US-CERT is aware of multiple vulnerabilities that affect CA BrightStor ARCserve Backup. These vulnerabilities may allow a remote, unauthenticated attacker to execute arbitrary code, escalate privileges or cause a denial-of-service condition.
More information regarding these vulnerabilities can be found in the CA BrightStor ARCserve Backup Security Notice.
- Oct 12 Fri 2007 15:40
CA BrightStor ARCserve Backup Vulnerabilities
- Oct 12 Fri 2007 15:17
JVN#63304072 Arbitrary script execution vulnerability in MouseoverDictionary

MouseoverDictionary, an extension for Mozilla Firefox, contains a vulnerability that allows arbitrary scripts to be executed.
- Version 0.6.1 and earlier
- Oct 12 Fri 2007 15:15
JVN#71872818 Cross-site request forgery vulnerability in AirStation WZR-RS-G54 and AirStation WZR-RS-G54HP

AirStation WZR-RS-G54 and AirStation WZR-RS-G54HP, wireless LAN routers made by Buffalo, contain a cross-site request forgery vulnerability.
- WZR-RS-G54 firmware Ver.2.46 and earlier
- WZR-RS-G54HP firmware Ver.2.43 and earlier
- Oct 12 Fri 2007 15:10
Storm gets cute
- Oct 12 Fri 2007 15:02
Should We Be Legally Obligated to Fix Vulnerabilities?
Security people deal with the scenario all the time: An organization's internal IT people find a vulnerability, or a third-party security assessment firm finds a vulnerability, but there's no leverage to get upper management to approve a fix.
The lack of legal obligation to fix known vulnerabilities is enough to get your blood boiling, particularly were you to have read a recent discussion on this topic on the blog of WhiteHat Security's Jeremiah Grossman.
- Oct 12 Fri 2007 14:55
Bringing Security into the Development Process
When it comes to data leaks, most of the talk is about hackers breaking into networks or employees e-mailing and downloading sensitive information. But some vendors are paying more attention to the preproduction environment, where there are often security holes big enough to push a hard drive through.
"The development environment and quality assurance environment have always been…significantly more open and free," said Louis Carpenito, former vice president of information security business strategy at Symantec.
- Oct 12 Fri 2007 14:50
Microsoft Fixes Excel Calculation Bug
Microsoft says it has fixed an Excel bug, which caused the spreadsheet to display erroneous calculation results, even though it performed the calculation correctly and stored it in Excel's memory.
In an Oct. 9 posting on the Excel section of MSDN [Microsoft Developer Network], the Excel Team served notice that, "as of today, fixes for this issue in Excel 2007 and Excel Services 2007 are available for download." Microsoft acknowledged the problem about two weeks ago on MSDN involving the calculation of numbers in its ever-popular Excel software program.
- Oct 12 Fri 2007 14:46
Oracle Security Update to Plug 51 Holes
A critical patch update from Oracle planned for next Tuesday includes 51 security fixes affecting numerous Oracle products.
According to an advisory posted on the application vendor's Web site, 27 of the fixes address issues in Oracle's database products, five of which concern vulnerabilities that can be exploited remotely without user authentication.
- Oct 12 Fri 2007 10:05
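2007 "Cyberspace: Information Security, Crime, and Legal Society" Academic Research and Practice Conference
2007 "Cyberspace: Information Security, Crime, and Legal Society"
Academic Research and Practice Conference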
(Cyberspace2007: Cybersecurity, Cybercrime and Cyberlaw)
- Oct 11 Thu 2007 17:32
Police Academy in India Hosting a Phishing Site
SVP National Police Academy in Hyderabad, India has had some sort of compromise on their website.
- Oct 11 Thu 2007 17:27
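"Antivirus Nemesis" (殺軟剋星) compromises 100,000 computers in 4 days
Recently, an antivirus monitoring center in Zhuhai detected a malicious virus named "Antivirus Nemesis" (殺軟剋星). After infecting a user's computer, the virus modifies the Folder Options on its own, replacing the normal display text under the "Hidden files and folders" menu with: "Even beasts have a shred of pity, but I have none at all, so I am not a beast."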
- Oct 11 Thu 2007 16:22
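Adobe confirms a serious vulnerability in its software; new patch to be released at the end of the month
In an online security advisory, Adobe recently described a code execution vulnerability present in Adobe Reader V8.1 and other versions such as Adobe Acrobat Standard, Adobe Acrobat Professional, Adobe Acrobat Elements 8.1 and Adobe Acrobat 3D. The vulnerability affects Microsoft Windows XP and Internet Explorer 7. Adobe has not yet released a security patch, but it has provided an emergency workaround.
Adobe also stated in the document that it is preparing updates for Adobe Reader V8.1 and Acrobat V8.1 and will release the patch before the end of October if possible.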
- Oct 11 Thu 2007 16:21
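Microsoft releases October patches: seven patches fix nine software vulnerabilities
According to foreign media reports, Microsoft has released its October monthly security patch package, in which a total of seven patches fix nine software vulnerabilities.
Microsoft issued seven patches this time, one of which is a re-release of an earlier patch. Six of the seven patches are for the Windows operating system, and the other is for Office. The vulnerabilities fixed by four of the patches are rated "Critical" by Microsoft.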
- Oct 11 Thu 2007 16:20
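Sun confirms vulnerabilities in Solaris that allow remote execution of malicious code
Sun recently warned users that Sun Solaris contains multiple remote code execution vulnerabilities, and it advises users to be vigilant and, where necessary, to disable the Font server.
According to foreign media reports, Alan Coopersmith of Sun's systems engineering team confirmed on his blog that the front-end server has vulnerabilities, and he pointed out that the issue does not affect only Solaris: in most default configurations its impact extends to the entire network.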
- Oct 11 Thu 2007 16:18
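eBay servers hit by a hacker attack again; some accounts affected
According to foreign media reports, eBay announced on Monday that it had temporarily disabled a small number of user accounts after a hacker maliciously broke into its servers on Friday.
eBay spokesperson Nichola Sharpe said: "We quickly blocked the malicious hacker's intrusion, before he had a chance to cause us any permanent damage. The hacker did not gain access to financial information or other sensitive information." She added that eBay had restored the accounts affected by the intrusion and notified the users concerned. However, she did not disclose how many accounts the hacker had accessed and modified.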