[#] Thu Jul 27 2006 16:38:04 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-208A -- Mozilla Products Contain Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA06-208A


Mozilla Products Contain Multiple Vulnerabilities

Original release date: July 27, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Mozilla SeaMonkey
* Mozilla Firefox
* Mozilla Thunderbird

Any products based on Mozilla components, specifically Gecko, may also
be affected.


Overview

The Mozilla web browser and derived products contain several
vulnerabilities, the most serious of which could allow a remote
attacker to execute arbitrary code on an affected system.


I. Description

Several vulnerabilities have been reported in the Mozilla web browser
and derived products. More detailed information is available in the
individual vulnerability notes, including the following:


VU#476724 - Mozilla products fail to properly handle frame references

Mozilla products fail to properly handle frame or window references.
This may allow a remote attacker to execute arbitrary code on a
vulnerable system.
(CVE-2006-3801)


VU#670060 - Mozilla fails to properly release JavaScript references

Mozilla products fail to properly release memory. This vulnerability
may allow a remote attacker to execute code on a vulnerable system.
(CVE-2006-3677)


VU#239124 - Mozilla fails to properly handle simultaneous XPCOM events

Mozilla products are vulnerable to memory corruption via simultaneous
XPCOM events. This may allow a remote attacker to execute arbitrary
code on a vulnerable system.
(CVE-2006-3113)


VU#265964 - Mozilla products contain a race condition

Mozilla products contain a race condition. This vulnerability may
allow a remote attacker to execute code on a vulnerable system.
(CVE-2006-3803)


VU#897540 - Mozilla products VCard attachment buffer overflow

Mozilla products fail to properly handle malformed VCard attachments,
allowing a buffer overflow to occur. This vulnerability may allow a
remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3804)


VU#876420 - Mozilla fails to properly handle garbage collection

The Mozilla JavaScript engine fails to properly perform garbage
collection, which may allow a remote attacker to execute arbitrary
code on a vulnerable system.
(CVE-2006-3805)


VU#655892 - Mozilla JavaScript engine contains multiple integer
overflows

The Mozilla JavaScript engine contains multiple integer overflows.
This vulnerability may allow a remote attacker to execute arbitrary
code on a vulnerable system.
(CVE-2006-3806)


VU#687396 - Mozilla products fail to properly validate JavaScript
constructors

Mozilla products fail to properly validate references returned by
JavaScript constructors. This vulnerability may allow a remote
attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3807)


VU#527676 - Mozilla contains multiple memory corruption
vulnerabilities

Mozilla products contain multiple vulnerabilities that can cause
memory corruption. This may allow a remote attacker to execute
arbitrary code on a vulnerable system.
(CVE-2006-3811)


II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a
vulnerable system. An attacker may also be able to cause the
vulnerable application to crash.


III. Solution

Upgrade

Upgrade to Mozilla Firefox 1.5.0.5, Mozilla Thunderbird 1.5.0.5, or
SeaMonkey 1.0.3.

Disable JavaScript and Java

These vulnerabilities can be mitigated by disabling JavaScript and
Java in all affected products. Instructions for disabling Java in
Firefox can be found in the "Securing Your Web Browser" document.


Appendix A. References

* US-CERT Vulnerability Notes Related to July Mozilla Security
Advisories -
<http://www.kb.cert.org/vuls/byid?searchview&query=firefox_1505>

* CVE-2006-3801 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801>

* CVE-2006-3677 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677>

* CVE-2006-3113 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113>

* CVE-2006-3803 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803>

* CVE-2006-3804 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804>

* CVE-2006-3805 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805>

* CVE-2006-3806 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806>

* CVE-2006-3807 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807>

* CVE-2006-3811 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811>

* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/security/announce/>

* Known Vulnerabilities in Mozilla Products -
<http://www.mozilla.org/projects/security/known-vulnerabilities.html>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-208A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-208A Feedback VU#239124" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

Jul 27, 2006: Initial release





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRMkgNexOF3G+ig+rAQIFsAgAoWoMkxxhkzb+xgLVCJF7h4k4EBCgJGWa
BSOiFfL4Gs4vv4lNooDRCIOdxiBfXYL71XsIOT4aWry5852/6kyYnyAiXXYj1Uv0
SbPY2sQSZ5EaG+G9i8HDIy3fpJN4XgH3ng1uzUnJihY19IfndbXicpZE+debIUri
qt9NRD2f5FW5feKo1cBpYxtmxQAEePOa2dJHh7I7cnFGtG3MixHx4kVEyuYUutCX
5tHDsfTIdySNkIdCQ4vhk846bErB/kaHiKMQDfMglllb3GOSc07OQ0CDo2eTPVsA
9DtKkiDP1C4dh1mxco8CWlS6327+EB0KXGGoqDF2+j/rrpsW0oc8nA==
=HwuK
-----END PGP SIGNATURE-----

[#] Wed Aug 02 2006 16:25:41 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-214A -- Apple Mac Products Affected by Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA06-214A

Apple Mac Products Affected by Multiple Vulnerabilities

Original release date: August 02, 2006
Last revised: --
Source: US-CERT

Systems Affected

* Apple Mac OS X version 10.3.9 and earlier (Panther)
* Apple Mac OS X version 10.4.7 and earlier (Tiger)
* Apple Mac OS X Server version 10.3.9 and earlier
* Apple Mac OS X Server version 10.4.7 and earlier
* Apple Safari web browser
* Apple Mail

Overview

Apple has released Security Update 2006-004 to correct multiple
vulnerabilities affecting Mac OS X, Mac OS X Server, Safari web
browser, Mail, and other products. The most serious of these
vulnerabilities may allow a remote attacker to execute arbitrary code.
Impacts of other vulnerabilities include bypass of security
restrictions and denial of service.

I. Description

Apple Security Update 2006-004 resolves a number of vulnerabilities
affecting Mac OS X, OS X Server, Safari web browser, Mail, and other
products. Further details are available in the individual
Vulnerability Notes.

This security update addresses vulnerabilities in a range of different
components, including the handling of a number of different image file
formats, ZIP archive files, and HTML web pages, among others.

II. Impact

The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.

III. Solution

Install an update

Install Apple Security Update 2006-004. This and other updates are
available via Apple Update.

Workaround

Disable "Open 'safe' files after downloading"

For additional protection, disable the Safari web browser option to
"Open 'safe' files after downloading," as specified in "Securing Your
Web Browser."

Note that this workaround will not mitigate all of the vulnerabilities
described in the Apple Security Update, only those which are
exacerbated by the default behavior of the Safari web browser.

Appendix A. References

* Vulnerability Notes for Apple Security Update 2006-004 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apple-2006-004>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#Safari>
* Apple Security Update 2006-004 -
<http://docs.info.apple.com/article.html?artnum=304063>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-214A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-214A Feedback VU#566132" in the
subject.
_________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>

_________________________________________________________________

Revision History

August 02, 2006: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRNEIu+xOF3G+ig+rAQKbvwf+N6TRnpwqcmrlUfA7k1yuRCLCf3yo854x
JVy2Uq7Zs5WEqWK1qusPl3thyUS5JYCZzzPQI6pKq5zOOzyu5dqmHLFzstoZAhaz
pMTVX4PmMalFEFQV0o4pOi1/pGgu+2PXN8qo2LjSsFwr6xP9FfBQTI8Jov33cLsb
WjQyfxj/J8+nMQnCUlL84p7CuK4TdPRwuMVNMGYb8b9pB3SQ1XJ0EFt4UvO8VNqp
J32UCJw+LwSKpcBzjQRpw3ZBUpmFgOkZzLux/SiP8+1cyjmbWxxGjW21EfNExOXS
C2UpM+CQmoPMLAhTTPbKWs18qSdwcmeRLTeOW4Ao3oUj0QRD5QCFpA==
=RByX
-----END PGP SIGNATURE-----

[#] Tue Aug 08 2006 17:07:01 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-220A -- Microsoft Windows, Office, and Internet Explorer Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA06-220A

Microsoft Windows, Office, and Internet Explorer Vulnerabilities

Original release date: August 08, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows
* Microsoft Office (Windows and Mac)
* Microsoft Internet Explorer


Overview

Microsoft has released updates that address critical
vulnerabilities in Microsoft Windows, Office, and Internet
Explorer. Exploitation of these vulnerabilities could allow a
remote, unauthenticated attacker to execute arbitrary code or cause
a denial of service on a vulnerable system.

Note that one of the updates released today addresses a critical
vulnerability in the Microsoft Server Service (MS06-040). We have
received reports that this vulnerability is actively being
exploited.

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-220A.html>


I. Description

Microsoft Security Bulletin Summary for August 2006 addresses
vulnerabilities in Microsoft products including Windows, Office,
and Internet Explorer.

One of the updates released today addresses a critical
vulnerability in the Microsoft Server Service (MS06-040). More
details are available in Vulnerability Note VU#650769.

Note that we have received reports that VU#650769 is actively being
exploited.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code on
a vulnerable system. An attacker may also be able to cause a denial
of service.


III. Solution

Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the
Security Bulletins released on August 8, 2006.

When prioritizing, it is strongly encouraged that the update for
VU#650769 be applied first.

Updates for Microsoft Windows and Microsoft Office XP and later are
available on the Microsoft Update site. Microsoft Office 2000 updates
are available on the Microsoft Office Update site. Apple Mac OS X
users should obtain updates from the Mactopia web site.

System administrators may wish to consider using Windows Server Update
Services (WSUS).


Appendix B. References

* Microsoft Security Bulletin Summary for August 2006 -
<http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx>

* US-CERT Vulnerability Note VU#650769 -
<http://www.kb.cert.org/vuls/id/650769>

* US-CERT Vulnerability Notes -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms06-aug>

* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>

* Microsoft Office Update - <http://officeupdate.microsoft.com/>

* Mactopia - <http://www.microsoft.com/mac>

* Windows Server Update Services -
<http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-220A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-220A Feedback VU#650769" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

Aug 8, 2006: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRNj76+xOF3G+ig+rAQK5wwf/Z1yrHq03IODWL747llDlE6qz4vyg9cYa
DZdlRuc7q7kho0fw2lOFXJluuo6V65+n4cWo4ySS5dr+YJLXkr6g8XY/4tR/l/s4
+NJgXN8u8Gd9c3xNSLtpHaPC7ZaIPe092cIuuDV7xV4ktpi3FiAmJ2nAfCEvvaht
djnVQ/OHI7Vh1eFHarcqP0p56FKeTph3qGzaP8nNQexArgyoO6wda6oBt+uuJe3k
3rFr6+JkJ+sqgm5v3pnNqboHXkXyywx8jLZK14KMl7pxIVyXMEgpUg4no5PlyQck
Ny5N4bXzu4y7RvAS17BLrthFTa0PgBkalRJ8y68uxLvYK3ahKXFfiQ==
=h9ZT
-----END PGP SIGNATURE-----

[#] Tue Sep 12 2006 15:42:06 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-255A -- Microsoft Windows and Publisher Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA06-255A


Microsoft Windows and Publisher Vulnerabilities

Original release date: September 12, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows
* Microsoft Publisher


Overview

Microsoft has released updates that address critical
vulnerabilities in Microsoft Windows and Microsoft
Publisher. Exploitation of these vulnerabilities could allow a
remote, unauthenticated attacker to execute arbitrary code or cause
a denial of service on a vulnerable system.


I. Description

Microsoft has released updates to address vulnerabilities in
Microsoft Windows and Microsoft Publisher as part of the Microsoft
Security Bulletin Summary for September 2006.

Further information will be available in the following
Vulnerability Notes.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code on
a vulnerable system. An attacker may also be able to cause a denial
of service.


III. Solution

Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the
September 2006 Security Bulletins. The security bulletins describe
any known issues related to the updates. Note any known issues
described in the bulletins and test for any potentially adverse
effects in your environment.

Updates for Microsoft Windows and Microsoft Office XP and later are
available on the Microsoft Update site. Microsoft Office 2000
updates are available on the Microsoft Office Update site.

System administrators may wish to consider using Windows Server
Update Services (WSUS).


References

* US-CERT Vulnerability Notes for Microsoft September 2006 updates -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms06-sep>

* Microsoft Security Bulletin Summary for September 2006 -
<http://www.microsoft.com/technet/security/bulletin/ms06-sep.mspx>

* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>

* Microsoft Office Update - <http://officeupdate.microsoft.com/>

* Windows Server Update Services -
<http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-255A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-255A Feedback VU#406236" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

Sep 12, 2006: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRQcLhuxOF3G+ig+rAQKohQf/TA/ls8b3CSMAhtYynnHY38ZLT5M7Cahi
YkZHH5ZdoSqaDPa3qsLJfzUxN9qKCp9QMAGT0F2/tZJe8OfipFY8VQBTpzz7c+Pp
9YFF4IFZAKFCAsFyIdAVEmI5KbmcZmErQO8j7131e1rNq2IfkZK4q9eOUxeJ8rXX
VT21RBeAHquav2pWL1HKKWcHoMKXry3g4w3tp+AggxU+GieGN0ThKk+Bh3Ed45aZ
0H2LxBIuQzfZ2bYFNVULZHWepqJhH94OaUq6ia8GMJCxsjYEYWeidHLsABFgTndB
jF89adkO1ayjH9D73M6pBX1JahLk4D48KNLhwTonibu7vrSFE79P6Q==
=pl/O
-----END PGP SIGNATURE-----

[#] Wed Sep 13 2006 13:01:49 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-256A -- Apple QuickTime Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA06-256A


Apple QuickTime Vulnerabilities

Original release date: September 13, 2006
Last revised: --
Source: US-CERT


Systems Affected

Apple QuickTime on systems running

* Apple Mac OS X
* Microsoft Windows


Overview

Apple QuickTime contains multiple vulnerabilities. Exploitation of
these vulnerabilities could allow a remote attacker to execute
arbitrary code or cause a denial-of-service condition.


I. Description

Apple QuickTime 7.1.3 resolves multiple vulnerabilities in the way
different types of image and media files are handled. An attacker
could exploit these vulnerabilities by convincing a user to access
a specially crafted image or media file with a vulnerable version
of QuickTime. Since QuickTime configures most web browsers to
handle QuickTime media files, an attacker could exploit these
vulnerabilities using a web page.

Note that QuickTime ships with Apple iTunes.

For more information, please refer to the Vulnerability Notes.


II. Impact

These vulnerabilities could allow a remote, unauthenticated
attacker to execute arbitrary code or commands and cause a
denial-of-service condition. For further information, please see
the Vulnerability Notes.


III. Solution

Upgrade QuickTime

Upgrade to QuickTime 7.1.3. This and other updates for Mac OS X are
available via Apple Update.

Disable QuickTime in your web browser

An attacker may be able to exploit this vulnerability by persuading
a user to access a specially crafted file with a web
browser. Disabling QuickTime in your web browser will defend
against this attack vector. For more information, refer to the
Securing Your Web Browser document.


References

* Vulnerability Notes for QuickTime 7.1.3 -
<http://www.kb.cert.org/vuls/byid?searchview&query=QuickTime_713>

* About the security content of the QuickTime 7.1.3 Update -
<http://docs.info.apple.com/article.html?artnum=304357>

* Apple QuickTime 7.1.3 -
<http://www.apple.com/support/downloads/quicktime713.html>

* Standalone Apple QuickTime Player -
<http://www.apple.com/quicktime/download/standalone.html>

* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-256A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-256A Feedback VU#540348" in the
subject.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

September 13, 2006: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRQg23exOF3G+ig+rAQK7LggAt0RUIz3jewgQYrRYp9bMDBkS61Bvh2OO
8Gp2H472UXA0ucElK/1hAXtPXU2Pmf/EjrCqSImO+srV4i0x5QIFJDo41HtbDo9s
FzQC/rmJ3YWl15L+uIjG0S1wxWwH5GyzQj4xaZCMdNLYEN7LVe31ETDsXJ3kEMMa
m19M4GLOXAFfmjyGgky4Nux0RJU1UE/0w9pZESOXg+7WXFY8skOZ8YfqBvunjqtE
pZa3LWoOcDtP/ORoEn7GY83v/uQqkX8uoAxwe9nuGXbyssvj7BQxDPvnwSWrXzUG
R59/r1NA4i/EtYNV1ONW2Pntqc5/vv0OGcs1JFM9tazV3aRbgHfCVg==
=nQVd
-----END PGP SIGNATURE-----

[#] Tue Sep 19 2006 18:30:25 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-262A -- Microsoft Internet Explorer VML Buffer Overflow


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA06-262A


Microsoft Internet Explorer VML Buffer Overflow

Original release date: September 19, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer


Overview

Microsoft Internet Explorer (IE) fails to properly handle Vector
Markup Language (VML) tags. This creates a buffer overflow
vulnerability that could allow a remote attacker to execute
arbitrary code.


I. Description

Microsoft Internet Explorer contains a stack buffer overflow in
code that handles VML. More information is available in
Vulnerability Note VU#416092 and Microsoft Security Advisory
(925568).

Note that this vulnerability is being exploited.


II. Impact

By convincing a user to open a specially crafted HTML document,
such as a web page or HTML email message, a remote attacker could
execute arbitrary code with the privileges of the user running IE.


III. Solution

We are currently unaware of a complete solution to this
problem. Until an update is available, consider the following
workarounds.

Disable VML support in IE

Microsoft Security Advisory (925568) suggests the following
techniques to disable VML support in IE:

* Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP
Service Pack 2; Windows Server 2003 and Windows Server 2003
Service Pack 1

* Modify the Access Control List on Vgx.dll to be more restrictive

* Configure Internet Explorer 6 for Microsoft Windows XP Service
Pack 2 to disable Binary and Script Behaviors in the Internet
and Local Intranet security zone

Disabling VML support may cause web sites that use VML to function
improperly.

Render email as plain text

Microsoft Security Advisory (925568) suggests configuring Microsoft
Outlook and Outlook Express to render email messages in plain text
format.

Do not follow unsolicited links

In order to convince users to visit their sites, attackers often
use URL encoding, IP address variations, long URLs, intentional
misspellings, and other techniques to create misleading links. Do
not click on unsolicited links received in email, instant messages,
web forums, or internet relay chat (IRC) channels. Type URLs
directly into the browser to avoid these misleading links. While
these are generally good security practices, following these
behaviors will not prevent exploitation of this vulnerability in
all cases, particularly if a trusted site has been compromised or
allows cross-site scripting.


IV. References

* Vulnerability Note VU#416092 -
<http://www.kb.cert.org/vuls/id/416092>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>

* Microsoft Security Advisory (925568) -
<http://www.microsoft.com/technet/security/advisory/925568.mspx>

* CVE-2006-3866 -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3866>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-262A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-262A Feedback VU#416092" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

Sep 19, 2006: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRRBphexOF3G+ig+rAQKjKwf/SqhuYNpSDw7n677sSaIPQArefSWbVZOy
oTDVz6Xg9bJ5mMiueAQY+OYDn/kHo3WepBdRjx+Cj36Js+9l2lTF+MO5S3k4AFWW
vG8RHLAvpaxCGWAupy8HjMW3MG+1unioJZYd8Xu916RUjgyVq36V0uSsAhaaBv2h
oRA7fft30VtTlOQ0TQFd+cJSH7uyfXA31e3tVTzDpclXvskm8Rb5h/KFP56i52ld
Uz/SSXPIIoFM0GTMknOSPh32Itp+MJj7ZDKQ2E2GR1GurUC33MObOUeRINrLndfX
9I2bbDcTw5vVnWFWqm45KRZTEvbBXNOXhAtgZmYje2NF4IxxvMiGhw==
=I3e8
-----END PGP SIGNATURE-----

[#] Tue Sep 26 2006 19:04:35 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-262A -- Microsoft Internet Explorer VML Buffer Overflow (Update)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA06-262A


Microsoft Internet Explorer VML Buffer Overflow

Original release date: September 19, 2006
Last revised: September 26, 2006
Source: US-CERT


Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer


Overview

Microsoft Internet Explorer (IE) fails to properly handle Vector
Markup Language (VML) tags. This creates a buffer overflow
vulnerability that could allow a remote attacker to execute arbitrary
code.


I. Description

Microsoft Internet Explorer contains a stack buffer overflow in code
that handles VML. More information is available in Vulnerability Note
VU#416092, Microsoft Security Advisory (925568), and Microsoft
Security Bulletin MS06-055.

Note that this vulnerability is being exploited.


II. Impact

By convincing a user to open a specially crafted HTML document, such
as a web page or HTML email message, a remote attacker could execute
arbitrary code with the privileges of the user running IE.


III. Solution

Apply update from Microsoft

Microsoft has provided an update to correct this vulnerability in
Microsoft Security Bulletin MS06-055.

This update is available on the Microsoft Update site.

System administrators may wish to consider using Windows Server Update
Services (WSUS).

Disable VML support

Microsoft Security Advisory (925568) suggests the following techniques
to disable VML support:

* Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP
Service Pack 2; Windows Server 2003 and Windows Server 2003
Service Pack 1

* Modify the Access Control List on Vgx.dll to be more restrictive

* Configure Internet Explorer 6 for Microsoft Windows XP Service
Pack 2 to disable Binary and Script Behaviors in the Internet and
Local Intranet security zone

Disabling VML support may cause web sites and applications that use
VML to function improperly.

Render email as plain text

Microsoft Security Advisory (925568) suggests configuring Microsoft
Outlook and Outlook Express to render email messages in plain text
format.

Do not follow unsolicited links

In order to convince users to visit their sites, attackers often use
URL encoding, IP address variations, long URLs, intentional
misspellings, and other techniques to create misleading links. Do not
click on unsolicited links received in email, instant messages, web
forums, or internet relay chat (IRC) channels. Type URLs directly into
the browser to avoid these misleading links. While these are generally
good security practices, following these behaviors will not prevent
exploitation of this vulnerability in all cases, particularly if a
trusted site has been compromised or allows cross-site scripting.


IV. References

* Vulnerability Note VU#416092 -
<http://www.kb.cert.org/vuls/id/416092>

* Microsoft Security Bulletin MS06-055 -
<http://www.microsoft.com/technet/security/bulletin/ms06-055.mspx>

* Microsoft Security Advisory (925568) -
<http://www.microsoft.com/technet/security/advisory/925568.mspx>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>

* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>

* CVE-2006-3866 -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3866>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-262A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-262A Feedback VU#416092" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________



Revision History

September 19, 2006: Initial release
September 21, 2006: Fixed misspelling and removed IE-specific
language from Solution section
September 26, 2006: Added update information and added a reference
to Microsoft Update





[#] Wed Sep 27 2006 18:49:09 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-270A -- Microsoft Internet Explorer WebViewFolderIcon ActiveX Vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA06-270A


Microsoft Internet Explorer WebViewFolderIcon ActiveX Vulnerability

Original release date: September 27, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer


Overview

The Microsoft Windows WebViewFolderIcon ActiveX control contains an
integer overflow vulnerability that could allow a remote attacker
to execute arbitrary code.


I. Description

The Microsoft Windows WebViewFolderIcon ActiveX control contains an
integer overflow vulnerability. An attacker could exploit this
vulnerability through Microsoft Internet Explorer (IE) or any other
application that hosts the WebViewFolderIcon control. More
information is available in Vulnerability Note VU#753044.

Exploit code for this vulnerability is publicly available.


II. Impact

By convincing a user to open a specially crafted HTML document,
such as a web page or HTML email message, a remote attacker could
execute arbitrary code with the privileges of the user who is
running the program that hosts the WebViewFolderIcon control.


III. Solution

Microsoft has not released an update for this
vulnerability. Consider the following workarounds and best
practices:

Disable the WebViewFolderIcon ActiveX control

To protect against this specific vulnerability, disable the
WebViewFolderIcon control by setting the kill bit for the
following CLSID:

{844F4806-E8A8-11d2-9652-00C04FC30871}

More information about how to set the kill bit is available in
Microsoft Support Document 240797.


Disable ActiveX

To protect against this and other ActiveX and COM
vulnerabilities, disable ActiveX in the Internet Zone and any
other zone that might be used by an attacker. Instructions for
disabling ActiveX in the Internet Zone can be found in the
"Securing Your Web Browser" document and the Malicious Web
Scripts FAQ.

Render email as plain text

To protect against this and other vulnerabilities that require a
victim to load a malicious HTML document, configure email clients
to render email as plain text.

Do not follow unsolicited links

To protect against this and other vulnerabilities that require a
victim to load a malicious HTML document, do not follow
unsolicited or untrusted links.

In order to convince users to visit their sites, attackers often
use URL encoding, IP address variations, long URLs, intentional
misspellings, and other techniques to create misleading links. Do
not click on unsolicited links received in email, instant
messages (IMs), web forums, or internet relay chat (IRC)
channels. Type URLs directly into the browser to avoid these
misleading links. While these are generally good security
practices, following these behaviors will not prevent
exploitation of this vulnerability in all cases, particularly if
a trusted site has been compromised or allows cross-site
scripting.


IV. References

* Vulnerability Note VU#753044 -
<http://www.kb.cert.org/vuls/id/753044>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>

* Malicious Web Scripts FAQ -
<http://www.cert.org/tech_tips/malicious_code_FAQ.html>

* CVE-2006-3730 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3730>

* Microsoft Support Document 240797 -
<http://support.microsoft.com/kb/240797>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-270A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-270A Feedback VU#753044" in the
subject.
____________________________________________________________________



Revision History

September 27, 2006: Initial release

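The kill-bit workaround in TA06-270A names the CLSID but not where the bit lives. As an added example (not part of the US-CERT alert), the following PowerShell sets the kill bit for that CLSID and reads it back to confirm; the registry path and the 0x400 flag value are those documented in Microsoft KB 240797, which the alert references, and the function names are my own.

```powershell
# Added example, not from the US-CERT alert: set and verify the ActiveX
# "kill bit" for the WebViewFolderIcon control (CLSID taken from TA06-270A).
# Key path and flag value follow Microsoft KB 240797. Run from an elevated
# session, since the key is under HKLM and applies machine-wide.

$Clsid       = '{844F4806-E8A8-11d2-9652-00C04FC30871}'   # from the alert
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # COMPAT_FLAG value that stops IE from loading the control

function Set-ActiveXKillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Preserve any compatibility flags already present and OR in the kill bit,
    # rather than overwriting the value blindly.
    $current  = 0
    $existing = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($existing) { $current = [int]$existing.'Compatibility Flags' }

    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBitFlag) -Force | Out-Null
}

function Test-ActiveXKillBit {
    # Returns $true only if the key exists and bit 0x400 is set.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if (-not $p) { return $false }
    return (([int]$p.'Compatibility Flags' -band $KillBitFlag) -ne 0)
}

Set-ActiveXKillBit -Clsid $Clsid
if (Test-ActiveXKillBit -Clsid $Clsid) {
    Write-Output "Kill bit set for $Clsid"
} else {
    Write-Warning "Kill bit NOT set for $Clsid; check permissions and re-run elevated"
}
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so set it in both hives there.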

[#] Mon Oct 02 2006 14:08:41 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-275A -- Multiple Vulnerabilities in Apple and Adobe Products


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA06-275A


Multiple Vulnerabilities in Apple and Adobe Products

Original release date: October 02, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Apple Mac OS X version 10.3.9 and earlier (Panther)
* Apple Mac OS X version 10.4.7 and earlier (Tiger)
* Apple Mac OS X Server version 10.3.9 and earlier
* Apple Mac OS X Server version 10.4.7 and earlier
* Safari web browser
* Adobe Flash Player 8.0.24 and earlier

These vulnerabilities affect both Intel-based and PowerPC-based Apple
systems.


Overview

Apple has released Security Update 2006-006 and Mac OS X 10.4.8 Update
to correct multiple vulnerabilities affecting Mac OS X, OS X Server,
Safari, Adobe Flash Player, and other products. The most serious of
these vulnerabilities may allow a remote attacker to execute arbitrary
code. Impacts of other vulnerabilities include bypass of security
restrictions and denial of service.


I. Description

Apple has released Security Update 2006-006 to address numerous
vulnerabilities affecting Mac OS X, OS X Server, Safari, Adobe Flash
Player, and other products.

Further details are available in the individual Vulnerability Notes
for Apple Security Update 2006-006.

Apple has also released Mac OS X 10.4.8 Update (Intel) for Intel-based
Apple systems. This update addresses the vulnerabilities described in
Apple Security Update 2006-006 for Intel-based Apple systems.

This security update also addresses previously known vulnerabilities
in Adobe Flash Player. More information on those vulnerabilities can
be found in Adobe Security Bulletin APSB06-11 and the Vulnerability
Notes for Adobe Security Bulletin APSB06-11.

II. Impact

The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes for Apple
Security Update 2006-006. Potential consequences include remote
execution of arbitrary code or commands, bypass of security
restrictions, and denial of service.


III. Solution

Install updates

Install Apple Security Update 2006-006. This and other updates are
available via Apple Update or via Apple Downloads.

Users with Intel-based Apple systems should upgrade to Mac OS X 10.4.8
Update (Intel) to receive the necessary security updates.


IV. References

* Vulnerability Notes for Apple Security Update 2006-006 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apple-2006-006>

* About the security content of the Mac OS X 10.4.8 Update and
Security Update 2006-006 -
<http://docs.info.apple.com/article.html?artnum=304460>

* Mac OS X 10.4.8 Update (Intel) -
<http://www.apple.com/support/downloads/macosx1048updateintel.html>

* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>

* Apple Downloads - <http://www.apple.com/support/downloads/>

* Vulnerability Notes for Adobe Security Bulletin APSB06-11 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apsb06-11>

* Adobe Security Bulletin APSB06-11 -
<http://www.adobe.com/support/security/bulletins/apsb06-11.html>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#Safari>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-275A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-275A Feedback VU#546772" in the
subject.
_________________________________________________________________


Revision History

October 02, 2006: Initial release



[#] Tue Oct 10 2006 15:31:02 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-283A -- Microsoft Updates for Vulnerabilities in Windows, Office, and Internet Explorer


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA06-283A


Microsoft Updates for Vulnerabilities in Windows, Office, and Internet
Explorer

Original release date: October 10, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows
* Microsoft Office
* Microsoft Internet Explorer


Overview

Microsoft has released updates that address critical vulnerabilities
in Microsoft Windows, Internet Explorer, and Microsoft Office.
Exploitation of these vulnerabilities could allow a remote,
unauthenticated attacker to execute arbitrary code or cause a denial
of service on a vulnerable system.


I. Description

Microsoft has released updates to address vulnerabilities in Microsoft
Windows, Internet Explorer, and Microsoft Office as part of the
Microsoft Security Bulletin Summary for October 2006. The summary
lists ten Microsoft Security Bulletins. Two of the Bulletins discuss
previously disclosed vulnerabilities that are actively being
exploited:

Microsoft Security Bulletin MS06-057 addresses a remote code
execution vulnerability in the WebViewFolderIcon ActiveX control. More
information is available in VU#753044.

Microsoft Security Bulletin MS06-058 addresses a remote code
execution vulnerability in Microsoft PowerPoint. More information
is available in VU#231204.

Further information on vulnerabilities addressed by the October 2006
Security Bulletins will be available in Vulnerability Notes.

Microsoft has announced the end of support for Windows XP Service Pack
1. According to Microsoft:

On October 10, 2006, Microsoft will end all public assisted support
for Windows XP Service Pack 1 (SP1). After this date, Microsoft
will no longer provide any incident support options or security
updates for this retired service pack under the policies defined by
the Microsoft Support Lifecycle policy.

We strongly encourage Windows XP users to upgrade to Windows XP
Service Pack 2 (SP2) as soon as possible.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a
vulnerable system. An attacker may also be able to cause a denial of
service.


III. Solution

Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the
October 2006 Security Bulletins. The Security Bulletins describe any
known issues related to the updates. Note any known issues described
in the Bulletins and test for any potentially adverse effects in your
environment.

Updates for Microsoft Windows and Microsoft Office XP and later are
available on the Microsoft Update site. Microsoft Office 2000 updates
are available on the Microsoft Office Update site.

System administrators may wish to consider using Windows Server Update
Services (WSUS).


References

* US-CERT Vulnerability Notes for Microsoft October 2006 updates -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms06-oct>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>

* Microsoft Security Bulletin Summary for October 2006 -
<http://www.microsoft.com/technet/security/bulletin/ms06-oct.mspx>

* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>

* Microsoft Office Update - <http://officeupdate.microsoft.com/>

* End of support for Windows 98, Windows Me, and Windows XP Service
Pack 1 -
<http://www.microsoft.com/windows/support/endofsupport.mspx#EHB>

* Windows Server Update Services -
<http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>


_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-283A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-283A Feedback VU#703936" in the
subject.
_________________________________________________________________


Revision History

October 10, 2006: Initial release


[#] Wed Oct 18 2006 14:56:11 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-291A -- Oracle Updates for Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA06-291A


Oracle Updates for Multiple Vulnerabilities

Original release date: October 18, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Oracle10g Database
* Oracle9i Database
* Oracle8i Database
* Oracle Application Express (formerly known as Oracle HTML DB)
* Oracle Application Server 10g
* Oracle Collaboration Suite 10g
* Oracle9i Collaboration Suite
* Oracle E-Business Suite Release 11i
* Oracle E-Business Suite Release 11.0
* Oracle Pharmaceutical Applications
* Oracle PeopleSoft Enterprise Portal Solutions
* Oracle PeopleSoft Enterprise PeopleTools
* JD Edwards EnterpriseOne Tools
* JD Edwards OneWorld Tools
* Oracle Reports Developer client-only installations
* Oracle Containers for J2EE client-only installations

For more information regarding affected product versions, please see
the Oracle Critical Patch Update - October 2006.


Overview

Oracle has released patches to address numerous vulnerabilities in
different Oracle products. The impacts of these vulnerabilities
include remote execution of arbitrary code, information disclosure,
and denial of service.


I. Description

Oracle has released the Critical Patch Update - October 2006.
According to Oracle, this CPU contains:

* 22 new security fixes for the Oracle Database
* 6 new security fixes for Oracle HTTP Server
* 35 new security fixes for Oracle Application Express
* 14 new security fixes for the Oracle Application Server
* 13 new security fixes for the Oracle E-Business Suite
* 8 new security fixes for Oracle PeopleSoft Enterprise PeopleTools
and Enterprise Portal Solutions
* 1 new security fix for JD Edwards EnterpriseOne
* 1 new security fix for Oracle Pharmaceutical Applications

Many Oracle products include or share code with other vulnerable
Oracle products and components. Therefore, one vulnerability may
affect multiple Oracle products and components. For example, the
October 2006 CPU does not contain any fixes specifically for Oracle
Collaboration Suite. However, Oracle Collaboration Suite is affected
by vulnerabilities in Oracle Database and Oracle Application Server,
so sites running Oracle Collaboration Suite should install fixes for
Oracle Database and Oracle Application Server. Refer to the October
2006 CPU for details regarding which vulnerabilities affect specific
Oracle products and components.

For a list of publicly known vulnerabilities addressed in the October
2006 CPU, refer to the Map of Public Vulnerability to Advisory/Alert.
The October 2006 CPU does not associate Vuln# identifiers (e.g., DB01)
with other available information, even in the Map of Public
Vulnerability to Advisory/Alert document. As more details about
vulnerabilities and remediation strategies become available, we will
update the individual vulnerability notes.


II. Impact

The impact of these vulnerabilities varies depending on the product,
component, and configuration of the system. Potential consequences
include remote execution of arbitrary code or commands, sensitive
information disclosure, and denial of service. Vulnerable components
may be available to unauthenticated, remote attackers. An attacker who
compromises an Oracle database may be able to gain access to sensitive
information or take complete control of the host system.


III. Solution

Apply patches from Oracle

Apply the appropriate patches or upgrade as specified in the Critical
Patch Update - October 2006. Note that this Critical Patch Update only
lists newly corrected vulnerabilities.

As noted in the update, some patches are cumulative, others are not:

The Oracle Database, Oracle Application Server, Oracle Enterprise
Manager Grid Control, Oracle Collaboration Suite, JD Edwards
EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise
Portal Applications and PeopleSoft Enterprise PeopleTools patches
in the Updates are cumulative; each Critical Patch Update contains
the fixes from the previous Critical Patch Updates.
Oracle E-Business Suite and Applications patches are not
cumulative, so E-Business Suite and Applications customers should
refer to previous Critical Patch Updates to identify previous fixes
they want to apply.

The October 2006 CPU lists 35 vulnerabilities affecting Oracle
Application Express. These vulnerabilities are addressed in Oracle
Application Express version 2.2.1. Oracle Application Express users
are encouraged to upgrade to version 2.2.1 as soon as possible.

Vulnerabilities described in the October 2006 CPU may affect Oracle
Database 10g Express Edition (XE). According to Oracle, Oracle
Database XE is based on the Oracle Database 10g Release 2 code.

Patches for some platforms and components were not available when the
Critical Patch Update was published on October 17, 2006. Please see
MetaLink Note 391563.1 (login required) for more information about
patch availability.

Known issues with Oracle patches are documented in the
pre-installation notes and patch readme files. Please consult these
documents and test before making changes to production systems.


IV. References

* US-CERT Vulnerability Notes Related to Critical Patch Update -
October 2006 -
<http://www.kb.cert.org/vuls/byid?searchview&query=oracle_cpu_oct_2006>

* Critical Patch Update - October 2006 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html>

* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>

* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/public_vuln_to_advisory_mapping.html>

* Oracle Database Security Checklist (PDF) -
<http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf>

* Critical Patch Update Implementation Best Practices (PDF) -
<http://www.oracle.com/technology/deploy/security/pdf/cpu_whitepaper.pdf>

* Oracle Application Express 2.2 Downloads -
<http://www.oracle.com/technology/products/database/application_express/download.html>

* Oracle Metalink Note 391563.1 -
<http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=391563.1>

* Oracle Database 10g Express Edition -
<http://www.oracle.com/technology/products/database/xe/index.html>

* Analysis of the October 2006 Critical Patch Update for the Oracle
RDBMS -
<http://www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf>

* Details Oracle Critical Patch Update October 2006 -
<http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html>


_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-291A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-291A Feedback VU#717140" in the
subject.
_________________________________________________________________


Revision History

[#] Wed Nov 08 2006 15:17:52 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-312A -- Mozilla Updates for Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA06-312A


Mozilla Updates for Multiple Vulnerabilities

Original release date: November 08, 2006
Last revised: --
Source: US-CERT

Systems Affected

* Mozilla SeaMonkey
* Mozilla Firefox
* Mozilla Thunderbird
* Netscape web browser


Overview

The Mozilla web browser and derived products contain several
vulnerabilities, the most serious of which could allow a remote
attacker to execute arbitrary code on an affected system.


I. Description

Several vulnerabilities have been reported in the Mozilla web browser
and derived products. Mozilla has released three security advisories
to describe the vulnerabilities:

Mozilla Foundation Security Advisory 2006-67 addresses a remote
code execution vulnerability in the way JavaScript is handled by
Firefox, Thunderbird, and SeaMonkey. More information can be found
in VU#714496.

Mozilla Foundation Security Advisory 2006-66 addresses a
vulnerability in the way RSA signatures are handled by Firefox,
Thunderbird, and SeaMonkey. More information can be found in
VU#335392.

Mozilla Foundation Security Advisory 2006-65 addresses three memory
corruption vulnerabilities in Firefox, Thunderbird, and SeaMonkey.
More information can be found in VU#815432, VU#390480, and
VU#495288.

Any products based on Mozilla components, specifically Gecko, may also
be affected by VU#714496, VU#815432, VU#390480, and VU#495288.

Any software that uses the Mozilla Network Security Services (NSS)
library may be affected by VU#335392.


II. Impact

The most severe impact of these vulnerabilities could allow a remote
attacker to execute arbitrary code with the privileges of the user
running the affected application. Other effects include forging RSA
signatures and denial of service. A remote, unauthenticated attacker
could execute arbitrary code, or cause a denial of service.

Forging an RSA signature (VU#335392) may allow an attacker to craft a
TLS/SSL or email certificate that will not be detected as invalid.
This may allow that attacker to impersonate a website or email system
that relies on certificates for authentication.


III. Solution

Upgrade

These vulnerabilities are addressed in Mozilla Firefox 1.5.0.8,
Mozilla Thunderbird 1.5.0.8, and SeaMonkey 1.0.6.

According to Mozilla:

Firefox 1.5.0.x will be maintained with security and stability
updates until April 24, 2007. All users are strongly encouraged to
upgrade to Firefox 2.


IV. References

* Vulnerability Note VU#714496 -
<http://www.kb.cert.org/vuls/id/714496>

* Vulnerability Note VU#335392 -
<http://www.kb.cert.org/vuls/id/335392>

* Vulnerability Note VU#815432 -
<http://www.kb.cert.org/vuls/id/815432>

* Vulnerability Note VU#390480 -
<http://www.kb.cert.org/vuls/id/390480>

* Vulnerability Note VU#495288 -
<http://www.kb.cert.org/vuls/id/495288>

* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/security/announce/>

* Known Vulnerabilities in Mozilla Products -
<http://www.mozilla.org/projects/security/known-vulnerabilities.html>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>

* Mozilla Hall of Fame -
<http://www.mozilla.org/university/HOF.html>

* Site Controls -
<http://browser.netscape.com/ns8/help/options-site.jsp>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-312A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-312A Feedback VU#335392" in the
subject.
____________________________________________________________________



Revision History

November 08, 2006: Initial release



[#] Tue Nov 14 2006 17:53:12 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-318A -- Microsoft Security Updates for Windows, Internet Explorer, and Adobe Flash


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA06-318A

Microsoft Security Updates for Windows, Internet Explorer, and Adobe Flash

Original release date: November 14, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer
* Adobe Flash


Overview

Microsoft has released updates that address critical vulnerabilities
in Microsoft Windows, Internet Explorer, and Adobe Flash. Exploitation
of these vulnerabilities could allow a remote, unauthenticated
attacker to execute arbitrary code or cause a denial of service on a
vulnerable system.

I. Description

Microsoft has released updates to address vulnerabilities in Microsoft
Windows, Internet Explorer, and Adobe Flash as part of the Microsoft
Security Bulletin Summary for November 2006. The most severe
vulnerabilities could allow a remote, unauthenticated attacker to
execute arbitrary code or cause a denial of service on a vulnerable
system. Microsoft has included updates to Adobe Flash, which is
installed with Internet Explorer.

Further information is available in the Vulnerability Notes Database.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a
vulnerable system. An attacker may also be able to cause a denial of
service.


III. Solution

Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the
November 2006 Security Bulletins. The Security Bulletins describe any
known issues related to the updates. Note any known issues described
in the Bulletins and test for any potentially adverse effects in your
environment.

System administrators may wish to consider using Windows Server Update
Services (WSUS).


IV. References

* US-CERT Vulnerability Notes for Microsoft November 2006 updates -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms06-nov>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>

* Microsoft Security Bulletin Summary for November 2006 -
<http://www.microsoft.com/technet/security/bulletin/ms06-nov.mspx>

* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>

* Windows Server Update Services -
<http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-318A.html>

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-318A Feedback VU#377369" in
the subject.

____________________________________________________________________



Revision History

November 14, 2006: Initial release


[#] Wed Nov 29 2006 16:12:32 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-333A -- Apple Releases Security Update to Address Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA06-333A


Apple Releases Security Update to Address Multiple Vulnerabilities

Original release date: November 29, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Apple Mac OS X version 10.3.x and 10.4.x
* Apple Mac OS X Server version 10.3.x and 10.4.x
* Apple Safari web browser

These vulnerabilities affect both Intel-based and PowerPC-based Apple
systems.


Overview

Apple has released Security Update 2006-007 to correct multiple
vulnerabilities affecting Mac OS X, Mac OS X Server, and the Safari web
browser. Vulnerabilities in OpenSSL, gzip, and other products are also
addressed. The most serious of these vulnerabilities may allow a
remote attacker to execute arbitrary code. Attackers may take
advantage of the less serious vulnerabilities to bypass security
restrictions or cause a denial of service.


I. Description

Apple Security Update 2006-007 addresses a number of vulnerabilities
affecting Mac OS X, OS X Server, Safari web browser, and other
products. Further details are available in the related vulnerability
notes.

This security update also addresses previously known vulnerabilities
in PHP, Perl, OpenSSL, and gzip, which are shipped with Mac OS X. The
OpenSSL vulnerabilities are documented in multiple vulnerability
notes. Information is also available through the OpenSSL
vulnerabilities page. Information about the vulnerabilities in gzip is
available in a series of vulnerability notes.


II. Impact

The impacts of these vulnerabilities vary. For specific details, see
the appropriate vulnerability notes. Potential consequences include
remote execution of arbitrary code or commands, bypass of security
restrictions, and denial of service.


III. Solution

Install updates

Install Apple Security Update 2006-007. This and other updates are
available via Apple Update or via Apple Downloads.


IV. References

* Vulnerability Notes for Apple Security Update 2006-007 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apple-2006-007>

* Vulnerability Notes for OpenSSL Security Advisory [28th September
2006] -
<http://www.kb.cert.org/vuls/byid?searchview&query=openssl_secadv_20060928>

* Vulnerability Note VU#845620 -
<http://www.kb.cert.org/vuls/id/845620>

* Vulnerability Note VU#933712 -
<http://www.kb.cert.org/vuls/id/933712>

* Vulnerability Note VU#381508 -
<http://www.kb.cert.org/vuls/id/381508>

* Vulnerability Note VU#554780 -
<http://www.kb.cert.org/vuls/id/554780>

* Vulnerability Note VU#596848 -
<http://www.kb.cert.org/vuls/id/596848>

* Vulnerability Note VU#773548 -
<http://www.kb.cert.org/vuls/id/773548>

* About the security content of Security Update 2006-007 -
<http://docs.info.apple.com/article.html?artnum=304829>

* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>

* Apple Downloads - <http://www.apple.com/support/downloads/>

* OpenSSL: OpenSSL vulnerabilities -
<http://www.openssl.org/news/vulnerabilities.html>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#Safari>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-333A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-333A Feedback VU#191336" in the
subject.
_________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>

_________________________________________________________________

Revision History

November 29, 2006: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRW33NuxOF3G+ig+rAQJtiggApJKRh7x+z8vp0xb26sE16RUOD3epcrk6
lJZ4rXnqVqoFacAt0Ucb8T43/Uc4N85UMa695YbFspYZum3hcGZo+WnNPolGUeRz
iN/4bfKgzekfpbHxf6T3YvQYp+PVMRfHPUcxfaZDYXhu2813N4SSQpM59KRL5BD7
xr+5VvB09biVKlzpEdgtk2EHcqc+sMF5+o3cCgDJCnJNL+NG4J6d/hsyNP15ekTf
8m0W4rJonUe2gR2Bp7F1Y47KgRr3BT1aH2gxUSim9qEJpPdP/CkmGoFp+BfrFP9q
A580LOrqFK8HIly1fbPKb26p2theUUESnQqM9Ob8xolkCDLy6h7ssg==
=f7N+
-----END PGP SIGNATURE-----

[#] Tue Dec 12 2006 17:07:06 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA06-346A -- Microsoft Updates for Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA06-346A


Microsoft Updates for Multiple Vulnerabilities

Original release date: December 12, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows
* Microsoft Visual Studio
* Microsoft Outlook Express
* Microsoft Media Player
* Microsoft Internet Explorer
* Microsoft Office 2004 for Mac
* Microsoft Office v. X for Mac


Overview

Microsoft has released updates that address critical vulnerabilities
in Microsoft Windows, Visual Studio, Microsoft Outlook Express,
Microsoft Media Player, and Microsoft Internet Explorer. Exploitation
of these vulnerabilities could allow a remote, unauthenticated
attacker to execute arbitrary code or cause a denial of service on a
vulnerable system.


I. Description

Microsoft has released updates to address vulnerabilities in Microsoft
Windows, Visual Studio, Microsoft Outlook Express, Microsoft Media
Player, and Microsoft Internet Explorer as part of the Microsoft
Security Bulletin Summary for December 2006. The most severe
vulnerabilities could allow a remote, unauthenticated attacker to
execute arbitrary code or cause a denial of service on a vulnerable
system.

Note that in addition to the regular monthly security bulletins,
Microsoft has also published updates for the Apple Mac versions of
Microsoft Office. See the references section of this document for more
details.

Further information is available in the Vulnerability Notes Database.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a
vulnerable system. An attacker may also be able to cause a denial of
service.


III. Solution

Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the
December 2006 Security Bulletins. The Security Bulletins describe any
known issues related to the updates. Note any known issues described
in the Bulletins and test for any potentially adverse effects in your
environment. System administrators may wish to consider using an
automated patch distribution system such as Windows Server Update
Services (WSUS).


IV. References

* US-CERT Vulnerability Notes for Microsoft December 2006 updates -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms06-dec>
* Microsoft Security Bulletin Summary for December 2006 -
<http://www.microsoft.com/technet/security/bulletin/ms06-dec.mspx>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>
* Windows Server Update Services -
<http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>
* Microsoft Office 2004 for Mac 11.3.1 Update -
<http://www.microsoft.com/mac/downloads.aspx?pid=download&location=/mac/download/office2004/Office2004_11.3.1.xml>
* Microsoft Office v. X for Mac Security Update (2006-12-12) -
<http://www.microsoft.com/mac/downloads.aspx?pid=download&location=/mac/download/officex/OfficeX_12_12_2006.xml>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-346A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-346A Feedback VU#622008" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

December 12, 2006: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRX8nIuxOF3G+ig+rAQKLzAf+IYsKY+ZOZagoHjT+q0iTHi9lsLLkx1X3
HP1BlAI0v+rlMMghW+5qTnMKZHnKj8+CQIqCino0HQBfho4SLPrRlR0mdeELyy4G
lsIo+xs04pENJTE0ZVS9k6ip4psjedQZgnc/DOPP9YtVlxPbIeK97p8dpdgZM80X
KN5YXbaQkJZbnAxxQos3r2VVrIAwJWES4xANc5bZv7RS+zNsC35jfh9gQX9wVNIV
1LcMTkE8V7Qa664hEFc7RKWTmxe2NqL45H6MoYYskM0WMDrrJgQx03Zh38FexfLl
MRh+ZUa8YLTeklw+rcdU2LJ7ZsYIWMKzVjCOxG01DFsJkF5udQ7IrA==
=Y7c7
-----END PGP SIGNATURE-----

[#] Fri Jan 05 2007 16:49:26 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA07-005A -- Apple QuickTime RTSP Buffer Overflow


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA07-005A


Apple QuickTime RTSP Buffer Overflow

Original release date: January 05, 2007
Last revised: --
Source: US-CERT


Systems Affected

Apple QuickTime on systems running

* Apple Mac OS X

* Microsoft Windows

Note that Apple iTunes and other software using the vulnerable
QuickTime components are also affected.


Overview

Apple QuickTime contains a buffer overflow in the handling of RTSP
URLs. This can allow a remote attacker to execute arbitrary code on a
vulnerable system.


I. Description

A vulnerability exists in the way Apple QuickTime handles specially
crafted Real Time Streaming Protocol (RTSP) URL strings. Public
exploit code is available that demonstrates how opening a .QTL file
triggers the buffer overflow. However, we have confirmed that other
attack vectors for the vulnerability also exist.

Possible attack vectors include

* a web page that uses the QuickTime plug-in or ActiveX control

* a web page that uses the rtsp:// protocol

* a file that is associated with the QuickTime Player

US-CERT is tracking this issue as VU#442497. This reference number
corresponds to CVE-2007-0015.

Note that this vulnerability affects QuickTime on Microsoft Windows
and Apple Mac platforms. Although web pages can be used as attack
vectors, this vulnerability is not dependent on the specific web
browser that is used.


II. Impact

By convincing a user to open specially crafted QuickTime content, a
remote, unauthenticated attacker can execute arbitrary code on a
vulnerable system.


III. Solution

We are currently unaware of a solution to this problem. Until a
solution becomes available, the workarounds provided in US-CERT
Vulnerability Note VU#442497 are strongly encouraged.

<http://www.kb.cert.org/vuls/id/442497>


IV. References

* US-CERT Vulnerability Note VU#442497 -
<http://www.kb.cert.org/vuls/id/442497>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>

* CVE-2007-0015 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-005A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-005A Feedback VU#442497" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

January 05, 2007: Initial release





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRZ7D9OxOF3G+ig+rAQLG+Af/e+VhtMJEDuzVbT47HRdINgIRiOceCx4u
DZFbMaUvYu4hjGu9f+T6AaGWR9FQj1ZzWDYf/JHY67NCSkwJdFY4Th1vR09BXJGy
lmAzlj7+l3U4UeR+rEud0ajP8qCO7vwRGP4rPUVkcqgaBXqdyfgQbNHtwIpw6w/z
eFYyUp/2EA1vHeTGdPNAkQTupuC95kA0QsiONCVv9xTqg7xnlcXBTwKz+T/DcWig
LDLgPMupim8+ruhkzCCOVveIFQPBdXN5Aem/Fvpmhi2V5HRBc65vKaDoLzBpt4BZ
Wdbeud6ljPjm0JLPvy84Gn7qFcjCu3WP3Nayd7rhbClFZSWyGilM+Q==
=RrHt
-----END PGP SIGNATURE-----
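
The alert above names three vectors (a web page using the QuickTime plug-in or ActiveX control, a web page using the rtsp:// protocol, and a file associated with QuickTime Player) but, since no fix existed at the time, gives no way to triage content. The following is an added example, not US-CERT or Apple code: a small triage script that pulls URLs out of QuickTime Media Link (.qtl) files and rtsp:// references out of web pages and flags oversized RTSP URLs. It assumes a .qtl file is the short XML document QuickTime uses (an `<embed>` element whose `src` names the media), and the length threshold is a triage heuristic chosen here, not the overflow boundary, which the alert does not state. All sample inputs are constructed.

```python
"""
Triage for the attack vectors TA07-005A lists: QuickTime Media Link (.qtl)
files and web pages carrying rtsp:// URLs. Added example, not US-CERT or
Apple code. Assumptions: a .qtl file is the small XML document QuickTime
uses (an <embed> whose src points at the media); SUSPICIOUS_RTSP_LEN is a
triage heuristic for an oversized RTSP URL, not the overflow boundary.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumed triage threshold: no legitimate stream address is this long.
SUSPICIOUS_RTSP_LEN = 256

# Attributes that carry a URL in a .qtl document (src is the usual one).
URL_ATTRS = ("src", "href", "qtnext")

# Raw scan, used for HTML and for .qtl files that are not well-formed XML.
RTSP_URL_RE = re.compile(rb"rtsp://[^\s\"'<>]+", re.IGNORECASE)


def _scheme(url):
    """URL scheme, lower-cased; tolerant of strings urlsplit rejects."""
    try:
        return urlsplit(url).scheme.lower()
    except ValueError:
        return url.split(":", 1)[0].lower() if ":" in url else ""


def qtl_urls(data):
    """Every URL-bearing attribute value in a .qtl document.
    If the XML does not parse, fall back to a raw byte scan: a crafted file
    only has to be accepted by the player, not by a strict XML parser."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return [m.decode("latin-1") for m in RTSP_URL_RE.findall(data)]
    return [el.attrib[a] for el in root.iter() for a in URL_ATTRS if a in el.attrib]


def html_rtsp_urls(html):
    """rtsp:// references anywhere in a web page (embed, object, anchor...)."""
    return [m.decode("latin-1") for m in RTSP_URL_RE.findall(html)]


def findings(urls):
    """Per-URL verdict: is it an rtsp URL, and is it oversized."""
    return [{"url": u, "rtsp": _scheme(u) == "rtsp",
             "oversized": len(u) > SUSPICIOUS_RTSP_LEN} for u in urls]


def is_suspicious_qtl(data):
    return any(f["rtsp"] and f["oversized"] for f in findings(qtl_urls(data)))


def is_suspicious_html(html):
    return any(f["oversized"] for f in findings(html_rtsp_urls(html)))


# Constructed samples (not captured from a real attack).
BENIGN_QTL = (b'<?xml version="1.0"?>\n'
              b'<?quicktime type="application/x-quicktime-media-link"?>\n'
              b'<embed src="rtsp://media.example.net/live/news.mov" autoplay="true" />\n')
OVERSIZED_QTL = (b'<?xml version="1.0"?>\n'
                 b'<?quicktime type="application/x-quicktime-media-link"?>\n'
                 b'<embed src="rtsp://' + b"A" * 400 + b'" autoplay="true" />\n')
# Not well-formed (unterminated element), so only the raw scan can catch it.
MALFORMED_QTL = b'<embed src="rtsp://' + b"B" * 300 + b'" autoplay="true"'
OVERSIZED_HTML = (b'<html><body><embed src="rtsp://' + b"C" * 300 +
                  b'" type="video/quicktime"></body></html>')

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_QTL), ("oversized", OVERSIZED_QTL),
                       ("malformed", MALFORMED_QTL)]:
        print(name, "suspicious" if is_suspicious_qtl(blob) else "ok")
```

The fallback scan matters more than the XML path: a file that QuickTime opens does not have to satisfy a strict parser, so a detector that gives up on a parse error misses exactly the inputs worth looking at. The threshold should be tuned against the stream URLs actually seen in the environment.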

[#] Tue Jan 09 2007 15:20:35 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA07-009A -- Microsoft Updates for Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA07-009A


Microsoft Updates for Multiple Vulnerabilities

Original release date: January 9, 2007
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft Outlook
* Microsoft Excel for Windows and Mac OS X


Overview

Microsoft has released updates that address critical vulnerabilities
in Microsoft Windows, Internet Explorer, Outlook, and Excel.
Exploitation of these vulnerabilities could allow a remote,
unauthenticated attacker to execute arbitrary code or cause a denial
of service on a vulnerable system.


I. Description

Microsoft has released updates to address vulnerabilities that affect
Microsoft Windows, Internet Explorer, Outlook, and Excel as part of
the Microsoft Security Bulletin Summary for January 2007. The most
severe vulnerabilities could allow a remote, unauthenticated attacker
to execute arbitrary code or cause a denial of service on a vulnerable
system.

Note that both Windows and Mac OS X versions of Excel are affected by
the vulnerabilities described in Microsoft Security Bulletin MS07-002.

Further information about the vulnerabilities addressed by these
updates is available in the Vulnerability Notes Database.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a
vulnerable system. An attacker may also be able to cause a denial of
service.


III. Solution

Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the
January 2007 Security Bulletins. The Security Bulletins describe any
known issues related to the updates. Note any known issues described
in the Bulletins and test for any potentially adverse effects in your
environment.

System administrators may wish to consider using an automated patch
distribution system such as Windows Server Update Services (WSUS).


IV. References

* US-CERT Vulnerability Notes for Microsoft January 2007 updates -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms07-jan>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>

* Microsoft Security Bulletin Summary for January 2007 -
<http://www.microsoft.com/technet/security/bulletin/ms07-jan.mspx>

* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>

* Microsoft Office Update - <http://officeupdate.microsoft.com/>

* Windows Server Update Services -
<http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-009A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-009A Feedback VU#749964" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

January 09, 2007: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRaPzluxOF3G+ig+rAQIEbAgArexcce8QTgYyxAELky8l2bhj5h7wLC3U
ZDJ47iHxvuVURtgB4SVGfVRS3Du12SkQvd+FEX+7Rt5oGPGmdPQ+uCFpQIubGDdz
dketmWnym0EnNsVHyt66x6VVFbUZccUa7HEwmlZ+Bp7BFkzwu9SoXHM6GfSGbAF7
Rfx28MTVwF8cdXUZDFIpDxWYt8F9KgB/CKWTZcJsjo8FFKwsH8h6gfvyABIqiYNA
Yf/TcmiAoWBs7Fj5eC5rRDlJQlKirZX59uaHVEGM2qTDO9UktCeTwVpYBYwuWefz
5IRxhcgtu9bHbnblH096kzM0VNIBMBhcQtA0zwMPp3QYuhnYqSzX3A==
=89g7
-----END PGP SIGNATURE-----

[#] Tue Jan 09 2007 16:51:50 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA07-009B -- MIT Kerberos Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA07-009B


MIT Kerberos Vulnerabilities

Original release date: January 09, 2007
Last revised: --
Source: US-CERT


Systems Affected

* MIT Kerberos

Other products based on the GSS-API or the RPC libraries provided with
MIT Kerberos may also be affected.


Overview

The MIT Kerberos administration daemon contains two vulnerabilities
that may allow a remote, unauthenticated attacker to execute arbitrary
code.


I. Description

We are aware of two vulnerabilities that affect the Kerberos
administration daemon:

* VU#481564 - Kerberos administration daemon fails to properly
initialize function pointers
The MIT Kerberos administration daemon contains a vulnerability in
the way pointers are handled that may allow a remote,
unauthenticated user to execute arbitrary code. Other server
applications that utilize the RPC library provided with MIT
Kerberos may also be affected. This vulnerability can be triggered
by sending a specially crafted Kerberos packet to a vulnerable
system. Further details about this vulnerability are available
from the MIT Kerberos Development Team.

* VU#831452 - Kerberos administration daemon may free uninitialized
pointers
The MIT Kerberos administration daemon contains a vulnerability
that may allow an attacker to execute arbitrary code. Other server
applications that utilize the GSS-API library provided with MIT
Kerberos may also be affected. Further details about this
vulnerability are available from the MIT Kerberos Development
Team.


II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary
code resulting in the compromise of the Kerberos key database or cause
a denial of service.


III. Solution

These vulnerabilities are addressed in MIT krb5 Security Advisory
2006-002 and MIT krb5 Security Advisory 2006-003. Patches for these
issues are also included in those advisories.


IV. References

* US-CERT Vulnerability Note VU#481564 -
<http://www.kb.cert.org/vuls/id/481564>
* US-CERT Vulnerability Note VU#831452 -
<http://www.kb.cert.org/vuls/id/831452>
* MIT krb5 Security Advisory 2006-002 -
<http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-002-rpc.txt>
* MIT krb5 Security Advisory 2006-003 -
<http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2006-003-mechglue.txt>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-009B.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-009B Feedback VU#481564" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

January 09, 2007: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRaQNc+xOF3G+ig+rAQKaOQgAjOD7/KVse1tv1gn46WKWVJ4mPajTdn8z
2B7cO52KVKJ6cPvQCXb5Yhy0ljFOqbtZAHyQ/XzdP13CrrQC6ut32aQN+HRSEf3N
3/kwxMxl+QlKUQ97kG3c40XsNClMVDGvWsQj2LRFrzKpTjjPSag+Cdp0eAp0YVx/
6G3WR0HgjoIrfoYgVdqiIz5yeG0O2adLNmjoosDoxV4sro94JbB1iv+SHM+HNCR8
UNIj/kBukOlof0zHapPVofcjJBnxkkRfLrwb1CmrHU5QL6su1GJ4dohlYnnpDevf
NYAoVkr2wni8hjaJezK+jjlp9Q2cEEoRyEHLCS33Q0jOhvSCidXUwQ==
=Ac/A
-----END PGP SIGNATURE-----

[#] Wed Jan 17 2007 11:00:55 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA07-017A -- Oracle Releases Patches for Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA07-017A


Oracle Releases Patches for Multiple Vulnerabilities

Original release date: January 17, 2007
Last revised: --
Source: US-CERT


Systems Affected

* Oracle Database
* Oracle Application Server
* Oracle HTTP Server (Apache)
* Oracle Identity Management
* Oracle Enterprise Manager Grid Control
* Oracle E-Business Suite
* Oracle Collaboration Suite
* Oracle PeopleSoft Enterprise PeopleTools
* Oracle Life Sciences Applications (formerly Oracle Pharmaceutical
Applications)

For more detailed information regarding affected product versions,
refer to the Oracle Critical Patch Update - January 2007.


Overview

Oracle has released patches to address numerous vulnerabilities in
different Oracle products. The impacts of these vulnerabilities
include remote execution of arbitrary code, information disclosure,
and denial of service.


I. Description

Oracle has released the Critical Patch Update - January 2007.
According to Oracle, this Critical Patch Update (CPU) contains:

* 17 new security fixes for the Oracle Database, one of which is for
Oracle Database client-only installations

* 9 new security fixes for the Oracle HTTP Server

* 12 new security fixes for the Oracle Application Server

* 7 new security fixes for the Oracle E-Business Suite

* 6 new security fixes for the Oracle Enterprise Manager

* 3 new security fixes for the Oracle PeopleSoft Enterprise
PeopleTools

Many Oracle products include or share code with other vulnerable
Oracle products and components. Therefore, one vulnerability may
affect multiple Oracle products and components. For example, the
January 2007 CPU does not contain any fixes specifically for Oracle
Collaboration Suite. However, Oracle Collaboration Suite is affected
by vulnerabilities in Oracle Database and Oracle Application Server,
so sites running Oracle Collaboration Suite should install fixes for
Oracle Database and Oracle Application Server. Refer to the January
2007 CPU for details regarding which vulnerabilities affect specific
Oracle products and components.

For a list of publicly known vulnerabilities addressed in the January
2007 CPU, refer to the Map of Public Vulnerability to Advisory/Alert.
The January 2007 CPU does not associate Vuln# identifiers (e.g., DB01)
with other available information, even in the Map of Public
Vulnerability to Advisory/Alert document. As more details about
vulnerabilities and remediation strategies become available, we will
update the individual vulnerability notes.


II. Impact

The impact of these vulnerabilities varies depending on the product,
component, and configuration of the system. Potential consequences
include remote execution of arbitrary code or commands, sensitive
information disclosure, and denial of service. Vulnerable components
may be available to unauthenticated, remote attackers. An attacker who
compromises an Oracle database may be able to gain access to sensitive
information or take complete control of the host system.


III. Solution

Apply patches from Oracle

Apply the appropriate patches or upgrade as specified in the Critical
Patch Update - January 2007. Note that this Critical Patch Update only
lists newly corrected vulnerabilities.

As noted in the update, some patches are cumulative, others are not:

The Oracle Database, Oracle Application Server, Oracle Enterprise
Manager Grid Control, Oracle Collaboration Suite, JD Edwards
EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise
Portal Applications and PeopleSoft Enterprise PeopleTools patches
in the Updates are cumulative; each Critical Patch Update contains
the fixes from the previous Critical Patch Updates.

Oracle E-Business Suite and Applications patches are not
cumulative, so E-Business Suite and Applications customers should
refer to previous Critical Patch Updates to identify previous fixes
they want to apply.

Vulnerabilities described in the January 2007 CPU may affect Oracle
Database 10g Express Edition (XE). According to Oracle, Oracle
Database XE is based on the Oracle Database 10g Release 2 code.

Known issues with Oracle patches are documented in the
pre-installation notes and patch readme files. Please consult these
documents and test before making changes to production systems.


IV. References

* US-CERT Vulnerability Notes Related to Critical Patch Update -
January 2007 -
<http://www.kb.cert.org/vuls/byid?searchview&query=oracle_cpu_jan_2007>

* Critical Patch Update - January 2007 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html>

* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>

* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/public_vuln_to_advisory_mapping.html>

* Oracle Database Security Checklist (PDF) -
<http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf>

* Critical Patch Update Implementation Best Practices (PDF) -
<http://www.oracle.com/technology/deploy/security/pdf/cpu_whitepaper.pdf>

* Oracle Database 10g Express Edition -
<http://www.oracle.com/technology/products/database/xe/index.html>

* Details Oracle Critical Patch Update January 2007 -
<http://www.red-database-security.com/advisory/oracle_cpu_jan_2007.html>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-017A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-017A Feedback VU#221788" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRa5DxexOF3G+ig+rAQK39QgAuBGVS0rMyXinEtvG678WejFIBm8PlhXz
CG1Bpo0AIJTWd6Ql3QAPsf+EQ1pJLlsF/Rp/DJBKspaqg7DJ7NrTfCzC8WUb6H19
vch93DVZo20qPFhRLsEWMaUV7cPuekTtwL1yuRjkXrKL+YB8/1kHw2Xpk2BbDn0r
Ix00n5RbXj1zSpau3OYfps5KaLmhppXKjR2KexTe+tV7yS61dTSYdcJsbKvUj/ev
nRrq+BsYHWi7aYsVXKC+XftlVrE7qTFbgPG7JVXEvyql6T3klVigZfjGQPgTT/6d
UdB7dxHIvnoWnIqSFgTKWlm6JpEK0m9yiNDxGat1NW3pOHaEd5x0GA==
=7oQu
-----END PGP SIGNATURE-----
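
The alert above makes two points that are easy to get wrong in a patch plan: for most products each CPU is cumulative, so only the newest one needs applying, while E-Business Suite and Applications patches are not, so every skipped CPU has to be applied; and a product such as Collaboration Suite needs the fixes for the Database and Application Server code it bundles even when the CPU lists nothing for it by name. The following is an added example, not Oracle's or US-CERT's tooling, that turns those rules into a per-product plan. The product sets are the ones quoted in the alert; the CPU sequence follows Oracle's quarterly January/April/July/October schedule; the inventory is constructed sample data.

```python
"""
Work out which Critical Patch Updates a site still has to apply, using the
cumulative / non-cumulative rule quoted in TA07-017A. Added example, not
Oracle's or US-CERT's tooling. Product sets come from the advisory; the CPU
sequence follows Oracle's quarterly schedule; the inventory is constructed.
"""
CUMULATIVE = {
    "Oracle Database", "Oracle Application Server",
    "Oracle Enterprise Manager Grid Control", "Oracle Collaboration Suite",
    "JD Edwards EnterpriseOne", "JD Edwards OneWorld Tools",
    "PeopleSoft Enterprise Portal Applications", "PeopleSoft Enterprise PeopleTools",
}
NON_CUMULATIVE = {"Oracle E-Business Suite", "Oracle Applications"}

# Quarterly CPUs, oldest first; the last entry is the one the alert covers.
CPU_SEQUENCE = ["CPUJan2006", "CPUApr2006", "CPUJul2006", "CPUOct2006", "CPUJan2007"]

# Products that ship other products' code and therefore need those products'
# fixes (the advisory's Collaboration Suite example).
BUNDLED_COMPONENTS = {
    "Oracle Collaboration Suite": ["Oracle Database", "Oracle Application Server"],
}


def cpus_to_apply(product, applied):
    """CPUs still outstanding for one product, oldest first.
    Cumulative: only the newest CPU matters, it contains all earlier fixes.
    Non-cumulative: every CPU that was skipped has to be applied."""
    applied = set(applied)
    if product in CUMULATIVE:
        latest = CPU_SEQUENCE[-1]
        return [] if latest in applied else [latest]
    if product in NON_CUMULATIVE:
        return [cpu for cpu in CPU_SEQUENCE if cpu not in applied]
    raise ValueError("cumulative status unknown for %r" % product)


def patch_plan(inventory):
    """inventory: {product: [CPU names already applied]}
    -> {product or bundled component: [CPUs to apply]}.
    A bundled product is expanded to the components it contains; the CPU
    list recorded for the bundle is taken as those components' patch level."""
    plan = {}
    for product, applied in inventory.items():
        for target in BUNDLED_COMPONENTS.get(product, [product]):
            outstanding = cpus_to_apply(target, applied)
            if outstanding:
                plan[target] = outstanding
    return plan


# Constructed sample inventory (not a real site).
SAMPLE_INVENTORY = {
    "Oracle Database": ["CPUJul2006"],                       # cumulative: one CPU to go
    "Oracle E-Business Suite": ["CPUJan2006", "CPUJul2006"],  # non-cumulative: three to go
    "PeopleSoft Enterprise PeopleTools": ["CPUJan2007"],      # current
    "Oracle Collaboration Suite": ["CPUOct2006"],             # needs DB and AS fixes
}

if __name__ == "__main__":
    for product, cpus in sorted(patch_plan(SAMPLE_INVENTORY).items()):
        print("%-32s apply: %s" % (product, ", ".join(cpus)))
```

The plan is only as good as the inventory: the alert also notes that Database 10g Express Edition is built on the Database 10g Release 2 code, so XE installs belong in the inventory under the Database line rather than being left out as a separate product.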

[#] Mon Jan 22 2007 14:34:47 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA07-022A


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA07-022A


Sun Updates for Multiple Vulnerabilities in Java

Original release date: January 22, 2007
Last revised: --
Source: US-CERT


Systems Affected

Sun Java Runtime Environment versions

* JDK and JRE 5.0 Update 9 and earlier
* SDK and JRE 1.4.2_12 and earlier
* SDK and JRE 1.3.1_18 and earlier


Overview

The Sun Java Runtime Environment contains multiple vulnerabilities
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.


I. Description

The Sun Java Runtime Environment (JRE) allows users to run Java
applications in a browser or as standalone programs. Sun has released
updates to the Java Runtime Environment software to address multiple
vulnerabilities. Further details about these vulnerabilities are
available in the Vulnerability Notes Database.

Note that exploit code is publicly available for at least one of these
vulnerabilities.


II. Impact

By convincing a user to run a specially crafted Java application, a
remote, unauthenticated attacker can execute arbitrary code on a
vulnerable system. A common attack vector would be a web page that
contains a Java applet.


III. Solution

Apply an update from Sun

These issues are addressed in the following versions of the Sun Java
Runtime Environment:

* JDK and JRE 5.0 Update 10 or later
* SDK and JRE 1.4.2_13 or later
* SDK and JRE 1.3.1_19 or later

If you install the latest version of Java, older versions of Java may
remain installed on your computer. If these versions of Java are not
needed, you may wish to remove them. For instructions on how to remove
older versions of Java, refer to the following instructions from Sun:

<http://www.java.com/en/download/faq/5000070400.xml>


Disable Java

Disable Java in your web browser, as specified in the Securing Your
Web Browser document. While this does not fix the underlying
vulnerabilities, it does block the most common attack vector.


IV. References

* US-CERT Vulnerability Note VU#388289 -
<http://www.kb.cert.org/vuls/id/388289>

* US-CERT Vulnerability Note VU#102289 -
<http://www.kb.cert.org/vuls/id/102289>

* US-CERT Vulnerability Note VU#149457 -
<http://www.kb.cert.org/vuls/id/149457>

* US-CERT Vulnerability Note VU#939609 -
<http://www.kb.cert.org/vuls/id/939609>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>

* CVE-2007-0243 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0243>

* CVE-2006-6745 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6745>

* CVE-2006-6731 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6731>

* Java SE Technologies at a Glance -
<http://java.sun.com/javase/technologies/>

* Java SE Security -
<http://java.sun.com/javase/technologies/security/index.jsp>

* Can I remove older versions of the JRE after installing a newer
version? - <http://www.java.com/en/download/faq/5000070400.xml>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-022A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-022A Feedback VU#388289" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

January 22, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRbUP/exOF3G+ig+rAQKNOgf+Oh1aYfHntMxbpjaHSxyNk8Hofr1zBP/i
wNMoYmWNLGmtvoFKHAj22BInWIJ2mKEt+ThpvmGkUmWroNZ7G6U2vNbxdJY0gc+W
VNHoo4Y9NK4W44zDovNb7mVGwIjxON1U8XdvVa872HUbniVp33euiVfOJLL5beSO
obCusVl9+AJDT2KWO/H4QK8hWNgnAR2ciGDU1KFgZfL5PYdT73EywcfKd+8vVVq5
ZQOriDVODZroH3unI0Hsu/VQH5W05VsvGTAbIenmvs+Rf6pW4Vut53/e7QUkckmJ
nQLjcmDbpOr1xRDiHu63tDCA7fXoMpL00J5Ku/eru+lodV98m3NAvg==
=QdZE
-----END PGP SIGNATURE-----
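
The alert above gives the fixed releases per Java family and warns that installing the latest version may leave older, still-vulnerable versions on the machine. The following is an added example, not US-CERT or Sun code: it parses Sun's internal version strings (5.0 Update 9 is reported as "1.5.0_09"), compares each against the fixed release for its family, and reports hosts that still carry a vulnerable runtime even if a patched one is installed beside it. The fixed versions are the alert's own; the host inventory is constructed sample data; families the alert does not list (such as 1.6) are reported as not covered rather than guessed at.

```python
"""
Inventory check for the Sun Java versions named in TA07-022A. Added example,
not US-CERT or Sun code. Fixed versions are the alert's; the inventory is
constructed sample data.
"""
import re

# Sun's version strings: 5.0 Update 10 is "1.5.0_10"; 1.4.2_13 and 1.3.1_19
# use the same 1.x.y_update form. Tuples are (major, minor, micro, update).
FIXED_BY_FAMILY = {
    (1, 5): (1, 5, 0, 10),   # JDK/JRE 5.0 Update 10 or later
    (1, 4): (1, 4, 2, 13),   # SDK/JRE 1.4.2_13 or later
    (1, 3): (1, 3, 1, 19),   # SDK/JRE 1.3.1_19 or later
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?$")
_JAVA_OUTPUT_RE = re.compile(r'java version "([^"]+)"')


def parse_version(text):
    """'1.5.0_09' or '1.4.2_12-b03' -> (1, 5, 0, 9) / (1, 4, 2, 12).
    A missing update number (e.g. '1.6.0') is treated as update 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognized Java version string: %r" % text)
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def version_from_java_output(output):
    """Pull the version string out of `java -version` output."""
    m = _JAVA_OUTPUT_RE.search(output)
    if not m:
        raise ValueError("no 'java version' line found")
    return m.group(1)


def assess(version_text):
    """'vulnerable', 'fixed', or 'not covered' (a family the alert omits)."""
    v = parse_version(version_text)
    fixed = FIXED_BY_FAMILY.get(v[:2])
    if fixed is None:
        return "not covered"
    return "vulnerable" if v < fixed else "fixed"


def hosts_needing_action(inventory):
    """inventory: {host: [version strings of every installed JRE/JDK]}
    -> {host: [vulnerable versions]}. A host that was updated but still
    carries an older release (the leftover-install case the alert warns
    about) is reported, because that older runtime is still reachable."""
    report = {}
    for host, versions in inventory.items():
        bad = [v for v in versions if assess(v) == "vulnerable"]
        if bad:
            report[host] = bad
    return report


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = {
    "ws01": ["1.5.0_10"],                # patched
    "ws02": ["1.5.0_10", "1.4.2_12"],    # patched 5.0, old 1.4.2 still installed
    "ws03": ["1.5.0_09"],                # not patched
    "ws04": ["1.3.1_19", "1.6.0"],       # patched 1.3.1; 1.6 is outside the alert
}

if __name__ == "__main__":
    for host, bad in sorted(hosts_needing_action(SAMPLE_INVENTORY).items()):
        print(host, "still runs vulnerable Java:", ", ".join(bad))
```

The per-host list is the point: a single `java -version` only reports whichever runtime is first on the path, so the inventory has to enumerate every installed JRE and JDK, not just the default one, before the leftover-version check means anything.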
