Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Security Threat Watch 138
From: Security Threat Watch Newsletter (NetworkComputingupdate.networkcomputing.com)
Date: Wed Jul 05 2006 - 11:06:10 CDT
Security Threat Watch
Monday, July 3, 2006
Created for you by Network Computing & Neohapsis
Consumer and employee privacy have been a hot topic in recent months. It seems that scarcely a week goes by without a report of at least one large privacy breach, many of these in government agencies. In fact, government breaches have reached such a peak lately that a memo was released giving government agencies 45 days to comply with certain security standards, including the encryption of classified data and increased standards for authentication with remote systems. The most severe of these recent breaches involved the loss of information on 26.5 million people when the laptop of a Department of Veterans Affairs employee was stolen from his home.
This week, however, brings a bit of good news. The VA laptop was recovered. Apparently, the system was turned in to the FBI. And, the FBI reports that initial forensic analysis of the system suggests the classified data does not appear to have been accessed while the laptop was unaccounted for. A more comprehensive analysis is reportedly underway, and the results will be made public soon. No arrests have been made.
Until next issue,
- The Neohapsis Security Threat Watch Team
Join InformationWeek for a FREE, live TechWebCast on Data Center
of the Future: An Adaptable and Cost Optimized Physical Infrastructure.
Discover the CIO balancing act; a need for integrated IT Facilities
planning teams, as well as the real cost drivers in the data center
and the strategies to migrate.
Tuesday, July 11, 2006 -9:00 -10:00 AM PST/ 12:00- 1:00 PM ET
--- TechCareers: The Job Hunt And Age Discrimination
By Rusty DAversa, TechCareers.com
Fighting discrimination is all about proving your value to the hiring
manager, says a career expert.
Listen to Network Computing's editors talk about today's most pressing
enterprise challenges with some of the IT industry's leading experts.
Tune in as we cover topics including security, collaboration,
convergence and more.
--- New Vulnerabilities
Below is a list of new vulnerabilities announced this week.
Vulnerabilities considered to be 'critical' involve highly-deployed
software, or carry a high-risk of system compromise. Note that
vulnerabilities not highlighted may still be of critical severity
to your environment.
**** Highlighted critical vulnerabilities ****
Apple iTunes 6.0.3: local overflow
OpenOffice.org 2.0.2: local overflow
**** Newly announced vulnerabilities this week ****
Windows Live Messenger 8.0: local overflow
eTrust Antivirus 8: local format string
eTrust Integrated Threat Management 8: local format string
eTrust PestPatrol 8: local format string
Mac OS X 10.4: local format string
Cisco Access Point HTTP Interface: authentication bypass
Siemens Speedstream 2624: authentication bypass
AzDGDatingPlatinum 1.1.0: SQL tampering
BLOG CMS 4.0.0: SQL tampering
BotDetect ASP.NET CAPTCHA 22.214.171.124: verification bypass
Claroline 1.7.7: XSS
Cpanel 10: XSS
CrisoftRicette 1.0: remote file inclusion
DeluxeBB 1.06: multiple vulnerabilities
DeluxeBB 1.07: insecure session management
Jaws 0.6.2: SQL tampering
MF Piadas 1.0: remote file inclusion
MKPortal 1.0.1: remote file inclusion
MoniWiki 1.1.1: XSS
MyBB 1.1.3: multiple vulnerabilities
MyBB 1.1.4: XSS
MyMail 1.0: multiple vulnerabilities
Namo DeepSearch 4.5: XSS
OpenGuestbook 0.5: multiple vulnerabilities
PatchLink Update Server 6: multiple vulnerabilities
Smartsite CMS 1.0: remote file inclusion
Softbiz Banner Exchange 1.0: XSS
Softbiz Dating 1.0: SQL tampering
Web-Agora 4.2.0: remote file inclusion
Winged Gallery 1.0: XSS
Zen-Cart 126.96.36.199: path disclosure
ezWaiter 3.0: XSS
phpBlueDragon CMS 2.9.1: multiple vulnerabilities
phpRaid 3.0.6: multiple vulnerabilities
Apple iTunes 6.0.3: local overflow
Cisco Wireless Control System 3.2: multiple vulnerabilities
Hobbit client 4.2: local privilege escalation
Libwmf 0.2.8.4: local overflow
Lotus Domino 6.5.4: remote DoS
OpenOffice.org 2.0.2: local overflow
Opera 8.54: SSL certificate stealing weakness
PrivateWire Gateway 3.7: remote overflow
Quake 3 Engine 1.32: multiple vulnerabilities
--- Patches and Updates
The following contains a list of vendor patches and updates released
Debian > DSA 1102-1: pinball
Debian > DSA 1103-1: kernel
Debian > DSA 1104-1: OpenOffice.org
Gentoo > GLSA200606-25: Hashcash
Gentoo > GLSA200606-26: EnergyMech
Gentoo > GLSA200606-27: mutt
Gentoo > GLSA200606-28: Horde Web Application Framework
Gentoo > GLSA200606-29: Tikiwiki
Gentoo > GLSA200606-30: Kiax
Mandriva > MDKSA-2006:111: MySQL
Mandriva > MDKSA-2006:112: gd
Mandriva > MDKSA-2006:113: tetex
Mandriva > MDKSA-2006:114: libwmf
Mandriva > MDKSA-2006:115: mutt
SuSE > SUSE-SA:2006:037: freetype2
Ubuntu > USN-304-1: gnupg
Ubuntu > USN-305-1: OpenLDAP
Ubuntu > USN-306-1: MySQL
Ubuntu > USN-307-1: mutt
HP Tru64 > SSRT061105: Perl
HP Tru64 > SSRT061158: Mozilla
Join InformationWeek and Nokia for a FREE, live TechWebCast
and learn how to Build a Mobility Strategy. You will hear
how to address your company’s current and future mobility
needs while leveraging its investment in mobile devices.
And Intellisync Mobile Suite by Nokia helps make it happen.
Wednesday, July 19,2006 - 9:00-10:00 AM PT/12:00-1:00 PM ET
--- Sign Off
If this e-mail was passed to you, and you would like to begin receiving
our free security e-mail newsletter on a weekly basis, we invite you to
subscribe today by forwarding this message to [subscribe_stwupdate.networkcomputing.com].
Or you can subscribe directly here:
To manage all aspects of your subscription and newsletter account,
simply use the URL below. You'll need your e-mail address and
password to log in. If you don't have your password, you can generate
a new one using the same URL. Once logged in, you can change your
e-mail address and password as well as select specific platforms for
which you'd like to receive information on patches and vulnerabilities.
If you have any questions regarding this system, please don't hesitate
to e-mail us at stwnwc.com.
Put Us On Your White List
Don't let an over-eager e-mail filter bounce the Network Computing
Security Threat Watch newsletter! Our address:
needs to be in your address book or on your anti-spam white list. Ask your
admin or ISP how to do this, or check your anti-spam utility documentation.
Important subscription contacts:
CMP Media LLC
600 Community Drive
Manhasset, NY 11030
Unsubscribe to Network Computing's newsletters.
Sign up for your own issue of this newsletter.
Subscribe to Network Computing's newsletters.
Still not receiving your own FREE subscription to Network Computing
ADDITIONAL SUBSCRIPTION CONTACT:
Please send an e-mail message to mailto:newsletterscmp.com if you need
assistance changing your e-mail address, unsubscribing from this
newsletter, or require additional assistance with your subscription.
Please be sure to include the name of this newsletter in your message.
Missed an issue? You can find all back issues of Security Threat Watch
(as well as Security Alert Consensus and Security Express) online.
Note: To better serve you we use dynamic URLs within our advertisments,
which allow us to see how many readers click on a given ad. We do not
share this information, or your personal information, with any outside
party. Concerned about the privacy of your information relative to these
We'd like to know what you think about the newsletter and what
information you'd like to see in future editions. E-mail your comments
To unsubscribe from this newsletter, forward this message to
Copyright (c) 2006 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com). Powered by Neohapsis Inc., a
Chicago-based security assessment and integration services consulting
group (infoneohapsis.com | http://www.neohapsis.com/).
This message powered by DARTmail