Thursday, August 30, 2007

Cisco patches CallManager/Unified Communications Manager

Network World

Security: Threat Alert




Network World's Security: Threat Alert Newsletter, 08/30/07

By Jason Meserve

Today's bug patches and security alerts:

Cisco patches CallManager/Unified Communications Manager

According to the Cisco advisory, "Cisco CallManager and Unified Communications Manager are vulnerable to cross-site scripting (XSS) and SQL injection attacks in the lang variable of the admin and user logon pages. A successful attack may allow an attacker to run JavaScript on computer systems connecting to CallManager or Unified Communications Manager servers, and has the potential to disclose information within the database." A free update is available.
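The advisory names two bug classes in a single request parameter: the lang value reaches a database query and is also reflected into the logon page. The following is an added example, not Cisco's code and not derived from the advisory: a hypothetical logon page written in Python against an in-memory SQLite database, with the vulnerable handler (lang concatenated into SQL, reflected raw into HTML) beside a hardened one (allowlist of supported languages, parameterized query, HTML-escaped output). The table contents, the placeholder password hash and the attack strings are all constructed for the example.

```python
import html
import sqlite3

# Languages the page actually ships translations for; the hardened handler
# accepts nothing outside this tuple (assumption for the example).
SUPPORTED_LANGS = ("en", "fr", "de")

# Constructed sample data standing in for the server's database. The
# password "hash" is a placeholder string, not a real credential.
UI_STRINGS = [
    ("en", "title", "Log in"),
    ("fr", "title", "Connexion"),
    ("de", "title", "Anmelden"),
]
USERS = [("admin", "placeholder-hash-0123456789abcdef")]


def build_db():
    """In-memory SQLite database with a UI-strings table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ui_strings (lang TEXT, key TEXT, value TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO ui_strings VALUES (?, ?, ?)", UI_STRINGS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def render(title, lang):
    """Page skeleton shared by both handlers; the callers decide what goes in."""
    return (
        '<html><body><h1>%s</h1>'
        '<form method="post"><input type="hidden" name="lang" value="%s">'
        '<input name="user"><input name="pass" type="password"></form>'
        '</body></html>' % (title, lang)
    )


def vulnerable_login_page(conn, lang):
    """Trusts lang: string-builds the SQL and reflects the value unescaped."""
    sql = ("SELECT value FROM ui_strings WHERE lang = '" + lang
           + "' AND key = 'title'")
    row = conn.execute(sql).fetchone()       # SQL injection point
    title = row[0] if row else "Log in"
    return render(title, lang)               # reflected XSS point


def hardened_login_page(conn, lang):
    """Allowlists lang, parameterizes the query and escapes all output."""
    if lang not in SUPPORTED_LANGS:
        lang = "en"                          # unknown value: safe default
    row = conn.execute(
        "SELECT value FROM ui_strings WHERE lang = ? AND key = 'title'",
        (lang,),
    ).fetchone()
    title = row[0] if row else "Log in"
    # Escaping is belt and braces here: lang has already been allowlisted,
    # but output encoding should not depend on every caller validating input.
    return render(html.escape(title, quote=True), html.escape(lang, quote=True))


# Constructed attack inputs for the lang parameter. The UNION payload pulls
# rows from another table into the "title" lookup; the XSS payload closes the
# hidden input's attribute and opens a script tag.
SQLI_LANG = "x' UNION SELECT username || ':' || password_hash FROM users --"
XSS_LANG = '"><script>alert(document.cookie)</script>'


def demo():
    """Run both handlers against the constructed payloads; returns the pages."""
    conn = build_db()
    return {
        "vuln_sqli": vulnerable_login_page(conn, SQLI_LANG),
        "vuln_xss": vulnerable_login_page(conn, XSS_LANG),
        "safe_sqli": hardened_login_page(conn, SQLI_LANG),
        "safe_xss": hardened_login_page(conn, XSS_LANG),
        "safe_de": hardened_login_page(conn, "de"),
    }


if __name__ == "__main__":
    for name, page in demo().items():
        print(name, "->", page)
```

Running the block prints the vulnerable page with the users table's contents where the title should be and with a live script tag inside the form, and the hardened page with the payloads discarded in favour of the default language. The allowlist is the real fix for a parameter like lang, whose legitimate values are a small fixed set; parameterization and escaping remain in place so the page stays safe if the allowlist is ever bypassed or removed.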


**********

Apple updates AirPort Extreme Base Station

A flaw in the way Apple's AirPort Extreme Base Station wireless router handles certain IPv6 packets has been fixed in a new update from the company. On older firmware, crafted IPv6 packets could be used to reduce the bandwidth available on the affected network, a denial-of-service condition. Users should upgrade to firmware Version 7.2.1.

**********

Four new patches from Ubuntu:

tar (file overwrite)

Vim (input sanitization, code execution)

Emacs (denial of service)

Thunderbird (multiple flaws)

**********

Five new updates from Debian:

lighttpd (multiple flaws)

postfix-policyd (buffer overflow, code execution)

rsync (buffer overflow, code execution)

dovecot (directory traversal)

Asterisk (multiple flaws)

**********

Two new fixes from Mandriva:

kernel 2.6 (multiple flaws)

gimp (multiple flaws)

**********

Today's malware news:

Old worm Slammer threatens again

An old worm known as Slammer, which first appeared in January 2003, is still going strong, according to Gunter Ollmann, director of security strategy at IBM's Internet Security Systems. TechWorld, 08/24/07.

UN serves keylogger, Trojan after online attack

The United Nations (UN) is the latest victim in a string of hacking attacks aimed at identity and credit card theft, and building botnet hordes. The attack on the UN Asia Pacific Web site is believed to originate from the same group responsible for attacks on the U.S.-based Biotechnology Information Organization and the prominent Indian Syndicate Bank. Computerworld, 08/28/07.

PDF spam levels plummet

Having reached its peak volume on Aug. 7 at nearly 30% of all spam messages sent, PDF spam today is hardly registering on e-mail security vendors' spamometers. Network World, 08/29/07.

IM threats double in August

In the month of August to date, there have been 38 malicious-code attacks on instant-messaging networks, double the number experienced in July. Network World, 08/29/07.

'Storm' Trojan horse taps into YouTube fever

Hackers bent on spreading the Storm Trojan horse have changed tactics again and are now trying to dupe users into clicking on links posing as YouTube videos, security vendors warn. Computerworld, 08/27/07.

Deja vu: Sony uses rootkits, charges F-Secure

A line of USB drives sold by Sony Electronics installs files in a hidden folder that can be accessed and used by hackers, a Finnish security company charged Monday, raising the specter of a replay of the fiasco that hit Sony's music arm two years ago when researchers discovered that its copy protection software used rootkit-like technologies. Computerworld, 08/27/07.

[F-Secure: Sony's USB Rootkit vs Sony's Music Rootkit]

IRS warns of new phishing scam

The Internal Revenue Service today warned taxpayers of a new phishing scam where an e-mail purporting to come from the IRS advises taxpayers they can receive $80 by filling out an online customer satisfaction survey. Network World, 08/28/07.

**********

From the interesting reading department:

Canonical downplays Ubuntu hacks

Canonical Ltd., the commercial sponsor of Ubuntu Linux, said that the recent compromises of most of its local community servers do not reflect on the distribution's security or corporate-readiness. TechWorld, 08/28/07.

The Monster.com mess

The last thing you need when you're unemployed is a bank account that's suddenly emptied. But that's exactly what some unwary users of employment search site Monster.com faced after identity thieves made off with the personal information of more than a million people looking for jobs. Computerworld, 08/28/07.

Monster outlines antifraud measures

One week after hackers stole personal information from millions of people who had posted their resumes to the job-searching site Monster.com, the company has warned its users to be vigilant about online fraud because the breach was not an isolated incident. IDG News Service, 08/29/07.

You don't want to hear it: 10 pieces of lousy security advice

Sometimes a few words from a software vendor, potential partner or consulting security expert tell you everything you need to know about whose advice is worthwhile -- when it's best to smile and nod, or whether you need to interrupt and challenge someone who's seriously off the rails. Here are 10 telltale phrases that signal troublesome advice. Computerworld, 08/27/07.



Contact the author:

Jason Meserve is Network World's Multimedia Editor and writes about streaming media, search engines and IP Multicast. Check out his Multimedia Exchange Weblog.

Copyright Network World, Inc., 2007
