Security news round up: Flaws plague IE 7, Apple, BlackBerry and OpenBSD

Bug Bytes: IT administrators had to take action to protect their systems from flaws in several programs that are heavily used in the business world.

IE 7 exposed to phishing attacks
Attackers could exploit a new flaw in Internet Explorer 7 (IE 7) to launch phishing expeditions, Israeli vulnerability researcher Aviv Raff warned in a posting on his blog Wednesday. Microsoft said it is investigating his findings.

Raff said IE 7 running on Windows XP and Vista is susceptible to cross-site scripting attacks. That combined with a design flaw in the browser could allow digital miscreants to launch phishing schemes against users, he added.

"I think it is a serious vulnerability, because it allows a phisher to take advantage of the user without the need to create a look-alike URL," Raff said in an instant message exchange. "The user will see the trusted URL in the address bar and the fake content provided by the phisher."

Raff said he is unaware of any exploits in the wild. Microsoft issued a statement saying that it's investigating the flaw but has seen no evidence of active exploits to date.

BlackBerry flaw repaired
IT administrators are being advised to upgrade to BlackBerry Device Software 4.2 Service Pack 1 to fix a flaw in earlier versions attackers could exploit to cause a denial of service. According to the French Security Incident Response Team (FrSIRT), the problem is an error in the BlackBerry browser that fails to properly handle overly long URLs.

Attackers could exploit this to cause a vulnerable device to become slow or to stop responding by tricking a user into following a specially crafted link. The problem affects BlackBerry Device Software version 4.2 and prior. The solution is to upgrade to BlackBerry Device Software 4.2 Service Pack 1.

OpenBSD flaw patched
Several recent versions of the popular OpenBSD operating system contain a remotely exploitable buffer overrun vulnerability that security experts say could give attackers complete control over vulnerable machines.

The flaw was found in OpenBSD's kernel and involves the way the OS handles certain kinds of IPv6 packets, according to the researchers at Core Security Technologies Inc. who discovered the problem. The vulnerability affects versions 3.1, 3.6, 3.8, 3.9, 4.0 and 4.1 of OpenBSD. Also, all other versions that support the IPv6 stack are thought to be vulnerable.

The OpenBSD team has released a patch and a workaround for the flaw. Because this is a kernel-level vulnerability, administrators will need to rebuild their kernels after installing the patch.

In order to exploit the flaw, an attacker need only be able to send fragmented IPv6 packets to a target system. This requires direct access to the target network; however, the attacker's machine does not need to have its own IPv6 stack for the exploit to work, Core said. Users who don't need to route IPv6 traffic can block those packets using OpenBSD's native firewall, pf.
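As an added illustration (not taken from the article or from the OpenBSD advisory), a pf.conf fragment for a host that does not need IPv6 at all: every IPv6 packet is dropped at the packet filter before the kernel's IPv6 stack handles it, while the IPv4 policy stays in place. The interface name em0 and the permitted IPv4 service are assumptions.

```pf
# Constructed /etc/pf.conf fragment (example, not the project's own workaround).
# Interface "em0" and the permitted IPv4 services are assumptions.
ext_if = "em0"

set skip on lo0

# Drop all IPv6, inbound and outbound, and log it so unexpected IPv6
# traffic shows up on pflog0. "quick" stops rule evaluation here, so no
# later pass rule can let an IPv6 packet through.
block in log quick inet6
block out log quick inet6

# Default-deny for IPv4, then only the services this host actually offers.
block log all
pass out quick on $ext_if inet keep state
pass in on $ext_if inet proto tcp from any to $ext_if port 22 flags S/SA keep state
```

Validate the file with `pfctl -nf /etc/pf.conf` (parse only) before loading it with `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` for logged IPv6 drops to confirm the rule is matching.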

Apple makes massive Mac fix
Apple Computer Inc. issued a security update Tuesday addressing 45 flaws found within the operating system and some third-party applications.

The Cupertino, Calif.-based company addressed several critical issues in its own software that were discovered as part of the Month of Apple Bugs and the Month of Kernel Bugs. The update also fixes flaws in some third-party applications, such as Adobe Systems' Flash Player and the MySQL database.

Several flaws could be exploited by an attacker to conduct a denial-of-service (DoS) attack or to elevate privileges and access data, according to a security alert issued Tuesday by Apple. Other flaws could allow an attacker to gain full control over a victim's computer.

Apple Mac OS X and Mac OS X server versions 10.4.8 and earlier are affected. The software vendor said its automatic update would fix the issues.
