Not that you asked...  

August 22, 2005

Feeling Vulnerable

Every week I read my "Vulnerability Summary" from SecurityTracker. It amazes me the number of major open vulnerabilities that are aggregated, summarized and presented. In a way it is a bit overwhelming and alarming.

We all hear and read stories around web security breaches and hacks. Most folks know someone who has been violated, or even is a customer of a major organization in the news for being breached, or losing data, or whatever. Hey, if it can happen to Fred Durst of Limp BizKit, it can happen to you or me.

We also hear tidbits around how quickly an unprotected machine on the Internet picks up dozens if not hundreds of viruses and spyware. Attacks commence within minutes and quickly number in the hundreds to thousands of attempts with numerous successes.

So, I guess I should not be terribly surprised, but each week as I glance through the SecurityTracker Vulnerability Summary, I'm fairly well amazed.

So, I'll close this with a sample snip from this week's release. Additional information on each listed vulnerability is included as well as a link back to the SecurityTracker site with more data.

And if you like or need this type of alert, signup is easy.



In This Week's SecurityTracker Vulnerability Summary

SecurityTracker Alerts: 49

Vendors: Adobe Systems Incorporated - Apple Computer - ATRC
- Cisco - Crossday - Druilhe, Marc - drupal.org - Easy
Software Products - ECW-Shop - EMC - ezUpload.org -
Gonafish.com - HAURI Inc. - HP (Compaq) - ivory.org - Juniper
- KDE.org - kernel.org - Microsoft - miniBB.net -
MoneyMakerGaming.com - Mutt.org - Nortel - PHP Group -
phpadsnew.com - phpfreenews.co.uk - PhpOutsourcing -
phpWebSite Development Team - phpxmlrpc.sourceforge.net -
tor.eff.org - Xerox

Products: Adobe Acrobat - AppKit - Apple Directory Services -
Apple Mail - Apple Weblog Server - ATutor - BBCaffe - Chris
Moneymakers World Poker Championship - Cisco Clean Access -
CoreFoundation - CUPS (Common UNIX Printing System) - Discuz!
- Drupal - ECW-Shop - ezUpload - HIToolbox - HP Ignite-UX -
KDE - Legato NetWorker - Linksys Router - Linux Kernel - Mac
OS X - Microsoft Internet Explorer (IE) - miniBB - Mutt -
Nortel VPN Client - PEAR XML_RPC - phpAdsNew - PHPFreeNews -
phpPgAds - phpWebSite - Ping - ...

Headlines:

1. HAURI ViRobot Input Validation Hole in Processing
Compressed Archive Contents Lets Remote Users Write
Arbitrary Files

2. Tor May Use Weak Diffie Hellman Keys

3. Chris Moneymaker's World Poker Championship Buffer
Overflow Lets Remote Users Execute Arbitrary Code

4. W-Agora Input Validation Flaw in 'site' Parameter
Discloses Files to Remote Users

5. phpPgAds Multiple Bugs Permit SQL Injection and
Local File Inclusion and XML-RPC Bug Lets Remote Users
Execute Arbitrary Code

6. phpAdsNew Multiple Bugs Permit SQL Injection and
Local File Inclusion and XML-RPC Bug Lets Remote Users
Execute Arbitrary Code

7. ECW-Shop Bugs Permit SQL Injection, Cross-Site
Scripting, and Price Modification

8. BBCaffe Input Validation Hole in E-mail Field
Permits Cross-Site Scripting Attacks

9. Nortel VPN Client Entrust Certificate Profile
Implementation Lets Local Users Gain Elevated Privileges

10. ATutor Input Validation Bugs in 'login.php' and
'search.php' Permit Cross-Site Scripting Attacks

11. Whisper 32 Discloses Password to Local Users

12. Mutt Buffer Overflow in 'handler.c' May Let
Remote Users Execute Arbitrary Code

13. Juniper NetScreen ScreenOS Lets Remote Users
Determine Valid VPN Usernames

14. Microsoft 'msdds.dll' COM Object Lets Remote
Users Execute Arbitrary Code

15. PHPFreeNews Input Validation Bugs in
'SearchResults.php' Permits SQL Injection and Cross-Site
Scripting Attacks

16. Zorum Input Validation Hole in 'gorum/prod.php'
Lets Remote Users Include and Execute Arbitrary Code

17. ezUpload 'path' Parameter Include File Bug Lets
Remote Users Execute Arbitrary Code

18. Linux Kernel Memory Leak in
syscall32_setup_pages() May Let Local Users Deny Service

19. Linksys WRT54GS Lets Remote Users Bypass WPA
Wireless Encryption

20. Xerox Document Centre MicroServer Web Server Bugs
Let Remote Users Bypass Authentication, View Files, and Deny
Service

21. Cisco Clean Access API Does Not Use Authentication

22. Linux Kernel ptrace find_target() Lets Local
Users Deny Service

23. phpWebSite Input Validation Hole in 'Module'
Parameter Permits SQL Injection

24. MiniBB Include File Bug in 'includeFooter' Lets
Remote Users Execute Arbitrary Commands

25. Legato NetWorker AUTH_UNIX, Database, and
Portmapper Authentication Can Be Bypassed By Remote Users

26. Adobe Acrobat and Adobe Reader Buffer Overflow in
Core Plug-in Lets Remote Users Execute Arbitrary Code

27. HP-UX Ignite-UX File Permission Flaw May Let
Remote Users Access and Modify Ignite-UX Client Data

28. Apple Safari PDF Link Bug May Let Remote Users
Execute Arbitrary Code

29. Apple Mac OS X Buffer Overflow in servermgrd Lets
Remote Users Execute Arbitrary Code

30. Apple Mac OS X Bug in servermgr_ipfilter May
Prevent Certain Firewall Rules From Being Enforced

31. Apple Mac OS X SecurityInterface May Disclose
Passwords to Authenticated Administrators

32. Apple Safari RTF Link Bug May Let Remote Users
Execute Arbitrary Code and XSL Form Bug May Disclose Data to
the Wrong Site

33. Apple QuartzComposerScreenSaver Lets Physically
Local Users Bypass the Password Mechanism

34. Apple Mac OS X loginwindow Fast User Switching
Lets Certain Local Users Access Accounts on the System

35. Apple Mail Does Not Fully Enforce Remote Image
Access Blocking

36. Apple Mac OS X Buffer Overflow in Traceroute
Yields Elevated Privileges to Local Users

37. Apple Mac OS X Buffer Overflow in Ping Yields
Elevated Privileges to Local Users

38. Apple Directory Services Lets Remote or Local
Users Execute Arbitrary Code and Local Users Create Accounts

39. HIToolbox May Disclose Secure Information via the
VoiceOver Interface

40. CUPS on Mac OS X Lets Remote Users Deny Service
By Submitting Multiple Print Jobs or Partial IPP Requests

41. Apple Mac OS X CoreFoundation Command Line Buffer
Overflow and Date Parsing Error Lets Local Users Execute
Arbitrary Code and Deny Service

42. Apple AppKit Login Window Lets Local Users Create
Additional Accounts

43. Apple AppKit Buffer Overflow in Processing RTF
and Word Documents Lets Remote Users Execute Arbitrary Code

44. Apple Weblog Server Input Validation Hole Permits
Cross-Site Scripting Attacks

45. XML-RPC for PHP Nested Tag Parsing Flaw Lets
Remote Users Execute Arbitrary Code

46. PEAR XML_RPC Nested Tag Parsing Flaw Lets Remote
Users Execute Arbitrary Code

47. KDE langen2kvtml Temporary File Flaw May Let
Local Users Gain Elevated Privileges

48. Drupal XML-RPC Library Bug Lets Remote Users
Execute Arbitrary Code

49. Discuz! Board Input Validation Flaw Lets Remote
Users Upload Scripting Code

Posted by gcrgcr at August 22, 2005 11:09 AM
