Security Threat Watch 138

From: Security Threat Watch Newsletter (NetworkComputingupdate.networkcomputing.com)
Date: Wed Jul 05 2006 - 11:06:10 CDT


Security Threat Watch
    Number 138
    Monday, July 3, 2006
    Created for you by Network Computing & Neohapsis

Consumer and employee privacy have been a hot topic in recent months. It seems that scarcely a week goes by without a report of at least one large privacy breach, many of these in government agencies. In fact, government breaches have reached such a peak lately that a memo was released giving government agencies 45 days to comply with certain security standards, including the encryption of classified data and increased standards for authentication with remote systems. The most severe of these recent breaches involved the loss of information on 26.5 million people when the laptop of a Department of Veterans Affairs employee was stolen from his home.

This week, however, brings a bit of good news: the VA laptop was recovered. Apparently, the system was turned in to the FBI, and the FBI reports that initial forensic analysis of the system suggests the classified data does not appear to have been accessed while the laptop was unaccounted for. A more comprehensive analysis is reportedly underway, and the results will be made public soon. No arrests have been made.

Until next issue,
- The Neohapsis Security Threat Watch Team

--- Advertisement
-----------------------------------------------------

Join InformationWeek for a FREE, live TechWebCast on Data Center
of the Future: An Adaptable and Cost Optimized Physical Infrastructure.
Discover the CIO balancing act; a need for integrated IT Facilities
planning teams, as well as the real cost drivers in the data center
and the strategies to migrate.
Tuesday, July 11, 2006 - 9:00-10:00 AM PST / 12:00-1:00 PM ET

--- TechCareers: The Job Hunt And Age Discrimination
-----------------------------------------------

By Rusty DAversa, TechCareers.com
Fighting discrimination is all about proving your value to the hiring
manager, says a career expert.
http://www.techcareers.com/content/article.asp?articleid=185303267

--- Advertisement
-----------------------------------------------------

NWC Podcasts
Listen to Network Computing's editors talk about today's most pressing
enterprise challenges with some of the IT industry's leading experts.
Tune in as we cover topics including security, collaboration,
convergence and more.
http://www.networkcomputing.com/podcasts

--- New Vulnerabilities
-----------------------------------------------

Below is a list of new vulnerabilities announced this week.
Vulnerabilities considered to be 'critical' involve widely deployed
software, or carry a high risk of system compromise. Note that
vulnerabilities not highlighted may still be of critical severity
in your environment.

**** Highlighted critical vulnerabilities ****

Apple iTunes 6.0.3: local overflow

OpenOffice.org 2.0.2: local overflow

**** Newly announced vulnerabilities this week ****

____Windows____

Windows Live Messenger 8.0: local overflow
http://archives.neohapsis.com/archives/bugtraq/2006-06/0567.html

eTrust Antivirus 8: local format string
http://archives.neohapsis.com/archives/bugtraq/2006-06/0585.html
http://archives.neohapsis.com/archives/bugtraq/2006-06/0589.html

eTrust Integrated Threat Management 8: local format string
http://archives.neohapsis.com/archives/bugtraq/2006-06/0589.html
http://archives.neohapsis.com/archives/bugtraq/2006-06/0585.html

eTrust PestPatrol 8: local format string
http://archives.neohapsis.com/archives/bugtraq/2006-06/0585.html
http://archives.neohapsis.com/archives/bugtraq/2006-06/0589.html

____Mac OS____

Mac OS X 10.4: local format string
http://archives.neohapsis.com/archives/bugtraq/2006-06/0621.html

____Network Devices____

Cisco Access Point HTTP Interface: authentication bypass
http://archives.neohapsis.com/archives/cisco/2006-q2/0017.html

Siemens Speedstream 2624: authentication bypass
http://archives.neohapsis.com/archives/bugtraq/2006-06/0628.html

____CGI____

AzDGDatingPlatinum 1.1.0: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-06/0600.html

BLOG CMS 4.0.0: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-06/0597.html

BotDetect ASP.NET CAPTCHA 1.5.4.0: verification bypass
http://archives.neohapsis.com/archives/bugtraq/2006-06/0508.html

Claroline 1.7.7: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0524.html

Cpanel 10: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0529.html

CrisoftRicette 1.0: remote file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-06/0573.html

DeluxeBB 1.06: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2006-06/0596.html

DeluxeBB 1.07: insecure session management
http://archives.neohapsis.com/archives/bugtraq/2006-06/0525.html

Jaws 0.6.2: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-06/0566.html

MF Piadas 1.0: remote file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-06/0584.html

MKPortal 1.0.1: remote file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-06/0603.html

MoniWiki 1.1.1: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0646.html

MyBB 1.1.3: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2006-06/0502.html
http://archives.neohapsis.com/archives/bugtraq/2006-06/0541.html
http://archives.neohapsis.com/archives/bugtraq/2006-06/0620.html

MyBB 1.1.4: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0590.html

MyMail 1.0: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2006-06/0521.html

Namo DeepSearch 4.5: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0511.html

OpenGuestbook 0.5: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2006-06/0553.html

PatchLink Update Server 6: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2006-06/0631.html

Smartsite CMS 1.0: remote file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-06/0588.html

Softbiz Banner Exchange 1.0: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0624.html

Softbiz Dating 1.0: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-06/0517.html

Web-Agora 4.2.0: remote file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-06/0506.html

Winged Gallery 1.0: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0563.html

Zen-Cart 1.3.0.2: path disclosure
http://archives.neohapsis.com/archives/bugtraq/2006-06/0644.html

ezWaiter 3.0: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0640.html

phpBlueDragon CMS 2.9.1: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2006-06/0509.html

phpRaid 3.0.6: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2006-06/0626.html

____Cross Platform____

Apple iTunes 6.0.3: local overflow
http://archives.neohapsis.com/archives/bugtraq/2006-06/0649.html

Cisco Wireless Control System 3.2: multiple vulnerabilities
http://archives.neohapsis.com/archives/cisco/2006-q2/0016.html

Hobbit client 4.2: local privilege escalation
http://archives.neohapsis.com/archives/bugtraq/2006-06/0655.html

Libwmf 0.2.8.4: local overflow
http://archives.neohapsis.com/archives/bugtraq/2006-06/0642.html

Lotus Domino 6.5.4: remote DoS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0574.html

OpenOffice.org 2.0.2: local overflow
http://archives.neohapsis.com/archives/vulnwatch/2006-q2/0036.html

Opera 8.54: SSL certificate stealing weakness
http://archives.neohapsis.com/archives/bugtraq/2006-06/0615.html

PrivateWire Gateway 3.7: remote overflow
http://archives.neohapsis.com/archives/bugtraq/2006-06/0520.html

Quake 3 Engine 1.32: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2006-06/0586.html

--- Patches and Updates
-----------------------------------------------

The following contains a list of vendor patches and updates released
this week.

____Linux____

Debian > DSA 1102-1: pinball
http://archives.neohapsis.com/archives/bugtraq/2006-06/0527.html

Debian > DSA 1103-1: kernel
http://archives.neohapsis.com/archives/bugtraq/2006-06/0571.html

Debian > DSA 1104-1: OpenOffice.org
http://archives.neohapsis.com/archives/bugtraq/2006-06/0641.html

Gentoo > GLSA200606-25: Hashcash
http://archives.neohapsis.com/archives/bugtraq/2006-06/0530.html

Gentoo > GLSA200606-26: EnergyMech
http://archives.neohapsis.com/archives/bugtraq/2006-06/0532.html

Gentoo > GLSA200606-27: mutt
http://archives.neohapsis.com/archives/bugtraq/2006-06/0599.html

Gentoo > GLSA200606-28: Horde Web Application Framework
http://archives.neohapsis.com/archives/bugtraq/2006-06/0627.html

Gentoo > GLSA200606-29: Tikiwiki
http://archives.neohapsis.com/archives/bugtraq/2006-06/0622.html

Gentoo > GLSA200606-30: Kiax
http://archives.neohapsis.com/archives/bugtraq/2006-06/0643.html

Mandriva > MDKSA-2006:111: MySQL
http://archives.neohapsis.com/archives/bugtraq/2006-06/0539.html

Mandriva > MDKSA-2006:112: gd
http://archives.neohapsis.com/archives/linux/mandrake/2006-q2/0156.html

Mandriva > MDKSA-2006:113: tetex
http://archives.neohapsis.com/archives/linux/mandrake/2006-q2/0157.html

Mandriva > MDKSA-2006:114: libwmf
http://archives.neohapsis.com/archives/linux/mandrake/2006-q2/0158.html

Mandriva > MDKSA-2006:115: mutt
http://archives.neohapsis.com/archives/linux/mandrake/2006-q2/0159.html

SuSE > SUSE-SA:2006:037: freetype2
http://archives.neohapsis.com/archives/linux/suse/2006-q2/0161.html

Ubuntu > USN-304-1: gnupg
http://archives.neohapsis.com/archives/bugtraq/2006-06/0528.html

Ubuntu > USN-305-1: OpenLDAP
http://archives.neohapsis.com/archives/bugtraq/2006-06/0570.html

Ubuntu > USN-306-1: MySQL
http://archives.neohapsis.com/archives/bugtraq/2006-06/0569.html

Ubuntu > USN-307-1: mutt
http://archives.neohapsis.com/archives/bugtraq/2006-06/0598.html

____Tru64____

HP Tru64 > SSRT061105: Perl
http://archives.neohapsis.com/archives/bugtraq/2006-06/0633.html

HP Tru64 > SSRT061158: Mozilla
http://archives.neohapsis.com/archives/bugtraq/2006-06/0634.html

--- Advertisement
-----------------------------------------------------

Join InformationWeek and Nokia for a FREE, live TechWebCast
and learn how to Build a Mobility Strategy. You will hear
how to address your company’s current and future mobility
needs while leveraging its investment in mobile devices.
And Intellisync Mobile Suite by Nokia helps make it happen.
Wednesday, July 19, 2006 - 9:00-10:00 AM PT / 12:00-1:00 PM ET

--- Sign Off
----------------------------------------------------------

If this e-mail was passed to you, and you would like to begin receiving
our free security e-mail newsletter on a weekly basis, we invite you to
subscribe today by forwarding this message to [subscribe_stwupdate.networkcomputing.com].
Or you can subscribe directly here:
http://www.networkcomputing.com/go/stw.jhtml

To manage all aspects of your subscription and newsletter account,
simply use the URL below. You'll need your e-mail address and
password to log in. If you don't have your password, you can generate
a new one using the same URL. Once logged in, you can change your
e-mail address and password as well as select specific platforms for
which you'd like to receive information on patches and vulnerabilities.
If you have any questions regarding this system, please don't hesitate
to e-mail us at stwnwc.com.
http://stwpref.update.networkcomputing.com/CMP/NWC/prefctr.asp

Put Us On Your White List
Don't let an over-eager e-mail filter bounce the Network Computing
Security Threat Watch newsletter! Our address:

NetworkComputingupdate.networkcomputing.com

needs to be in your address book or on your anti-spam white list. Ask your
admin or ISP how to do this, or check your anti-spam utility documentation.

Important subscription contacts:
CMP Media LLC
600 Community Drive
Manhasset, NY 11030

Unsubscribe to Network Computing's newsletters.
http://www.networkcomputing.com/newsletters/unsubscribe.html

Sign up for your own issue of this newsletter.
http://www.networkcomputing.com/newsletters/subscriptions.html

Subscribe to Network Computing's newsletters.
http://www.networkcomputing.com/newsletters/subscriptions.html

Still not receiving your own FREE subscription to Network Computing
magazine?
http://networkcomputingsubscriptions.com/customerservice/

ADDITIONAL SUBSCRIPTION CONTACT:
Please send an e-mail message to mailto:newsletterscmp.com if you need
assistance changing your e-mail address, unsubscribing from this
newsletter, or require additional assistance with your subscription.
Please be sure to include the name of this newsletter in your message.

Missed an issue? You can find all back issues of Security Threat Watch
(as well as Security Alert Consensus and Security Express) online.
http://archives.neohapsis.com/

Note: To better serve you we use dynamic URLs within our advertisements,
which allow us to see how many readers click on a given ad. We do not
share this information, or your personal information, with any outside
party. Concerned about the privacy of your information relative to these
tracking URLs? Please refer to our privacy policy.
http://www.doubleclick.net/us/corporate/privacy

We'd like to know what you think about the newsletter and what
information you'd like to see in future editions. E-mail your comments
to (stwnwc.com).

To unsubscribe from this newsletter, forward this message to
[unsubscribe_stwupdate.networkcomputing.com].

Copyright (c) 2006 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com). Powered by Neohapsis Inc., a
Chicago-based security assessment and integration services consulting
group (infoneohapsis.com | http://www.neohapsis.com/).

This message powered by DARTmail
http://www.doubleclick.net/us/corporate/privacy