Here’s a collection of recent security vulnerabilities, alerts, and news, which covers a new version of VLC media player, a Sun Solaris network library vulnerability that is as yet unpatched, a new update from VMware that fixes two vulnerabilities, a free security configuration for VMware’s ESX product, and news of a nuclear power plant shutdown attributed to a single computer.

  • New version of VLC media player fixes security vulnerabilities

A new version of VLC media player has been released that fixes multiple known security vulnerabilities in the player. Its Web site notes that it is a bug-fix release.

Excerpt from blog post on its site:

VLC media player 0.8.6g (a source code release) and earlier versions suffer from security vulnerabilities in the GnuTLS, libgcrypt and libxml2 libraries. VLC media player 0.8.6f and earlier versions suffer from security vulnerabilities in the Mozilla and ActiveX plugins, in the libpng, libid3tag, libvorbis libraries and in the Speex codec.

You can check out more details from its security advisory page.

VLC users are strongly recommended to download and upgrade to version 0.8.6h as soon as possible. The changelog file can be found here.

  • Network vulnerability in Sun Solaris still unpatched

A vulnerability in Solaris that could allow logged-in users to crash or even compromise the system has been left unpatched for months. According to the security site heise Security, the issue arises from a buffer overflow in the inet_network function found in various system libraries. The inet_network function furnishes the core functionality of resolving domain names into IP addresses, and vice versa.

While other vendors such as IBM and Red Hat rectified this problem some time ago, Sun Microsystems has yet to do so. There are also no suggested workarounds at the moment. You can read the Sun Microsystems security advisory that was just released today.

  • VMware releases update that fixes two vulnerabilities

Critical holes have been identified in VMware’s shared folders implementation, known as the Host Guest File System (HGFS). While shared folders are not enabled by default, this flaw affects a range of VMware products such as VMware Workstation, VMware Player, VMware ACE and even the Mac-based VMware Fusion. Leveraging the flaw could potentially allow an attacker to break out of a guest virtual machine and execute malicious code directly on the host system.

The latest fix also resolves flaws in the experimental Virtual Machine Communication Interface (VMCI). Implemented by later versions of the VMware Workstation, Player and ACE products, it suffers from a vulnerability that allows attackers to inject and execute arbitrary code.

For more details about the vulnerability in VMware’s HGFS shared folders, you can read the security bulletin here.

You can download the latest version of the respective products from VMware’s download page.

  • Free configuration tool to audit VM security configuration

Tripwire Inc and VMware have jointly released a free utility that compares the configurations of active virtual servers against guidelines developed by the virtualization vendor. Called ConfigCheck, it is a lightweight version of Tripwire’s own Tripwire Enterprise for VMware ESX Server.

By offering “immediate insights in virtual environment” as well as recommending the necessary steps to rectify discovered issues, ConfigCheck is designed to help IT managers better manage the security of their ESX servers. You can download the best practice guidelines here (pdf).

Excerpt from Computerworld:

“This isn’t just about security,” said Dan Schoenbaum, senior vice president of marketing and business development at Tripwire. “Virtual machines can be brought online or offline in a matter of seconds, and many customers are challenged with configuring and managing these environments. Tracking configurations will deliver a greater integrity in the virtual environment and help customers harden their virtual servers.”

VMware administrators will probably do well to check it out for themselves at Tripwire’s ConfigCheck Web site.

  • Nuclear power plant shutdown attributed to a single computer

A nuclear power plant went into emergency shutdown in March this year because of a software update that was traced to a single computer. A computer system tasked with monitoring various diagnostic data and synchronizing data between two systems was restarted because of an update.

Excerpt from the Washington Post:

According to a report filed with the Nuclear Regulatory Commission, when the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in water reservoirs that cool the plant’s radioactive nuclear fuel rods. As a result, automated safety systems at the plant triggered a shutdown.

In a nutshell: the emergency systems performed as designed and carried out a shutdown in the presence of the erroneous data. It is a somber reminder that even a single compromised machine is one too many.
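The failure mode in the report above, as an added example that is not part of the original post or of any plant control system: a naive safety check collapses “no data” into “a reading of zero”, so a cleared register after a reboot is indistinguishable from an empty reservoir. The hardened check still fails safe on missing or stale data, but reports a distinct reason so operators can tell a data-path failure from a real level drop. Every name, threshold and timeline value here is a constructed assumption.

```python
"""Constructed illustration of why a safety monitor should distinguish
"no data" from "a low reading". Not code from any real plant or vendor."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOW_LEVEL_THRESHOLD = 40.0  # constructed: percent of reservoir capacity
MAX_AGE_S = 5.0             # constructed: readings older than this are stale


@dataclass
class Reading:
    level_pct: Optional[float]  # None models the shared register being reset/cleared
    age_s: float                # seconds since the value was last refreshed


Verdict = Tuple[str, str]  # (action, reason)


def naive_evaluate(reading: Reading) -> Verdict:
    """Naive check: a cleared register (None) is treated as 0.0, so a data loss
    looks exactly like an empty reservoir."""
    level = reading.level_pct if reading.level_pct is not None else 0.0
    if level < LOW_LEVEL_THRESHOLD:
        return ("SHUTDOWN", "low_water_level")
    return ("NORMAL", "ok")


def evaluate(reading: Reading) -> Verdict:
    """Hardened check: still fails safe when data is missing or stale, but the
    reason code tells operators which of the three conditions occurred."""
    if reading.level_pct is None:
        return ("SHUTDOWN", "data_unavailable")
    if reading.age_s > MAX_AGE_S:
        return ("SHUTDOWN", "data_stale")
    if reading.level_pct < LOW_LEVEL_THRESHOLD:
        return ("SHUTDOWN", "low_water_level")
    return ("NORMAL", "ok")


# Constructed timeline: normal readings, then the monitoring host reboots and
# the shared register is cleared for two ticks, then readings resume.
SCENARIO: List[Tuple[int, Reading]] = [
    (0, Reading(72.5, 1.0)),
    (1, Reading(72.4, 1.0)),
    (2, Reading(None, 0.0)),  # reboot: register reset
    (3, Reading(None, 0.0)),
    (4, Reading(72.3, 1.0)),
]


def run_scenario(evaluator, scenario=SCENARIO) -> List[Tuple[int, str, str]]:
    """Apply an evaluator tick by tick; returns (tick, action, reason) triples."""
    return [(t, *evaluator(r)) for t, r in scenario]


def false_level_alarms(results: List[Tuple[int, str, str]]) -> int:
    """Count ticks reported as a genuine low-water condition while the real
    level in SCENARIO never dropped below the threshold."""
    return sum(1 for _, _, reason in results if reason == "low_water_level")


if __name__ == "__main__":
    for name, ev in (("naive", naive_evaluate), ("hardened", evaluate)):
        results = run_scenario(ev)
        print(name, results, "false level alarms:", false_level_alarms(results))
```

Both evaluators trip the plant during the reboot gap, which matches the outcome described in the report; the difference is that the hardened version's log says the data was unavailable rather than that the water was low, which is the distinction an operator needs when deciding whether the reservoir or the monitoring host is the thing to investigate.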

I once worked in a manufacturing environment where a single RTOS Linux system was used to time and control critical machinery. Because it had to draw data from an ERP-linked database, it was put on the main network. Do you have such systems on your corporate network? What steps do you suggest to protect them?