Firefox fixes multiple flaws
Mozilla has fixed 13 flaws affecting Firefox, SeaMonkey and Thunderbird. Attackers could exploit the vulnerabilities to take complete control of affected systems, bypass security restrictions, disclose sensitive information and execute arbitrary script code, the French Security Incident Response Team (FrSIRT) said in an advisory.
The 13 flaws include:
The flaws affect:
Users are advised to upgrade to Firefox 18.104.22.168, Thunderbird 22.214.171.124, and SeaMonkey 1.0.2.
Microsoft investigates Windows flaw
Attackers could exploit a new flaw in Microsoft Windows to cause a denial of service, Danish vulnerability clearinghouse Secunia said in an advisory.
"The vulnerability is caused due to a boundary error in inetcomm.dll within the processing of URLs with the 'mhtml:' URI handler," Secunia said. "This can be exploited to cause a stack-based buffer overflow via an overly long URL by tricking a user into visiting a malicious Web site with Internet Explorer or opening a specially crafted Internet shortcut."
Secunia said successful exploitation crashes the application using the vulnerable library. The firm has confirmed the vulnerability on a fully patched system with Microsoft Windows XP SP2 and Microsoft Windows 2003 Server.
Secunia said the threat can be mitigated by disabling the "mhtml:" URI handler, though this may affect functionality.
Microsoft is investigating the flaw, according to published reports.
Data on 1.3 million people compromised
Student loan company Texas Guaranteed (TG) said personal data on 1.3 million borrowers may have been compromised after an employee from Hummingbird, a company TG uses to prepare a document management system, lost a piece of equipment containing the borrowers' names and Social Security numbers.
In a statement on its Web site, TG said the employee lost the data May 24, and that Hummingbird notified TG May 26. The non-profit organization never states just what type of equipment -- be it a laptop, server, PDA or other device -- went missing, nor how the loss occurred.
"Even though this information is not easily accessed and used, and even though the loss appears to be inadvertent, we are issuing this release out of an abundance of caution, because the piece of equipment has not been located," Sue McMillin, TG's president and CEO, said in the statement. "No personally identifiable information other than names and Social Security numbers were included on the piece of equipment."
She said letters will be mailed to individuals who were directly affected, with information about their records and recommendations on how to protect themselves from identity theft. A toll-free information call center will also be open Monday through Friday from 8 a.m. to 7 p.m. CT at (800) 530-0626.
F-Secure fixes buffer overflow flaw
Finnish antivirus firm F-Secure Corp. has fixed a buffer overflow flaw in the Web console of F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper.
The high-risk buffer overflow occurs in the Web console before authentication takes place, F-Secure said, adding that the overflow may crash the Web console process and leave the product running without console access. By default, the connections are only allowed from the local host.
"It may be possible to execute arbitrary code with this vulnerability," F-Secure said in its Web site advisory. "There are no known exploits for this, currently."
The advisory outlines the appropriate hotfix users can apply to solve the problem.