I thought I'd post this as a round-up of some of the latest security and privacy issues that I have seen over the past few days. Most of the security issues have yet to be patched (except the WMP Super Cookie, which can be turned off, and the CDE vulnerability, for which a patch is available)...
Internet Explorer Pop-Up OBJECT Tag Bug - The PopUp object allows the insertion of embedded objects; they run in a high privilege space allowing the execution of local applications remotely. (This one looks interesting... Ed.)
News source: SecurityFocus.com's BugTraq
MSIE 6.0 will rollback during XP Pro Install - When upgrading to Windows XP Pro from previous versions of Windows (only Win 98SE validated), IE 6.0 files are overwritten during the operating system software installation process, effectively rolling the browser software back to original release version 6.0.0000.0000 and removing all installed patches, including Q313675 (See MS01-058).
News source: SecurityFocus.com - BugTraq
Internet Explorer SuperCookies bypass P3P and cookie controls - Using simple JavaScript code on a Web page, a Web site can grab the unique ID number of the Windows Media Player belonging to a Web site visitor. This ID number can then be used just like a cookie by Web sites to track a user's travels around the Web. You can disable this feature in IE6 and Windows XP (by default it is turned ON in IE/WMP!) by turning off "Allow Internet Sites to uniquely identify your player" in WMP, but this requires the user to manually change settings in a different program!
News source: SecurityFocus.com - BugTraq and updated info here
And in a rare example of a recently reported vulnerability being used, researchers observing a Sun Solaris server for the Honeynet Project (an initiative to develop ways to turn spare computers into digital fly traps to study and document actual Internet attacks) witnessed an attacker using the buffer overflow vulnerability in the "Common Desktop Environment (CDE) Subprocess Control Service". The vulnerability affects not only Solaris, but also IBM's AIX, HP-UX and other Unix operating systems running this service.
Lance Spitzner, project manager for the Honeynet Project, said: "The bad guy accessed our system, downloaded a back door, and made it so he could log in anytime he wanted. Then, he logged in a couple days later and loaded a denial-of-service tool to attack several online chat servers."
News source: CNet News
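Two things an administrator of a Solaris, AIX or HP-UX box would want after reading the CDE item above: a check for whether inetd is still starting the Subprocess Control Service (dtspcd) on a host, and a way to spot inbound connection attempts to it in firewall logs, which is essentially what the Honeynet team saw. The script below is an added example, not code from the round-up or from the Honeynet Project. It assumes dtspcd is launched from /etc/inetd.conf under the service name "dtspc" and listens on 6112/tcp (as CERT advisory CA-2001-31 describes); the inetd.conf fragment and the iptables-style log lines are constructed sample data.

```python
"""Added example (not from the round-up): detect dtspcd exposure and inbound
connection attempts to it.  Assumes the service name 'dtspc' in inetd.conf and
the port 6112/tcp, both taken from CERT CA-2001-31, not from the page above."""
import re

DTSPCD_PORT = 6112  # dtspcd's TCP port (assumption from CERT CA-2001-31)

# Constructed /etc/inetd.conf fragment: one live dtspc line, one already commented out.
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
telnet  stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
dtspc   stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
#dtspc  stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
"""

# Constructed firewall log lines (iptables-style fields); addresses are documentation ranges.
SAMPLE_FW_LOG = """\
Jan 08 02:13:44 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4321 DPT=22
Jan 08 02:14:02 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=33012 DPT=6112
Jan 08 02:14:05 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=33013 DPT=6112
Jan 08 02:15:30 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=5000 DPT=6112
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def active_services(inetd_conf):
    """Names of the services inetd would actually start: blank and '#' lines are skipped."""
    names = set()
    for line in inetd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.add(line.split()[0])
    return names


def dtspcd_enabled(inetd_conf):
    """True when inetd is still configured to launch the Subprocess Control Service."""
    return "dtspc" in active_services(inetd_conf)


def disable_dtspcd(inetd_conf):
    """Return the config with every live dtspc line commented out.

    This is the interim mitigation for hosts that do not need CDE remote
    subprocess control until the vendor patch is applied; inetd must be
    told to re-read its config afterwards (HUP signal)."""
    out = []
    for line in inetd_conf.splitlines():
        if not line.lstrip().startswith("#") and line.split()[:1] == ["dtspc"]:
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def dtspcd_connections(log_text):
    """(src, dst) pairs for TCP connection attempts to the dtspcd port.

    UDP traffic to 6112 is ignored: dtspcd is a TCP service, so only TCP
    attempts indicate someone probing for it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["proto"] == "TCP" and int(m["dpt"]) == DTSPCD_PORT:
            hits.append((m["src"], m["dst"]))
    return hits


if __name__ == "__main__":
    print("dtspcd enabled in sample inetd.conf:", dtspcd_enabled(SAMPLE_INETD_CONF))
    print("after mitigation:", dtspcd_enabled(disable_dtspcd(SAMPLE_INETD_CONF)))
    for src, dst in dtspcd_connections(SAMPLE_FW_LOG):
        print(f"dtspcd connection attempt from {src} to {dst}")
```

Run against a real host, `active_services` would be fed the contents of /etc/inetd.conf, and `dtspcd_connections` a tail of the firewall or packet-filter log; a single external source hitting 6112/tcp on several internal hosts in a few seconds, as in the sample, is the scanning pattern worth alerting on.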
Grant said the new product is aimed at large enterprise customers and will allow them to make use of any IP-based LAN for telephony services.
It can be used to extend VoIP to remote offices without a PBX, but those end-users will need a broadband connection such as DSL.
Strachman said the NEAX 2400 is still a TDM voice product at heart. "This is a hybrid," Strachman said. "NEC is essentially rigging their traditional PBX to handle IP."
He emphasized, however, that this was an appropriate strategy. "There is no reason to do VoIP just for the sake of doing it. NEC has a solid customer base doing traditional TDM telephony. This is a way for them to migrate to IP where they see a need."
Businesses with lots of small, remote offices might find this appealing, Strachman continued. "You could give all those offices four-digit dialing without having to install a PBX in each one," he said.
Grant said NEC's strategy is to end the debate about pure VoIP vs. TDM. "With our new NEAX 2400 you get to keep all your old PBX functions and still move to VoIP."
According to Strachman, about 15 percent to 20 percent of businesses in the United States are now using some VoIP.