February 08, 2008 - Current Activity

Microsoft to Release Internet Explorer 7.0 via WSUS

Microsoft has issued Knowledge Base article 946202 indicating that on Tuesday, February 12, 2008, they will release Windows Internet Explorer (IE) 7 via Windows Server Update Services (WSUS). This update will only affect users and administrators who use WSUS to manage updates.

Users and administrators of Internet Explorer who do not wish to upgrade to IE 7 should review the "Postponing the Windows Internet Explorer 7 Deployment" section in Knowledge Base article 946202.

Mozilla Releases Updates to Address Vulnerabilities in Multiple Products

Mozilla has released Firefox 2.0.0.12, Thunderbird 2.0.0.12, and SeaMonkey 1.1.8 to address multiple vulnerabilities. The impacts of these vulnerabilities include arbitrary code execution, denial of service, cross-site scripting, directory transversal, and information disclosure.

More information regarding these vulnerabilities and updated products can be found at the Mozilla Foundation Security Advisory web site.

US-CERT will continue to investigate and provide additional information as it becomes available.

Microsoft Releases Advance Notification for February Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that its February release cycle will contain 12 bulletins, seven of which will have a severity rating of Critical.  The notification states that these Critical bulletins are for Microsoft Windows, Office, Visual Basic, VBScript, JScript and Internet Explorer. There will also be five Important bulletins for Windows, IIS, Active Directory, ADAM, Office, Works, and Works Suite. The release is scheduled for Tuesday, February 12, 2008.

US-CERT will provide additional information as it becomes available.

Adobe Reader Update

Adobe has released Adobe Reader 8.1.2 to address multiple unspecified vulnerabilities.

US-CERT encourages users to review Adobe Knowledgebase Article kb403079 and apply the update as soon as possible.

Apple QuickTime Update

Apple has released QuickTime 7.4.1 to address a vulnerability in QuickTime.  By convincing a user to visit a malicious web site, an attacker may be able to execute arbitrary code or cause a denial of service condition.

More information about this vulnerability is located in the Vulnerability Notes Database.

US-CERT encourages users to apply the appropriate updates as soon as possible.

Sun Java SE 6 Update

Sun has released an update for Java SE 6.  This update addresses two vulnerabilities.  These vulnerabilities may allow an untrusted application to execute with elevated privileges on an affected system.

US-CERT encourages users to review the Sun Java SE 6 Update 4 release notes and apply the update.

US-CERT will provide more information as it becomes available.

Fraudulent Microsoft Update Web Site

US-CERT is aware of a fraudulent Microsoft Update web site. This web site contains an "Urgent Install" button that, when clicked, attempts to download and install malicious software on a user's system. The file that attempts to download is not signed by Microsoft and is called "WindowsUpdateAgent30-x86-x64.exe". Of further interest, this web site is using fast flux DNS for its web hosting.

US-CERT urges users and administrators to take the following preventative measures to mitigate the security risks:

• Install anti-virus software, and keep its virus signature files up-to-date.
• Do not follow unsolicited web links received in email messages.
• Verify the web site by manually typing the URL when attempting to connect to web sites recommended in an email.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
• Follow the guidance provided in the Recognize and avoid fraudulent e-mail to Microsoft customers document from Microsoft.
  

Apple Releases Security Update to Address iPhoto Vulnerability

Apple has released iPhoto 7.1.2 to address a vulnerability in this product. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system.

US-CERT encourages users to review Apple Article 307398 and apply the update as soon as possible.

Yahoo! Music Jukebox ActiveX Buffer Overflow Vulnerabilities

US-CERT is aware of publicly available exploit code for vulnerabilities affecting Yahoo! Music Jukebox. These vulnerabilities are caused by buffer overflows in the Yahoo! MediaGrid ActiveX control and the YMP Datagrid ActiveX control. Successful exploitation of these vulnerabilities may allow a remote attacker to execute arbitrary code on a vulnerable system.

More information regarding these vulnerabilities can be found in Vulnerability Notes VU#101676 and VU#340860.

US-CERT encourages users to Disable ActiveX controls as described in the Securing Your Web Browser document.

Publicly Available Exploit for Facebook and MySpace Image Uploader Vulnerability

US-CERT is aware of publicly available exploit code for an unpatched vulnerability affecting an image uploader used by Facebook and MySpace. This vulnerability is caused by a buffer overflow in Aurigma's ImageUploader ActiveX control. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code on an affected system.

More information regarding this vulnerability can be found in Vulnerability Note VU#776931.

US-CERT encourages users to Disable ActiveX controls as described in the Securing Your Web Browser document.

US-CERT will continue to investigate and provide additional information as it becomes available.