Thursday, June 7, 2007

Daily Highlights

The FBI's investigation is pointing to an outside hacker who broke into the computer network of the Illinois Department of Financial and Professional Regulation in January and accessed a server that held information on about 1,200,000 people who hold licenses or have applied for licenses with the department. (See item 9)
CBC News reports Canada's skies are vulnerable to another attack against passenger travel unless tougher cargo controls are implemented on the ground, according to an aviation security expert who testified at the Air India inquiry Wednesday, June 6. (See item 16)
Information Technology and Telecommunications Sector

33. June 06, US-CERT — Computer Associates releases security notice for anti-virus engine. The Computer Associates Anti-Virus engine fails to properly process CAB archives. These vulnerabilities may allow an unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition. US-CERT encourages users to apply the updates as described in the Computer Associates Security Notice: http://supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-securitynotice.asp
Source: Computer Associates Release Security Notice for Anti-Virus Engine

34. June 06, US-CERT — Sun Microsystems releases security advisory for Java Runtime Environment Image Parsing Code. Sun Microsystems released a Security Advisory for the Java Runtime Environment Image Parsing Code. This vulnerability may allow an applet to read and write local files or execute local applications. US-CERT encourages users to examine the resolutions that are described in the Sun Security Advisory as soon as possible:
http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102934-1
More information can be found in US-CERT Vulnerability Note VU#138545:
http://www.kb.cert.org/vuls/id/138545
Source: http://www.us-cert.gov/current/index.html#sun_microsystems_releases_security_advisory

35. June 06, US-CERT — Vulnerability Note VU#290961: Microsoft Windows GDI+ ICO InfoHeader Height division by zero vulnerability. Microsoft Windows Graphics Device Interface (GDI+) is an application programming interface (API) that provides programmers the ability to display information on screens and printers. GDI+ includes the ability to process ICO (icon) image files. There is an integer division by zero vulnerability in the way the ICO parsing component of GDI+ (Gdiplus.dll) handles ICO files whose InfoHeader section carries a Height value of zero. By getting a specially crafted ICO file processed by the vulnerable component, a remote attacker could trigger an integer division by zero and crash the application (a denial-of-service condition). Windows Explorer has been shown to be vulnerable; however, any application that uses the GDI+ library may be vulnerable. US-CERT is currently unaware of a practical solution to this problem.
Source: http://www.kb.cert.org/vuls/id/290961
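The failure mode described in item 35, as an added illustration that is not part of the original report and not Microsoft's GDI+ code: a minimal ICO header reader in C that walks ICONDIR, the first ICONDIRENTRY and the BITMAPINFOHEADER (the "InfoHeader"), with the vulnerable pattern (dividing by the untrusted Height field) beside a hardened version that rejects a zero Height before any arithmetic depends on it. The sample icon bytes are constructed here, and the particular per-row expression is an assumption chosen to show the class of computation; the vulnerability note does not state which expression inside Gdiplus.dll divides by Height.

```c
/*
 * Added example, not Microsoft/GDI+ code: minimal ICO header parsing showing
 * how a zero InfoHeader Height turns a size calculation into an integer
 * division by zero, and the validation that prevents it.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { ICO_OK = 0, ICO_ERR_TRUNCATED = -1, ICO_ERR_NOT_ICO = -2,
       ICO_ERR_BAD_HEADER = -3, ICO_ERR_BAD_HEIGHT = -4 };

typedef struct {
    uint32_t bytes_in_res;  /* ICONDIRENTRY.dwBytesInRes: header + pixel + mask bytes */
    uint32_t bi_size;       /* BITMAPINFOHEADER.biSize, 40 for the plain header */
    int32_t  bi_width;      /* BITMAPINFOHEADER.biWidth */
    int32_t  bi_height;     /* InfoHeader Height: XOR rows + AND rows, i.e. 2x the icon height */
} ico_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk ICONDIR -> first ICONDIRENTRY -> BITMAPINFOHEADER with bounds checks only;
 * field values are copied out untrusted, exactly as a parser would see them. */
int ico_parse(const uint8_t *buf, size_t len, ico_info *out) {
    if (len < 6 + 16) return ICO_ERR_TRUNCATED;
    if (rd16(buf) != 0 || rd16(buf + 2) != 1 || rd16(buf + 4) == 0) return ICO_ERR_NOT_ICO;
    const uint8_t *entry = buf + 6;
    out->bytes_in_res = rd32(entry + 8);
    uint32_t off = rd32(entry + 12);
    if (off > len || len - off < 40) return ICO_ERR_TRUNCATED;
    const uint8_t *hdr = buf + off;
    out->bi_size   = rd32(hdr);
    out->bi_width  = (int32_t)rd32(hdr + 4);
    out->bi_height = (int32_t)rd32(hdr + 8);
    return ICO_OK;
}

/* Vulnerable pattern (assumed expression): trusts Height and divides by it.
 * With Height == 0 this is an integer division by zero, which on x86 raises
 * an unhandled exception and kills the process: the denial of service. */
uint32_t ico_row_bytes_unchecked(const ico_info *i) {
    return (i->bytes_in_res - i->bi_size) / (uint32_t)i->bi_height;
}

/* Hardened form: validate header fields before any arithmetic depends on them. */
int ico_row_bytes_checked(const ico_info *i, uint32_t *row_bytes) {
    if (i->bi_size != 40 || i->bytes_in_res < i->bi_size || i->bi_width <= 0)
        return ICO_ERR_BAD_HEADER;
    if (i->bi_height <= 0) return ICO_ERR_BAD_HEIGHT;   /* the check GDI+ was missing */
    *row_bytes = (i->bytes_in_res - i->bi_size) / (uint32_t)i->bi_height;
    return ICO_OK;
}

/* Constructed 1x1, 32-bpp icon: 6-byte ICONDIR, 16-byte ICONDIRENTRY, 40-byte
 * BITMAPINFOHEADER (Height = 2: one XOR row + one AND row), 8 bytes of image data. */
static const uint8_t sample_ico[70] = {
    0x00,0x00, 0x01,0x00, 0x01,0x00,                       /* reserved, type=1 (icon), count=1 */
    0x01, 0x01, 0x00, 0x00, 0x01,0x00, 0x20,0x00,          /* w=1, h=1, colors, rsvd, planes, bpp=32 */
    0x30,0x00,0x00,0x00, 0x16,0x00,0x00,0x00,              /* dwBytesInRes=48, dwImageOffset=22 */
    0x28,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,  /* biSize=40, biWidth=1, biHeight=2 */
    0x01,0x00, 0x20,0x00, 0x00,0x00,0x00,0x00, 0x08,0x00,0x00,0x00, /* planes, bpp, compression, sizeimage */
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,                    /* xppm, yppm, clrused, clrimportant */
    0xff,0xff,0xff,0xff, 0x00,0x00,0x00,0x00               /* one BGRA pixel, one padded AND-mask row */
};

/* Bytes per row the hardened parser derives for the well-formed icon: (48 - 40) / 2 = 4. */
uint32_t example_good_row_bytes(void) {
    ico_info info; uint32_t rb = 0;
    if (ico_parse(sample_ico, sizeof sample_ico, &info) != ICO_OK) return 0;
    if (ico_row_bytes_checked(&info, &rb) != ICO_OK) return 0;
    return rb;
}

/* The same icon with the InfoHeader Height patched to zero, as a crafted file
 * would carry it. Returns the hardened parser's verdict; calling
 * ico_row_bytes_unchecked() on this input instead would divide by zero. */
int example_crafted_height_zero(void) {
    uint8_t crafted[sizeof sample_ico];
    ico_info info; uint32_t rb = 0;
    memcpy(crafted, sample_ico, sizeof crafted);
    memset(crafted + 22 + 8, 0, 4);   /* biHeight := 0 (offset 22 = header start, +8 = biHeight) */
    if (ico_parse(crafted, sizeof crafted, &info) != ICO_OK) return ICO_ERR_TRUNCATED;
    return ico_row_bytes_checked(&info, &rb);
}

int main(void) {
    printf("well-formed icon: %u bytes per row\n", example_good_row_bytes());
    printf("crafted icon (Height=0): hardened parser returns %d (ICO_ERR_BAD_HEIGHT=%d)\n",
           example_crafted_height_zero(), ICO_ERR_BAD_HEIGHT);
    return 0;
}
```

The point of the checked variant is ordering: every header field that feeds a divisor, a multiplication or an allocation size is range-checked before it is used, rather than after the first use already faulted. The same discipline covers the related integer-overflow cases (Width * bpp, Height * stride) that image parsers of this era also suffered from.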

36. June 06, eWEEK — Mozilla plugs Thunderbird security hole. On June 4, Mozilla released a security-fix Version 1.5.0.12 of its Thunderbird e-mail client, after updating its Firefox browser, a Firefox Google toolbar extension and its SeaMonkey Web application suite. The new Thunderbird 1.5.0.12 replaces 1.5.0.10. The most important fixes include a flaw in APOP authentication (which also affects the Mail & Newsgroups component of SeaMonkey) and a memory corruption bug (which also affects Firefox and SeaMonkey), a spokesperson said. Thunderbird 1.5.0.12 can be downloaded (10.2MB for Linux users) from the older Thunderbird releases Web page or via Thunderbird's built-in software update system:
http://www.mozilla.com/en-US/thunderbird/all-older.html
More details are available in the Thunderbird 1.5.0.12 release notes:
http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html
Source: http://www.eweek.com/article2/0,1895,2142213,00.asp
