Here are some of the most significant bugs from the past week in the BugBlog:
Microsoft has issued an out-of-cycle security bulletin (meaning they didn't wait for Patch Tuesday) for the VML Buffer Overrun bug in Microsoft Internet Explorer. This bug was being actively exploited by hostile web sites, and could allow an attacker to completely take over your computer, as shown in the 9/26 and 9/20 BugBlogs. Microsoft has a patch.
There is a bug in Mozilla Firefox's implementation of JavaScript, and it may allow malicious websites to run their code on your computer due to a stack overflow error. The bug was found by Mischa Spiegelmock, of SixApart, and Andrew Wbeelsoi. A spokesperson for Mozilla said that the issue looks genuine. Also, enough details were disclosed during the presentation that attacks may be mounted.
There is a bug in the way that Mac OS X 10.4.x computers view JPEG2000 images. An attacker may be able to construct one of these images so that it either crashes the application viewing it or runs hostile code on your machine. Apple has fixed this in Security Update 2006-006 and has also patched it in Mac OS X 10.4.8. They credit Tom Saxton of Idle Loop Software Design for finding this bug.

Article comments
1 - Bruce Kratofil
There appears to be a major retraction in the claims about this JavaScript bug in Mozilla. It appears that all the bug will do is crash the browser -- so far, no one has gotten it to run malicious code. Mozilla will continue to investigate.