Monday, September 10, 2007

Apple patches iTunes flaw

Network World's Security: Threat Alert Newsletter, 09/10/07

By Jason Meserve

Today's bug patches and security alerts:

Apple issues iTunes security update

According to the Apple advisory, "A buffer overflow exists in iTunes when processing album cover art. By enticing a user to open a maliciously crafted music file, an attacker may trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing proper bounds checking." Users should upgrade to iTunes 7.4 to fix the flaw.
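The advisory describes the classic shape of this bug class: a length field taken from the file decides how many bytes are copied into a fixed-size buffer. The following is an added illustration, not Apple's code and not the real iTunes cover-art format; it assumes a hypothetical record with a 4-byte big-endian length followed by image bytes, and shows the unchecked copy beside the bounds-checked version the advisory refers to.

```c
/* Added illustration (not Apple's code): a toy "cover art" record of the kind
 * a media tagger might parse.  Layout assumed here: 4-byte big-endian length
 * followed by that many bytes of image data, copied into a fixed-size buffer. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ART_MAX 64   /* fixed destination buffer, as in the vulnerable pattern */

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable shape: trusts the file-supplied length field.  Shown only to
 * make the defect visible; it is never called on oversized input here. */
size_t copy_art_unchecked(const uint8_t *rec, uint8_t out[ART_MAX]) {
    uint32_t n = read_be32(rec);
    memcpy(out, rec + 4, n);           /* overflows 'out' when n > ART_MAX */
    return n;
}

/* Hardened shape: the declared length is checked against both the
 * destination capacity and the number of bytes actually present. */
int copy_art_checked(const uint8_t *rec, size_t rec_len,
                     uint8_t out[ART_MAX], size_t *out_len) {
    if (rec_len < 4) return -1;                 /* no room for the header */
    uint32_t n = read_be32(rec);
    if (n > ART_MAX) return -1;                 /* would overflow 'out' */
    if (n > rec_len - 4) return -1;             /* would read past the input */
    memcpy(out, rec + 4, n);
    *out_len = n;
    return 0;
}

/* Constructed sample: header claims 8 bytes and 8 bytes follow. */
int demo_good(void) {
    const uint8_t rec[] = {0, 0, 0, 8, 'J', 'F', 'I', 'F', 1, 2, 3, 4};
    uint8_t out[ART_MAX]; size_t n = 0;
    return copy_art_checked(rec, sizeof rec, out, &n) == 0 && n == 8;
}

/* Constructed sample: header claims 0x10000 bytes, far more than the buffer
 * or the input holds; the checked parser rejects it instead of copying. */
int demo_oversized(void) {
    const uint8_t rec[] = {0, 1, 0, 0, 'J', 'F', 'I', 'F'};
    uint8_t out[ART_MAX]; size_t n = 0;
    return copy_art_checked(rec, sizeof rec, out, &n) == -1;
}
```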

Four new updates from Mandriva:

MySQL (privilege escalation, denial of service)

konqueror (multiple flaws)

eggdrop (buffer overflow, code execution)

krb5 (stack overflow, denial of service)

**********

Three new fixes from Debian:

Gforge (SQL injection)

librpcsecgss (buffer overflow, code execution)

krb5 (stack overflow, denial of service)

**********

Three more Kerberos 5 (krb5) updates

As reported last week: MIT advises, "The krb5 Kerberos administration daemon (kadmind) is vulnerable to a stack buffer overflow in the RPCSEC_GSS authentication flavor of the RPC library. Third-party applications using the RPC library provided with MIT krb5 may also be affected."

New updates:

Ubuntu

Foresight Linux

rPath

**********

Microsoft Patch Tuesday this week: Microsoft cooks up five patches

Microsoft on Tuesday plans to release five security updates targeting flaws in Windows, SharePoint, Visual Studio and Microsoft's instant messaging clients. Of the five bulletins expected Sept. 11, only one will be labeled "critical," Microsoft's highest rating, although of the remaining four -- all ranked "important" -- two could result in remote code execution if successfully exploited. Details were spelled out in the prepatch notification that Microsoft posted Thursday morning. Computerworld, 09/06/07.

**********

Today's malware news:

Storm and the NFL

Today we started seeing new Storm mails and the web pages changed layouts completely. Now the theme is National Football League (NFL) which is timely considering the 2007 NFL season started on the 6th of September. F-Secure Antivirus Research Weblog, 09/09/07.

**********

From the interesting reading department:

Financially motivated malware thrives

Financially motivated malware attacks are on the rise, with automated software packages making it easy for unskilled hackers to earn a living by sending out spam, researchers at messaging security vendor Secure Computing say. Network World, 09/06/07.

E-Greeting Card Giant Unaffected By Storm Worm

It's been nearly three weeks since I first wrote about the Storm worm authors using fake online greeting cards to trick people into clicking on links to Web sites that try to download and install malicious software. Since then, it looks like the Storm worm authors have adopted a number of other ruses, but they don't appear to have abandoned the greeting card scam. So I phoned American Greetings, which owns without a doubt the biggest e-greetings company around. According to AG spokesperson Frank Cirillo, the incessant attacks have had little measurable impact on the company's click-through rates. Security Fix blog, 09/06/07.

Contact the author:

Jason Meserve is Network World's Multimedia Editor and writes about streaming media, search engines and IP Multicast. Check out his Multimedia Exchange Weblog.

Copyright Network World, Inc., 2007