
Bad security week for Microsoft, Apple, and Blizzard

Written by George Ou, Contributor

Another zero-day threat hits Microsoft Internet Explorer 5 and 6 just after Microsoft issued an emergency out-of-cycle patch for the VML threat. This new critical threat had been known for 2 months but missed September's Patch Tuesday. Microsoft is expected to patch it next Tuesday, but attacks are already being seen in the wild.

Apple on Friday issued patches for 15 vulnerabilities, most of which are remotely exploitable. The patches address issues in Safari, Flash Player, code-executing JPEG2000 images, privilege escalations in the kernel, code-executing PICT images, and other components in Mac OS X.

[UPDATE October 3: This was mostly a prank] At Toorcon 8 in San Diego, Joris Evers is reporting that two hackers are claiming to have 30 exploits for Mozilla Firefox. They disclosed one of the issues with enough detail that it could probably be reproduced by other hackers. Mozilla's security chief Window Snyder is taking the threat seriously and was upset that the exploit was released to the public without any notification to Mozilla. A security staffer from Mozilla attempted to "persuade the presenters to responsibly disclose flaws via Mozilla's bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets". Unfortunately, the hackers do not plan to disclose them. Evidence for the other 29 exploits was not shown. The hackers stated it was a problem in Firefox's implementation of JavaScript and that it was a "complete mess". Snyder admitted that "if it is in the JavaScript virtual machine, it is not going to be a quick fix".

Oh, and Blizzard and their WOW customers aren't having a good week either. It would seem that a lot of World of Warcraft players are being targeted for their passwords through malware and keyloggers. Once the password thieves have the passwords, they can turn around and sell off virtual goods for real money.
