Security news roundup: November 9

Here's a collection of recent security vulnerabilities and alerts, which covers vulnerabilities discovered in Sun Solaris, the availability of official documentation from Apple on Leopard's firewall, and multiple overflow vulnerabilities in an ActiveX control associated with AOL Radio.

  • Sun Solaris Mozilla JavaScript Engine Command Execution Vulnerabilities

French security site FrSIRT has an advisory about multiple vulnerabilities that affect Sun Solaris. They are caused by errors in Mozilla. A successful exploit could allow malicious Web sites to execute arbitrary commands.

Solaris 8, 9 and 10 are affected.

A solution to the problem is pending completion.

  • Apple releases full documentation on its firewall

Apple has released documentation on its firewall that confirms a number of characteristics previously observed by various security analysts and sites.

Excerpt from heise Security:

Apple emphasises that the new firewall no longer makes decisions based on the properties of individual packets (source and target addresses and ports), but instead filters the network activities of programs. Technically this means it is not a packet filter in the TCP/IP stack but instead hooks a part of the Mac OS X networking API. Although the original lower level ipfw packet filter firewall is still in operation, Mac OS X no longer offers a front end for controlling it. Only the "stealth mode" in the advanced settings still uses ipfw to suppress status reports via ICMP.

You can read about Apple's Application Firewall here.

  • Multiple buffer overflow vulnerabilities discovered in AOL Radio's ActiveX control

AOL's AmpX ActiveX control has multiple vulnerabilities that can be exploited via a malicious Web site. This ActiveX control is associated with AOL Radio. A successful attacker will be able to execute arbitrary code in the context of the user viewing the malicious Web page. No further interaction is necessary.

An updated version of AOL Radio with enhanced security is now available. You can get it here.

About Paul Mah

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.
