May 06, 2008 - Current Activity

PHP 5.2.6 Released

PHP has released version 5.2.6 to address multiple vulnerabilities. These vulnerabilities include

• an error in FastCGI SAPI which may result stack-based buffer overflow
• an integer overflow in printf()
• an error in init_request_info(), which may result in a buffer overflow
  
• an error in cURL, which may result in safe_mode bypass
• improper handling of input passed to escapeshellcmd()
• a boundary error in the bundled version of the PCRE library
  

Common Data Format Buffer Overflow Vulnerability

NASA has issued an advisory regarding a vulnerability in Common Data Format (CDF) version 3.2 and earlier. This vulnerability is due to a buffer overflow condition in the handling of specially-crafted CDF files. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.

US-CERT encourages users to review the NASA advisory and update to CDF 3.2.1 to help mitigate the risk.

US-CERT will provide additional information as it becomes available.

WordPress Vulnerabilities

WordPress has released version 2.5.1 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to bypass security restrictions or conduct a cross-site scripting attack.

US-CERT encourages users to review the WordPress 2.5.1 release notes and apply any necessary updates.

Compromised Websites Hosting Malicious JavaScript

US-CERT is following reports of SQL injection attacks that have compromised a large number of legitimate websites. The compromised websites contain injected JavaScript that attempts to exploit multiple, known vulnerabilities. Users who visit a compromised website may unknowingly execute malicious code.

US-CERT encourages users to do the following to help mitigate the risks of this and similar attacks:

• Regularly apply software updates and patches provided by vendors.
• Disable JavaScript and ActiveX as described in the Securing Your Web Browser document.

HP Software Update Vulnerabilities

US-CERT is aware of reports of multiple vulnerabilities affecting HP Software Update. These vulnerabilities are due to insecure methods in multiple ActiveX controls. Exploitation of these vulnerabilities may allow a remote attacker to execute arbitrary code or view or modify sensitive information.

US-CERT encourages users to do the following to help mitigate the risks:

• Review the HP Support document and update to HP Software Update v4.000.010.008.
• Set the kill bit for the CLSIDs listed in the HP Support document.
• Disable ActiveX as described in the Securing Your Web Browser document.

IRS Rebate Phishing Scam

US-CERT is aware of a public report indicating that a phishing scam is circulating. This scam is related to the U.S. Internal Revenue Service economic stimulus rebate and arrives via email messages that appear to be from the IRS. The messages include text that attempts to convince users to follow a link to a website before a deadline to expedite the rebate process. This website requests that the user provide bank account information.

US-CERT encourages users to do the following to help mitigate the risks:

• Do not follow unsolicited web links received in email messages.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks (pdf) document for more information on social engineering attacks.
• Refer to the Internal Revenue Service Service Suspicious e-Mails and Identity Theft website for more information on current scams.

Apple QuickTime Vulnerability Report

US-CERT is aware of a public report of a new vulnerability in Apple QuickTime. The report indicates that if a user opens a specially crafted QuickTime file, an attacker may be able to execute arbitrary code. This vulnerability may have several attack vectors, such as visiting a malicious or compromised website. US-CERT is currently investigating this report and will provide additional details as needed.

US-CERT encourages users to use caution when opening QuickTime files, and apply the best security practices described in the Securing Your Web Browser document, to help mitigate the risks.

ICQ Vulnerability

US-CERT is aware of public reports of a vulnerability in ICQ 6. This vulnerability is due to a heap buffer overflow condition in the "Personal Status Manager" feature that occurs when processing specially crafted status messages. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

 US-CERT encourages users to update to ICQ 6.0.0.6059 to help mitigate the risks.

Microsoft Releases Security Advisory (951306)

Microsoft has released a Security Advisory to address a vulnerability in Windows. This vulnerability may allow an authenticated attacker to execute code with LocalSystem privileges.

US-CERT encourages users to review Microsoft Security Advisory 951306 and apply the workarounds.

Apple Releases Safari 3.1.1

Apple has released Safari 3.1.1 to address multiple vulnerabilities in Safari and WebKit. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, conduct cross-site scripting attacks, or spoof the contents of the browser address bar.

US-CERT encourages users to review Apple's About the security content of Safari 3.1.1 document and upgrade to Safari 3.1.1 to help mitigate the risks.