subject: SANS
posted: Wed, 13 Dec 2000 10:25:36 -0000


http://www.sans.org/newlook/digests/ntdigest.htm

With 13 bulletins in October, Microsoft tied their record for most bulletins in one month. Because three of them are about Win9x, they are of very limited interest. Furthermore, two of them announce patches for the Java Virtual Machine, so only the most recent of those patches needs to be applied. However, in the mix was one of the most serious vulnerabilities in about a year. The vulnerability was a failure in Internet Information Server to properly detect certain Unicode strings in a URL. The string allows an attacker to effect a ../ attack and escape out of the web root. This means an attacker can execute programs on the web server in the context of the anonymous web user account. The patch, discussed in 1.10 below, should be immediately applied to all web servers running IIS 4 and 5. This month's issue of the SANS Windows Security Digest also covers several vulnerabilities in Internet Explorer, and a plethora of vulnerabilities in third-party products, including a few very significant problems with Allaire JRun and a buffer overflow in iPlanet Web Server.

---
* Origin: [adminz] tech, security, support (192.168.0.2)
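The IIS bug summarized in the digest, as an added example that is not part of the digest, of Microsoft's code, or of the message above: a model of the decode-after-check ordering that made it exploitable (the "../" filter ran on the raw bytes before the Unicode decode, so the overlong UTF-8 encoding %c0%af of "/" passed the filter and was turned back into "/" afterwards), beside the corrected ordering (strict decode, canonicalize, then verify the result is still under the web root), plus a check that flags such requests in log lines. WEBROOT, the function names, and the constructed log layout are assumptions.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Hypothetical document root; a real IIS install uses its own paths.
WEBROOT = "/inetpub/wwwroot"


def lenient_utf8(raw: bytes) -> str:
    """Decode UTF-8 the way a lax decoder does: any two-byte sequence with a
    0xC0..0xDF lead byte is accepted, including the overlong forms (lead byte
    0xC0/0xC1) that spell an ASCII character, e.g. b'\\xc0\\xaf' for '/'.
    A strict decoder rejects those as malformed."""
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            # Longer sequences are not needed for this demonstration.
            raise ValueError("unsupported byte sequence at offset %d" % i)
    return "".join(out)


def resolve_vulnerable(url_path: str) -> str:
    """Pre-patch ordering: the '../' check runs on the percent-decoded bytes,
    and the Unicode decode that turns %c0%af back into '/' happens afterwards,
    so the traversal only becomes visible once the check has already passed."""
    pct = unquote_to_bytes(url_path)              # %c0%af -> b'\xc0\xaf'
    if b"../" in pct or b"..\\" in pct:
        raise PermissionError("traversal rejected")
    decoded = lenient_utf8(pct)                   # b'\xc0\xaf' -> '/'
    return posixpath.normpath(WEBROOT + "/" + decoded)


def resolve_hardened(url_path: str) -> str:
    """Decode strictly (overlong forms are an error), canonicalize, and only
    then check that the result is still inside WEBROOT."""
    try:
        decoded = unquote_to_bytes(url_path).decode("utf-8")  # strict by default
    except UnicodeDecodeError:
        raise PermissionError("malformed UTF-8 in URL rejected") from None
    decoded = decoded.replace("\\", "/")
    full = posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):
        raise PermissionError("traversal rejected")
    return full


def rejects(resolver, url_path: str) -> bool:
    """True if the resolver refuses the request."""
    try:
        resolver(url_path)
    except PermissionError:
        return True
    return False


# Constructed sample lines ("client method path status"), not real log data.
SAMPLE_LOG = [
    "10.0.0.5 GET /default.asp 200",
    "10.0.0.7 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir 200",
    "10.0.0.9 GET /scripts/../../winnt/system32/cmd.exe?/c+dir 404",
]


def overlong_requests(log_lines):
    """Return request paths whose percent-decoded bytes are not valid UTF-8.
    Overlong encodings of '/' and '\\' land here, which is the signature to
    hunt for in web server logs; a plain '../' request is not flagged, since
    the ordinary filter already catches it."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        path = fields[2]
        try:
            unquote_to_bytes(path).decode("utf-8")
        except UnicodeDecodeError:
            hits.append(path)
    return hits


if __name__ == "__main__":
    attack = "/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe"
    print("vulnerable resolves to:", resolve_vulnerable(attack))
    print("hardened rejects it:", rejects(resolve_hardened, attack))
    print("flagged in log:", overlong_requests(SAMPLE_LOG))
```

The vulnerable resolver returns a path outside WEBROOT for the overlong request while rejecting the plain "../" form, which is exactly the gap the digest describes; the hardened resolver rejects both because the check is made on the canonical path, after a strict decode.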
