Security Bytes: Cisco patch available for ACNS flaws

Workaround outlined for new phpWebSite flaw. IBM issues patch for DB2 flaw. Payroll service goes offline to investigate security claims, and BoA loses personal data on customers.

Cisco issues fix for four holes that could lead to DoS attacks
Cisco Systems has released security updates to fix four vulnerabilities in its Cisco Application and Content Networking System (ACNS) 4.x and 5.x that could be remotely exploited to cause a denial of service. One flaw related to TCP connection processing can be manipulated to force the ACNS cache process to restart. Another related to how IP packets are processed could exhaust CPU resources, as can a third error related to network packet processing for RealServer RealSubscriber. Finally, a fourth flaw in devices processing IP packets can be exploited to continuously forward copies of a specially crafted packet. In addition to the patch, Cisco reminds admins to change the default passwords on administrative accounts. Vulnerability monitor Secunia rates these flaws as moderately critical.

Workaround issued for new phpWebSite security issue
A "highly critical" vulnerability in phpWebSite currently lacks a patch but can be worked around by editing the source code so that the filenames of uploaded images are properly verified. Danish security provider Secunia said a security researcher known as nst reported the flaw, which can be exploited remotely. The problem stems from an error in how images are handled when an announcement is submitted: an attacker can upload arbitrary PHP scripts to a directory inside the Web root, where the Web server will execute them on request. The flaw affects versions 1.10.0 and prior, according to Secunia's Web site.
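To show the class of check the workaround calls for, here is an added example written for this page (it is not phpWebSite's own code; the form field name "image", the images/ target directory and the two function names are assumptions). The unsafe function trusts the client-supplied filename, so an "image" named shell.php lands in a served directory; the hardened one verifies the file really is an image, ignores the client's name entirely and stores it under a generated name with a fixed extension.

```php
<?php
// Added example, not phpWebSite code. Shows why trusting the client-supplied
// filename of an "image" upload lets an attacker drop a .php file where the
// Web server will execute it, and one way to verify the upload instead.
// Assumptions: form field "image"; $uploadDir is served by the Web server.

$uploadDir = __DIR__ . '/images/';   // assumed to be inside the Web root

// VULNERABLE: the basename is attacker-controlled, so a file named
// "shell.php" is written to a served directory and then executed by
// requesting /images/shell.php.
function saveImageUnsafe(array $file, string $uploadDir): string
{
    $dest = $uploadDir . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// HARDENED: derive the extension from the image bytes, never from the name.
function saveImageSafe(array $file, string $uploadDir): string
{
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // getimagesize() parses the actual image header; plain PHP source fails it.
    $info = @getimagesize($file['tmp_name']);
    $allowed = [
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    ];
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('upload is not a GIF, JPEG or PNG image');
    }
    // Choose the stored name ourselves: random, with a single known extension,
    // so neither "shell.php" nor "shell.php.gif" ever reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $dest = $uploadDir . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

if (isset($_FILES['image'])) {
    try {
        $stored = saveImageSafe($_FILES['image'], $uploadDir);
        echo 'stored as ' . htmlspecialchars(basename($stored));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

The header check alone is not the control: a polyglot file that begins with a valid GIF header and carries PHP code after it will pass getimagesize(). What stops execution is that the server-chosen name can never end in .php, which is why the extension must come from the whitelist and not from the client. Keeping the upload directory outside the Web root, or disabling PHP execution for it in the Web server configuration, closes the remaining gap if a later bug lets a name through.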

Bank of America loses tapes holding info on bank card customers
Bank of America on Friday admitted it lost computer tapes containing private information on federal employees who used government-issued credit cards to cover expenses. The missing data includes Social Security numbers, home addresses and other sensitive information on an untold number of federal workers who collectively used 1.2 million Visa cards issued by Bank of America. The bank apologized publicly on Friday for the mishap, which occurred in December while the tapes were being shipped to a backup data center. The bank said it could cover any losses due to fraud.

News reports indicate 900,000 of the victims work at the Pentagon and others include members of Congress. The cards were used to cover business expenses. Computerworld said one senator believes the tapes were taken by baggage handlers during a commercial air flight. BoA maintains the tapes are lost rather than stolen. The news report also noted the bank went public with the December incident after pressure from law enforcement. Earlier this month, a Miami man filed a lawsuit against the financial giant for not doing enough to protect his online bank account after his PC was infected with malicious code that allowed $90,000 to be diverted to a Latvian bank.

PayMaxx shuts down site to investigate security holes
Online payroll service provider PayMaxx shut down a Web site last week after a former customer reported security issues that exposed client W-2 forms for the last five years. Aaron Greenspan, president of a software startup, said he found the glitch in how requests were processed after he was notified his W-2 tax form was available for downloading. With a few keystrokes, he realized he could potentially access more than 25,000 forms dating back to 2000. Greenspan told CNET's News.com that he then contacted PayMaxx, which declined detailed comment. It did, however, take the site offline while it investigated claims, and accused Greenspan of holding back details so the company would hire him. Greenspan countered he provided PayMaxx several suggestions to fix the problem. "It's not my job to go around and fix problems for free," he told a reporter.

High-risk IBM DB2 flaw revealed; patch available
IBM released a fix Friday for a "high-risk" vulnerability in its DB2 Universal Database version 8.1 and earlier. Users are advised to install Fixpak 8 for DB2 UDB 8.1 to correct the flaw. The vulnerability was identified by researchers at U.K.-based NGSSoftware. The company says it will withhold details about this flaw for three months and then will publish a detailed advisory on May 9. "This three month window will allow DB2 database administrators the time needed to test and apply the Fixpak before the details are released to the general public," said the NGSSoftware advisory. "This reflects NGSSoftware's new approach to responsible disclosure."
