DarkFiber Consulting – IT Managed Services

Microsoft has released an update to address vulnerabilities in Microsoft Windows, Silverlight, Internet Explorer, .NET Framework, Office, SQL Server, Developer Tools, and Forefront as part of the Microsoft Security Bulletin Summary for October 2009. These vulnerabilities may allow an attacker to execute arbitrary code, operate with escalated privileges, cause a denial-of-service condition, or spoof an end user or website.

DarkFiber Consulting encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.

DarkFiber Consulting is aware of a public report describing how MD5 collisions can be leveraged to generate rogue SSL CA certificates. A rogue CA certificate could be used by an attacker to generate valid SSL certificates for arbitrary web sites. Using these certificates in DNS redirection attacks, an attacker could spoof an SSL protected web site and obtain sensitive information.  

DarkFiber Consulting will provide additional information as it becomes available.

Apple has released OS 2.2 for the iPhone and iPod touch to address multiple vulnerabilities. These vulnerabilities affect CoreGraphics, ImageIO, Networking, Office Viewer, Password Lock, Safari, and Webkit. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, place arbitrary calls, cause a denial-of-service condition, spoof user interface,  and obtain sensitive information.

DarkFiber Consulting encourages users to review Apple Article HT3318 and apply any necessary updates.

VMware has released a Security Advisory indicating it has updated the ESX packages to address vulnerabilities in libxml2, ucd-snmp, and libtiff. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, spoof authenticated SNMPv3 packets, or cause a denial-of-service condition.

DarkFiber Consulting encourages users and administrators to review VMware Security Advisory VMSA-2008-0017 and apply any necessary updates to help mitigate the risks.

Apple has released iPhone v2.1 to address multiple vulnerabilities in Application Sandbox, CoreGraphics, mDNSResponder, Networking, Passcode Lock, and Webkit. These vulnerabilities may allow an attacker to execute arbitrary code, conduct DNS cache poisoning attacks, spoof or hijack TCP sessions, bypass Passcode Lock, obtain sensitive information, or cause a denial-of-service condition.

DarkFiber Consulting encourages users to review Apple document HT3129 and upgrade to iPhone v2.1.

Apple has released four security updates to address multiple vulnerabilities in iTunes, QuickTime, iPod touch, and Bonjour for Windows. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, conduct DNS cache poisoning attacks, spoof or hijack TCP sessions, access the system with escalated privileges, or obtain sensitive information.

DarkFiber Consulting encourages users and administrators to review the following Apple Security Articles and apply any necessary updates:

• iTunes 8.0 (Article: HT3025)
• QuickTime 7.5.5 (Article: HT3027)
• iPod Touch v2.1 (Article: HT3026)
• Bonjour for Windows 1.0.5 (Article: HT2990)