A new release of the Adobe PDF reader is available. It is purported to fix several security vulnerabilities and improve the user experience. While the security issues have not been disclosed you can read about the update at Adobe’s site:http://kb.adobe.com/selfservice/viewContent.do?externalId=kb403079&sliceId=1
A new version of Skype for Windows was released today. It addresses the cross site scripting issue that has been getting press lately. For more details see: http://www.skype.com/security/skype-sb-2008-001-update2.html
Updates for the Ubuntu kernel and for the apache2 server have been released. The kernel update fixes multiple vulnerabilities whihc could result in the corruption of the file system, Denial of Service conditions, bypassing certain security restrictions and the disclosure of sensitive information. Versions 6.10, 7.04 and 7.10 are vulnerable. The apache2 update addresses Cross Site Scripting and Denial of Service vulnerabilities on versions 6.06, 6.10, 7.04 and 7.10.
IBM’s DB2 UDB has been reported to have several new vulnerabilities. Successful exploitation could allow for privilege escalation, the bypassing of some security restrictions or Denial of Service conditions. A “FixPak” is available from IBM at: http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21256235. Details on the specific vulnerabilities can be found at: ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v82/APARLIST.TXT
A vulnerability has been identified in IpSwitch’s WS_FTP Server with SSH software. The vulnerability is a buffer overflow. It is possible to exploit this issue to cause a denial of server condition, and it may be possible to execute code. The vulnerability is confirmed in IpSwitch WS_FTP Server with SSH version 6.1. Other versions may also be affected.
Microsoft reported today that a previously unknown vulnerability in Excel is being actively exploited. According to the release the issue affects older versions of Excel, including Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for OS X. The exploit requires the victim to open a malicious Excel file in order for the exploit to execute.
There is currently no fix for this issue, other than being very careful about which Excel files are opened. Microsoft said that they are working on a fix that may come out before the next patch cycle.
Microsoft’s advisory is at: http://www.microsoft.com/technet/security/advisory/947563.mspx
The hits just keep coming! Apple has released another version of Quicktime this time around multiple vulnerabilities that may allow arbitrary code execution have been addressed. These include:
An error in the processing of embedded Macintosh Resource records within QuickTime movies.
Parsing errors of malformed Image Descriptor (IDSC) atoms.
A boundary error in the processing of compressed PICT images.
We recommend that everyone upgrade to QuickTime 7.4
See Apple’s full advisory at:
http://docs.info.apple.com/article.html?artnum=307301
As apart of their ongoing security program, Oracle has released their latest round of critical patches. Most versions of Oracle from 9i through 12 are affected in some manner and the vulnerabilities are unspecified. For full details visit their original advisory at:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html
We’re seeing reports of a new round of storm virus emails. This time they’re using valentine’s day to lure users to a site to download and run the malware. Otherwise it is essentially the same attack as before. We advise that you ensure all your email and virus defenses are running with the latest updates and that your users are reminded to ignore emails from unknown entities. They should also never download attachments from emails or web sites that are not explicitly trusted. There are plenty of potentially intriguing subjects that could be used to dup unsuspecting users. Things like winning Super Bowl tickets, checking out the latest American Idol videos, or even the latest news on the presidential campaign.
Apple released an update to Quicktime yesterday, and attackers wasted no time coming up with a new exploit for it. Already in the public is a proof of concept exploit for Quicktime 7.3.1.70. It seems that Apple still hasn’t fixed the root cause of the RTSP vulnerability.
In other news, a survey over the past year on Oracle admins found that only 1 in 3 Oracle database admins bother to patch their databases. 68% of the admins admitted to never applying any patches at all. If that is true, it’s rather frightening.