Australia's Leading Computer Emergency Response Team

AusCERT Week in Review for 4th May 2012
Date: 04 May 2012
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=15795


Greetings,

As you're probably aware, registration is currently open for the 11th Annual AusCERT Information Security Conference, which is taking place 13th - 18th May at the RACV Royal Pines Resort on Queensland's Gold Coast. We've got a great programme this year and we'd love to see you there!

Registration is available at:
AusCERT 2012 Conference Registration Page

Here's a quick round-up of some of the more interesting vulnerabilities and bulletins from the week:

VMware has been busy this week, releasing two bulletins covering a multitude of vulnerabilities in VMware ESX, VMware ESXi, VMware Workstation, and VMware Player. Some of the impacts of these vulnerabilities include code execution, denial of service and even a root compromise!

Oracle released an out-of-band update for Oracle Database 10g and 11g, addressing a critical remote code execution vulnerability for which proof-of-concept code exists. The vulnerability was originally reported to Oracle in 2008 and had remained unpatched until now.

It wouldn't be a normal week without an obligatory browser update, this week's coming from Google Chrome. This update corrects five vulnerabilities in Chrome which could potentially allow for code execution and denial of service.

The most interesting vulnerability this week was a 0-day in PHP's CGI SAPI (php-cgi). When PHP is run as a CGI binary, a query string containing no '=' is handed to php-cgi as command-line arguments, so a request such as ?-s can disclose script source and ?-d can override configuration directives. PHP 5.3.12 and 5.4.2 have been released, which the vendor states correct the issue; however, there are reports that the patches can be bypassed and don't fully fix the problem. Administrators are advised to apply both the patches and the relevant mitigations, such as rejecting requests whose query string begins with '-' or '%2d' and contains no '='.
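As an added example that is not part of this bulletin or of PHP's own code: the script below applies the php-cgi argument-injection condition described above to Apache combined-format access log lines. For each request it derives the argv that a CGI-specification web server would hand to php-cgi from the query string (a query string with no unencoded '=' is split on '+' and each piece URL-decoded) and flags requests whose first argument is an option. The log lines are constructed, the addresses are documentation ranges, and the helper names are mine.

```python
"""Flag access-log requests that look like php-cgi command-line argument injection.

Added example, not part of the AusCERT bulletin or of PHP. The mechanism it
models: when PHP runs as a CGI binary, a query string that contains no
unencoded '=' is an "indexed" query (RFC 3875 section 4.4); the web server
splits it on '+', URL-decodes each piece and passes the pieces to php-cgi as
argv. '?-s' therefore dumps the script source and '?-d' sets INI directives.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Apache "combined"-style line: ip ident user [time] "method target proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [03/May/2012:10:01:12 +1000] "GET /index.php?-s HTTP/1.1" 200 5123
203.0.113.5 - - [03/May/2012:10:01:13 +1000] "POST /index.php?-d+allow_url_include%3dOn+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 220
198.51.100.9 - - [03/May/2012:10:02:44 +1000] "GET /index.php?page=-s HTTP/1.1" 200 1802
198.51.100.9 - - [03/May/2012:10:02:45 +1000] "GET /index.php?id=42 HTTP/1.1" 200 1800
192.0.2.77 - - [03/May/2012:10:05:01 +1000] "GET /index.php?%2Ds HTTP/1.1" 200 5123
"""


def cgi_argv(raw_query: str) -> list[str]:
    """Return the argv a CGI-spec server derives from the raw query string.

    An empty list means the query string is not treated as a command line
    (it is empty or contains a literal '='). The '=' test is on the raw,
    undecoded string, which is why attackers encode '=' as '%3d'.
    """
    if not raw_query or "=" in raw_query:
        return []
    return [unquote(part) for part in raw_query.split("+") if part]


def is_php_cgi_arg_injection(raw_query: str) -> bool:
    """True when the first derived argument is an option (starts with '-').

    This matches the shape of the advisory-era mod_rewrite workaround: a
    query string beginning with '-' or '%2d' and containing no '='.
    """
    argv = cgi_argv(raw_query)
    return bool(argv) and argv[0].startswith("-")


def scan_log(text: str) -> list[dict]:
    """Parse combined-format lines and return the requests that look like probes."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        raw_query = m.group("target").partition("?")[2]
        if is_php_cgi_arg_injection(raw_query):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": m.group("target"),
                "argv": cgi_argv(raw_query),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['target']} -> argv={hit['argv']}")
```

The check for '=' is made on the raw query string (as the CGI specification does) while the leading '-' is checked on the decoded first argument, which is why the '%2Ds' line is flagged and 'page=-s' is not. Running the scan on the sample reports three probes: the source-disclosure request, the '-d' directive override, and the percent-encoded variant.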

Have a great weekend!
Jonathan