ISO Image.
At the bottom of this article you’ll be able to find a download link for the October 2009 Security Release ISO Image. The ISO package brings to the table all of the security updates made available for supported Windows operating systems, including Windows 7, Vista, Windows XP, Windows Server 2008 R2, etc.
When it comes to 32-bit Windows Vista vs. 64-bit Windows Vista, the comparison generally focuses on the added benefits associated with handling system memory. Because the address space of 64-bit Vista is not limited to 4 GB, users are able to use a maximum of 128 GB of RAM with the Ultimate, Business and Enterprise SKUs. But there are other added benefits as well, and one of them is in terms of security. The 64-bit editions of Vista come to the table with PatchGuard (Kernel Patch Protection), Address Space Layout Randomization (ASLR), heap and stack randomization, and even heap corruption detection.
As far as heap-based buffer overruns are concerned, both 32-bit and 64-bit Vista offer protection, but only in the x64 versions of the operating system is heap corruption detection enabled by default. Michael Howard, Senior Security Program Manager in the Security Engineering group at Microsoft, explained that, in x86 Vista, software developers have to call the HeapSetInformation API in order to enable heap corruption detection.