November 10, 2009 - Current Activity

Microsoft Releases November Security Bulletin

Microsoft has released an update to address vulnerabilities in Microsoft Windows and Office as part of the Microsoft Security Bulletin Summary for November 2009. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or operate with escalated privileges.

US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied. 

Apple Releases Mac OS X v10.6.2 and Security Update 2009-006

Apple has released Mac OS X v10.6.2 and Security Update 2009-006 to address multiple vulnerabilities in a number of applications. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, conduct a man-in-the-middle attack, operate with escalated privileges, or obtain sensitive information.

US-CERT encourages users and administrators to review Apple article HT3937 and apply any necessary updates to help mitigate the risks.

SSL and TLS Vulnerable to Man-in-the-middle Attacks

US-CERT is aware of reports of publicly available exploit code for a vulnerability within the SSL and TLS protocols. Reports indicate that exploitation of this vulnerability may allow an attacker to conduct a man-in-the-middle attack, allowing an attacker to inject plaintext into the beginning of the application protocol stream.

US-CERT encourages OpenSSL users and administrators to review the OpenSSL 0.9.81 release and apply any updates.

US-CERT has not received any reports of active exploitation and will continue to provide additional information as it becomes available.

Microsoft Releases Advance Notification for November Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that its November release cycle will contain six bulletins, three of which will have a severity rating of Critical. The notification states that these Critical bulletins are for Microsoft Windows. There will also be three important bulletins for Microsoft Windows and Microsoft Office. Release of these bulletins is scheduled for Tuesday, November 10.

US-CERT will provide additional information as it becomes available.

BlackBerry Desktop Manager Vulnerability

Research in Motion has released Security Advisory KB19701 to address a vulnerability in BlackBerry Desktop Manager. This vulnerability may allow an attacker to execute arbitrary code.

US-CERT encourages users to review BlackBerry Security Advisory KB19701 and apply any necessary updates.

Sun Releases Update 17 for Java SE 6

Sun has released update 17 for Java SE JDK 6 and Java SE JRE 6 to address multiple vulnerabilities. The impacts of these vulnerabilities include arbitrary code execution, privilege escalation, denial of service, and information disclosure.

US-CERT encourages users and administrators to review the Java the Java SE 6 Update 17 release notes and apply any necessary updates to help mitigate the risks.

Adobe Releases Update for Shockwave Player

Adobe has released Shockwave Player 11.5.2.602 to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to run malicious code on the user's machine.

US-CERT encourages users and administrators to review Adobe security bulletin APSB09-16 and update to Shockwave Player 11.5.2.602 to help mitigate the risks.

Mozilla Releases Firefox 3.0.15 and Firefox 3.5.4

Mozilla has released Firefox 3.0.15 and Firefox 3.5.4 to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, execute arbitrary JavaScript with chrome privileges, or cause a denial-of-service condition. As described in the Mozilla Foundation Security Advisories, some of these vulnerabilities may also affect SeaMonkey.

US-CERT encourages users to review the Mozilla Foundation security advisories for Firefox 3.0 and Firefox 3.5 and apply any necessary updates or workarounds to help mitigate the risks.

Federal Deposit Insurance Corporation Warns Public of Fraudulent Email

The Federal Deposit Insurance Corporation (FDIC) has released information warning the public about fraudulent email messages purporting to come from the FDIC. These email messages provides a link to a fraudulent FDIC website. Users are then instructed to download their "personal FDIC Insurance File."

More information regarding these messages can be found in the Federal Deposit Insurance Corporation's Consumer Alerts website.

Users are encouraged to take the following measures to protect themselves from this type of phishing scam:

• Do not follow unsolicited web links received in email messages.
• Verify the website by manually typing the URL when attempting to connect to web sites recommended in an email.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

BlackBerry PhoneSnoop Application Used to Spy on Users

US-CERT is aware of public reports of a new software application called PhoneSnoop. This software allows an attacker to call a user's BlackBerry and listen to personal conversations. In order to install and setup the PhoneSnoop application, attackers must have physical access to the user's device or convince a user to install PhoneSnoop.

US-CERT encourages users to only download BlackBerry applications from trusted sources and to password protect and lock BlackBerry devices.