Linux kernel flaw fixed
Linux users are advised to go to Kernel.org for an update that fixes a vulnerability attackers could exploit to access sensitive information in kernel memory. Paul Starzetz, a researcher with Polish firm iSEC Security, found the glitch, outlined in iSEC's advisory. He said the vulnerability is due to race conditions and conversion errors when handling 64-bit file offset pointers. The problem was found in version 2.4.26 and prior and in version 2.6.7 and prior. Starzetz said the best protection is for users to go to Kernel.org for the update.
Trojan hides in message claiming Nick Berg is alive
It has tried to rope in victims with phony messages claiming that Osama Bin Laden and Arnold Schwarzenegger had been found dead. Now, the Trojan horse known as Hackarmy-A is hiding in a fake message claiming to contain video footage showing that American hostage Nick Berg is alive and well in Iraq. The latest message, posted to tens of thousands of Internet newsgroups, claims that Aljazeera has released video footage of Berg alive and well, Lynnfield, Mass.-based antivirus firm Sophos said. The message reads: "Conspiracy theories of Nick Berg being alive and well in Iraq have today been proven true. Aljazeera has released video footage of the supposedly beheaded American captive. The clip was first 'discovered' on an Islamic Web site in Malaysia and has now been released by American journalists collaborating with Aljazeera. The evidence speaks for itself and viewed firsthand here." Nick Berg was beheaded by Iraqi insurgents earlier this year who said they were avenging the Iraqi prisoners abused at Abu Ghraib jail by American soldiers. A video of Berg's horrific death was broadcast on an Arabic Web site.
More flaws in Mozilla, Netscape
Vulnerability in StackDefender
Reston, Va.-based security firm iDefense is warning users of a vulnerability in StackDefender that could be exploited to crash a system. The advisory said the intrusion prevention system for Win32 platforms, produced by Madrid-based Next Generation Security (NGSEC), can be exploited by an attacker who specifies an invalid address for 'ObjectAttributes.' Exploitation requires that an attacker has an exploitation vector to the system that StackDefender attempts to block. iDefense has confirmed the vulnerability in StackDefender 1.10. iDefense said it is unaware of any workarounds, that NGSEC has discontinued support for StackDefender 1.10 and recommended users upgrade to StackDefender 2.10.
Debian fixes SquirrelMail flaws
Debian recommends users update to the latest version of SquirrelMail to guard against multiple vulnerabilities. Its advisory described "multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 that "allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php." Other flaws were described as a cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 that allows remote attackers to insert arbitrary html and script via the content-type mail header and multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1.2.10 and earlier that allow remote attackers to inject arbitrary html or script. Also, a SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements with unknown impact (probably via abook_database.php).