Oct 26 2009

Truecrypt 6.3 released

Published by hirantha at 1:15 PM under Security

From the TrueCrypt version history notes:

  • Full support for Windows 7.
  • Full support for Mac OS X 10.6 Snow Leopard.
  • The ability to configure selected volumes as 'system favorite volumes'.

TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device).

More information here: http://www.truecrypt.org/docs/?s=version-history




Oct 20 2009

Oracle Critical Patch Update Advisory - October 2009

Published by hirantha at 3:20 PM under Oracle | Security

Although this update "only" addresses 38 vulnerabilities, it contains plenty that DBAs must act upon ASAP:

  • 16 fixes address flaws in the Oracle database (six can be exploited remotely without user interaction)
  • 3 fixes address flaws in the Oracle Application Server (two can be exploited remotely without user interaction)
  • 8 fixes address flaws in the Oracle Applications Suite (five can be exploited remotely without user interaction)

More (advance) information is in the pre-release announcement: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html




Aug 27 2009

Cisco over-the-air-provisioning skyjacking exploit

Published by hirantha at 3:44 PM under Cisco | Security

Cisco issued a security advisory for its 1100 and 1200 Series lightweight access points. The advisory is based on work done by the Wi-Fi IDS firm AirMagnet. Cisco uses an Over-The-Air-Provisioning (OTAP) protocol in which an access point uses multicast data to find a controller. During this initialization phase, a rogue controller could respond and push a bad configuration to the access point, disabling the device.

Cisco provides an advisory here: http://tools.cisco.com/security/center/viewAlert.x?alertId=18919

The quick summary: establish basic configuration options, such as encryption keys and preferred controller lists, before deploying the device.




Aug 24 2009

Vulnerability in Pidgin

Published by hirantha at 10:00 AM under Security | Instant Messaging

Core Security Technologies published a vulnerability in libpurple. Libpurple is the backend framework for many instant messenger clients, including Pidgin, Finch, Adium, Meebo, and Gaim. Although Core specifically mentions only Gaim, libpurple, Pidgin, and Adium, the other libpurple-based clients may be vulnerable as well.

Versions of libpurple <= 2.5.8 (Pidgin <= 2.5.8 and Adium <= 1.3.5) are vulnerable. The vulnerability is in the function msn_slplink_process_msg(), which handles instant messages from the MSN network.

All it takes to trigger this vulnerability is to receive a message from another MSN user; the sender does not have to be on your buddy list. Configuring your client to allow only specific users to contact you is the only mitigation step (other than patching or logging off of the MSN network).

Solution:

Upgrade your respective IM client to a version based on a fixed libpurple. Non-vulnerable versions of libpurple are >= 2.5.9.




Aug 24 2009

Updates to VMware Products

Published by hirantha at 9:04 AM under Security | VMware

VMware has released the following new security advisory: VMSA-2009-0010.

This advisory results in updates to:

  • VMware Workstation
  • VMware Player
  • VMware ACE

