Security Bytes


Apr 17 2008   5:00AM GMT

Flaw fixes for Firefox, Mac



Posted by: Bill Brenner
Application Security, Information Security Threats, Security Management

A couple of notable security fixes to flag this morning:

First, Apple has patched the Safari Web browser flaw that famously earned a researcher $10,000 at the CanSecWest conference last month. Independent Security Evaluators researcher Charlie Miller used the vulnerability to compromise a MacBook Air laptop. The flaw is rooted in the WebKit open-source HTML rendering engine Safari and several other Mac OS X programs use.

Next, Mozilla has released Firefox 2.0.0.14, fixing a critical security hole in the JavaScript engine of Firefox. The advisory said, “Fixes for security problems in the JavaScript engine described in MFSA 2008-15 (CVE-2008-1237) introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past.”

Apr 11 2008   10:12AM GMT

Oracle preps CPU for 41 flaws



Posted by: Bill Brenner
Security Management, Platform Security

Oracle said Thursday that it is prepping a Critical Patch Bulletin (CPU) to address 41 security holes across its product line.

According to the database giant’s advance CPU bulletin, attackers could exploit the most severe flaws to compromise the database server or the host operating system. Affected products include Oracle Database, Oracle Application Server, Oracle E-Business Suite and Applications, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise and Oracle Siebel SimBuilder.

Oracle releases its security patches on a quarterly basis, and the April 2008 installment will be issued Tuesday.


Apr 11 2008   12:05AM GMT

RSA 2008: Firm makes log management a priority for compliance



Posted by: Robert Westervelt
Compliance, Network Security, Security Management

Ira Hanson-Ralph of EnCana explains why the oil and gas exploration company made log management a priority as part of its compliance program. Hanson-Ralph is EnCana’s group leader of IS compliance and controls monitoring. The interview was conducted at RSA Conference 2008.


Apr 10 2008   7:13PM GMT

RSA 2008: Sourcefire founder Roesch previews Snort 3



Posted by: Robert Westervelt
Security Vendor News, Network Security, Application Security, Information Security Threats

In this interview at RSA Conference 2008, Sourcefire founder and Snort creator Martin Roesch talks about the sudden departure of the company’s CEO and the future of intrusion defense.


Apr 10 2008   2:18PM GMT

RSA 2008: Verizon, AT&T tout security at RSA (Part 2)



Posted by: Robert Westervelt
Security Vendor News, Network Security, Platform Security, Privacy

In the conclusion of this two-part video series, Information Security magazine Senior Technology Editor Neil Roiter explores security services in the U.S. telecom market. In an interview at RSA Conference 2008, Stan Quintana, vice president of AT&T Security Services, discusses the company’s strategy. He talks about what makes carriers qualified to offer security services and some of the challenges facing the industry.


Apr 10 2008   2:13PM GMT

RSA 2008: Verizon, AT&T tout security at RSA (Part 1)



Posted by: Robert Westervelt
Security Vendor News, Network Security, Platform Security

In part one of a two-part video series, Information Security magazine Senior Technology Editor Neil Roiter explores security services offered in the U.S. telecom market. In an interview at RSA Conference 2008, Kerry Bailey, vice president of business security products at Verizon, discusses the company’s strategy.


Apr 10 2008   12:49PM GMT

Where have all the good RSA talks gone?



Posted by: Dennis Fisher
Security Vendor News

Once upon a time, the RSA Conference was known for its deep technical content and the quality of its speakers. But, as the security industry has changed and matured over the last few years, the sessions at the show have become more focused on soft, fuzzy themes such as risk management and compliance. This is probably just a natural evolution and a reflection of the direction of the industry as a whole, but many of the security professionals I’ve talked to here this week have complained about the lack of serious educational content and the proliferation of marketecture-type sessions. And the few really deep sessions have been so crowded that many attendees have been turned away at the door. The hard core cryptographers’ sessions are still here and there are some good ones on new attacks as well, but it seems that the days of walking out of the conference at the end of the week with a notebook full of great ideas are past.


Apr 9 2008   5:24PM GMT

RSA 2008: Financial industry security challenges



Posted by: Robert Westervelt
Compliance, Information Security Threats, Data Breaches and Identity Theft, Identity and access management

(ISC)2 Executive Director Ed Zeitler talks about the unique security challenges facing the financial industry and whether the current turmoil in the financial markets could put a strain on IT budgets. Zeitler has 23 years of experience in developing, implementing and managing information security programs at financial firms. Most recently, he served as chief information security officer (CISO) for Volkswagen Credit, where he created and implemented its information security program. He also served as CISO for Charles Schwab & Co., Inc., Fidelity Investments, Bank of America and Security Pacific National Bank.


Apr 9 2008   3:29PM GMT

RSA 2008: Hacking techniques



Posted by: Robert Westervelt
Application Security, Information Security Threats

Yuval Ben-Itzhak, chief technology officer, discusses the tools and techniques hackers are using to conduct attacks and some of the latest threats to Web applications.


Apr 9 2008   1:37PM GMT

RSA 2008: Defeating botnets



Posted by: Robert Westervelt
Information Security Threats

Ron Teixeira, executive director of the National Cybersecurity Alliance, talks about how a mixture of education and technology could defeat the botnet threat.