
Security news roundup: Updates available for Firefox and Safari

Here's a collection of recent security vulnerabilities, alerts, and news, which covers news that Microsoft will not prosecute ethical hackers probing its Web site for security holes, an exploitable flaw in the DivX Player involving subtitle files, and minor updates available for both Firefox and Safari Web browsers.


  • Microsoft says it is okay to probe its Web site for security holes

Microsoft has publicly pledged not to prosecute ethical hackers who find security flaws on its Web site. This announcement was made at the ToorCon security conference in Seattle. This attempt to be more responsive to security researchers comes in contrast to legal action taken against similar activities by other organizations.

Alex Stamos, a founding partner at iSEC Partners, a firm that provides penetration-testing services, noted: "There's definitely a lot of trepidation among legitimate researchers to find flaws in public-facing web applications because you never know how [companies] are going to react. That hurts us because the only people finding these flaws are the bad guys."

In all, this is a very bold move given just how vast the Microsoft Web site is. It remains to be seen if this proclamation will be followed by other large Web properties.

  • DivX Player trips up over subtitles

The player bundled with the highly popular DivX codec has a flaw that causes it to crash over maliciously crafted subtitle files, potentially opening it to the arbitrary injection of code.

Version 6.7.0.22 of the DivX Player, which is included in DivX 6.8, is affected. Users are advised not to open .srt files from untrusted sources until the flaw is patched. Note that the player automatically opens a corresponding .srt file with the same base filename if one is present in the same directory as the video.

You can check out the proof of concept (POC) here.
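As an added example that is not from the article or from DivX, here is a small Python check a defender could run over a download folder: it lists which videos would trigger the automatic sidecar .srt load described above, and strictly validates those subtitle files before a player ever opens them. The container extension list and the line-length cap are assumptions, not values taken from the advisory.

```python
import re
from pathlib import Path

# Assumed container extensions; the article names no specific list.
VIDEO_EXTS = {".avi", ".divx", ".mkv", ".mp4"}
MAX_LINE = 200  # conservative cap on a subtitle text line; an assumption, not an advisory value
TIMESTAMP = re.compile(r"^(\d{2}):(\d{2}):(\d{2}),(\d{3}) --> (\d{2}):(\d{2}):(\d{2}),(\d{3})$")

def sidecar_pairs(names):
    """Return (video, subtitle) pairs sharing a base name: the .srt files a
    player with automatic subtitle loading would open without being asked."""
    srts = {Path(n).stem: n for n in names if Path(n).suffix.lower() == ".srt"}
    return [(n, srts[Path(n).stem]) for n in names
            if Path(n).suffix.lower() in VIDEO_EXTS and Path(n).stem in srts]

def validate_srt(text):
    """Strictly parse SubRip text and return a list of problems (empty if clean).
    Anything outside 'index / timestamp / text lines / blank line' is rejected."""
    problems = []
    blocks = re.split(r"\n\s*\n", text.replace("\r\n", "\n").strip("\n"))
    for i, block in enumerate(blocks, 1):
        lines = block.split("\n")
        if len(lines) < 3:
            problems.append(f"block {i}: fewer than three lines")
            continue
        if not lines[0].strip().isdigit() or int(lines[0]) != i:
            problems.append(f"block {i}: bad or out-of-order index {lines[0]!r}")
        m = TIMESTAMP.match(lines[1].strip())
        if not m:
            problems.append(f"block {i}: malformed timestamp line")
        else:
            start, end = (tuple(map(int, m.groups()[k:k + 4])) for k in (0, 4))
            if start >= end:
                problems.append(f"block {i}: end time not after start time")
        for ln in lines[2:]:
            if len(ln) > MAX_LINE:
                problems.append(f"block {i}: text line longer than {MAX_LINE} chars")
            if any(ord(c) < 32 for c in ln):
                problems.append(f"block {i}: control character in text")
    return problems

# Constructed sample inputs, not files from the advisory.
SAMPLE_DIR = ["movie.avi", "movie.srt", "clip.mp4", "readme.txt", "other.srt"]
SAMPLE_OK = ("1\n00:00:01,000 --> 00:00:03,500\nHello\n\n"
             "2\n00:00:04,000 --> 00:00:06,000\nWorld\n")
SAMPLE_BAD = "1\n00:00:01,000 --> 00:00:03,500\n" + "A" * 5000 + "\n"

if __name__ == "__main__":
    print(sidecar_pairs(SAMPLE_DIR), validate_srt(SAMPLE_OK), validate_srt(SAMPLE_BAD))
```

Run it against a real folder by passing `os.listdir(folder)` to `sidecar_pairs` and the file contents of each paired .srt to `validate_srt`; any non-empty problem list is a reason to quarantine the subtitle file rather than let the player auto-load it.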

  • Updates available for Firefox, Safari Web browsers

Version 2.0.0.14 of the popular Firefox Web browser was released last week. It is primarily a stability fix, and addresses crashes in the browser's JavaScript garbage collector that were apparently introduced by the fixes for a security problem outlined in MFSA-2008-15 (CVE-2008-1237). There has been no evidence that this particular crash is exploitable, though Security Advisory 2008-20 cautions that "some crashes of this type have been shown to be exploitable in the past."

Apple has also updated its Safari Web browser from version 3.1 to 3.1.1. This update fixes four security vulnerabilities that affect both the Windows and Mac OS X versions of the browser. According to Wired blogs:

[This version] fixes four flaws in the Windows version of Safari and two in the Mac version. Of those patched, the most serious are the two flaws that affect WebKit on both platforms. WebKit, the engine behind Safari, also powers some elements of Apple Mail, Dashboard and numerous third-party applications.

You can download Firefox 2.0.0.14 here and Safari 3.1.1 here.

About Paul Mah

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.
