Security Patch Watch: Sun Java, Symantec, Cisco

By Chris Preimesberger  |  Posted 2005-11-30

Sun patches JRE and the Java SDK, Symantec patches its PCAnywhere telecommute software and Cisco patches a vulnerability in Cisco Security Agent.

Sun Microsystems Inc. on Wednesday released fixes for vulnerabilities discovered in the Sun Java Runtime Environment and in the Java Software Development Kit, which could be exploited by remote attackers to place and execute malicious files on a vulnerable system. Security alerts aggregator Secunia Inc. rates the issue as "highly critical" and said malicious hackers could exploit the exposure to "compromise a user's system."
An unspecified error may be exploited by a malicious, untrusted applet to read and write local files or execute local applications, Secunia said. The vulnerability has been reported in JDK/JRE 5.0 Update 3 and prior on Windows, Solaris and Linux platforms. SDK/JRE 1.4.2_xx and prior, and 1.3.1_xx releases are not affected, the security firm said.

Sun's suggestion for administrators is to upgrade all versions of the development kit and accompanying runtime. JDK/JRE 5.0 Update 4 or later can be downloaded here; SDK/JRE 1.4.2_09 or later is available here; and SDK/JRE 1.3.1_16 or later can be obtained here.

Symantec corrects flaw that could lead to DoS

Enterprise security vendor Symantec Corp. has issued new patches for its PCAnywhere PC management software, which could be exploited to cause a DoS (Denial of Service), the company said. PCAnywhere is a telecommuting tool that provides remote software control for consumers and large organizations. The software is also used for help desk applications and troubleshooting PC problems at remote offices.

The exposure is caused by an unspecified boundary error that can be exploited to create a buffer overflow prior to authentication, which crashes the PCAnywhere component, Symantec said. The vulnerability has been found in versions 11.0.1, 11.5.1 and all 32-bit versions. Earlier non-supported versions may also be affected, Symantec said, so it recommends that users of all versions prior to 11.0.1 upgrade to a supported version. The upgrade to the consumer version of Symantec PCAnywhere can be found here and the update to the enterprise version can be obtained here.

Cisco Systems reports hole in its own security software

A vulnerability has been reported in Cisco Systems Inc.'s own Cisco Security Agent, which can be exploited by malicious local users to gain escalated privileges on a compromised system, Secunia reported. The vulnerability is due to an unspecified error in CSA versions that run on Windows systems. This can be exploited by malicious users to gain high-level administrative privileges on vulnerable systems, Secunia said.

According to the company's Web site, Cisco Security Agent provides threat protection for server and desktop computing systems, also known as endpoints. It provides host intrusion prevention, spyware/adware protection, protection against buffer overflow attacks and malicious mobile code protection, Cisco said. The vulnerability has been reported in the following versions:
  • Cisco CSA Version 4.5.0 (all builds) managed and stand-alone agents.
  • Cisco CSA Version 4.5.1 (all builds) managed and stand-alone agents.
  • Cisco CSA Version 4.5.0 (build 573) for CallManager.
  • Cisco CSA Version 4.5.1 (build 628) for CallManager.
  • Cisco CSA Version 4.5.1 (build 616) for ICM (Intelligent Contact Management), IPCC Enterprise and IPCC Hosted.
  • Cisco CSA Version 4.5.0 (build 573) for CVP (Cisco Voice Portal) 3.0 and 3.1.

Cisco and Secunia recommend that all systems using the above CSA builds update to version That patch can be obtained here.