Microsoft has provided a link specifically for dialup users who wish to order
the new Service Pack 2 on CD. Microsoft will ship the CD, which contains the
same Service Pack 2 software that is available for download from its Windows
Update site, free of charge:
http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx
Internet Explorer users are urged to immediately apply Microsoft's latest cumulative critical security update (MS04-025). This update, which includes corrections for Windows XP users who are running Windows Update Version 5, addresses three serious vulnerabilities in Internet Explorer 5.x and 6 that may allow attackers to execute malicious code on a victim's computer.
References:
In late August, Secunia's security team reported an "extremely critical" flaw affecting Winamp that can be exploited to compromise users' systems without their knowledge. Internet Explorer users are particularly vulnerable. For details, see http://secunia.com/advisories/12381/
To search for patches for Microsoft products, go to the Microsoft Download
page at
http://www.microsoft.com/downloads/search.aspx?opsysid=1&search=Keyword&value='security_patch'&displaylang=en
In late July, MyDoom-O made headlines when it caused big headaches for Google, Yahoo, and Lycos. This particular worm, which scanned domains of the major search engines for email addresses, had the effect of a DDoS attack, disrupting Google service worldwide and infecting vulnerable PCs with its malicious executable files.
Since then, there have been more than a half dozen new variants of the worm, all of which affect only Windows PCs (95/98/Me/NT/XP). One of the variants (MyDoom-Q) runs a backdoor trojan called Backdoor.Nemog, which allows an infected computer to be used as an email relay and HTTP proxy.
Users should be aware that these worms may also be distributed via P2P (peer-to-peer) networks, IM (Instant Messenger) channels, and the like.
Current information on MyDoom and other viruses is available at Symantec's Security Response site: http://securityresponse.symantec.com/avcenter/vinfodb.html
Hundreds of thousands of emails containing the word "price" flooded inboxes with record speed as the latest variant of the Beagle (aka Bagle) virus hit the networks in August.
Like the MyDoom worms, Beagle may also be distributed via P2P and IM resources. Also like MyDoom, Beagle attacks only Windows machines, underscoring the need for Windows users to be scrupulous in keeping their virus definitions up-to-date.
Removal tools for W32.Beagle variants are on Symantec's Security Response site at http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html
A serious flaw in AOL Instant Messenger's "Away" message handling system leaves users open to attack, allowing intruders to hijack a user's system and run malicious code. For details, see Secunia Advisory SA12198 at http://secunia.com/advisories/12198/
In mid-August, Yahoo issued a security patch to fix a vulnerability in its latest version of Instant Messenger (IM). At issue is the way its Instant Messenger software handles PNG graphics, potentially allowing malicious programs to be executed when a vulnerable application loads an image. Information about the patch is available from the Yahoo Messenger site at http://messenger.yahoo.com/security/update5.html
For more details, see http://zdnet.com.com/2100-1105-5309129.html
This vulnerability in Adobe Acrobat/Acrobat Reader can allow attackers to execute arbitrary code and take control of the affected system. To learn more, see the iDEFENSE Security Advisory at http://www.uniras.gov.uk/niscc/docs/br-20040817-00480.html
Systems running versions of Kerberos 5 libraries prior to krb5-1.3.5 are vulnerable to several kinds of attack, the worst of which could allow arbitrary code execution by an intruder, compromising an entire Kerberos realm. For details, see US-CERT Alert TA04-247A at http://www.us-cert.gov/cas/techalerts/TA04-247A.html
Victims of exploits of Bluetooth technology in mobile phones could have their privacy seriously violated: address books, calendars, text messages, and even private phone conversations could all be exposed to the prying eyes and ears of attackers. The Nokia 6310 and 8910 series and the Sony Ericsson T610 are particularly vulnerable to attack because of their popularity. Manufacturers are aware of the problem and are taking steps to improve the security of their products.
For details, see Wired's August 6 article, "Security Cavities Ail Bluetooth," at http://www.wired.com/news/privacy/0,1848,64463,00.html
In August, six vulnerabilities were reported in common code supporting the Portable Network Graphics (PNG) format. If left unpatched, the most critical of these could trigger a buffer overflow when a victim is tricked into visiting a malicious website. For more information about the problem and its fixes, see
PuTTY, a free Telnet and SSH client for Win32 and Unix platforms, has a serious security hole that may allow attackers to spoof server identities to run malicious code. Users are urged to update to PuTTY 0.55 to correct the problem. The update was released August 3. UO users may download it from Public, the public software server maintained by Microcomputer Services at http://public.uoregon.edu/software/Network Software/SSH/
Look for the file putty.zip
Multiple vulnerabilities have been found in Mozilla packages for Red Hat Linux 1.4.3 and, most recently, in Netscape 7.2 for Windows and Netscape 7.x. Most of the attacks are perpetrated by tricking users into visiting malicious web pages.
In August, Red Hat issued fixes for nearly a dozen of these flaws (see http://www.linuxsecurity.com/advisories/redhat_advisory-4640.html ). The Netscape 7.x vulnerabilities are related to flaws affecting Mozilla software. For details, see http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1006326,00.html
Windows users: Instructions for updating Mozilla, Firefox, and Thunderbird are available at http://mozilla.org/security/shell.html
Mplayer, which comes with many Linux distributions, contains a serious vulnerability in its graphical user interface (GUI) that could allow attackers to execute malicious code on a Linux or Unix system.
Users are advised to upgrade to the latest version of Mplayer, while system
administrators are being urged to switch off Mplayer's GUI altogether.
For details, see
http://open.itworld.com/4909/040803linuxbug/page_1.html
Preliminary research suggests that MD5, an algorithm embedded in common security applications, may be too flawed to remain the "gold standard" in encryption programming.
Some experts are recommending that programmers discontinue the use of MD5
now, before successful attacks are devised. For details, see
http://zdnet.com.com/2100-1105-5313655.html
On September 17, US-CERT reported a series of vulnerabilities affecting the following Mozilla products, the most serious of which could allow attackers to execute malicious code:
See http://www.us-cert.gov/cas/techalerts/TA04-261A.html
Windows users are advised to install the patch for a security loophole that could allow graphics to be vectors of malicious code. Those who have already installed XP SP2 "should not be complacent." For details, see the BBC News report, "Image flaw exposes Windows PCs" at http://news.bbc.co.uk/1/hi/technology/3661678.stm
For some interesting insights into the privacy pitfalls of wireless, tune in to NPR's September 17 broadcast, "Wireless Internet Keeps Stat Fans Happy at Ballparks" at http://www.npr.org/features/feature.php?wfId=3924653
Don't press any 'click to remove' links included with a spam message because they could trigger malicious code to run on vulnerable PCs. For details, go to http://www.theregister.co.uk/2004/09/22/opt-out_exploit/
Microsoft's recent security improvements to IE are available only to XP users. If you run an earlier version of Windows, you'll have to pay to upgrade. See http://news.com.com/Microsoft+to+secure+IE+for+XP+only/2100-1032_3-5378366.html