October 10, 2007 - Current Activity

Microsoft Updates Security Bulletin MS05-004

Microsoft has released an update to Security Bulletin MS05-004 adding Windows Server 2003 Service Pack 2 and Windows Vista to the affected software. This ASP .NET path validation vulnerability may allow a remote, unauthenticated attacker to gain access to secure website content by using a specially crafted URL.

More information regarding this vulnerability can be found in Vulnerability Note VU#283646.

US-CERT recommends users update to the latest version of .NET Framework.

Adobe Acrobat and Adobe Reader Vulnerability

Adobe has issued a Security Advisory to address a vulnerability in Adobe Acrobat and Adobe Reader. By convincing a user to open a specially crafted pdf file in Microsoft Internet Explorer 7, an attacker may be able to execute arbitrary code.

US-CERT recommends that users apply the workaround found in the Adobe Security Advisory.

Microsoft Releases October Security Bulletins

Microsoft has released updates to address vulnerabilities in Windows, Outlook Express, Windows Mail, Internet Explorer, and Office as part of the Microsoft Security Bulletin Summary for October 2007.

More information about these vulnerabilities is located in Technical Cyber Security Alert TA07-282A.

US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine what updates should be applied.

Microsoft Releases Advance Notification for October Security Bulletins

Microsoft has issued a Security Bulletin Advance Notification indicating that its October release cycle will contain seven bulletins, of which four have a maximum severity rating of Critical. The notification further states that the bulletins are for Windows, Outlook Express, Windows Mail, Internet Explorer, and Office. The release is scheduled for Tuesday, October 9, 2007.

US-CERT will provide additional information as it becomes available.

Apple QuickTime Security Update

Apple has released a Security Update to address a vulnerability in QuickTime 7.2 for Microsoft Windows. This vulnerability may allow an attacker to execute applications with arbitrary command line arguments by enticing a user to open a crafted QTL file.

More information regarding this vulnerability can be found in Vulnerability Note VU#751808.

To mitigate the security risk, US-CERT recommends that users update to the latest version as described in the Apple QuickTime Security Update document.

Axis IP Camera Vulnerabilities

US-CERT is aware of several publicly reported cross-site scripting and cross-site request forgery vulnerabilities in Axis IP cameras. Currently, these vulnerabilities have not been confirmed by US-CERT.

US-CERT encourages users to implement the following best-practice security policies to reduce the risk of cross-site scripting vulnerabilities:

• Do not save passwords for the affected devices.
  
• Use NoScript to allow only trusted sites to execute JavaScript.
• Restrict device access to only private, trusted networks.
• Do not navigate to other websites while logged into the device.
  
• Filter known cross-site scripting vulnerabilities with an application firewall, intrusion prevention system or reverse proxy.

Google's Gmail XSRF Vulnerability

US-CERT is aware of a publicly reported cross-site request forgery vulnerability in Google's Gmail. A cross-site request forgery vulnerability may allow a request from an attacker to be interpreted as originating from an authenticated user.  Public reports indicate that this vulnerability may allow an attacker to create arbitrary filters for a user's Gmail account.  

More information regarding this vulnerability can be found in Vulnerability Note VU#571584.