Vulnerabilities


Cisco Patches Vulnerabilities in Data Center and Web Conferencing Products

Cisco is warning its customers about a remote command execution vulnerability in its Cisco Prime Data Center Network Manager.The product manages Ethernet and storage networks and troubleshoots for performance issues on Cisco products running NX-OS software. Versions prior to 6.1.1 are vulnerable to remote exploits on the underlying system that hosts the application, Cisco said.

Patch Available for Broadcom Mobile Device Firmware DoS Vulnerability

Older versions of Broadcom firmware found in a number of mobile devices from major vendors including the Apple iPhone, iPad, Samsung Galaxy S and HTC Droid Incredible are vulnerable to a denial of service attack.Researchers Andres Blanco and Matias Eissler of Core Security Technologies reported the vulnerability in August, and this week published details on proof-of-concept exploit code.


Patches released this week by database and mobile management vendor Sybase did not completely repair serious privilege escalation and remote code execution vulnerabilities in versions 15.0.3 and later of its Adaptive Server Enterprise (ASE) product.Researchers at Application Security Inc., which specializes in database security, reported a dozen vulnerabilities to the SAP company in July. AppSec also sent along proof-of-concept exploit code with details of the vulnerabilities.

Software security, code quality and the iea of building security into applications from the design phase forward have become touchstones for any conversation about how to improve the security of the Web and the general IT infrastructure. But it wasn’t always thus. In fact, it wasn’t too many years ago that the idea of software security took a back seat to the more traditional security disciplines. That’s changed of late, and one of the groups that’s been in the middle of the transformation is SAFECode, the industry organization comprising Microsoft, Adobe, SAP, EMC and others, that’s designed to advance software security methods and practices.

A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce that would repair a zero-day vulnerability currently exposed in Java SE. He hopes his actions will spur Oracle to issue an out-of-band patch for the sandbox-escape vulnerability, rather than wait for the February 2013 Critical Patch Update as Oracle earlier said it would.

More than 50 million users of the Steam gaming and media distribution platform are at risk for remote compromise because of weaknesses in the platform’s URL protocol handler, a pair of researchers at ReVuln wrote in a paper released this week.Luigi Auriemma and Donato Ferrante discovered a number of memory corruption issues, including buffer and heap overflows that would allow an attacker to abuse the way the Steam client handles browser requests. Steam runs on Windows, Linux and Mac OSX.