Here’s a collection of recent security vulnerabilities, alerts, and news, which covers the release of patches by Oracle for 41 security vulnerabilities, a new patched version of rsync, a warning that older insecure WordPress blogs are becoming a vector for the propagation of spam, and news that some spam filtering services are now throttling Gmail.
- Oracle announces patches for 41 security holes
Database juggernaut Oracle has announced patches to fix a whopping 41 security holes across the majority of its products. Updates are scheduled to be released on Tuesday, April 15, 2008.
According to Oracle’s critical patch update pre-release announcement, the affected products are as follows.
- Oracle Database 11g, version 188.8.131.52
- Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
- Oracle Database 10g, version 10.1.0.5
- Oracle Database 9i Release 2, versions 184.108.40.206, 220.127.116.11DV
- Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.1.0, 10.1.3.3.0
- Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
- Oracle Application Server 10g (9.0.4), version 18.104.22.168
- Oracle Collaboration Suite 10g, version 10.1.2
- Oracle E-Business Suite Release 12, versions 12.0.0 - 12.0.4
- Oracle E-Business Suite Release 11i, versions 11.5.9 - 11.5.10 CU2
- Oracle PeopleSoft Enterprise PeopleTools versions 8.22.19, 8.48.16, 8.49.09
- Oracle PeopleSoft Enterprise HCM versions 8.8 SP1, 8.9, 9.0
- Oracle Siebel SimBuilder versions 7.8.2, 7.8.5
Scant details are available at this stage though administrators of the various products are urged to update at their earliest convenience once the patches are available.
- Security hole in rsync closed
A buffer overflow vulnerability in the popular rsync file transfer tool has been closed with the release of version 3.0.2. Versions 2.6.9 to 3.0.1 are affected and, when extended attribute (xattr) support is enabled, the flaw could allow remote injection and execution of arbitrary code.
A workaround is to disable xattr functionality in the /etc/rsyncd.conf configuration file. Alternatively, simply install the update. You can read the original security advisory here.
- Older WordPress blogs vector for spam propagation
The widely used WordPress blogging platform has become the target of a large-scale compromise for the purpose of propagating spam links. A likely cause is an XML-RPC vulnerability that affects WordPress 2.3.2 and earlier.
Blogs that have been compromised will exhibit links to spam destinations in the rendered blog page. These links may be completely invisible to casual observation, having been obscured by style attributes or IFrames.
As such, users still running an older version are strongly urged to upgrade to a non-vulnerable version such as WordPress 2.5, which was released at the end of March. A forced database update might be necessary to completely eliminate the problem; some users reported inconsistencies when updating.
The situation is severe and some sites such as Technorati have started to delist WordPress blogs exhibiting symptoms of being compromised. Note that the above issue only affects manually installed WordPress and does not affect the hosted accounts at WordPress.com.
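As an added example (not from the article), here is a small scanner that flags the obscured links just described: anchors inside elements hidden with style attributes, and zero-sized or hidden IFrames. The sample page it checks is constructed.

```python
"""Flag links hidden by style attributes or hidden/zero-sized iframes in a
rendered page, the symptoms the article attributes to compromised blogs.
Added example, not from the article; the sample HTML is constructed."""
import re
from html.parser import HTMLParser

# style values that keep an element out of a casual reader's view
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:height|width|font-size)\s*:\s*0(?![.\d])", re.IGNORECASE)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


def is_hidden(attrs):
    """True if the tag's style hides it or its width/height attribute is 0."""
    a = {k: (v or "") for k, v in attrs}
    if HIDDEN_STYLE.search(a.get("style", "")):
        return True
    return a.get("width", "").strip() == "0" or a.get("height", "").strip() == "0"


class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, hidden) for each open element
        self.depth = 0       # number of hidden ancestors currently open
        self.findings = []   # (kind, url) pairs

    def handle_starttag(self, tag, attrs):
        hidden = is_hidden(attrs)
        a = dict(attrs)
        if tag == "iframe" and hidden:
            self.findings.append(("hidden-iframe", a.get("src") or ""))
        elif tag == "a" and (hidden or self.depth):
            self.findings.append(("hidden-link", a.get("href") or ""))
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))
            self.depth += hidden

    def handle_endtag(self, tag):
        # pop back to the matching open tag, tolerating unclosed elements
        while self.stack:
            open_tag, hidden = self.stack.pop()
            self.depth -= hidden
            if open_tag == tag:
                break


def find_hidden_links(html):
    finder = HiddenLinkFinder()
    finder.feed(html)
    return finder.findings


SAMPLE_PAGE = """<html><body>
<p>Welcome to my blog. <a href="/about">About me</a></p>
<div style="display:none"><a href="http://spam.example/pills">cheap pills</a>
<a href="http://spam.example/loans">loans</a></div>
<iframe src="http://spam.example/frame" width="0" height="0"></iframe>
<span style="font-size:0px"><a href="http://spam.example/casino">casino</a></span>
</body></html>"""

if __name__ == "__main__":
    for kind, url in find_hidden_links(SAMPLE_PAGE):
        print(kind, url)
```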
- Spam filtering services start throttling Gmail
The growing abuse of webmail services has resulted in some spam filtering services throttling messages from services such as Gmail and Yahoo!. Free webmail services are attractive targets for spammers because e-mails originating from these domains are highly unlikely to be blacklisted in a blanket fashion.
As a result, The Register is reporting that anti-spam filtering services such as MessageLabs have started throttling or slowing down the connection. MessageLabs security analyst Paul Wood explained: “We’re seeing more spam coming from Gmail and Yahoo!. Where a service is widely abused its reputation goes down and it’s held back in the queue. This happens automatically.”
While it was initially thought that spammers were developing more sophisticated automated tools to beat CAPTCHAs, suspicion has now shifted to cybercriminals employing sweatshops in India, for as little as $4 a day, to defeat this anti-spam measure.