InfoSec News

Adobe has just released a vulnerability advisory for Photoshop Elements for Windows (http://www.adobe.com/support/security/advisories/apsa11-03.html). It is in older versions of the product (8 and earlier) and will not be fixed. The advice from Adobe is to upgrade to version 10, or to avoid opening .grd or .abr files.
It actually poses an interesting question: what should vendors be doing in cases where an issue is identified in a product that is no longer supported, especially products that are likely to be still in use by quite a number of people? In this particular case I think they have probably gone the right path; sure, the upgrade advice stings, but at least there is a workaround available.
Mark
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
ZABBIX 'popup.php' Information Disclosure Vulnerability
 
Oracle may unveil its own platform-as-a-service offering next week, setting it in competition with Microsoft's Azure, Salesforce's Heroku and many other smaller services, analysts said.
 
MantisBT Cross Site Scripting and SQL Injection Vulnerabilities
 
For more than two years, the U.S. mobile industry has warned of an upcoming spectrum shortage, but two analysts at Citigroup don't buy it.
 
A North Carolina ISP has filed a lawsuit challenging the U.S. Federal Communications Commission's net neutrality rules, with the ISP arguing the regulations aren't strong enough for wireless and mobile broadband providers like itself.
 
Speculation has been running rampant that Oracle may introduce its own NoSQL database at the OpenWorld conference, to be held next week in San Francisco.
 
The ODF 1.2 specification, which aims to perfect the spreadsheet workflow, has been approved by the members of the Organization for the Advancement of Structured Information Standards (OASIS).
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2011-3000 HTTP Response Splitting Vulnerability
 
Cherokee Multiple Unspecified Vulnerabilities
 
Microsoft scrambled earlier today to revise an antivirus definition file that deleted Google's Chrome browser from users' PCs.
 
Microsoft's Security Essentials falsely reports Google Chrome as being a password stealing trojan. Google talks about the problem here, as well as Microsoft commenting on it here. The trojan that Chrome is being flagged as is the Win32/Zbot password stealing trojan. The definition number that has presented the issue is version 1.113.631.0, with users reporting that previous versions did not trigger on Chrome.
More to come...

Tony Carothers
tony dot carothers at gmail
 
Been around a while? You may well be a "Silver surfer" and that makes you an IT hero!
 
Samsung announced the Galaxy Tab 7.0 Plus tablet, an update that is lighter and more powerful than the original, and that runs a 1.2 GHz dual core processor.
 
A U.S. appellate court this week rejected an appeal by Mac clone maker Psystar in a long-running case related to copyright infringement of Apple's Mac OS X operating system.
 
It's a fun ride following the adventures of business users as they attempt to "outwit" their enterprise software with Excel. This week, that ride has led me to a usability survey conducted by IFS, a developer of an extended ERP application suite, in which respondents say the cumbersome nature of enterprise software could drive them out of their jobs.
 
WordPress News Theme 'cpage' Parameter Cross Site Scripting Vulnerability
 
GNOME NetworkManager Local Privilege Escalation Vulnerability
 
Mozilla Firefox CVE-2011-2996 Remote Memory Corruption Vulnerability
 
Mozilla Firefox and SeaMonkey 'loadSubScript()' Security Bypass Vulnerability
 
Google has developed a paid version of its Analytics website usage monitoring service that offers better performance, more sophisticated features and broader technical support than the free product, the company said on Friday.
 
If you're a college student and want to work for Google, you're definitely not alone.
 
Mutt SMTP TLS Certificate Security Bypass Vulnerability
 
Mozilla released Firefox version 7.0.1 today, for both the desktop and mobile browsers, and followed up shortly with a support article regarding the handling of Add-ons. A workaround is available and Mozilla is working on an update for Firefox. One of our readers, Dave, submitted this:
From Mozilla:

We've identified an issue in which some users may have one or more of their add-ons hidden after upgrading to the latest Firefox version, affecting both desktop and mobile. These add-ons and their data are still intact and haven't actually been removed. We paused new updates to Firefox to minimize the potential impact on users and will soon release an update to fix this issue and ensure all your add-ons are visible and usable.

Tony Carothers

tony dot carothers at gmail
 
Percona has updated its version of MySQL so that the software's storage engine consumes less working memory, potentially increasing its suitability for tasks requiring an in-memory database, the company announced Friday.
 
Electronics retailer Best Buy plans to hire 200 IT professionals over the next year, and plans to advertise 100 of the positions in the next several weeks.
 
Platform-as-a-service cloud providers are adding Python, Java, and JRuby development capabilities
 
Nokia has underlined the importance of low-cost smartphones and now it appears that the company is developing a Linux-based OS for smartphones that will cost less than US$100 without subsidies.
 
[SECURITY] [DSA 2313-1] iceweasel security update
 
Is it really best to be on the leading edge?
 
Karl asked if cloud-based backup really makes sense when you're making small, frequent changes to a very large file.
 
FreeBSD UNIX Domain Socket Local Privilege Escalation Vulnerability
 
Facebook's data retention practices are under investigation by Ireland's Data Protection Commissioner following a series of complaints filed by a European group critical of the social networking site.
 
Wireless networks aren't just a convenience anymore; they've become an essential part of business culture. It's nearly impossible to walk into a workplace that doesn't use Wi-Fi in some fashion. For the millions of portable wireless devices--from traditional laptops to smartphones and tablets (including Apple's iDevices and the ever-expanding menagerie of Android-based gear)--that people carry with them today, Wi-Fi is the great connector, providing an industry-standard communication layer for untethered devices.
 
The success of the Oakland Athletics in using unique performance metrics, as shown in the movie Moneyball, could be repeated in corporate IT shops.
 
Computerworld wants to know: What type of tech gear do you most want to receive as a holiday present this year? Let us know by taking our quick poll. We'll focus on the most popular product types in our 2011 holiday gift guide.
 
Intel has signed an agreement to acquire Telmap, a company focused on mobile navigation and location-based services, search and content, for an undisclosed amount, the company said in a blog post.
 
AmmSoft ScriptFTP 'GETLIST' or 'GETFILE' Commands Remote Buffer Overflow Vulnerability
 
Dell launched a new ultrathin laptop in China on Friday called the XPS 14z, which is slated to arrive in other markets later this year to take advantage of the coming holiday shopping seasons.