Security

Security News Roundup: Long-running Internet porn pop-up case finally comes to an end

This week's security events include news of a security update for the popular Trillian instant messenger; the release of version 5.2.7 of PHP, which greatly improves stability and security; a vulnerability in Wireshark 1.0.4 that could result in a DoS attack; and the closure of a long-running court case against a teacher over Internet porn pop-ups.

Security update for Trillian instant messenger

Three vulnerabilities in the multi-instant messenger (IM) client Trillian have been identified.  According to the Zero Day Initiative (ZDI), the three flaws are related to the processing and generation of XML data, and two of them are specific to the AIM plugin.

Various problems could result from the trio of bugs, including buffer overflows as well as memory corruption.  Trillian is a relatively popular multi-IM client, and the vulnerabilities could allow unauthenticated users to execute arbitrary code.

You can read about them at ZDI here, here, and here.

Version 5.2.7 of PHP for improved stability and security; new update to WordPress released

Version 5.2.7 of the extremely popular Web-based programming language was released late in the week.  This new version focuses on improving the stability of the PHP 5.2.x branch, and has been described as the most stable version in the 5.2.x development branch.  Indeed, it comes packed with over 170 bug fixes in total, according to the release announcement.

All users should upgrade to this latest version, and can see the full changelog here.

In other news, a new version of the PHP-based WordPress blog engine was also released.  Version 2.6.5 fixes an XSS exploit found in the wp-includes/feed.php and wp-includes/version.php files.  The problem affects only IP-based virtual servers on Apache 2.x.  Another three small fixes are also contained in WordPress 2.6.5.

You can read the announcement for WordPress 2.6.5 here.  Alternatively, you can visit the download page for the latest version of WordPress here.

Vulnerability in Wireshark 1.0.4 could lead to DoS attack

A vulnerability has been discovered in Wireshark 1.0.4.  The flaw is found in a function of the SMTP dissector, and it can be exploited simply by sending a large amount of SMTP content to port 25.  According to the disclosure, the result is that Wireshark will enter into a large loop, unable to do anything else.

The vulnerability has already been fixed in the SVN repository, though it could also affect prior versions.

Long-running Internet porn pop-up case finally comes to an end

Four long years in the running, the case against former Connecticut schoolteacher Julie Amero finally closed a couple of weeks ago when she accepted a plea agreement.  Amero will pay a US$100 charge as well as have her teaching credentials revoked in return for State prosecutors dropping four felony charges against her.

The story was bizarre enough, and started in October 2004 when Amero was assigned to a seventh-grade class in a school in Norwich.

According to Times Online:

She [Amero] returned from the lavatory to find two students viewing a hairstyle site.  Shortly afterwards, she says, pornographic advertisements flooded the screen. She says she tried to click them off, but they kept popping up, and the barrage lasted all day. She tried to stop the students looking at the screen, but several saw sexually explicit photographs. It was school policy not to turn off computers.

Amero was consequently arrested two days later.  A computer crimes police officer, Mark Lounsbury, did admit that the software he used to analyze the computer is not able to distinguish redirects caused by malicious software from deliberate clicks.  Indeed, the school also admitted that the computer had no firewall as it did not pay the bill.

On the failure to check for spyware, Alex Eckelberry, the president of a Florida software company, said:

"That is a blunder akin to not checking for fingerprints at the crime scene.  When a pop-up occurs on a computer, it will get shown as a visited website."

Amero initially faced up to 40 years in prison for endangering minors, and she was initially convicted of the felony charges in January 2007.  However, the presiding judge set aside that verdict some months later, in effect giving Amero a new trial.

Her supporters are adamant that Amero was an innocent victim of a spyware program, and that she panicked when the pornography started appearing.  Others have also expressed sympathy that her life has been destroyed by factors outside her control.

As IT professionals, do you have anything to say about this case?

Do you have any comments or feedback on the security news roundup this week?

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.
