2 vulnerabilities of which allow for cross-site scripting (XSS) attacks in Microsoft SharePoint with an issue with HTML sanitization.
3 privilege escalation vulnerabilities, including CVE-2010-2743 – involving with Stuxnet malware.
The vulnerability could allow remote code execution if an attacker sent a specially crafted RTSP packet to an affected system. However, Internet access to home media is disabled by default. In this default configuration, the vulnerability can be exploited only by an attacker within the same subnet.
A vulnerability in the embedded TruType font that was originally disclosed to TippingPoint via the Zero Day Initiative (ZDI) program on June 23, 2010.
This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs).
The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario.
This security update resolves two privately reported vulnerabilities in the Windows OpenType Font (OTF) format driver. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability.
The vulnerabilities could allow elevation of privilege if a user views content rendered in a specially crafted OpenType font. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Fixes 11 vulnerabilities in Microsoft Word. The vulnerabilities could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user.
Fixes 13 vulnerabilities in Microsoft Excel. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file or a specially crafted Lotus 1-2-3 file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user.
The vulnerability could allow remote code execution if a user visited a specially crafted Web page. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.
A vulnerability in Windows Media Player affecting Windows XP/Vista, Windows 7, and Windows Server 2003/2008 allows for remote code execution if Windows Media Player opened specially crafted media content hosted on a malicious Web site.
Fixes a vulnerability in Wordpad and the Windows shell that allows remote code execution. The vulnerability could allow remote code execution if a user opens a specially crafted file using WordPad or selects or opens a shortcut file that is on a network or WebDAV share.
A stack-based buffer overflow in the Remote Procedure Call Subsystem (RPCSS) allowing for local privilege escalation. This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability.
(Vista, 7, 2008, 2008 R2)
Denial of service vulnerability in ISS web servers running SSL. The vulnerability could allow denial of service if an affected system received a specially crafted packet message via Secure Sockets Layer (SSL). By default, all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not configured to receive SSL network traffic.
This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.
Oracle Java update
v.6 update 22
fixed 29 security vulnerabilities
fixed TLS/SSL renegotiation hole - their own implementation of the protocol was not fixed yet
fixed root CA and various other issues
Foxit Reader 4.2
Many switch from Adobe Reader to Foxit Reader which is less weight
Buffer-overflow issue - file containing over 512 characters, will crash the reader, which potentially opens the door to buffer-overflow
Facebook has added one-time password support
Purpose to login using a one-time password on a system you do not control and question the system’s security environment (such as the possibility of having keyloggers, etc)
txt string otp to number 3265 will receive a one-time password that expires after 20 minutes.
Must register cellphone number to facebook account.
UAE and RIM
Agreement has been made and the UAE and RIM pertaining to banning Blackberry cell phone technology in the UAE
Saudi Arabia and India has backed down as well.
RIM’s technology is strongly encrypted to the point where no ease-dropping or man-in-the-middle session can not be taken place.
What changed though for both the UAE and RIM to come into an agreement? RIM will not disclose stating that it is proprietary information.
Jailbroken Kindles can run Zork from Infocon.