This week will see five or more Microsoft Security Bulletins, which I will cover in my monthly Locksmith column and newsletter.
There is no real word yet as to the content except that there will be one or more security patches and some non-security patches.
But, while we are waiting for those to be released on Tuesday, we have several other things to worry about, starting off with a new Kerberos vulnerability for *nix systems. (Microsoft uses a proprietary version of Kerberos.)
Kerberos
The MIT krb5 telnet daemon reportedly has a vulnerability which would allow a remote attacker to gain root access without a password; see CVE-2007-0956. The details had not yet been posted when I last checked.
FrSIRT’s list of advisories connected with CVE-2007-0956 (http://www.frsirt.com/english/CVE-2007-0956.php) includes:
Mandriva
Turbolinux
Ubuntu
Redhat
Fedora
Debian
Gentoo
And more.
Kaspersky AV product threats
A number of vulnerabilities have been discovered in Kaspersky products including:
Anti-Virus for Windows Workstation version 6.0 and earlier
Anti-Virus for Windows Server version 6.0 and earlier
Internet Security version 6.0 and earlier
Anti-Virus version 6.0 and earlier
Those using Kaspersky products should note that the worst of the four newly reported vulnerabilities are remote code execution threats and should update to the latest version (6.0.2.614).
http://www.kaspersky.com/productupdates
Also, see:
http://www.kaspersky.com/technews?id=203038694
http://www.kaspersky.com/technews?id=203038693
Firefox
There is a remote code execution vulnerability in versions of Firebug prior to 1.01.
The fix is to update to Firebug version 1.02.
https://addons.mozilla.org/en-US/firefox/addon/1843
Yahoo! Messenger
The popular IM service has a buffer overflow vulnerability in an ActiveX control used in versions 5.x through 8.x of Yahoo! Messenger, which can let an attacker run arbitrary code on users’ systems if they innocently surf past malicious HTML code on a web site while IM is loaded.
See:
http://messenger.yahoo.com/security_update.php?id=031207
This affects ANY Yahoo! Messenger version installed prior to March 13, 2007, and users must update their program to protect against this critical threat in the ActiveX Audio system.
So, I guess it’s all quiet while we await the big bombs this month from Microsoft (AHH sarcasm).