
Security

November 11, 2008 7:31 AM PST

US-CERT warns of SAP vulnerability

by Tom Espiner

The U.S. Computer Emergency Readiness Team (US-CERT) has warned of a vulnerability in SAP GUI, the graphical client for the German company's enterprise resource-planning (ERP) software.

The flaw, whose details US-CERT has not disclosed, lies in an ActiveX control called MDrmSap that ships as a component of SAP GUI. It can crash Microsoft's Internet Explorer browser in a way that is exploitable.

US-CERT warned in an advisory, updated on Monday, that if a user can be tricked into viewing a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on the user's system with that user's privileges.

A patch is available from SAP, through SAP Note 1142431. Log-in is required to access the patch.

Workarounds include disabling the MDrmSap control in IE by setting the browser's kill bit for CLSID {B01952B0-AF66-11D1-B10D-0060086F6D97}, or, for organizations that can tolerate it, disabling ActiveX controls in IE altogether.

Security company Secunia rated the flaw "highly critical" in its own advisory. SAP GUI versions 6.x and 7.x are affected, according to Secunia.

Tom Espiner of ZDNet UK reported from London.

October 8, 2008 2:48 PM PDT

Former 'cyberczar' goes corporate

by Robert Vamosi

On Wednesday, HBGary announced that Andy Purdy has joined their advisory board.

Purdy, while at the White House, co-drafted the 2003 edition of the National Strategy to Secure Cyberspace, then joined the Department of Homeland Security. There, he served on the tiger team that helped to form the National Cyber Security Division (NCSD) and the U.S. Computer Emergency Readiness Team (US-CERT). He went on to head both organizations and was dubbed the "cyberczar" of the United States by the media, until DHS appointed Greg Garcia as assistant secretary for cybersecurity and communications.

In 2006, Purdy oversaw the first large-scale mock cyberattack, code-named Cyber Storm. A second mock attack, under Garcia, was held earlier this year.

In August, HBGary announced a partnership with McAfee to provide forensic tools for McAfee's enterprise offerings. HBGary specializes in monitoring information systems for external and internal threats.

July 24, 2008 10:28 AM PDT

Vulnerable to a DNS cache poisoning at home?

by Robert Vamosi

On Wednesday, exploit code for the recently disclosed domain name system (DNS) cache-poisoning flaw became publicly available. No one has yet been seen using it, but the advice is simple: Patch. Now. Most of the burden falls on DNS servers and the systems that support them, but the nature of the flaw means desktop clients need to be patched as well.

First, to determine whether the DNS resolver your machine relies on is vulnerable, use either of these tests:

If the test returns a message similar to "Your name server, at 2xx.2xx.1xx.1x, appears vulnerable to DNS Cache Poisoning," the resolver that answered on your behalf (usually your ISP's or your network's) has not been fixed. Raise that with whoever runs it, and patch your desktop system as described below regardless.
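What such a test actually measures, as an added example (not code from the article, US-CERT or any of the online testers): the tester makes your resolver send it a batch of queries and looks at the source port and transaction ID (TXID) of each. A resolver that always uses one port, or steps through ports in order, leaves only the 16-bit TXID for an attacker to guess per spoofed answer; a patched resolver randomizes the port too. The samples below are constructed, not captured from a real resolver, and the 16-bits-per-field figure is an optimistic ceiling.

```python
"""Classify how predictable a resolver's outgoing queries are (added example)."""
import random


def classify(values, bits=16):
    """Label an observed sequence of bits-wide fields 'fixed', 'sequential' or 'random'."""
    if len(set(values)) == 1:
        return "fixed"
    # Step between consecutive observations, modulo the field width so a
    # counter that wraps (65535 -> 0) still looks sequential.
    deltas = [(b - a) % (1 << bits) for a, b in zip(values, values[1:])]
    if all(0 < d <= 16 for d in deltas):
        return "sequential"
    return "random"


def assess(observations):
    """observations: list of (source_port, txid) pairs seen on queries from one resolver."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    port_class = classify(ports)
    txid_class = classify(txids)
    # Bits an attacker must guess per forged reply: the TXID when it is random,
    # plus the source port only when it is unpredictable too.
    guess_bits = 16 if txid_class == "random" else 0
    if port_class == "random":
        guess_bits += 16
    verdict = "patched" if port_class == "random" and txid_class == "random" else "vulnerable"
    return {
        "port_class": port_class,
        "txid_class": txid_class,
        "port_range": (min(ports), max(ports)),
        "guess_bits": guess_bits,
        "verdict": verdict,
    }


# Constructed samples (not captured from any real resolver).
# Pre-patch behaviour: one source port for every query, random TXID only.
_rng = random.Random(2008)
PRE_PATCH = [(32768, _rng.randrange(1 << 16)) for _ in range(20)]
# Post-patch behaviour: both the port and the TXID vary unpredictably.
_rng = random.Random(2008)
PATCHED = [(_rng.randrange(1024, 65536), _rng.randrange(1 << 16)) for _ in range(20)]

if __name__ == "__main__":
    for name, sample in (("pre-patch", PRE_PATCH), ("patched", PATCHED)):
        print(name, assess(sample))
```

The verdict is the same one the online tests report: a "fixed" or "sequential" port class is what "appears vulnerable" means. A resolver behind a NAT device that rewrites source ports can score poorly even after patching, so if the resolver is yours, check the NAT as well as the server.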

Windows users
If you automatically apply Microsoft Updates to your Windows computer, you should already have received Microsoft Security Bulletin MS08-037; if you don't apply updates automatically, install this patch as soon as possible.

ZoneAlarm users
If you use ZoneAlarm, however, make sure you are running the latest release, 7.0.48, before installing MS08-037. There is a known incompatibility with the Microsoft patch and older versions of ZoneAlarm.

Mac or Linux users
If you are running Mac OS or Linux, see this US CERT page for the latest patch details. As of Thursday, Apple has not issued a patch for its Mac OS X operating system.

Still, in the end, protection from any DNS cache-poisoning exploit also depends on the resolvers run by your upstream ISP. As of Monday, researcher Neal Krawetz was reporting that servers at several high-profile ISPs remained vulnerable.
