July 27, 2009 - Current Activity

Cisco Releases Security Advisory for Vulnerabilities in Cisco Wireless LAN Controllers

Cisco has released a security advisory to address multiple vulnerabilities in Wireless LAN Controllers. The advisory addresses the following:

• Malformed HTTP or HTTPS authentication response denial-of-service vulnerability.
• SSH connections denial-of-service vulnerability.
• Crafted HTTP or HTTPS request denial-of-service vulnerability.
• Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability.

Microsoft Releases Advance Notification for Out-of-Band Security Bulletins

Microsoft has issued a Security Bulletin Advance Notification indicating that it will be releasing two out-of-band security bulletins. The first bulletin will address issues with Internet Explorer and has the severity rating of critical. The second bulletin will address issues with Visual Studio and has the severity rating of moderate. The notification states that release of these bulletins is scheduled for July 28, 2009.

US-CERT will provide additional information as it becomes available.

Adobe Reader, Acrobat and Flash Player Vulnerability

Adobe has released a security advisory to address a vulnerability in Adobe Reader and Acrobat 9.1.2 and Flash Player 9 and 10. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review the security advisory and implement the following workarounds until a fix is available:

• Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".
  

• Disable Flash Player or selectively enable Flash content as described in the Securing Your Web Browser Document.

Mozilla Releases Firefox 3.0.12

The Mozilla Foundation has released Firefox 3.0.12 to address multiple vulnerabilities in Firefox 3.0.x. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or launch cross-site-scripting attacks.

US-CERT encourages users and administrators to review Mozilla Foundation Security Advisories released on July 21, 2009 and upgrade to Firefox 3.0.12 to help mitigate the risks.

WordPress Releases Version 2.8.2

WordPress has released version 2.8.2 to address a cross-site-scripting vulnerability.

US-CERT encourages users and administrators to review the WordPress Blog entry on WordPress 2.8.2 and apply the upgrade to help mitigate the risks.

Mozilla Firefox 3.5 Vulnerability

The Mozilla Foundation has released Firefox 3.5.1 to address a vulnerability. This vulnerability is due to an error in the way the Just-in-Time (JIT) compiler returns from native functions. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review Mozilla Foundation Security Advisory 2009-41 and upgrade to Firefox 3.5.1 or apply the suggested workaround provided in the advisory. Additional information can also be found in the Vulnerability Notes Database.

Oracle Releases Critical Patch Update for July 2009

Oracle has released its Critical Patch Update for July 2009 to address 30 vulnerabilities across several products. This update contains the following security fixes:

• 10 for the Oracle Database Server
• 2 for Oracle Secure Backup
• 2 for the Oracle Application Server
• 5 for Oracle Applications
• 2 for Oracle Enterprise Manager
• 3 for the Oracle PeopleSoft and JDEdwards Suite
• 1 for the Oracle Siebel Suite
• 5 for the Oracle BEA Products Suite

Microsoft Releases July Security Bulletin

Microsoft has released an update to address vulnerabilities in Microsoft Windows, Virtual PC, Virtual Server, ISA Server, and Office as part of the Microsoft Security Bulletin Summary for July 2009. These vulnerabilities may allow an attacker to execute arbitrary code or operate with elevated privileges.

US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.

Microsoft Releases Security Advisory 973472

Microsoft has released Security Advisory 973472 to alert users about a vulnerability in Microsoft Office Web Components. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code. The advisory indicates that Microsoft is aware of attacks attempting to exploit the vulnerability.

US-CERT encourages users and administrators to review Microsoft Security Advisory 973472 and implement the suggested workaround. Additionally, a Microsoft Fix it tool has been released to assist users in mitigating the risks associated with this vulnerability.

US-CERT will provide additional information as it becomes available.

VMware Releases Security Advisory VMSA-2009-0009 and Updates Security Advisory VMSA-2009-0008.1

VMware has released security advisory VMSA-2009-0009 to address multiple vulnerabilities involving the udev, sudo, and curl packages of the ESX Service Console. These vulnerabilities may allow an attacker to execute arbitrary requests to an affected intranet server, read or overwrite files, or gain elevated privileges on the affected system.

Additionally, VMware has updated security advisory VMSA-2009-0008.1. This advisory addresses a vulnerability in the krb5 package of the ESX Service Console. Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review VMware security advisories VMSA-2009-0009 and VMSA-2009-0008.1 and apply any necessary workarounds or updates to help mitigate the risks.