Cisco has also released three advisories for vulnerabilities in three of their products.  Patches are now available for the Unified Communications Manager, Digital Media Manager and the Digital Media Player Remote display.

An interesting hardware/software vulnerability has been released for OpenSSL which could allow an attacker to deduce at least parts of the private key.  The technique used to exploit this weakness doesn’t seem very practical for attacking a full size system, but could be practical against embedded devices.

A new release of the TYPO3 Core CMS system has been released to cover a few vulnerabilities (XSS, information disclosure).  Other Open Source projects, PHP and BIND have also been updated with security fixes.

The Zero Day Initiative also has some upcoming advisories for Apple’s Safari browser, which may mean updates from Apple.  The ZDI has rated these as “High” severity.

Last, but never least, VMWare has released and advisory for some of their products, which includes another large list of CVEs covered.  These updates include a long list of third party updates for packages in ESX.

• Microsoft: IE Help Code Execution Vulnerability
• Microsoft: IE Help Code Execution Vulnerability (MS Security Research and Defense blog)
• Microsoft: March 2010 Patch Tuesday Advanced Notification
• Microsoft: Several known vulnerabilities to remain unpatched on forthcoming Microsoft patch day
• Cisco: Unified Communications Manager Denial of Service Vulnerabilities
• Cisco: Multiple Vulnerabilities in Cisco Digital Media Manager
• Cisco: Digital Media Player Remote Display Unauthorized Content Injection Vulnerability
• OpenSSL: Private key disclosure vulnerability
• TYPO3: Security update released
• ISC: BIND 9.6.2 released
• PHP: PHP 5.2.13 released
• Safari: Flaws in Safari Browser
• VMWare: Multiple ESX Service Console and vMA third party updates

Two advisories from Cisco as well this week, covering two different products and a few different vulnerabilities (XSS, SQLi, and escalation of privilege among them).  Updates are also available for the iPhone OS for iPhones and iPod Touch devices which resolve vulnerabilities in different aspects of the OS.  In many cases visiting or viewing malicious content could cause overflows, which may allow for code execution.  An update for VMWare’s vCenter with more than 50 CVE’s covered, is also listed.

Some Open Source applications are also listed, one of the interesting ones is the e107 CMS, which was found to have a backdoor which was later used to compromise the project’s site before they applied their own patch (more details on that here).

• Adobe: Information Disclosure in ColdFusion 9
• Cisco Systems: Multiple Vulnerabilities in Cisco Unified MeetingPlace
• Cisco Systems: Cisco Secure Desktop Remote Cross-Site Scripting Vulnerability
• Apple: Multiple Vulnerabilities in iPhone OS
• VMWare: VMware vCenter update release addresses multiple security issues in Java JRE
• Lighttpd: slow request DoS/OOM attack
• Squid: DoS issue in DNS handling
• Bugzilla: Security Advisory for Bugzilla 3.0.10, 3.2.5, 3.4.4, and 3.5.2
• e107 CMS: Admin Authentication Backdoor