Security Patch Watch: Skype, Cisco, FreeBSD

eBay-owned Skype corrects a bug that caused the application to be misread as a potential security threat; Cisco and FreeBSD also ships security-centric upgrades.

A new version of the popular Skype VOIP application has been released to correct a bug that caused Skype to be misread as a potential security threat.

The Skype for Windows update fixes a flaw that triggered a DEP (Data Execution Protection) warning on systems running Windows XP SP2 with DEP-enabled Intel or AMD processors.

DEP is a set of hardware and software technologies that perform additional checks on memory to help prevent buffer overflow attacks.

The Skype bug meant that users running new computers had to manually configure the application as an exception to turn off the DEP warnings.

This, however, created a scenario where users were being lulled into ignoring DEP warnings because of the Skype bug.

/zimages/2/28571.gifClick here to read more about Skypes efforts to patch security holes.

"Until now, Skype always crashed with DEP, even though there was nothing bad in it—it was simply a bug in Skype thats now squashed," the eBay-owned company said in a notice accompanying the software upgrade.

"If you added Skype to some DEP exception list before this release, feel free to upgrade to and then remove it from the exceptions list," the company said.

Cisco Patches DoS Vulnerabilities

Routing and switching giant Cisco System has shipped three separate security alerts to notify users of denial-of-service vulnerabilities in multiple products.

The first advisory deals with three separate bugs in Cisco Call Manager, the software-based call-processing component of the Cisco IP telephony service.

The company said the problem occurs because all Cisco CallManager versions do not manage TCP connections and Windows messages aggressively, leaving some well-known, published ports vulnerable to denial-of-service attacks.

/zimages/2/28571.gifRead more here about Cisco patching a "Black Hat" IOS flaw.

Cisco also warned of a separate CallManager vulnerability that can be exploited by malicious users to gain escalated privileges.

The flaw is caused due to an error in the CCMAdmin Web page and can be exploited by administrative users with read-only privileges to gain full administrative access via a specially crafted URL.

Successful exploitation requires that MLA (Multi Level Administration) is enabled.

The third advisory included patches for a Cisco IOS flaw that could cause denial-of-service conditions.

/zimages/2/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

The vulnerability is caused due to an error in the handling of the SGBP (Stack Group Bidding) protocol.

The company warned that the flaw could be exploited to cause a vulnerable device to become unresponsive and trigger a hardware reset by sending a specially crafted UDP datagram to port 9900.

The vulnerability affects all Cisco products running the Cisco IOS software and has enabled support for the SGBP protocol.

FreeBSD Vulnerable to WiFi Flaw

The open-source FreeBSD Project has shipped an update to patch a potentially serious flaw in the way the IEEE 802.11 wireless protocol is implemented.

In an advisory, the flaw is described as an integer overflow error in the "net80211" module when handling corrupt IEEE 802.11 beacons or probe response frames during scanning for existing wireless networks.

This can result in a buffer overflow and may allow execution of arbitrary code on a vulnerable system scanning for wireless networks.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.