Patches from Adobe, Microsoft, Cisco

* Patches from Adobe, Microsoft, Cisco, others * F-Secure warns of Saddam Hussein malware * Malware now hiding in search results, and other interesting reading

Today's bug patches and security alerts:

Adobe releases first set of patches for cross-site scripting vulnerability

Adobe late Tuesday released the first set of security patches to address the cross-site scripting vulnerability disclosed by European researchers late last year. The flaw allows Acrobat Reader v.7.0.8 and earlier versions to be exploited by hackers. Network World, 01/10/07.

Adobe advisory


Microsoft patches Office, IE flaws

Microsoft Tuesday released its first four patches of 2007 as part of its monthly security update cycle including three rated critical that effect Office and Windows. Network World, 01/09/07.

Microsoft advisories:

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

Vulnerability in Vector Markup Language Could Allow Remote Code Execution

Vulnerability in Microsoft Office 2003 Brazilian Portuguese Grammar Checker Could Allow Remote Code Execution

Related US-CERT advisory


Cisco warns of flaws in Unified Contact Center and IP Contact Center JTapi Gateway Vulnerability

According to an advisory from Cisco, "Cisco Unified Contact Center Enterprise, Cisco Unified Contact Center Hosted, Cisco IP Contact Center Enterprise, and Cisco IP Contact Center Hosted editions are affected by a vulnerability that may result in the restart of JTapi Gateway process. Until this process restarts, no new connections can be processed. Existing connections will continue to work. Cisco Unified Contact Center Express and Cisco IP Contact Center Express are not affected by this vulnerability." A free update is available.

Cisco warns of DLSw vulnerability

According to an advisory, "A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device." Workarounds are available.


US-CERT warns of MIT Kerberos flaws

According to the advisory, "The MIT Kerberos administration daemon contains two vulnerabilities that may allow a remote, unauthenticated attacker to execute arbitrary code."


Four new updates from rPath: (buffer overflow, code execution)

fetchmail (passwords in cleartext)

bzip2 (race condition, code execution)

xorg-x11 (denial of service)


Latest patch from Debian: (buffer overflow, code execution)


Four new updates from Mandriva:

xorg-x11 (denial of service) (buffer overflow, code execution) (buffer overflow, code execution)

avahi (denial of service)


Today's virus news:

F-Secure warns of Saddam Hussein malware

An e-mail virus is spreading with an attachment claiming to be the video of Saddam Hussein's hanging. The attachment is called "video_sadan.exe" and, obviously, should not be opened.


From the interesting reading department:

Malware now hiding in search results

Victims of malware infection often have little chance of researching what has hit them using search engine results, security company Prevx has discovered. TechWorld, 01/10/07.

Free hacker scan for universities, nonprofits

Web application security vendor Acunetix Wednesday announced it would make available for free a Web site security scan and reporting service to universities and nonprofit organizations. Network World, 01/10/07.

New PayPal key to help thwart phishers

Over the next few months, Ebay will be offering its PayPal users a new tool in the fight against phishers: a $5 security key. IDG News Service, 01/10/07.

Two charged with hacking LA traffic lights

Two men have been charged with illegal computer access after they allegedly hacked in to the Los Angeles city traffic center to turn off traffic lights at four intersections last August. IDG News Service, 01/10/07.


Copyright © 2007 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022