November 02, 2009 - Current Activity

Mozilla Releases Firefox 3.0.15 and Firefox 3.5.4

Mozilla has released Firefox 3.0.15 and Firefox 3.5.4 to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, execute arbitrary JavaScript with chrome privileges, or cause a denial-of-service condition. As described in the Mozilla Foundation Security Advisories, some of these vulnerabilities may also affect SeaMonkey.

US-CERT encourages users to review the Mozilla Foundation security advisories for Firefox 3.0 and Firefox 3.5 and apply any necessary updates or workarounds to help mitigate the risks.

Federal Deposit Insurance Corporation Warns Public of Fraudulent Email

The Federal Deposit Insurance Corporation (FDIC) has released information warning the public about fraudulent email messages purporting to come from the FDIC. These email messages provides a link to a fraudulent FDIC website. Users are then instructed to download their "personal FDIC Insurance File."

More information regarding these messages can be found in the Federal Deposit Insurance Corporation's Consumer Alerts website.

Users are encouraged to take the following measures to protect themselves from this type of phishing scam:

• Do not follow unsolicited web links received in email messages.
• Verify the website by manually typing the URL when attempting to connect to web sites recommended in an email.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

BlackBerry PhoneSnoop Application Used to Spy on Users

US-CERT is aware of public reports of a new software application called PhoneSnoop. This software allows an attacker to call a user's BlackBerry and listen to personal conversations. In order to install and setup the PhoneSnoop application, attackers must have physical access to the user's device or convince a user to install PhoneSnoop.

US-CERT encourages users to only download BlackBerry applications from trusted sources and to password protect and lock BlackBerry devices.

Oracle Releases Critical Patch Update for October 2009

Oracle has released its Critical Patch Update for October 2009 to address 38 vulnerabilities across several products. This update contains the following security fixes:

• 16 for the Oracle Database
• 3 for the Oracle Application Server
• 8 for the Oracle E-Business Suite and Applications
• 4 for the Oracle PeopleSoft and JD Edwards Suite
• 6 for the Oracle BEA Products Suite
• 1 for the Oracle Industry Applications Products Suite

Malware Spam Messages Related to Microsoft Outlook, SSL Certificates

US-CERT is aware of public reports of an increased number of spam messages related to Microsoft Outlook or SSL certificates. These messages contain a malicious file or link that claims to provide an update, but in reality, attempts to launch malware on a user's system. Typically, the messages instruct the user to click on a link to save a file or to open an attachment, either of which could infect the user's system.

To help protect against this type of attack, US-CERT recommends that users avoid opening attachments or links contained in unsolicited email messages. Additional tips regarding email attachments can be found in the US-CERT Cyber Security Tip Using Caution with Email Attachments.

Adobe Releases Security Bulletin for Adobe Reader and Acrobat

Adobe has republished security bulletin APSB09-015 to address multiple vulnerabilities in Adobe Reader and Acrobat. These vulnerabilities may allow an attacker to execute arbitrary code, escalate local privileges, or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Adobe security bulletin APSB09-015 and apply any necessary updates. 

Microsoft Releases October Security Bulletin

Microsoft has released an update to address vulnerabilities in Microsoft Windows, Silverlight, Internet Explorer, .NET Framework, Office, SQL Server, Developer Tools, and Forefront as part of the Microsoft Security Bulletin Summary for October 2009. These vulnerabilities may allow an attacker to execute arbitrary code, operate with escalated privileges, cause a denial-of-service condition, or spoof an end user or website.

US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.

Microsoft Releases Advance Notification for October Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that its October release cycle will contain thirteen bulletins, eight of which will have a severity rating of Critical. The notification states that these Critical bulletins are for Microsoft Windows, Internet Explorer, Office, Silverlight, SQL Server, Developer Tools, and Forefront. There will also be five important bulletins for Microsoft Windows. Release of these bulletins is scheduled for Tuesday, October 13.

US-CERT will provide additional information as it becomes available.

Adobe Releases Security Bulletin for Critical Vulnerability

Adobe has released security bulletin APSB09-15 to alert users of a critical vulnerability in Adobe Reader and Acrobat. Adobe indicates that it has received reports of active exploitation of this vulnerability. Release of an update for this vulnerability is scheduled for Tuesday, October 13.

US-CERT encourages users and administrators to take the following actions to help mitigate the risks:

• Review Adobe Security Bulletin APSB09-15.
• Disable JavaScript in Adobe Reader and Acrobat. Acrobat JavaScript can be disabled in the General preferences dialog (Edit, Preferences, JavaScript, and un-check "Enable Acrobat JavaScript").
  

Federal Bureau of Investigation Warns Public of Fraudulent Spam Email

The Federal Bureau of Investigation (FBI) has released information warning the public about fraudulent email messages purporting to come from the FBI or the Department of Homeland Security. These email messages contain a malicious attachment that claims to provide an intelligence report or bulletin, but in reality attempts to launch malware on the user's system.

More information regarding these messages can be found in the Federal Bureau of Investigation's New E-Scams and Warnings web site.

To help protect against this type of attack, US-CERT recommends that users avoid opening attachments contained in unsolicited email messages. Additional tips regarding email attachments can be found in the US-CERT Cyber Security Tip - Using Caution with Email Attachments.