Thursday, April 12, 2007

Daily Highlights

The Georgia Department of Community Health said Tuesday that a CD containing the names, addresses, birth dates and Social Security numbers of 2.9 million Medicaid recipients went missing while being transported by a private carrier. (See item 11)
The Director of National Intelligence on Wednesday unveiled a broad new program to enhance collaboration between agencies. (See item 25)

Information Technology and Telecommunications Sector

27. April 10, eWeek — Symantec patches flaw in Enterprise Security Manager. Symantec has patched a security hole in its Enterprise Security Manager (ESM) tool that allows attackers to take control of machines running the vulnerable agent. The company cautioned users in an advisory that all versions of ESM except version 6.5.3 are vulnerable to remote code execution. The problem, officials at the anti-virus vendor reported, is that the ESM agent's remote upgrade interface does not authenticate the source of upgrade requests: anyone who can reach the agent on the network and speak the upgrade protocol can push attacker-supplied code in a specially crafted upgrade request, and because the agent installs upgrades with administrative privileges, that code runs as administrator. "The ESM agent accepts remote upgrade requests from any entity that understands the upgrade protocol," according to the advisory. "The ESM agent does not currently verify that upgrades are from a trusted source. An attacker with knowledge of the agent protocol could deploy a piece of software that allows the attacker to control the host computer. The ESM agent runs with administrative privileges."
Source: http://www.eweek.com/article2/0,1895,2112727,00.asp
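The defect described in item 27 is a missing origin check, not a parsing bug: the agent acts on any well-formed upgrade frame. The following Python model, added here as an illustration and not Symantec's code or ESM's actual wire protocol, puts an "install whatever arrives" handler beside one that first verifies an HMAC-SHA256 tag over the exact bytes it will act on. The frame layout, the key, and the package contents are all constructed for the example.

```python
"""Constructed model of an agent 'remote upgrade' handler.

vulnerable_agent() installs whatever arrives, as the unpatched ESM agent is
described as doing; hardened_agent() verifies a MAC from the management
console before touching the payload. The wire format below is hypothetical
and is NOT Symantec ESM's protocol.
"""
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


class UpgradeRejected(Exception):
    """Raised when a request fails parsing or verification."""


def encode_request(name, payload, key=None):
    """Serialize a request: u16 name length, name, u32 payload length, payload,
    then a 32-byte tag. With a key the tag is HMAC-SHA256 over name+payload;
    without one it is all zeros, modelling what an attacker who merely
    understands the protocol (but holds no key) would send."""
    name_b = name.encode()
    body = (struct.pack(">H", len(name_b)) + name_b
            + struct.pack(">I", len(payload)) + payload)
    tag = hmac.new(key, body, hashlib.sha256).digest() if key else bytes(TAG_LEN)
    return body + tag


def decode_request(blob):
    """Parse a frame into (name, payload, body, tag). Every length is checked
    against the frame size so a truncated or padded frame is rejected."""
    if len(blob) < 2 + 4 + TAG_LEN:
        raise UpgradeRejected("frame too short")
    name_len = struct.unpack(">H", blob[:2])[0]
    off = 2 + name_len
    if len(blob) < off + 4 + TAG_LEN:
        raise UpgradeRejected("truncated name")
    payload_len = struct.unpack(">I", blob[off:off + 4])[0]
    off += 4
    end = off + payload_len
    if len(blob) != end + TAG_LEN:
        raise UpgradeRejected("length mismatch")
    return blob[2:2 + name_len].decode(), blob[off:end], blob[:end], blob[end:]


def vulnerable_agent(blob, installed):
    """Unpatched behaviour: any peer that speaks the protocol gets its package
    installed (here: appended to `installed`, standing in for running it)."""
    name, payload, _body, _tag = decode_request(blob)
    installed.append((name, payload))
    return name


def hardened_agent(blob, key, installed):
    """Verify the tag over the serialized body before acting on the payload.
    hmac.compare_digest avoids leaking the tag through timing differences."""
    name, payload, body, tag = decode_request(blob)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise UpgradeRejected("upgrade request not from a trusted source")
    installed.append((name, payload))
    return name


def demo():
    """Constructed scenario: the legitimate console holds the key, the
    attacker does not. Returns a dict of outcomes for each handler."""
    key = b"per-deployment-console-key"                       # constructed
    good = encode_request("agent-pkg", b"\x7fELF legit", key)
    forged = encode_request("agent-pkg", b"\x7fELF backdoor")  # unsigned
    tampered = bytearray(good)
    tampered[-TAG_LEN - 1] ^= 0x01  # flip the last payload byte of a signed frame

    results = {}
    unpatched = []
    vulnerable_agent(forged, unpatched)
    results["vulnerable_installs_forged"] = len(unpatched) == 1

    patched = []
    results["hardened_accepts_signed"] = hardened_agent(good, key, patched) == "agent-pkg"
    for label, blob in (("forged", forged), ("tampered", bytes(tampered))):
        try:
            hardened_agent(blob, key, patched)
            results["hardened_rejects_" + label] = False
        except UpgradeRejected:
            results["hardened_rejects_" + label] = True
    results["hardened_installed_count"] = len(patched)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

A shared-secret MAC is the smallest change that closes the hole; in a real deployment a public-key signature over the package (with only the console holding the signing key) is preferable, since an agent compromised some other way then cannot mint valid upgrades for its peers. Either way the check has to cover the bytes that are actually installed, which is why the hardened handler signs the serialized body rather than a separately transmitted name or version string.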

28. April 10, CNET News — Office zero-day bugs spoil Patch Tuesday. A trio of what appear to be new, yet-to-be-patched flaws in Microsoft Office has surfaced, according to security researchers at McAfee. The vulnerabilities were reported in online security forums on Monday, April 9, according to a posting on the McAfee Avert Labs blog on Tuesday. All but one of the flaws result only in denial of service, meaning the application would crash, according to the blog post. "There is one heap-overflow flaw that might be exploited for code execution," Karthik Raman, a McAfee researcher, wrote on the blog on Tuesday. Typically such flaws are exploited by tricking a targeted victim into opening a rigged Office document. Microsoft is investigating the bug reports as well, a company representative said in an e-mailed statement. Microsoft is not aware of any attacks that exploit any of the issues at this time, the representative said. Word of the flaws comes on the day that Microsoft issued five security bulletins as part of its monthly patch cycle.
McAfee blog: http://www.avertlabs.com/research/blog/?p=253
Source: http://news.com.com/Office+zero-day+bugs+spoil+Patch+Tuesday/2100-1002_3-6175011.html?tag=nefd.top

29. April 10, CNET News — Oracle patches to fix 37 flaws. Oracle next week plans to release fixes for 37 security flaws across its product line, the company said Tuesday, April 10. The fixes will be delivered April 17 as part of Oracle's quarterly patch cycle. Seven of the bugs are serious and could allow a system running the vulnerable Oracle software to be compromised remotely, the company said in a note on its Website. This is the second time Oracle has given advance notice of the contents of an upcoming patch release.
Source: http://news.com.com/Oracle+patches+to+fix+37+flaws/2100-1002_3-6175041.html?tag=nefd.top
