Researchers have stumbled on yet another vulnerability in a Windows operating system. Vista users could be at risk of having malicious code run on their system if hackers figure out how to exploit a pair of buffer overflow vulnerabilities in Vista's Device IO Control, according to researchers at Phion. Microsoft has yet to comment on the findings, but the next scheduled patch cycle is still two weeks away.
Researchers find vulnerability in Windows Vista
An Austrian security vendor has found a vulnerability in Windows Vista that it says could possibly allow an attacker to run
unauthorized code on a PC. The problem is rooted in the Device IO Control, which handles internal device communication. Researchers
at Phion have found two different ways to cause a buffer overflow that could corrupt the memory of the operating system's
kernel. IDG News Service, 11/20/2008.
No updates or workaround available from Microsoft yet.
**********
Apple patches 12 iPhone bugs, adds Street View, podcast downloads
Apple Inc. early today released iPhone 2.2, the first update to the phone's firmware in more than two months, patching a dozen
security vulnerabilities and adding several new features, including Google Street Views to the device's mapping tool. Computerworld,
11/21/2008.
Apple: iPhone OS 2.2 and iPhone OS for iPod touch 2.2
**********
Three new patches from Mandriva:
kernel for 2009.0 (multiple flaws)
libcdaudio (heap overflow, code execution)
kernel for Corporate 4.0 (multiple flaws)
**********
Three new updates from rPath:
httpd mod_ssl for rPath Linux 1 (multiple flaws, denial of service)
httpd mod_ssl for rPath Linux 2 (multiple flaws, denial of service)
gvim (multiple flaws, code execution)
**********
Today's malware news:
Symantec sees spike in dangerous Microsoft attacks
Symantec is warning of a sharp jump in online attacks that appear to be targeting a recently patched bug in Microsoft's Windows
operating system, an analysis that some other security companies disputed Friday. IDG News Service, 11/22/2008.
Symantec: Increase in Exploit Attempts Against MS08-067
Three malware types in a single strain
PandaLabs, Panda Security's laboratory for detecting and analyzing malware, has warned about the appearance of a fake email
message from Brazil's Federal Police being used to spread Banbra.GDB. This new malware strain has characteristics of three
different types of malicious code: downloader Trojans, banker Trojans and spammer worms. Panda Security, 11/22/08.
Old worm infects Department of Defense computers
Department of Defense computers have been hit with an old worm that the DoD won't discuss other than to say it is taking steps
to mitigate its effects. One report identified the virus as W32/SillyFCD-W, which spreads via thumb drives that move from
machine to machine. Network World, 11/21/2008.