Symantec Backup Exec Vulnerability

Backup Exec System Recovery Manager versions 7.0 and 7.0.1 have been found to be vulnerable to a flaw that allows attackers to upload files without authentication. This can lead to the execution of arbitrary code. The attack vector is a specially crafted HTTP POST request. Symantec has released an advisory and update at: http://www.symantec.com/avcenter/security/Content/2008.02.04.html

HP Storage Essentials SRM Vulnerability

An undisclosed flaw has been discovered in HP’s Storage Essentials SRM. Exploitation can allow some unauthorized remote access and may lead to the execution of arbitrary code. All versions prior to 6.0.0 are vulnerable. HP’s original advisory is here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01316132

Sun Java Updates

Two vulnerabilities in the Java Runtime Environment have been announced. These may allow an applet to gain elevated privileges and could allow for the execution of arbitrary code. The affected releases are:

JDK and JRE 6 Update 1 and earlier
JDK and JRE 5.0 Update 13 and earlier

We recommend that you update your systems. The original advisory is at: http://sunsolve.sun.com/search/document.do?assetkey=1-66-231261-1

Ubuntu updates

Updates for the Ubuntu kernel and for the apache2 server have been released. The kernel update fixes multiple vulnerabilities which could result in the corruption of the file system, Denial of Service conditions, bypassing certain security restrictions and the disclosure of sensitive information. Versions 6.10, 7.04 and 7.10 are vulnerable. The apache2 update addresses Cross Site Scripting and Denial of Service vulnerabilities on versions 6.06, 6.10, 7.04 and 7.10.

IBM DB2 UDB Vulnerabilities

IBM’s DB2 UDB has been reported to have several new vulnerabilities. Successful exploitation could allow for privilege escalation, the bypassing of some security restrictions or Denial of Service conditions. A “FixPak” is available from IBM at: http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21256235. Details on the specific vulnerabilities can be found at: ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v82/APARLIST.TXT

WS_FTP Buffer Overflow Vulnerability

A buffer overflow vulnerability has been identified in Ipswitch's WS_FTP Server with SSH software. It is possible to exploit this issue to cause a denial of service condition, and it may be possible to execute arbitrary code. The vulnerability is confirmed in Ipswitch WS_FTP Server with SSH version 6.1. Other versions may also be affected.