
Patch-free month? Not so fast

Dec 15, 2003

* Delayed patch ends Microsoft's patch-free month early
* NGSSoftware warns of Sybase vulnerabilities
* Cisco declines to address security issue highlighted in our Tester's Challenge, and other interesting reading

Today’s bug patches and security alerts:

Delayed patch ends Microsoft’s patch-free month early

A glitch in Microsoft’s Windows Update automated patching service caused a security fix that was released last month to be delivered to computer users on Tuesday, the same day Microsoft proclaimed December would be a patch-free month. IDG News Service, 12/11/03.

Original Microsoft advisory:


NGSSoftware warns of Sybase vulnerabilities

NGSSoftware Insight Security Research is warning of a number of vulnerabilities in Sybase’s Adaptive Server Anywhere, the relational database core of SQL Anywhere Studio 8. Issues found include format string, buffer overflow, denial-of-service and other vulnerabilities. For more, go to:


Gentoo, Slackware patch cvs

A flaw in versions of the cvs server prior to 1.11.10 could be exploited to create directories and files at the root level of the affected machine. For more, go to:

Gentoo patches gnupg

A flaw in the way gnupg deals with type 20 ElGamal sign+encrypt keys could allow for an unauthorized user to recover private keys from a signature. For more, go to:


Mandrake Linux patches net-snmp

According to an alert from Mandrake Linux, “A vulnerability in Net-SNMP versions prior to 5.0.9 could allow an existing user/community to gain access to data in MIB objects that were explicitly excluded from their view.” For more, go to:


Today’s roundup of virus alerts:

Scold.A — A worm that’s designed to “collapse computers and networks”, Scold.A spreads via e-mail and creates copies of itself on the infected machines. (Panda Software)

Alphx.B — Spreads via AOL Instant Messenger. It contacts everyone in the infected machine’s buddy list inviting them to visit a Web page, where the malicious code is downloaded to the target machine. (Panda Software)

W32/Agobot-BM — A backdoor Trojan that connects to an IRC server to listen for commands from an attacker. The virus disguises itself as the Windows Media Player application. (Sophos)


From the interesting reading department:

Tester’s Challenge: Dumb defaults update

Our inaugural Tester’s Challenge called on vendors, particularly Cisco, to address why their products still support insecure access and management protocols – such as earlier versions of Secure Shell, SNMP and HTTP – out of the box. Network World, 12/15/03.

Review: ArcSight’s flexibility and interface help it lead the pack of security data organizers

We test security event management tools from ArcSight, e-Security, Network Intelligence, Tenable Network Security and netForensics. Network World, 12/15/03.

Vendors bulk up patch management

Patch management vendors BigFix and LanDesk are upgrading their software to meet corporate demand for more-comprehensive tools that go beyond the discovery and installation of new patches. Network World, 12/15/03.

2004 seen bringing more, worse cyberattacks

The New Year will offer weary network administrators little respite from a new generation of Internet worms, viruses and targeted hacks that appeared in 2003, according to security experts. IDG News Service, 12/11/03.

Remote access finds another option

IP Dynamics is announcing an enterprise network version of its carrier-class software that creates secure connections over the Internet – an alternative to Secure Sockets Layer and IP Security remote-access technologies. Network World, 12/15/03.

Microsoft readies Windows XP Service Pack 2 beta

Microsoft is gearing up for the first beta test of a set of updates for Windows XP designed to bolster the operating system’s security and add features such as support for the latest version of Bluetooth and a new wireless LAN client. IDG News Service, 12/11/03.

InfoSecurity Conference focuses on management, mobility

“Management” and “mobility” were words on the tips of many attendees’ tongues at the InfoSecurity 2003 Conference and Exhibition in New York, as leading security technology vendors displayed products for managing security devices, combating spam and securing mobile devices. IDG News Service, 12/12/03.