This week in software flaws

From Windows bugs to Kerberos problems to Cisco flaws, it wasn't a pretty week for software security.

By Steven Musil, night news editor, CNET News
It wasn't a pretty week in software security.

Hackers are actively exploiting two serious security vulnerabilities in Windows, Microsoft warned as it released "critical" alerts about the flaws. One of the problems affects the Microsoft Color Management Module, a component of Windows that handles colors. The other relates to the JView Profiler, part of Microsoft's Java Virtual Machine.

The vulnerabilities could be used to commandeer a PC. An intruder could take advantage of the JView Profiler flaw by crafting a malicious Web page and persuading a user to visit the site. As for the Color Management Module vulnerability, people could fall victim to an attack by viewing a malicious image.

Meanwhile, two serious security flaws in a technology widely used for network authentication could expose a swath of software products to hacker attack, experts have warned. The flaws could allow an online intruder to crash or gain access to computers running Kerberos, a freely available authentication technology that was developed by the Massachusetts Institute of Technology.

MIT rates both flaws "critical," according to two advisories. The university also made available patches to fix the problems and stated that exploitation of the bugs by attackers "is believed to be difficult." Several software makers have already released updates to their products to address the problem.

Several vulnerabilities were identified in Cisco Systems' products this week that could lead to denial-of-service attacks. The most noteworthy flaw was reported Tuesday when Cisco warned that hackers could cripple its IP telephony networks by exploiting flaws in its CallManager software, an essential component of Cisco's IP telephony technology, which is used for call signaling and call routing.

By exploiting the discovered vulnerabilities, an attacker can trigger an overflow in memory within a critical CallManager process. This can result in a denial-of-service condition, which will cause the CallManager server to shut down and reboot. Cisco has issued a patch for the vulnerability.