Cisco addresses multiple vulnerabilities
The first vulnerabilities occur in CiscoWorks Wireless LAN Solution Engine (WLSE) 2.x. A vulnerability in the WLSE appliance Web interface "can be exploited to execute arbitrary HTML and script code in a user's browser session," according to an advisory posted by Danish vulnerability clearing house Secunia. Another vulnerability, in a CLI application, can be exploited to gain a shell account with root privileges. Malicious users can perform these actions remotely. Cisco suggests updating to version 2.13 or later.

The second group of vulnerabilities is in Cisco IOS XR. All three vulnerabilities involve processing Multiprotocol Label Switching (MPLS) packets. Malicious users can exploit this locally to cause a denial of service. Cisco has patched the issue.

The final vulnerability affects Cisco Ethernet Subscriber Solution Engine (ESSE), CiscoWorks2000 Service Management Solution (SMS), Cisco Wireless LAN Solution Engine (WLSE), Cisco Hosting Solution Engine (HSE), and Cisco User Registration Tool (URT). According to Secunia, malicious local users can exploit the vulnerability to gain escalated privileges. Cisco has fixes for Cisco WLSE, Cisco HSE, and Cisco URT. However, Cisco ESSE and CiscoWorks SMS are end-of-life products and Cisco will not provide fixes, according to its advisory.

Apple fixes five Java vulnerabilities
More specifically, Sun's Java Web Start software contains a flaw that can allow untrusted applications to elevate their own privileges, including reading and writing arbitrary local files. Sun describes Java Web Start as technology that makes full-featured applications available via a Web server. A specially crafted application could circumvent security restrictions and allow access and control by intruders. The flaw is in Java 2 Platform Standard Edition (J2SE) 5.0 Update 5 and earlier 5.0 releases.

In addition, several vulnerabilities in the Java Runtime Environment can permit untrusted applets to elevate their own privileges. This could also allow attackers to evade security and gain control of an affected system. Finally, an issue with event handling can, for example, cause secure fields -- such as passwords -- to appear as normal text in the same window. Sun first disclosed the vulnerabilities on Feb. 7. Customers are advised to upgrade to the Java 2 Standard Edition 5.0 Release 4 update (J2SE version 1.5.0_06).

F-Secure discovers first J2ME Trojan
A J2ME-based Java midlet, Redbrowser masquerades as a WAP browser, using free SMS messages to send the WAP pages. Redbrowser's claim to send free SMS messages is intended to fool a user into permitting the application to use Java SMS capabilities. When given permission, Redbrowser actually starts sending SMS messages to one specific number in an infinite loop. Each message is charged to the user's account, which may cause financial losses to the user. Redbrowser's text is in Russian, which F-Secure said should limit the Trojan to Russian-speaking countries. In addition to using its own removal tools, F-Secure said users can eradicate the Trojan by uninstalling it with the Symbian application manager.

Edmund X. DeJesus is a freelance writer in Norwood, Mass.