
Microsoft re-issues two patches

Patches from Ubuntu, Debian, Gentoo, others; Microsoft: We took out Storm botnet; CNN site hit by China attack; and other interesting reading

By Jason Meserve, Network World
April 24, 2008 08:43 AM ET

Critical holes newly fixed for Internet Explorer and Windows
Microsoft has re-issued two patches. One patch, originally issued during the April Patch Tuesday, is rated critical and affects all recent versions of Internet Explorer. The vulnerability is known as the "data stream handling memory corruption vulnerability." It could enable remote code execution because of the way that IE processes data streams. If a user visits a Web page that exploits the vulnerability, it could allow the attacker to gain the same user rights as the logged-in user. Microsoft Subnet, 04/23/08.

Updated patch bulletins:

Vulnerabilities in .NET Framework Could Allow Remote Code Execution

Cumulative Security Update for Internet Explorer
**********

Asterisk patches critical flaw
A flaw in the way the Asterisk PBX handles certain handshake sequences could be exploited to hijack calls. A fix is available.
**********

Two new updates from Ubuntu:

Gnumeric (buffer overflow, code execution)

Firefox (JavaScript flaw, code execution)
**********

Three new patches from Debian:

iceweasel (JavaScript flaw, code execution)

roundup (code injection)

ikiwiki (cross-site forgery)
**********

Four new fixes from Gentoo:

Openfire (denial of service)

VLC (buffer overflow, code execution)

DBmail (information disclosure)

CUPS (integer overflow, code execution)
**********

Today's malware news:

Microsoft: We took out Storm botnet
Microsoft today took credit for crushing the Storm botnet, saying that the malware search-and-destroy tool it distributes to Windows users disinfected so many bots that the hackers threw in the towel. Computerworld, 04/22/08.

Hackers jack thousands of sites, including UN domains
Large numbers of legitimate Web sites, including government sites in the U.K. and some operated by the United Nations, have been hacked and are serving up malware, a security researcher said today as massive JavaScript attacks last detected in March resume. Computerworld, 04/23/08.
**********

From the interesting reading department:

FAQ: Windows XP SP3 ships - finally
Microsoft Monday finally slapped a "Done" sticker on Windows XP Service Pack 3 (SP3) and pushed it out the door. The designation of SP3 as RTM, for "release to manufacturing," wasn't much of a surprise, given how the company's schedule leaked last week. Computerworld, 04/21/08.

PayPal denies plan to block Safari
PayPal has denied claims it plans to lock Safari users out of its online payments service as it reinforces its protections against online credit fraud. Mac World, 04/21/08.

Obama site hacked, redirects clicks to Clinton's site
A cross-site scripting vulnerability in the social networking section of Sen. Barack Obama's campaign site was exploited over the weekend to redirect users to the URL of rival Sen. Hillary Clinton (D-N.Y.), researchers claimed today. Computerworld, 04/21/08.

Mac hack contest bug had been public for a year
When Charlie Miller won $10,000 for hacking into a Macbook Air laptop last month, he exploited a flaw that had been publicly disclosed nearly a year before the contest. IDG News Service, 04/22/08.
