Nine patches from Microsoft

Security: Threat Alert This newsletter is sponsored by Meru Networks Get Up to Speed on the Latest in WLANs Easily stay on top of the latest developments and issues in WLAN technology, standards, security, telephony, management and more with Network World's latest Executive Guide, "Keeping Up With the Wireless Whirlwind." Click here to download! Network World's Security: Threat Alert Newsletter, 08/16/07 Nine patches from Microsoft By Jason Meserve Today's bug patches and security alerts: Microsoft releases super bundle of security patches Microsoft has released what security experts are calling one of it most significant security fixes this year. The software maker pushed out nine sets of patches, called updates in Microsoft parlance, fixing a total of 14 bugs in its software. Six of these updates are rated critical by Microsoft, meaning that attackers could exploit the flaws with no user action required. The other three updates are rated important. Network World, 08/14/07. Network World Security Buyer's Guide Find the right security products for your enterprise - fast. From anti-spam to wireless LAN security, our Buyer's Guides have detailed information on hundreds of products in more than 20 categories. With the side-by-side comparison tool you can evaluate product features to make the best decision for your enterprise. Click here to go to the Security Buyer's Guide now. Microsoft advisories: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution Vulnerability in OLE Automation Could Allow Remote Code Execution Vulnerability in Microsoft Excel Could Allow Remote Code Execution Cumulative Security Update for Internet Explorer Vulnerability in GDI Could Allow Remote Code Execution Vulnerability in Vector Markup Language Could Allow Remote Code Execution Vulnerability in Windows Media Player Could Allow Remote Code Execution Vulnerabilities in Windows Gadgets Could Allow Remote Code Execution Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege New URI browser flaws worse than first thought A little-known feature in the Windows operating system can lead to big problems for Web surfers. Security researchers Billy Rios and Nathan McFeters say they've discovered a new way that the Uniform Resource Identifier (URI) protocol handler technology, used by Windows to launch programs through the browser, can be misused to steal data from a victim's computer. IDG News Service, 08/15/07. ********** Cisco warns of flaw in VPN Client According to a Cisco advisory, "Two vulnerabilities exist in the Cisco VPN Client for Microsoft Windows that may allow unprivileged users to elevate their privileges to those of the LocalSystem account." A workaround and update are available. ********** Vulnerability uncovered within Yahoo Messenger A new vulnerability in Yahoo's instant messenger program can potentially cause unwanted code to run on a PC, according to security researchers. Details of the vulnerability were first posted on a Chinese-language security forum and was later confirmed with Yahoo security officials, wrote Wei Wang, a researcher with McAfee's Avert lab in Beijing, on a company blog. IDG News Service, 08/15/07. McAfee advisory ********** Five patches from rPath: dovecot (privilege escalation) OpenOffice.org (heap overflow, code execution) Firefox and Thunderbird (multiple flaws) OpenSSL (key disclosure) CUPS (multiple flaws) ********** Two new updates from Ubuntu: Xfce Terminal (command execution) Poppler (code execution) ********** Eleven new fixes from Debian: kdegraphics (integer overflow, code execution) GPDF (integer overflow, code execution) tcpdump (integer overflow, code execution) pdfkit.framework (integer overflow, code execution) bochs (buffer overflow, privilege escalation) tetex-bin (integer overflow, code execution) libextractor (integer overflow, code execution) Poppler (integer overflow, code execution) xpdf (integer overflow, code execution) Iceape (multiple flaws) Xulrunner (multiple flaws) ********** Today's malware news: Greetings! Someone has sent you an e-card virus Think you got a cheery greeting card from a friend via e-mail? Well, think again, and be careful before opening it. A new form of fake e-card notification e-mails are unleashing nasty viruses and virus-carrying Trojan horses on unsuspecting users. Computerworld, 08/15/07. Buzzblog: I delete all e-cards unopened. ... You? Honestly, does anyone bother -- or even dare -- to open these things anymore given all the spam and reports of viruses? Vote in our poll. As for the e-card companies, they don't seem to want to talk about it. Record-breaking 'Storm' linked to spam surge Storm, the Trojan that Hoovers PCs into hacker-controlled botnets, roared back into life last month in several waves, security researchers said Monday, and has blown by 2005's Sober to become the most prolific e-mail-borne malware ever. Computerworld, 08/14/07. ********** From the interesting reading department: Warning: 'Clpwn' cavorting on unguarded sites A Web-defacement crew has been making loud crowing noises about their allegedly skills, stirring up trouble on sites such as CNN and Playboy Casino. Security researchers say "clpwn" isn't the elite hacking crew it thinks it is, but notes a disturbing trend in their antics. Computerworld, 08/15/07. Spam surge sways stock market Last week saw the Internet's biggest-ever spam surge in a single day, and also offered a lesson on why "pump and dump" stock-market spam campaigns have become so prevalent, according to Postini. TechWorld, 08/13/07. Also: Unusual pump-and-dump spam run continues 'Hackers' deface U.N. site "Hackers" defaced the United Nations Web site early Sunday with messages accusing the U.S. and Israel of killing children. As of late afternoon, some sections, including the area devoted to Secretary General Ban Ki-Moon, remained offline. Computerworld, 08/13/07. TJX pegs data breach tab at $118M In a filing with the Securities & Exchange Commission made yesterday, TJX Companies stated its estimated cost for the computer intrusions it disclosed earlier this year has now reached a total of $118 million. Network World, 08/15/07.   What do you think? Post a comment on this newsletter

TODAY'S MOST-READ STORIES: 1. Verizon vs. the Needham Fire Department 2. Microsoft's super bundle of security patches 3. 10 claims that scare security pros 4. Citrix acquires XenSource in a $500M deal 5. Nude publisher Perfect 10 sues Microsoft 6. Cool chips promise more powerful computers 7. Facebook users easy identity theft targets 8. SCO claim to Unix dead in the water 9. VMware IPO flies out of the gate 10. Rove quits to spend more time with iPhone MOST-READ REVIEW: WAN acceleration offers huge payoff

Contact the author: Jason Meserve is Network World's Multimedia Editor and writes about streaming media, search engines and IP Multicast. Check out his Multimedia Exchange Weblog. Check out Jason Meserve and Keith Shaw's weekly podcast "Twisted Pair" This newsletter is sponsored by Meru Networks Get Up to Speed on the Latest in WLANs Easily stay on top of the latest developments and issues in WLAN technology, standards, security, telephony, management and more with Network World's latest Executive Guide, "Keeping Up With the Wireless Whirlwind." Click here to download! ARCHIVE Archive of the Security: Threat Alert Newsletter. BONUS FEATURE IT PRODUCT RESEARCH AT YOUR FINGERTIPS Get detailed information on thousands of products, conduct side-by-side comparisons and read product test and review results with Network World’s IT Buyer’s Guides. Find the best solution faster than ever with over 100 distinct categories across the security, storage, management, wireless, infrastructure and convergence markets. Click here for details. PRINT SUBSCRIPTIONS AVAILABLE You've got the technology snapshot of your choice delivered to your inbox each day. Extend your knowledge with a print subscription to the Network World newsweekly, Apply here today. International subscribers, click here. SUBSCRIPTION SERVICES To subscribe or unsubscribe to any Network World newsletter, change your e-mail address or contact us, click here. This message was sent to: security.world@gmail.com. Please use this address when modifying your subscription. Advertising information: Write to Associate Publisher Online Susan Cardoza Network World, Inc., 118 Turnpike Road, Southborough, MA 01772 Copyright Network World, Inc., 2007