Thursday, July 19, 2007

Oracle patches dozens of flaws

Network World

Virus and Bug Patch Alert




Network World's Virus and Bug Patch Alert Newsletter, 07/19/07


By Jason Meserve

Today's bug patches and security alerts:

Oracle patches 45 bugs

Oracle today posted its third security update of the year, patching 45 vulnerabilities in its flagship database and its application server, collaboration suite, e-business line and PeopleSoft software. Computerworld, 07/17/07.


Oracle advisory

Also: Oracle's less secretive approach to security

**********

Cisco warns of WAAS DoS vulnerability

According to Cisco's advisory, "The Cisco Wide Area Application Services (WAAS) software contains a denial of service (DoS) vulnerability that may cause some devices that run WAAS software (WAE appliance and NM-WAE-502 module) to stop processing all types of traffic, including data traffic and management traffic." A free update is available to fix the flaw.

**********

Firefox update fixes problem with Internet Explorer

A new update for the Firefox browser fixes an unusual vulnerability that could cause malicious code to run if the browser is launched by Microsoft's Internet Explorer. The critical vulnerability involves Internet Explorer's ability to launch other applications such as Excel or Firefox after a user clicks on a specially written link in a Web page. Explorer does not properly check the syntax of the link, which could allow a malicious link to attack Firefox if launched, according to Mozilla, the open-source project that develops Firefox. IDG News Service, 07/18/07.

Note: Users should be getting Firefox 2.0.0.5 the next time they load the browser, if they haven't gotten the update already.

Mozilla advisory

Related US-CERT advisory

**********

Critical IM bugs hit Yahoo, Trillian

Security researchers yesterday disclosed critical vulnerabilities in two popular Windows instant messaging clients, Yahoo Messenger and Trillian. The Yahoo Messenger bug, which was posted to the Full Disclosure mailing list Monday by Rajesh Sethumadhavan, is a buffer overflow flaw that can be exploited with a specially crafted address book entry. Messenger immediately crashes when it encounters the malformed entry, said Sethumadhavan, but it may also be susceptible to code execution, meaning an attacker might be able to inject his own malicious code -- a keystroke stealer or a spam bot, for instance -- into a compromised PC. Computerworld, 07/17/07.

US-CERT advisory on Trillian flaw

**********

Three new updates for Asterisk VoIP system:

Remote Crash Vulnerability in STUN implementation

Remote Crash Vulnerability in IAX2 channel driver

Remote crash vulnerability in Skinny channel driver

**********

Four patches from Ubuntu:

mod_perl (denial of service)

Dovecot (directory traversal, information disclosure)

PHP (multiple flaws)

Curl (certificate validation issues)

**********

Four new updates from Debian:

Gimp (multiple flaws)

FreeType (integer overflow, code execution)

libcurl3-gnutls (input validation)

vlc (multiple flaws)

**********

Three new patches from rPath:

MySQL (multiple flaws)

perl-Net-DNS (multiple flaws)

xorg-x11 (code execution)

**********

Today's malware news:

Mac OS X worm maker raps Apple on security

The anonymous researcher who claims to have crafted a Mac OS X worm said today that he (or she) will report his findings to Apple Inc., but added that the Cupertino, Calif.-based company "has a very long way to go" on security. Identified only as the researcher behind the Information Security Sell Out blog, the individual on Sunday announced that a still-unpatched bug in mDNSResponder, a component of Apple's Bonjour automatic network configuring service, could be exploited by a worm. Apple's May security update, dubbed 2007-005, included a fix for the mDNS bug.

Also: Mac worm author receives death threats

Also: Mac worm hacker vanishes from blogosphere

FBI says military names used in e-mail scams

The FBI's Internet Crime Complaint Center (IC3) is warning of fraudulent e-mails that appear to come from the FBI and U.S. military. "The IC3 has increasingly received intelligence of fraudulent schemes misrepresenting the FBI and/or Director Robert S. Mueller III," the center said in an alert published Tuesday. "The fraudulent e-mails give the appearance of legitimacy due to the usage of pictures of the FBI Director, seal, letter head, and/or banners."

Hacking extortionist resurfaces

"Ransomware" last seen in 2006 has reappeared and is trying to extort $300 from users whose files the malware has encrypted, a Russian security researcher said Monday. Computerworld, 07/16/07.

Hackers use Brazilian plane crash to push malware

Hackers haven't wasted any time exploiting the airplane crash in Sao Paulo, Brazil that claimed nearly 190 lives Tuesday, a U.S. security company said today. Computerworld, 07/18/07.

**********

From the interesting reading department:

Security firm: Don't use iPhone Web dialer

Security researchers at SPI Labs Inc. are warning iPhone users not to use a special feature that lets them dial telephone numbers over the Web using the iPhone's Safari browser. IDG News Service, 07/16/07.

SPI Labs advisory

Is IT losing the battle against DNS attacks?

Few things can strike fear into the heart of the IT department like an attack on a company's Domain Name System servers. That may explain why companies are spending so much time to deploy myriad, complex security measures to keep their DNS protected from malicious attackers. Network World, 07/18/07.

Mounting scrutiny for Google security

Much as the ubiquity of Microsoft's Windows operating system and Office productivity tools has made the software giant a focal point of security research, search giant Google is facing new scrutiny as it diversifies its products and moves further into the business environment. InfoWorld, 07/16/07.

Hackers steal U.S. DOT, corporate data, security firm says

Hackers stole information from the U.S. Department of Transportation (DOT) and several corporations by seducing employees with fake job listings on ads and e-mail, a computer security firm said yesterday. Computerworld, 07/17/07.

Government, contractors hit in targeted attack

Computers belonging to the U.S. government, contractors and companies in the transportation industry were hit by a targeted computer attack in July that yielded password information for hundreds of Internet and intranet Web sites, a computer security vendor said Tuesday. IDG News Service, 07/17/07.

Breach, undetected since '05, exposes data on Kingston customers

A September 2005 security breach that remained undetected until "recently" may have compromised the names, addresses and credit card details of roughly 27,000 online customers of computer memory vendor Kingston Technology Company Inc. Computerworld, 07/17/07.



Contact the author:

Jason Meserve is Network World's Multimedia Editor and writes about streaming media, search engines and IP Multicast. Check out his Multimedia Exchange Weblog.


Copyright Network World, Inc., 2007
