2009-11-16T09:21:36-05:00 US-CERT info@us-cert.gov http://www.us-cert.gov http://www.us-cert.gov/ The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT. Copyright 2009 Carnegie Mellon University http://www.us-cert.gov/current/index.html#microsoft_releases_security_advisory_977544 2009-11-16T09:21:36-05:00 2009-11-16T09:21:36-05:00 Microsoft has released security advisory 977544 to address a vulnerability in the Server Message Block (SMB) protocol. This vulnerability may allow an attacker to cause a denial-of-service condition. This vulnerability only affects Windows 7 and Server 2008 software.<br><br>US-CERT encourages users and administrators to review Microsoft security advisory <a href="http://www.microsoft.com/technet/security/advisory/977544.mspx" target="_self">977544</a> and apply the workarounds. http://www.us-cert.gov/current/index.html#ssl_and_tls_vulnerable_to 2009-11-06T19:01:52-05:00 2009-11-16T08:57:34-05:00 US-CERT is aware of reports of publicly available exploit code for a vulnerability within the SSL and TLS protocols. Reports indicate that exploitation of this vulnerability may allow an attacker to conduct a man-in-the-middle attack, allowing an attacker to inject plaintext into the beginning of the application protocol stream.<br><br>US-CERT encourages OpenSSL users and administrators to review the <a href="http://www.openssl.org/source/" target="_self">OpenSSL 0.9.8l</a> release and apply any updates.<br><br>US-CERT has not received any reports of active exploitation and will continue to provide additional information as it becomes available. http://www.us-cert.gov/current/index.html#apple_releases_safari_4_03 2009-11-12T08:08:48-05:00 2009-11-12T08:08:48-05:00 Apple has released Safari 4.0.4 to address multiple vulnerabilities in a number of components. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, conduct cross-site request forgery, or obtain sensitive information. These vulnerabilities affect Safari running on both the Mac OS X and Windows platforms.<br><br>US-CERT encourages users and administrators to review Apple article <a href="http://support.apple.com/kb/HT3949" target="_self">HT3949</a> and upgrade to Safari 4.0.4 to help mitigate the risks. http://www.us-cert.gov/current/index.html#microsoft_releases_november_security_bulletin1 2009-11-10T13:50:33-05:00 2009-11-10T13:50:33-05:00 Microsoft has released an update to address vulnerabilities in Microsoft Windows and Office as part of the Microsoft Security Bulletin Summary for <a href="http://www.microsoft.com/technet/security/bulletin/ms09-nov.mspx" target="_self">November 2009</a>. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or operate with escalated privileges.<br><br>US-CERT encourages users and administrators to review the <a href="http://www.microsoft.com/technet/security/bulletin/ms09-nov.mspx" target="_self">bulletins</a> and follow best-practice security policies to determine which updates should be applied.&nbsp; http://www.us-cert.gov/current/index.html#apple_releases_mac_os_x2 2009-11-10T08:02:17-05:00 2009-11-10T08:02:17-05:00 Apple has released Mac OS X v10.6.2 and Security Update 2009-006 to address multiple vulnerabilities in a number of applications. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, conduct a man-in-the-middle attack, operate with escalated privileges, or obtain sensitive information.<br><br>US-CERT encourages users and administrators to review Apple article <a href="http://support.apple.com/kb/HT3937" target="_self">HT3937</a> and apply any necessary updates to help mitigate the risks. http://www.us-cert.gov/current/index.html#microsoft_releases_advance_notification_for28 2009-11-05T16:17:12-05:00 2009-11-05T16:17:12-05:00 Microsoft has issued a <a href="http://www.microsoft.com/technet/security/bulletin/ms09-nov.mspx" target="_self">Security Bulletin Advance Notification</a> indicating that its November release cycle will contain six bulletins, three of which will have a severity rating of Critical. The notification states that these Critical bulletins are for Microsoft Windows. There will also be three important bulletins for Microsoft Windows and Microsoft Office. Release of these bulletins is scheduled for Tuesday, November 10.<br><br>US-CERT will provide additional information as it becomes available. http://www.us-cert.gov/current/index.html#blackberry_desktop_manager_vulnerability 2009-11-05T08:45:35-05:00 2009-11-05T08:45:35-05:00 Research in Motion has released Security Advisory <a href="http://www.blackberry.com/btsc/search.do?cmd=displayKC&amp;docType=kc&amp;externalId=KB19701" target="_self">KB19701</a> to address a vulnerability in BlackBerry Desktop Manager. This vulnerability may allow an attacker to execute arbitrary code.<br><br>US-CERT encourages users to review BlackBerry Security Advisory <a href="http://www.blackberry.com/btsc/search.do?cmd=displayKC&amp;docType=kc&amp;externalId=KB19701" target="_self">KB19701</a> and apply any necessary updates. http://www.us-cert.gov/current/index.html#sun_releases_update_17_for 2009-11-04T09:04:38-05:00 2009-11-04T09:04:38-05:00 Sun has released update 17 for Java SE JDK 6 and Java SE JRE 6 to address multiple vulnerabilities. The impacts of these vulnerabilities include arbitrary code execution, privilege escalation, denial of service, and information disclosure.<br><br>US-CERT encourages users and administrators to review the Java the Java SE 6 Update 17 <a href="http://java.sun.com/javase/6/webnotes/6u17.html" target="_self">release notes</a> and apply any necessary <a href="http://java.sun.com/javase/downloads/index.jsp" target="_self">updates</a> to help mitigate the risks. http://www.us-cert.gov/current/index.html#adobe_releases_update_for_shockwave1 2009-11-04T09:04:34-05:00 2009-11-04T09:04:34-05:00 Adobe has released Shockwave Player 11.5.2.602 to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to run malicious code on the user's machine.<br><br>US-CERT encourages users and administrators to review Adobe security bulletin <a href="http://www.adobe.com/support/security/bulletins/apsb09-16.html" target="_self">APSB09-16</a> and update to Shockwave Player 11.5.2.602 to help mitigate the risks.<br> http://www.us-cert.gov/current/index.html#mozilla_releases_firefox_3_01 2009-10-28T09:13:33-04:00 2009-10-28T09:13:33-04:00 Mozilla has released Firefox 3.0.15 and Firefox 3.5.4 to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, execute arbitrary JavaScript with chrome privileges, or cause a denial-of-service condition. As described in the Mozilla Foundation Security Advisories, some of these vulnerabilities may also affect SeaMonkey.<br><br>US-CERT encourages users to review the Mozilla Foundation security advisories for <a href="http://www.mozilla.org/security/known-vulnerabilities/firefox30.html" target="_self">Firefox 3.0</a> and <a href="http://www.mozilla.org/security/known-vulnerabilities/firefox35.html" target="_self">Firefox 3.5</a> and apply any necessary updates or workarounds to help mitigate the risks.