  • January 05, 2007 - Current Activity

    This is an archived copy of Current Activity.

    January 4 Microsoft Releases Advance Notification for January Security Bulletin
    January 4 Cross-Site Scripting Vulnerability in Adobe Acrobat Plug-In
    January 3 IRS Phishing Scam and Identity Theft
    January 3 Proof-of-Concept Code for a Vulnerability in Apple QuickTime
    December 27 Public Exploit Code Available for DoS Vulnerability in Microsoft Windows Workstation
    December 26 Proof-of-Concept Code for Vulnerability in Microsoft Windows
    December 21 Mozilla Releases Security Advisories to Address Multiple Vulnerabilities
    December 19 Microsoft Publishes New Information on the Three Word Vulnerabilities



    Microsoft Releases Advance Notification for January Security Bulletin

    added January 4, 2007

    Microsoft has issued a Security Bulletin Advance Notification indicating that their January release cycle will contain eight bulletins, some of which have a maximum severity rating of Critical. The notification further states that three of the bulletins are for Windows; one for Windows and Visual Studio; one for Windows and Office; and three are for Office. The release is scheduled for Tuesday, January 9th.

    We will provide additional information as it becomes available.


    Cross-Site Scripting Vulnerability in Adobe Acrobat Plug-In

    added January 4, 2007

    US-CERT is aware of a cross-site scripting vulnerability in the Adobe Acrobat Plug-In, which allows users to view PDF files inside of a web browser. The plug-in fails to properly validate URI parameters for JavaScript code. As a result, user-supplied JavaScript can execute within the context of the web site hosting the PDF file, which is a cross-site scripting vulnerability.

    More information about this vulnerability can be found in the following:

    • Vulnerability Note VU#815960 - Adobe Acrobat Plug-In cross domain violation

    US-CERT encourages users to upgrade to the latest release of Adobe Acrobat Reader as soon as possible.

    If unable to upgrade, then US-CERT recommends that users take the following actions to help mitigate the security risks:

    • Disable the displaying of PDF documents in the web browser.
    • Disable JavaScript as specified in the Securing Your Web Browser document.

    Note: Any website that hosts a PDF file may be used as an attack vector or launch point to exploit this vulnerability. Web site and network administrators may wish to filter JavaScript in URLs both entering and leaving the network to prevent their websites from being leveraged in attacks. Information on how to filter JavaScript out of URLs is available in VU#815960.
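One way to flag such URLs when reviewing proxy logs, page content or mail, as an added example (not taken from VU#815960 or from US-CERT). It assumes the script arrives as a `javascript:` value in the query string or fragment of a URL whose path ends in `.pdf`; the function names and sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# "javascript:" in any letter case; whitespace between letters is tolerated
# because browsers drop tabs and newlines when parsing a URL.
_JS_SCHEME = re.compile(r"\s*".join("javascript") + r"\s*:", re.IGNORECASE)


def _decode(text, rounds=3):
    """Percent-decode repeatedly so double-encoded values are still seen."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def pdf_url_carries_script(url):
    """True if the URL points at a PDF and its query or fragment holds a javascript: value."""
    parts = urlsplit(url.strip())
    if not _decode(parts.path).lower().endswith(".pdf"):
        return False
    # Assumption: the page says "URI parameters" without naming the URL part,
    # so both the query string and the fragment are inspected.
    return any(_JS_SCHEME.search(_decode(part)) for part in (parts.query, parts.fragment))


def flag_urls(urls):
    """Return the subset of urls that should be blocked or reviewed."""
    return [u for u in urls if pdf_url_carries_script(u)]


# Constructed sample input (example.test is a reserved test domain).
SAMPLE_URLS = [
    "http://www.example.test/docs/report.pdf",
    "http://www.example.test/docs/report.pdf#page=4",
    "http://www.example.test/docs/report.pdf#x=javascript:alert(1)",
    "http://www.example.test/docs/REPORT.PDF?ref=JaVaScRiPt%3Aalert(1)",
    "http://www.example.test/docs/report.pdf#x=%256Aavascript%253Aalert(1)",
    "http://www.example.test/help.html?topic=javascript:basics",
]

if __name__ == "__main__":
    for hit in flag_urls(SAMPLE_URLS):
        print("flagged:", hit)
```

Browsers do not send the fragment (the part after `#`) to the web server, so a check like this only sees it where the full URL is visible, such as links in HTML pages or e-mail.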


    IRS Phishing Scam and Identity Theft

    added January 3, 2007

    US-CERT continues to receive reports of phishing scams that target online users. Most recently, users have reported receiving emails that appear to be from the Internal Revenue Service (IRS). The phishing email claims to offer a tax refund and requests users to click on a link to provide personal and possibly sensitive information. Identity thieves could use this information to further compromise unsuspecting victims.

    A spokesperson for the IRS has confirmed that they do not solicit anything by email.

    US-CERT reminds users to remain cautious when receiving unsolicited email that could be a potential phishing email. US-CERT encourages users to report phishing incidents based on the following guidelines:

    • Federal agencies should report phishing incidents to US-CERT.
    • Non-federal agencies and other users should refer to OnGuard Online, a consortium of federal agencies, for information on reporting phishing incidents.

    Additionally, users are encouraged to take the following measures to prevent phishing attacks from occurring:

    1. Do not follow unsolicited web links received in email messages.
    2. Contact your financial institution and file a complaint with the Federal Trade Commission (FTC) immediately if you believe your account or financial information has been compromised.
    3. Review FTC's web site on how to protect yourself from identity theft.
    4. Review the OnGuard Online practical tips to guard against Internet fraud, secure your computer, and protect your personal information.
    5. Refer to the US-CERT Cyber Security Tip on Avoiding Social Engineering and Phishing Attacks.
    6. Refer to the CERT Coordination Center document on understanding Spoofed/Forged Email.

    Proof-of-Concept Code for a Vulnerability in Apple QuickTime

    added January 2, 2007 | updated January 3, 2007

    US-CERT is aware of proof-of-concept code for a buffer overflow vulnerability in Apple QuickTime. The flaw is in the way that QuickTime handles Real Time Streaming Protocol (RTSP) URL strings. By persuading a user to access a specially crafted QuickTime file, a remote attacker may be able to execute arbitrary code or cause a denial of service on a vulnerable system.

    Note: Apple iTunes installations are also affected by this vulnerability.

    More information about this vulnerability can be found in the following:

    • Vulnerability Note VU#442497 - Apple QuickTime RTSP buffer overflow

    Until a security fix or more information becomes available, US-CERT recommends the following actions to help mitigate the security risks:

    • Do not access QTL files from untrusted sources.
    • Disable file association for QTL files.
    • Refer to the Securing Your Web Browser document to implement the following workarounds:
      • Disable QuickTime in your web browser.
      • Disable JavaScript.

    Public Exploit Code Available for DoS Vulnerability in Microsoft Windows Workstation

    added December 27, 2006

    US-CERT is aware of publicly available exploit code for a buffer overflow vulnerability in Microsoft Windows Workstation. According to Secunia Advisory SA23487, there is a flaw in the way the Workstation service handles large RPC requests. By sending specially crafted data to the Workstation service, a remote attacker could cause a denial-of-service condition on a vulnerable system. Initial analysis indicates that Windows XP and Windows 2000 are vulnerable to this flaw.

    Until a security fix from Microsoft becomes available, US-CERT recommends the following action to help mitigate the security risks:

    • Block ports 139/tcp and 445/tcp at the firewall.

    US-CERT will continue to investigate and will provide additional information as it becomes available.


    Proof-of-Concept Code for Vulnerability in Microsoft Windows

    added December 26, 2006

    US-CERT is aware of publicly available proof-of-concept code for a local privilege escalation vulnerability in Microsoft Windows 2000, Windows Server 2003, Windows XP, and Windows Vista.

    More information concerning this flaw is available at the Microsoft Security Response Center Blog.

    US-CERT will continue to investigate and will provide additional information as it becomes available.


    Mozilla Releases Security Advisories to Address Multiple Vulnerabilities

    added December 20, 2006 | updated December 21, 2006

    Mozilla has released Security Advisories to correct multiple vulnerabilities in Firefox, Thunderbird, and SeaMonkey. If successfully exploited, these vulnerabilities may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition on a vulnerable system.

    More information about these vulnerabilities can be found in the following:

    US-CERT strongly encourages users to take the following actions to help mitigate the security risks:


    Microsoft Publishes New Information on the Three Word Vulnerabilities

    added December 19, 2006

    Microsoft has published new information on its Security Response Center Blog addressing the latest Word vulnerabilities reported earlier this month.

    Until a security fix from Microsoft becomes available, US-CERT recommends that users follow the recommendations in Microsoft Security Advisory 929433 to help mitigate the security risks for all three Word vulnerabilities.