Today's bug patches and security alerts:
Adobe releases first set of patches for cross-site scripting vulnerability
Adobe late Tuesday released the first set of security patches to address the cross-site scripting vulnerability disclosed by European researchers late last year. The flaw allows Acrobat Reader v.7.0.8 and earlier versions to be exploited by hackers. Network World, 01/10/07.
**********
Microsoft patches Office, IE flaws
Microsoft Tuesday released its first four patches of 2007 as part of its monthly security update cycle, including three rated critical that affect Office and Windows. Network World, 01/09/07.
Microsoft advisories:
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
Vulnerability in Vector Markup Language Could Allow Remote Code Execution
**********
Cisco warns of flaws in Unified Contact Center and IP Contact Center: JTapi Gateway Vulnerability
According to an advisory from Cisco, "Cisco Unified Contact Center Enterprise, Cisco Unified Contact Center Hosted, Cisco IP Contact Center Enterprise, and Cisco IP Contact Center Hosted editions are affected by a vulnerability that may result in the restart of JTapi Gateway process. Until this process restarts, no new connections can be processed. Existing connections will continue to work. Cisco Unified Contact Center Express and Cisco IP Contact Center Express are not affected by this vulnerability." A free update is available.
Cisco warns of DLSw vulnerability
According to an advisory, "A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device." Workarounds are available.
**********
US-CERT warns of MIT Kerberos flaws
According to the advisory, "The MIT Kerberos administration daemon contains two vulnerabilities that may allow a remote, unauthenticated attacker to execute arbitrary code."
**********
Four new updates from rPath:
OpenOffice.org (buffer overflow, code execution)
fetchmail (passwords in cleartext)
bzip2 (race condition, code execution)
**********
Latest patch from Debian:
OpenOffice.org (buffer overflow, code execution)
**********
Four new updates from Mandriva:
OpenOffice.org (buffer overflow, code execution)
OpenOffice.org (buffer overflow, code execution)
**********
Today's virus news:
F-Secure warns of Saddam Hussein malware
An e-mail virus is spreading with an attachment claiming to be the video of Saddam Hussein's hanging. The attachment is called "video_sadan.exe" and, obviously, should not be opened.
**********
From the interesting reading department:
Malware now hiding in search results
Victims of malware infection often have little chance of researching what has hit them using search engine results, security company Prevx has discovered. TechWorld, 01/10/07.
Free hacker scan for universities, nonprofits
Web application security vendor Acunetix Wednesday announced it would make available for free a Web site security scan and reporting service to universities and nonprofit organizations. Network World, 01/10/07.
New PayPal key to help thwart phishers
Over the next few months, eBay will be offering its PayPal users a new tool in the fight against phishers: a $5 security key. IDG News Service, 01/10/07.
Two charged with hacking LA traffic lights
Two men have been charged with illegal computer access after they allegedly hacked into the Los Angeles city traffic center to turn off traffic lights at four intersections last August. IDG News Service, 01/10/07.