
Thursday, August 02, 2007

Patches from Mozilla, Apple and Drupal

Network World's Virus and Bug Patch Alert Newsletter, 08/02/07


By Jason Meserve

Today's bug patches and security alerts:

Mozilla rushes out second Firefox patch this month

Mozilla has patched a pair of nasty flaws in its Firefox browser, two weeks after security researchers first started posting code that showed how the flaws could be exploited in attacks. The 2.0.0.6 version of Firefox, released Monday, fixes a pair of related flaws in the URL protocol handler component of Firefox, which is used to launch programs when a user clicks on certain specially crafted Web links. IDG News Service, 07/31/07.


Mozilla advisory

**********

Apple issues mega patch batch

Apple Inc. yesterday released a security update for Mac OS X that patched 45 vulnerabilities, including several in the open-source Samba file-sharing code that researchers recently warned still threatened users more than 10 weeks after the discovery of critical bugs. Computerworld, 08/01/07.

Apple advisory

Security update seeks out, erases modifications to iPhone

A security update for Apple's iPhone does more than just fix critical flaws in the handset. It also looks for and wipes out any modifications that users make to the firmware on their phones, according to hackers looking to unlock the phone. IDG News Service, 08/01/07.

Apple advisory

**********

New Drupal 5.2 update fixes multiple flaws

According to the Drupal advisory, "Several parts in Drupal core are not protected against cross site request forgeries due to improper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a privileged user to visit certain URLs while the victim is logged in to the targeted site." Users should upgrade to Version 5.2.
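The two root causes the advisory names, acting on a plain GET and skipping the form token, are easy to see side by side. The following is an added illustration written for this post, not Drupal code: a constructed in-memory site with a comment-delete handler in the vulnerable style and one that requires a POST carrying a per-session token, both replayed against the same forged request a logged-in victim might be lured into sending.

```python
import hmac
import secrets

def make_site():
    """Constructed stand-in for a site: two comments plus one logged-in session."""
    return {"comments": {1: "first post", 2: "follow-up"},
            "session_token": secrets.token_hex(16)}

def delete_comment_on_get(site, request):
    """Vulnerable pattern ('taking action solely on GET requests'): fetching
    /comment/delete/<id> deletes at once. The browser attaches the victim's
    session cookie to that fetch no matter which page triggered it."""
    if request["method"] != "GET" or not request["path"].startswith("/comment/delete/"):
        return False
    cid = int(request["path"].rsplit("/", 1)[1])
    return site["comments"].pop(cid, None) is not None

def delete_comment_with_token(site, request):
    """Hardened pattern: change state only on POST, and only when the submitted
    form token equals the secret issued to this session (constant-time compare).
    A third-party page cannot read that token, so its forged request is refused."""
    if request["method"] != "POST":
        return False
    submitted = request.get("form", {}).get("form_token", "")
    if not hmac.compare_digest(submitted, site["session_token"]):
        return False
    cid = int(request["form"]["cid"])
    return site["comments"].pop(cid, None) is not None

def run_scenarios():
    """Replay forged and legitimate requests against both handlers."""
    forged_get = {"method": "GET", "path": "/comment/delete/2"}   # constructed
    vulnerable, hardened = make_site(), make_site()
    results = {
        "vulnerable_forged_get": delete_comment_on_get(vulnerable, forged_get),
        "hardened_forged_get": delete_comment_with_token(hardened, forged_get),
        # A forged POST can be auto-submitted, but the token is unknown to the forger.
        "hardened_forged_post": delete_comment_with_token(
            hardened, {"method": "POST", "form": {"cid": "2", "form_token": "guess"}}),
        # The site's own delete form carries the session token, so this succeeds.
        "hardened_legit_post": delete_comment_with_token(
            hardened, {"method": "POST",
                       "form": {"cid": "2", "form_token": hardened["session_token"]}}),
    }
    results["vulnerable_remaining"] = sorted(vulnerable["comments"])
    results["hardened_remaining"] = sorted(hardened["comments"])
    return results

if __name__ == "__main__":
    print(run_scenarios())
```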

Drupal Core update available

A flaw in the way certain variables are handled by the Drupal Core could be exploited by an attacker to inject malicious script into a Web page. Drupal 5.x users should upgrade to Version 5.2 while 4.7.x users should download Version 4.7.7.

**********

Today's malware news:

Bad Bunny

... was the case that they gave me. Specifically, SB.Badbunny, a fairly novel OpenOffice macro virus that attempts to spread via IRC. Symantec Security Response Weblog, 07/30/07.

Testing a Bluetooth worm against the E90 Communicator

I'll be delivering presentations on the current state of mobile malware this week in Black Hat Briefings and next week in Usenix Security. One of the new findings I'll be announcing in these presentations is that in the latest Symbian-based smartphones the Bluetooth user interface has been changed to be more malware-resistant. F-Secure Antivirus Research Weblog, 07/30/07.

Peacomm Postcards Are Not Randomly Appearing

I decided to look at the sources of postcard spams related to Peacomm that I had measured. I honestly expected less variance in the arrival dates and a lot more variance in the download locations. I don't see any patterns like "Don't spam on a weekend" afoot here, or anything suggesting they're avoiding any specific countries. This is only a subset of the data, just based on my inboxes and nothing else. Arbor Networks Security Blog, 07/30/07.

The Simpsons Movie sparks spam blast

A recent spam attack has been launched with the Simpsons as the bait. But all this attack attempts to do is validate e-mail addresses. NetworkWorld.com, 07/30/07.

From the interesting reading department:

Botnets identified and blocked with new hosted service

A hosted anti-botnet security service has been released by Trend Micro. The product targets a growing security threat that has affected more than 1 million victims. Network World, 07/30/07.

Single group behind ransomware Trojans

The two most prominent ransomware Trojans of recent times could be the work of the same people, or a related group of criminals, an analysis has suggested. TechWorld, 07/30/07.

Vulnerability Disclosure: Do the Right Thing

It has been almost 14 years since Scott Chasin began BugTraq to discuss computer security vulnerabilities in detail. Since then, it has grown from a small email list to become a top industry source for vulnerability information and, along the way, helped advance many of the changes in the industry through its full disclosure policy. What a long and strange trip it has been since then. But one thing remains the same: the constant struggle to do what is right in a field full of moral landmines. Symantec Security Response Weblog, 08/01/07.

Podcast: Should security companies pay for vulnerability research?

TippingPoint's Terri Forslof says yes. McAfee's Dave Marcus says no. In an elegant battle of words, the two duke it out over this contentious topic. When a recent hacking contest won a security researcher a $10,000 cash prize, it renewed the firestorm over this issue. Should security researchers be paid for their work to find vulnerabilities? Or are such payments an ethical violation? Forslof is manager of security response for TippingPoint. Marcus is security research and communications manager for McAfee.

Researchers: Web apps over Wi-Fi put data at risk

Users who access Google's Gmail or the Facebook social-networking site over Wi-Fi could put their accounts at risk of being hijacked, according to research from Errata Security Inc., a computer security company. IDG News Service, 08/01/07.

Web browser attack skirts corporate firewall

A 10-year-old security problem has come back to haunt corporate IT, a security researcher told an audience at the Black Hat conference in Las Vegas Wednesday. IDG News Service, 08/01/07.

Mozilla to give away own security testing tools

A JavaScript fuzzer that's found a number of vulnerabilities in the Firefox browser will be the first of a series of homegrown security tools Mozilla will release to the open-source community, the company's head of security said Wednesday. Computerworld, 08/02/07.

Editor's Note: Starting Aug. 13, this newsletter will be renamed "Security: Threat Alert" to better reflect the focus of the newsletter. We thank you for reading Network World newsletters!



Contact the author:

Jason Meserve is Network World's Multimedia Editor and writes about streaming media, search engines and IP Multicast. Check out his Multimedia Exchange Weblog.

Check out Jason Meserve and Keith Shaw's weekly podcast "Twisted Pair"






Network World, Inc., 118 Turnpike Road, Southborough, MA 01772

Copyright Network World, Inc., 2007
