February 16th, 2007
Think 'Patch Tuesday' is just for Microsoft? Think again!
Multiple Cisco vulnerabilities affecting IPS functionality in routers, PIX/ASA/FWSM firewalls, Switches. Multiple Cisco vulnerabilities affecting SIP/FTP/HTTP inspection in PIX/ASA products. While the patches are available, most Cisco devices are rarely if ever patched. For example, here is a long list of issues within the last three months that many people are unaware of. The common assumption for too many people is that network devices are plumbing and that you don't really have to think about them. This list should scare you enough to patch every Cisco device on your network to the latest stable software release. You should get in to a permanent monthly "patch Tuesday" frame of mind for your Cisco equipment.
Cisco Firewall Services Module SIP DoS and ACL Corruption
Cisco IOS IPS Security Bypass and Denial of Service
Cisco IOS SIP Packet Handling Reload Denial of Service
Cisco IOS VTP Denial of Service Vulnerability
Cisco IOS Multiple Vulnerabilities
Cisco Products SSL/TLS and SSH Validation Security Issue
Cisco IOS DLSw Denial Of Service Vulnerability
Cisco Multiple Products JTapi Gateway Denial Of Service
Cisco Secure ACS Multiple Vulnerabilities
Cisco Clean Access Predictable Snapshots Filename
Cisco Clean Access Unchangeable Secret Security Issue
Cisco Secure Desktop Multiple Vulnerabilities
Cisco Products OpenSSL Vulnerabilities
Cisco Products OpenSSL Vulnerabilities
Cisco Security Agent LDAP Authentication Bypass
Microsoft had a relatively large batch of patches for the month of February to clear out a backlog of zero-day Microsoft Office exploits (Office 2007 exempt). The first Vista remote exploit is ironically in the software that's suppose to be scanning for Malware.
If you're running Trend Micro, you have two critical flaws to worry about so far this month. There's a critical flaw in an ActiveX component from today and a critical UPX parsing flaw from last week.
Apple patches multiple critical vulnerabilities. Many of these issues were zero-day exploits released during the MoAB (Month of Apple Bugs).
Firefox had a moderately critical flaw from today for this month though it isn't nearly as bad as the nine highly critical flaws last month.
There was a critical zero-day exploit for the Solaris Telnet Daemon for those who are unfortunately still using Telnet. Sun did a great job and released an emergency patch within a day though I wish the patch would simply delete the Telnet Daemon
uTorrent (a superb BitTorrent Client) suffered its first security vulnerability when opening .Torrent files and it's a critical issue. The stable version of 1.6.1 which has been patched for this vulnerability is available for download on the uTorrent website.
Aruba which makes Wireless Switch controllers and light weight access points suffered its first two critical vulnerabilities it its controller. Patches are available on Aruba's support site.
Avaya VoIP products had two critical vulnerabilities this month. There were several other less critical to moderately critical vulnerabilities in Avaya products this months and flaws of every severity level in every previous month. Get use to the idea of doing a monthly "patch Tuesday" for Avaya products if you don't want your phone system to go down or worse, get hacked.
So what's the moral of the story? The hardware and software industry needs to start doing some serious code auditing and patch Tuesday isn't just for Microsoft.
George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
