October 12, 2007 - Current Activity

OpenSSL Security Advisory

OpenSSL has released a security advisory to address two vulnerabilities in OpenSSL. These vulnerabilities may allow a remote, unauthenticated attacker to execute arbitrary code on an affected system, other impacts are unknown at this time.

More information regarding this vulnerability can be found in the OpenSSL security advisory.   

US-CERT strongly encourages users to review the OpenSSL security advisory and follow best-practice security policies to determine what updates should be applied.

Microsoft Updates Security Bulletin MS05-004

Microsoft has released an update to Security Bulletin MS05-004 adding Windows Server 2003 Service Pack 2 and Windows Vista to the affected software. This ASP .NET path validation vulnerability may allow a remote, unauthenticated attacker to gain access to secure website content by using a specially crafted URL.

More information regarding this vulnerability can be found in Vulnerability Note VU#283646.

US-CERT recommends users update to the latest version of .NET Framework.  

CA BrightStor ARCserve Backup Vulnerabilities

US-CERT is aware of multiple vulnerabilities that affect CA BrightStor ARCserve Backup.  These vulnerabilities may allow a remote, unauthenticated attacker to execute arbitrary code, escalate privileges or cause a denial-of-service condition.

More information regarding these vulnerabilities can be found in the CA BrightStor ARCserve Backup Security Notice.

US-CERT recommends that users apply vendor supplied patches to help mitigate the security risks.

Adobe Acrobat and Adobe Reader Vulnerability

Adobe has issued a Security Advisory to address a vulnerability in Adobe Acrobat and Adobe Reader. By convincing a user to open a specially crafted pdf file in Microsoft Internet Explorer 7, an attacker may be able to execute arbitrary code.

US-CERT recommends that users apply the workaround found in the Adobe Security Advisory.

Microsoft Releases October Security Bulletins

Microsoft has released updates to address vulnerabilities in Windows, Outlook Express, Windows Mail, Internet Explorer, and Office as part of the Microsoft Security Bulletin Summary for October 2007.

More information about these vulnerabilities is located in Technical Cyber Security Alert TA07-282A.

US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine what updates should be applied.

Microsoft Releases Advance Notification for October Security Bulletins

Microsoft has issued a Security Bulletin Advance Notification indicating that its October release cycle will contain seven bulletins, of which four have a maximum severity rating of Critical. The notification further states that the bulletins are for Windows, Outlook Express, Windows Mail, Internet Explorer, and Office. The release is scheduled for Tuesday, October 9, 2007.

US-CERT will provide additional information as it becomes available.

Apple QuickTime Security Update

Apple has released a Security Update to address a vulnerability in QuickTime 7.2 for Microsoft Windows. This vulnerability may allow an attacker to execute applications with arbitrary command line arguments by enticing a user to open a crafted QTL file.

More information regarding this vulnerability can be found in Vulnerability Note VU#751808.

To mitigate the security risk, US-CERT recommends that users update to the latest version as described in the Apple QuickTime Security Update document.