HP has fixed a serious laptop utility flaw attackers could exploit to hijack machines running Windows XP.

In a note on its Web site, HP said the newly released package updates the Help and Support Centre for supported notebook models and operating systems. The tool is based on Microsoft and HP technology and provides product information and maintenance help as well as Web links to online support.

HP said it fixed a buffer overflow condition that could have allowed a malicious Web site to read or write files on the PC; an issue where the system was unable to detect product information in some new products; and a missing link in the Arabic version of the modem diagnostic.
Sun warns of Solaris-Samba glitch

Sun Microsystems has issued a warning about multiple flaws in Samba software that runs with its Solaris operating system.

"Multiple security vulnerabilities in the Samba software for Solaris may allow a local or remote user to issue unauthorised Samba operations or to execute arbitrary code or commands with elevated privileges," the company said in its advisory.

The issues affect Solaris 9 and 10 on the SPARC and x86 platforms if they are being used with Samba 3.0.0 through 3.0.25rc3 and Samba 3.0.23d through 3.0.25pre2. Sun urged users to stop the Samba service on affected hosts until a patch is available.
Microsoft investigates possible Office flaw

Microsoft confirmed it's investigating a possible zero-day flaw in Office.

Symantec has warned of a new flaw with exploit code for Microsoft Office. Attackers could exploit it via Internet Explorer (IE) to cause a denial of service or run malicious code on targeted machines. In an email alert to customers of its DeepSight threat management service, Symantec said researcher Yag Kohha discovered the flaw and released exploit code.

Specifically, the flaw is in the MSODataSourceControl ActiveX control within Office. The ActiveX control is prone to a buffer-overflow condition because the application fails to bounds-check user-supplied data before copying it into an irregularly-sized buffer. To exploit this issue, Symantec said, an attacker must trick the user into accessing a malicious Web page.

To prevent successful exploits, Symantec recommended users disable Active Scripting in Internet Explorer or set the kill bit on CLSID:{0002E55B-0000-0000-C000-000000000046}.
Apple fixes Safari for Windows flaws

Apple released a security update for three flaws in Safari for Windows, discovered almost immediately after Apple released the browser in beta Monday.

According to Apple's bulletin, the update patches a number of flaws, including a command injection vulnerability, an out-of-bounds memory read issue and a race condition for cross-site scripting. The issues allow attackers to launch malicious code.

Safari, long a part of Apple's Mac OS X operating system, is often touted by Mac enthusiasts as a more secure alternative to the Internet Explorer browser that comes with Windows machines. But some experts have warned of more exploits against Apple products as they grow in popularity.
Yahoo fixes Messenger flaws

The latest version of Yahoo Messenger fixes serious flaws attackers could exploit to run malicious code on targeted machines.

The update comes as security experts track increased instances of exploit code in the wild. The Bethesda, Md.-based SANS Internet Storm Center (ISC) warned of additional Yahoo exploits on its Web site Sunday. ISC handler Bojan Zdrnja wrote on the site that Yahoo Messenger users should upgrade as soon as possible.

"Alternatively," he said, "you can set the kill bits for the affected ActiveX controls."

The flaws first came to light last week, when Aliso Viejo, Calif.-based eEye Digital Security released an advisory about "multiple flaws within Yahoo Messenger which allow for remote execution of arbitrary code with minimal user interaction."
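Both the Symantec alert on the Office control and the ISC advice on Yahoo Messenger point to the same mitigation: setting the Internet Explorer kill bit so the browser refuses to instantiate a given ActiveX control. The script below is an added example written for this article, not something from Symantec, ISC or Microsoft; it sets and verifies the kill bit for the MSODataSourceControl CLSID quoted above and assumes an elevated PowerShell session on the affected machine.

```powershell
# Added example: set and verify the IE kill bit for one ActiveX control.
# The CLSID is the one quoted in the Symantec alert above; the registry
# location and the 0x400 flag are Microsoft's documented kill-bit mechanism.
$Clsid   = '{0002E55B-0000-0000-C000-000000000046}'
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit = 0x400   # Compatibility Flags bit that blocks the control in IE

function Set-ActiveXKillBit {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # OR the kill bit into any existing flags so other settings are preserved
    $current = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]($current -bor $KillBit)
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-ActiveXKillBit {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $false }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (($flags -band $KillBit) -eq $KillBit)
}

$key = Join-Path -Path $Base -ChildPath $Clsid
Set-ActiveXKillBit -Path $key
if (Test-ActiveXKillBit -Path $key) {
    "Kill bit set for $Clsid"
} else {
    "Kill bit NOT set for $Clsid; check permissions and rerun elevated"
}
```

Test-ActiveXKillBit can also be used on its own to audit a fleet for controls that should already be blocked; on 64-bit Windows the same key under Wow6432Node governs 32-bit IE.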