October 15, 2008 - Current Activity

Oracle Releases Critical Patch Update for October 2008

Oracle has released their Critical Patch Update for October 2008 to address 36 vulnerabilities across several products. This update contains the following security fixes:

• 15 updates for Oracle Database Suite
• 6 updates for Oracle Application Server
• 4 updates for Oracle E-Business Suite and Applications
• 5 updates for Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne
• 6 Updates for BEA Product Suite

Microsoft Updates Security Advisory 951306

In April 2008, Microsoft released Security Advisory 951306 to alert users of a vulnerability in Microsoft Windows. This vulnerability may allow local users, or users who can legitimately run code in the context of IIS or SQL Server, to operate with elevated privileges. Recently, Microsoft Security Response Center (MSRC) posted several blog entries indicating that the Security Advisory was updated to reflect the availability of public exploit code. A patch or update is not available to correct this issue.

US-CERT encourages users and administrators to do the following to help mitigate the risks:

• Review the updated Security Advisory 951306 and apply the suggested workarounds.
• Review the MSRC blog entries from October 9, 2008 and October 13, 2008.

Microsoft Releases October Security Bulletin

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer, Host Integration Server, and Office as part of the Microsoft Security Bulletin Summary for October 2008. These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information or operate with elevated privileges.

US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.

CA ARCserve Backup Vulnerabilities

CA has released a Security Notice to address multiple vulnerabilities in CA ARCserve Backup. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review the Security Notice and apply any necessary updates to help mitigate the risks.

Apple Releases Security Update 2008-007

Apple has released Security Update 2008-007 to address multiple vulnerabilities in a number of applications. These vulnerabilities may allow an attacker to execute arbitrary code, conduct cross-site request forgery or cross-site scripting attacks, cause a denial-of-service condition, or operate with escalated privileges.

US-CERT encourages users and administrators to review Apple Article HT3216 and apply any necessary updates to help mitigate the risks.

Microsoft Releases Advance Notification for October Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that its October release cycle will contain 11 bulletins, four of which will have the severity rating of Critical. The notification states that these Critical bulletins are for Microsoft Windows, Internet Explorer, Host Integration Server, and Office. There will also be six Important bulletins for Microsoft Windows. The remaining bulletin, for Microsoft Windows, will have the severity rating of Moderate. Release of these bulletins is scheduled for Tuesday, October 14.

US-CERT will provide additional information as it becomes available.

Cisco Releases Advisory for Cisco Unity

Cisco Security Advisory cisco-sa-20081008-unity was released to address a vulnerability in Cisco Unity, a voice and unified messaging platform. This vulnerability may allow an attacker to view and alter configuration parameters of the Cisco Unity server.

US-CERT encourages users to do the following:

• Review Cisco Security Advisory cisco-sa-20081008-unity
• Apply software updates and workaround provided by Cisco
  

Opera Software Releases Opera Version 9.60

Opera Software has released Opera version 9.60 to address two vulnerabilities. The first vulnerability is due to improper validation of URLs. Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition. The second vulnerability is due to unsafe storage of cached Java applets. Exploitation of this vulnerability may allow an attacker to obtain sensitive information or escape other normal restrictions.

US-CERT encourages users and administrators to review Opera Advisory 901 and 902 and upgrade to version 9.60 to help mitigate the risks.

Multiple Web Browsers Affected by Clickjacking

US-CERT is aware of public reports of a new cross-browser exploit technique called "clickjacking." According to one of the reports, clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a web page, they may actually be clicking on content from another page. A separate report indicates that this flaw affects most web browsers and that no fix is available, but that disabling browser scripting and plug-ins may help mitigate some of the risks.

An additional report suggests that Firefox users consider using the NoScript plug-in as an added preventative measure. Disabling IFRAMEs, active content, and plug-ins by default, as outlined in the Securing Your Web Browser document, may protect against the vulnerability. Note, disabling IFRAMES, active content, and plug-ins may reduce the functionality of some websites.

US-CERT encourages users to review the report and follow the security recommendations as described in the Securing Your Web Browser document to help mitigate some of the risks. Website developers may want to incorporate additional authentication techniques, such as capchas, out-of-band email verification, or other methods to verify sensitive web transactions.

US-CERT will provide additional information as it becomes available.

Bank Acquisitions and Phishing Scams

US-CERT is aware of an increase in public reports of phishing scams related to recent bank acquisitions. Due to an increase in this activity, US-CERT would like to remind users to remain cautious when receiving unsolicited email that could be a potential phishing scam.

Phishing scams may appear as requests for users to verify personal and bank account information, enroll in additional bank services, or activate new security features. The email messages may contain a link that, when clicked, will take the user to a fraudulent web site that appears to be a legitimate bank web site. The users may be asked to provide personal information or that can further expose them to future compromises. Additionally, these fraudulent web sites may contain malicious code.

Users are encouraged to take the following measures to protect themselves from phishing scams:

• Do not follow unsolicited web links received in email messages..
• Install anti-virus software, and keep its virus signature files up-to-date.
• Review the Recognizing and Avoiding Email Scams (pdf) document.
• Review the Avoiding Social Engineering and Phishing Attacks document.