Jason Meserve provides up-to-the-minute news on vendor security alerts and fixes.
Mozilla patches Firefox JavaScript bug
Mozilla on Wednesday patched a single critical security vulnerability in the JavaScript engine of Firefox, updating the open-source
browser to Version 2.0.0.14. Computerworld, 04/16/08.
Note: As of this writing, none of the three machines I run with Firefox have received the new update.
Mozilla advisory
**********
Cisco warns of NAC shared secret vulnerability
According to a Cisco advisory, "A vulnerability exists in the Cisco Network Admission Control (NAC) Appliance that can allow
an attacker to obtain the shared secret that is used between the Cisco Clean Access Server (CAS) and the Cisco Clean Access
Manager (CAM)." A free update is available.
**********
Apple patches $10,000 prize-winning bug
Apple has issued a security patch for its Safari Web browser, fixing the flaw that earned one security researcher US$10,000
at the CanSecWest security conference. The flaw was exploited by Independent Security Evaluators Researcher Charlie Miller
to gain access to a MacBook Air computer three weeks ago. It lies in the WebKit open-source HTML rendering engine used by
Safari and several other Mac OS X programs. IDG News Service, 04/16/08.
Apple advisory
**********
Oracle patches 41 security flaws in database and other products
Oracle released 41 security fixes for its flagship database and several other products Tuesday, including 15 patches for vulnerabilities
that can be exploited remotely without a username or password. Oracle database products account for 17 security patches, two
of which could be exploited remotely over a network without authentication. The rest of the fixes are spread across Oracle's
Application Server, Collaboration Suite and E-Business Suite products, as well as Oracle’s PeopleSoft and Siebel software.
Network World, 04/15/08.
Oracle advisory
**********
VMware updates packages
VMware has patched flaws in its pcre, net-snmp, and OpenPegasus modules, all of which could impact its ESX server system.
Attackers could exploit the vulnerabilities to launch denial-of-service attacks or potentially run malicious code.
**********
FreeBSD releases OpenSSH patch
A flaw in the way OpenSSH passes information between IPv4 and IPv6 connections could be exploited to steal information passing
through the flawed connection. FreeBSD has released an update for this issue.
**********
Two new fixes from Mandriva:
Kernel for Corporate 4.0 (multiple flaws)
python (buffer overflow, code execution)
**********
Three new patches from Gentoo:
Asterisk (multiple flaws)
**********
From the interesting reading department:
Podcast: Better security for your applications
Application security is more than erecting a firewall around your corporate applications. Sanjay Mehta, vice president of
sales and marketing at Breach Security, talks about how application security is different from your typical hacker countermeasures.
Network World.
Malicious microprocessor opens new doors for attack
For years, hackers have focused on finding bugs in computer software that give them unauthorized access to computer systems,
but now there's another way to break in: Hack the microprocessor. IDG News Service, 04/15/08.
Hackers open new front in payment card data thefts
Security managers often describe their efforts to protect corporate data from being compromised as a full-fledged battle of
wits against cybercrooks who are continually arming themselves with innovative tools and methods of attack. Computerworld,
04/17/08.
CEO subpoena scam fires up anew
After tricking several thousand executives into downloading malicious software earlier this week, online scammers started
up their subpoena phishing scam again Wednesday, but on a much smaller scale. IDG News Service, 04/17/08.
Malware threat lists slammed as 'useless'
Security vendor PC Tools has questioned the usefulness of the threat lists used by many security companies to warn of current
malware attacks. TechWorld, 04/16/08.
Myspace: Who Is Watching The Detectives Part 2
A few weeks ago, I wrote about a technique that could be used to track the people hunting bad guys on Myspace. Well, I was
curious how long this had been in circulation for. Thankfully, some of the people using this are pretty stupid so of course,
wandering through their photo galleries proved particularly useful. The SpywareGuide Greynets Blog, 04/16/08.
MiFare RFID crack more extensive than previously thought
The ubiquitous MiFare Classic RFID chip -- used daily by millions worldwide in access control keys, subway passes and other
applications -- is even easier to crack than previously thought, according to security researchers who announced the development
Tuesday at EuroCrypt, an international cryptography conference in Istanbul. Computerworld, 04/15/08.
Jason Meserve is multimedia editor at Network World.