Bugs and fixes: News from Avast, Apple and Microsoft

Microsoft released a massive Tuesday patch and Avast! inconvenienced anyone using a webpage running a specific type of script

(Writer's Comment: Starting today, Bugs and Fixes will be posted biweekly each month for your convenience. You'll still be able to read the Bugs and Fixes column in the monthly print issue of PCWorld.)

We're only halfway through April and there are already too many vulnerabilities to count. This month avast! released a false-positive virus definition that affected a number of innocent websites. Then, for their monthly Tuesday patch, Microsoft released 17 new security bulletins which addressed 64 vulnerabilities. Also, two days later, Apple released four security updates which cover software updates for iOS 3.0 through 4.3.1, Safari 5.0.5, and a security update to the Certificate Trust Policy for iOS.

Avast! Issues False-Positive Virus Definition

On April 11th avast! released virus definition update 110411-1, which contained an error that caused a number of innocent websites to be flagged as infected. According to an update on the avast! blog, "all sites with a script in a specific format were affected." After the bad update was released, Avast's virus lab staff quickly discovered the problem and immediately started working on a fix. Update 110411-2 (which fixes the problem) was released about 45 minutes after the false-positive definition went out.

As always, you should strive to keep your virus definitions updated. If you are using avast!, be sure to enable the "Automatic Update" feature to get the latest virus definitions and bug fixes as quickly as possible. If you are updating manually, you can obtain the most up-to-date version of avast! by selecting the "Engine and Virus Definitions" option from the Update menu within the avast! taskbar icon. For more information on this issue, visit the avast! blog here.

Microsoft Releases Massive Patch Tuesday

This month Microsoft released a massive patch on Tuesday (April 12) containing seventeen security bulletins which addressed a whopping 64 vulnerabilities. Updates MS11-018 through MS11-034 address vulnerabilities in everything from Internet Explorer, Windows, Office, and the .NET Framework, as well as a number of other systems. Nine of these updates are rated 'critical' while the rest are rated 'important.'

Update MS11-018, which is rated 'critical' for IE 6 through 8 on Windows, resolves five vulnerabilities. If you were to view a specially crafted web page using an unpatched IE, an attacker could achieve remote code execution on your system, gaining the same rights as the logged-on user. According to Microsoft, the update addresses the vulnerabilities by "modifying the way that Internet Explorer handles objects in memory, content during certain processes, and script during certain processes."

Another update, MS11-033 (bearing an 'important' rating), addresses a vulnerability in the WordPad Text Converters that affects Microsoft Windows. This vulnerability could permit remote code execution if you were to open a specially crafted file using WordPad, allowing the attacker to gain the same rights as the logged-on user. Update MS11-033 fixes this bug by altering the way the WordPad Text Converters parse such specially crafted files.

As always, to prevent your system from being exploited you should install these updates as soon as possible using Windows Update. To learn more about each update -- and to download them manually -- visit the Microsoft Safety & Security Center here. Also check out PCWorld's Security Alert article on the topic by Tony Bradley here.

Apple Updates Certificate Trust Policy

So far Apple has released four new security updates this month, all on April 14th. These are: iOS 4.3.2 Software Update, iOS 4.2.7 Software Update for iPhone, Safari 5.0.5, and Security Update 2011-002.

The iOS 4.3.2 Software Update patches a number of components including libxslt (a library for processing XSLT stylesheets, maintained by the GNOME project, which produces a graphical desktop environment), QuickLook (a quick preview feature for files) and WebKit (the layout engine that lets browsers render web pages).

The iOS 4.3.2 Software Update, along with Security Update 2011-002 and the iPhone update, updates the Certificate Trust Policy to address the threat of the SSL certificates stolen last month. SSL certificates are the means by which a Website proves its identity to your browser. If your browser detects that a site's certificate is fraudulent, it should block the site and give you a warning; if it does not, and you visit a site presenting a fraudulent certificate, your security and privacy could be at risk. The iPhone update also updates QuickLook, and both the iPhone update and Safari 5.0.5 also patch WebKit.

You should always keep your Mac updated; for more information about each update, check out the Apple security update page here.

[Photo "Computer Virus" via joelogon (Flickr)]

Follow James Mulroy on Twitter to get the latest in microbe, dinosaur, and death ray news.
