
Patch Tuesday Lite on tap from Microsoft

Patches from Microsoft, VMware, Ubuntu, others; Hackers launch PDF attacks, exploit just-patched Reader bug; Android may not need antivirus software, researcher says; and other interesting reading

By Jason Meserve, Network World
November 10, 2008 08:48 AM ET

Microsoft plans puny patch slate next week
Microsoft Thursday said it will release only two security updates on Tuesday -- down from the 11 issued in October's mammoth Patch Tuesday -- to fix bugs in Windows and Office. One of the two will be rated "critical," Microsoft's highest threat ranking, while the other will be tagged as "important," the next-lowest rating. Both of the updates will address vulnerabilities that can be used to execute remote code, a description that generally means hackers could leverage the bugs in order to plant their own malicious code on vulnerable PCs, often by convincing users to open a file attachment or tricking them into visiting a rogue Web site. Computerworld, 11/06/2008.

Microsoft advanced advisory
**********

VMware patches Hosted products and ESX/ESXi
According to the VMware advisory, "VMware Hosted products and patches for ESX and ESXi resolve multiple security issues. A flaw in the CPU hardware emulation may allow for a privilege escalation on virtual machine guest operating systems. In addition a directory traversal issue is resolved."
**********

Three new patches from Ubuntu:

Dovecot (denial of service)

Netpbm (buffer overflow, code execution)

Tk (buffer overflow, code execution)
**********

Two new updates from Debian:

net-snmp (multiple flaws)

mysql-dfsg-5.0 (bypass authorization)
**********

Two new fixes from Mandriva:

Ruby (multiple flaws)

kernel 2.6 (multiple flaws)
**********

Today's malware news:

Hackers launch PDF attacks, exploit just-patched Reader bug
Attackers are exploiting one of the vulnerabilities in Adobe Reader that was patched earlier this week, a security researcher warned Friday as he urged users to update as soon as possible. Computerworld, 11/07/2008.

Thousands hit in broad Web hack
Hackers have launched a massive Web hacking campaign, putting malicious links on as many as 10,000 servers, security vendor Kaspersky Lab warned Friday. IDG News Service, 11/08/2008.
**********

From the interesting reading department:

Rape Support Site Hacked, Becomes A Home For Phishers
This is a particularly thoughtless and poor-taste hack. This is Rapecrisiscenter.org, a support site for people in the Central Massachusetts area. Unfortunately, the site has apparently suffered multiple attacks which may or may not be related. The SpywareGuide Greynets Blog, 11/6/2008.

Stopping PDF Malware At The Network
Because of the ease and low level of attacker interaction required, exploiting a system through the web browser and active browser plugins is a drastically rising trend. Keeping patches and AntiVirus products updated is a must. Keeping your NIPS devices properly tuned for your environment is often another effective and efficient way to prevent these exploits before protection via software patch or AV signatures is available. IBM Internet Security Systems Frequency X blog, 11/5/2008.

Researchers Hijack Storm Worm to Track Profits
A single response from 12 million e-mails is all it takes for spammers to turn annual profits of millions of dollars promoting knockoff pharmaceuticals, according to an unprecedented new study on the economics of spam. Washington Post Security Fix, 11/6/2008.
