CA patches flaws affecting multiple products
Computer Associates [CA] released patches to fix three security holes in its Message Queuing software. The Islandia, New York-based company said in an advisory that a variety of its products are affected by the vulnerabilities. Specifically, the problems are:
- An unspecified error in the CAM messaging sub-component that leaves the program vulnerable to a denial-of-service attack.
- Buffer overflow conditions in the Message Queuing server that attackers could use to remotely launch malicious code with elevated privileges.
- Attackers could launch arbitrary commands with elevated privileges because of an unspecified error in the CAFT application.
The glitches affect all versions of Message Queuing software prior to version 1.07 Build 220_13 and version 1.11 Build 29_13. Affected platforms are AIX, DG Intel, DG Motorola, DYNIX, OSF1, HP-UX, IRIX, Linux Intel, Linux s/390, Solaris Intel, Solaris Sparc, UnixWare, Windows, Apple Mac, AS/400, MVS, NetWare, OS/2 and OpenVMS. CA said patches are available for all affected products, which are listed in the advisory.
Air Force: Security breach may affect 33,000
The Air Force said it has notified more than 33,000 airmen that their personal information may have been compromised by a security breach in its online Assignment Management System (AMS). The notification comes after Air Force Personnel Center (AFPC) officials told Air Force and federal investigators about "unusually high" activity on a single user's AMS account in June.
AMS, used for assignment preferences and career management, contains career information on officers and enlisted members and such personal information as birth dates and Social Security numbers, Col. Lee Hall, director of assignments at AFPC, said in a statement. It does not contain personal addresses, phone numbers or specific dependent information, he said. Lt. Col. John Clarke, AFPC's deputy director of Personnel Data Systems, said in the same statement that a malicious user accessed approximately half the officer force's individual information while only a handful of noncommissioned officers were affected.
Earthlink acquires antispyware company
One of the biggest Internet service providers said Monday it is buying privately held Aluria Software LLC, the Orlando, Fla., maker of the Spyware Eliminator software. Details of the financial transaction, expected to be completed next month, were not disclosed, according to Reuters. Aluria, which has about 50 employees, has sold 20 million copies of its popular antispyware software to consumers. Atlanta-based Earthlink has more than 5 million subscribers for its Internet services. The company had earlier announced plans to license Aluria's antispyware software.
Eight new companies take their OATH seriously
The consortium Open Authentication [OATH] added eight new security companies and two financial institutions to its membership. They include The Apache Software Foundation; Encentuate; Identia; Iovation, Inc.; Portwise; Renesas Technology America; TriCipher; Safehouse; Spyrus; and Vocent. In addition, two unnamed financial institutions joined as users, bringing total membership in OATH to 46 companies. Users primarily are interested in working with OATH-member companies on open and royalty-free specifications for strong authentication. OATH promotes collaborations between device, platform and application providers and the customers they serve. The non-profit is seeking participants. Details are available on the organization's Web site.