Cisco has also released three advisories for vulnerabilities in three of their products.  Patches are now available for the Unified Communications Manager, Digital Media Manager and the Digital Media Player Remote display.

An interesting hardware/software vulnerability has been released for OpenSSL which could allow an attacker to deduce at least parts of the private key.  The technique used to exploit this weakness doesn’t seem very practical for attacking a full size system, but could be practical against embedded devices.

A new release of the TYPO3 Core CMS system has been released to cover a few vulnerabilities (XSS, information disclosure).  Other Open Source projects, PHP and BIND have also been updated with security fixes.

The Zero Day Initiative also has some upcoming advisories for Apple’s Safari browser, which may mean updates from Apple.  The ZDI has rated these as “High” severity.

Last, but never least, VMWare has released and advisory for some of their products, which includes another large list of CVEs covered.  These updates include a long list of third party updates for packages in ESX.

• Microsoft: IE Help Code Execution Vulnerability
• Microsoft: IE Help Code Execution Vulnerability (MS Security Research and Defense blog)
• Microsoft: March 2010 Patch Tuesday Advanced Notification
• Microsoft: Several known vulnerabilities to remain unpatched on forthcoming Microsoft patch day
• Cisco: Unified Communications Manager Denial of Service Vulnerabilities
• Cisco: Multiple Vulnerabilities in Cisco Digital Media Manager
• Cisco: Digital Media Player Remote Display Unauthorized Content Injection Vulnerability
• OpenSSL: Private key disclosure vulnerability
• TYPO3: Security update released
• ISC: BIND 9.6.2 released
• PHP: PHP 5.2.13 released
• Safari: Flaws in Safari Browser
• VMWare: Multiple ESX Service Console and vMA third party updates

• Microsoft Patch Tuesday: OpenType Font file decompression vulnerability
• Adobe: Security update for Flash Media Server
• Adobe: Security updates for Reader and Acrobat
• Oracle: Oracle Critical Patch Update (CPU) – 24 vulns, 3 with no authentication required
• MacOS X: PoC for MacOS X 10.5/10.6 vulnerability
• VMWare: Multiple updates for ESX
• Juniper Networks: JUNOS Malformed TCP Packet DoS
• D-Link (Multiple Routers): HNAP Protocol Security Bypass Vulnerability
• PowerDNS: PowerDNS Recurser Buffer Overflow Vulnerability
• Motorola Droid: Screen Lock bypass

Another interesting story, also from the Android family is about a piece of malware which made its way into the Android Marketplace, specifically a fake mobile banking application which was designed to harvest login credentials.  More coverage can be found at SANS.

Blog post by:  David Shpritz

Anthony Gartner
Chris Mills
Chris Gerling

Chris G rides the Failbus with his FIOS connection

IT Jobs: No “Widespread Worry”

Air Force Cyber Command

Cracking one billion passwords per second with NVIDIA video card

BREAK

Chris G talks about running VM’s in Vista Ultimate 64 bit

The guys discuss home networking

Soekris Box
Netgate m1n1wall firewall 3E 2D3

AIG Executives Blow $440,000 After Getting Bailout

Password Management Systems:

Password Safe
KeePass
Password Gorilla – Works on Mac OS X
1Password
Apple Keychain – Nice, but not portable
TrueCrypt on JungleDisk

New Nevada Law Requiring Businesses to Encrypt Emails with Customers

France required to keep record all connections