Just like the gnats of summer, small threats are plaguing
security managers: There’s the usual flood of less-than-critical
vulnerabilities as well as serious threats with products that have a smaller
installed base. I’ve included some of the recent highlights this week based on
their severity and the likelihood that they affect TechRepublic members. Of
course, any threat is bad if it compromises your systems.


Microsoft has released a denial of service warning about
Javaprxy.dll (a COM object), which can cause Internet Explorer to unexpectedly
crash without causing other damage. The recommended workaround is to
temporarily set all intranet and Internet security zones to High before running
any ActiveX controls.

According to preliminary reports, the warning affects most IE versions after 5.01. However, this isn’t a publicly known exploit, and no actual user reports of problems have emerged. For more information, check out Microsoft Security Advisory (903144).

A new spoofing vulnerability has also surfaced in Internet Explorer. But that doesn’t mean users of other browsers are free to gloat—researchers have also discovered the Dialog Origin threats in IE for , Opera, Safari, iCab, as well as the Mozilla family of browsers.

While these threats are only moderate, they affect a lot of browsers. To determine whether your browser is at risk, check out Secunia’s Multiple Browsers Dialog Origin Vulnerability Test.

Those who complain so endlessly about IE should take note of a recent report from the Information Security Bulletin Web site, which explains why not everyone can switch to Firefox even if they’re desperate to do so: One in 10 Web sites fails to provide access to non-IE browsers. For example, if you want to do business online with Lloyds insurance (or about 10 percent of commercial sites surveyed), you can’t use Firefox because the site developer either doesn’t support other browsers or includes IE-only code.

Unfortunately, this also means that if Microsoft cut out all
of the non-standard features from IE, it would effectively shut down about one
in 10 commercial Web sites. Of course, you could argue that they deserve what
they get, but remember that these are real businesses that simply went with the
world’s standard browser’s capabilities.

According to a Secunia report, several highly critical vulnerabilities have emerged in RealPlayer, RealOne, Helix Player, and Rhapsody that allow a remote attacker to erase local files or even take over a vulnerable computer. These vulnerabilities involve CAN-2005-1766 and CAN-2005-2055. Patches are available from the various vendors.

Finally, the French Security Incident Response Team (FrSIRT)—the French equivalent of CERT—has discovered vulnerabilities in Adobe Acrobat and Acrobat Reader for Macintosh 7.x. One is an input validation error, and the other is in the “updater.”

The former is the worse threat because it could allow an attacker to launch arbitrary programs on the vulnerable machine via a PDF document containing malicious code. The threat would have serious consequences, but it’s difficult to exploit because the attacker must know the exact location of a program—however, that description could include format or other system
Final word

A column from India Daily might give you pause if your company is thinking of outsourcing anything to the subcontinent. Apparently, Indian law doesn’t even consider some cybercrimes an actual crime, nor does it take identity theft seriously—at least, that’s how I read the story.

As you read the article, consider that Bill Gates recently told listeners in Tokyo that they should be wary of the dangers of outsourcing. Perhaps he meant that the Japanese should only outsource to Redmond, not that Redmond shouldn’t outsource to India. The last time I checked, Microsoft had done a bit of outsourcing itself, but I could be wrong.

Much of this week’s remaining security news is either
humorous or horrifying—depending on your point of view. I’ve placed it in the section
below because these aren’t threats you can do much about personally.

Also watch for …

  • “DVD Jon,” the hacker who originally broke DVD encryption, took a full day to break Google’s new Video Viewer. Apparently, it wasn’t much of a challenge, but it could put a crimp in any plans Google had to start charging for watching videos.
  • Australia is prosecuting the first spammer under its new anti-spam law, which went into effect in April 2004. The authorities apparently relied on watchdog Spamhaus’ spammer list. This is a federal case in Australia, and the maximum penalty for sending the alleged 56 million spam messages could run to $220,000 (Australian dollars) for every day the company violated the law, which authorities allege is about one full year. According to my calculations, that would run about $80 million.
  • The next time some TV news show touts a new pharmacy or hospital robot as being a great thing for patient safety, remember that a robot ran riot in San Francisco’s UCSF Medical Center in June, frightening patients and staff—and even interrupting a medical procedure (fortunately not in the operating room).
  • The Supreme Court has ruled in favor of copyright protection and against file-sharing services. Consequently, you should remind users to never install P2P software on company machines, or they’ll likely join the 784 new targets of an RIAA suit. Check out News.com for the actual legal opinion. If you want my two cents, the ruling went against file-sharing services and said nothing about individual users, but they were already clearly in violation of copyrights. I might have more sympathy for the targets of the suits if virtually all of my personal property wasn’t intellectual
  • Finally, for the sake of comprehensiveness—and in case you’ve been in a coma—I should probably mention that Atlanta-based CardSystems Solutions recently allowed the exposure of up to 40 million personal financial records. The problem apparently occurred up to nine months ago when a hacker penetrated an Arizona record processing center, and even MasterCard didn’t become aware of it until May, even though they didn’t see fit to share it with the rest of us until early
    I don’t get it: Do these companies think people won’t notice? Delays in notifying people of potential identity theft only compound the problem.


John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.