Flash exploit or not?

Patches from Mandriva, Gentoo, rPath, others; Motorola Razr vulnerability; Six hours to hack the FBI (and other pen-testing adventures); and other interesting reading

By Jason Meserve, Network World
May 29, 2008 08:40 AM ET
Flash exploit?
There's been some debate about the seriousness of an exploit and flaw found in Adobe's Flash player. F-Secure is reporting there is a SQL injection attack in the wild exploiting a flaw found earlier this month, while Symantec is backing off claims of a newer exploit. Either way, stay tuned for an update from Adobe to Flash Player.

F-Secure: Flash w/ SQL

Symantec backtracks on Adobe Flash warning
**********

Apple updates Leopard, issues 68 fixes
More than three months after it last updated Mac OS X, Apple Inc. today released 10.5.3, an upgrade for its Leopard operating system that boasts nearly 70 stability, compatibility and security improvements and fixes. Apple did not include patches for two of three iCal vulnerabilities that were made public a week ago, however. Computerworld, 05/28/2008.

Apple advisory
**********

Cisco patches CiscoWorks Common Services
CiscoWorks Common Services, found in many of the company's unified communications products, contains a flaw that remote attackers can exploit to run malicious code. A free update is available.
**********

Mozilla makes Firefox 3.0 bug-fix decision
Mozilla decided Tuesday to roll out a second release candidate for Firefox 3.0 that will include fixes for about 40 bugs. The alternative was to declare the open-source browser good "as is," then patch the problems with a later update. Computerworld, 05/27/2008.

Firefox 3.0 status update
**********

Two new fixes from Mandriva:

OpenSSL (multiple flaws in key generation)

gnutls (denial of service, code execution)
**********

Three new patches from rPath:

php (multiple flaws)

emacs (malicious code execution)

evolution (format string code execution)
**********

Two new updates from Gentoo:

Roundup (permission bypass)

GnuTLS (denial of service, code execution)
**********

Today's malware news:

Motorola Razr Vulnerability
TippingPoint has reported a JPEG processing stack overflow vulnerability affecting firmware-based Motorola Razr phones. The vulnerability was discovered last summer. New Razr shipments will not be affected, as Motorola has produced a fix for the issue. The vulnerability allows remote attackers to execute arbitrary code on vulnerable firmware-based Motorola Razr cell phones. 05/28/2008.

Content Match OVERLOAD
You've seen it a thousand times before in malware infections. A Trojan Downloader that installs another Trojan Downloader which installs blah blah blah until you have a Russian Doll scenario. By the time you notice you're being attacked, it's probably already too late. The trojan in question here is called Trojan.Bind. The SpywareGuide Greynets Blog, 05/28/2008.

"Dear Google AdWords Customer"
Sometimes it can be quite hard to spot a phishing site at first glance. F-Secure, 05/27/2008.

Romanian Whack-A-Mole and Linux Bots
It doesn't always have to be the latest and greatest zero-day exploit that causes you to lose control of your computer or server to external attackers. Today's example comes in the relatively ancient form of brute force SSH. F-Secure, 05/27/2008.
