Month: August 2004

Trend Micro wants to borrow the eyes of beta testers to evaluate its new Virus Encyclopedia. The beta version of the encyclopedia includes new search criteria as well as the option for a printer-friendly format. Users who take the time to fill out the survey will receive a free one-year license to PC-cillin 2005 when it is released. Participants are asked to compare the usability of the new beta Web site with the existing Virus Encyclopedia. Each section of the survey is accompanied by screenshots to make comparing the strengths and weaknesses of the two sites more convenient. http://www.betanews.com/article/1092433448

SecurityTracker URL:  http://securitytracker.com/id?1010952Impact:  Execution of arbitrary code via network, User access via network Vendor Confirmed:  Yes    Advisory:  iDEFENSE Version(s): 6.0.2 and prior versions  Description:  iDEFENSE reported a buffer overflow vulnerability in an ActiveX component of Adobe Acrobat. A remote user can execute arbitrary code on the target user’s system. It is reported that a remote user can create a PDF file with a specially crafted embedded HTTP link so that when the file is opened, the buffer overflow will be triggered. If the request is made to a web server (e.g., IIS, Netscape Enterprise Server) that truncates the request at the null … Continue reading Adobe Acrobat Buffer Overflow in ‘pdf.ocx’

Yahoo! has patched a flaw in the open source Portable Network Graphics (PNG) image format that is utilized by its real-time communications product Yahoo! Messenger. Yahoo! spokesperson Terrell Karlsten told BetaNews, “Beginning today, we are notifying users who are currently running Windows versions 6.0 to install the security update. Upon logging into Yahoo! Messenger, users will be prompted with a message window that invites them to update their service.” Users may also download the new release separately. http://www.betanews.com/article/1092447491

EEYEB-20040802-A Days Overdue 0Vendor: Microsoft Severity: Medium (Local Code Execution) Date Reported: August 02, 2004 Days Since Initial Report: 10 Operating Systems Affected:Windows MeWindows XP (SP0-SP2RC2)Windows 2003 http://www.eeye.com/html/research/upcoming/20040802-A.html EEYEB-20040802-B Days Overdue 0Vendor: Microsoft Severity: Medium (Local Code Execution) Date Reported: August 02, 2004 Days Since Initial Report:  10  Operating Systems Affected:Windows 2000Windows XP http://www.eeye.com/html/research/upcoming/20040802-B.html EEYEB-20040802-C Days Overdue 0Vendor: Microsoft Severity: Medium (Local Code Execution) Date Reported: August 02, 2004 Days Since Initial Report: 10   Operating Systems Affected:Windows 2000 http://www.eeye.com/html/research/upcoming/20040802-C.html EEYEB-20040802-D Days Overdue 0Vendor: Microsoft Severity: Medium (Local Code Execution) Date Reported: August 02, 2004 Days Since Initial Report:  10  Operating Systems Affected:Windows MeWindows XP (XP0 – XPSP2 RC2) http://www.eeye.com/html/research/upcoming/20040802-D.html       

RealPlayer Unspecified Flaw Vendor: RealNetworks Description:A vulnerability in default installations of the affected software that allows malicious code to be executed with little user interaction. Severity: High (Remote Code Execution) Operating Systems Affected: RealPlayer Status: Initial report stage Also in http://www.securitytracker.com/alerts/2004/Aug/1010931.html http://www.eeye.com/html/research/upcoming/20040811.html

Just as spam, worms, and viruses have polluted the signal to noise of the e-mail platform, now spyware threatens to cut the legs out from under customer confidence in doing financial transactions on the Web. But, does spyware threaten the economic underpinnings of the Web, or is it an opportunity to turn the problem on its head? What if we turn spyware from a threat into a service, where users accept monitoring of their activities in return for access to a secure, indemnified network of enhanced services? If this transformation were to take hold, the vehicle to carry it forward … Continue reading Spyware as a service

While developers at Microsoft Corp. may be celebrating that they finished work on Service Pack 2 (SP2) for Windows XP, IT departments around the world now face the question of whether they should update their systems, or not.IBM Corp., for one, is holding off on installing the security focused update for Windows XP. In a note headlined “To patch — or not to patch” posted Friday on its corporate intranet, IBM tells its employees not to download SP2 when it becomes available because of compatibility issues. A copy of the note was obtained by IDG News Service. “While this patch … Continue reading IBM tells employees not to install Windows XP update