March 13, 2007 - Current Activity

This is an archived copy of current activity. If you would like to see the most recent version, please click here.

Apple Releases Security Update to Address Multiple Vulnerabilities in Various Products
added March 13, 2007

Apple has released Security Update 2007-003 to address multiple vulnerabilities in various products. The impacts of these vulnerabilities include arbitrary code execution, privilege escalation, SYSTEM level access, cross-site scripting, sensitive data exposure, file manipulation, and denial of service.

US-CERT encourages users to apply the appropriate updates as soon as possible. US-CERT will continue to investigate these vulnerabilities and provide additional information as it becomes available.

No New Microsoft Security Bulletins for March
added March 13, 2007

Microsoft released no new security bulletins today. They have, however, released an updated version of the Microsoft Windows Malicious Software Removal Tool. They have also released six non-security, high-priority updates. More information can be found in Microsoft Security Bulletin Summary for March 2007.

Mozilla Releases Security Advisory to Address Multiple Vulnerabilities
added March 7, 2007

Mozilla has released Security Advisory 2007-09 to address vulnerabilities in Firefox and SeaMonkey. More information about this vulnerability is located in the following:
US-CERT strongly encourages users to upgrade to Firefox 2.0.0.2 and SeaMonkey 1.1.1 as soon as possible.

Apple Releases Security Update to Address Multiple QuickTime Vulnerabilities
added March 6, 2007 | updated March 6, 2007

Apple has released QuickTime 7.1.5 Update to address multiple vulnerabilities in QuickTime. The impacts of these vulnerabilities include remote code execution and denial of service. More information about these vulnerabilities is located in the Vulnerability Notes Database and Technical Cyber Security Alert TA07-065A.

US-CERT encourages users to apply the appropriate updates as soon as possible. US-CERT will continue to investigate these vulnerabilities and provide additional information as it becomes available.

Daylight Saving Time Changes for 2007
added March 5, 2007

The start and end dates for Daylight Saving Time (DST) will change this year in accordance with the Energy Policy Act of 2005. With the new rules, clocks will be set ahead on March 11th instead of April 1st, and will be turned back on November 4th instead of October 28th.

The change will affect, and require updates to, many time-reliant computing systems. For example, any organization using software to perform scheduling, billing, transaction logging, and other time-related calculations could be at risk if upgrades are not performed.

All organizations should prepare for the DST changeover by analyzing their systems and applying the appropriate updates. While the level of effort will vary widely across systems, platforms, and industries, every computing environment should be assessed for potential impact, as it is likely that most systems will require some pre-changeover action.

To find out more about the systems at risk, the scope of impact, and the updates required to avoid complications, see pages 3 and 4 of the most recent Quarterly Trends and Analysis Report.
WordPress Releases New Version to Address Vulnerabilities
added March 5, 2007

WordPress has released a new version to address vulnerabilities introduced into version 2.1.1 by a malicious third party. These vulnerabilities allow remote, unauthenticated users to execute arbitrary system commands or PHP code. More information about these vulnerabilities can be found in the Vulnerability Notes Database and the WordPress Blog.

US-CERT urges users who are running version 2.1.1 to upgrade to version 2.1.2 as soon as possible.

Vulnerability in Citrix Presentation Server Client
added March 2, 2007

US-CERT is aware of an unspecified vulnerability in Citrix Presentation Server Client for Windows. The vulnerability exists in the way ICA connections are handled through proxy servers. By persuading a user to access a specially crafted HTML document (e.g., a web page or an HTML email message), a remote, unauthenticated attacker may be able to execute arbitrary code with privileges in the context of the client process.

More information about this vulnerability is located in the following:
US-CERT recommends that administrators upgrade to version 10.0 and later to mitigate the security risks.

Worm Actively Exploits Vulnerability in Sun Solaris Telnet Daemon
added February 28, 2007 | updated March 1, 2007

US-CERT is aware of public reports of a worm that is actively exploiting a known vulnerability in the Sun Solaris telnet daemon (in.telnetd). The worm targets Solaris 10 (SunOS 5.10) systems that are not patched to address this vulnerability and have enabled the telnet daemon.

When the worm discovers a vulnerable host, it attempts to log into the host using the lp or adm account to invoke one or more of the following malicious actions:
More information about this vulnerability is located in the following:
US-CERT recommends the following actions to help mitigate the security risks:
Proof-of-Concept Code for Vulnerability in Mozilla Firefox
added February 23, 2007 | updated February 26, 2007

US-CERT is aware of proof-of-concept code for a memory corruption vulnerability in Mozilla Firefox. The vulnerability exists due to a flaw in the way Firefox handles freed data structures modified in the onUnload event handler, which may cause a memory corruption error. By persuading a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code or crash the Firefox browser.

More information about this vulnerability is located in the following:

Until Mozilla issues a security fix for this issue, US-CERT recommends the following workaround to help mitigate the security risk:
Mozilla Releases Security Advisories to Address Multiple Vulnerabilities
added February 23, 2007

Mozilla has released Security Advisories to address multiple vulnerabilities in Mozilla products, such as Firefox and SeaMonkey. US-CERT encourages users to upgrade to the latest version or implement the workarounds for the affected products as described in the Security Advisories. Additionally, more information about these vulnerabilities can be found in the Vulnerability Notes Database.

Exploit Code Posted for XSS Vulnerability in Google Desktop Search Engine
added February 22, 2007 | updated February 23, 2007

US-CERT is aware of publicly available exploit code for a cross-site scripting (XSS) vulnerability in the Google Desktop Search engine. The vulnerability exists due to a flaw in the way the Google Desktop Search engine processes malformed user input. By persuading a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), a remote unauthenticated attacker may be able to execute existing arbitrary code, search and view files, or steal sensitive data.

Note: Without the presence of another vulnerability, remote exploitation is not possible.

Google has addressed this issue in the latest version of Google Desktop, which updates automatically. More information about this vulnerability is located in the following:
US-CERT recommends the following workaround to help mitigate the security risks: