January 21, 2008 - Current Activity

Skype Releases Security Bulletin to Address Cross Zone Scripting Vulnerability

Skype has released Security Bulletin SKYPE-SB/2008-001 to address a cross zone scripting vulnerability. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on an affected system.

As per Security Bulletin SKYPE-SB/2008-001, Skype has temporarily disabled users' ability to add videos from Dailymotion gallery until an official fix has been made available.

US-CERT will provide more information as it become available.

Citrix Releases Update to Address Vulnerability

Citrix has released Knowledge Center Article CTX114487 to address a vulnerability in Citrix Presentation Server's IMA Service. This vulnerability may allow an attacker to execute arbitrary code on an affected system.

US-CERT encourages users to review Citrix Knowledge Center Article CTX114487 and apply the appropriate hotfix as soon as possible.

US-CERT will continue to investigate and provide additional information as it becomes available.

Adobe Releases Security Bulletins to Address Multiple Cross-Site Scripting Vulnerabilities

Adobe has issued Security Bulletin APSB08-01 and Security Bulletin APSB08-02 to address multiple vulnerabilities in Adobe Dreamweaver, Adobe Contribute, and Adobe Connect Enterprise Server. These software packages may contain cross-site scripting vulnerabilities that could allow a remote, unauthenticated attacker to execute arbitrary code on an affected system.

US-CERT encourages users to review Security Bulletin APSB08-01 for the Adobe Dreamweaver and Adobe Contribute updates and Security Bulletin APSB08-02 for the Adobe Connect Enterprise Server update. Users are also encouraged to apply the appropriate updates as soon as possible.

US-CERT will continue to investigate and provide additional information as it becomes available.

Oracle Releases Critical Patch Update for January 2008

Oracle has released their Critical Patch Update (CPU) for January 2008 to address 26 vulnerabilities across several products. This CPU contains eight security fixes for Oracle Database products; six for Oracle Application Server; one for Oracle Collaboration Suite; seven for Oracle E-Business Suite; and four for Oracle PeopleSoft Enterprise PeopleTools.

US-CERT strongly encourages users to review the January CPU and follow best-practice security policies to determine which updates to apply.

More information regarding these vulnerabilities can be found in Technical Cyber Security Alert TA08-017A.

Cisco Releases Security Advisory to Address Vulnerability in Cisco Unified Communication Manager

Cisco has released Security Advisory cisco-sa-20080116-cucmctl to address a heap overflow in the Certificate Trust List (CTL) Provider service in Cisco Unified Communications Manager (CUCM). This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service condition on an affected system.

More information regarding this vulnerability can be found in the Cisco Security Advisory: Cisco Unified Communications Manager CTL Provider Heap Overflow.

US-CERT strongly recommends that administrators review the Cisco Security Advisory above and follow best-practice security policies to determine what updates or workarounds should be applied.

Apple Releases Security Updates to Address Multiple Vulnerabilities

Apple has released QuickTime 7.4, iPhone v1.1.3, and iPod touch v1.1.3 to address multiple vulnerabilities in these products. The impacts of these vulnerabilities include arbitrary code execution, application termination, authentication bypass, and cross-site scripting.

US-CERT encourages users to review Apple Article 307301 for the QuickTime update and Apple Article 307302 for the iPhone and iPod touch updates. Users are also encouraged to apply the appropriate updates as soon as possible.

More information regarding the QuickTime vulnerabilies can be found in Technical Cyber Security Alert TA08-016A.

US-CERT will continue to investigate and provide additional information as it becomes available.

Microsoft Office Excel Remote Code Vulnerability

Microsoft has released Security Advisory 947563 to address a vulnerability in Excel. Successful exploitation could allow a remote, unauthenticated attacker to execute arbitrary code with the privileges of the local user.

According to Security Advisory 947563:

• This vulnerability cannot be exploited on Microsoft Office Excel 2003 Service Pack 3, Microsoft Office Excel 2007, Microsoft Office Excel 2007 Service Pack 1, or Microsoft Excel 2008 for Mac.
• This vulnerability does not affect customers who are running Microsoft Office Excel 2003 Service Pack 2 and have deployed Microsoft Office Isolated Conversion Environment (MOICE).

• Do not open unfamiliar or unexpected email attachments
• Review the workarounds described in Microsoft Security Advisory 947563