  • October 09, 2007 - Current Activity

    This is an archived copy of current activity, if you would like to see the most recent version, please click here.

    October 9: Adobe Acrobat and Adobe Reader Vulnerability
    October 9: Microsoft Releases October Security Bulletins
    October 4: Microsoft Releases Advance Notification for October Security Bulletins
    October 4: Apple QuickTime Security Update
    October 3: Axis IP Camera Vulnerabilities
    October 2: Google's Gmail XSRF Vulnerability
    September 27: Apple Releases Update for iPhone



    Adobe Acrobat and Adobe Reader Vulnerability

    added October 9, 2007 at 03:31 pm

    Adobe has issued a Security Advisory to address a vulnerability in Adobe Acrobat and Adobe Reader. By convincing a user to open a specially crafted PDF file in Microsoft Internet Explorer 7, an attacker may be able to execute arbitrary code.

    US-CERT recommends that users apply the workaround found in the Adobe Security Advisory.


    Microsoft Releases October Security Bulletins

    added October 9, 2007 at 03:15 pm

    Microsoft has released updates to address vulnerabilities in Windows, Outlook Express, Windows Mail, Internet Explorer, and Office as part of the Microsoft Security Bulletin Summary for October 2007.

    More information about these vulnerabilities is located in Technical Cyber Security Alert TA07-282A.

    US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine what updates should be applied.


    Microsoft Releases Advance Notification for October Security Bulletins

    added October 4, 2007 at 02:26 pm

    Microsoft has issued a Security Bulletin Advance Notification indicating that its October release cycle will contain seven bulletins, of which four have a maximum severity rating of Critical. The notification further states that the bulletins are for Windows, Outlook Express, Windows Mail, Internet Explorer, and Office. The release is scheduled for Tuesday, October 9, 2007.

    US-CERT will provide additional information as it becomes available.


    Apple QuickTime Security Update

    added October 4, 2007 at 09:31 am

    Apple has released a Security Update to address a vulnerability in QuickTime 7.2 for Microsoft Windows. This vulnerability may allow an attacker to execute applications with arbitrary command line arguments by enticing a user to open a crafted QTL file.

    More information regarding this vulnerability can be found in Vulnerability Note VU#751808.

    To mitigate the security risk, US-CERT recommends that users update to the latest version as described in the Apple QuickTime Security Update document.


    Axis IP Camera Vulnerabilities

    added October 3, 2007 at 03:13 pm

    US-CERT is aware of several publicly reported cross-site scripting and cross-site request forgery vulnerabilities in Axis IP cameras. Currently, these vulnerabilities have not been confirmed by US-CERT.

    US-CERT encourages users to implement the following best-practice security policies to reduce the risk of cross-site scripting vulnerabilities:

    • Do not save passwords for the affected devices.
    • Use NoScript to allow only trusted sites to execute JavaScript.
    • Restrict device access to only private, trusted networks.
    • Do not navigate to other websites while logged into the device.
    • Filter known cross-site scripting vulnerabilities with an application firewall, intrusion prevention system or reverse proxy.

    US-CERT will provide additional information as it becomes available.


    Google's Gmail XSRF Vulnerability

    added October 2, 2007 at 09:10 am | updated October 2, 2007 at 09:11 am

    US-CERT is aware of a publicly reported cross-site request forgery vulnerability in Google's Gmail. A cross-site request forgery vulnerability may allow a request from an attacker to be interpreted as originating from an authenticated user. Public reports indicate that this vulnerability may allow an attacker to create arbitrary filters for a user's Gmail account.

    More information regarding this vulnerability can be found in Vulnerability Note VU#571584.


    Apple Releases Update for iPhone

    added September 27, 2007 at 03:29 pm

    Apple has released an update to address several vulnerabilities in the iPhone. These vulnerabilities may allow an attacker to execute arbitrary code or commands, cause a denial-of-service condition, or conduct cross-site scripting attacks on an affected device.

    More information about these vulnerabilities and the iPhone v1.1.1 update can be found in the Apple update advisory.

    US-CERT strongly encourages users to review the advisory and follow best-practice security policies to determine what updates should be applied.