System Update(tm) "helps you reduce the time, effort, and expense required to support and maintain the latest drivers, BIOS, and other applications for Think or Lenovo systems". It enables you to get the latest updates from the Lenovo support site, or to automatically schedule your system to be updated. A vulnerability in the way Lenovo's System Update works allows attackers to spoof the update process; the spoofed update is then installed seamlessly into the Lenovo system's operating system.
The information has been provided by Security Objectives, Inc.
The original article can be found at: http://www.security-objectives.com/advisories/SECOBJADV-2008-01/
Multiple OpenSSL TLS Vulnerabilities
OpenSSL has two TLS-related programming errors that cause it to crash. The first error causes OpenSSL to crash with a segmentation fault when it receives a TLS 1.0 Client Hello packet containing a server name extension with server_name set to 0x00. The openssl program does not have TLS extension handling enabled by default; it has to be explicitly enabled at compile time. The second error causes the SSL client implementation to crash with a segmentation fault, caused by a NULL pointer dereference, when the 'Server Key exchange message' is omitted from the TLS handshake. The fault is present when Anonymous Diffie-Hellman key exchange is used.
The information has been provided by CERT-FI.
The original article can be found at: http://cert.fi/haavoittuvuudet/2008/advisory-openssl.html
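For the first OpenSSL error above, a defensive parse of the server name extension data, given as an added example that is not code from OpenSSL or from the CERT-FI advisory. It assumes the RFC 6066 extension layout and treats an empty or NUL-containing host name as malformed; `parse_sni`, the result codes and the sample byte arrays are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SNI_OK = 0, SNI_NONE = 1, SNI_MALFORMED = -1 }; /* hypothetical result codes */
/* Constructed sample extension_data values (not captured traffic). */
static const uint8_t sample_ok[]    = {0x00,0x06, 0x00, 0x00,0x03, 'a','.','b'};
static const uint8_t sample_nul[]   = {0x00,0x04, 0x00, 0x00,0x01, 0x00};  /* name is a single 0x00 */
static const uint8_t sample_empty[] = {0x00,0x03, 0x00, 0x00,0x00};        /* zero-length name */
static const uint8_t sample_trunc[] = {0x00,0x06, 0x00, 0x00,0x09, 'a','.','b'}; /* length overruns */

/* Parse server_name extension_data (RFC 6066 layout): uint16 list length, then
 * entries of { uint8 name_type; uint16 length; bytes }. Copies the first
 * host_name entry into out as a C string; rejects anything inconsistent. */
int parse_sni(const uint8_t *data, size_t len, char *out, size_t out_size)
{
    if (data == NULL || out == NULL || out_size == 0 || len < 2)
        return SNI_MALFORMED;
    out[0] = '\0';
    size_t remaining = ((size_t)data[0] << 8) | data[1];
    if (remaining == 0 || remaining != len - 2)   /* list must fill the extension exactly */
        return SNI_MALFORMED;
    const uint8_t *p = data + 2;
    while (remaining > 0) {
        if (remaining < 3) return SNI_MALFORMED;  /* no room for type + length */
        uint8_t name_type = p[0];
        size_t name_len = ((size_t)p[1] << 8) | p[2];
        p += 3; remaining -= 3;
        if (name_len > remaining) return SNI_MALFORMED; /* declared length overruns list */
        if (name_type == 0) {                     /* host_name */
            if (name_len == 0 || name_len >= out_size || memchr(p, 0, name_len) != NULL)
                return SNI_MALFORMED;             /* empty, too long, or embedded NUL */
            memcpy(out, p, name_len);
            out[name_len] = '\0';
            return SNI_OK;
        }
        p += name_len; remaining -= name_len;     /* skip unknown name types */
    }
    return SNI_NONE;
}

int main(void)
{
    char h[256];
    printf("%d %d %d %d\n", parse_sni(sample_ok, sizeof sample_ok, h, sizeof h),
           parse_sni(sample_nul, sizeof sample_nul, h, sizeof h),
           parse_sni(sample_empty, sizeof sample_empty, h, sizeof h),
           parse_sni(sample_trunc, sizeof sample_trunc, h, sizeof h));
    return 0;
}
```

The caller should abort the handshake with an alert on `SNI_MALFORMED` rather than pass the buffer on to name-matching code.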