Microsoft warns of new Word attack
Be extra careful when opening documents in Windows, especially if they are Word files. Microsoft on Friday warned that cyber
criminals may be taking advantage of an unpatched flaw in the Windows operating system to install malicious software on a
victim's PC. IDG News Service, 03/22/08.
Microsoft security advisory
**********
Open source Asterisk IP PBX needs patches to fix flaws
Businesses using open-source Asterisk-based IP PBXs should check whether to update the software version they are using in
order to rid themselves of vulnerabilities that could compromise the systems. Network World, 03/21/08.
Asterisk advisory
**********
Apple patches Digital Camera RAW Compatibility
Apple has released Digital Camera RAW Compatibility Update 2.0, which fixes a stack-based buffer overflow that could be exploited
to run malicious code on an affected system. The update is for anyone who runs Aperture 2 or iPhoto 7.1.2.
**********
Six new patches from Mandriva:
perl-Net-DNS (denial of service)
krb5 for Multi Network Firewall 2.0, Corporate Server 3.0 (multiple flaws)
krb5 for Mandriva 2007.0, Corporate 4.0 (multiple flaws)
krb5 for Mandriva 2007.1, 2008.0 (multiple flaws)
**********
Three new fixes from Gentoo:
ssl-cert eclass (SSL key disclosure)
OpenLDAP (denial of service)
**********
Three new updates from rPath:
krb5 (multiple flaws)
**********
Two new fixes from Ubuntu:
MySQL (multiple flaws)
**********
Two new updates from Debian:
xwine (multiple flaws)
**********
Today's malware news:
Targeted malware attacks against pro-Tibet groups
Groups supporting freedom of Tibet have been attacked with highly targeted and technically advanced attacks. What do these
attacks look like in practice? Let's take an example. F-Secure blog, 03/21/08.
**********
From the interesting reading department:
FBI looks at Chinese role in Darfur site hack
The U.S. Federal Bureau of Investigation is looking into a possible China connection in the hack of a nonprofit group created
to draw attention to the ongoing genocide in western Sudan's Darfur region. IDG News Service, 03/21/08.
Vista SP1: Threat or Menace?
Popular wisdom says you should wait for SP1 before switching to any new version of Windows. Ironically, the question on the
minds of current Vista customers is whether it's the right time to switch to SP1. PC World, 03/22/08.
E-voting vendor's Web site hacked
The Web site for a company whose e-voting machines have come under fire from election officials in New Jersey was hacked Thursday
morning, according to a computer scientist who was asked to investigate voting-machine discrepancies in the state's primary
election. IDG News Service, 03/20/08.
Another Reason to Patch Microsoft Jet Vulnerabilities
Microsoft does not acknowledge the bug as a critical remote execution vulnerability because .mdb files are considered unsafe
and so Outlook is configured to block Access files when received as an attachment. However, I doubt that all users are aware of that.
I also doubt that this mitigation is good enough to avoid patching these vulnerabilities forever. Symantec Security Response
blog, 03/20/08.