Archive for January, 2008
Every three months Oracle releases security patches for flaws in its software products. Next Tuesday Oracle will release its first Critical Patch Update of 2008, containing 7 security fixes, some of which affect several products. By Oracle's standards this is a light release: last October the company patched 51 vulnerabilities. None of the database vulnerabilities can be exploited over a network without the attacker first obtaining a username and password for the database, so they matter most where default or shared accounts are still in use. Products covered by the fixes are E-Business Suite, Oracle Application Server, the PeopleSoft and JD Edwards products, Oracle Enterprise Manager and the Oracle Collaboration Suite.
|
Filed Under (Windows) by Telix on January-11-2008
After a small number of customer reports, Microsoft admitted that it sent a Vista patch to the wrong users. The update was one of three prerequisites for SP1 unveiled Tuesday and was supposed to be offered only to Vista Enterprise and Vista Ultimate machines, since it targeted BitLocker, the full-drive encryption technology bundled with those premium editions of the operating system. Instead, the update was also offered to PCs running Vista Home Basic and Home Premium. Company representatives state that customers who installed the initial release of the update on editions other than Ultimate or Enterprise should not be concerned, as the update has no negative impact on their systems.
|
According to McAfee, Microsoft's Live SkyDrive file-sharing service, previously known as Windows Live Folders, has been under spam attack. Spammers have found a way to hide spam URLs inside hosted HTML files. The reason SkyDrive pages are targeted is simple: it is a trusted Microsoft domain, so links to it pass domain-reputation filters, and it offers 1 GB of file space at no monthly cost. McAfee predicts that the spam links will turn into any one of a number of redirect scams in the near future if left alone. The question is how long this evidently weak Microsoft service will last, given strong competition that includes Google.
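The abuse described above works because the visible link points at a trusted host while the hosted file sends the visitor elsewhere. As an added example (not code from the original post, McAfee or Microsoft), the scanner below pulls every outbound link, meta-refresh and JavaScript redirect out of an HTML file and reports the ones that leave the hosting domain. The sample page, the hosting domain `skydrive.example` and the spam hosts are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Common JavaScript redirect forms: location = "..." or location.href = "..."
JS_REDIRECT = re.compile(r"""location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")

# Assumed hosting domain for the example.
HOSTING_DOMAIN = "skydrive.example"

# Constructed sample of a "hosted document" carrying a meta refresh,
# a delayed JavaScript redirect and a plain spam link.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://cheap-pills.example.net/buy">
<script>setTimeout(function(){ location.href = "http://lotto-win.example.org/"; }, 5000);</script>
</head><body>
<p>Your document is ready.</p>
<a href="/photos/album1">My album</a>
<a href="http://cheap-pills.example.net/buy">click here</a>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collect every place an HTML file can send the visitor somewhere else."""

    def __init__(self):
        super().__init__()
        self.targets = []        # (kind, url) pairs in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # HTMLParser lower-cases attribute names
        if tag == "a" and a.get("href"):
            self.targets.append(("link", a["href"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content has the form "0; url=http://..."
            for part in (a.get("content") or "").split(";"):
                part = part.strip()
                if part.lower().startswith("url="):
                    self.targets.append(("meta-refresh", part[4:].strip("'\" ")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text, so regex over them.
        if self._in_script:
            for url in JS_REDIRECT.findall(data):
                self.targets.append(("js-redirect", url))


def same_site(url, hosting_domain):
    """True for relative URLs and for hosts on hosting_domain or a subdomain."""
    host = urlparse(url).netloc.lower().split("@")[-1].split(":")[0]
    return host == "" or host == hosting_domain or host.endswith("." + hosting_domain)


def offsite_targets(html, hosting_domain):
    """Return (kind, url) for every link or redirect that leaves hosting_domain."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return [(k, u) for k, u in parser.targets if not same_site(u, hosting_domain)]


if __name__ == "__main__":
    for kind, url in offsite_targets(SAMPLE, HOSTING_DOMAIN):
        print(f"{kind:12} -> {url}")
```

A hosting provider would run this over newly uploaded HTML and rate-limit or hold files whose only purpose is to redirect off-site; a mail filter can apply the same check to fetched link targets instead of trusting the domain in the URL.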
|
The Halifax website for managing online money transfers was phished yesterday. The IP address of the phishing site changed every second (the fast-flux pattern), and analysis showed that some of the rotating IPs were also serving sites such as hellosanta2008.com and postcards-2008.com, which suggests the attack is the work of Storm. As Data Security reported, there is evidence of Storm variants using unique security keys. Unique keys would allow the botnet to be segmented, creating "space for rent". It looks as if the Storm gang is preparing to sell access to its botnet.
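A name whose address changes every second is the signature of fast-flux hosting, but low TTLs and several addresses on their own also describe ordinary load balancing. The following is an added example, not code from the original post or from Data Security, of a heuristic that tells the two apart from repeated lookups: distinct addresses, how many unrelated /24 networks they span, the lowest TTL, and how often consecutive answers share no address at all. The hostnames, the RFC 1918 addresses and the thresholds are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Lookup:
    ts: int          # time of the query in seconds (constructed)
    name: str        # hostname queried
    ttl: int         # TTL on the A records returned
    addrs: tuple     # A records returned, as strings


# Constructed sample: the phishing host answered six times, a minute apart,
# with different addresses almost every time.  RFC 1918 addresses stand in
# for the scattered broadband hosts a botnet would use.
FLUX = [
    Lookup(0,   "transfer.example", 30, ("10.11.12.13", "10.57.3.200")),
    Lookup(60,  "transfer.example", 30, ("10.88.0.4", "10.57.3.200")),
    Lookup(120, "transfer.example", 30, ("10.201.7.9", "10.45.66.1")),
    Lookup(180, "transfer.example", 30, ("10.11.12.13", "10.9.9.9")),
    Lookup(240, "transfer.example", 30, ("10.133.20.5", "10.9.9.9")),
    Lookup(300, "transfer.example", 30, ("10.77.1.1", "10.3.3.3")),
]

# Control: a legitimately load-balanced host.  Low TTL too, but the same two
# addresses from one network every time.
STABLE = [
    Lookup(60 * i, "cdn.example", 60, ("10.200.1.10", "10.200.1.11"))
    for i in range(6)
]


def summarize(lookups, name):
    """Aggregate the lookups for one hostname into fast-flux indicators.

    ips   - distinct A records seen
    nets  - distinct /24s those records fall in (a flux network is spread
            over unrelated networks; a real server farm usually is not)
    ttl   - lowest TTL observed
    churn - fraction of consecutive answers that shared no address at all
    """
    rows = sorted((l for l in lookups if l.name == name), key=lambda l: l.ts)
    if not rows:
        raise ValueError(f"no lookups for {name}")
    ips, nets, changes, prev = set(), set(), 0, None
    for row in rows:
        cur = set(row.addrs)
        ips |= cur
        nets |= {ip_network(f"{a}/24", strict=False) for a in cur}
        if prev is not None and cur.isdisjoint(prev):
            changes += 1
        prev = cur
    return {
        "ips": len(ips),
        "nets": len(nets),
        "ttl": min(r.ttl for r in rows),
        "churn": changes / max(len(rows) - 1, 1),
    }


def is_fast_flux(stats, min_ips=5, min_nets=4, max_ttl=300, min_churn=0.5):
    """Thresholds are assumptions for illustration; tune them on your own DNS logs."""
    return (stats["ips"] >= min_ips and stats["nets"] >= min_nets
            and stats["ttl"] <= max_ttl and stats["churn"] >= min_churn)


if __name__ == "__main__":
    for name, data in (("transfer.example", FLUX), ("cdn.example", STABLE)):
        s = summarize(data, name)
        print(name, s, "FLUX" if is_fast_flux(s) else "ok")
```

The control case is the point: a CDN also answers with a low TTL and several addresses, but it keeps returning the same addresses from one network, so the network-spread and churn measures stay low and it is not flagged.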
|
As we announced, today Microsoft released two new patches for January 2008. The critical patch resolves two vulnerabilities in TCP/IP processing reported by IBM ISS X-Force; it is rated critical for XP and Vista, important for Windows Server 2003 and moderate for Windows 2000. The second patch covers a local vulnerability that allows an attacker to run "arbitrary code with elevated privileges". It is rated important for Windows 2000, XP and Server 2003.
For more details on these updates, read Microsoft’s Security Bulletin.
|
This weekend brought the first reports of Trojan software for the iPhone. The malicious package is aimed at unlocked iPhones and installs as "iPhone firmware 1.1.3 prep". According to various reports, installing the package has little effect on the iPhone. Uninstalling it, however, may cause problems, because the package overwrites files belonging to other applications during installation, and removing it takes those files with it. Among the applications it overwrites are "Erica's Utilities", a collection of command-line utilities for the iPhone, and OpenSSH. Technically this is the first Trojan seen for the iPhone, though it appears to be more of a prank than an actual threat. iPhone users should be cautious about the packages they choose to install on their phones.
|
US-CERT issued a warning about a possible RealPlayer vulnerability after the Russian security company Gleg claimed to have found a way to exploit a critical flaw in the media player. According to Gleg, the flaw affects the latest version, RealPlayer 11, running on Windows XP Service Pack 2. A Flash demonstration of the vulnerability has been posted on Gleg's website, but the company has not released its attack code or any technical details of the flaw. A Real spokesman said the company is working to confirm whether the exploit actually works.
|
With the growing popularity of social networking sites it was only a matter of time before attackers found a way to use them to spread malware. FortiGuard reports a Facebook widget called "Secret Crush" that installs adware on the user's machine, and another Facebook widget that forces the user to install the Zango adware/spyware. Sunbelt Software and others have also reported MySpace banners that deliver malware. Meanwhile, these sites hold a rich haul of personal data. Social networking sites are ripe for malicious attacks, and it is likely we will hear a lot more about them in 2008.
|
Israeli security researcher Aviv Raff reports that he has found a couple of Firefox 2 vulnerabilities that leave its users open to identity theft. The bug allows spoofing and enables phishing attacks by tricking the user into believing that an authentication dialog box comes from a trusted website. Affected versions include Firefox 2.0.0.11 and earlier. A browser's built-in HTTP authentication prompt can be raised by any resource a page embeds, so the site shown in the address bar is not necessarily the one asking for the password. Mr Raff suggests avoiding sites that require password authentication and present a dialog like the one shown in his screenshot.
The Mozilla development team has been informed of the vulnerability, and we expect patches soon.
|
For the next Patch Tuesday, January 8, Microsoft is preparing a relatively light haul of two security bulletins. The first is rated critical and covers a remote code execution vulnerability affecting Windows Vista and Windows XP Service Pack 2; for Windows Server 2003 it is rated "important". The second bulletin covers a local elevation of privilege vulnerability and is rated "important" for Windows 2000 Server Service Pack 4, Windows XP and Windows Server 2003; it does not apply to Vista.
|