VULNERABILITIES\FIXES - July 9,2009

Spyware, Viruses, & Security forum

by Carol~ Forum moderator / July 8, 2009 10:52 PM PDT
Symbian's first EPL release

9 July 2009

The Symbian Foundation has announced the availability of the first Symbian package to be released under the open source Eclipse Public License (EPL). In a Symbian Foundation Security Blog post, developer Craig Heath confirmed that the OS Security package source code is the first package to be moved from the closed Symbian Foundation License (SFL) to an open source license. The move has been made for two reasons, one practical and one symbolic.

Heath said the practical reason for the change was that under the previous licensing "it wasn't feasible to get an export license which permitted the SFL crypto library source code to be exported". According to the UK export rules and regulations that apply where the code is hosted, software that's in the public domain is exempt from export controls. Symbolically, the change demonstrates that the Symbian Foundation is very serious about "providing a platform that is both open and secure". It has yet to be confirmed which Symbian package will be the next to be moved to the open source licence.

Safari 4.0.2 addresses WebKit vulnerabilities
by Carol~ Forum moderator / July 8, 2009 10:53 PM PDT

9 July 2009

Apple has closed two vulnerabilities in Safari 4, its web browser built on the open source WebKit browser engine, for Windows and Mac OS X. In addition to stability improvements to the Nitro JavaScript engine, Safari 4.0.2 addresses two WebKit vulnerabilities that could allow for the execution of arbitrary code or lead to a cross-site scripting (XSS) attack.

A critical vulnerability caused by a memory corruption issue in WebKit's handling of numeric character references, which could allow for the execution of arbitrary code, has been closed. A second vulnerability caused by an issue with WebKit's handling of the parent and top objects, which could have led to a cross-site scripting attack, has also been fixed. For the attacks to be successful, a victim must first visit a maliciously crafted website.

All users are advised to update their browsers as soon as possible. Safari 4.0.2 is available to download for Windows XP, Vista, Mac OS X 10.4.11 and 10.5.7.


FCKeditor Releases Version to address vulnerability
by Carol~ Forum moderator / July 9, 2009 7:24 AM PDT

July 9, 2009

The FCKeditor project has released FCKeditor version to address a vulnerability. This vulnerability is due to improper verification of input passed to the "CurrentFolder" parameter. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.

Additionally, FCKeditor is part of Adobe ColdFusion 8 and is enabled by default. The Adobe Product Security Incident Response Team (PSIRT) has posted a blog entry indicating that they are aware of public reports of ColdFusion websites being targeted for exploitation of this vulnerability.

US-CERT encourages users and administrators to upgrade to FCKeditor version to help mitigate the risks. ColdFusion 8 users should review Adobe security bulletin APSB09-09 and apply the hotfix to help mitigate the risks.
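The advisory above says only that input to the "CurrentFolder" parameter is not properly verified, not what the check should be. The following is an added example, not FCKeditor's or Adobe's code, of the containment check a file-manager connector needs for a client-supplied folder name. It assumes the parameter names a directory under a single upload root (the root path and the accepted character set are assumptions for the demo) and shows how to reject the usual escape attempts: "..", backslash separators, percent-encoded dots that a single URL-decode did not turn into real dots, and embedded NUL bytes.

```python
"""Validating a client-supplied folder parameter against an upload root."""
import posixpath
import re

# Assumed upload root for the demo; the real connector's root is deployment-specific.
UPLOAD_ROOT = "/var/www/userfiles"
# Allow-list for a single path segment (assumption: folder names are plain ASCII).
SEGMENT_RE = re.compile(r"[A-Za-z0-9_.-]+")


class InvalidFolder(ValueError):
    """Raised for any value that does not name a folder under the root."""


def resolve_folder(current_folder, root=UPLOAD_ROOT):
    """Map a folder parameter such as "/images/" to an absolute path under `root`.

    Anything that would resolve outside the root raises InvalidFolder.
    """
    if not isinstance(current_folder, str) or "\x00" in current_folder:
        raise InvalidFolder("folder must be a string without NUL bytes")
    if not current_folder.startswith("/"):
        raise InvalidFolder("folder must be given as /path/ relative to the root")
    # Treat backslashes as separators too, so "\..\" cannot slip past a check
    # that only looks for "/../".
    rel = posixpath.normpath(current_folder.replace("\\", "/").lstrip("/"))
    if rel == ".":
        return root  # "/" means the root itself
    segments = rel.split("/")
    # normpath keeps a leading ".." on a relative path, so escape attempts
    # survive to this point and are rejected here. The allow-list also rejects
    # "%2e%2e"-style encodings, which are not dots after a single URL-decode.
    for seg in segments:
        if seg in (".", "..") or not SEGMENT_RE.fullmatch(seg):
            raise InvalidFolder(f"disallowed path segment: {seg!r}")
    full = posixpath.join(root, *segments)
    if not full.startswith(root + "/"):
        raise InvalidFolder("resolved path escaped the upload root")
    return full


def is_allowed(current_folder, root=UPLOAD_ROOT):
    """Convenience wrapper: True when resolve_folder accepts the value."""
    try:
        resolve_folder(current_folder, root)
    except InvalidFolder:
        return False
    return True


if __name__ == "__main__":
    for value in ["/", "/images/", "/images/../../etc/passwd", "/..\\..\\windows"]:
        print(f"{value!r:35} -> {is_allowed(value)}")
```

The check works on the string alone, so it runs before anything touches the filesystem; on a real server you would additionally confirm that the resolved directory exists and is not a symlink pointing outside the root.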

OpenSSH 0day FUD
by Carol~ Forum moderator / July 9, 2009 12:03 AM PDT

Published: 2009-07-09,
Last Updated: 2009-07-09 08:40:37 UTC
by Bojan Zdrnja (Version: 1)

For the last couple of days we've all been witnesses to the FUD surrounding a supposed 0-day exploit for OpenSSH skyrocketing.

At this moment, it definitely looks like we're dealing with a hoax; even more, it's not the first time someone said they have a 0-day exploit for SSH. So, let's see some facts about this.

It appears that the whole story started after a post to the Full-Disclosure mailing list on the 4th of July. The post supposedly shows a hacker group using a 0-day exploit for SSH to compromise a server. After doing some research here, it appears that this is a long-standing argument between two guys (or groups). One of our readers submitted a URL which shows another hack.


OpenSSH zero day exploit rumours not confirmed
by Carol~ Forum moderator / July 9, 2009 4:39 AM PDT
In reply to: OpenSSH 0day FUD

9 July 2009

After several days, rumours of a possible zero day exploit for a previously unknown security vulnerability in older versions (4.3) of OpenSSH have not been confirmed. The recently observed intrusions into a number of systems instead appear to be the result of successful brute force attacks. Analysis of an attack on one of the affected servers does suggest a brute force attack rather than exploitation of a vulnerability, and OpenSSH maintainer and developer Damien Miller does not believe that there is a zero day exploit.

Nonetheless, US web host HostGator was sufficiently alarmed by the rumours to block all SSH access to customer servers as a precautionary measure, regardless of whether authentication was by password or public key. The HostGator support team fanned the flames by confirming the existence of the vulnerability on its customer forum and stating that it was working on a patch.
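The two posts above turn on one distinction: a guessed password shows up in sshd's log as a run of failures from one source followed by a success, whereas a genuine pre-authentication exploit would leave a success (or nothing) with no failures before it. The following detector is an added example, not the ISC's or heise's code, that makes that check over constructed sshd log lines (the hostnames, addresses and timestamps are made up for the demo). It fires a brute_force alert when one source reaches a threshold of failures inside a sliding window, and a success_after_failures alert when that same source then authenticates, which is the signature that HostGator's customers would have wanted checked before SSH was cut off for everyone.

```python
"""Flag SSH password guessing, and guesses that succeeded, from sshd auth logs."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog format; not from any real host.
SAMPLE_LOG = """\
Jul  8 02:14:01 web1 sshd[2231]: Failed password for invalid user oracle from 203.0.113.7 port 51122 ssh2
Jul  8 02:14:03 web1 sshd[2233]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
Jul  8 02:14:05 web1 sshd[2235]: Failed password for root from 203.0.113.7 port 51141 ssh2
Jul  8 02:14:07 web1 sshd[2237]: Failed password for root from 203.0.113.7 port 51150 ssh2
Jul  8 02:14:09 web1 sshd[2239]: Failed password for root from 203.0.113.7 port 51161 ssh2
Jul  8 02:14:11 web1 sshd[2241]: Accepted password for root from 203.0.113.7 port 51170 ssh2
Jul  8 02:20:44 web1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Jul  8 02:20:51 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.4 port 40023 ssh2
"""

# Matches the "Accepted ... / Failed ..." outcome lines sshd writes at the default LogLevel.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_sshd_log(text, year=2009):
    """Return one dict per authentication outcome line; other lines are ignored.

    Syslog timestamps carry no year, so the caller supplies it (2009 here).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "result": m["result"],
            "method": m["method"],
            "user": m["user"],
            "ip": m["ip"],
            "invalid_user": "invalid user" in line,
        })
    return events


def detect_password_guessing(events, threshold=5, window_seconds=300):
    """Sliding-window detector keyed on source IP.

    Emits 'brute_force' when a source reaches `threshold` failures within
    `window_seconds`, and 'success_after_failures' when a source still over
    the threshold then logs in: the pattern of a guessed password, as opposed
    to a pre-auth exploit, which would show a success with no failures first.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    tried = defaultdict(set)      # ip -> usernames attempted from that ip
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        tried[ev["ip"]].add(ev["user"])
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:   # fire once per crossing, not on every further failure
                alerts.append({"kind": "brute_force", "ip": ev["ip"],
                               "failures": len(q), "users": sorted(tried[ev["ip"]])})
        elif len(q) >= threshold:
            alerts.append({"kind": "success_after_failures", "ip": ev["ip"],
                           "user": ev["user"], "method": ev["method"],
                           "failures": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(parse_sshd_log(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are tuning knobs; the point is that a successful login is only interesting in the context of what the same source did just before it, which is why the detector keeps per-IP state rather than matching single lines.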


Vulnerabilities in WordPress
by Carol~ Forum moderator / July 9, 2009 4:36 AM PDT

9 July 2009

Security services provider Core Security has warned of a vulnerability in the processing of certain URLs in the popular WordPress blogging software, leading to various security problems. For example, unprivileged but registered users are reportedly able to examine the configuration pages of plug-ins and to change their options.

The "admin.php" plug-in, which doesn't test access rights correctly, is to blame. Core Labs has listed some sample URLs in its report to show how the plug-ins, including the WP module for the PHPIDS (PHP-Intrusion Detection System), can be manipulated.

The "Related Ways To Take Action" plug-in is affected by a number of cross-site scripting vulnerabilities that let an attacker run his own JavaScript in a victim's browser to, for example, read the contents of cookies on a victim's system. Another problem is that the login page handles incorrect user names and passwords differently to correct names and passwords and as a result an attacker might be able to guess a valid user name. The mail interface also acts erratically when a new password is requested.
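The last paragraph above describes a user-enumeration oracle: the login page answers differently depending on whether the user name exists. The following is an added example, not WordPress's or Core Security's code, that shows the leaky pattern beside a uniform one and the attacker-side loop that turns the difference into a list of valid accounts. The user store, hashing scheme and candidate names are constructed for the demo (this is not WordPress's password scheme). The same rule applies to the password-reset mail interface the report mentions: the response for an unknown address must be indistinguishable from the response for a known one.

```python
"""Login responses that reveal whether a username exists, beside a uniform one."""
import hashlib
import hmac
import os
import secrets

# Constructed user store for the demo: username -> (salt, PBKDF2-SHA256 digest).
# The iteration count is kept modest so the example runs quickly.
ITERATIONS = 50_000


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _record(password):
    salt = os.urandom(16)
    return (salt, _digest(password, salt))


USERS = {
    "alice": _record("correct horse battery staple"),
    "bob": _record("hunter2"),
}
# Dummy record used for unknown usernames so the hashing work is done either
# way; otherwise response time becomes the oracle the message no longer is.
DUMMY = _record(secrets.token_hex(16))
GENERIC_FAILURE = "Invalid username or password"


def login_leaky(username, password):
    """The pattern the report describes: the error text depends on whether
    the username was valid, so failures alone confirm account names."""
    rec = USERS.get(username)
    if rec is None:
        return False, "Invalid username"
    salt, digest = rec
    if not hmac.compare_digest(_digest(password, salt), digest):
        return False, "Incorrect password"
    return True, "Welcome"


def login_uniform(username, password):
    """Hardened form: the same message, and roughly the same work, on every failure."""
    rec = USERS.get(username)
    salt, digest = rec if rec is not None else DUMMY
    matched = hmac.compare_digest(_digest(password, salt), digest)
    ok = matched and rec is not None
    return ok, ("Welcome" if ok else GENERIC_FAILURE)


def enumerate_users(login, candidates):
    """Attacker side: learn the 'unknown user' message from a name that cannot
    exist, then keep every candidate whose failure message differs from it."""
    baseline = login("no-such-user-" + secrets.token_hex(8), "x")[1]
    return [name for name in candidates if login(name, "x")[1] != baseline]


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol", "mallory"]
    print("leaky   :", enumerate_users(login_leaky, wordlist))
    print("uniform :", enumerate_users(login_uniform, wordlist))
```

Against the leaky handler the wordlist collapses to the real account names; against the uniform handler every candidate returns the same text, so the attacker is back to guessing both halves of the credential. Rate limiting and lockout are still needed on top of this, since a uniform message does nothing to slow the password-guessing phase.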

