  • July 09, 2009 - Current Activity

    This is an archived copy of current activity. If you would like to see the most recent version, please click here.

    July 9: Microsoft Releases Advance Notification for July Security Bulletin
    July 9: FCKeditor Releases Version 2.6.4.1
    July 9: Apple Releases Safari 4.0.2
    July 6: Microsoft Releases Security Advisory 972890
    June 30: Mozilla Foundation Releases Firefox 3.5
    June 26: Spam, Phishing, and Malicious Code Related to Recent Celebrity Deaths
    June 24: Adobe Releases Update for Shockwave Player
    June 23: Foxit Reader Contains Multiple Vulnerabilities
    June 18: Apple Releases iPhone OS 3.0
    June 16: Apple Releases Java Updates for Mac OS X 10.4 and 10.5



    Microsoft Releases Advance Notification for July Security Bulletin

    added July 9, 2009 at 01:58 pm

    Microsoft has issued a Security Bulletin Advance Notification indicating that the July release cycle will contain six bulletins, three of which will have a severity rating of critical. The notification states that these critical bulletins are for Microsoft Windows. There will also be three important bulletins for Microsoft Office, Virtual PC and Virtual Server, and ISA Server. Release of these bulletins is scheduled for Tuesday, July 14.

    US-CERT will provide additional information as it becomes available.


    FCKeditor Releases Version 2.6.4.1

    added July 6, 2009 at 12:37 pm | updated July 9, 2009 at 11:39 am

    The FCKeditor project has released FCKeditor version 2.6.4.1 to address a vulnerability. This vulnerability is due to improper verification of input passed to the "CurrentFolder" parameter. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.

    Additionally, FCKeditor is part of Adobe ColdFusion 8 and is enabled by default. The Adobe Product Security Incident Response Team (PSIRT) has posted a blog entry indicating that they are aware of public reports of ColdFusion websites being targeted for exploitation of this vulnerability.

    US-CERT encourages users and administrators to upgrade to FCKeditor version 2.6.4.1 to help mitigate the risks. ColdFusion 8 users should review Adobe security bulletin APSB09-09 and apply the hotfix to help mitigate the risks.


    Apple Releases Safari 4.0.2

    added July 9, 2009 at 10:42 am

    Apple has released Safari 4.0.2 to address multiple vulnerabilities in the WebKit component of Safari. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, conduct cross-site scripting attacks, or cause a denial-of-service condition. These vulnerabilities affect Safari running on both the Mac OS X and Windows platforms.

    US-CERT encourages users to review Apple article HT3666 and upgrade to Safari 4.0.2 to help mitigate the risks.


    Microsoft Releases Security Advisory 972890

    added July 6, 2009 at 01:57 pm | updated July 6, 2009 at 05:06 pm

    Microsoft has released Security Advisory 972890 to alert users about a vulnerability in Microsoft Video ActiveX Control. Exploitation of this vulnerability may allow an attacker to execute arbitrary code. The advisory also indicates that Microsoft is aware of attacks attempting to exploit the vulnerability.

    US-CERT encourages users and administrators to review Microsoft Security Advisory 972890 and implement the workaround listed in the advisory. This workaround will help mitigate the risks until a patch or update is released by the vendor.

    Additional information regarding this vulnerability can be found in Technical Cyber Security Alert TA09-187A. US-CERT will provide additional information as it becomes available.


    Mozilla Foundation Releases Firefox 3.5

    added June 30, 2009 at 11:49 am

    Mozilla Foundation has released Firefox 3.5. The Mozilla Foundation lists multiple security enhancements including improved anti-phishing, anti-malware, and privacy protection.

    US-CERT encourages users and administrators to review the Firefox 3.5 release notes and features and upgrade to Firefox 3.5 as necessary.


    Spam, Phishing, and Malicious Code Related to Recent Celebrity Deaths

    added June 26, 2009 at 10:44 am

    US-CERT is aware of public reports of an increased number of spam campaigns, phishing attacks, and malicious code targeting the recent deaths of Michael Jackson and Farrah Fawcett. These email messages may attempt to gain user information through phishing attacks or by recording email addresses if the user replies to the message. Additionally, email messages may contain malicious code or may contain a link to a seemingly legitimate website containing malicious code.

    US-CERT would like to remind users to remain cautious when receiving unsolicited email. Users are encouraged to take the following measures to protect themselves from these types of attacks:


    Adobe Releases Update for Shockwave Player

    added June 24, 2009 at 07:54 am

    Adobe has released Shockwave Player 11.5.0.600 to address a vulnerability. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system.

    US-CERT encourages users and administrators to review Adobe security bulletin APSB09-08 and update to Shockwave Player 11.5.0.600 to help mitigate the risks.


    Foxit Reader Contains Multiple Vulnerabilities

    added June 23, 2009 at 09:54 am

    Foxit Reader has released updates for multiple vulnerabilities. By convincing a user to open a malicious PDF file, an attacker may be able to execute code or cause a vulnerable PDF viewer to crash. The PDF could be emailed as an attachment or hosted on a website.

    US-CERT encourages users to review the Foxit Security Bulletin and Vulnerability Note VU#251793 and apply any necessary updates.


    Apple Releases iPhone OS 3.0

    added June 18, 2009 at 08:09 am

    Apple has released iPhone OS 3.0 to address multiple vulnerabilities across many packages. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, bypass security restrictions, or conduct cross-site scripting attacks.

    US-CERT encourages users to review Apple article HT3639 and upgrade to iPhone OS 3.0 to help mitigate the risks.


    Apple Releases Java Updates for Mac OS X 10.4 and 10.5

    added June 16, 2009 at 08:45 am

    Apple has released Java for Mac OS X 10.4 Release 9 and Java for Mac OS X 10.5 Update 4 to address multiple vulnerabilities in Java. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

    US-CERT encourages users and administrators to review Apple articles HT3633 and HT3632 and apply any necessary updates to help mitigate the risks.