Current category: Vulnerability Releases (弱點發佈) (91)


HP Instant Support Driver Check sdd.dll Buffer Overflow (secunia.com)

Secunia Advisory: SA25918
Release Date: 2007-07-03
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: HP Instant Support - Driver Check 1.x

Description:

A vulnerability has been reported in HP Instant Support Driver Check, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error when processing the "queryHub()" function in sdd.dll. This can be exploited to cause a buffer overflow via an overly long string passed to the affected function when a user visits a malicious web page.

Successful exploitation allows execution of arbitrary code.

The vulnerability is reported in versions prior to 1.5.0.3.

Solution:

Update to version 1.5.0.3.

Provided and/or discovered by:

The vendor credits John Heasman of NGSSoftware and Carlo Di Dato a.k.a. shinnai.

Original Advisory:

HP: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01077597


jason0936 posted at PIXNET (痞客邦) | Comments (0) | Views ()

HP TCP/IP Services for OpenVMS Two Security Issues (secunia.com)

Secunia Advisory: SA25882
Release Date: 2007-07-03
Critical: Less critical
Impact: Brute force, Exposure of sensitive information
Where: From local network
Solution Status: Unpatched
Software: HP TCP/IP Services for OpenVMS 5.x

 

Description:

Two security issues have been reported in HP TCP/IP Services for OpenVMS, which can be exploited by malicious people to disclose sensitive information or to conduct brute force attacks.

1) The security issue is caused due to the POP server returning different responses depending on whether or not a valid user name is supplied and can be exploited to enumerate valid POP user names.

2) The problem is that the TCP/IP Services POP3 mail mechanism is not utilising the intrusion detection of OpenVMS properly. This can be exploited to conduct brute force attacks.

The security issues are reported in TCP/IP Services 5.6. Other versions may also be affected.

 

Solution:


Grant only trusted people network access to the POP service.
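The two POP3 weaknesses above (a USER reply that reveals whether the mailbox exists, and password guessing that never trips the host's break-in detection), modelled in Python as an added example that is not HP's code and not part of the Secunia advisory. The USERS table, the lockout threshold and the reply strings are constructed for the illustration.

```python
"""Added example, not HP's code or part of the advisory: a model of a POP3
login front-end showing the two weaknesses and a server that avoids them.
Constructed assumptions: the USERS table, a lockout after LOCKOUT_THRESHOLD
failed PASS attempts per client address, and the reply strings."""
import hmac
from collections import defaultdict

USERS = {"alice": "correct horse", "bob": "hunter2"}   # constructed accounts
LOCKOUT_THRESHOLD = 3


class LeakyPop3:
    """Issue 1: USER tells a valid mailbox from an unknown one.
    Issue 2: PASS can be retried forever; nothing counts the failures."""

    def __init__(self):
        self.pending_user = None

    def user(self, name):
        if name in USERS:
            self.pending_user = name
            return "+OK name is a valid mailbox"
        return "-ERR no such user"           # different reply -> enumeration

    def passwd(self, pw):
        if self.pending_user and USERS[self.pending_user] == pw:
            return "+OK maildrop locked and ready"
        return "-ERR invalid password"       # unlimited retries -> brute force


class HardenedPop3:
    """USER is always accepted; the verdict comes only at PASS and reads the
    same for an unknown user and a wrong password. Failures are counted per
    client address across sessions, the role the advisory says the OpenVMS
    intrusion detection should play for the POP3 server."""

    failures = defaultdict(int)             # client address -> failed PASS count

    def __init__(self, client_addr):
        self.client_addr = client_addr
        self.pending_user = None

    def user(self, name):
        self.pending_user = name            # do not consult USERS here
        return "+OK send PASS"

    def passwd(self, pw):
        if HardenedPop3.failures[self.client_addr] >= LOCKOUT_THRESHOLD:
            return "-ERR too many failed logins"
        # Compare against a dummy secret for unknown users so the timing of
        # the check does not reveal what USER alone no longer reveals.
        stored = USERS.get(self.pending_user, "no-such-user-dummy")
        ok = (self.pending_user in USERS
              and hmac.compare_digest(stored.encode(), pw.encode()))
        if ok:
            HardenedPop3.failures[self.client_addr] = 0
            return "+OK maildrop locked and ready"
        HardenedPop3.failures[self.client_addr] += 1
        return "-ERR authentication failed"


def user_replies_differ(new_session):
    """Defender's probe for issue 1: does USER answer a real and an unknown
    name differently?  new_session() must return a fresh session object."""
    return new_session().user("alice") != new_session().user("no-such-user")


if __name__ == "__main__":
    print("leaky server enumerable:", user_replies_differ(LeakyPop3))
    print("hardened server enumerable:",
          user_replies_differ(lambda: HardenedPop3("192.0.2.10")))
```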



Firefox "OnKeyDown" Event Focus Weakness

Secunia Advisory: SA25904
Release Date: 2007-07-02
Critical: Not critical
Impact: Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: Mozilla Firefox 1.x / Mozilla Firefox 2.0.x

Description:
Carl Hardwick has discovered a weakness in Firefox, which potentially can be exploited by malicious people to disclose sensitive information.

The weakness is caused due to a design error within the focus handling of form fields and can potentially be exploited by changing the focus from a "textarea" field to a "file upload" form field via the "OnKeyDown" event.

Successful exploitation allows an arbitrary file on the user's system to be uploaded to a malicious web site, but requires that the user is tricked into typing the file name into a "textarea" input form.

The weakness is confirmed in version 2.0.0.4. Other versions may also be affected.

Solution:
Disable JavaScript support.

Do not enter file names to form fields on untrusted web sites.

Provided and/or discovered by:
Carl Hardwick



Everyone's favourite video-sharing platform, YouTube: an SQL injection vulnerability has turned up in the script used for ID lookup. This is the flaw commonly known as a "data hidden-code attack" (資料隱碼攻擊 / 隱碼注入攻擊), and it lets malicious parties quickly slip past the authentication barrier and take control of the back-end database host.

Youtube Script "id" SQL Injection Vulnerability

Secunia Advisory: SA25922
Release Date: 2007-07-02
Critical: Moderately critical
Impact: Manipulation of data
Where: From remote
Solution Status: Unpatched
Software: Youtube Script

Description:
t0pP8uZz & xprog have reported a vulnerability in Youtube Script, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in msg.php is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
t0pP8uZz & xprog
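The msg.php flaw and the fix the solution calls for, as an added Python/sqlite3 example that is not Youtube Script's code: the table, its rows and both functions are constructed for this illustration, with the unsanitised "id" query beside a version that validates the parameter and binds it.

```python
"""Added example, not Youtube Script's code: the msg.php "id" flaw modelled in
Python with sqlite3, beside the validated and parameterised version.
The msgs table and its rows are constructed for this illustration."""
import re
import sqlite3


def make_db():
    """Constructed sample database: two messages owned by two users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE msgs (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    con.executemany("INSERT INTO msgs VALUES (?, ?, ?)",
                    [(1, "alice", "hello"), (2, "bob", "private note")])
    return con


def msg_vulnerable(con, msg_id):
    """Mirrors the flaw: the request parameter is pasted straight into the
    SQL text, so it can change the query's structure instead of being one
    value. Any non-numeric content reaches the SQL parser."""
    sql = "SELECT id, owner, body FROM msgs WHERE id = " + msg_id
    return con.execute(sql).fetchall()


def msg_fixed(con, msg_id):
    """Hardened: reject anything but a short decimal id up front, then bind
    the value as a parameter so the database engine never parses it as SQL.
    Either measure alone would stop the injection; together they also give
    a clean error for malformed input."""
    if not re.fullmatch(r"[0-9]{1,10}", msg_id):
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, owner, body FROM msgs WHERE id = ?"
    return con.execute(sql, (int(msg_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=1:", msg_vulnerable(db, "1"))
    print("fixed, id=1:", msg_fixed(db, "1"))
    try:
        msg_fixed(db, "1 OR 1=1")
    except ValueError as exc:
        print("fixed rejects tampered id:", exc)
```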



http://feeds.ziffdavis.com/~r/ziffdavis/eweek/Security/~3/128977286/0,1759,2152452,00.asp

When even the CPU has vulnerabilities... what is one supposed to do? Swap in a new one, I guess @O@

CPU Bugs, Patches and Vulnerability

By Larry Seltzer
June 29, 2007

Opinion: CPUs, like software, have always had bugs. The security implications of this are a relatively new problem, and open-source users may be at a disadvantage.
It's not your average bug report and patch. It's your CPU that has a problem, and people are debating how serious it is.

CPU bugs are nothing new. Around 1990 I spent a day with an IBM programmer who worked on the company's DOS versions, and he wouldn't shut up about how buggy some of the Intel CPUs were and how they screamed to Intel about them (to no avail). It's all part of the job of writing an operating system, but the security angle on it is a relatively new one.

The outspoken Theo de Raadt's blog on the subject has been widely cited on security lists. de Raadt calls the Core 2 CPU line "buggy as hell" and promises that the problems being patched are not innocuous bugs but security issues that will be exploited, and from userland code at that. This means that an exploit may require local access to run code, but not privileged access.

Intel's "Specification Update" on these processors contains an errata section that has many of the bugs fixed. de Raadt refers to some of the errata as scary. From what I see of them they could lead to processor hangs or "unpredictable system behavior." Let's assume for the moment that Intel is being honest and accurate; these don't seem especially scary to me, even if they are clearly a problem.

As Microsoft's Michael Howard recently said about denial-of-service attacks, crashing someone's system is like ringing a doorbell and running away. You've bothered them, but you haven't accomplished anything and you're a little twerp for doing it too. I thought the hacking for fame thing was out of style years ago, so why would someone bother to spread such an attack?

The fixes are in the form of microcode for the processors. It turns out (I'm just learning this today) that updates to the CPU microcode can be loaded at run-time, although they are not persistent. The usual way they are applied is by the BIOS at boot time, and therefore the CPU updates can be delivered as BIOS flash updates.

But updates can also be applied by the operating system, and in this case Microsoft has done just that. Knowledge Base article 936357 includes links to what it calls a "microcode reliability update" that it says "improves the reliability of systems that use Intel processors."

Yes, as Valdis Kletnieks explains in this message on the funsec list, Intel leaves room in the processor for transient patches to the CPU's microcode.

About 294K of data, currently 125 chunks. Each chunk is basically: family, model, stepping, checksum, length, <random-looking bytes>. There's provisions for stripping it down, so if Dell *knows* that a particular laptop may have one of 6 CPUs, and never one of the other 119, it can include only those 6 CPUs in the BIOS. The Microsoft update would of course need to carry all 294K along.

The fact that Microsoft is delivering fixes like this and being so unclear on what it's about tells me they think it's serious. We'll see if the updates show up on Windows Update or Microsoft Update.

Microprocessor Advances

Writing a patch like this isn't something that companies like Microsoft can do on their own; microcode is not like regular code, and it's apt to change between different versions of the processor or even steppings. Microsoft likely got the various updates from Intel and packaged them up in a single program. Expect similar updates from, for example, Apple, but de Raadt says (and he should know) that "Intel only provides detailed fixes to BIOS vendors and large operating system groups. Open-source operating systems are largely left in the cold."

I'm not afraid that processor bugs will turn into a serious vehicle for exploiting real computers. It sounds like a lot of work for what could be a low return. You're still better off exploiting whatever Microsoft patched last month. But, as de Raadt says, Intel is probably also hiding some errata, and they have a long history of withholding documentation from the public. Who knows how bad the unknown problems are?



http://news.sina.com.tw/tech/sinacn/cn/2007-07-02/100538172081.shtml&cid=1107598567&ei=7q2IRqz7HqGeqwOY3smUCQ

Netizens using USB flash drives: beware of the "parasite" virus

Sina Beijing (2007-07-02 10:05)

Staff report (reporter 胥柳曼, intern 樓寅): More and more hackers are turning their attention to removable drives. Yesterday this paper learned from Jiangmin (江民) that the "USB-drive parasite" (Trojan.KillAV.er), dubbed the "king of viruses", has a new variant. Besides evading several antivirus products, it quietly tampers with programs on the computer to steal users' secrets.

It is reported that once the "USB-drive parasite" runs, it modifies the registry: specifically, it changes the CheckedValue value under \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL so that hidden files stay hidden. It also modifies the startup entries so that the virus runs automatically whenever Windows starts.

At the same time, the virus connects to the network to download a backdoor, giving remote control of the user's computer and stealing game accounts, bank passwords and other private information. It uses the net stop command to shut down the firewall and the security services of various antivirus products, leaving the computer unprotected and fully exposed to viruses.

Since late May, the "USB-drive parasite" has stayed in the top three of the virus charts with a high infection rate, earning its "king of viruses" title. Experts therefore advise users: when an external USB drive is plugged in, do not rush to double-click it; scan it for viruses first. Also keep the system patched, especially with the MS06-014 and MS07-17 patches, since the vast majority of web-page trojans currently get into computers through these two vulnerabilities.



Vulnerability in Java Web Start

If the vulnerability is exploited, an untrusted application could overwrite arbitrary files.
Updated 2007-06-30 09:56

A vulnerability has been found in Java Web Start, the software for downloading and running Java applications from the web, and Sun Microsystems has released a patch.

Java Web Start is a component installed together with the Java Runtime Environment (JRE). According to advisories from France's FrSIRT and from Secunia, the vulnerability could let an untrusted application obtain permission to overwrite arbitrary files. That in turn makes it possible to overwrite the user's ".java.policy" file, allowing an untrusted application to launch applets or Java Web Start applications.

If an attacker exploits the issue, security checks could be bypassed. FrSIRT also points out that commands could be executed and the system completely taken over.

FrSIRT rates the severity "Critical", the highest of its four levels; Secunia rates it "Highly critical", the second highest of its five levels.

Affected are Sun JDK 5.0 Update 11, Sun JRE 5.0 Update 11, Sun JRE 1.4.2_13 and Sun SDK 1.4.2_13, and earlier versions of each.

The J2SE 5.0 and 1.4.2 updates that fix the problem can be downloaded from Sun's site. As a workaround, Sun's advisory also describes how to configure Internet Explorer (IE) and Mozilla browsers so that Java Web Start applications are not launched from the browser.



http://www.sophos.com/pressoffice/news/articles/2007/06/bogusmspatch.html

Strong warning: fake "vulnerability update notification" emails are circulating that steer unsuspecting users to click an "MS07-0065" update. It actually contains a trojan link, and users who follow it are infected with the trojan. So please, everyone, do not click links in unfamiliar web pages or emails.

Don't download Microsoft Security Bulletin MS07-0065! Malicious spam posing as fake vulnerability patch leads to Trojan horse infection

Experts at Sophos, a world leader in IT security and control, have warned of a widespread attempt to infect email users by sending them a warning about a bogus Microsoft security patch.

The emails, which have the subject line "Microsoft Security Bulletin MS07-0065" pretend to come from Microsoft, and claim that a zero-day vulnerability has been discovered in the Microsoft Outlook email program. They go on to warn recipients that "more than 100,000 machines" have been exploited via the vulnerability in order to promote medications such as Viagra and Cialis.

Users are encouraged by the email to download a patch which, it is claimed, will fix the problem and prevent them from becoming attacked by hackers.

However, clicking on the link contained inside the email does not take computer users to Microsoft's website but one of many compromised websites hosting a Trojan horse. Sophos proactively detects the Trojan, without requiring an update, using Behavioral Genotype® Protection as Mal/Behav-112.


The emails claim to come from Microsoft. (What the forged update email looks like: see the link below.)
http://www.sophos.com/images/sophoslabs-blog/2007/06/microsoft-update500.jpg

"Security bulletins from Microsoft describing vulnerabilities in their software are a common occurrence, and so it's not a surprise to see hackers adopting this kind of disguise in their attempt to infect Windows PCs," said Graham Cluley, senior technology consultant for Sophos. "The irony is that as awareness of computer security issues has risen, and the need for patching against vulnerabilities, so social engineering tricks which pose as critical software fixes are likely to succeed in conning the public."

In examples seen by Sophos experts, the emails have contained the recipient's full name, and the company they work for, in an attempt to lull users into a false sense of security.

"By using people's real names, the Microsoft logo, and legitimate-sounding wording, the hackers are attempting to fool more people into stepping blindly into their bear-trap," continued Cluley. "Users need to be on their guard against this kind of confidence trick or they risk handing over control of their PC to hackers with criminal intentions. They should also ensure that they are downloading Microsoft security updates from Microsoft itself, not from any other website."

Sophos recommends companies protect themselves with a consolidated solution which can defend against the threats of viruses, spyware, spam and hackers.



Check Point VPN-1 UTM Edge Cross-Site Request Forgery Vulnerability

Secunia Advisory: SA25853
Release Date: 2007-06-27
Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
OS: Check Point VPN-1 UTM Edge
 
Description:
A vulnerability has been reported in Check Point VPN-1 UTM Edge, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The vulnerability is caused due to the device management interface allowing users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. add users or change the administrator's password by enticing a logged-in administrator to visit a malicious site.

This may be similar to: SA25822

The vulnerability is reported in Checkpoint VPN-1 Edge X with Embedded NGX version 7.0.33.

Solution:
Update to the latest version.

Provided and/or discovered by:
Henri Lindberg and Jussi Vuokko, Louhi Networks Oy

Original Advisory:
http://www.louhi.fi/advisory/checkpoint_070626.txt



Check Point Products Cross-Site Request Forgery Vulnerability

Secunia Advisory: SA25822
Release Date: 2007-06-27
Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
OS: Check Point Safe@Office Appliances 7.x / Check Point VPN-1 UTM Edge / Check Point ZoneAlarm Z100G 7.x
Description:
A vulnerability has been reported in Check Point products, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The vulnerability is caused due to the device's web interface allowing users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. add users or change the administrator's password by enticing a logged-in administrator to visit a malicious site.

The vulnerability affects products with Embedded NGX versions prior to 7.0.45.

Solution:
Update to Embedded NGX version 7.0.45.

Provided and/or discovered by:
Daniel Weber, Calyptix Security
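Added example for both Check Point advisories above (SA25853 and SA25822), not Check Point's code: a minimal model of a device management interface in which the add-user and change-password actions are accepted only with a per-session anti-CSRF token and a matching Origin header, shown beside the cookie-only handler the advisories describe. The device address, the paths and the session store are constructed assumptions.

```python
"""Added example, not Check Point code: a model of an embedded management UI
with and without request-origin validation. DEVICE_ORIGIN, the paths and the
session store are constructed for this illustration."""
import hmac
import secrets
from dataclasses import dataclass, field

DEVICE_ORIGIN = "https://192.168.1.1"      # constructed management address


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class ManagementUI:
    def __init__(self):
        self.sessions = {}                   # session id -> {"user", "csrf"}
        self.users = {"admin": "initial-password"}

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        """The UI embeds this in its own forms; a third-party page cannot read it."""
        return self.sessions[sid]["csrf"]

    def _apply(self, req, sess):
        if req.path == "/admin/add_user":
            self.users[req.form["name"]] = req.form["password"]
            return 200, "user added"
        if req.path == "/admin/change_password":
            self.users[sess["user"]] = req.form["password"]
            return 200, "password changed"
        return 404, "no such action"

    def handle_unchecked(self, req):
        """The flaw: a valid session cookie is all that is checked. Browsers
        attach that cookie to any request a malicious page makes to the
        device, so visiting such a page is enough to trigger the action."""
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None:
            return 401, "login required"
        return self._apply(req, sess)

    def handle(self, req):
        """Hardened: the request must be a POST, must carry an Origin (or
        Referer) naming the device itself, and must include the session's
        secret token, which only the device's own pages can supply."""
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None:
            return 401, "login required"
        if req.method != "POST":
            return 405, "state changes require POST"
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        # Exact match or path prefix only; a plain startswith() would also
        # accept a look-alike such as https://192.168.1.10.
        if not (origin == DEVICE_ORIGIN or origin.startswith(DEVICE_ORIGIN + "/")):
            return 403, "cross-site request refused"
        if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
            return 403, "missing or invalid CSRF token"
        return self._apply(req, sess)
```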



Nessus Unspecified Cross-Site Scripting Vulnerability

Secunia Advisory: SA25856
Release Date: 2007-06-27
Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
Software: Nessus Vulnerability Scanner 3.x

Description:

A vulnerability has been reported in Nessus, which can be exploited by malicious people to conduct cross-site scripting attacks.

Unspecified input within the Windows GUI is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:

Update to version 3.0.6.
http://www.nessus.org/download/

Provided and/or discovered by:

The vendor credits Japanese CERT.

Original Advisory:

http://www.nessus.org/news/



Sun Solaris Kerberos RPC Library Vulnerabilities

Secunia Advisory: SA25841
Release Date: 2007-06-27
Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Partial Fix
OS: Sun Solaris 10 / Sun Solaris 8 / Sun Solaris 9
CVE reference: CVE-2007-2442 (Secunia mirror)

Description:

Sun has acknowledged a vulnerability in Solaris, which can potentially be exploited by malicious people to compromise a vulnerable system.

For more information: SA25800

The vulnerability affects Sun Solaris 8, 9, and 10 for both the SPARC and x86 platforms.

Solution:

Apply patches.

-- SPARC Platform --

Solaris 8: Apply patch 126928-01.
http://sunsolve.sun.com/search/docume...setkey=urn:cds:docid:1-21-126928-01-1

Solaris 9: Apply T-patch T113318-31.

Solaris 10: Apply patch 123809-02.
http://sunsolve.sun.com/search/docume...setkey=urn:cds:docid:1-21-123809-02-1

-- x86 Platform --

Solaris 8: Apply patch 126929-01.
http://sunsolve.sun.com/search/docume...setkey=urn:cds:docid:1-21-126929-01-1

Solaris 9: Apply T-patch T117468-17.

Solaris 10: Apply patch 126837-01.
http://sunsolve.sun.com/search/docume...setkey=urn:cds:docid:1-21-126837-01-1

Preliminary T-patches are available from:
http://sunsolve.sun.com/tpatches

A final resolution is reportedly pending completion.

Original Advisory:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102914-1



Sun Solaris libsldap Denial of Service

Secunia Advisory: SA25854
Release Date: 2007-06-27
Critical: Not critical
Impact: DoS
Where: Local system
Solution Status: Vendor Patch
OS: Sun Solaris 10 / Sun Solaris 8 / Sun Solaris 9

Description:

Sun has acknowledged a weakness in Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The weakness is caused due to an unspecified error in the libsldap library and can be exploited to disable the Name Service Caching Daemon causing name service lookups to be slower.

The weakness affects Solaris 8, 9, and 10 for both the SPARC and the x86 platforms.

NOTE: This issue reportedly only affects hosts, which are configured as LDAP clients.

Solution:

Apply patches.

-- SPARC Platform --

Solaris 8: Apply patch 126373-02 or later.
http://sunsolve.sun.com/search/docume...setkey=urn:cds:docid:1-21-126373-02-1

Solaris 9: Apply patch 112960-40 or later.
http://sunsolve.sun.com/search/docume...setkey=urn:cds:docid:1-21-112960-40-1

Solaris 10: Apply patch 120036-07 or later.
http://sunsolve.sun.com/search/docume...setkey=urn:cds:docid:1-21-120036-07-1

-- x86 Platform --

Solaris 8: Apply patch 126374-02 or later.
http://sunsolve.sun.com/search/docume...setkey=urn:cds:docid:1-21-126374-02-1

Solaris 9: Apply patch 114242-27 or later.
http://sunsolve.sun.com/search/docume...setkey=urn:cds:docid:1-21-114242-27-1

Solaris 10: Apply patch 120037-07 or later.
http://sunsolve.sun.com/search/docume...setkey=urn:cds:docid:1-21-120037-07-1

Provided and/or discovered by:

Reported by the vendor.

Original Advisory:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102926-1



Symantec Mail Security Executable Attachment Parsing Denial of Service

Secunia Advisory: SA24632
Release Date: 2007-06-26
Critical: Less critical
Impact: DoS
Where: From remote
Solution Status: Vendor Patch
OS: Symantec Mail Security Appliance 5.0.x
Software: Symantec Mail Security for SMTP 5.x
CVE reference: CVE-2007-1792 (Secunia mirror)

Description:

Secunia Research has discovered two vulnerabilities in Symantec Mail Security, which can be exploited by malicious people to cause a DoS (Denial of Service) on a vulnerable system.

The vulnerabilities are caused due to boundary errors in the SMS Filter Hub service when parsing executable files attached to filtered emails. These can be exploited to cause unhandled access violations by sending a specially crafted executable file attached to an email.

Successful exploitation causes the service to periodically refuse mails and causes the mail queue to backup.

The vulnerabilities are confirmed in Symantec Mail Security for SMTP version 5.0 patch 176 and also reported in the following versions:

* Symantec Mail Security for SMTP (5.0.0 and 5.0.1 versions prior to 5.0.1 patch 181)
* Symantec Mail Security Appliance (5.0.x versions prior to 5.0.0-36)

Solution:

Apply fixes.

Symantec Mail Security for SMTP: Update to version 5.0.1 and apply patch 181.

Symantec Mail Security Appliance: Update to version 5.0.0-36 or later.

Provided and/or discovered by:

Dyon Balding, Secunia Research.



Linux Kernel "sysfs_readdir()" Denial of Service

Secunia Advisory: SA25771
Release Date: 2007-06-26
Critical: Not critical
Impact: DoS
Where: Local system
Solution Status: Unpatched
OS: Linux Kernel 2.6.x
CVE reference: CVE-2007-3104 (Secunia mirror)

Description:

A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a Denial of Service (DoS).

The vulnerability is caused due to a NULL pointer dereference within the function "sysfs_readdir()" when handling pointers to inodes. This can be exploited to crash a vulnerable system.

Solution:

Restrict access to trusted users only.

Provided and/or discovered by:

Reported in a Red Hat advisory.



Trend Micro OfficeScan CGI Modules Buffer Overflow and Authentication Bypass

Secunia Advisory: SA25778
Release Date: 2007-06-26
Critical: Moderately critical
Impact: Security Bypass, System access
Where: From local network
Solution Status: Vendor Patch
Software: Trend Micro OfficeScan Corporate Edition 8.x

Description:

Two vulnerabilities have been reported in Trend Micro OfficeScan, which can be exploited by malicious people to bypass certain security restrictions or compromise a vulnerable system.

1) A boundary error within a CGI module can be exploited to cause a buffer overflow and execute arbitrary code.

2) An unspecified error within a CGI module can be exploited to bypass the authentication mechanism of the OfficeScan Management Console via a specially crafted HTTP header.

The vulnerabilities affect OfficeScan Corporate Edition version 8.0.

Solution:

Apply Security Patch - Build 1042:
http://www.trendmicro.com/ftp/product...sce_80_win_en_securitypatch_b1042.exe

Provided and/or discovered by:

Reported by the vendor.



D-Link DPH-540 / DPH-541 Spoofing and Denial of Service Vulnerabilities

Secunia Advisory: SA25803
Release Date: 2007-06-26
Critical: Less critical
Impact: Spoofing, DoS
Where: From remote
Solution Status: Unpatched
OS: D-Link DPH-540 Wi-Fi Phone / D-Link DPH-541 Wi-Fi Phone
CVE reference: CVE-2007-3347, CVE-2007-3348

Description:

Sipera VIPER Lab has reported two vulnerabilities in the D-Link DPH-540 and DPH-541 Wi-Fi phones, which can be exploited by malicious people to conduct spoofing attacks or to cause a DoS (Denial of Service).

1) The SIP stack accepts SIP INVITE messages from source IP addresses other than the Call Server's IP address. This can be exploited to send messages directly to the phone and e.g. spoof the caller ID.

2) An error in the handling of SIP INVITE messages can be exploited to prevent the phone from making or receiving calls via a specially crafted SIP INVITE message containing a malformed SDP header.

The vulnerabilities are reported in firmware 1.00.14. Other versions may also be affected.

Solution:

Use the device in a trusted network environment only.

Provided and/or discovered by:

Sipera VIPER Lab



http://www.pconline.com.cn/pcedu/softnews/yejie/0706/1041895.html&cid=1113916503&ei=Sil_Rsq9HYnSqQPJsZEp

XP the most secure? Vista has far more unfixed vulnerabilities than XP

Source: PConline [2007-06-25 10:02:50] Author: BlackWing Editor: zhonghongfei

Microsoft claims its Vista operating system is far more secure than Linux and OS X (see the article "Microsoft claims Vista is far more secure than Linux and OS X"), but the facts are not that simple.

Figures released last weekend by one of Microsoft's security executives show that six months after Vista's launch, it has more unfixed vulnerabilities left over than Windows XP did.

Since Vista went on sale at the end of last November, 27 flaws have surfaced, of which Microsoft has fixed only 12. By contrast, six months after XP's launch, 36 of the 39 bugs found in total had already been fixed.

Microsoft's director of security strategy released these figures last week and said that overall Vista performed better than XP. But he offered no analysis of why Vista has so many unfixed flaws, saying only that most of the unfixed vulnerabilities are not high-risk and that only one high-risk flaw remains unfixed, whereas six months after XP's debut two high-risk vulnerabilities remained unfixed.

Also by contrast, 23 high-risk bugs were fixed in XP's first six months, versus only one in Vista.

Microsoft is suspected of reporting only the good news; many businesses believe Vista is not as secure as Microsoft claims and have no plans to migrate to Vista for now.



Multiple vulnerabilities in Ingres Database, the back-end database of CA products.
The vulnerabilities found include buffer overflows targeting the database communications module (iigcc.exe) and the data access module (iigcd.exe), which allow privilege escalation and remote execution of arbitrary programs.

Affected:
Ingres Database 3.0.3
CA eTrust Secure Content Manager r8, Windows version

CVE number:
CVE-2007-3334


Public Advisory: 06.21.07
Ingres Database Multiple Heap Corruption Vulnerabilities

I. BACKGROUND
Ingres is the database backend used by default in several CA products. The SCM (Secure Content Manager) is one of the products that uses Ingres. The SCM uses Ingres to store quarantined virii and blocked HTTP requests/replies. For more information visit the following URLs.

http://www3.ca.com/solutions/Product.aspx?ID=1013
http://www.ingres.com/


II. DESCRIPTION
Remote exploitation of multiple heap overflow vulnerabilities in Ingres Database Server as distributed with Computer Associates International Inc.'s (CA) products may allow attackers to execute arbitrary code with SYSTEM privileges.

The vulnerabilities exist in the Communications Server (iigcc.exe) and Data Access Server (iigcd.exe) components of Ingres. The Communications Server is the main component responsible for receiving and handling requests from the network. The Data Access Server is responsible for handling requests from the Ingres JDBC Driver and .NET data providers. These requests are decoded into Ingres internal formats and passed on to other components of the database server.

The application does not properly validate the length of attacker supplied data before copying it into a fixed size heap buffer. This leads to an exploitable condition.

III. ANALYSIS
Exploitation allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges.

In order to exploit this vulnerability an attacker would have to send a malformed request to the database server. This requires the ability to establish a TCP session on port 10916 (iigcc) or 10923 (iigcd).

Exploitation has been demonstrated to be trivial.

IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Ingres Database 3.0.3 as included with CA eTrust Secure Content Manager r8 on Windows. Previous versions may also be affected. In addition, any application that uses the Ingres Database may be vulnerable.

V. WORKAROUND
Employing firewalls or other access control methods can effectively reduce exposure to this vulnerability.

VI. VENDOR RESPONSE
CA has made fixes available for all supported CA products that embed Ingres. For more information consult CA's Security Alert at the following URL.

http://supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.Asp

VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-3334 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.



Fearing US eavesdropping, senior French officials barred from using BlackBerrys

ETtoday (東森新聞報), updated 2007/06/22 10:55, reporter 詹珝榕 / translation

The BlackBerry, convenient for sending and receiving email, has been banned by the French government for use by officials of the presidential office and the ministries, to stop US intelligence agencies from intercepting messages between government officials. The BlackBerry's maker, however, says its encryption is tighter than that of ordinary online banking and is unlikely to be broken.

Since its debut the BlackBerry has become popular equipment for mid- and senior-level executives at US companies, but French intelligence warns: while you are sending and receiving email, confidential data may already be leaking.

The editor-in-chief of France's Intelligence Online magazine points out: "The French information security agency, the body responsible for overseeing the security of French government networks, advised all government employees three years ago not to use PDAs; the official reason was that they make it easy for secrets to be stolen."

After an assessment, the French government recently extended the ban issued 18 months ago: the presidential office and the ministries may not use BlackBerrys, and the spy it wants to guard against is the US National Security Agency. According to Le Monde, BlackBerry data passes through servers in the United States and its ally Britain, letting the US and the UK obtain the transmitted data with ease.

But the BlackBerry's maker denies its product can become a tool for eavesdropping and data theft, and experts are also unconvinced by the French government's move. The Intelligence Online editor said: "I think private groups are more likely to steal communications, especially low-level government communications; by comparison, I do not believe the US is listening in on every French government official."

The BlackBerry's powerful email features set off a mobile-email craze, especially in the United States, but the French government is going the other way, and some French civil servants privately complain that this sends them straight back to the age of passing notes. Having banned the BlackBerry, the French government is also looking for a replacement device to meet this pressing need.

