Thursday, September 06, 2007

Flaw puts BIND 8 out to pasture; Cisco warns of DoS flaw

Network World's Security: Threat Alert Newsletter, 09/06/07

By Jason Meserve

Question of the week:

Now that the iPhone has been out for a while and Apple has just announced the iPod Touch (an iPhone without the phone parts but with 802.11b and g support), what is your company's stance on the devices? Are you allowing them on the network or completely ignoring users' requests to support them?

The price drop on the iPhone (now just $399) may mean more showing up on the corporate doorstep between now and Christmas. Send me your thoughts on Apple's wireless intruders.

Today's bug patches and security alerts:

Serious flaw marks end of life for Bind 8 DNS server
A security researcher has found a serious vulnerability in an aging yet widely used software program used for the Internet's addressing system, prompting the software's maintainers to retire the affected version. The flaw within Berkeley Internet Name Domain 8 (Bind 8) software could misdirect users to a fraudulent Web site even if a user typed in the correct URL, wrote Amit Klein, chief technology officer for security vendor Trusteer Ltd. Klein discovered the problem. Users should upgrade to Bind 9. Computerworld, 09/05/07.
Amit Klein's advisory
ISC interim patch

**********

Cisco warns of DoS flaw in Content Switching Module
According to Cisco's advisory, "The Cisco Content Switching Modules (CSM) and Cisco Content Switching Module with SSL (CSM-S) contain two vulnerabilities that can lead to a denial of service (DoS) condition. The first vulnerability exists when processing TCP packets, and the second vulnerability affects devices with service termination enabled." A free update is available.

Cisco patches Video Surveillance IP Gateway
Cisco is warning of an authentication flaw in its Video Surveillance IP Gateway video encoder and decoder, Services Platform (SP), and Integrated Services Platform (ISP) devices. Attackers could exploit the flaws to gain full administrative control over an affected device. A free update is available.

**********

MIT patches kadmind RPC library
According to the MIT advisory, "The krb5 Kerberos administration daemon (kadmind) is vulnerable to a stack buffer overflow in the RPCSEC_GSS authentication flavor of the RPC library. Third-party applications using the RPC library provided with MIT krb5 may also be affected."

Related updates:

Debian

rPath

Ubuntu

**********

Firefox still vulnerable to attacks from protocol-handling bugs
Firefox remains vulnerable to attacks exploiting protocol-handling bugs, even though it was patched twice in July, a pair of security researchers said this weekend. Billy Rios and Nate McFeters, who spelled out design and functionality vulnerabilities in Windows' Uniform Resource Identifier (URI) protocol handling as recently as mid-August, said Saturday that they have uncovered another way hackers could send malicious code to users via browsers. Computerworld, 09/04/07.
Rios' blog: Firefox File Handling Woes

**********

Critical bugs plague QuickBooks' online service, warns US-CERT
The federal government's cyberdefense arm today warned users of the popular QuickBooks small-business accounting software that they risk losing data and control of their PCs to hackers. According to two advisories published by the U.S. Computer Emergency Readiness Team (US-CERT), the ActiveX control that enables Intuit Inc.'s QuickBooks Online Edition contains flaws that attackers can exploit simply by getting users to view an HTML e-mail message or visit a malicious Web site. Computerworld, 09/05/07.

US-CERT advisories:

Intuit QuickBooks Online Edition ActiveX control stack buffer overflows

Intuit QuickBooks Online Edition ActiveX control fails to properly restrict access to methods

**********

Two new patches from rPath:

Fetchmail (denial of service)

gd/PHP (multiple flaws)

**********

Two new updates from Mandriva:

Tar (arbitrary file overwrite)

ClamAV (denial of service)

**********

Today's malware news:

Storm worm spoils Labor Day for some
The Storm worm takes no holidays; over this past long weekend this busy piece of malware emerged as part of a spam campaign that pointed recipients to a Web site wishing them a happy Labor Day, then downloaded an "exploit cocktail." Network World, 09/05/07.

Custom-built botnet steals eBay accounts
Online auction site eBay has been targeted by identity thieves, who are wielding a botnet that uses brute force to uncover valid account log-in information, a Tel Aviv-based security company said Monday. The brute-force attacks are launched by a large botnet that the identity thieves have built using a sophisticated, multistage campaign that begins with compromised legitimate Web sites. Computerworld, 09/04/07.

**********

From the interesting reading department:

A Time-to-Patch: Apple 2006
In a study of updates that Apple shipped last year to remedy serious security holes in products such as QuickTime and iTunes, Security Fix found that the company released patches to plug at least 104 critical security vulnerabilities. That is more than twice the number of severe security holes that the company patched in all of 2004 and 2005 combined. Security Fix blog, 09/04/07.

E-mail system attack caused no damage, US DOD says
A hacking attempt against the U.S. Department of Defense unclassified e-mail system earlier in the year caused minor administrative disruptions and personal inconveniences, but no adverse impact, a military spokesman said Tuesday. IDG News Service, 09/04/07.

Contact the author:

Jason Meserve is Network World's Multimedia Editor and writes about streaming media, search engines and IP Multicast. Check out his Multimedia Exchange Weblog.

Check out Jason Meserve and Keith Shaw's weekly podcast "Twisted Pair"

Network World, Inc., 118 Turnpike Road, Southborough, MA 01772

Copyright Network World, Inc., 2007