August 12, 2009 - Current Activity

Apple Releases Safari 4.0.3

Apple has released Safari 4.0.3 for Windows and Mac OS X to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or spoof a website.

US-CERT encourages users and administrators to review Apple article HT3733 and upgrade to Safari 4.0.3 to help mitigate the risks.

Microsoft Releases August Security Bulletin

Microsoft has released an update to address vulnerabilities in Microsoft Windows, Office, Visual Studio, ISA Server, BizTalk Server, Remote Desktop Connection Client for Mac, and .NET Framework as part of the Microsoft Security Bulletin Summary for August 2009. These vulnerabilities may allow an attacker to execute arbitrary code, operate with escalated privileges, or cause a denial-of-service condition.

US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied. Additional information regarding these vulnerabilities can be found in US-CERT Technical Cyber Security Alert TA09-223A.

Apple Releases Mac OS X v10.5.8 and Security Update 2009-003

Apple has released Mac OS X v10.5.8 and Security Update 2009-003 to address multiple vulnerabilities in a number of applications. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, bypass security mechanisms, operate with escalated privileges, or obtain sensitive information.

US-CERT encourages users and administrators to review Apple article HT3757 and apply any necessary updates to help mitigate the risks. Additional information can be found in US-CERT Technical Cyber Security Alert TA09-218A.

Microsoft Releases Advance Notification for August Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that the August release cycle will contain nine bulletins, five of which will have a severity rating of critical. The notification states that these critical bulletins are for Microsoft Office, Visual Studio, ISA Server, BizTalk Server, Windows, and Client for Mac. There will also be four important bulletins for Microsoft Windows and .NET Framework. Release of these bulletins is scheduled for Tuesday, August 11.

US-CERT will provide additional information as it becomes available.

Sun Releases Update 15 for Java SE 6

Sun has released update 15 for the Java SE JDK 6 and the Java SE JRE 6 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, operate with escalated privileges, or bypass authentication methods.

US-CERT encourages users and administrators to review the Java SE 6 Update 15 release notes and apply any necessary updates to help mitigate the risks.

Mozilla Releases Firefox 3.0.13 and Firefox 3.5.2

The Mozilla Foundation has released Firefox 3.0.13 and Firefox 3.5.2 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, display misleading SSL information about a web page, intercept and modify encrypted communication, execute arbitrary JavaScript with chrome privileges, or cause a denial-of-service condition.

US-CERT encourages users to review the Mozilla Foundation security advisories for Firefox 3.0 and Firefox 3.5 and apply any necessary updates or workarounds to help mitigate the risks.

US-CERT will provide more information as it becomes available.

Apple Releases iPhone OS 3.0.1

Apple has released iPhone OS 3.0.1 to address a vulnerability in the CoreTelephony component. By sending a specially crafted SMS message to a user, an attacker may be able to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users review Apple article HT3754 and apply any necessary updates to help mitigate the risk.

Adobe Releases Security Updates for Reader and Acrobat

Adobe has released Reader 9.1.3 and Acrobat 9.1.3 to address a vulnerability. By convincing a user to open a PDF document embedded with a specially crafted SWF file, an attacker may be able to execute arbitrary code.

US-CERT encourages users and administrators to review Adobe security bulletin APSB09-10 and apply any necessary updates to help mitigate the risks. Additional information regarding this vulnerability can be found in US-CERT Technical Cyber Security Alert TA09-204A.

Adobe Releases Shockwave Player Update and Flash Player Update

Adobe has released Shockwave Player 11.5.1.601 because previous versions used a vulnerable version of the Microsoft Active Template Library (ATL). Additionally, Adobe has released Flash Player 10.0.22.87 and 9.0.246.0 to address the ATL issue and additional vulnerabilities in Flash Player. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review Adobe security bulletins APSB09-11 and APSB09-10 and apply any necessary updates to help mitigate the risks. Additional information can be found in the Adobe PSIRT blog and in Adobe security advisory APSA09-04.

Cisco Releases Security Advisory for IOS Software Vulnerabilities

Cisco has released a security advisory to address multiple vulnerabilities in IOS Software. Exploitation of these vulnerabilities may allow an attacker to cause a denial-of-service condition when handling specific Border Gateway Protocol (BGP) updates. The advisory indicates that these vulnerabilities affect only Cisco IOS Software with support for four-octet AS number space and BGP routing configured.

US-CERT encourages users and administrators to review Cisco Security Advisory cisco-sa-20090729-bgp and apply any necessary updates to help mitigate the risks.