News
Novell's iPrint Open To Attack, Say Researchers
Attackers can exploit bugs in Novell Inc.'s iPrint application to obtain corporate information or hijack computers, security experts said.
By Gregg Keizer, Computerworld
August 26, 2008 — CSO —
Attackers can exploit bugs in Novell Inc.'s iPrint application to obtain corporate information or hijack computers, security experts said Monday.
Novell has issued a patch that plugs multiple holes in the ActiveX control that Novell ships as part of its iPrint product, but according to Copenhagen-based bug tracker Secunia APS, one of the flaws remains unfixed.
Secunia, which reported the bugs to Novell, counted at least eight vulnerabilities in the ActiveX control included with the Windows Vista version of the iPrint client, as well as several other flaws in another Windows Vista iPrint component.
IPrint is Novell's implementation of the Internet Printing Protocol (IPP) and lets users use, install and manage printers through the browser. The Vista version of the application ships with Novell's Open Enterprise Server 2 and NetWare 6.5 Support Pack 7.
Novell posted an update to iPrint last week that patches all but one of the vulnerabilities, said Secunia in an alert it published today. The update takes iPrint to Version 5.06. A fix for the older 4.x edition of iPrint, however, is not yet available.
For its part, Novell's accompanying advisory specified only one of the many vulnerabilities listed by Secunia and lumped the rest under a heading of "Security fixes: Multiple Buffer Overflow Security Vulnerabilities."
This is not the first time that Novell has had to quash bugs in iPrint's ActiveX control. Just two months ago, a researcher at the U.S. Computer Emergency Readiness Team (US-CERT) uncovered several vulnerabilities in the control packaged with iPrint for Windows 2000 and Windows XP. Novell patched those bugs with the iPrint 4.36 update in June.
ActiveX vulnerabilities are commonplace. Earlier this year, in fact, Symantec Corp. reported that the Microsoft Corp. technology accounted for 79% of all browser plug-in bugs in the second half of 2007.
Data Center Directions Virtual Conference
Attend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.
The Surest Path to Effective and Efficient Compliance
In this webcast, we explore why and how — with best practices, practical tips and solutions that work — to ease your compliance challenge.
Prudential Financial Protects its Brand with Symantec Data Loss Prevention Solutions
FORTUNE 100 insurance leaders rely on Symantec.Information Security: Data Drains and How to Prevent Loss
Do you know where your confidential data is?Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands
Learn what the thought-leaders at PricewaterhouseCoopers have to say.7 Requirements of Data Loss Prevention
Incorporate best practices from many companies using DLP solutions.Ponemon Study: How Much Does a Data Breach "Cost"?
35 U.S. organizations that lost confidential information and had a regulatory requirement to publicly notify affected individuals are studied in this report.
- How Are Open Source Development Communities Embracing Security Best Practices?
- Using Likewise to Comply with PCI Data Security Standard
- Ponemon Study: How Much Does a Data Breach "Cost"?
- Managing SSL Security in Multi-Server Environments
- Maximizing Site Visitor Trust Using Extended Validation SSL
- The Latest Advancements in SSL Technology
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
Data Loss Prevention
-
November 13, 2008The Roosevelt HotelRegister now »
New York, NY 10017
(ISC)2 members can earn up to 6 CPE Credits
Reference priority code ONLINE and attend this program as our guest — that's a $295 savings!
