The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.
OpenSSL has released OpenSSL 1.0.0b to address a vulnerability that may allow an attacker to execute arbitrary code.
US-CERT recommends that users and administrators of this product update to OpenSSL version 1.0.0b or apply the workaround provided in the OpenSSL security advisory. Because OpenSSL is often packaged in larger applications or operating system distributions, users and administrators should check with their software vendors for updated versions.
Adobe has released security updates for Reader and Acrobat for Windows and Macintosh. These updates address multiple vulnerabilities including those described in security advisory APSA10-05, a recent Adobe PSIRT blog entry, and security bulletin APSB10-26. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition. Adobe has indicated that these updates for UNIX will be available on November 30, 2010.
Apple has released Mac OS X v10.6.5 and Security Update 2010-007 to address multiple vulnerabilities affecting a number of packages. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, conduct cross-site scripting attacks, cause a denial-of-service condition, or bypass security restrictions.
Systems using PGP WDE should not be updated. Public reports indicate that a compatibility issue exists between PGP WDE and the Mac OS X v10.6.5 update. Applying the Mac OS X v10.6.5 update to a system running PGP WDE will prevent the system from successfully booting. Additional information about this issue can be found in PGP knowledgebase article 2288.
Adobe has released Flash Media Server 4.0.1, 3.5.5, and 3.0.7 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code.
US-CERT encourages users and administrators to review Adobe security bulletin APSB10-27 and apply appropriate updates to help mitigate the risks.
US-CERT is aware of a class of vulnerabilities related to how some Windows applications may load external dynamic link libraries (DLLs). When an application loads a DLL without specifying a fully qualified path name, Windows will attempt to locate the DLL by searching a defined set of directories. If an application does not securely load DLL files, an attacker may be able to cause the affected application to load an arbitrary library.
By convincing a user to open a file from a location that is under an attacker's control, such as a USB drive or network share, a remote attacker may be able to exploit this vulnerability. Exploitation of this vulnerability may result in the execution of arbitrary code.
Additional information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#707943. US-CERT encourages users and administrators to review the vulnerability note and consider implementing the following workarounds until fixes are released by affected vendors:
Microsoft has released updates to address vulnerabilities in Microsoft Office and Forefront United Access Gateway as part of the Microsoft Security Bulletin Summary for November 2010. These vulnerabilities may allow an attacker to execute arbitrary code or operate with elevated privileges.
US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.