Ravens PHP Scripts: Security



 

 

IE vulnerability offers your files to hackers

Posted on Thursday, January 28, 2010 @ 15:02:33 CST in Security
by Raven

Southern writes:  
Jorge Luis Alvarez Medina, a security consultant working for Core Security, has discovered a string of vulnerabilities in Internet Explorer that make it possible for an attacker to gain access to your C drive - complete with files, authentication and HTTP cookies, session management data, etc.

"Exploitation of the vulnerability relies solely on the ability for a would-be attacker to provide malicious HTML content from a website and to predict the full path name for the file that will be used to cache it locally on the victim's system," says the advisory Core Security published. "If the entire path name can be predicted, the attacker can cause a redirection to the locally stored file using an URI specified in UNC form and force the local content to be rendered as an HTML document, which will permit to run scripting commands and instantiate certain ActiveX controls."

net-security.org
 

 

Google Chrome Multiple Vulnerabilities

Posted on Tuesday, January 26, 2010 @ 21:55:06 CST in Security
by Raven

SECUNIA ADVISORY ID: SA37769

VERIFY ADVISORY: http://secunia.com/advisories/37769/

CRITICAL: Highly Critical

DESCRIPTION: Some vulnerabilities and weaknesses have been reported in Google Chrome, where some have unknown impacts and others can be exploited by malicious people to disclose potentially sensitive information, bypass certain security restrictions, or compromise a user's system.
 

 

Patch Tuesday heads-up: MS to fix *critical* IE, Office security holes

Posted on Monday, December 07, 2009 @ 14:40:35 CST in Security
by Raven

Posted by Ryan Naraine @ 11:45 am, 03-Dec-2009

Just two weeks after the release of exploit code for a critical (remotely exploitable) security hole in its Internet Explorer browser, Microsoft says a fix will be included in this month’s batch of Patch Tuesday updates. Microsoft has already issued an advisory to confirm the severity of the issue, which affects users of Internet Explorer 6 and Internet Explorer 7 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. In all, Microsoft plans to release six security bulletins next Tuesday (December 8, 2009) to fix security flaws affecting IE, Microsoft Office and the Windows operating system. Three of the six bulletins will be rated “critical,” Microsoft’s highest severity rating. A critical vulnerability could result in remote code execution if a user opens a rigged file or simply surfs to a malicious Web site.

Microsoft urged customers to pay special attention to the IE update because of the availability of public exploit code and the fact that attackers could launch malware attacks to take complete control of a Windows machine running a vulnerable browser.

 

 

PHP Multiple Vulnerabilities

Posted on Sunday, November 22, 2009 @ 12:44:17 CST in Security
by Raven

SECUNIA ADVISORY ID: SA37412

VERIFY ADVISORY: http://secunia.com/advisories/37412/

DESCRIPTION: Multiple vulnerabilities have been reported in PHP, some of which have unknown impact and others that can be exploited by malicious users to bypass certain security restrictions.

1) Input validation errors exist in the processing of exif data. This is related to vulnerability #3 in: SA36791
2) An error in "tempnam()" can be exploited to bypass the "safe_mode" feature.
3) An error in "posix_mkfifo()" can be exploited to bypass the "open_basedir" feature.

SOLUTION: Update to version 5.3.1.

PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2, 3) Grzegorz Stachowiak

ORIGINAL ADVISORY:
PHP: http://www.php.net/releases/5_3_1.php
Grzegorz Stachowiak:
http://securityreason.com/securityalert/6600
http://securityreason.com/securityalert/6601

OTHER REFERENCES: SA36791: http://secunia.com/advisories/36791/
 

 

Thousands of web sites compromised, redirect to scareware

Posted on Thursday, November 19, 2009 @ 12:48:04 CST in Security
by Raven

webservant writes:  
Originally Posted by Dancho Danchev on Tuesday November 17, 2009 @ 12:12 pm LINK: http://blogs.zdnet.com/security/?p=4947&tag=col1;post-4947

Security researchers have detected a massive blackhat SEO (search engine optimization) campaign consisting of over 200,000 compromised web sites, all redirecting to fake security software (Inst_58s6.exe), commonly referred to as scareware.

More details on this campaign:
 

 

Adobe Reader Multiple Vulnerabilities

Posted on Saturday, November 07, 2009 @ 23:52:17 CST in Security
by Raven

papamike writes:  
Adobe Reader: Multiple vulnerabilities
Multiple vulnerabilities in Adobe Reader might result in the execution of arbitrary code, or other attacks. See GLSA 200910-03 for more information.
 


