SECUNIA ADVISORY ID: SA26176

VERIFY ADVISORY: http://secunia.com/advisories/26176/

CRITICAL: Highly critical

IMPACT: DoS, System access

WHERE: >From remote

SOFTWARE:
Mozilla SeaMonkey 1.0.x - http://secunia.com/product/9126/
Mozilla SeaMonkey 1.1.x - http://secunia.com/product/14383/

DESCRIPTION: Some vulnerabilities have been reported in SeaMonkey, which can potentially be exploited by malicious people to compromise a vulnerable system.
 Read More...

SECUNIA ADVISORY ID: SA26131

VERIFY ADVISORY: http://secunia.com/advisories/26131/

CRITICAL: Highly critical

IMPACT: System access

WHERE: >From remote

SOFTWARE:
Microsoft DirectX 9.x - http://secunia.com/product/1915/
Microsoft DirectX SDK - http://secunia.com/product/14831/
Microsoft DirectX 8.x - http://secunia.com/product/1914/
Microsoft DirectX 7.x - http://secunia.com/product/1913/

DESCRIPTION: A vulnerability has been reported in Microsoft DirectX, which can be exploited by malicious people to compromise a user's system.
 Read More...

SECUNIA ADVISORY ID: SA26066

VERIFY ADVISORY: http://secunia.com/advisories/26066/

CRITICAL: Moderately critical

IMPACT: System access

WHERE: >From remote

SOFTWARE: Yahoo! Messenger 8.x - http://secunia.com/product/12122/

DESCRIPTION: Rajesh Sethumadhavan has reported a vulnerability in Yahoo! Messenger, which can be exploited by malicious people to compromise a user's system.
 Read More...

nb1 writes:  

An Italian security researcher this week has developed the first Web-based e-mail worm capable of taking advantage of cross site scripting(XSS) vulnerabilities in multiple Web-mail services. Rosario Valotta described the new form of worm on his blog. The proof of concept, called Nduja Connection, could spread faster than one targeting only a single Web-mail provider, he said. E-mail worms propagate by extracting contact information from the address book of each infected user, and then sending out an e-mail with the worm payload to each contact -- a user needs only to open an infected e-mail message to spread the worm. Prior concept e-mail worms have been restricted to affecting only one e-mail client, however, the Nduja Connection worm has the potential to spread faster due to it's ability to infect users of four different Web e-mail clients.

Full story

nb1 writes:  

Users could face a "highly critical" risk if they have both IE and Firefox version 2.0, or later, loaded on their computer. The trouble begins when browsing a malicious site while using IE and it registers a "firefoxurl://" URI (uniform resource identifier) handler, which allows the browser to interact with specific resources on the Web. As a result, users may find their systems remotely compromised.

"It's a little bit of both," said Oliver Friedrichs, director of Symantec's Security Response Center. "You have two very complex applications that are not playing well together and leading to a security issue. The components themselves are secure as stand-alone products but not together."

"Firefox is the current attack vector, but Internet Explorer is to blame for not escaping...characters when passing on the input to the command line," said Larholm, in response to a reader's comments. "I agree that Firefox could have registered its URL handler with pure DDE (dynamic data exchange, the protocol for information exchange) instead and thereby have avoided the possibility of a command-line argument injection, but IE should still be able to safely launch external applications."

News Source

SECUNIA ADVISORY ID: SA25915

VERIFY ADVISORY: http://secunia.com/advisories/25915/

CRITICAL: Moderately critical

IMPACT: Manipulation of data, Exposure of sensitive information

WHERE: >From remote

SOFTWARE: phpEventCalendar 0.x - http://secunia.com/product/4567/

DESCRIPTION: Iron has discovered a vulnerability in phpEventCalendar, which can be exploited by malicious people to conduct SQL injection attacks.
 Read More...