FTP Flaw Could Disable Wide Range of Servers

An easily exploitable flaw could enable an anonymous attacker to cause a denial of service on many common FTP server platforms, including some public FTP servers run by software giants Adobe and HP, according to a report published by SecurityReason. The vulnerability affects a wide range of FTP servers, including those running on OpenBSD (4.7), NetBSD (5.0.2), FreeBSD (7.3/8.1), Oracle's Sun Solaris 10 and the GNU C library (glibc), which is used by some leading software vendors.

The vulnerability exists in the glob() function, which is used to enable wildcard searches by file name. When exploited, the hole can cause servers to become slow, unresponsive and even crash. According to the report from Maksymilian Arciemowicz, a security researcher with SecurityReason, the error boils down to a problem with GLOB_LIMIT, a component added in 2001 to help bound the memory used by glob(). The faulty GLOB_LIMIT handling lets crafted patterns consume memory, and that is what the attack relies on.

Arciemowicz said a number of well-trafficked sites (named in the report) are all vulnerable to denial-of-service attacks using the glob() function. Those sites often allow anonymous logins, making attacks even easier.

Unlike previous FTP attacks such as Gumblar, which remotely steals credentials, the glob() flaw does not allow remote code to be executed on the affected system, and exploitation does not appear to be widespread. A patch has yet to be issued.

The H Security has more details about the flaw.
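Because the report describes resource exhaustion driven entirely by the pattern an anonymous client submits, an FTP server can reduce its exposure independently of the libc fix by bounding pattern complexity before the pattern ever reaches glob(). The following is an added example written for this page; it is not code from SecurityReason's report, from the affected operating systems, or from any particular FTP daemon. The thresholds (pattern length, wildcard count, path depth, number of ".." segments) and the sample patterns are constructed assumptions for illustration, and the rejected samples are simply over those thresholds, not a statement of which patterns trigger the reported bug.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical pre-filter for glob patterns received from an (anonymous) FTP
 * client, applied before the pattern is handed to the C library's glob().
 * The thresholds below are illustrative assumptions, not values taken from
 * the report or from any affected FTP server.
 */
#define MAX_PATTERN_LEN   256   /* bytes */
#define MAX_WILDCARDS     4     /* '*', '?' and '[' characters in total */
#define MAX_COMPONENTS    8     /* path segments separated by '/' */
#define MAX_DOTDOT        1     /* ".." segments, each of which makes glob() re-walk a parent */

/* Returns true when pat is simple enough to pass to glob(), false when it
 * should be rejected (e.g. with a 550 reply) without touching the filesystem. */
bool glob_pattern_is_safe(const char *pat)
{
    if (pat == NULL) return false;
    size_t len = strlen(pat);
    if (len == 0 || len > MAX_PATTERN_LEN) return false;

    int wildcards = 0, components = 1, dotdot = 0;
    const char *comp = pat;           /* start of the current path segment */

    /* Walk the pattern once, including the terminating NUL so the last
     * segment is examined like the others. */
    for (size_t i = 0; i <= len; i++) {
        char c = pat[i];
        if (c == '*' || c == '?' || c == '[')
            wildcards++;
        if (c == '/' || c == '\0') {
            size_t clen = (size_t)((pat + i) - comp);
            if (clen == 2 && comp[0] == '.' && comp[1] == '.')
                dotdot++;
            if (c == '/') {
                components++;
                comp = pat + i + 1;
            }
        }
    }
    return wildcards  <= MAX_WILDCARDS &&
           components <= MAX_COMPONENTS &&
           dotdot     <= MAX_DOTDOT;
}

int main(void)
{
    /* Constructed sample patterns. The rejected ones merely exceed the
     * thresholds above; this is not a claim about the reported bug's trigger. */
    const char *samples[] = {
        "*.txt",
        "pub/*/README",
        "../*",
        "../../*",
        "*/../*/../*/../*/../*/../*",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s %s\n", samples[i],
               glob_pattern_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The check is deliberately stricter than anything glob() itself enforces: a legitimate anonymous user listing a mirror rarely needs more than a handful of wildcards or parent-directory hops, so rejecting patterns above these limits costs little, and because it runs before any filesystem access it cannot itself be turned into the expensive operation it is guarding.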

Sun About Face: Out-of-Cycle Java Update Patches Critical Flaw

In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks. The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch, and less than a day after researchers spotted live exploits on a booby-trapped song-lyrics Web site.

Just days after Google researcher Tavis Ormandy released details on a dangerous new Java vulnerability, malicious hackers have pounced and are exploiting the flaw in the wild to launch drive-by download attacks.

By George V. Hulme

Not surprisingly, the elder statesmen of cryptography had a few things to say about the security of cloud computing, but with little agreement.
Whitfield Diffie, chief security officer at Sun Microsystems, kicked off the cloud security discussion, stating that while securing the cloud computing model will have its challenges, they'll be overcome in due time, and that ultimately cloud computing will become as pervasive as, well, clouds. "Cloud computing will come to where no real program and data will be run on the computers of the company that is using the program," he says.

The rumored acquisition of Sun Microsystems by IBM could have far-reaching consequences for the identity-management market. Both companies have long histories in the IAM market, but have taken different paths over the years, with Sun focusing on open-source development and IBM sticking with the commercial model. So integrating the two portfolios could prove to be a major challenge, writes Steve Coplan of The 451 Group.

Is your Java up to date?

For a long time, the experience of patching Sun’s Java software has been less than pleasant. The updates were huge and time consuming, the patching instructions were a mess and, even worse, Sun never removed older, vulnerable versions from the patched machine.

Now it appears that things have been fixed. For starters, the company is offering this very important link that allows users to run a quick scan to determine whether the Java environment installation is up to date.
