
In brief: The patch king

Aug 25, 2003

Plus: Oracle warns of hole in Oracle 9i Database Server, will add griddy goodness to app server; Citibank warns of bogus e-mail; Engim raises more bucks for wireless chips; FCC lets AOL stream video over IM; Palm to change name to PalmOne.

Seems like every week brings some new Microsoft patches. Last week was no different. The company released a patch for a number of flaws in its Internet Explorer Web browser, including two it rated critical for some versions of the browser, which could let an attacker take control of a user’s computer. It also released a patch for a flaw, rated important, in the Microsoft Data Access Components (MDAC) element of Windows.

The critical flaws affect Internet Explorer versions 5.01, 5.5, 6.0 and 6.0 SP1 (6.0 with Service Pack 1 installed), and could let an attacker run arbitrary code on a user’s system if the user visited a Web site or read an e-mail message in HTML designed to exploit the flaw, Microsoft said. Microsoft urged systems administrators to install the patch, described in Microsoft Security Bulletin MS03-032. The patch brings together all previously released fixes for the affected versions of Internet Explorer.

In a separate security bulletin, MS03-033, the company warned of an important vulnerability, its second-highest danger rating, in the MDAC element of Windows. The flaw in MDAC could let an attacker run arbitrary code on a vulnerable system – but to do so, he would need to set up a fake SQL server on the same subnet as the target system, Microsoft said. It encouraged customers to install the patch, which also includes a fix for an earlier vulnerability, reported in security bulletin MS02-040.

Trying to keep up with Microsoft in terms of security flaws discovered on a weekly basis, Oracle last week warned customers about security holes in versions of its Oracle 9i Database Server. The company released a software patch and Security Alert to fix “a set” of buffer overflows in the XML Database component of Oracle9i. The XML Database lets Oracle customers have queries to the Oracle database returned in XML format.

The vulnerability affects Oracle 9i Database Server Release 2. Customers running Release 1 or earlier versions of the 9i Database Server are not affected, the company said. A “knowledgeable and malicious” Oracle user could exploit the vulnerability to launch a denial-of-service attack that disrupts the Database Server’s operation or take control of an active user session on the Database Server, Oracle said. While the company said there were no interim workarounds that could be used before the patch is applied, customers who are not using the XDB features could disable XDB by modifying 9i Database Server configuration.

When it’s not issuing patches, Oracle said last week it would add grid-computing capabilities to a new version of its application server software, part of a broader effort to revamp its entire product line around the utility computing model. Analysts say the goal is worthy but don’t see customers rushing to build grids just yet. Oracle isn’t saying when it plans to ship the upgrade but already has a new name for it: Application Server 10g. Grid computing promises to let businesses treat groups of servers and storage equipment as if they were a single large machine, and to assign computing resources to applications on an as-needed basis. Proponents, which also include HP and IBM, say it will help businesses save money by letting them use computing resources more efficiently.

Citibank last week warned customers about fake e-mail circulating on the Internet that claimed to be from the bank but that was actually an attempt to scam customers into providing sensitive account information. The fake e-mail warned customers that their checking accounts could be blocked if they didn’t provide confidential information. This type of scam – sometimes called phishing – also hit Bank of America recently. Citibank said it’s working with law enforcement to track down the source of the fraudulent e-mail.

Engim, a fabless silicon design start-up that has designed a chipset to boost the capacity of wireless LAN access points by up to 50 times, has raised $18.5 million in a second round of equity financing. The latest cash infusion came from Engim’s existing investors, Matrix Partners and Bessemer Venture Partners, plus two new investors, Benchmark Capital, which led the latest round, and Adams Street Partners. First-round funding in late 2001 netted $16 million. Money from the second-round funding will be used to integrate the Engim chipset with WLAN access points, and to expand the chip technology into unnamed new markets and applications.

The FCC has lifted a restriction preventing AOL Time Warner from offering streaming video services over its instant-messaging software. The restriction “no longer serves the public interest, convenience, or necessity,” the FCC said. The agency noted that AOL Time Warner competitors such as Yahoo and Microsoft have gained ground in the instant-messaging market and have introduced their own advanced video services over instant messaging. The FCC imposed the restriction as a condition of AOL’s January 2001 marriage with Time Warner because it feared that AOL’s dominance in text-based messaging combined with Time Warner’s cable and programming assets would give the merged company an unfair advantage in the advanced instant-messaging services market.

Palm plans to call its handheld computing company PalmOne, following the anticipated spin-off of its operating system business later this year. The handheld computing company is focusing increasingly on converged handheld devices, aided by its proposed acquisition of Handspring. Palm announced its intention to buy the handheld rival in June, saying it planned to merge its Palm Solutions Group with Handspring to form a new company with a new name. That business, now unveiled as PalmOne, will encompass Palm’s Zire and Tungsten brands, and Handspring’s Treo line after the acquisition, Palm said. Palm’s operating system business, dubbed PalmSource, is due to be spun off later this year.