
Mozilla patches JavaScript flaw in Firefox

Patches from Apple, Oracle, Gentoo, others; Podcast: Better security for your applications; Malicious microprocessor opens new doors for attack, and other interesting reading

By Jason Meserve, Network World
April 17, 2008 08:50 AM ET

Mozilla patches Firefox JavaScript bug
Mozilla on Wednesday patched a single critical security vulnerability in the JavaScript engine of Firefox, updating the open-source browser to Version 2.0.0.14. Computerworld, 04/16/08.

Note: As of this writing, none of the three machines I run with Firefox have received the new update.

Mozilla advisory
**********

Cisco warns of NAC shared secret vulnerability
According to a Cisco advisory, "A vulnerability exists in the Cisco Network Admission Control (NAC) Appliance that can allow an attacker to obtain the shared secret that is used between the Cisco Clean Access Server (CAS) and the Cisco Clean Access Manager (CAM)." A free update is available.
**********

Apple patches $10,000 prize-winning bug
Apple has issued a security patch for its Safari Web browser, fixing the flaw that earned one security researcher US$10,000 at the CanSecWest security conference. The flaw was exploited by Independent Security Evaluators Researcher Charlie Miller to gain access to a MacBook Air computer three weeks ago. It lies in the WebKit open-source HTML rendering engine used by Safari and several other Mac OS X programs. IDG News Service, 04/16/08.

Apple advisory
**********

Oracle patches 41 security flaws in database and other products
Oracle released 41 security fixes for its flagship database and several other products Tuesday, including 15 patches for vulnerabilities that can be exploited remotely without a username or password. Oracle database products account for 17 security patches, two of which could be exploited remotely over a network without authentication. The rest of the fixes are spread across Oracle's Application Server, Collaboration Suite and E-Business Suite products, as well as Oracle’s PeopleSoft and Siebel software. Network World, 04/15/08.

Oracle advisory
**********

VMware updates packages
VMware has patched flaws in its pcre, net-snmp, and OpenPegasus modules, all of which could impact its ESX server system. Attackers could exploit the vulnerabilities to launch denial-of-service attacks or potentially run malicious code.
**********

FreeBSD releases OpenSSH patch
A flaw in the way OpenSSH passes information between IPv4 and IPv6 connections could be exploited to steal information passing through the flawed connection. FreeBSD has released an update for this issue.
**********

Two new fixes from Mandriva:

Kernel for Corporate 4.0 (multiple flaws)

python (buffer overflow, code execution)
**********

Three new patches from Gentoo:

libpng (code execution)

Opera (multiple flaws)

Asterisk (multiple flaws)
**********

From the interesting reading department:

Podcast: Better security for your applications
Application security is more than erecting a firewall around your corporate applications. Sanjay Mehta, vice president of sales and marketing at Breach Security, talks about how application security is different from your typical hacker countermeasures. Network World.

Malicious microprocessor opens new doors for attack
For years, hackers have focused on finding bugs in computer software that give them unauthorized access to computer systems, but now there's another way to break in: Hack the microprocessor. IDG News Service, 04/15/08.
