Google closes security hole
Red Hat fixes ImageMagick flaw
Red Hat recommends users upgrade to newly available ImageMagick packages that fix a .bmp loader vulnerability. ImageMagick, an image display and manipulation tool for the X Window System, was found to contain a heap-overflow flaw in the image handler. "An attacker could create a carefully crafted .bmp file in such a way that it could cause ImageMagick to execute arbitrary code when processing the image," Red Hat said in its advisory. "Users of ImageMagick should upgrade to this updated package, which contains a backported patch and is not vulnerable to this issue."
Red Hat updates gaim package
Red Hat has updated gaim, fixing various bugs and making a number of enhancements for Red Hat Enterprise Linux 3. The gaim application, a multi-protocol instant messaging client, was found to contain a buffer-overflow flaw in the MSN protocol handler. "When receiving an unexpected sequence of MSNSLP messages, it is possible that an attacker could cause an internal buffer overflow, leading to a crash or possible code execution," Red Hat said in an advisory. "This updated gaim package also fixes multiple user interface, protocol and error handling problems, including an ICQ communication encoding issue. Additionally, these updated packages have compiled gaim as a PIE (position independent executable) for added protection against future security vulnerabilities."
Denial-of-service flaw in Linux kernel
Researcher Richard Hart has found a vulnerability in Linux kernel 2.6.x that an attacker could use to cause a denial of service. Danish security firm Secunia said in an advisory that the problem is "an integer-underflow error within the iptables firewall logging rules. This can be exploited to crash a vulnerable system via a specially crafted IP packet." Successful exploitation requires that firewalling is enabled, Secunia said. The company recommends users update to version 2.6.8 or later.
Cisco to acquire Perfigo
San Jose, Calif.-based Cisco Systems announced Thursday it is acquiring San Francisco-based Perfigo Inc. The network giant described this as another move to address the increased threat and impact of worms and viruses to networked businesses. Perfigo produces packaged network access control products with endpoint policy analysis, compliance and access enforcement capabilities. "Perfigo's CleanMachines solution extends the offerings in Cisco's Network Admission Control (NAC) program, an effort designed to enforce endpoint policy compliance and help customers implement self-defending networks," Cisco said in a statement. "Perfigo enables organizations to intelligently provide trusted access to 'clean' endpoints, thereby increasing the availability and integrity of customer networks and critical business applications." Cisco will pay $74 million in cash for Perfigo. The acquisition is subject to various standard closing conditions and is expected to close in the second quarter of Cisco's fiscal year 2005, which ends Jan. 29, 2005.
Cell phones vulnerable to Java flaws
Two difficult-to-exploit flaws have been identified in the cell phone version of Sun Microsystems' Java software that could allow a malicious program to read private information or render a phone unusable. The flaws are mitigated because the exploit must be tailored to a specific model of cell phone and then must be downloaded by the user, said Adam Gowdiak, a security researcher with the Poznan Supercomputing and Networking Center who discovered the vulnerabilities. Sun won't be issuing a patch, according to ZDNet, but said any such malicious programs can be deleted by the user.