July 11, 2007 - Current Activity

Cisco Releases Security Advisories for Multiple Vulnerabilities in Unified Communications Manager

Cisco has published two separate advisories, cisco-sa-20070711-cucm and cisco-sa-20070711-voip, describing several vulnerabilities affecting Cisco Unified Communications Manager. The impacts of these vulnerabilities vary, the most severe of which may allow a remote attacker to execute arbitrary code on an affected system.

US-CERT recommends that administrators of this product apply the updates described in the Cisco Security Advisories listed above, and will continue to investigate and provide additional information as it becomes available.

Adobe Flash Player Multiple Vulnerabilities

Adobe Systems has released a Security bulletin to address multiple vulnerabilities in their Flash Player, some of which may allow an unauthenticated attacker to execute arbitrary code on an affected system.  The Adobe Security bulletin further states that all operating systems with a vulnerable version of Flash Player are affected.

Microsoft Releases July Security Bulletins

Microsoft has released updates to address vulnerabilities in Windows, Excel, Office Publisher, and .NET Framework as part of the Microsoft Security Bulletin Summary for July 2007.

US-CERT will provide additional information as it becomes available.

US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine what updates should be applied.

SAP Products Contain Vulnerabilities

US-CERT is aware of vulnerabilities that exist in the SAP Message and DB Web Servers. These vulnerabilities may allow an unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition.

More information regarding this vulnerability can be found in Vulnerability Note VU#305657  and VU#679041.

To help mitigate the security risk, US-CERT recommends users upgrade their SAP server to the latest version as soon as possible.

Web Browser Code Execution Vulnerability

US-CERT is aware of a public exploit code for a new vulnerability targeting Microsoft Internet Explorer. The public exploit code demonstrates the vulnerability using the Mozilla Firefox firefoxurl:// URL protocol. To trigger this vulnerability, an attacker must persuade a user who has Firefox installed to access a specially crafted web page with Internet Explorer.

US-CERT will provide additional information as it becomes available.

Microsoft Releases Advance Notification for July Security Bulletins

Microsoft has issued a Security Bulletin Advance Notification indicating that their July release cycle will contain six bulletins, three of which have a maximum severity rating of Critical. The notification further states that the three Critical bulletins are for Windows, Office, Excel, and .NET Framework.  There will also be two Important bulletins for Office Publisher and Windows XP Professional as well as one Moderate bulletin for Windows Vista.  Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool.  The release is scheduled for Tuesday, July 10, 2007. 

US-CERT will provide additional information as it becomes available.

Russian Cyber Attacks Reported

US-CERT is aware of reports of cyber attacks occurring in Russian cyber-space. According to reports these attacks may be politically motivated.  It is reported that the attacks are similar to those that affected Estonia in April and May. 

More information can be found in the following:

http://www.washingtonpost.com/wp-dyn/content/article/2007/07/01/AR2007070100009.html