While it was typically slow on the security front for
August, a few vulnerabilities still managed to sneak through here and there.
Most newsworthy this week are new vulnerabilities in Internet Explorer and HP-UX
systems. In addition, online scams about hurricane relief efforts are already
emerging.

Details

Fortunately, hackers apparently take some time off in the
summer. Perhaps they’re looking to vacation like the rest of us because there
are seldom any big new threats discovered or exploited in August.

However, there are always new threats cropping up, and this
issue does have a few critical notes to share. Most of the news this week comes
from the commercial French security firm that runs the French Security Incident
Response Team (FrSIRT), a group that apparently didn’t take off this week.

A new critical remotely exploitable vulnerability has
surfaced in newer
versions of Microsoft Internet Explorer
. At this time, there doesn’t appear
to be a patch for the remote code execution threat. No details are currently
available, and the threat doesn’t appear to have produced any actual real-world
attacks as yet.

According to FrSIRT’s report,
the threat applies to IE 6 for Windows XP and Windows XP Service Pack 1—but
apparently not to Windows XP SP2. Of course, this is just preliminary
information, and I can’t make my own assessment without more details.

However, the original report appears to stem from a site
called Security
Protocols
, which does indicate that the threat affects IE 6 on a fully
patched version of Windows XP SP2. According to the Web site, Microsoft has
received reports of the vulnerability.

According to FrSIRT, the vulnerability also affects IE 5.01
SP4 and IE 6 SP1 on Windows 2000 SP4, IE 6 on all versions of Windows Server
2003, and IE 6 on Windows XP Professional x64 Edition.

A critical vulnerability has also surfaced in HP-UX B.11.00,
HP-UX B.11.11, HP-UX B.11.22, and HP-UX B.11.23. This is a remotely exploitable
threat related to a
fault in the Java Runtime Environment (JRE)
, which can allow an attacker to
run commands in applications on the vulnerable systems as well as read and
write files. The solution is to upgrade to
JRE versions 1.4.2.09.00 or 5.0.01.00
.

FrSIRT has also reported another critical,
remotely exploitable threat
to HP UX B.11.11 and B.11.23. The threat originates
in the Java Web Start launcher. The solution is the same: Upgrade to newer JRE
versions, and kill two birds with one stone.

Although these may grow to become significant threats, they
aren’t very big deals at this time. IT security departments should be able to
get a few well-deserved days of rest before the usual surge in malware and new
vulnerability discoveries that regularly appear about the time the leaves start
turning in New England and a touch of frost first makes an appearance in the
northern United States.

Final word

In this time following the major disaster in the southern United
States, I just want to wish those along the Gulf Coast well, and I hope that
they—and the people who are anxious to help them—don’t fall prey to too many of
the Internet scams that are certain to surface in the next few days. Reports of
the first
online scams
have already emerged.

To make sure their generosity isn’t wasted, remind your
users that it’s always best to work through established, reputable charities
such as the Red Cross and The Salvation Army—rather
than respond to the many bogus e-mail pleas that will soon flood inboxes.

According to a report on The Register Web site, one
corporation is trying to do the right thing. T-Mobile has announced that it
will offer free
Wi-Fi access to people
in New Orleans as well as other hurricane-stricken
areas of Louisiana, Mississippi, and Alabama. But the company apparently wasn’t
paying attention to any newscasts or was simply looking to garner a little free
publicity since very few Starbucks in New Orleans or along the Mississippi Gulf
Coast are actually serving lattes—or have a working Internet server and access
point.

I do want to remind members that there are some excellent
search tools available that can help locate individuals. I have a free
skip-trace guide on my HelpDotCom research
site
, which a resourceful Netizen will find has many uses if you’re in a
position to help some of those caught up in the disaster.

In addition, there are already reconstruction jobs posted
for the disaster area. Some are professional jobs, so if you’re looking for
work, you may be able to help yourself and the people of the Gulf Coast at the
same time.

The Clusty Job Web site
offers an excellent free job-listing service, which combines online and print
job openings. You can search the site by ZIP code, city, and keywords related
to the job.

And by the way, not surprisingly, HP has cancelled its Technology
Forum 2005, scheduled for mid-September in New Orleans. It’s asking airlines to
show some consideration about previously purchased nonrefundable tickets.

Miss a column?

Check out the IT Locksmith Archive,
and catch up on the most recent editions of John McCormick’s column.

Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter
, delivered each Tuesday!

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.