July 07, 2009 - Current Activity

Microsoft Releases Security Advisory 972890

Microsoft has released Security Advisory 972890 to alert users about a vulnerability in Microsoft Video ActiveX Control. Exploitation of this vulnerability may allow an attacker to execute arbitrary code. The advisory also indicates that Microsoft is aware of attacks attempting to exploit the vulnerability.

US-CERT encourages users and administrators to review Microsoft Security Advisory 972890 and implement the workaround listed in the advisory. This workaround will help mitigate the risks until a patch or update is released by the vendor.

Additional information regarding this vulnerability can be found in Technical Cyber Security Alert TA09-187A. US-CERT will provide additional information as it becomes available.

FCKeditor Releases Version 2.6.4.1

The FCKeditor project has released FCKeditor version 2.6.4.1 to address a vulnerability. This vulnerability is due to improper verification of input passed to the "CurrentFolder" parameter. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.

Additionally, FCKeditor is part of Adobe ColdFusion 8 and is enabled by default. The Adobe Product Security Incident Response Team (PSIRT) has posted a blog entry indicating that they are aware of public reports of ColdFusion websites being targeted for exploitation of this vulnerability.

US-CERT encourages users and administrators to upgrade to FCKeditor version 2.6.4.1 to help mitigate the risks. ColdFusion 8 users may implement the workarounds listed in the Adobe PSIRT blog entry.

Mozilla Foundation Releases Firefox 3.5

Mozilla Foundation has released Firefox 3.5. The Mozilla Foundation lists multiple security enhancements including improved anti-phishing, anti-malware, and privacy protection.

US-CERT encourages users and administrators to review the Firefox 3.5 release notes and  features and upgrade to Firefox 3.5 as necessary.

Spam, Phishing, and Malicious Code Related to Recent Celebrity Deaths

US-CERT is aware of public reports of an increased number of spam campaigns, phishing attacks, and malicious code targeting the recent deaths of Michael Jackson and Farrah Fawcett. These email messages may attempt to gain user information through phishing attacks or by recording email addresses if the user replies to the message. Additionally, email messages may contain malicious code or may contain a link to a seemingly legitimate website containing malicious code.

US-CERT would like to remind users to remain cautious when receiving unsolicited email. Users are encouraged to take the following measures to protect themselves from these types of attacks:

• Do not follow unsolicited web links received in email messages.
• Install and maintain up-to-date antivirus software.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Adobe Releases Update for Shockwave Player

Adobe has released Shockwave Player 11.5.0.600 to address a vulnerability. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review Adobe security bulletin APSB09-08 and update to Shockwave Player 11.5.0.600 to help mitigate the risks.

Foxit Reader Contains Multiple Vulnerabilities

Foxit Reader has released updates for multiple vulnerabilities. By convincing a user to open a malicious PDF file, an attacker may be able to execute code or cause a vulnerable PDF viewer to crash. The PDF could be emailed as an attachment or hosted on a website.

US-CERT encourages users to review the Foxit Security Bulletin and Vulnerability Note VU#251793 and apply any necessary updates.

Apple Releases iPhone OS 3.0

Apple has released iPhone OS 3.0 to address multiple vulnerabilities across many packages. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, bypass security restrictions, or conduct cross-site scripting attacks.

US-CERT encourages users to review Apple article HT3639 and upgrade to iPhone OS 3.0 to help mitigate the risks.

Apple Releases Java Updates for Mac OS X 10.4 and 10.5

Apple has released Java for Mac OS X 10.4 Release 9 and Java for Mac OS X 10.5 Update 4 to address multiple vulnerabilities in Java. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review Apple articles HT3633 and HT3632 and apply any necessary updates to help mitigate the risks.

Mozilla Foundation Releases Firefox 3.0.11

Mozilla Foundation has released Firefox 3.0.11 to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, mislead users, or obtain sensitive information. The Mozilla Foundation Security Advisories also indicate that many of these vulnerabilities also affect Thunderbird and SeaMonkey; however, updated versions of those packages are not currently available.

US-CERT encourages users to review the Mozilla Foundation Security Advisories released on June 11, 2009 and apply any necessary updates or workarounds to help mitigate the risks.

Adobe Releases Security Updates for Adobe Reader and Acrobat

Adobe has released security updates to address multiple vulnerabilities that affect versions of Reader and Acrobat up to and including Reader 9.1.1 and Acrobat 9.1.1. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Adobe Security Bulletin APSB09-07 and apply any necessary updates to help mitigate the risks. Additional information regarding these vulnerabilities can be found in Technical Cyber Security Alert TA09-161A.