Symantec Patches Trio of Scan Engine Flaws

Security Patch Watch: New product versions from Symantec and Mozilla correct serious vulnerabilities. But no fix is available for Winny peer-to-peer code execution flaw.

Anti-virus powerhouse Symantec has released patches for three "moderately critical" security vulnerabilities that could put users at risk of security bypass and information exposure attacks.

In an alert posted online, the vendor, based in Cupertino, Calif., urged users to upgrade to Symantec Scan Engine 5.1 to protect against the threat of improper authentication for Web-based user logins.

Symantec claims there are no known publicly available exploits. However, security researchers warn that proof-of-concept exploit code showing how a remote attacker can change the administrator password has already been published, raising the likelihood of targeted attacks.

The Symantec Scan Engine is a TCP/IP server and programming interface that enables third parties to incorporate support for Symantec content scanning technologies into their proprietary applications. It is a gateway-level product that is not the same as Symantecs desktop product.

/zimages/5/28571.gifClick here to read about Symantecs updated malware lineup.

The flaws, which were discovered and reported by Rapid7, carry a "medium risk" warning from Symantec.

Winny the Flaw, Unpatched

eEye Digital Security has found a gaping code execution hole in Winny, a controversial file-sharing application that enjoys massive popularity in Japan.

The vulnerability is described as a high-risk bug that is very easy to exploit. It affects Winny version 2.0 b7.1 and prior versions running on Windows.

"This vulnerability may allow a remote attacker to overwrite heap memory with user-controlled data and execute arbitrary code in the context of the user who executed the Winny," eEye said in an advisory.

"We chose not to provide detailed information about the location of the vulnerability and how to reproduce it because the author has declined to provide a fix," the company added. In several scenarios, eEye said it has confirmed the ability to execute code easily.

Mozilla Patches 15 Thunderbird Flaws

New versions of Mozillas Thunderbird e-mail client have been released with fixes for more than a dozen security vulnerabilities.

The open-source group shipped Thunderbird and Thunderbird 1.0.8 with the security patches and an assortment of stability fixes.

Thunderbird 1.0.8 is the final release in the Thunderbird 1.0.x product line. Mozilla urges all users to upgrade to the Thunderbird 1.5.0.x product line to ensure continued support.

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.