Expert finds 'stupid' vulnerabilities in Oracle 11g

Security: Threat Alert This newsletter is sponsored by Raritan Computer, Inc. Data Center Build outs Simplified Download this whitepaper, Data Center Transformations, to learn how to make data center build outs, consolidations and acquisitions (BOCA) less complex and time consuming. Discover tools and techniques as well as key questions and topics that should be discussed with the business management side of the house. or more information click here. Network World's Security: Threat Alert Newsletter, 09/03/07 Expert finds 'stupid' vulnerabilities in Oracle 11g By Jason Meserve Today's security alerts: Expert finds 'stupid' vulnerabilities in Oracle 11g The latest version of Oracle Corp.'s flagship database offers better security than earlier versions, but development errors have left vulnerabilities that attackers can use to steal data, an expert warned Monday. "Oracle made big progress with 11g, but some of the vulnerabilities I've found so far in 11g are stupid programming errors," said Alexander Kornbrust, managing director of Red Database Security GmbH, during an interview at the Hack In The Box (HITB) Security Conference 2007 in Kuala Lumpur, Malaysia. IDG News Service, 09/03/07 ********** Network World Security Buyer's Guide Find the right security products for your enterprise - fast. From anti-spam to wireless LAN security, our Buyer's Guides have detailed information on hundreds of products in more than 20 categories. With the side-by-side comparison tool you can evaluate product features to make the best decision for your enterprise. Click here to go to the Security Buyer's Guide now. Four new updates from Ubuntu: Linux Kernel 2.6 for Ubuntu 7.04 (multiple flaws) Linux Kernel 2.6 for Ubuntu 6.10 (multiple flaws) Linux Kernel 2.6 for Ubuntu 6.06 (multiple flaws) tcp-wrappers (flawed access control) ********** Four new patches from Debian: ClamAV (multiple patches) id3lib (symlink attack, denial of service) VIM (multiple flaws) Linux kernel 2.6 (multiple flaws) ********** Today's malware news: New risk: Bogus MSN Messenger video invites Last week, it was a Webcam flaw in Yahoo Messenger that could leave you vulnerable to attack if you clicked a link to a malicious video conversation invitation. Now, researchers have found a similar hole in Microsoft's MSN Messenger. PC World, 08/29/07. ********** From the interesting reading department: Malicious Web: Not just porn sites The New Zealand Honeynet Project, which produced Capture-HPC (mentioned here last week), also produced an excellent white paper about using Capture-HPC to identify malicious Web servers. On the group's Web site, you'll find that paper, the captured data, and the tools for anyone to inspect and replicate. Computerworld, 08/31/07. Free gift offers dupe users into giving personal dataThe personal details of thousands of mostly U.S.-based PC users have been discovered stashed on a server located in France, another indication of use of the Internet to collect personal data on a vast scale. IDG News Service, 09/03/07. Personal info on 150,000 job seekers at USAJobs stolen The identity thieves who ransacked Monster.com's database also made off with the personal information of 146,000 people who use USAJobs, the federal government's official job search site, federal officials said today. Computerworld, 08/31/07. Microsoft sics lawyers on popular AutoPatcher utility On the same day that Microsoft set a date for the delivery of new Vista and XP service packs, it shut down a popular utility built and maintained by Windows enthusiasts for easily installing updates offline. The AutoPatcher utility is described by project manager Antonis Kaladis as an offline Windows Update. It provides an interface to a large collection of updates, common applications and registry tweaks. The collection could be downloaded once, then used to update many computers, saving time and bandwidth. Network World, 08/30/07. Hacks hit embassy, government e-mail accounts worldwide Usernames and passwords for more than 100 e-mail accounts at embassies and governments worldwide have been posted online. Using the information, anyone can access the accounts that have been compromised. IDG News Service, 08/30/07. Bank of India site hacked, distributing malware, security vendor says Bank of India Web site said to be hacked and a source of malware, including rootkits and Trojans, according to Sunbelt Software. Network World, 08/30/07. Note: F-Secure reports the offending iFrame has been removed and the site is safe again.   What do you think? Post a comment on this newsletter

TODAY'S MOST-READ STORIES: 1. Microsoft blames human error for glitch 2. Airline puts Linux PC in every seat 3. MPLS proposal spawns IETF, ITU turf war 4. Psst... Wanna buy a data center? 5. Hacks hit embassy, government e-mail worldwide 6. Secrets of vendors' pricing plans 7. Bank of India site hacked 8. ISPs to rural U.S.: Live with dial-up 9. Notes from OPNETWORK 2007 10. How close is World War 3.0? MOST E-MAILED ARTICLE: Airline puts Linux PC in every seat

Contact the author: Jason Meserve is Network World's Multimedia Editor and writes about streaming media, search engines and IP Multicast. Check out his Multimedia Exchange Weblog. Check out Jason Meserve and Keith Shaw's weekly podcast "Twisted Pair" This newsletter is sponsored by Raritan Computer, Inc. Data Center Build outs Simplified Download this whitepaper, Data Center Transformations, to learn how to make data center build outs, consolidations and acquisitions (BOCA) less complex and time consuming. Discover tools and techniques as well as key questions and topics that should be discussed with the business management side of the house. or more information click here. ARCHIVE Archive of the Security: Threat Alert Newsletter. BONUS FEATURE IT PRODUCT RESEARCH AT YOUR FINGERTIPS Get detailed information on thousands of products, conduct side-by-side comparisons and read product test and review results with Network World’s IT Buyer’s Guides. Find the best solution faster than ever with over 100 distinct categories across the security, storage, management, wireless, infrastructure and convergence markets. Click here for details. PRINT SUBSCRIPTIONS AVAILABLE You've got the technology snapshot of your choice delivered to your inbox each day. Extend your knowledge with a print subscription to the Network World newsweekly, Apply here today. International subscribers, click here. SUBSCRIPTION SERVICES To subscribe or unsubscribe to any Network World newsletter, change your e-mail address or contact us, click here. This message was sent to: security.world@gmail.com. Please use this address when modifying your subscription. Advertising information: Write to Associate Publisher Online Susan Cardoza Network World, Inc., 118 Turnpike Road, Southborough, MA 01772 Copyright Network World, Inc., 2007