Two denial of service vulnerabilities were reported in Linux kernels prior to 2.6.23.8 this weekend.

The first is caused by a design flaw in the “wait_task_stopped()” function. It is locally exploitable by manipulating the state of a child process. Kernel version 2.6.24-rc1 is also known to be vulnerable. See CVE-2007-5500 for more details.

The second involves a design flaw in the “write_queue_from” which creates a NULL-pointer issue. This vulnerability is remotely exploitable by sending the system a specially crafted ACK packet. See CVE-2007-5501 for more details.

The original advisory can be viewed at:
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23.8

A new samba patch was released yesterday to address two buffer overflows. The first allows for the execution of arbitrary code when the WINS support option is enabled. An attacker would send specially crafted WINS requests to take advantage of this vulnerability. The second d can be exploited by sending a specially crafted GETDC mailslot request. For this second exploit to succeed samba must be configured as a Domain Controller. Samba versions 3.0.0-3.0.26a are know to be vulnerable to these issues.
The original advisory and patches are available at:
http://us1.samba.org/samba/history/security.html

Apple has released new security updates for Mac OS X. The updates address a variety of issues including vulnerabilities in the Adobe Flash Player, AppleRAID, BIND, FTP, the kernel and various sub-systems. Successful exploitation of these issues could lead to system access, privilege escalation, Denial of Service issues, etc.

All users are strongly encouraged to update to Mac OS X 10.4.11 or apply Security Update 2007-008.

Full details can be found in the original Apple advisory:
http://docs.info.apple.com/article.html?artnum=307041

Yesterday was patch Tuesday for Microsoft. This time around only two security fixes were released, one of them fixed a critical issue though. That would be MS07-061, which is known to be exploitable. The exploit allows command execution on the host, so this is a very important update. Make sure all desktop systems are patched immediately. The other updates fixes a potential DNS spoofing issue, described in MS07-062.

Avaya is getting hit again with multiple vulnerabilities. Over the past month, there have been several, so it’s pretty obvious that attackers are digging deep into Avaya’s systems. Fortunately these new vulns are limited to DoS and local information leakage. The DoS affects  Avaya CM 3.0, Intuity, MSS, Message Networking, CCS/SES, and AES. The info leakage issue affects Avaya CMS R12, R13(.1), R14, and Avaya IR 1.3 and 2.0, on Solaris 8, and 2.0 and 3.0 on Solaris 10. All of these issues have already been fixed by Avaya, get the latest versions if you haven’t already.

An exploit has been released into the wild that takes advantage of an Internet Explorer bug described in MS-07-055. The exploit currently only works on Windows 2000 with IE 5.0, 5.5 and 6.0 SP1, but attackers are sure to be working on a version for XP which would cause a much larger issue. Vista is not affected by this vulnerability, so if you’re running on that platform, there’s no cause for alarm here.

Some new tools have also been released into the public. The Metasploit project is continuing to be developed, and causing headaches for system admins everywhere. A new version was released in beta, so look forward to new exploits being developed for that framework. Some new SIP attack tools were also released. SIPVicious is an attackers tool package that’s able to scan, war dial and crack SIP PBX’s. VOIP is still getting hit hard, and we don’t see any calming in the future.

Oracle Database 10g Release 2 is vulnerable to a buffer overflow. This vulnerability is due to an error in the processing of the NAME and OWNER arguments sent to the XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure. If the combined length of the two arguments is of a certain length, a buffer overflow will occur and allow the execution of arbitrary code. This vulnerability can only be exploited by authenticated users. Oracle has a fix slated for release in the next Critical Patch Update.

An exploit has been released for an AIX format string vulnerability. The exploit is coded to address CVE-2006-4254. A patch has been available for quite some time. If you’re an admin of an AIX system and haven’t applied any APAR’s lately, now would be the time to consider doing it.