ZDI: It’s time for Microsoft and Ipswitch flaws now

This is interesting. Immediately after the recent discussion about the new policy of the Zero Day Initiative program, they published information about the following unpatched vulnerabilities:

– clip –
ZDI-CAN-060 IBM High 2006.08.31, 1 days ago
ZDI-CAN-072 Microsoft High 2006.08.31, 1 days ago
ZDI-CAN-089 Microsoft High 2006.08.31, 1 days ago
ZDI-CAN-078 Ipswitch High 2006.09.01, 0 days ago
ZDI-CAN-087 GraceNote High 2006.09.01, 0 days ago

Three Microsoft issues were listed on Thursday, 31st Aug, one Ipswitch issue was listed on Friday, and one GraceNote (aka CDDB) issue was listed on Friday too.

All of these are rated as ‘High’ severity.

  • http://www.os-cubed.com Lee Drake

    Ipswitch fixed the vulnerability in 2006.1. Here are the (very brief) patch notes about the vulnerability:

    Fixed a vulnerability that allowed remote attackers to execute arbitrary code within the SMTP daemon. This vulnerability was processed through the Zero Day Initiative (ZDI), an initiative launched by TippingPoint, a division of 3Com.

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    Lee: ZDI-CAN-078 is NOT the vulnerability patched in 2006.1. Look at the “Reported On” date for ZDI-CAN-078 (09/01/2006) and compare it with the vendor disclosure date in ZDI-06-028 which is 06/22/2006. The vulnerability patched today is far older, and dates back to June.

  • http://networksecurity.typepad.com/ Juha-Matti

    Thanks Matthew for sharing this basic type information. Yes, at the time of the blog entry that vulnerability was the newest one.