News briefs: Cisco IOS security hole surfaces

Also: Nortel’s shake-up continues; hackers give samples of software that could be used to attack an unpatched Windows system; New Orleans to expand its wireless-mesh network; Iron Mountain is buying LiveVault; F-Secure acquiresnetwork-monitoring appliance vendor ROMmon.

• Security researchers last week said they discovered a hole in the Web-server code in Cisco’s IOS software. The vulnerability, as reported by the security organizations Secunia and SecurityFocus, could let a potential attacker view a memory dump of an IOS router via the HTTP server and inject script code into the router through the server. The vulnerability affects only Cisco routers running IOS HTTP servers, which are used as an alternative management interface to the text-based command line for configuring routers. Cisco said it was investigating the issue.

• Nortel’s shake-up continues. The company has dismissed two senior-level executives two weeks after a new CEO took up the reins of the troubled company. Brian McFadden, a 28-year Nortel veteran, and Sue Spradley, who had been at the company 18 years, left the telecom vendor early last week. McFadden had been chief research officer, and Spradley president of global services and operations. Nortel gave no reason for their departures. McFadden and Spradley follow ex-CEO Bill Owens and Enterprise Division President Malcolm Collins out the door. Nortel recently announced that Owens would be replaced by former Motorola COO Mike Zafirovski. Owens’ departure came five months after two ex-Cisco executives whom Nortel had tapped to be COO and CTO left the company after three months, following disputes with Owens. Owens is credited with getting Nortel back on track after an accounting scandal forced the company to restate years of financial results.

• Hackers have given network professionals more reasons to update users’ Windows PCs: samples of software that could be used to attack an unpatched Windows system. The latest examples, posted to the French Security Incident Response Team Web site, take advantage of the same two flaws that were exploited earlier in the week. One of these attacks, which can be used to crash a system, exploits a critical vulnerability in the way that Windows processes files saved in the Windows Metafile graphics format. Microsoft fixed this Metafile bug in its MS05-053 Security Update, released Nov. 8, so only customers who have not yet applied this patch are at risk from this new attack. The second attack targets a flaw in the Microsoft Distributed Transaction Coordinator (MSDTC), which was patched in October’s MS05-051 Security Update. The MSDTC is a component of the operating system that is commonly used by database software to help manage transactions.

• New Orleans officials last week announced an expansion of the city’s existing wireless-mesh network, which supports a system of police surveillance cameras. Using $1 million in donated equipment and software from Tropos, Pronto and Intel, the expanded mesh will eventually blanket the city, supporting a secure net for police and other city employees and offering free Internet access to all residents who have a computer with a wireless card. Its bandwidth will be 512K bit/sec as long as the city remains under a state of emergency. But bandwidth will drop to 128K bit/sec afterward, to comply with a state law restricting municipal broadband nets.

• Data-protection company Iron Mountain last week announced it is buying LiveVault, a provider of online server back-up and recovery services. The companies know each other well. Iron Mountain has been an investor in LiveVault since 2000 and owns nearly 14% of the company. Iron Mountain will pay about $42 million for the rest. The companies also have partnered for the past five years, with Iron Mountain serving as LiveVault’s largest sales channel. LiveVault offers disk-based backup and recovery for small and midsize companies and remote offices of larger companies. The company says it has more than 2,000 corporate customers. The buyout complements Iron Mountain’s acquisition last year of Connected Corp., a provider of PC back-up and recovery offerings.

• Finnish security vendor F-Secure has acquired network-monitoring appliance vendor ROMmon. The deal will give F-Secure a new device to add to its line of security products for ISPs. ROMmon’s product, renamed F-Secure Network Control Appliance, will eventually be integrated into new security products for ISPs. Terms of the deal were not disclosed.