October 16, 2006 - Current Activity

Proof-of-Concept Code for Unpatched Vulnerability in Microsoft PowerPoint

We are aware of publicly available proof-of-concept code for an unpatched vulnerability in Microsoft PowerPoint. The complete impact of this vulnerability is not yet known.

More information is available at the Microsoft Security Response Center Blog!

Until an update, patch, or more information becomes available, we recommend the following actions to help mitigate the security risks:

• Do not open attachments from unsolicited email messages.
• Install anti-virus software, and keep its virus signature files up-to-date.
• Save and scan any attachments before opening them.

We strongly encourage users not to open unfamiliar or unexpected email attachments, even if sent by a known and trusted source. Users may wish to read Cyber Security Tip ST04-010 for more information on working with email attachments.

We will continue to monitor this issue and provide additional information as it becomes available.

Support Ends for Windows XP Service Pack 1

We are reminding users that as of today, October 10th, 2006, Microsoft has ended public assisted support for Windows XP Service Pack 1 (SP1). According to Microsoft, incident support options and security updates will no longer be available for this retired service pack as defined by the Microsoft Support Lifecycle Policy . Microsoft recommends that users upgrade to Windows XP Service Pack 2 (SP2) to receive security updates.

For more information, please see End of support for Windows 98, Windows Me, and Windows XP Service Pack 1 .

Microsoft Releases October Security Bulletin

Microsoft has released updates to address vulnerabilities in Microsoft Windows and Office as part of the Microsoft Security Bulletin Summary for October 2006.

We strongly encourage users to review the bulletins and follow best-practice security policies to determine what updates should be applied.

Additionally, more information about these vulnerabilities can be found in the Vulnerability Notes Database and Technical Cyber Security Alert TA06-283A .

Mozilla Posts Statement Regarding Firefox JavaScript Vulnerability

At the recent Toorcon conference, two presenters claimed to have discovered a new vulnerability in the Mozilla Firefox JavaScript engine that could allow malicious code execution. The report was never confirmed and just yesterday, one of the presenters issued a statement to Mozilla that they had not successfully exploited the vulnerability, nor did they know of anyone who had.

Mozilla has released additional information regarding this report and is continuing to investigate the issue.

• Update: Possible Vulnerability Reported at Toorcon

Updates for Multiple Apple OS X Vulnerabilities

Apple has released Security Update 2006-006 to address multiple vulnerabilities in Apple products. The impacts of these vulnerabilities include execution of arbitrary code, bypassing security restrictions, and denial of service. This security update also addresses previously known vulnerabilities in Adobe Flash Player for Apple OS X.

More information about these vulnerabilities can be found in the following:

• Technical Cyber Security Alert: TA06-275A - Multiple Vulnerabilities in Apple and Adobe Products
• Apple Security Update 2006-006
• Adobe Security Bulletin APSB06-11

Apple has also released Mac OS X 10.4.8 Update (Intel). This update includes security fixes for Intel-based Apple systems.

We recommend the following actions to help mitigate the security risks:

• Apply the appropriate updates as prescribed in the Apple Security Update 2006-006.
• Intel-based Apple users should upgrade to Mac OS X 10.4.8.

We will continue to monitor this issue and provide additional information as it becomes available.