copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
Search this site

On this site

 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login


The week after Christmas Holidays

Date: 07 January 2011

Click here for printable version

Greetings All,

One more Christmas and New Year down, hopefully many more to go. Thankfully this year seemed to bring with it many fewer incidents of holiday season targeted malware; unless it was just the eggnog being much stronger this year.

If you are anything like me then the storms were more dangerous to your systems than the malware out there. Due to an unfortunate BIOS setting (what to do after a power failure), a short blackout, and a little dash of Christmas cheer, I had not realised that a quick press of the power button would have brought my baby back to life. Instead, I ventured into the unknown, and spent Christmas day OUTSIDE! My pale pasty skin managed to survive the occasional ray of sunshine that snuck through the clouds while I walked along the beach accompanied by four bedraggled dogs and a few people.

Fortunately for me, the holidays also presented vulnerability discoverers with a socially acceptable alternative to fuzzing, eating and sleeping (or NOPing as a friend once said). This resulted in a rather subdued first week back, but I am sure things will pick up.

Of note this week is a Wordpress patch, bringing it up to version 3.0.4. Also keep an eye out for the 3.1 release (currently sitting on RC2).

This week also brought the release of two new Microsoft vulnerabilities, bringing the total number of unpatched vulnerabilities publicly known to four; one for Windows and three for Internet Explorer. Unfortunately, Microsoft has only announced 2 bulletins for next "patch Tuesday", BOTH of which are listed as Windows. So I would stake my BIOS configuration skills on there being known Internet Explorer vulnerabilities not patched this coming Tuesday/Wednesday.

I would mention the Apple Mac OS X 10.6.6 update, but there was only one vulnerability and 10.5 didn't even need an update.

Lastly Debian has released a bulletin(s) for nss, apache2 and openssl that implement the RFC5746 renegotiation extension. Unfortunately they seem to have released it as one bulletin and then two completely different updates to that bulletin. However, with my well trained eagle eyes (and the help of an "undo" button) I managed to recover the first two and send all three for your reading pleasure (or ignoring if you don't run Debian).

Until next week, may the automatic power recovery setting be with you.