Yahoo! IM, Kerberos, Firefox, and Kaspersky AV vulnerabilities

This week, we will see five or more Microsoft security bulletins, which I will cover in my monthly IT Locksmith column as well as the newsletter. There is no real word yet as to the content except that there will be one or more security patches and some non-security patches.

But, while we are waiting for those to be released on Tuesday, we have several other things to worry about — starting off with a new Kerberos vulnerability for UNIX systems. (Microsoft uses a proprietary version of Kerberos.)

Kerberos 

The MIT krb5 Telnet daemon reportedly has a vulnerability that would allow a remote attacker to gain root access without a password (CVE-2007-0956). The details had not been posted when I last checked.

FrSIRT's list of advisories connected with CVE-2007-0956, http://www.frsirt.com/english/CVE-2007-0956.php, includes: Mandriva, Turbolinux, Ubuntu, Red Hat, Fedora, Debian, Gentoo, and more.

Kaspersky antivirus product threats

A number of vulnerabilities have been discovered in Kaspersky products, including:

  • Anti-Virus for Windows Workstation version 6.0 and earlier
  • Anti-Virus for Windows Server version 6.0 and earlier
  • Internet Security version 6.0 and earlier
  • Anti-Virus version 6.0 and earlier

Those using Kaspersky products should note that the worst of the four newly reported vulnerabilities are remote code execution threats, and they should update to the latest version (6.0.2.614): http://www.kaspersky.com/productupdates

Firefox

There is a remote code execution vulnerability in versions of Firebug prior to 1.01. The fix is to update to Firebug version 1.02: https://addons.mozilla.org/en-US/firefox/addon/1843

Yahoo! Messenger

The popular IM service has a buffer overflow vulnerability in an ActiveX control used in versions 5.x through 8.x of Yahoo! Messenger that can let an attacker run arbitrary code on users' systems if they innocently surf past malicious HTML code on a Web site while IM is loaded. See:
http://messenger.yahoo.com/security_update.php?id=031207

This affects any Yahoo! Messenger version installed prior to March 13, 2007, and users must update their program to protect against this critical threat in the ActiveX Audio system.

So, I guess it's all quiet while we await the big bombs this month from Microsoft (AHH... sarcasm). 
