Thursday, October 11, 2007

Patches from Microsoft, Adobe, Cisco and more

Network World's Security: Threat Alert Newsletter, 10/11/07

By Jason Meserve

Today's bug patches and security alerts:

Microsoft's Patch Tuesday updates should be well underway or completed by now on your systems. Here is a roundup of what got fixed:

IE, Outlook, Word get critical bug fixes

Microsoft has released six security updates for its products, fixing critical flaws in Word, Outlook Express, Internet Explorer (IE) and the Kodak image viewer that ships with Windows. IDG News Service, 10/10/07.

Microsoft advisories:

Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution

Security Update for Outlook Express and Windows Mail

Cumulative Security Update for Internet Explorer

Vulnerability in Microsoft Word Could Allow Remote Code Execution

Vulnerability in RPC Could Allow Denial of Service

Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site

Other related posts:

Review of Microsoft's Patch Tuesday (Symantec Security Response blog)

Patch Tuesday/Exploit Wednesday? (Symantec Security Response blog)

Patch Tuesday Again, Folks... (F-Secure blog)

US-CERT advisory
**********

Adobe admits PDF exploit, posts workaround

Adobe has confirmed that there's a critical bug in its most popular programs, but it doesn't yet have a patch that protects Windows XP users against attacks arriving as PDF files. Computerworld, 10/08/07.

Adobe advisory
**********

Cisco warns of default password in Wireless Control System Conversion Utility

According to the Cisco advisory, "Customers who use the CiscoWorks Wireless LAN Solution Engine (WLSE) may use a conversion utility to convert over to a Cisco Wireless Control System (WCS). This conversion utility creates and uses administrative accounts with default credentials. Because there is no requirement to change these credentials during the conversion process, an attacker may be able to leverage the accounts that have default credentials to take full administrative control of the WCS after the conversion has been completed. Customers who have converted their CiscoWorks WLSE to a Cisco WCS are advised to set strong passwords for all accounts on their Cisco WCS."
**********

Buffer overflow in Asterisk voicemail system

The Asterisk development team is warning of a buffer overflow in the IMAP interface to its voicemail system. An attacker could exploit the overflow remotely.
**********

Eight new patches from Gentoo:

NX 2.1 (integer overflow, code execution)

KOffice (stack overflow)

Tk (buffer overflow)

OpenSSL (multiple flaws)

QGit (non-secure temp files, code execution)

libsndfile (buffer overflow)

libvorbis (multiple flaws)

PHP (multiple flaws)
**********

Today's malware news:

Botnetters unleash mini-swarms

Botnets are being split into smaller "swarms" to evade detection, analysis from two security vendors has suggested. Last week, F-Secure's Mika Stahlberg was reported as saying that the company had noticed the emergence of smaller botnets, a trend that ran counter to the previous tendency to run huge numbers of hijacked machines as single entities. TechWorld, 10/08/07.
**********

From the interesting reading department:

IE 7 bug reopens debate over patch responsibilities

Security researchers are again arguing over who is responsible -- Microsoft or third-party developers -- for protocol-handling bugs after a researcher on Friday said Internet Explorer 7 can be used to trick users into launching malware. Computerworld, 10/08/07.

Commerce Bank says hacking damage was limited

A regional bank in the U.S. said it was able to deflect most of a hacking attempt on its database, but not before some customer information was divulged. IDG News Service, 10/10/07.

Hacker breaks into eBay server, locks users out

A malicious hacker broke into an eBay server on Friday and temporarily suspended the accounts of a "very small" number of members, the company said. IDG News Service, 10/08/07.

E-mail boosts productivity; IM poses threats, survey says

When it comes to communicating during the workday, a majority of enterprise users find e-mail and phone calls conducive to productivity, while unified communications technologies such as instant messaging, blogs and softphones distract them from the work at hand and pose a threat to enterprise security. Network World, 10/10/07.

Hackers at Microsoft?! Now wait a minute ...

For the record, there are hackers at Microsoft. Just don't call them hackers. In August, a blogger using the handle "Techjunkie" started a Microsoft Developer Network blog called Hackers @ Microsoft that, he claimed, would introduce the world to some of the ethical "white hat" hackers working there. IDG News Service, 10/08/07.

How Gullible Can You Get?

Most of the new phishing we see is done with phishing kits, like the Rock Phish kit. But every now and then we run into "old skool" phishing. Like the site we're looking at today, servicecenter-us-eu.dk. This domain was registered to Mr. "Asger Trier Bing" in Copenhagen three weeks ago. Quite surprisingly, the site is even hosted in Denmark. F-Secure blog, 10/08/07.

We will, we will - mislead you

In the ever-expanding world of misleading applications, you might wonder how each new application can stand out from the crowd and get itself noticed. Symantec Security Response blog, 10/10/07.

Phishers won’t stop as long as users continue to click

Carnegie Mellon University is researching the best ways to educate e-mail users about the dangers of phishing, such as how to distinguish the URL of a fraudulent Web site from a legitimate one. Not exactly rocket science ... or is it? Network World, 10/09/07.



Contact the author:

Jason Meserve is Network World's Multimedia Editor and writes about streaming media, search engines and IP Multicast. Check out his Multimedia Exchange Weblog.

Network World, Inc., 118 Turnpike Road, Southborough, MA 01772

Copyright Network World, Inc., 2007