Three Software Bugs You May Have Missed
We know it’s hard to keep up with the constant bombardment of software news in the tech world. In this roundup, we present you with three software bugs that you should probably be aware of, especially if you are a Microsoft or CloudStack user.
Microsoft Patches Twenty Vulnerabilities
If you’re a Microsoft-product user, you’ve got some software patches coming your way. Computerworld reports that the Redmond, WA software stalwart patched up twenty vulnerabilities found in the company’s products, including Word, Office, and Windows. Apparently, if you are using Word, now would be the best time to run those updates as one of the most critical vulnerabilities affects Word 2003, 2007, and 2010. TechTarget explained a bit more about the vulnerabilities saying that “The critical bulletin, MS12-064, addresses vulnerabilities in Microsoft Word that could allow remote code execution.”
Apache Software Foundation Tells Users to Update CloudStack
The Apache Software Foundation told users of its CloudStack software service to make a necessary configuration change to the CloudStack database in order to prevent malicious attempts to hijack a user’s computer. The folks at ThreatPost wrote that while the vulnerability is critical, users can follow the Apache Software Foundation’s updating directions to offset the problem.
From the CloudStack security announcement:
Addressing this issue is especially important for anybody using CloudStack in a public environment.
Mitigation:
1) Login to the CloudStack Database via MySQL $ mysql -u cloud -p -h host-ip-address (enter password as prompted)
2) Disable the system user and set a random password: mysql> update cloud.user set password=RAND() where id=1;
3) Exit MySQL mysql> \q
Alternatively, users can update to a version of CloudStack based on the git repository on or after October 7th, 2012.
Software Bugs for Sale on the Black Market
For an entertaining read about the black market world of “software bug” trading, check out Antone Gonsalves’s recent post over at ReadWriteWeb. Gonsalves describes a shady world in which government agencies are making deals with willing parties like security researchers who are more than happy to sell “exclusive details on exploitable flaws in software and operating systems.” The problem, Gonsalves writes, is that there is not enough monitoring to ensure that the folks who are selling the goods aren’t simply handing them over to any interested party (think terrorist organizations or criminal syndicates).
From ReadWriteWeb:
A number of companies buy bugs and then sell them back to software makers on a subscription basis. Examples include iDefense and Zero Day Initiative, which pay from $500 to $20,000 for vulnerabilities.
But the big money is chased by companies like Endgame Systems, Netragard, and Vupen Security. They focus on the more lucrative market of selling bugs to government agencies that use the information to hack computers and phones of crime suspects and intelligence targets. However, their customers also can include large corporations.
