Patches from Apple, Adobe, Microsoft and Cisco

* Phishing tool constructs new sites in two seconds * EEye: Sun update system exposes users, and other interesting reading

Today's bug patches and security alerts:

Apple fixes serious QuickTime flaws

Apple has patched a number of critical flaws in its QuickTime media player. The 7.2 update lets users of the free QuickTime Player view videos full screen, but it also carries a number of critical security fixes. In total, Apple addressed eight security vulnerabilities with the release, which was made public on Wednesday. IDG News Service, 07/11/07.

Apple advisory


Adobe fixes critical Flash bugs

Three critical vulnerabilities in Flash Player that could let hackers infect Windows, Mac OS X and Linux systems were patched yesterday by Adobe Systems Inc. The most dangerous of the trio was described by Adobe as an input validation error that could be exploited by attackers who duped users into visiting a Web site and fed them malicious Flash content there. "[This] could lead to the potential execution of arbitrary code," Adobe said in a security advisory posted late yesterday. Computerworld, 07/11/07.

Adobe advisory

US-CERT advisory


Active Directory flaw patched in Microsoft's July updates

Microsoft released six sets of security patches Tuesday that address critical flaws in its products, including a bug in Active Directory software. The software vendor also fixed critical vulnerabilities in Excel and the .Net Framework as well as less-critical bugs in Microsoft Office Publisher, Internet Information Services (IIS) and the Vista Firewall. The six updates addressed a total of 11 bugs. IDG News Service, 07/10/07.

Microsoft advisories:

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

Vulnerability in Windows Active Directory Could Allow Remote Code Execution

Vulnerabilities in .NET Framework Could Allow Remote Code Execution

Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution

Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution

Vulnerability in Windows Vista Firewall Could Allow Information Disclosure

Related US-CERT advisory


Cisco patches Unified Communications Manager and Presence Server

According to the Cisco advisory, "Cisco Unified Communications Manager (CUCM), formerly CallManager, and Cisco Unified Presence Server (CUPS) contain two vulnerabilities that could allow an unauthorized administrator to activate and terminate CUCM / CUPS system services and access SNMP configuration information. This may respectively result in a denial of service (DoS) condition affecting CUCM/CUPS cluster systems and the disclosure of sensitive SNMP details, including community strings." An update is available.

Cisco patches overflows in Unified Communications Manager

According to Cisco, "Cisco Unified Communications Manager (CUCM), formerly CallManager, contains two overflow vulnerabilities that could allow a remote, unauthenticated user to cause a denial of service (DoS) condition or execute arbitrary code." A patch is available.


Today's malware news:

Phishing tool constructs new sites in two seconds

Software developers like to make installation of their programs simple and quick. So do hackers. Analysts at RSA Security early last month spotted a single piece of PHP code that installs a phishing site on a compromised server in about two seconds, the vendor noted in its monthly online fraud report for June, released Tuesday. IDG News Service, 07/10/07.

Fake alert emails

The same gang that has been sending out malicious links in e-mail messages appearing to be greeting cards or 4th of July greetings has now added a new look and feel to its e-mail. The messages might also look like malware, Trojan or spyware alerts from a "Customer Support Center", and the e-mail talks about abnormal activity that has been seen from your IP address. All you supposedly have to do is click on the link and run the file to fix it, or else your account will be blocked. Needless to say, the downloaded file is malicious. F-Secure blog, 07/09/07.


From the interesting reading department:

EEye: Sun update system exposes users

Sun is putting millions of Java users at risk by staggering the release of security patches for the software, security vendor eEye Digital Security said Monday. To illustrate the problem, eEye points to a recent flaw in the Java Runtime Environment, used to run programs that are written in Java. IDG News Service, 07/10/07.

Who's to blame for browser bug? IE or Firefox?

A security researcher has found a bug that can be attacked through Internet Explorer. Mozilla, however, said it plans to patch the problem in its next Firefox software update. IDG News Service, 07/11/07.

Average zero-day bug has 348-day lifespan, exec says

The average zero-day bug has a lifespan of 348 days before it is discovered or patched, but some vulnerabilities live on for much longer, according to security vendor Immunity's CEO. IDG News Service, 07/09/07.

July State of Spam Report

As image spam continues its decline, the July State of Spam Report highlights more new techniques for delivering spam images, including PDF spam. This is spam that contains no real text in the body of the message (although it may contain word salad), but that has a PDF attachment. When opened, the PDF file is an ad or some other spam message. Symantec Security Response blog.
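The PDF-spam pattern described above, as an added example that is not part of the original article or of Symantec's report: a small Python heuristic that parses a MIME message with the standard library and flags it when a PDF is attached and the text body is either missing or word salad. The thresholds, the function-word list and the three sample messages are all constructed assumptions for this example, not data from the report.

```python
"""Heuristic detector for PDF spam: a PDF attachment plus an empty or
word-salad text body.  Added example; thresholds and samples are assumed."""
import re
from email import message_from_string
from email.message import Message

# Assumed thresholds, tuned only for the constructed samples below.
MIN_BODY_WORDS = 15            # fewer words than this counts as "no real text"
MIN_FUNCTION_WORD_RATIO = 0.2  # word salad of random nouns lacks normal
                               # function-word density (the, of, and, ...)
FUNCTION_WORDS = {
    "the", "a", "an", "and", "or", "of", "to", "in", "on", "for", "with",
    "is", "are", "was", "be", "it", "this", "that", "you", "your", "we",
    "i", "at", "by", "from", "as", "have", "has", "will", "can", "not",
}


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8",
                                         "replace"))
    return "\n".join(chunks)


def pdf_attachments(msg: Message) -> list:
    """Filenames of parts that are PDFs, by MIME type or .pdf extension."""
    names = []
    for part in msg.walk():
        fname = part.get_filename() or ""
        if part.get_content_type() == "application/pdf" or fname.lower().endswith(".pdf"):
            names.append(fname or "<unnamed>")
    return names


def looks_like_word_salad(text: str) -> bool:
    """True when the body is too short to be real text, or when it has
    almost no function words (a proxy for random dictionary-word filler)."""
    words = re.findall(r"[a-z']+", text.lower())
    if len(words) < MIN_BODY_WORDS:
        return True
    ratio = sum(w in FUNCTION_WORDS for w in words) / len(words)
    return ratio < MIN_FUNCTION_WORD_RATIO


def classify(raw: str) -> dict:
    """Parse one RFC 822 message and report the PDF-spam signals."""
    msg = message_from_string(raw)
    pdfs = pdf_attachments(msg)
    salad = looks_like_word_salad(body_text(msg))
    return {"pdf_attachments": pdfs,
            "empty_or_salad_body": salad,
            "pdf_spam": bool(pdfs) and salad}


# Constructed sample messages (not real spam captures).
PDF_SPAM = """\
From: "Stock Tips" <tips@example.invalid>
To: victim@example.invalid
Subject: your report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

velvet parrot ledger quantum bicycle amber sonnet trellis nimbus
fathom orchid tundra zephyr cobalt marble lantern harbor saffron
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJcOkw7zDtsOfCg==
--b1--
"""

LEGIT_PDF = """\
From: dana@example.invalid
To: team@example.invalid
Subject: Q2 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Hi team,

Please find attached the Q2 report that we discussed in the meeting on
Tuesday. Let me know if you have any questions about the numbers or the
format, and I will send a revised copy by the end of the week.

Thanks,
Dana
--b2
Content-Type: application/pdf; name="q2.pdf"
Content-Disposition: attachment; filename="q2.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJcOkw7zDtsOfCg==
--b2--
"""

SALAD_NO_PDF = """\
From: noreply@example.invalid
To: victim@example.invalid
Subject: hello
Content-Type: text/plain; charset="us-ascii"

velvet parrot ledger quantum bicycle amber sonnet trellis nimbus
fathom orchid tundra zephyr cobalt marble lantern harbor saffron
"""

if __name__ == "__main__":
    for name, raw in (("PDF_SPAM", PDF_SPAM), ("LEGIT_PDF", LEGIT_PDF),
                      ("SALAD_NO_PDF", SALAD_NO_PDF)):
        print(name, classify(raw))
```

The short-body branch is the weak spot: a one-line "see attached" from a colleague trips it, so in a real filter this signal would be weighted alongside sender reputation and attachment hashing rather than used on its own.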

With Postini, a business case for security at Google

Google believes that its consumer-grade Web applications represent the future of enterprise IT. But while Google is quick to trumpet its products' innovative features, the search giant hasn't said much about their security. Until recently, that is. IDG News Service, 07/09/07.

Opinion: Hackers keep an eye out for mobile opportunities

Mobile devices are slowly becoming the targets of hackers, but a more serious threat could be the arrival of the intriguing software-defined radio, which uses software instead of circuitry. Computerworld, 07/11/07.

Rogue DBA Steals, Sells Personal Info

Fidelity National Information Services says a database administrator responsible for enforcing data access rights at one of its subsidiaries sold the personal information of about 2.3 million consumers to a data broker. Computerworld, 07/09/07.


It looks like the spammers and scammers have found a way around CAPTCHA, the system that tries to verify a human user by asking them to type the text shown in a distorted image.

Gang blamed for credit card fraud losses nabbed

Four members of a south Florida-based criminal gang believed to have been responsible for more than $75 million in credit card fraud losses have been arrested by the U.S. Secret Service. Computerworld, 07/09/07.

Copyright © 2007 IDG Communications, Inc.
