July 12, 2007 - Current Activity

Apple Releases Security Update to Address Multiple Vulnerabilities in QuickTime

Apple has released an update to address multiple vulnerabilities in QuickTime. These vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code, execute arbitrary commands, or cause a denial-of-service condition on an affected system.

More information regarding these vulnerabilities can be found in the following:

• Technical Cyber Security Alert TA07-193A
• Vulnerability Notes Database
• Apple Security Update

Adobe Flash Player Multiple Vulnerabilities

Adobe Systems has released a Security bulletin to address multiple vulnerabilities in their Flash Player, some of which may allow an unauthenticated attacker to execute arbitrary code on an affected system.  The Adobe Security bulletin further states that all operating systems with a vulnerable version of Flash Player are affected.

• Technical Cyber Security Alert TA07-192A
• Vulnerability Notes Database
• Adobe Security Bulletin APSB07-12

Cisco Releases Security Advisories for Multiple Vulnerabilities in Unified Communications Manager

Cisco has published two separate advisories, cisco-sa-20070711-cucm and cisco-sa-20070711-voip, describing several vulnerabilities affecting Cisco Unified Communications Manager. The impacts of these vulnerabilities vary, the most severe of which may allow a remote attacker to execute arbitrary code on an affected system.

US-CERT recommends that administrators of this product apply the updates described in the Cisco Security Advisories listed above, and will continue to investigate and provide additional information as it becomes available.

Microsoft Releases July Security Bulletins

Microsoft has released updates to address vulnerabilities in Windows, Excel, Office Publisher, and .NET Framework as part of the Microsoft Security Bulletin Summary for July 2007.

US-CERT will provide additional information as it becomes available.

US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine what updates should be applied.

SAP Products Contain Vulnerabilities

US-CERT is aware of vulnerabilities that exist in the SAP Message and DB Web Servers. These vulnerabilities may allow an unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition.

More information regarding this vulnerability can be found in Vulnerability Note VU#305657  and VU#679041.

To help mitigate the security risk, US-CERT recommends users upgrade their SAP server to the latest version as soon as possible.

Web Browser Code Execution Vulnerability

US-CERT is aware of a public exploit code for a new vulnerability targeting Microsoft Internet Explorer. The public exploit code demonstrates the vulnerability using the Mozilla Firefox firefoxurl:// URL protocol. To trigger this vulnerability, an attacker must persuade a user who has Firefox installed to access a specially crafted web page with Internet Explorer.

US-CERT will provide additional information as it becomes available.

Microsoft Releases Advance Notification for July Security Bulletins

Microsoft has issued a Security Bulletin Advance Notification indicating that their July release cycle will contain six bulletins, three of which have a maximum severity rating of Critical. The notification further states that the three Critical bulletins are for Windows, Office, Excel, and .NET Framework.  There will also be two Important bulletins for Office Publisher and Windows XP Professional as well as one Moderate bulletin for Windows Vista.  Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool.  The release is scheduled for Tuesday, July 10, 2007. 

US-CERT will provide additional information as it becomes available.