
SANS ISC InfoSec Handlers Diary Blog



Chrome update contains Security fixes

Published: 2009-07-18
Last Updated: 2009-07-18 17:13:13 UTC
by Patrick Nolan (Version: 1)
0 comment(s)

On Thursday, July 16, Google released Chrome 2.0.172.37. It fixes two vulnerabilities: one Google rates Critical severity (memory corruption in the browser process) and one rated High severity (a heap overflow in JavaScript regular expression handling). Google credits the "Google Chrome security team" with identifying both.

Stable, Beta update: Bug fixes


From the Mailbag - taking Oracle and its CPU to task

Published: 2009-07-18
Last Updated: 2009-07-18 17:10:53 UTC
by Patrick Nolan (Version: 1)
2 comment(s)

As a follow-up to a previous diary (Oracle Black Tuesday), Storm Center participant Brian offered some comments about Oracle's CPU (Critical Patch Update).

Brian said "Regarding your comment on Oracle Black Tuesday, I have several observations that may benefit other ISC readers.

The exposure of Oracle's CPU goes far beyond the database as they have expanded significantly into many other software, including key security management software (Identity Management/Authentication).

As Oracle repackages several open source products, administrators are stuck choosing between security and support.  For example, the recent patches to Apache's http server can't be applied because Oracle repackages that product as Oracle HTTP Server.  Apply the patches and you're no longer supported.

Oracle has got to find a way to make the CPU analysis easier.  The decision matrix an administrator has to go through is obscene.  I conducted an analysis of a recent CPU for our environment and it took me over a week solid to determine what the exposure was and what the pre-requisites for the CPU patches were.  And that doesn't include the support time and outages because Oracle's documentation was incorrect.  As a user community, we need to push Oracle to make this process simpler (think up2date or YaST or even Windows Update)."

Thanks for sending in your thoughts, Brian. Banding together and working with the vendor is always effective. If there is already a group of customers that has banded together to work with Oracle on this, let us know some of the group's specifics and I'll update the diary.

In addition to the previous diary's comment about the lack of substantial vulnerability information for non-customers, it should be noted that Oracle's public Critical Patch Update Advisory - July 2009 has a section called Patch Availability Table and Risk Matrices. Each product's risk matrix lists CVSS 2.0 data (base score plus the access vector, access complexity, authentication and impact metrics, and whether the issue is remotely exploitable without authentication) that can help both customers and non-customers prioritize which CPU patches to deploy first.


Vulnerability in Firefox 3.5.1 confirmed, exploit PoC, no patch

Published: 2009-07-18
Last Updated: 2009-07-18 15:04:23 UTC
by Patrick Nolan (Version: 1)
5 comment(s)

Various analysts and sites have confirmed a vulnerability in Firefox 3.5.1 for which a proof-of-concept exploit has been released. Successful exploitation can lead to system compromise or a denial of service. No patch is available at this time.

Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow Vulnerability

CVE-2009-2479
