Yet another critical cross-site scripting vulnerability has been reported, this time impacting those using Sun's Java System Communications Express application.
Sun Microsystems was probably hoping that all the media attention this week would be focused on Project Vector which according to CEO Jonathan Schwartz could create the world's largest app store.
To be fair, the Sun situation is not quite so bad, although I am not sure that users of Sun's Java System Communications Express Web-based communications and collaboration application will see it that way.
Core Security Technologies has issued an advisory which discloses critical vulnerabilities that could potentially impact upon large numbers of end users as well as organisations using the application.
Consultants working with the company's research arm, CoreLabs, have unearthed what they say are "multiple vulnerabilities" in the application, which is a remote access element of Sun's Java Communications Suite. If leveraged, these could enable attackers to target users through cross-site scripting.
The first XSS vulnerability resides in the product's Personal Address Book "add contact" functionality. The affected URL is normally accessed through a POST request, but the flaw can be exploited with either a GET or a POST request. The contents of the variables involved are not encoded when they are used in HTML output, which allows an attacker who controls their content to insert JavaScript code.
The second vulnerability does not encode the contents of the URL at the time of using them in HTML output, therefore allowing an attacker who controls their content to insert JavaScript code. This vulnerability can be exploited through a GET request, and the user does not need to be logged into the web application.
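Both flaws described above come down to the same defect: request-supplied values are written into HTML output without encoding. The following is an added illustration, not code from the advisory or from Sun's product, of what that looks like and how output encoding closes it. The form fields, the "add contact" page layout and the sample request body are all constructed for the example; the same parsing applies whether the values arrive in a GET query string or a POST body, which is why a flaw of this kind can be reachable by either method.

```python
import html
from urllib.parse import parse_qs

# Constructed sample request body for a hypothetical "add contact" form.
# The value for "name" contains HTML markup to show the encoding difference.
SAMPLE_BODY = "name=Alice+%3Cb%3EAdmin%3C%2Fb%3E&email=alice%40example.com"


def parse_form(body: str) -> dict:
    """Parse a form-encoded body or query string into single-valued fields.

    GET query strings and POST bodies share this encoding, so a page that
    echoes these fields is reachable by either method unless it checks.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_contact_vulnerable(fields: dict) -> str:
    """Echo user-controlled values into HTML verbatim (the defect class above)."""
    name = fields.get("name", "")
    email = fields.get("email", "")
    return f'<p>Added contact {name}</p><input name="email" value="{email}">'


def render_contact_safe(fields: dict) -> str:
    """Same page with every user-controlled value HTML-encoded.

    quote=True also escapes double and single quotes, which matters for the
    value placed inside an attribute: without it, a quote in the input could
    end the attribute early.
    """
    name = html.escape(fields.get("name", ""), quote=True)
    email = html.escape(fields.get("email", ""), quote=True)
    return f'<p>Added contact {name}</p><input name="email" value="{email}">'


def contains_unescaped_markup(rendered: str, user_value: str) -> bool:
    """Simple review check: does a user value carrying HTML-significant
    characters appear in the output unchanged?"""
    significant = any(ch in user_value for ch in '<>"\'&')
    return significant and user_value in rendered


if __name__ == "__main__":
    fields = parse_form(SAMPLE_BODY)
    print("vulnerable:", render_contact_vulnerable(fields))
    print("safe:      ", render_contact_safe(fields))
    print("raw markup survives (vulnerable):",
          contains_unescaped_markup(render_contact_vulnerable(fields), fields["name"]))
    print("raw markup survives (safe):      ",
          contains_unescaped_markup(render_contact_safe(fields), fields["name"]))
```

The check in `contains_unescaped_markup` is deliberately crude; it exists to show reviewers what to look for when auditing templates, namely any path where a request value reaches HTML output without passing through an encoder appropriate to its context (element body, attribute value, or script block).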
CoreLabs has alerted the Sun Security Coordination Team, and is working on a synchronised effort to create patches.
"Cross-Site Scripting bugs are popular among attackers attempting to coax Web applications into providing control of end users' Web browsers to carry out a wide range of malicious schemes," said Ivan Arce, CTO of Core Security Technologies. "It is very important that organizations take the necessary steps to ensure that the applications they build or license from third parties are not susceptible to these types of exploits."
David Bass