June 13, 2007 - Current Activity

Microsoft Releases June Security Bulletins

Microsoft has released updates to address vulnerabilities in Windows, Internet Explorer, Outlook Express, Windows Mail, Visio, and the Windows Schannel Security Package as part of the Microsoft Security Bulletin Summary for June 2007.

More information about these vulnerabilities is located in the Vulnerability Notes Database and Technical Cyber Security Alert TA07-163A.

US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine what updates should be applied.

Publicly Available Exploit for Yahoo! Messenger IM Client ActiveX Control Vulnerabilities

US-CERT is aware of publicly available exploit code for vulnerabilities in the Yahoo! Messenger Webcam Upload (ywcupl.dll) and Webcam Viewer (ywcvwr.dll) ActiveX controls that may allow an attacker to execute arbitrary code on a user's machine.

More information about the vulnerabilities can be found in the following:

• Vulnerability Note VU#932217
• Vulnerability Note VU#949817
• Yahoo! Webcam ActiveX Controls Security Update.

• Apply the update as described in the Yahoo! Webcam ActiveX Controls Security Update.
• Disable the ActiveX controls listed in the Yahoo! Webcam ActiveX Controls Security Update.
• Disable ActiveX as described in the Securing Your Web Browser document.
  

Microsoft Releases Advance Notification for June Security Bulletins

Microsoft has issued a Security Bulletin Advance Notification indicating that their June release cycle will contain six bulletins, four of which have a maximum severity rating of Critical. The notification further states that the four Critical bulletins are for Windows, Internet Explorer, and Outlook Express.  There will also be two non-critical bulletins for Visio and Windows as well as an updated version of the Microsoft Windows Malicious Software Removal Tool.  The release is scheduled for Tuesday, June 12, 2007.

US-CERT will provide additional information as it becomes available.

Computer Associates Release Security Notice for Anti-Virus Engine

The Computer Associates Anti-Virus engine fails to properly process CAB archives.  These vulnerabilities may allow an unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition.

More information can be found in the following:

• Vulnerability Note VU#105105
• Vulnerability Note VU#739409
• Computer Associates Security Notice

Sun Microsystems Releases Security Advisory for Java Runtime Environment Image Parsing Code

Sun Microsystems released a Security Advisory for the Java Runtime Environment Image Parsing Code.  This vulnerability may allow an applet to read and write local files or execute local applications. 

US-CERT encourages users to examine the resolutions that are described in the Sun Security Advisory as soon as possible and follow the steps in the Securing Your Web Browser document.

More information can be found in Vulnerability Note VU#138545

Microsoft Windows GDI+ ICO Vulnerability

Microsoft Windows Graphics Device Interface is vulnerable to an integer division-by-zero error.  This vulnerability may lead to a denial-of-service condition due to the introduction of a specially crafted icon file.

It may be possible for a malformed icon file to be embedded in an executable or other file.

More information can be found in the following:

• Vulnerability Note VU#290961
• Cyber Security Tip ST04-010

PHP Vulnerabilty

US-CERT is aware of a publicly reported vulnerability in PHP.  PHP version 5.2.3 may be vulnerable to an integer overflow within the chunk_split() function.

More information can be found in the following PHP Security Blog.

US-CERT will provide additional information as it becomes available.