Monday, July 23, 2007

Daily Highlights

Information Week reports a former U.S. Marine and FBI analyst was sentenced to 10 years in federal prison for espionage charges in connection with stealing classified national defense documents from the White House, the FBI, the Department of Defense, and the U.S. Department of State. (See item 27)

The Associated Press reports the blast that made New York skyscrapers tremble on Wednesday, July 17, came from an 83-year-old steam pipe and sent a powerful message that the miles of tubes, wires, and iron beneath New York and other U.S. cities are getting older and could become dangerously unstable. (See item 37)

Information Technology and Telecommunications Sector

31. July 20, VNUNet — 'Critical' BitTorrent flaw hits Opera. A "highly critical" vulnerability has been found in the Opera Web browser which could be exploited to remotely compromise a user's system. The flaw is caused when Opera uses already freed memory to parse BitTorrent headers, and can lead to an invalid object pointer being de-referenced. This can be exploited to execute arbitrary code if the user is tricked into clicking on a specially-crafted BitTorrent file and then removes it from the download pane by right-clicking. The vulnerability is reported in version 9.21 of Opera on Windows, but security monitoring Website Secunia, which rated the flaw "highly critical," said that other versions may also be affected. The problem can be fixed by upgrading to Opera 9.22.
Source: http://www.vnunet.com/vnunet/news/2194683/highly-critical-bittorrent-flaw

32. July 20, InformationWeek — Spammers exploiting new Simpson's movie. Security researchers reported spotting a spam campaign that is preying on interest in the upcoming Simpson's movie. The spammed e-mails try to lure unsuspecting users to a Website, where their e-mail address will be harvested for later spamming attacks, according to researchers at Sophos. To get users to visit the site, the spam claims recipients will be given a $500 Visa gift card if they click on a link and participate in an online survey about the movie. Each e-mail contains a graphic of Homer Simpson sitting on his sofa wearing a Superman crop-top and tighty-whities. A message in the image asks: "Will you go see the movie The Simpsons? Take our short survey now."
Source: http://www.informationweek.com/security/showArticle.jhtml;jsessionid=OKODGNODVOEWEQSNDLPSKHSCJUNN2JVN?articleID=201200171

33. July 19, U.S. Computer Emergency Readiness Team — US-CERT Technical Cyber Security Alert TA07-200A: Oracle releases patches for multiple vulnerabilities. Oracle has released patches to address numerous vulnerabilities in different Oracle products. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial-of-service. Systems Affected: Oracle Database; Oracle Application Server; Oracle Collaboration Suite; Oracle E-Business Suite and Applications; Oracle PeopleSoft Enterprise and JD EnterpriseOne. Solution: Apply the appropriate patches or upgrade as specified in the Critical Patch Update -- July 2007. Note that this Critical Patch Update only lists newly corrected vulnerabilities. As noted in the update, some patches are cumulative, others are not. Oracle E-Business Suite and Applications patches are not cumulative, so E-Business Suite and Applications customers should refer to previous Critical Patch Updates to identify previous fixes they want to apply. Vulnerabilities described in the July 2007 CPU may affect Oracle Database 10g Express Edition (XE). According to Oracle, Oracle Database XE is based on the Oracle Database 10g Release 2 code. Known issues with Oracle patches are documented in the pre-installation notes and patch readme files. Please consult these documents and test before making changes to production systems.
Oracle Critical Patch Update: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html
Oracle Database 10g Express Edition (XE): http://www.oracle.com/technology/products/database/xe/index.html
Source: http://www.us-cert.gov/cas/techalerts/TA07-200A.html