Tuesday, September 04, 2007

Expert finds 'stupid' vulnerabilities in Oracle 11g

Network World

Security: Threat Alert




Network World's Security: Threat Alert Newsletter, 09/03/07

By Jason Meserve

Today's security alerts:

Expert finds 'stupid' vulnerabilities in Oracle 11g
The latest version of Oracle Corp.'s flagship database offers better security than earlier versions, but development errors have left vulnerabilities that attackers can use to steal data, an expert warned Monday. "Oracle made big progress with 11g, but some of the vulnerabilities I've found so far in 11g are stupid programming errors," said Alexander Kornbrust, managing director of Red Database Security GmbH, during an interview at the Hack In The Box (HITB) Security Conference 2007 in Kuala Lumpur, Malaysia.
IDG News Service, 09/03/07

**********


Four new updates from Ubuntu:

Linux Kernel 2.6 for Ubuntu 7.04 (multiple flaws)

Linux Kernel 2.6 for Ubuntu 6.10 (multiple flaws)

Linux Kernel 2.6 for Ubuntu 6.06 (multiple flaws)

tcp-wrappers (flawed access control)

**********

Four new patches from Debian:

ClamAV (multiple patches)

id3lib (symlink attack, denial of service)

VIM (multiple flaws)

Linux kernel 2.6 (multiple flaws)

**********

Today's malware news:

New risk: Bogus MSN Messenger video invites
Last week, it was a Webcam flaw in Yahoo Messenger that could leave you vulnerable to attack if you clicked a link to a malicious video conversation invitation. Now, researchers have found a similar hole in Microsoft's MSN Messenger. PC World, 08/29/07.

**********

From the interesting reading department:

Malicious Web: Not just porn sites
The New Zealand Honeynet Project, which produced Capture-HPC (mentioned here last week), also produced an excellent white paper about using Capture-HPC to identify malicious Web servers. On the group's Web site, you'll find that paper, the captured data, and the tools for anyone to inspect and replicate. Computerworld, 08/31/07.

Free gift offers dupe users into giving personal data
The personal details of thousands of mostly U.S.-based PC users have been discovered stashed on a server located in France, another indication of use of the Internet to collect personal data on a vast scale. IDG News Service, 09/03/07.

Personal info on 150,000 job seekers at USAJobs stolen
The identity thieves who ransacked Monster.com's database also made off with the personal information of 146,000 people who use USAJobs, the federal government's official job search site, federal officials said today. Computerworld, 08/31/07.

Microsoft sics lawyers on popular AutoPatcher utility
On the same day that Microsoft set a date for the delivery of new Vista and XP service packs, it shut down a popular utility built and maintained by Windows enthusiasts for easily installing updates offline. The AutoPatcher utility is described by project manager Antonis Kaladis as an offline Windows Update. It provides an interface to a large collection of updates, common applications and registry tweaks. The collection could be downloaded once, then used to update many computers, saving time and bandwidth. Network World, 08/30/07.

Hacks hit embassy, government e-mail accounts worldwide
Usernames and passwords for more than 100 e-mail accounts at embassies and governments worldwide have been posted online. Using the information, anyone can access the accounts that have been compromised. IDG News Service, 08/30/07.

Bank of India site hacked, distributing malware, security vendor says
The Bank of India Web site is said to have been hacked and to be a source of malware, including rootkits and Trojans, according to Sunbelt Software. Network World, 08/30/07.

Note: F-Secure reports the offending iFrame has been removed and the site is safe again.



Contact the author:

Jason Meserve is Network World's Multimedia Editor and writes about streaming media, search engines and IP Multicast. Check out his Multimedia Exchange Weblog.

Check out Jason Meserve and Keith Shaw's weekly podcast "Twisted Pair"




Network World, Inc., 118 Turnpike Road, Southborough, MA 01772

Copyright Network World, Inc., 2007
