This would normally be the time when a copy of my Locksmith column and newsletter goes out to cover the Microsoft Security Bulletins, but there won’t be any this month (at least not on the regular Patch Tuesday), so I will cover other security threats here in the security blog.
Actually it has been a pretty quiet week all around as far as new threats go.
The last major problem was the announcement of multiple vulnerabilities in Apple’s QuickTime.
The vulnerabilities (which apply only to Apple QuickTime 7.x, but to both the Windows and Mac versions) have a cumulative threat level rating of critical to highly critical.
The fix is to update both Windows and Mac OS X versions to 7.1.5.
41M Macintosh QuickTime Download.
http://www.apple.com/quicktime/download/mac.html
18M Windows QuickTime Download.
http://www.apple.com/quicktime/download/win.html
CVE-2007-0711
CVE-2007-0712
CVE-2007-0713
CVE-2007-0714
CVE-2007-0715
CVE-2007-0716
CVE-2007-0717
CVE-2007-0718
A reminder – you can find the original CVE entries by inserting the correct number in: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-XXXX
AirPort Extreme Patch
Apple has also released a patch to fix the denial of service vulnerability which was causing system crashes. This is the second security-related patch for AirPort Extreme this year (the initial 2007 patch was January 25 and fixed a wireless frame flaw.)
Apple has bundled the new 6.5M patch in with the earlier patch and recommends it for all Intel-based Macs which use AirPort Extreme.
AirPort Extreme Update 2007-002 posted March 8, 2007.
Gentoo
There is a new, low-severity, KHTML cross-site scripting vulnerability in Gentoo Linux.
The vulnerability is in kde-base/kdelibs 3.5.5-r8 and earlier.
See Gentoo Security for more information.
http://security.gentoo.org/
al-Qaida Net Threat
Agence France-Presse has reported that British police recently discovered a plot by al-Qaida to disrupt Internet service by disabling the main London Internet hub that passes most data in and out of Britain. That would most likely include financial data from London which is a critical financial hub.
This wasn’t an electronic attack, rather it was a plan to explode a bomb in the facility. That sort of physical damage could take a considerable time to repair – probably longer than a software attack and would not require any particular sophistication.
Although there is no step individual ISP managers or IT security departments can take to prevent such an attack, the incident does demonstrate the necessity of preparing to operate your department even without Internet access. Is the loss of Internet access to some or all of your vendors, clients, and remote offices a part of your emergency planning?
New Firefox Spoofing Threat
Heise Security has published information about a new spoofing vulnerability in the current versions of Firefox.
The vulnerability relates to how Firefox 1.5 and 2.0 open popup windows as a new page with a blank address line.
Disable JavaScript to avoid the problem.