July 02, 2009 - Current Activity

Mozilla Foundation Releases Firefox 3.5

Mozilla Foundation has released Firefox 3.5. The Mozilla Foundation lists multiple security enhancements including improved anti-phishing, anti-malware, and privacy protection.

US-CERT encourages users and administrators to review the Firefox 3.5 release notes and  features and upgrade to Firefox 3.5 as necessary.

Spam, Phishing, and Malicious Code Related to Recent Celebrity Deaths

US-CERT is aware of public reports of an increased number of spam campaigns, phishing attacks, and malicious code targeting the recent deaths of Michael Jackson and Farrah Fawcett. These email messages may attempt to gain user information through phishing attacks or by recording email addresses if the user replies to the message. Additionally, email messages may contain malicious code or may contain a link to a seemingly legitimate website containing malicious code.

US-CERT would like to remind users to remain cautious when receiving unsolicited email. Users are encouraged to take the following measures to protect themselves from these types of attacks:

• Do not follow unsolicited web links received in email messages.
• Install and maintain up-to-date antivirus software.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Adobe Releases Update for Shockwave Player

Adobe has released Shockwave Player 11.5.0.600 to address a vulnerability. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review Adobe security bulletin APSB09-08 and update to Shockwave Player 11.5.0.600 to help mitigate the risks.

Foxit Reader Contains Multiple Vulnerabilities

Foxit Reader has released updates for multiple vulnerabilities. By convincing a user to open a malicious PDF file, an attacker may be able to execute code or cause a vulnerable PDF viewer to crash. The PDF could be emailed as an attachment or hosted on a website.

US-CERT encourages users to review the Foxit Security Bulletin and Vulnerability Note VU#251793 and apply any necessary updates.

Apple Releases iPhone OS 3.0

Apple has released iPhone OS 3.0 to address multiple vulnerabilities across many packages. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, bypass security restrictions, or conduct cross-site scripting attacks.

US-CERT encourages users to review Apple article HT3639 and upgrade to iPhone OS 3.0 to help mitigate the risks.

Apple Releases Java Updates for Mac OS X 10.4 and 10.5

Apple has released Java for Mac OS X 10.4 Release 9 and Java for Mac OS X 10.5 Update 4 to address multiple vulnerabilities in Java. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review Apple articles HT3633 and HT3632 and apply any necessary updates to help mitigate the risks.

Mozilla Foundation Releases Firefox 3.0.11

Mozilla Foundation has released Firefox 3.0.11 to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, mislead users, or obtain sensitive information. The Mozilla Foundation Security Advisories also indicate that many of these vulnerabilities also affect Thunderbird and SeaMonkey; however, updated versions of those packages are not currently available.

US-CERT encourages users to review the Mozilla Foundation Security Advisories released on June 11, 2009 and apply any necessary updates or workarounds to help mitigate the risks.

Adobe Releases Security Updates for Adobe Reader and Acrobat

Adobe has released security updates to address multiple vulnerabilities that affect versions of Reader and Acrobat up to and including Reader 9.1.1 and Acrobat 9.1.1. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Adobe Security Bulletin APSB09-07 and apply any necessary updates to help mitigate the risks. Additional information regarding these vulnerabilities can be found in Technical Cyber Security Alert TA09-161A.

Microsoft Releases June Security Bulletin

Microsoft has released an update to address vulnerabilities in Microsoft Windows, Office, and Internet Explorer as part of the Microsoft Security Bulletin Summary for June 2009. These vulnerabilities may allow an attacker to execute arbitrary code, operate with elevated privileges, or obtain sensitive information.

US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied. Additional information regarding these vulnerabilities can be found in Technical Cyber Security Alert TA09-160A.

Apple Releases Safari 4.0

Apple has released Safari 4.0 for Windows and Mac OS X to address multiple vulnerabilities in CFNetwork, CoreGraphics, ImageIO, International Components for Unicode, libxml, Safari, Safari Windows Installer, and WebKit. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, bypass security restrictions, or conduct cross-site scripting attacks.

US-CERT encourages users and administrators to review Apple article HT3613 and upgrade to Safari 4.0 to help mitigate the risks.