Archive for July 4th, 2008

Patch Tuesday, a Heads Up. (Jul-2008)

The heads up for this month is:

Four Microsoft Security Bulletins rated as Important. These updates may require a restart and will be detectable using the Microsoft Baseline Security Analyzer. [1]

4 (four) Bulletins in total, one for SQL Server rated Important, two for Windows rated Important, and one for Exchange rated Important.

Microsoft Security Bulletin Advance Notification for July 2008 [2]
Microsoft Security Bulletin Advance Notification issued: July 3, 2008
Microsoft Security Bulletins to be issued: July 8, 2008
This is an advance notification of security bulletins that Microsoft is intending to release on July 8, 2008.
This bulletin advance notification will be replaced with the July bulletin summary on July 8, 2008.

LINKS:
[1] July 2008 Advance Notification (2008-Jul-03) [MSRC]
[2] Microsoft Security Bulletin Advance Notification for July 2008 (2008-Jul-03) [MS]

Skype 3.8.0.139

From the better late than never school of posting – Skype has released Skype for Windows version 3.8.0.139. This fixes a vulnerability in all releases prior to and including 3.8.*.115.

II. DESCRIPTION

Remote exploitation of a security policy bypass in Skype could allow an attacker to execute arbitrary code in the context of the user.

The “file:” URI handler in Skype performs checks upon the URL to verify that the link does not contain certain file extensions related to executable file formats. If the link is found to contain a blacklisted file extension, a security warning dialog is shown to the user. The following file extensions are checked and considered dangerous by Skype; .ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl, .crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp, .js.

Due to improper logic when performing these checks, it is possible to bypass the security warning and execute the program. First of all, checking is performed using a case sensitive comparison. The second flaw in this check is that the blacklist fails to mention all potential executable file formats. By using at least one upper case character, or using an executable file type that is not covered in the list, an attacker can bypass the security warning.
– AUSCERT (2008-Jun-12) [2]

The preferred method for installing security updates is to download the software directly from Skype’s website, from the website of Skype’s authorized partners, or from a reliable mirror site.
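The two flaws described in the advisory, modeled as an added example (not Skype's code and not taken from the advisory): `flawed_needs_warning` compares case-sensitively against the quoted list, while `hardened_needs_warning` normalizes case and warns on anything outside an allowlist. The function names, the allowlist contents, the sample URLs and the `.xyz` placeholder extension are assumptions made for the illustration.

```python
import posixpath
from urllib.parse import unquote, urlparse

# Extension list exactly as quoted in the advisory text above.
BLACKLIST = {".ade", ".adp", ".asd", ".bas", ".bat", ".cab", ".chm", ".cmd",
             ".com", ".cpl", ".crt", ".dll", ".eml", ".exe", ".hlp", ".hta",
             ".inf", ".ins", ".isp", ".js"}

# Hypothetical allowlist for the hardened check (an assumption, not Skype's fix).
ALLOWLIST = {".txt", ".pdf", ".png", ".jpg"}

# Constructed sample links; ".xyz" stands in for any type absent from the list.
SAMPLES = [
    "file:///C:/Users/demo/tool.exe",
    "file:///C:/Users/demo/tool.EXE",
    "file:///C:/Users/demo/tool.xyz",
    "file:///C:/Users/demo/notes.TXT",
]

def _extension(url):
    """Extension of the path in a file: URL, percent-decoded, case preserved."""
    path = unquote(urlparse(url).path)
    return posixpath.splitext(path)[1]

def flawed_needs_warning(url):
    """Model of the described logic: case-sensitive match, incomplete blacklist."""
    return _extension(url) in BLACKLIST

def hardened_needs_warning(url):
    """Default-deny: warn unless the lower-cased extension is allowlisted."""
    return _extension(url).lower() not in ALLOWLIST

def missed_by_flawed(urls):
    """Links the hardened check warns on but the flawed check lets through."""
    return [u for u in urls
            if hardened_needs_warning(u) and not flawed_needs_warning(u)]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:35} flawed_warns={flawed_needs_warning(url)!s:5} "
              f"hardened_warns={hardened_needs_warning(url)}")
    print("missed by flawed check:", missed_by_flawed(SAMPLES))
```

`missed_by_flawed` can serve as a regression test for any extension filter: it should return an empty list once the check is case-insensitive and default-deny.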

[1] SKYPE-SB/2008-003: Skype File URI Security Bypass Code Execution Vulnerability (2008-Jun-06) [Skype]
[2] AL-2008.0068 — [Win] — Skype File URI Security Bypass Code Execution Vulnerability (2008-Jun-12) [AUSCERT]

Firefox 2.0.0.15

Mozilla released Firefox 2.0.0.15 on July 1, 2008.

Fixed in Firefox 2.0.0.15 [1]
MFSA 2008-33 Crash and remote code execution in block reflow
MFSA 2008-32 Remote site run as local file via Windows URL shortcut
MFSA 2008-31 Peer-trusted certs can use alt names to spoof
MFSA 2008-30 File location URL in directory listings not escaped properly
MFSA 2008-29 Faulty .properties file results in uninitialized memory being used
MFSA 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X
MFSA 2008-27 Arbitrary file upload via originalTarget and DOM Range
MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
MFSA 2008-24 Chrome script loading from fastload file
MFSA 2008-23 Signed JAR tampering
MFSA 2008-22 XSS through JavaScript same-origin violation
MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)

Vulnerability ratings: 4 Critical, 4 High, 2 Moderate
Evaluation: Update now

We strongly recommend that all Firefox users upgrade to this latest release. If you already have Firefox 2.x, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting “Check for Updates…” from the Help menu.

Note: Firefox 2.0.0.x will be maintained with security and stability updates until mid-December, 2008. All users are encouraged to upgrade to Firefox 3. [3]

[1] Fixed in Firefox 2.0.0.15 [Mozilla]
[2] Mozilla Firefox 2.0.0.15 Release Notes [Mozilla]
[3] Firefox 2.0.0.15 security and stability update now available for download (2008-Jul-01) [Mozilla]
[4] AA-2008.0147 — [Win][UNIX/Linux] — Firefox 2.0.0.15 and SeaMonkey 1.1.10 have been released correcting 12 and 13 security vulnerabilities respectively. (2008-Jun-03) [AUSCERT]
[5] Firefox 2.0.0.15 is out (2008-Jul-02) [SANS]


 
