Cisco security woes continue
Cisco Systems had to reset the passwords of all its registered users after its Web site search engine was compromised, leaving the passwords exposed. But the San Jose, Calif.-based networking giant said the incident has nothing to do with the IOS exploit uncovered amid a media firestorm at last week's Black Hat conference.
Users logging on to the Web site were greeted with this message:
* Cisco has determined that Cisco.com password protection has been compromised.
* As a precautionary measure, Cisco has reset your password. To receive your new password, send a blank e-mail, from the account which you entered upon registration, to firstname.lastname@example.org. Account details with a new random password will be e-mailed to you.
* If you do not receive your new password within five minutes, please contact the Technical Support Center.
* This incident does not appear to be due to a weakness in Cisco products or technologies.
The last line led SANS Internet Storm Center handler Tom Liston to say half-jokingly, "It reinforces that old security maxim: All the technology in the world won't save you from doing something dumb."
High-risk flaw patched in CA's BrightStor ARCserve Backup system
Computer Associates has patched what it calls a high-risk security hole in the BrightStor ARCserve Backup system, which delivers backup and restore protection for all Windows server systems as well as Windows, Linux, Mac OS X and Unix client environments.
According to Reston, Va.-based iDefense [now part of VeriSign], the problem is that "remote exploitation of a buffer overflow in the backup agent for Microsoft SQL Server within Computer Associates' BrightStor ARCserve Backup Agent for SQL allows an attacker to execute arbitrary code with system privileges. This allows for complete system compromise including the installation or removal of software and access to any file on the system."
iDefense confirmed the flaw in BrightStor ARCserve Backup Agent for Microsoft SQL Server version 11.0. "It is suspected that all versions are vulnerable," the firm said.
As workarounds, iDefense recommended that users filter access to the affected host at the network boundary, permit connections only from trusted hosts and networks, and block remote access to the service entirely unless remote parties actually require it.
eEye reports new Windows flaw
Attackers could exploit a flaw in multiple versions of Microsoft Windows to launch malicious code, according to an advisory from Aliso Viejo, Calif.-based eEye Digital Security.
"A vulnerability in default installations of the affected software allows malicious code to be executed," eEye said. The firm wouldn't divulge additional details, but said the flaw is of high severity and could be exploited remotely.
The issue affects Internet Explorer, Windows 2000 and 2003, Windows XP and Windows XP SP1.
Marc Maiffret, chief hacking officer at eEye, told CNET News.com that since no action on the users' part is required, the flaw could easily be exploited to launch a worm attack. Making matters worse, he said a workaround for the unpatched security hole is unlikely. "You can't turn this [vulnerable] component off," Maiffret said. "It's always on. You can't disable it. You can't uninstall."
A Microsoft representative told CNET News.com that it will issue a comment once it has had a chance to review the eEye advisory.