This week's security events include news of yet another new version of Opera to resolve discovered critical vulnerabilities in the Web browser, VMware releasing a patch for ESX Server, news of SonicWall fixing vulnerabilities in its router operating system, and a warning that a looming "Digital Dark Age" may doom some data.
New version of Opera resolves critical vulnerabilities
A new version of Opera has been released which resolves a critical vulnerability discovered by security specialist Aviv Raff.
Apparently, certain parameters passed to Opera's History Search are not properly sanitized. As a result, scripts can be injected into the History Search results page, where they will run with elevated privileges. The result is an arbitrary execution of code. In addition, a Cross Site Scripting vulnerability in the browser was also fixed.
VMware patches ESX Server
VMware have released updates for its flagship ESX Server that eliminates a total of three critical vulnerabilities. Problems include a denial of service flaw, as well as a buffer overflow and arbitrary injection of code.
These include an error in the SNMPv3 implementation that has been known about since the middle of the year. This nullifies the authentication function, enabling attackers to access the Server. The update also eliminates a buffer overflow in the libtiff graphics library through which arbitrary code can be injected and executed by means of crafted TIFF files. Installing the update also eliminates an error in the libxml2 library that can crash applications accessing it.
You can check out the full VMware Security Advisory here.
SonicWall fixes vulnerabilities in its router
SonicWall has released an update for its SonicOS Enhanced router OS for various models of the SonicWALL TZ devices. A number of known issues were resolved, involving content filtering, logging and networking.
The networking issue could result in DNS attacks and cache poisoning while the other critical issue involves user interaction - via means of visiting a malicious Web page to exploit. Due to insufficient sanity checks, an attacker is able to craft a URL that will trigger an error and simultaneously inject a malicious script. The result is that script injection occurs in the security context of the target domain, potentially resulting in further compromise.
You can read more from the Zero Day Initiative advisory here.
Digital Dark Age may doom some data
I came across this article from the News Bureau of the University of Illinois, "'Digital Dark Age' may doom some data." The poser: whether a framed photograph or a 10-megabyte digital phone file stands a better chance of surviving 50 years from now.
Now, the main thrust of the article was the assertion by assistant professor Jerome P. McDonough that the ever changing operating platforms and file formats could result in digital data that could no longer be accessible. This could be as a result of forced obsolescence — due to the influence of proprietary vendors, for example — or simply as a result of too many formats.
What really caught my attention here was the possibility for deliberate destruction of data.
"With the current state of the technology, data is vulnerable to both accidental and deliberate erasure," he said. "What we would like to see is an environment where we can make sure that data does not die due to accidents, malicious intent or even benign neglect."
I leave you with some questions here: As a security professional, what measures do you take against the above scenario? Are you yourself in a position where it is possible to irrecoverably wipe out corporate data? Finally, is deliberate data erasure by disgruntled employees entirely preventable?
Worried about security issues? Who isn't? Delivered each Tuesday, TechRepublic's IT Security newsletter gives you the hands-on advice you need for locking down your systems and making sure they stay that way. Automatically sign up today!