There are lots of vulnerabilities DBAs must act upon ASAP, although it "only" addresses 38 vulnerabilities...

• 16 fixes address flaws in the Oracle database (six can be exploited remotely without user interaction)
• 3 fixes address flaws in the Oracle Application Server (two can be exploited remotely without user interaction)
• 8 fixes address flaws in the Oracle Applications Suite (five can be exploited remotely without user interaction)

More (advance) information in the pre-release announcement : http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html

Cisco issued a security advisory for its  1100 and 1200 Series access lightweight points. The advisory is based on work done by wifi IDS firm AirMagnet. Cisco uses an Over-The-Air-Provisioning (OTAP) protocol that uses multicast data to find a controller. During this initialization phase, a rogue controller could respond and send a bad configuration to the access point, disabling the device.

Cisco provides an advisory here: http://tools.cisco.com/security/center/viewAlert.x?alertId=18919 .

The quick summary: Establish basic configuration options like encryption keys and preferred controller lists before deploying the device.

VMware has released the following new security advisory, VMSA-2009-0010

This advisory results in updates to

VMware Workstation
VMware Player
VMware ACE

A new version of Thunderbird, version 2.0.0.23, is available.  Thus update fixes MFSA 2009-42 (Compromise of SSL-protected communication). 

If you are a Thunderbird user, it is probably best to apply this update as soon as convenient.

Note that, It appears this update, which affects multiple Mozilla products, has changed the rules for security certificates generated with wildcards. More information is available at the Fourmilab Blog.

The Windows SDK for Windows 7 and .NET Framework 3.5 SP1 provides the documentation, samples, header files, libraries, and tools (including C++ compilers) that you need to develop applications to run on Windows 7 and the .NET Framework 3.5 SP1. To build and run .NET Framework applications, you must have the corresponding version of the .NET Framework installed. This SDK is compatible with Visual Studio® 2008, including Visual Studio Express Editions, which are available free of charge.

Please see the Release Notes for the full list of supported platforms, compilers, and Visual Studio versions and any late breaking issues. For detailed information about the content in this SDK, including a description of new content, please see the Getting Started section in the documentation.

Download at Microsoft Download

The Mozilla security blog confirms an exploit against an unpatched vulnerability Firefox 3.5 exists and has been made public.

Do note that Heisse tried to confirm the vulnerability and only managed a crash on Vista and can't seem to make it work on Windows 7 RC1
http://www.h-online.com/security/First-Zero-Day-Exploit-for-Firefox-3-5--/news/113761

The mozilla blog above has a workaround by temporary disabling the javascript.options.jit.content setting in about:config

Alternatively one could install and use NoSCript to disable all javascript by default.

VMWare released a new security advisory about a vulnerability in the krb5 (Kerberos) package. The vulnerability allows a remote attacker to cause a DoS or potentially execute arbitrary code on the ESX server.

According to the advisory available at http://lists.vmware.com/pipermail/security-announce/2009/000059.html all ESX versions are affected (ESXi is not affected), however, the Kerberos package is not installed by default.

This beta is available only to customers in the United States, Israel (English only), People's Republic of China (Simplified Chinese only) and Brazil (Brazilian Portuguese only).Please visit the more information page to learn more about system requirements, our End User License Agreement and other important information.

To get the beta, just click here or on the button on the top of this page. This will take you to Microsoft Connect where you'll answer a few questions and then be able to download the Security Essentials beta.

http://www.microsoft.com/security_essentials/

WOT stands for Web Of Trust, it is a community knowledge based system where information on websites are shared. After installing the add-on, the links from search engines are tagged with extra symbols showing whether the site's "reputation" level. Very simple to understand, red means potentially bad site and green means good site.

WOT is available for both Firefox and IE . If you choose to use it, remember to contribute back to the project back by helping to rate sites as you visit them.

Google has released an update for Chrome, their own web browser. From their advisory here: "Google Chrome's Stable channel has been updated to version 2.0.172.31 to fix two security issues in WebKit." CVE-2009-1690 is a memory corruption which can lead to arbitrary code execution within the sandbox. CVE-2009-1718 is an information leak. Both CVE's name Apple Safari, however they also affect Google Chrome.

A critical vulnerability has been discovered in the JavaScript handling within Adobe Reader and Acrobat versions 9.1 and earlier.  According to the announcement, Adobe expects to make available Windows updates for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X, and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X, by May 12th, 2009.  Additionally, there is a second vulnerability specific to Adobe Reader for Unix that will be resolved by this update as well.
In the meantime, you can perform mitigation steps by disabling JavaScript in Reader and Acrobat:

1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Ref:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1493

A critical vulnerability has been discovered in the JavaScript handling within Adobe Reader and Acrobat versions 9.1 and earlier.  According to the announcement, Adobe expects to make available Windows updates for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X, and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X, by May 12th, 2009.  Additionally, there is a second vulnerability specific to Adobe Reader for Unix that will be resolved by this update as well.
In the meantime, you can perform mitigation steps by disabling JavaScript in Reader and Acrobat:

1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Ref:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1493

The Concord Music Group and Playing for Change has produced this truly wonderful video of street musicians around the world laying down their own unique music tracks on this great classic "Stand by Me" by Ben E. King. All the episodes are available here.

Network Monitor 3.3 is a protocol analyzer. It allows you to capture network traffic, view and analyze it. Version 3.3 is an update and replaces Network Monitor 3.2. Network Monitor 3.x is a complete overhaul of the previous Network Monitor 2.x version.

The Network Monitor core engine has been decoupled from the parser set. To install the full Network Monitor 3.3 product:

• Run the setup.exe for the platform you are installing.
• You will be prompted first to install the core engine. Follow the installation directions. Make sure you close existing instances of netmon.exe, nmcap.exe and any running NMAPI applications.
• Next you will be prompted to install the parser package. Follow the installation directions.

To uninstall the full Network Monitor 3.3 product:

• Go to Add/Remove Programs in Control Panel
• Uninstall both Microsoft Network Monitor 3.3 and Microsoft Network Monitor: Microsoft Parsers 3.3.

Download : Microsoft Downloads

Now you can send instant messages from the Windows Live Hotmail and People pages! This means that, even if you’re on a public computer where Windows Live Messenger isn’t installed, you can still send IMs to your Messenger contacts.

Customers in Brazil, Canada, China, Germany, the Netherlands, Norway, and USA will see this feature for the first time today (as usual, rollout to different individuals is gradual, so if you don’t see it yet, please be patient). This feature rolled out to users in France, Italy, Japan, Mexico, Spain, and the UK last month. Not in your area yet? We will be rolling out web-based Messenger to more locations in the coming months.

Source : windowslivewire.spaces.live.com

There were two new updates were released today.  The first update addresses issues with openssl, vim, and bind; the second update addresses multiple issues.

The first update is for the VMware ESX 3.0.2 and 3.0.3 release, and the second update applies to the following releases:
   VMware Workstation 6.5.1 and earlier,
   VMware Player 2.5.1 and earlier,
   VMware ACE 2.5.1 and earlier,
   VMware Server 2.0,
   VMware Server 1.0.8 and earlier,
   VMware ESXi 3.5 without patches ESXe350-200811401-O-SG, ESXe350-200903201-O-UG
   VMware ESX 3.5 without patches ESX350-200811401-SG, ESX350-200903201-UG
   VMware ESX 3.0.3 without patch ESX303-200811401-BG
   VMware ESX 3.0.2 without patch ESX-1006980

For full details on both updates, please visit the lists.vmware.com website.

The Honeynet Project has discovered an anomaly in Conficker that makes it possible to detect infected hosts with an elaborate fingerprint scan over the network. This is great news if you suspect an infection and have no other means to check, or if you simply want to double-check information that your other defense mechanisms (IDS, AntiVirus, etc) provide.

The write-up and scanning tool are available on the Honeynet Website.

In addition to the "pwn2own" vulnerability used at CanSecWest last week in order to compromise a system with the Firefox web browser, a new vulnerability has been published which involves XSL Transforms.  This vulnerability impacts both the latest Firefox 3.0.7 and Seamonkey 1.1.15 browsers.

Mozilla is working on updates for both packages and they expect the updated versions to be released by April 1

A proof-of-concept exploit for the XSL Transform vulnerability has been released.  If the attack succeeds, arbitrary code can be run in the context of the browser.  If the attack fails, a DoS condition is likely for the browser.

For more information about the XSL Transform issue, see:

BugTraq
Secunia Advisory
VUPEN Advisory
Bugzilla Entry
Mozilla Security Blog

Google will soon be coming to 11 of Canada's largest cities including Halifax, Montreal, Winnipeg and Calgary. The Internet giant will be driving around cities in the coming weeks to map the streets of Canada to include a street-eye view of streets, buildings and their surroundings.

The street view will provide users to help locate meeting spots, buildings and a better idea of their destination. With the added bonus of being able to see your own home on Google, many people raise privacy concerns, which Google is ready to handle. Images of people's faces and licence plates will be automatically blurred out, and any requested offensive images will be removed from the web site.

Google Street View - Canada will be added to the small list of available countries, including Australia, France and Britain. The popular service has been in use on Google for some time on mapping U.S. cities and streets for public view. Some popular street data has already been collected in Canada, where it will be made public soon, along with the 11 new major cities in Canada.

More info : Globe and Mail

Some vulnerabilities have been reported in Sun Java, which can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), or potentially compromise a user's system.

More Info : http://secunia.com/advisories/34451/