Security Bytes: Google battens its hatch

Google fixes flaw in its Desktop Search tool; multiple vendors announce flaws; Cisco acquires Perfigo.

Google closes security hole
Google has closed a security hole attackers could have used to alter its pages and scam visitors into offering up their credit card numbers. The Mountain View, Calif.-based company announced that the problem had been fixed after a posting to the Bugtraq security mailing list identified the vulnerability, in which Google's Desktop Search tool failed to prevent a would-be attacker from inserting JavaScript into the Web address of its main page. Malicious users could have used the flaw to alter the look of Google's Web page to ask visitors for credit card numbers and other personal information. "Google was recently alerted to a potential security vulnerability affecting users of our Web site," a company representative told CNET. "We have since fixed this vulnerability, and all current and future users are protected."

Red Hat fixes ImageMagick flaw
Red Hat recommends users upgrade to newly available ImageMagick packages that fix a .bmp loader vulnerability. ImageMagick, an image display and manipulation tool for the X Window system, was found to contain a heap-overflow flaw in the image handler. "An attacker could create a carefully crafted .bmp file in such a way that it could cause ImageMagick to execute arbitrary code when processing the image," Red Hat said in its advisory. "Users of ImageMagick should upgrade to this updated package, which contains a backported patch and is not vulnerable to this issue."

Red Hat updates gaim package
Red Hat has updated gaim, fixing various bugs and making a number of enhancements for Red Hat Enterprise Linux 3. The gaim application, a multi-protocol instant messaging client, was found to contain a buffer-overflow flaw in the MSN protocol handler. "When receiving an unexpected sequence of MSNSLP messages, it is possible that an attacker could cause an internal buffer overflow, leading to a crash or possible code execution," Red Hat said in an advisory. "This updated gaim package also fixes multiple user interface, protocol and error handling problems, including an ICQ communication encoding issue. Additionally, these updated packages have compiled gaim as a PIE (position independent executable) for added protection against future security vulnerabilities."

Denial-of-service flaw in Linux kernel
Researcher Richard Hart has found a vulnerability in Linux kernel 2.6.x that an attacker could use to cause a denial of service. Danish security firm Secunia said in an advisory that the problem is "an integer-underflow error within the iptables firewall logging rules. This can be exploited to crash a vulnerable system via a specially crafted IP packet." Successful exploitation requires that firewalling is enabled, Secunia said. The company recommends users update to version 2.6.8 or later.

Cisco to acquire Perfigo
San Jose, Calif.-based Cisco Systems announced Thursday it is acquiring San Francisco-based Perfigo Inc. The network giant described this as another move to address the increased threat and impact of worms and viruses to networked businesses. Perfigo produces packaged network access control products with endpoint policy analysis, compliance and access enforcement capabilities. "Perfigo's CleanMachines solution extends the offerings in Cisco's Network Admission Control (NAC) program, an effort designed to enforce endpoint policy compliance and help customers implement self-defending networks," Cisco said in a statement. "Perfigo enables organizations to intelligently provide trusted access to 'clean' endpoints, thereby increasing the availability and integrity of customer networks and critical business applications." Cisco will pay $74 million in cash for Perfigo. The acquisition is subject to various standard closing conditions and is expected to close in the second quarter of Cisco's fiscal year 2005, which ends Jan. 29, 2005.

Cell phones vulnerable to Java flaws
Two difficult-to-exploit flaws have been identified in the cell phone version of Sun Microsystems' Java software that could allow a malicious program to read private information or render a phone unusable. The flaws are mitigated because the exploit must be tailored to a specific model of cell phone and then must be downloaded by the user, said Adam Gowdiak, a security researcher with the Poznan Supercomputing and Networking Center who discovered the vulnerabilities. Sun won't be issuing a patch, according to ZDNet, but said any such malicious programs can be deleted by the user.
