Oracle emergency patch and a Microsoft Dozen

Patches from Oracle, Microsoft, Gentoo, others Fake-CNN spam mutates as attacks Court halts subway hacker talk, and other interesting reading

Oracle issues out-of-cycle patch for flaw
Oracle has released an emergency patch for a flaw the company issued a rare security alert for last week. Administrators should not apply the work-arounds the company previously recommended and apply the patch, Oracle said.

Oracle advisory
**********

A dozen patches from Microsoft this week
Microsoft Corp. today said it will deliver a dozen security updates next week to fix critical vulnerabilities in Windows, Office, Internet Explorer (IE) and the media player bundled with Vista. Of the 12 updates it sketched out in the advance notification issued this morning, Microsoft pegged seven as "critical," its highest threat rating. The remaining five were labeled "important," the second-highest ranking. Computerworld, 08/07/2008.
**********

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Oracle issues out-of-cycle patch for flaw
Oracle has released an emergency patch for a flaw the company issued a rare security alert for last week. Administrators should not apply the work-arounds the company previously recommended and apply the patch, Oracle said.

Oracle advisory
**********

A dozen patches from Microsoft this week
Microsoft Corp. today said it will deliver a dozen security updates next week to fix critical vulnerabilities in Windows, Office, Internet Explorer (IE) and the media player bundled with Vista. Of the 12 updates it sketched out in the advance notification issued this morning, Microsoft pegged seven as "critical," its highest threat rating. The remaining five were labeled "important," the second-highest ranking. Computerworld, 08/07/2008.
**********

ActiveX Vulnerabilities: Even When You Aren't Vulnerable, You May Be Vulnerable
Recently, we came across a rather unfortunate exploit case for the Access Snapshot Viewer ActiveX Vulnerability that took advantage of a property of the ActiveX system to exploit IE users who did not have the vulnerable control installed. How does one exploit a vulnerability that does not exist on a system you say? Sadly, attackers have found a way to install the vulnerable Access Snapshot Viewer ActiveX control through Internet Explorer prior to exploiting it. Symantec Security Response blog, 08/06/2008.
**********

Five new patches from Gentoo:

ISC DHCP (buffer overflow, denial of service)

OpenLDAP (denial of service)

stunnel (authentication bypass)

ClamAV (multiple flaws)

libxslt (heap overflow, code execution)
**********

Four new updates from Mandriva:

Python for Mandriva 2007.1 and greater (multiple flaws)

Python for Corporate 4.0 (multiple flaws)

qemu (multiple flaws)

rxvt (denial of service)
**********

Today's malware news:

SQL Injection Attacks Targeting Chinese-oriented Sites
With all the attention on China these days, especially in conjunction with the Beijing 2008 Olympics Games, and with 'China' being one of the more popular search engine keywords at the moment, it makes sense for malware writers to focus their attention on the Chinese web -- and we've been seeing some interesting examples of SQL injection attacks specifically targeting website designed for a Chinese audience, whether from the mainland or overseas. F-Secure, 08/08/2008.

Fake IE7 Downloads Advertised Via EMail
There seem to be quite a few of these in circulation over the past day or so. Microsoft does not send out EMails asking you to download files from random, non-Microsoft Web sites. The SpywareGuide Greynets Blog, 08/07/2008.

Fake-CNN spam mutates as attacks continue
The massive attack that has infected PCs by tricking users into clicking links in fake messages from CNN.com shows little sign of ending soon, security researchers said Friday. Computerworld, 08/09/2008.
**********

From the interesting reading department:

Researcher: Intel fixed two critical flaws in its chips
A Russian researcher who plans to demonstrate this fall how he could take advantage of flaws in Intel Corp.'s chips, said the chip maker has told him it has fixed two critical bugs. Computerworld, 08/08/2008.