Week in Security: Java and RADIUS Vulnerabilities, Klez.e Fizzles


Here's a rundown of some of the events, announcements and other happenings in information security last week:

• Microsoft on Monday issued a patch for a security flaw in its Java virtual machine (Microsoft VM) that attackers could exploit to redirect browser traffic. Microsoft rated the vulnerability critical; it affects customers who use Internet Explorer through a proxy server. To exploit the flaw, an attacker must lure a user to a Web site hosting a malicious Java applet. Once the applet runs on the user's system, the attacker can redirect the browser's traffic and gain access to the user's session. A patch is available at http://www.microsoft.com/java/vm/dl_vm40.htm.

• The CERT Coordination Center at Carnegie Mellon University warned of multiple vulnerabilities in various implementations of the RADIUS access-control protocol that intruders can exploit remotely to launch denial-of-service attacks or, in some cases, to execute code. CERT recommends applying a vendor patch or upgrade, blocking packets to the RADIUS server at the firewall, or limiting access to the RADIUS server so that only known network access servers (NAS) can reach it.
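The "limit access" mitigation above, as an added example that is not part of the original article or of CERT's advisory: a POSIX shell function that prints iptables rules allowing RADIUS traffic only from a list of trusted NAS addresses and dropping everything else sent to the RADIUS ports. The ports are the standard UDP 1812/1813 plus the legacy 1645/1646 pair; the NAS addresses (192.0.2.10, 192.0.2.11) are constructed placeholders, and the APPLY_RADIUS_RULES switch is an assumption of this example, not a real tool option.

```shell
#!/bin/sh
# Added example (not from the original article or the CERT advisory):
# restrict a RADIUS server so that only known NAS/client addresses can
# reach the authentication and accounting ports.
#
# Standard RADIUS ports are UDP 1812 (auth) and 1813 (acct); the legacy
# 1645/1646 pair is included because older NAS equipment still uses it.

RADIUS_PORTS="1812,1813,1645,1646"

# radius_rules NAS1 [NAS2 ...]
# Print (do not execute) the iptables commands that accept RADIUS only
# from the listed client addresses and drop the rest. Printing first lets
# the policy be reviewed or diffed before it is applied.
radius_rules() {
    # One ACCEPT rule per trusted NAS, matched on source address.
    for nas in "$@"; do
        printf 'iptables -A INPUT -p udp -s %s -m multiport --dports %s -j ACCEPT\n' \
            "$nas" "$RADIUS_PORTS"
    done
    # Rate-limited log of rejected attempts (useful for spotting unexpected
    # clients or probing), then an unconditional DROP for the RADIUS ports.
    printf 'iptables -A INPUT -p udp -m multiport --dports %s -m limit --limit 5/min -j LOG --log-prefix "RADIUS-DROP: "\n' \
        "$RADIUS_PORTS"
    printf 'iptables -A INPUT -p udp -m multiport --dports %s -j DROP\n' \
        "$RADIUS_PORTS"
}

# Dry run by default; set APPLY_RADIUS_RULES=1 (an assumption of this
# example) to pipe the generated commands into a shell as root.
# 192.0.2.10 and 192.0.2.11 are constructed placeholder NAS addresses.
if [ "${APPLY_RADIUS_RULES:-0}" = "1" ]; then
    radius_rules 192.0.2.10 192.0.2.11 | sh -e
else
    radius_rules 192.0.2.10 192.0.2.11
fi
```

Because the rules are appended with -A, they only take effect ahead of a broader ACCEPT if the chain has none before them; on a host with an existing policy, insert them at the top with -I or place them in a dedicated chain. Source-address filtering raises the bar but does not replace the vendor patch: RADIUS runs over UDP, so a spoofed source address from a trusted NAS range would still pass this filter.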

• Network Associates has decided not to sell its PGP desktop encryption product line, saying that the offers it received did not reflect the value of the technology. The company put the PGP and Gauntlet firewall product lines up for sale last fall and sold the Gauntlet line to Secure Computing last month. Network Associates said it will do no further development on the PGP desktop and wireless PGP products but will provide bug fixes for a year and honor existing support contracts.

• W32/Klez.e, a variant of last fall's Klez worm, was expected to destroy files last week but the worm created more hype than actual damage. The mass-mailing worm, which first surfaced in late January, is programmed to overwrite .txt, .htm, .html, .doc, .mpeg and other files on the sixth day of odd-numbered months.

• Vigilinx, a Parsippany, N.J.-based security solution provider, said it received an additional $5 million in financing from Thayer Capital Partners. Bruce Murphy, Vigilinx CEO, said in a statement that the company will use the money for sales and marketing and product development. Thayer infused Vigilinx with $75 million when the security firm launched in early 2001.

• Zero-Knowledge Systems, Montreal, Quebec, announced the availability of P3P Analyzer, a Web-based tool that allows companies to test and track Web-site compliance with the Platform for Privacy Preferences (P3P) and its implementation in Microsoft's Internet Explorer 6.