July 22, 2009 - Current Activity

Adobe Reader, Acrobat and Flash Player Vulnerability

Adobe has released a blog post indicating that it is aware of reports of a vulnerability affecting Adobe Reader and Acrobat 9.1.2 and Flash Player 9 and 10.

US-CERT encourages users and administrators to review the blog post and implement the following workarounds until the vendor releases additional information:

• Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".
  

• Disable Flash Player or selectively enable Flash content as described in the Securing Your Web Browser Document.

Mozilla Releases Firefox 3.0.12

The Mozilla Foundation has released Firefox 3.0.12 to address multiple vulnerabilities in Firefox 3.0.x. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or launch cross-site-scripting attacks.

US-CERT encourages users and administrators to review Mozilla Foundation Security Advisories released on July 21, 2009 and upgrade to Firefox 3.0.12 to help mitigate the risks.

WordPress Releases Version 2.8.2

WordPress has released version 2.8.2 to address a cross-site-scripting vulnerability.

US-CERT encourages users and administrators to review the WordPress Blog entry on WordPress 2.8.2 and apply the upgrade to help mitigate the risks.

Mozilla Firefox 3.5 Vulnerability

The Mozilla Foundation has released Firefox 3.5.1 to address a vulnerability. This vulnerability is due to an error in the way the Just-in-Time (JIT) compiler returns from native functions. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review Mozilla Foundation Security Advisory 2009-41 and upgrade to Firefox 3.5.1 or apply the suggested workaround provided in the advisory. Additional information can also be found in the Vulnerability Notes Database.

Oracle Releases Critical Patch Update for July 2009

Oracle has released its Critical Patch Update for July 2009 to address 30 vulnerabilities across several products. This update contains the following security fixes:

• 10 for the Oracle Database Server
• 2 for Oracle Secure Backup
• 2 for the Oracle Application Server
• 5 for Oracle Applications
• 2 for Oracle Enterprise Manager
• 3 for the Oracle PeopleSoft and JDEdwards Suite
• 1 for the Oracle Siebel Suite
• 5 for the Oracle BEA Products Suite

Microsoft Releases July Security Bulletin

Microsoft has released an update to address vulnerabilities in Microsoft Windows, Virtual PC, Virtual Server, ISA Server, and Office as part of the Microsoft Security Bulletin Summary for July 2009. These vulnerabilities may allow an attacker to execute arbitrary code or operate with elevated privileges.

US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.

Microsoft Releases Security Advisory 973472

Microsoft has released Security Advisory 973472 to alert users about a vulnerability in Microsoft Office Web Components. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code. The advisory indicates that Microsoft is aware of attacks attempting to exploit the vulnerability.

US-CERT encourages users and administrators to review Microsoft Security Advisory 973472 and implement the suggested workaround. Additionally, a Microsoft Fix it tool has been released to assist users in mitigating the risks associated with this vulnerability.

US-CERT will provide additional information as it becomes available.

VMware Releases Security Advisory VMSA-2009-0009 and Updates Security Advisory VMSA-2009-0008.1

VMware has released security advisory VMSA-2009-0009 to address multiple vulnerabilities involving the udev, sudo, and curl packages of the ESX Service Console. These vulnerabilities may allow an attacker to execute arbitrary requests to an affected intranet server, read or overwrite files, or gain elevated privileges on the affected system.

Additionally, VMware has updated security advisory VMSA-2009-0008.1. This advisory addresses a vulnerability in the krb5 package of the ESX Service Console. Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review VMware security advisories VMSA-2009-0009 and VMSA-2009-0008.1 and apply any necessary workarounds or updates to help mitigate the risks.

WordPress Releases Version 2.8.1

WordPress has released version 2.8.1 to address multiple vulnerabilities.

US-CERT encourages users to review the WordPress Blog entry related to these issues and upgrade to version 2.8.1 as necessary.

Microsoft Releases Advance Notification for July Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that the July release cycle will contain six bulletins, three of which will have a severity rating of critical. The notification states that these critical bulletins are for Microsoft Windows. There will also be three important bulletins for Microsoft Office, Virtual PC and Virtual Server, and ISA Server. Release of these bulletins is scheduled for Tuesday, July 14.

US-CERT will provide additional information as it becomes available.