Today's bug patches and security alerts:
New Cisco advisory outlines fix for ARP storms on wireless LANs
Cisco has just released a new security advisory that details what caused the address storms that recently afflicted Duke University's wireless net. The advisory, posted on the company’s Web site, says that Cisco’s wireless LAN controllers have "multiple vulnerabilities in the handling of Address Resolution Protocol (ARP) packets." These vulnerabilities "could result in a denial of service (DoS) in certain environments." The vendor is offering free software to patch this problem, and notes that "there are workarounds to mitigate the effects of these vulnerabilities."
**********
Users urged to patch serious hole in BIND 9 DNS server
A security researcher has reported a serious vulnerability in BIND 9, the software widely used in the Internet's DNS addressing system. The vulnerability in BIND 9 could allow an attacker to force the DNS server to return an incorrect Web site to a user, a trick known as DNS cache poisoning, or pharming. IDG News Service, 07/25/07.
SANS Internet Storm Center advisory
Patches:
**********
Researchers claim first iPhone vulnerability; exploit steals data, operates phone
Three security researchers claimed Sunday that they have found the first exploitable vulnerability in Apple's iPhone, a flaw that allows them to steal any data from the device or even to turn it into a remote surveillance tool. Computerworld, 07/23/07.
Also:
Consumer Reports: iPhone Hacking Raises Security Concerns for all Smartphone Users
**********
Researcher publishes attack code for Mozilla flaw
Mozilla is working on patching its Firefox browser after a hacker posted details of a flaw that could let criminals run unauthorized software on a victim's machine. The flaw lies in Firefox's URL handler component, which was the source of another bug, disclosed Tuesday by Mozilla. IDG News Service, 07/25/07.
Blog: Remote Command Execution in FireFox et al
**********
Five new updates from Gentoo:
MPlayer (multiple buffer overflows, code execution)
MIT Kerberos 5 (code execution, root privileges)
Festival (privilege escalation)
GIMP (multiple integer overflows, code execution)
**********
Two new patches from Debian:
tcpdump (integer overflow, code execution)
**********
Five new fixes from Debian:
**********
Today's malware news:
There's a fairly large seeding of Trojan-Downloader.Win32.Agent.brk going on. The e-mail messages that are sent typically contain funny.zip as the attachment. E-mail subjects vary but are typically "spammy" in nature. F-Secure Blog, 07/25/07.
Poisoned Web sites soar sixfold, Sophos says
The number of infected Web pages has soared nearly sixfold since the first of the year, according to security company Sophos. Detailed in a just-released threat report, the spike shows just how widespread Web attacks have become, Sophos said today. In June, the company detected an average of almost 30,000 newly-infected pages each day; earlier in the year, the tally was as low as only 5,000 new pages daily. Computerworld, 07/25/07.
**********
From the interesting reading department:
Black Hat/Defcon hackfests next week promise rollicking action
Rigorous and sometimes raw disclosure of network vulnerabilities will all be part of the action at next week’s back-to-back hackfests, Black Hat and Defcon in Las Vegas. Network World, 07/23/07.
Study: Largest vendors account for fewer software flaws
The top 10 most vulnerable software vendors are contributing a smaller percentage of all vulnerability disclosures per year compared to five years ago, a study by IBM's Internet Security Systems X-Force team has found. Computerworld, 07/25/07.
Free security tool ferrets out unpatched software
A Danish security vendor is offering a free tool designed to inform users when their applications need patching. IDG News Service, 07/24/07.
McAfee sets Rootkit Detective free
The freeware program promises the ability to find and remove so-called rootkits -- self-cloaking malware attacks that install themselves as kernel modules or drivers and are most often used to hide other types of threats such as keyword-logging programs -- and send data about the attacks that are discovered back to McAfee. Computerworld, 07/25/07.
'Dangling pointers' more dangerous than thought, says security vendor
An issue largely ignored because the security risk was deemed only theoretical might soon become a significant and dangerous security risk, according to Web application security vendor Watchfire. Computerworld, 07/23/07.
Ransomware
How do you protect yourself? Keep your data backed up -- often -- in a manner that cannot be infected by ransomware. Keep multiple backup sets so you can restore your data to some point in the past, not just the last time a backup was made (your last backup may contain the infection). Gibbsblog, 07/23/07.
Fox News server found unsecured
Security analysts spotted a gaping security hole in Fox News Network's Web site on Monday, revealing file directories and sensitive content, although it appears the problem has been fixed. IDG News Service, 07/23/07.
Online communities a godsend for IT managers, survey says
Study shows IT managers who participate in online communities for troubleshooting, systems and security management, and application deployment benefit professionally by saving time when solving IT problems. Network World, 07/23/07.
A lesson from an answering machine: the importance of input anchoring in password recognition
I recently made a discovery that shows the importance of anchoring the input when trying to match a password. By this I mean that there should be no extra characters accepted either before or after the password (i.e., no extra characters that could be part of the password). Unanchored matching greatly weakens the defense against brute forcing the password. Symantec Security Response Weblog, 07/24/07.
Black Hat: Researchers say forensics software can be hacked
The software that police and enterprise security teams use to investigate wrongdoing on computers is not as secure as it should be, according to researchers at iSec Partners Inc. Network World, 07/25/07.