Vulnerability Roundup

Well, it isn’t Patch Tuesday yet, but that doesn’t mean there isn’t Microsoft news.  A new 0-day has been disclosed in the Windows help system, reachable through IE, affecting older versions of Windows (2000, XP and Server 2003).  I’ve included a few links with information about the vulnerability and mitigation steps.  It appears a patch for this (and other known vulnerabilities) will not be in Tuesday’s Microsoft release, which will consist of two bulletins, one for Office and one for Windows, covering eight vulnerabilities in total.

Cisco has also released three advisories, one for each of three affected products.  Patches are now available for Unified Communications Manager, Digital Media Manager and the Digital Media Player Remote display.

An interesting hardware/software attack on OpenSSL has been published which could allow an attacker to deduce at least parts of the private key.  The technique doesn’t seem very practical against a full-size system, but could be practical against embedded devices.
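To show why a faulty computation can hand over private key material at all, here is a worked example added for this roundup.  It is not OpenSSL code and it is not the technique from the research above; it demonstrates the classic Bellcore fault attack on RSA-CRT signing, where a single signature that is wrong modulo one prime lets the attacker factor the modulus, together with the standard sign-then-verify countermeasure.  The key (two Mersenne primes), the message and the injected bit flip are constructed toy values, far too small for real use.

```python
"""Added example, not part of the original post or of OpenSSL.

Bellcore-style fault attack on textbook RSA-CRT signing: a signature that is
correct mod p but corrupted mod q satisfies sig^e == m (mod p) only, so
gcd(sig^e - m, N) reveals p.  guarded_sign() shows the usual defence: verify
the signature before releasing it.
"""
from math import gcd

# Constructed toy key.  Mersenne primes keep the numbers readable; a real key
# uses two ~1024-bit random primes.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents
QINV = pow(Q, -1, P)                # Garner's coefficient q^-1 mod p


def crt_sign(m, fault_bit=None):
    """Textbook (unpadded) RSA-CRT signature of the integer m < N.

    If fault_bit is given, one bit of the mod-q half is flipped to model a
    hardware fault during that half of the computation.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_bit is not None:
        sq ^= 1 << fault_bit         # constructed fault: corrupt the mod-q result
    h = (QINV * (sp - sq)) % P       # Garner recombination
    return (sq + h * Q) % N


def verify(m, sig):
    return pow(sig, E, N) == m


def bellcore_recover_factor(m, faulty_sig):
    """Recover a prime factor of N from one faulty signature.

    The recombined value is still sp mod P, so faulty_sig^E - m is divisible
    by P but (almost surely) not by Q.  Returns the factor, or None.
    """
    f = gcd((pow(faulty_sig, E, N) - m) % N, N)
    return f if 1 < f < N else None


def guarded_sign(m, fault_bit=None):
    """Countermeasure: re-verify with the public key and refuse to release a
    signature that does not check out, so a faulty value never leaves the box."""
    sig = crt_sign(m, fault_bit)
    if not verify(m, sig):
        raise RuntimeError("signature failed self-check; refusing to release it")
    return sig


def demo(m=0x1F3A5C7E9B2D4F60):
    """Run the attack and the defence on a constructed message; return the outcomes."""
    good = crt_sign(m)
    bad = crt_sign(m, fault_bit=5)
    leaked = bellcore_recover_factor(m, bad)
    try:
        guarded_sign(m, fault_bit=5)
        blocked = False
    except RuntimeError:
        blocked = True
    return {
        "good_verifies": verify(m, good),
        "bad_verifies": verify(m, bad),
        "leaked_factor_is_p": leaked == P,
        "guard_blocked_release": blocked,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for embedded devices is the last function: the self-check costs one public-key operation per signature, which is cheap next to the private-key operation, and it is the reason a fault has to be made to slip past the verification step rather than simply corrupt the output.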

A new release of the TYPO3 Core CMS has been published to fix a few vulnerabilities (XSS, information disclosure).  Other open source projects, PHP and BIND, have also shipped security fixes.

The Zero Day Initiative also has some upcoming advisories for Apple’s Safari browser, which may mean updates from Apple are on the way.  The ZDI has rated these as “High” severity.

Last, but never least, VMware has released an advisory for several of its products covering another long list of CVEs.  Most of these are third-party package updates for ESX.