Thursday, October 18, 2007

Quarterly Oracle patch bonanza

Network World

Security: Threat Alert

Network World's Security: Threat Alert Newsletter, 10/18/07

By Jason Meserve

Today's bug patches and security alerts:

Oracle ships critical update for database, applications

Oracle released its latest critical patch update on Wednesday, fixing 51 vulnerabilities in a range of products, including its flagship database line. Oracle's critical patch update fixes holes in Oracle Database Server, Oracle Application Server, Oracle Enterprise Manager, Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Twenty-seven of the patched vulnerabilities are found in Oracle Database Server, including the most serious vulnerability fixed. IDG News Service, 10/17/07.

Oracle advisory

US-CERT advisory
**********

Cisco patches Firewall Services Module

Multiple flaws found in the Cisco Firewall Services Module (FWSM) could be exploited in a denial-of-service attack. Cisco has released updates to fix the vulnerabilities.

Multiple flaws in Cisco PIX and ASA Appliances

According to the Cisco advisory, "Two crafted packet vulnerabilities exist in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. These vulnerabilities are triggered during processing of Media Gateway Control Protocol (MGCP) packets, or during processing of Transport Layer Security (TLS) traffic that terminates on the PIX or ASA security appliance." A free update is available.

Cisco Unified Communications Web-based Management Vulnerability

According to Cisco, "Unified Contact Center and Intelligent Contact Management products contain a vulnerability that may result in unauthorized access to the web-based reporting and script monitoring tool (Web View) and the web-based configuration tool (Web Admin)." An update is available.
**********

Researcher posts unofficial patch for Windows URI bug

A researcher beat Microsoft to the patch punch Sunday by publishing an unofficial fix for a critical flaw in Windows XP and Server 2003 on PCs with Internet Explorer 7. Computerworld, 10/15/07.
**********

New cross-site scripting attack targets VoIP

Security researchers have found a way to execute cross-site scripting attacks through VoIP clients, introducing a dangerous new threat almost no one is guarding against, according to vendor Secure Computing. NetworkWorld.com, 10/17/07.
**********

Two new updates from Debian

librpcsecgss (buffer overflow, code execution)

wesnoth (denial of service)
**********

Six new patches from Mandriva:

phpMyAdmin (multiple flaws)

util-linux (privilege escalation)

tar (buffer overflow, denial of service)

kernel (multiple flaws)

kernel 2.6 (multiple flaws)

libvorbis (multiple flaws)
**********

Three new fixes from Gentoo:

Balsa (buffer overflow, code execution)

X.Org X server (privilege escalation)

KDM (authentication bypass)
**********

Today's malware news:

Trojan imitates Skype, steals login credentials

Security analysts are warning of another malicious software program masquerading as an installer file for Skype. The program sends the victim's Skype credentials, as well as any other logins or passwords stored in Internet Explorer, to another server, wrote Villu Arak, a Skype spokesman based in Tallinn, Estonia, on a Skype blog. IDG News Service, 10/17/07.

F-Secure: Skype Stealer

Strengthening Storm - Almost Hurricane?

The new Storm worm variants being seen these days have yet again evolved and are gaining strength. Well, at least in encryption technology. The P2P UDP packets (made up of the header and payload) are now encrypted using a 40-byte key. Symantec Security Response blog, 10/16/07.

Privilege Escalation Exploit In the Wild

During the weekend I found an interesting sample exploiting a possibly new and undocumented vulnerability for Windows XP and 2003. The exploit is a local privilege escalation that allows users with a restricted account to gain a SYSTEM shell with higher privileges. Symantec Security Response blog, 10/16/07.
**********

From the interesting reading department:

Researcher: Mac OS, Linux probably have URI issues too

Microsoft said it would patch Windows to reduce the risk of a new kind of Web-based security vulnerability, but security researchers said that other operating systems are probably at risk, too. IDG News Service, 10/15/07.

Beware of hackers targeting storage systems

Corporate storage systems and networks are an attractive target for hackers looking to steal sensitive data or launch computer attacks, Alan Lustiger, security architect at TD Ameritrade, told an audience at Computerworld's Storage Networking World user conference in Dallas Monday. Computerworld, 10/16/07.

Microsoft switching SharePoint to claims-based authentication

Claims-based model linked to Microsoft's Identity Metasystem moving from concept to application layer with SharePoint as the proof point. Network World, 10/16/07.

Phishers move beyond eBay, PayPal

EBay and PayPal, once the primary lures used by phishers to trick e-mail users into giving up personal information, aren’t as popular as they used to be. NetworkWorld.com, 10/16/07.

Rogue Access Points: Back doors into your Network

Let's say that an employee in your company gets a new laptop. He's excited about the laptop's WiFi capabilities, but the company he works for doesn't have wireless capabilities. What's he do? Symantec Security Response blog, 10/16/07.

Newest Windows Update snafu puzzles Microsoft

For the second time in a month, Microsoft has had to defend Windows Update against charges that it upgraded machines without users' permission. So far, it has no explanation for the newest instance of unauthorized updating. Computerworld, 10/16/07.

Gartner: Most security threats can be addressed without additional investment

IT managers trying to figure out how much money to budget for information security purposes each year might want to take note of some recent advice from Gartner Inc.: Despite the growth in targeted attacks and the continuing discovery of new vulnerabilities, almost 90% of the threats companies face today can be handled without any extra investment in security. Computerworld, 10/15/07.

Couple swarmed by SWAT team after 911 'hack'

A Washington State teenager is facing 18 years in prison on charges that he used his PC to access Orange County, California's 911 emergency response system and tricked the sheriff's department into storming an area couple's home with a heavily armed SWAT team. IDG News Service, 10/18/07.

Cafe Latte attack steals data from Wi-Fi PCs

If you use a secure wireless network, hackers may be able to steal data from your computer in the time it takes to have a cup of coffee. IDG News Service, 10/17/07.

Contact the author:

Jason Meserve is Network World's Multimedia Editor and writes about streaming media, search engines and IP Multicast. Check out his Multimedia Exchange Weblog.

Check out Jason Meserve and Keith Shaw's weekly podcast "Twisted Pair"

Network World, Inc., 118 Turnpike Road, Southborough, MA 01772

Copyright Network World, Inc., 2007