Security news round-up: Cisco fixes UC security flaws, new Windows zero-day

A round-up of the major security news from the last seven days

Cisco Systems has issued updates to close security holes in its Cisco Unified CallManager (CUCM) and Cisco Unified Presence Server (CUPS) products. According to an advisory from Danish vulnerability clearinghouse Secunia, attackers could exploit the flaws to cause a denial of service.

One problem is an unspecified error within the handling of large amounts of ICMP Echo packets. This can be exploited to crash various CUCM or CUPS services by sending a lot of ICMP Echo packets, Secunia said. Meanwhile, an unspecified error exists within the IPSec Manager service for CUCM or CUPS. This can be exploited to stop certain services like call forwarding by sending a specially crafted UDP packet to port 8500.

The vulnerabilities affect CUCM 5.0 versions prior to 5.0(4a)SU1, and CUPS 1.0 versions prior to 1.0(3).

Microsoft warns of Windows zero-day
Attackers are using a new, unpatched flaw in Internet Explorer to compromise machines running a number of versions of Windows, including Vista. Microsoft confirmed the attacks on 29 March in an advisory on its Web site. The security hole affects Internet Explorer 7, Vista and other versions of the operating system.

"Microsoft is investigating new public reports of targeted attacks exploiting a vulnerability in the way Windows handles animated cursor (.ani) files," the company said in its advisory. "In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted email message or email attachment sent to them by an attacker."

The French Security Incident Response Team (FrSIRT) said the problem is a memory corruption error that surfaces when the operating system renders malformed cursors, animated cursors or icons. Attackers could exploit this to run malicious commands on a victim's machine.

Microsoft investigates Vista flaw
Microsoft is investigating reports of a Windows Vista flaw attackers could exploit to compromise PCs by tricking the user into opening a malicious email attachment. The problem reportedly affects Windows Mail on all versions of Vista.

Cupertino, Calif.-based antivirus giant Symantec warned customers of its DeepSight threat management service that Vista's native email client will execute any script or program file that has an associated folder by the same name.

"An attacker can deliver an email message containing a malicious link that references a local executable," Symantec said in an email advisory. "If the victim clicks on this link the native program is executed with no further action required."

The vendor said an attacker could potentially exploit the design flaw to delete files or shut down the victim's computer. Other attacks are also possible. However, Symantec noted that the flaw can only be used to execute programs or scripts that natively reside on a computer and also have a folder in place by the same name.

"There is the possibility that an attacker could execute custom malicious binaries, yet they would have to first ensure that a malicious file is placed on a target system by some means," the company said. "To exploit this issue, an attacker must entice an unsuspecting user to click a malicious link in an email."
