Linux vendors issue multiple patches

Virus and Bug Patch Alert This newsletter is sponsored by Hitachi Data Systems The First True Enterprise-Class Blade Server Go inside Hitachi's BladeSymphony 1000, which combines virtualization technology, integrated management capabilities, and reliable, scalable system resources to consolidate infrastructure, optimize workloads and run mission-critical apps. Click here to download this exclusive whitepaper. Network World's Virus and Bug Patch Alert Newsletter, 06/07/07 Linux vendors issue multiple patches By Jason Meserve Today's bug patches and security alerts: Ubuntu patches Thunderbird flaws Multiple flaws in the Thunderbird mail client have been patched in this update for Ubuntu users. One flaw could allow an attacker to pose as a mail server to steal passwords. Network World Security Buyers Guide Find the right security products for your enterprise - fast. From anti-spam to wireless LAN security, our Buyers Guides have detailed information on hundreds of products in more than 20 categories. With the side-by-side comparison tool you can evaluate product features to make the best decision for your enterprise. Click here to go to the Security Buyers Guide now. ********** Debian updates Samba, again A previous update for Debian's implementation of Samba contains a regression error, "which broke connection to domain member servers in some scenarios." ********** Eight new patches from Mandriva: lha (non-secure temp files) libpng (denial of service) ClamAV (denial of service) file (buffer overflow, code execution) mutt (multiple flaws) mplayer (buffer overflow, code execution) util-linux (authentication bypass) php-pear (backdoor installer) ********** Three new fixes from Gentoo: ELinks (code execution) Evolution (code execution) libexif (integer overflow) ********** Three new updates from rPath: Firefox/Thunderbird (multiple flaws) mutt (multiple flaws) libexif (integer overflow) ********** Today's malware news: Real News with Real Malware The latest malware spam run is using gripping news headlines as e-mail subjects to hook in unsuspecting victims. And while this is not something new, the use of actual news headlines can make it more difficult to distinguish it as malicious. F-Secure Blog, 06/05/07. The Beginning of the Arabic Virus Era If a virus uses a language other than English, it is most often Chinese, German, Spanish, Portuguese or Russian, and sometimes Indonesian/Malay, Japanese or Thai. It is rare to find an Arabic-aware virus. At least we've thought so until now. Security Response Weblog, 06/06/07. Stealthy attack serves malicious code only once A new hacking method is causing concern for the lengths it goes to avoid detection by security software and researchers. The attack involves a Web site that has been hacked to host malicious code, an increasingly common trap on the Internet. If a user visits one of the sites with an unpatched machine, it's possible that the computer can become automatically infected with code that can record keystrokes and steal financial data typed into forms. IDG News Service, 06/04/07. ********** From the interesting reading department: How secure is your security software? Think that commercial software you just bought has been adequately tested and is ready for deployment? Think again. According to a panel of vulnerability research experts who spoke at the Gartner IT Security Summit held here this week, enterprises should test vendor software for vulnerabilities before deploying, much like they should be testing their home-grown applications. Network World, 06/05/07. Google: Attack code more likely on Microsoft IIS Web sites running Microsoft's Web server software are twice as likely to be hosting malicious code as other Web sites, according to research from Google. IDG News Service, 06/05/07. Firefox 3.0 may block sites fingered by Google Mozilla Corp. is considering adding a tool to Firefox 3.0 that would automatically block Web sites thought to harbor malicious downloads, but the company's security chief refused to spell out details, saying Mozilla is "not ready to talk about the feature." Computerworld, 06/05/07. McAfee: Search results can be dangerous The odds of a search engine directing you to a risky Web site are getting slimmer, but some companies are better at filtering out bad links than others, McAfee reported Monday. IDG News Service, 06/04/07. IBM to acquire Watchfire IBM Tuesday announced its intent to acquire vulnerability-assessment security firm Watchfire for an undisclosed price. Network World, 06/06/07. Firefox flaws raise Mozilla security doubts The Mozilla Foundation said last week it has patched several serious security flaws in the popular Firefox browser, bugs that also affect the SeaMonkey browser and the Thunderbird e-mail application. TechWorld, 06/04/07. Study: U.S. government still lacking data protection More than half of U.S. government employees unofficially work at home on nights or weekends, raising concerns about the security of the data they're working on, according to a study released Monday. IDG News Service, 06/04/07. The Slingbox Pro: Information Leakage and Variable Bitrate (VBR) Fingerprints To address viewer privacy, the Slingbox Pro uses encryption. But does the use of encryption fully protect the privacy of a user's viewing habits? We studied this question at the University of Washington, and we found that the answer to this questions is No -- despite the use of encryption, a passive eavesdropper can still learn private information about what someone is watching via their Slingbox Pro. Freedom to Tinker blog.   What do you think? Post a comment on this newsletter

TODAY'S MOST-READ STORIES: 1. 5 new ways to authenticate users 2. FAQ: What Avaya going private is all about 3. What Google bought in the past 12 months 4. Churn in the VoIP market? 5. Will Cisco suffer IBM's fate? 6. Firefox flaws raise Mozilla security doubts 7. Adult filmmakers taking their lumps on ‘Net? 8. Avaya goes private in $8.2B deal 9. Slideshow: 5 new ways to authenticate users 10. Stealthy attack serves malicious code only once MOST-READ REVIEW: How low can your data go with virtual tape libraries?

Contact the author: Jason Meserve is Network World's Multimedia Editor and writes about streaming media, search engines and IP Multicast. Check out his Multimedia Exchange Weblog. Check out Jason Meserve and Keith Shaw's weekly podcast "Twisted Pair" This newsletter is sponsored by Hitachi Data Systems The First True Enterprise-Class Blade Server Go inside Hitachi's BladeSymphony 1000, which combines virtualization technology, integrated management capabilities, and reliable, scalable system resources to consolidate infrastructure, optimize workloads and run mission-critical apps. Click here to download this exclusive whitepaper. ARCHIVE Archive of the Virus and Bug Patch Alert Newsletter. BONUS FEATURE IT PRODUCT RESEARCH AT YOUR FINGERTIPS Get detailed information on thousands of products, conduct side-by-side comparisons and read product test and review results with Network World’s IT Buyer’s Guides. Find the best solution faster than ever with over 100 distinct categories across the security, storage, management, wireless, infrastructure and convergence markets. Click here for details. PRINT SUBSCRIPTIONS AVAILABLE You've got the technology snapshot of your choice delivered to your inbox each day. Extend your knowledge with a print subscription to the Network World newsweekly, Apply here today. International subscribers, click here. SUBSCRIPTION SERVICES To subscribe or unsubscribe to any Network World newsletter, change your e-mail address or contact us, click here. This message was sent to: security.world@gmail.com. Please use this address when modifying your subscription. Advertising information: Write to Associate Publisher Online Susan Cardoza Network World, Inc., 118 Turnpike Road, Southborough, MA 01772 Copyright Network World, Inc., 2007