October 2003 – CyberSecurity Institute

Security Flaws Make Macs Vulnerable To Attacks

Posted on October 30, 2003December 30, 2021 by admini

The first advisory, “Long argv[] Buffer Overflow,” warns that an attacker could possibly crash Mac OS X and execute commands as root.

The Systemic Insecure File Permissions advisory states some applications on the vulnerable Mac OS X systems are installed with insecure file permissions and are globally writable. This lets attackers with file-system access to an OS X machine replace binaries and obtain additional privileges from unsuspecting users, who may run the replaced version of the binary.

The third vulnerability, Arbitrary File Overwrite via Core Files, enables attackers with certain access rights to overwrite arbitrary files and read certain files.

There is no patch available for these vulnerabilities.

An Apple Computer spokesperson could not say where the company would issue a fix, but Apple is working on a statement about the issue.

More info: [url=http://www.informationweek.com/story/showArticle.jhtml;jsessionid=SJHW4MC3SCD14QSNDBGCKHQ?articleID=15800094]http://www.informationweek.com/story/showArticle.jhtml;jsessionid=SJHW4MC3SCD14QSNDBGCKHQ?articleID=15800094[/url]

Microsoft Tweaks Pair Of Recent Patches

Posted on October 30, 2003December 30, 2021 by admini

The retooled patches apply to the Windows Messenger Service vulnerability in Windows NT, 2000, XP, and Server 2003, and to a problem in Windows 2000’s implementation of the Windows Troubleshooter ActiveX control.

Microsoft’s original security bulletins for the two vulnerabilities were made public on Oct. 15, and were rated as ‘critical,’ Microsoft’s highest warning level.
More info: [url=http://www.techweb.com/wire/story/TWB20031030S0007]http://www.techweb.com/wire/story/TWB20031030S0007[/url]

XML: A Growing Security Threat?

Posted on October 29, 2003December 30, 2021 by admini

Gartner says almost 70 percent of companies view security as a barrier to Web services deployment.

To assess the state of XML security today as it pertains not only to Web services but also to the latest Office software, Security Strategies spoke with John Lilly, the chief technology officer of Reactivity, which just announced the latest generation of its XML firewall.

And though customers are using them, as you know, in security, people don’t like to talk about what they’re doing.

The cost reductions and revenue enablement are so steep that some companies are going in without any security.

The good news is that because Microsoft moved to a mostly open standard for XML documents, you can be a bit more proactive about pulling those documents apart and seeing if there’s anything malicious or not.

Also Microsoft’s use of XML for sharing, collaboration, and updates will create more accidental XML traffic—the organization doesn’t necessarily know it’s there until they look.

More info: [url=http://www.esj.com/news/article.asp?EditorialsID=748]http://www.esj.com/news/article.asp?EditorialsID=748[/url]

Microsoft To Switch Off Spam-Plagued Windows Messenger

Posted on October 29, 2003December 30, 2021 by admini

Not to be confused with the instant messaging service with a similar name, Windows Messenger Service is used primarily by enterprises to send pop-up text messages to alert users of such events as impending server shutdowns.

Service Pack 2 for Windows XP, which is expected by the middle of 2004, will turn off the service by default.

Current editions of Windows XP have it enabled.

Windows Messenger Service has been exploited by spammers, and security vulnerabilities that can be exploited by attackers have been recently noted by Microsoft.

More info: [url=http://www.securitypipeline.com/news/showArticle.jhtml;jsessionid=V2GPYY5VZ1PW2QSNDBCSKHQ?articleId=15800063]http://www.securitypipeline.com/news/showArticle.jhtml;jsessionid=V2GPYY5VZ1PW2QSNDBCSKHQ?articleId=15800063[/url]

First bank hit in Iran

Posted on October 29, 2003December 30, 2021 by admini

An Iranian hacker has managed to rob a local bank of some 700-million rials ($83 000) in the first reported case of a bank in the Islamic republic being robbed by computer, according to press reports. More info: [url=http://www.ebcvg.com/news.php?id=1175]http://www.ebcvg.com/news.php?id=1175[/url]

Selling security up corporate ladder an uphill battle

Posted on October 28, 2003December 30, 2021 by admini

As an annoying and inconvenient cost;
As a form of risk management;
And as a strategic enabler.

It’s a fact of life that security professionals may never get the budgets they want to make their organizations secure. But educating management about the value of security will go a long way toward getting the resources they need. Many security pros said getting money to secure a company is an uphill battle — but it used to be worse. Getting management to understand the value of security also means educating them about the many facets of it, including end-user involvement.
More info: [url=http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci933459,00.html ]http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci933459,00.html [/url]