Weekly security news: HP fixes serious laptop utility flaw

In other vulnerability news, Sun warns of a new Solaris flaw, glitches are fixed in Safari and Yahoo Messenger, and Microsoft investigates a possible Office flaw.

HP has fixed a serious laptop utility flaw attackers could exploit to hijack machines running Windows XP. In a note on its Web site, HP said the newly released package updates the Help and Support Centre for supported notebook models and operating systems.

The tool is based on Microsoft and HP technology and provides product information and maintenance help as well as Web links to online support.

HP said it fixed a buffer overflow condition that could have allowed a malicious Web site to read or write files on the PC; an issue where there was no ability for the system to detect product information in some new products; and a missing link in the Arabic version of the modem diagnostic.

Sun warns of Solaris-Samba glitch
Sun Microsystems has issued a warning about multiple flaws in Samba software that runs with its Solaris operating system.

"Multiple security vulnerabilities in the Samba software for Solaris may allow a local or remote user to issue unauthorised Samba operations or to execute arbitrary code or commands with elevated privileges," the company said in its advisory.

The issues affect Solaris 9 and 10 on the SPARC and x86 platforms if they are being used with Samba 3.0.0 through 3.0.25rc3 and Samba 3.0.23d through 3.0.25pre2. Sun urged users to stop the Samba service on affected hosts until a patch is available.

Microsoft investigates possible Office flaw
Microsoft confirmed it's investigating a possible zero-day flaw in Office.

Symantec has warned of a new flaw, with exploit code, in Microsoft Office. Attackers could exploit it via Internet Explorer (IE) to cause a denial of service or run malicious code on targeted machines. In an email alert to customers of its DeepSight threat management service, Symantec said researcher Yag Kohha discovered the flaw and released exploit code.

Specifically, the flaw is in the MSODataSourceControl ActiveX control within Office. The ActiveX control is prone to a buffer-overflow condition because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. To exploit this issue, Symantec said, an attacker must trick the user into accessing a malicious Web page. To prevent successful exploits, Symantec recommended users disable Active Scripting in Internet Explorer or set the kill bit on CLSID:{0002E55B-0000-0000-C000-000000000046}.

Apple fixes Safari for Windows flaws
Apple released a security update for three flaws in Safari for Windows, discovered almost immediately after Apple released the browser in beta Monday.

According to Apple's bulletin, the update patches a number of flaws, including a command injection vulnerability, an out-of-bounds memory read issue and a race condition for cross-site scripting. The issues allow attackers to launch malicious code. Safari, long a part of Apple's Mac OS X operating system, is often touted by Mac enthusiasts as a more secure alternative to the Internet Explorer browser that comes with Windows machines. But some experts have warned of more exploits against Apple products as they grow in popularity.

Yahoo fixes Messenger flaws
The latest version of Yahoo Messenger fixes serious flaws attackers could exploit to run malicious code on targeted machines.

The update comes as security experts track increased instances of exploit code in the wild. The Bethesda, Md.-based SANS Internet Storm Center (ISC) warned of additional Yahoo exploits on its Web site Sunday. ISC handler Bojan Zdrnja wrote on the site that Yahoo Messenger users should upgrade as soon as possible. "Alternatively," he said, "you can set the kill bits for the affected ActiveX controls."
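Both the Office item and the Yahoo Messenger item above recommend the same interim mitigation: setting the Internet Explorer "kill bit" on the vulnerable ActiveX controls so IE will refuse to instantiate them. The following PowerShell script is an added example, not code from the article, Symantec, SANS ISC or the vendors. It writes the kill bit (the 0x400 flag in the "Compatibility Flags" DWORD under the ActiveX Compatibility key, as documented in Microsoft KB 240797) and then verifies it. The Office CLSID is the one quoted above; the article does not give the Yahoo Messenger control CLSIDs, so that entry is a labelled placeholder to be replaced with the values from the vendor or ISC advisory.

```powershell
# Added example: set and verify the IE kill bit for a list of ActiveX CLSIDs.
# Run from an elevated PowerShell prompt. The kill bit only stops IE from
# loading the control; it does not patch the control itself.

$KillBit  = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
# Pattern for a well-formed {GUID}; anything else is skipped rather than
# turned into a junk registry key.
$GuidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# CLSIDs to block. The first is MSODataSourceControl, as quoted in the Symantec
# advisory above. The second is a PLACEHOLDER: the article does not list the
# Yahoo Messenger control CLSIDs; substitute the ones from the advisory.
$Clsids = @(
    '{0002E55B-0000-0000-C000-000000000046}',
    '{PLACEHOLDER-YAHOO-MESSENGER-CLSID}'
)

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    if ($Clsid -notmatch $GuidPattern) {
        Write-Warning "Skipping '$Clsid': not a well-formed CLSID"
        return $false
    }
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any flags already present and OR in the kill bit.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBit) -Type DWord
    return $true
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

foreach ($c in $Clsids) {
    if (Set-ActiveXKillBit -Clsid $c) {
        $state = if (Test-ActiveXKillBit -Clsid $c) { 'kill bit set' } else { 'kill bit NOT set' }
        Write-Output ("{0}: {1}" -f $c, $state)
    }
}
```

On 64-bit Windows the 32-bit IE process reads the same key under `HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility`, so a deployment would set `$BasePath` to both locations. Compared with disabling Active Scripting across the board, the kill bit is the narrower control: it blocks only the named CLSIDs and leaves the rest of the browser's behaviour unchanged, which is why both advisories above offer it as the targeted alternative.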

The flaws first came to light last week, when Aliso Viejo, Calif.-based eEye Digital Security released an advisory about "multiple flaws within Yahoo Messenger which allow for remote execution of arbitrary code with minimal user interaction."
