Computer Tips -Tech Info

Category: Security-Vulnerabilities

  • Ruby on Rails urgent update

    A new version of Ruby on Rails has been released in response to a critical security vulnerability. The link will take you to information at incidents.org. 1.1.5 is the new version and should be compatible with 1.1.4 all previous versions appear to be vulnerable.

  • Clamav 0.88.4 and prior DoS

    According to incidents.org a denial of service vulnerability has been noted in all versions of clamav prior to 0.88.4 (inclusive). At incidents last report the download for 0.88.4 was back after disappearing for a while which seemed to indicate a fix, however. I wasn’t aware 0.88.4 had been released before today (?). It looks as though http://www.clamav.net/ has perhaps a re-release of 0.88.4? that fixes it? Clamav is a popular open source antivirus scanning engine.

    –UPDATED AND CORRECTED – looking at the Secunia advisory version 0.88.3 and 0.88.2 are vulnerable others may be – and I suspect that 0.88.4 is the version that will fix it – so it looks as though 0.88.4 will be the fixed version. AGAIN – it looks as though 0.88.4 FIXES the DoS vulnerability.

  • Vista’s fatal flaw?

    Backwards compatibility. It’s something that many vendors strive for and Microsoft is certainly one that has placed a value on making things backwards compatible for third party software. According to this story at Sci-Tech Today, Symantec thinks this eagerness to be backwards compatible may be a big issue for Vista’s security. They expect several “privilige escalation” vulnerabilities to be found and say that if those such vulnerabilities are discovered in the prompt for user consent…. well essentially all of the systems security precautions could be undermined. The whitepaper on the details talks about several issues that have been patched at this stage in the Vista development process, but the main question is how many are out there?

    (more…)

  • Another WMF exploit??

    Security Focus has a brief that refers to a WMF zero-day vulnerability that affects Windows XP SP2. I suspect this may get a bit of coverage throughout the day. It appears as though there are actually 3 issues cited.

  • Wireless Driver Vulnerabilities

    There are a couple notes to pass along with regards to some pretty serious vulnerabilities in various wireless network adapter drivers. First, Sans has information on some Intel Centrino updates that resolve some vulnerabilities that would affect the Windows Centrino driver and the ProSet management software. F-secure chimes in on this noting that the download is a whopping 129MB.

    (more…)

  • Time for Apple Mac OS X updates again

    From the look of it Apple has released a bunch of updates for OS X. A number of security issues are detailed. As always, SANS has some good details and links to more info on each of the ~13 issues. Many of them are legacy bugs if you will from older *nix-based systems. This is as good a time as any for the now familiar lesson – NO operating system is invulnerable, you must keep any software install updated with current security patches.

    (more…)

  • Another McAfee security product flaw

    Sans has info on a security flaw affect several McAfee security products. It could allow remote code execution. The 2007 versions of the products are not affected and a patch is expected soon. For your information, here are the affected products: McAfee Internet Security Suite 2006, McAfee Wireless Home Network Security, McAfee Personal Firewall Plus, McAfee VirusScan, McAfee Privacy Service, McAfee SpamKiller, McAfee AntiSpyware.

    You may note that antivirus software is increasingly being scrutinized as a means to remotely exploit systems. Be watching for the patch to come from McAfee.

  • WordPress 2.0.4 Update

    It has been a few days now, but I noticed that WordPress 2.0.4 has now been released and is highly recommended due to the fixing of a few security issues. They also list a number of bugfixes as well. So, if you’re running a site based on wordpress it’s time to update. It’s really a fairly painless process. I do recall upgrading ONE site to 2.0.3 and it was quite painFUL…. things went quite wrong and I had to restore the database from a backup. BUT… I’ve now upgraded 5 or so installs to 2.0.4 without a hitch. (One was a 2.0.3 install and the others were (I believe) 2.0.2).

    (more…)

  • Microsoft Issues advisory on Powerpoint flaw

    Here’s the link to Microsoft’s advisory. The main workaround seems to be…. Don’t open or save powerpoint attachments that you receive from untrusted sources, OR that you receive unexpectedly from trusted sources…. So, the only real workaround is what SHOULD be common practice. Whether or not there is a vulnerability in the news you should always be cautious with receiving file attachments. ANYTHING unexpected, even from a trusted source, should be verified “out of channel”.

  • Linux Local kernel vulnerability

    SANS has a story on another local kernel vulnerability for linux. I’ve got to say that I typically haven’t looked as much at “local” vulnerabilities on this site as I have talked about remote vulnerabilities. Usually local vulnerabilities are flaws that allow a user that’s already logged into a system to escalate their user rights to control the system. So, IF you allow logins for various users, you definitely need to pay attention to local vulnerabilities.

    (more…)