January 14, 2008 - Current Activity

Attack Vector Targets UPnP

US-CERT is aware of an attack vector targeting networking devices that support UPnP (Universal Plug and Play). This specific attack occurs via a maliciously crafted SWF file that is contained in a web site. When the web site is visited, changes may occur to a router's configuration via UPnP. This may allow an attacker to change any parameter on the router or device that can be set by UPnP.

US-CERT recommends that users consider disabling UPnP. (Note: Disabling UPnP may cause applications that rely on UPnP to fail or operate with reduced functionality.)

US-CERT will provide more information as it becomes available.

QuickTime Real Time Streaming Protocol Vulnerability

US-CERT is aware of a public report of a vulnerability in Apple QuickTime. The flaw is in the way that QuickTime handles Real Time Streaming Protocol (RTSP) Response message headers. By persuading a user to access a specially crafted QuickTime file, or RTSP stream, a remote attacker may be able to execute arbitrary code or cause a denial of service on a vulnerable system.

More information regarding this security risk may be found in Vulnerability Note VU#112179.

Widespread SQL Injection Attacks Compromising Websites

US-CERT is aware of widespread SQL injection attacks compromising websites across all sectors.  The compromised sites have been modified to include a reference to a malicious JavaScript file. When a user unknowingly visits a compromised site, they are silently re-directed to a series of malicious web pages that attempt to exploit multiple client-side vulnerabilities in a number of applications, including Internet Explorer and RealPlayer.

More information regarding this security risk may be found in the following:

• Vulnerability Note VU#871673
• Sans.org Mass exploits with SQL Injection Document

• Update RealPlayer to the latest version
• Disable ActiveX as described in the Securing Your Web Browser document

New iPhone Trojan Spreading

US-CERT has received reports of a new Trojan horse program that affects the Apple iPhone. This Trojan claims to be a tool used to prepare the device for an upgrade to firmware version 1.1.3. When a user installs the Trojan, other application components are altered. If the Trojan is uninstalled, the affected applications may also be removed.

US-CERT strongly encourages users to install updates and application software only from trusted sources. 

Microsoft Releases January Security Bulletin

Microsoft has released updates to address vulnerabilities in Windows as part of the Microsoft Security Bulletin Summary for January 2008.

More information about these vulnerabilities can be found in Technical Cyber Security Alert TA08-008A and in the Vulnerability Notes Database.

US-CERT strongly encourages users to review the bulletins and follow best-practice security policies to determine which updates should be applied.

Microsoft Releases Advance Notification for January Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that its January release cycle will contain 2 bulletins, one of which have a severity rating of Critical. The notification states that both of the bulletins are for the Windows operating system. The release is scheduled for Tuesday, January 8, 2008.

US-CERT will provide additional information as it becomes available.

Flash File Cross-Site Scripting Vulnerabilities

US-CERT is aware of reported vulnerabilities in Flash (SWF) files that may allow a remote, unauthenticated attacker to conduct cross-site scripting attacks on a vulnerable system. The flaws exist in the way that input is validated when passed to embedded ActionScript and JavaScript in the SWF file. Authoring tools that automatically generate Flash files may introduce these vulnerabilities.
 
More information regarding these vulnerabilities can be found in: 

• Vulnerability Note VU#249337
• Web site document "XSS Vulnerabilities in Common Shockwave Flash Files"