[#] Wed Oct 17 2007 15:13:29 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA07-290A -- Oracle Updates for Multiple Vulnerabilities



National Cyber Alert System

Technical Cyber Security Alert TA07-290A


Oracle Updates for Multiple Vulnerabilities

Original release date: October 17, 2007
Last revised: --
Source: US-CERT

Systems Affected

* Oracle Database 10g
* Oracle 9i Database
* Oracle Enterprise Manager 10g Database Control
* Oracle Application Server 10g
* Oracle Collaboration Suite 10g
* Oracle PeopleSoft Enterprise
* Oracle E-Business Suite
* Oracle PeopleSoft Enterprise Human Capital Management

For more information regarding affected product versions, please see
the Oracle Critical Patch Update - October 2007.


Overview

Oracle products and components are affected by multiple
vulnerabilities. The impacts of these vulnerabilities include remote
execution of arbitrary code, information disclosure, and denial of
service.


I. Description

Oracle has released Critical Patch Update - October 2007. This update
addresses more than forty vulnerabilities in different Oracle products
and components.

The Critical Patch Update provides information about affected
components, access and authorization required, and the impact from the
vulnerabilities on data confidentiality, integrity, and availability.
MetaLink customers should refer to MetaLink Note 394487.1 (login
required) for more information on terms used in the Critical Patch
Update.

According to Oracle, none of the vulnerabilities corrected in the
Oracle Critical Patch Update affect Oracle Database Client-only
installations.

In most cases, Oracle does not associate Vuln# identifiers (e.g.,
DB01) with other available information. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database.


II. Impact

The impact of these vulnerabilities varies depending on the product,
component, and configuration of the system. Potential consequences
include the execution of arbitrary code or commands, information
disclosure, and denial of service. Vulnerable components may be
available to unauthenticated, remote attackers. An attacker who
compromises an Oracle database may be able to gain access to sensitive
information.


III. Solution

Apply a patch

Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update - October 2007. Note that this Critical Patch
Update only lists newly corrected issues. Updates to patches for
previously known issues are not listed.

As noted in the update, some patches are cumulative, others are not:

* The Oracle Database, Oracle Application Server, Oracle Enterprise
Manager Grid Control, Oracle Collaboration Suite, JD Edwards
EnterpriseOne and OneWorld Tools, and PeopleSoft Enterprise Portal
Applications patches in the Updates are cumulative; each successive
Critical Patch Update contains the fixes from the previous Critical
Patch Updates.

* Oracle E-Business Suite and Applications patches are not
cumulative, so E-Business Suite and Applications customers should
refer to previous Critical Patch Updates to identify previous fixes
they wish to apply.

Patches for some platforms and components were not available when the
Critical Patch Update was published on October 17, 2007. Please see
MetaLink Note 360465.1 (login required) for more information.

Known issues with Oracle patches are documented in the
pre-installation notes and patch readme files. Please consult these
documents specific to your system before applying patches.

Appendix A. Vendor Information

Oracle

Please see Oracle Critical Patch Update - October 2007 and Critical
Patch Updates and Security Alerts.

Appendix B. References

* Critical Patch Update - October 2007 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html>

* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>

* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>

* Oracle Database Security Checklist (PDF) -
<http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf>

* MetaLink Note 360465.1 (login required) -
<https://metalink.oracle.com/metalink/plsql/f?p=200:37:386501049664454700::::p_database_id,p_id,p_template:Not,360465.1,0>

* Details Oracle Critical Patch Update October 2007 -
<http://www.red-database-security.com/advisory/oracle_cpu_oct_2007.html>


_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-290A.html>
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

October 17, 2007: Initial release




[#] Wed Oct 24 2007 15:04:09 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA07-297A -- RealNetworks RealPlayer ActiveX Playlist Buffer Overflow



National Cyber Alert System
Technical Cyber Security Alert TA07-297A


RealNetworks RealPlayer ActiveX Playlist Buffer Overflow

Original release date: October 24, 2007
Last revised: --
Source: US-CERT

Systems Affected

Windows systems with
* RealPlayer 11 beta
* RealPlayer 10.5
* RealPlayer 10
* RealOne Player v2
* RealOne Player

Overview

RealNetworks RealPlayer client for Microsoft Windows contains a stack
buffer overflow in the playlist parameter passed to the client by an
ActiveX control. This vulnerability could allow a remote,
unauthenticated attacker to execute arbitrary code using a specially
crafted web page or HTML email message.

I. Description

RealNetworks RealPlayer is a multimedia application that allows users
to view local and remote audio and video content. RealPlayer for
Microsoft Windows includes the IERPCtl ActiveX control that can be
used with Internet Explorer to import a local file into a playlist.
RealPlayer does not adequately validate the playlist parameter passed
from the ActiveX control, resulting in a stack buffer overflow
vulnerability. The IERPCtl ActiveX control is present in RealOne
Player and later versions.

RealNetworks has released a patch for this vulnerability as described
in RealPlayer Security Vulnerability. There are public reports that
this vulnerability is being actively exploited.

This vulnerability can be exploited using the IERPCtl ActiveX control,
which effectively means that only Windows Internet Explorer users are
affected. The ActiveX control was introduced in RealOne Player, so
Windows versions of RealPlayer 8 and earlier are not affected.
Macintosh and Linux versions of RealPlayer are not affected.

II. Impact

By convincing a user to view a specially crafted HTML document or HTML
mail message, a remote, unauthenticated attacker may be able to
execute arbitrary code with the privileges of the user on a vulnerable
system. Note that the RealPlayer software does not need to be running
for this vulnerability to be exploited.

For more information, please see US-CERT Vulnerability Note VU#871673.

III. Solution

Upgrade and apply a patch

See RealPlayer Security Vulnerability for information about upgrading
and patching RealPlayer. RealPlayer 10.5 and RealPlayer 11 beta users
should install the patch specified in the RealNetworks document.
RealOne, RealOne Player v2, and RealPlayer 10 users should upgrade to
RealPlayer 10.5 or RealPlayer 11 beta and install the patch.

Disable the IERPCtl ActiveX control

Disable the IERPCtl ActiveX control by setting the kill bit for the
following CLSID:
{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}

More information about how to set the kill bit is available in
Microsoft Support Document 240797. Alternatively, the following text
can be saved as a .reg file and imported into the Windows registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}]
"Compatibility Flags"=dword:00000400

Disable ActiveX

Disabling ActiveX in the Internet Zone (or any zone used by an
attacker) reduces the chances of exploitation of this and other
vulnerabilities. Instructions for disabling ActiveX in the Internet
Zone can be found in the "Securing Your Web Browser" document.

Appendix A. Vendor Information

RealNetworks

For information about updating RealPlayer, see the RealPlayer Security
Vulnerability and Security Update for Real Player.

Appendix B. References

* Customer Support - Real Security Updates -
<http://service.real.com/realplayer/security/191007_player/en/>

* Security Update for RealPlayer -
<http://docs.real.com/docs/security/SecurityUpdate101907Player.pdf>

* US-CERT Vulnerability Note VU#871673 -
<http://www.kb.cert.org/vuls/id/871673>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-297A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-297A Feedback VU#871673" in the
subject.
_________________________________________________________________


Revision History

October 24, 2007: Initial release

[#] Wed Oct 24 2007 17:45:09 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA07-297B -- Adobe Updates for Microsoft Windows URI Vulnerability



National Cyber Alert System
Technical Cyber Security Alert TA07-297B


Adobe Updates for Microsoft Windows URI Vulnerability

Original release date: October 24, 2007
Last revised: --
Source: US-CERT

Systems Affected

Microsoft Windows XP and Windows Server 2003 systems with Internet
Explorer 7 and any of the following Adobe products:
* Adobe Reader 8.1 and earlier
* Adobe Acrobat Professional, 3D, and Standard 8.1 and earlier
* Adobe Reader 7.0.9 and earlier
* Adobe Acrobat Professional, 3D, Standard, and Elements 7.0.9 and
earlier

Overview

Adobe has released updates for the Adobe Reader and Adobe Acrobat
product families. The update addresses a URI handling vulnerability in
Microsoft Windows XP and Server 2003 systems with Internet Explorer 7.

I. Description

Installing Microsoft Internet Explorer (IE) 7 on Windows XP or Server
2003 changes the way Windows handles Uniform Resource Identifiers
(URIs). This change has introduced a flaw that can cause Windows to
incorrectly determine the appropriate handler for the protocol
specified in a URI. By creating a specially crafted URI in a PDF
document, an attacker can execute arbitrary commands on a vulnerable
system. More information about this vulnerability is available in
US-CERT Vulnerability Note VU#403150.

Public reports indicate that this vulnerability is being actively
exploited with malicious PDF files. Adobe has released Adobe Reader
8.1.1 and Adobe Acrobat 8.1.1, which mitigate this vulnerability.

II. Impact

By convincing a user to open a specially crafted PDF file, a remote,
unauthenticated attacker may be able to execute arbitrary commands.

III. Solution

Apply an update

Adobe has released Adobe Reader 8.1.1 and Adobe Acrobat 8.1.1 to
address this issue. These Adobe products handle URIs in a way that
mitigates the vulnerability in Microsoft Windows.

Disable the mailto: URI in Adobe Reader and Adobe Acrobat

If you are unable to install an updated version of the software, this
vulnerability can be mitigated by disabling the mailto: URI handler in
Adobe Reader and Adobe Acrobat. Please see Adobe Security Bulletin
APSB07-18 for details.


Appendix A. Vendor Information

Adobe

For information about updating affected Adobe products, see Adobe
Security Bulletin APSB07-18.

Appendix B. References

* Adobe Security Bulletin APSB07-18 -
<http://www.adobe.com/support/security/bulletins/apsb07-18.htm>

* Microsoft Security Advisory (943521) -
<http://www.microsoft.com/technet/security/advisory/943521.mspx>

* US-CERT Vulnerability Note VU#403150 -
<http://www.kb.cert.org/vuls/id/403150>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-297B.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-297B Feedback VU#403150" in the
subject.
_________________________________________________________________


Revision History

October 24, 2007: Initial release

[#] Tue Nov 06 2007 18:13:07 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA07-310A -- Apple QuickTime Updates for Multiple Vulnerabilities



National Cyber Alert System
Technical Cyber Security Alert TA07-310A


Apple QuickTime Updates for Multiple Vulnerabilities

Original release date: November 06, 2007
Last revised: --
Source: US-CERT

Systems Affected

Vulnerabilities in Apple QuickTime affect
* Apple Mac OS X
* Microsoft Windows

Overview

Apple QuickTime contains multiple vulnerabilities. Exploitation of
these vulnerabilities could allow a remote attacker to execute
arbitrary code or cause a denial-of-service condition.

I. Description

Apple QuickTime 7.3 resolves multiple vulnerabilities in the way
different types of image and media files are handled. An attacker
could exploit these vulnerabilities by convincing a user to access a
specially crafted image or media file that could be hosted on a web
page.

Note that Apple iTunes installs QuickTime, so any system with iTunes
is vulnerable.

II. Impact

These vulnerabilities could allow a remote, unauthenticated attacker
to execute arbitrary code or commands and cause a denial-of-service
condition. For further information, please see About the security
content of QuickTime 7.3.

III. Solution

Upgrade QuickTime

Upgrade to QuickTime 7.3. This and other updates for Mac OS X are
available via Apple Update.

Secure your web browser

To help mitigate these and other vulnerabilities that can be exploited
via a web browser, refer to Securing Your Web Browser.

References

* About the security content of the QuickTime 7.3 Update -
<http://docs.info.apple.com/article.html?artnum=306896>

* How to tell if Software Update for Windows is working correctly when no updates are available -
<http://docs.info.apple.com/article.html?artnum=304263>

* Apple QuickTime Download - <http://www.apple.com/quicktime/download/>

* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-310A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-310A Feedback VU#208011" in the
subject.
_________________________________________________________________


Revision History

November 6, 2007: Initial release

[#] Tue Nov 13 2007 14:52:57 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA07-317A -- Microsoft Updates for Multiple Vulnerabilities



National Cyber Alert System

Technical Cyber Security Alert TA07-317A


Microsoft Updates for Multiple Vulnerabilities

Original release date: November 13, 2007
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows
* Microsoft Windows DNS Server


Overview

Microsoft has released updates that address critical vulnerabilities
in Microsoft Windows and Microsoft Windows DNS Server. Exploitation of
these vulnerabilities could allow a remote, unauthenticated attacker
to execute arbitrary commands or to cause a Windows DNS server to
provide incorrect DNS responses.


I. Description

Microsoft has released updates to address vulnerabilities that affect
Microsoft Windows and Microsoft Windows DNS Server as part of the
Microsoft Security Bulletin Summary for November 2007. The most severe
vulnerabilities could allow a remote, unauthenticated attacker to
execute arbitrary commands or cause a Windows DNS server to provide
incorrect DNS responses.

Further information about the vulnerabilities addressed by these
updates is available in the Vulnerability Notes Database.


II. Impact

A remote, unauthenticated attacker could execute arbitrary commands on
a vulnerable system. An attacker may also be able to cause a Windows
DNS server to provide incorrect responses to DNS queries.


III. Solution

Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the
November 2007 security bulletins. The security bulletins describe any
known issues related to the updates. Administrators are encouraged to
note any known issues that are described in the bulletins and test for
any potentially adverse effects.

System administrators should consider using an automated patch
distribution system such as Windows Server Update Services (WSUS).


IV. References

* US-CERT Vulnerability Notes for Microsoft November 2007 updates -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms07-nov>

* Microsoft Security Bulletin Summary for November 2007 -
<http://www.microsoft.com/technet/security/bulletin/ms07-nov.mspx>

* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>

* Windows Server Update Services -
<http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>

* Securing Your Web Browser -
<http://www.cert.org/tech_tips/securing_browser/>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-317A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-317A Feedback VU#484649" in the
subject.
____________________________________________________________________



Revision History

November 13, 2007: Initial release

[#] Thu Nov 15 2007 13:34:33 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA07-319A -- Apple Updates for Multiple Vulnerabilities




National Cyber Alert System

Technical Cyber Security Alert TA07-319A


Apple Updates for Multiple Vulnerabilities

Original release date: November 15, 2007
Last revised: --
Source: US-CERT


Systems Affected

* Apple Mac OS X version 10.3.x and 10.4.x
* Apple Mac OS X Server version 10.3.x and 10.4.x

These vulnerabilities affect both Intel-based and PowerPC-based Apple
systems.


Overview

Apple has released Mac OS X 10.4.11 and Security Update 2007-008 to
address multiple vulnerabilities affecting Apple Mac OS X and Mac OS X
Server. The most serious of these vulnerabilities may allow a remote
attacker to execute arbitrary code. Attackers may take advantage of
the less serious vulnerabilities to bypass security restrictions or
cause a denial of service.


I. Description

Apple Mac OS X 10.4.11 and Security Update 2007-008 address a number
of vulnerabilities affecting Apple Mac OS X and OS X Server. Further
details are available in the related vulnerability notes.

Several of the fixes included in this update address vulnerabilities
in products from other vendors that ship with Apple OS X or OS X
Server. These products include

* BIND
* bzip2
* Adobe Flash
* MIT Kerberos

Apple Mac OS X 10.4.11 and Security Update 2007-008 address
vulnerabilities for versions 10.3.x and 10.4.x.


II. Impact

The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.


III. Solution

Install updates from Apple

Install Mac OS X 10.4.11 or Apple Security Update 2007-008. This and
other updates are available via Apple Update or via Apple Downloads.


IV. References

* Vulnerability notes for Apple Security Update 2007-008 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apple_2007_008>

* About the security content of Mac OS X 10.4.11 and Security Update
2007-008 - <http://docs.info.apple.com/article.html?artnum=307041>

* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>

* Apple downloads - <http://www.apple.com/support/downloads/>

* ISC BIND - <http://www.isc.org/sw/bind/>

* bzip2 : Home - <http://www.bzip.org/>

* Adobe - Adobe Flash Player -
<http://www.adobe.com/products/flashplayer/>

* Kerberos: The Network Authentication Protocol -
<http://web.mit.edu/Kerberos/>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-319A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________



Revision History

November 15, 2007: Initial release

[#] Fri Nov 30 2007 10:28:38 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA07-334A -- Apple QuickTime RTSP Buffer Overflow



National Cyber Alert System
Technical Cyber Security Alert TA07-334A


Apple QuickTime RTSP Buffer Overflow

Original release date: November 30, 2007
Last revised: --
Source: US-CERT

Systems Affected

A buffer overflow in Apple QuickTime affects:
* Apple QuickTime for Windows
* Apple QuickTime for Apple Mac OS X

Overview

Apple QuickTime contains a buffer overflow vulnerability in the way
QuickTime processes Real Time Streaming Protocol (RTSP) streams.
Exploitation of this vulnerability could allow an attacker to execute
arbitrary code.

I. Description

Apple QuickTime contains a stack buffer overflow vulnerability in the
way QuickTime handles the RTSP Content-Type header. Most versions of
QuickTime prior to and including 7.3 running on all supported Apple
Mac OS X and Microsoft Windows platforms are vulnerable. Since
QuickTime is a component of Apple iTunes, iTunes installations are
also affected by this vulnerability.

An attacker could exploit this vulnerability by convincing a user to
access a specially crafted HTML document such as a web page or email
message. The HTML document could use a variety of techniques to cause
QuickTime to load a specially crafted RTSP stream. Common web
browsers, including Microsoft Internet Explorer, Mozilla Firefox, and
Apple Safari can be used to pass RTSP streams to QuickTime, exploit
the vulnerability, and execute arbitrary code.

Exploit code for this vulnerability was first posted publicly on
November 25, 2007.

II. Impact

This vulnerability could allow a remote, unauthenticated attacker to
execute arbitrary code or commands and cause a denial-of-service
condition.

III. Solution

As of November 30, 2007, a QuickTime update for this vulnerability is
not available. To block attack vectors, consider the following
workarounds.

Block the rtsp:// protocol

Using a proxy or firewall capable of recognizing and blocking RTSP
traffic can mitigate this vulnerability. Known public exploit code for
this vulnerability uses the default RTSP port 554/tcp; however, RTSP
can use a variety of ports.

Disable file association for QuickTime files

Disable the file association for QuickTime file types. This can be
accomplished by deleting the following registry keys:
HKEY_CLASSES_ROOT\QuickTime.*

This will remove the association for approximately 32 file types that
are configured to open with QuickTime Player.

Disable the QuickTime ActiveX controls in Internet Explorer

The QuickTime ActiveX controls can be disabled in Internet Explorer by
setting the kill bit for the following CLSIDs:
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
{4063BE15-3B08-470D-A0D5-B37161CFFD69}

More information about how to set the kill bit is available in
Microsoft Knowledge Base Article 240797. Alternatively, the following
text can be saved as a .REG file and imported to set the kill bit for
these controls:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4063BE15-3B08-470D-A0D5-B37161CFFD69}]
"Compatibility Flags"=dword:00000400

Disable the QuickTime plug-in for Mozilla-based browsers

Users of Mozilla-based browsers, such as Firefox, can disable the
QuickTime plugin, as specified in the PluginDoc article Uninstalling
Plugins.

Disable JavaScript

For instructions on how to disable JavaScript, please refer to the
Securing Your Web Browser document. This can help prevent some attack
techniques that use the QuickTime plug-in or ActiveX control.

Secure your web browser

To help mitigate these and other vulnerabilities that can be exploited
via a web browser, refer to Securing Your Web Browser.

Do not access QuickTime files from untrusted sources

Do not open QuickTime files from any untrusted sources, including
unsolicited files or links received in email, instant messages, web
forums, or internet relay chat (IRC) channels.


References

* US-CERT Vulnerability Note VU#659761 - <http://www.kb.cert.org/vuls/id/659761>

* Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>

* Mozilla Uninstalling Plugins - <http://plugindoc.mozdev.org/faqs/uninstall.html>

* How to stop an ActiveX control from running in Internet Explorer - <http://support.microsoft.com/kb/240797>

* IETF RFC 2326 Real Time Streaming Protocol - <http://tools.ietf.org/html/rfc2326>


_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-334A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-334A Feedback VU#659761" in the
subject.
_________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
_________________________________________________________________

Revision History

November 30, 2007: Initial release

[#] Tue Dec 11 2007 17:36:30 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA07-345A -- Microsoft Updates for Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA07-345A


Microsoft Updates for Multiple Vulnerabilities

Original release date: December 11, 2007
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer

Overview

Microsoft has released updates that address critical vulnerabilities
in Microsoft Windows and Internet Explorer. Exploitation of these
vulnerabilities could allow a remote, unauthenticated attacker to
execute arbitrary commands.

I. Description

Microsoft has released updates to address vulnerabilities that affect
Microsoft Windows and Internet Explorer as part of the Microsoft
Security Bulletin Summary for December 2007. The most severe
vulnerabilities could allow a remote, unauthenticated attacker to
execute arbitrary commands. For more information, see the US-CERT
Vulnerability Notes Database.

II. Impact

A remote, unauthenticated attacker could execute arbitrary commands on
a vulnerable system.

III. Solution

Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the
December 2007 security bulletins. The security bulletins describe any
known issues related to the updates. Administrators are encouraged to
note these issues and test for any potentially adverse effects.
Administrators should consider using an automated update distribution
system such as Windows Server Update Services (WSUS).

IV. References

* US-CERT Vulnerability Notes for Microsoft December 2007 updates -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms07-dec>

* Microsoft Security Bulletin Summary for December 2007 -
<http://www.microsoft.com/technet/security/bulletin/ms07-dec.mspx>

* Microsoft Update - <https://www.update.microsoft.com/microsoftupdate/>

* Windows Server Update Services -
<http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>

* Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-345A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-345A Feedback VU#437393" in the
subject.
_________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
______________________________________________________________

Revision History

December 11, 2007: Initial release



[#] Tue Dec 18 2007 18:13:46 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA07-352A -- Apple Updates for Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA07-352A


Apple Updates for Multiple Vulnerabilities

Original release date: December 18, 2007
Last revised: --
Source: US-CERT

Systems Affected

* Apple Mac OS X versions prior to and including 10.4.11 and 10.5.1
* Apple Mac OS X Server versions prior to and including 10.4.11 and
10.5.1

These vulnerabilities affect both Intel and PowerPC platforms.

Overview

Apple has released Security Update 2007-009 to correct multiple
vulnerabilities affecting Apple Mac OS X and Mac OS X Server.
Attackers could exploit these vulnerabilities to execute arbitrary
code, gain access to sensitive information, surreptitiously initiate a
video conference, or cause a denial of service.

I. Description

Apple Security Update 2007-009 addresses a number of vulnerabilities
affecting Apple Mac OS X and OS X Server versions 10.4.11 and 10.5.1.
Further details are available in the related vulnerability notes.

The update addresses vulnerabilities in other vendors' products that
ship with Apple OS X or OS X Server. These products include:
* Adobe Flash
* Adobe Shockwave
* GNU Tar

II. Impact

The impacts of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
surreptitious video conference initiation, and denial of service.

III. Solution

Install updates from Apple

Install Apple Security Update 2007-009. This and other updates are
available via Software Update or via Apple Downloads.

IV. References

* Vulnerability notes for Apple Security Update 2007-009 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apple-2007-009>

* About Security Update 2007-009 -
<http://docs.info.apple.com/article.html?artnum=307179>

* Mac OS X: Updating your software - <http://docs.info.apple.com/article.html?artnum=106704>

* Apple - Support - Downloads - <http://www.apple.com/support/downloads/>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-352A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-352A Feedback VU#905292" in the
subject.
_________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
_________________________________________________________________

Revision History

December 18, 2007: Initial release



[#] Fri Dec 21 2007 10:28:53 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA07-355A -- Adobe Updates for Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA07-355A


Adobe Updates for Multiple Vulnerabilities

Original release date: December 21, 2007
Last revised: --
Source: US-CERT

Systems Affected

* Adobe Flash Player 9.0.48.0 and earlier
* Adobe Flash Player 8.0.35.0 and earlier
* Adobe Flash Player 7.0.70.0 and earlier

Overview

Adobe has released Security bulletin APSB07-20 to address multiple
vulnerabilities affecting Adobe Flash Player. Attackers could exploit
these vulnerabilities to execute arbitrary code, perform DNS rebinding
and cross-site scripting attacks, conduct port scans, or cause a
denial of service.

I. Description

Adobe Security Update APSB07-20 addresses a number of vulnerabilities
affecting Adobe Flash 9.0.48.0 and earlier, 8.0.35.0 and earlier and
7.0.70 and earlier. Further details are available in the related
vulnerability notes.

An attacker could exploit these vulnerabilities by convincing a user
to load a specially crafted Flash file. Flash content is widely
deployed on the internet. An attacker could distribute Flash files
using web sites that allow user-supplied content, like popular social
networking sites.

II. Impact

The impacts of these vulnerabilities vary. An attacker may be able to
execute arbitrary code, perform DNS rebinding or cross-site scripting
attacks, conduct port scans, or cause a denial of service.

III. Solution

Upgrade Flash Player

Upgrade Flash Player according to the information in Adobe Security
bulletin APSB07-20. For the port scanning issue (CVE-2007-4324),
consider the ActionScript network socket functionality guidance in
TechNote kb402956.

Adobe provides a way to determine which version of Flash Player is
installed and a way to configure notifications of updates.

IV. References

* Vulnerability notes for Adobe Security Update APSB07-20 -
<http://www.kb.cert.org/vuls/byid?searchview&query=APSB07-20>

* Adobe Security Bulletin APSB07-20 - <http://www.adobe.com/support/security/bulletins/apsb07-20.html>

* Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA07-355A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-355A Feedback VU#758769" in the
subject.
_________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
_________________________________________________________________


Revision History

December 21, 2007: Initial release

[#] Tue Jan 08 2008 15:23:33 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA08-008A -- Microsoft Updates for Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA08-008A

Microsoft Updates for Multiple Vulnerabilities

Original release date: January 8, 2008
Last revised: January 8, 2008
Source: US-CERT


Systems Affected

* Microsoft Windows


Overview

Microsoft has released updates that address critical vulnerabilities
in Microsoft Windows. Exploitation of these vulnerabilities could
allow a remote, unauthenticated attacker to execute arbitrary code,
gain elevated privileges, or crash a vulnerable system.


I. Description

Microsoft has released updates to address vulnerabilities that affect
Microsoft Windows as part of the Microsoft Security Bulletin Summary
for January 2008. The most severe vulnerabilities could allow a
remote, unauthenticated attacker to execute arbitrary code. For more
information, see the US-CERT Vulnerability Notes Database.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code, gain
elevated privileges, or cause a denial of service.


III. Solution

Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the
January 2008 security bulletins. The security bulletins describe any
known issues related to the updates. Administrators are encouraged to
note these issues and test for any potentially adverse effects.
Administrators should consider using an automated update distribution
system such as Windows Server Update Services (WSUS).


IV. References

* US-CERT Vulnerability Notes for Microsoft January 2008 updates -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms08-jan>

* Microsoft Security Bulletin Summary for January 2008 -
<http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx>

* Microsoft Update - <https://www.update.microsoft.com/microsoftupdate/>

* Windows Server Update Services -
<http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA08-008A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-008A Feedback VU#410025" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2008 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

January 8, 2008: Initial release


[#] Wed Jan 16 2008 15:36:17 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA08-016A -- Apple QuickTime Updates for Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA08-016A


Apple QuickTime Updates for Multiple Vulnerabilities

Original release date: January 16, 2008
Last revised: --
Source: US-CERT

Systems Affected

* Apple Mac OS X running versions of QuickTime prior to 7.4
* Microsoft Windows running versions of QuickTime prior to 7.4

Overview

Apple QuickTime contains multiple vulnerabilities. Exploitation of
these vulnerabilities could allow a remote attacker to execute
arbitrary code or cause a denial-of-service condition.


I. Description

Apple QuickTime 7.4 resolves multiple vulnerabilities in the way
different types of image and media files are handled. An attacker
could exploit these vulnerabilities by convincing a user to access a
specially crafted image or media file that could be hosted on a web
page.

Note that Apple iTunes installs QuickTime, so any system with iTunes
is vulnerable.


II. Impact

These vulnerabilities could allow a remote, unauthenticated attacker
to execute arbitrary code or cause a denial-of-service condition. For
further information, please see About the security content of
QuickTime 7.4.


III. Solution

Upgrade QuickTime

Upgrade to QuickTime 7.4. This and other updates for Mac OS X are
available via Apple Update.

Secure your web browser

To help mitigate these and other vulnerabilities that can be exploited
via a web browser, refer to Securing Your Web Browser.


References

* About the security content of the QuickTime 7.4 Update -
<http://docs.info.apple.com/article.html?artnum=307301>

* How to tell if Software Update for Windows is working correctly
when no updates are available -
<http://docs.info.apple.com/article.html?artnum=304263>

* Apple - QuickTime - Download -
<http://www.apple.com/quicktime/download/>

* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA08-016A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-016A Feedback VU#818697" in the
subject.
_________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________

Produced 2007 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
_________________________________________________________________


Revision History

January 16, 2007: Initial release

[#] Thu Mar 06 2008 16:05:16 EST from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA08-066A -- Sun Updates for Multiple Vulnerabilities in Java


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA08-066A


Sun Updates for Multiple Vulnerabilities in Java

Original release date: March 6, 2008
Last revised: --
Source: US-CERT


Systems Affected

Sun Java Runtime Environment versions
* JDK and JRE 6 Update 4 and earlier
* JDK and JRE 5.0 Update 14 and earlier
* SDK and JRE 1.4.2_16 and earlier
* SDK and JRE 1.3.1_21 and earlier


Overview

Sun has released alerts to address multiple vulnerabilities affecting
the Sun Java Runtime Environment. The most severe of these
vulnerabilities could allow a remote attacker to execute arbitrary
code.


I. Description

The Sun Java Runtime Environment (JRE) allows users to run Java
applications in a browser or as standalone programs. Sun has released
updates to the Java Runtime Environment software to address multiple
vulnerabilities. Further details about these vulnerabilities are
available in the US-CERT Vulnerability Notes Database.

Sun released the following alerts to address these issues:
* 233321 Two Security Vulnerabilities in the Java Runtime
Environment Virtual Machine

* 233322 Security Vulnerability in the Java Runtime Environment With
the Processing of XSLT Transformations

* 233323 Multiple Security Vulnerabilities in Java Web Start May
Allow an Untrusted Application to Elevate Privileges

* 233324 A Security Vulnerability in the Java Plug-in May Allow an
Untrusted Applet to Elevate Privileges

* 233325 Vulnerabilities in the Java Runtime Environment image
Parsing Library

* 233326 Security Vulnerability in the Java Runtime Environment May
Allow Untrusted JavaScript Code to Elevate Privileges Through Java
APIs

* 233327 Buffer Overflow Vulnerability in Java Web Start May Allow
an Untrusted Application to Elevate its Privileges


II. Impact

The impacts of these vulnerabilities vary. The most severe of these
vulnerabilities allows a remote attacker to execute arbitrary code.


III. Solution

Apply an update from Sun

These issues are addressed in the following versions of the Sun Java
Runtime environment:
* JDK and JRE 6 Update 5 or later
* JDK and JRE 5.0 Update 15 or later
* SDK and JRE 1.4.2_17 or later
* SDK and JRE 1.3.1_21 and earlier

If you install the latest version of Java, older versions of Java may
remain installed on your computer. If these versions of Java are not
needed, you may wish to remove them. For instructions on how to remove
older versions of Java, refer to the following instructions from Sun.
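Because older JREs can stay registered beside the new one, it helps to enumerate every installed Sun JRE and compare it against the fixed versions listed above. This is an added PowerShell example, not part of the alert: the version thresholds are the alert's, while the registry location (HKLM\SOFTWARE\JavaSoft\Java Runtime Environment, plus the Wow6432Node view on 64-bit hosts) is an assumption about how Sun JRE installers of this era registered themselves. The 1.3.1 line is left out because the alert gives no fixed version for it.

```powershell
# Added example, not part of the US-CERT alert. Fixed-version thresholds come
# from the alert; the JavaSoft registry paths are an assumption.
$FixedVersions = @{
    '1.6'   = '1.6.0_05'   # JDK and JRE 6 Update 5
    '1.5'   = '1.5.0_15'   # JDK and JRE 5.0 Update 15
    '1.4.2' = '1.4.2_17'   # SDK and JRE 1.4.2_17
}

function ConvertTo-JavaVersionTuple {
    # "1.6.0_05" -> 1,6,0,5 ; "1.4.2_17" -> 1,4,2,17 ; "1.6" -> 1,6,0,0
    param([string]$Version)
    $m = [regex]::Match($Version, '^(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?')
    if (-not $m.Success) { return $null }
    $parts = 1..4 | ForEach-Object {
        if ($m.Groups[$_].Success) { [int]$m.Groups[$_].Value } else { 0 }
    }
    return ,$parts
}

function Compare-JavaVersion {
    # Negative when $A is older than $B, zero when equal, positive when newer.
    param([string]$A, [string]$B)
    $ta = ConvertTo-JavaVersionTuple $A
    $tb = ConvertTo-JavaVersionTuple $B
    for ($i = 0; $i -lt 4; $i++) {
        if ($ta[$i] -ne $tb[$i]) { return $ta[$i] - $tb[$i] }
    }
    return 0
}

function Get-JavaFamily {
    # Maps a full version to the family key used in $FixedVersions.
    param([string]$Version)
    if ($Version -like '1.4.2*') { return '1.4.2' }
    return (($Version -split '\.')[0..1] -join '.')
}

function Get-InstalledJres {
    $roots = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'   # assumed x64 view
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # Only fully qualified subkeys (e.g. 1.6.0_05) carry the update number;
        # family alias keys such as "1.6" are skipped.
        Get-ChildItem -Path $root |
            Where-Object { $_.PSChildName -match '_' } |
            ForEach-Object {
                [pscustomobject]@{
                    Version  = $_.PSChildName
                    JavaHome = $_.GetValue('JavaHome')
                }
            }
    }
}

foreach ($jre in Get-InstalledJres) {
    $family = Get-JavaFamily $jre.Version
    $fixed  = $FixedVersions[$family]
    if ($null -eq $fixed) {
        $state = 'no fixed version given in alert'
    } elseif ((Compare-JavaVersion $jre.Version $fixed) -lt 0) {
        $state = "VULNERABLE (fixed in $fixed)"
    } else {
        $state = 'patched'
    }
    Write-Output ('{0,-12} {1,-45} {2}' -f $jre.Version, $jre.JavaHome, $state)
}
```

Any row flagged VULNERABLE is an older JRE left behind by the upgrade and is a candidate for removal per the Sun instructions referenced above.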

Disable Java

Disable Java in your web browser, as specified in the Securing Your
Web Browser document. While this does not fix the underlying
vulnerabilities, it does block a common attack vector.


IV. References

* US-CERT Vulnerability Notes for Sun Alerts -
<http://www.kb.cert.org/vuls/byid?searchview&query=SUNJAVA_020608>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>

* Sun Alert 233321 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-233321-1>

* Sun Alert 233322 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-233322-1>

* Sun Alert 233323 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-233323-1>

* Sun Alert 233324 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-233324-1>

* Sun Alert 233325 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-233325-1>

* Sun Alert 233326 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-233326-1>

* Sun Alert 233327 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-233327-1>

* Java SE Technologies at a Glance -
<http://java.sun.com/javase/technologies/>

* Java SE Security -
<http://java.sun.com/javase/technologies/security/index.jsp>

* Can I remove older versions of the JRE after installing a newer
version? - <http://www.java.com/en/download/faq/5000070400.xml>
____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA08-066A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-066A Feedback VU#223028" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2008 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

March 6, 2008: Initial release

[#] Tue Mar 11 2008 17:07:37 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA08-071A -- Microsoft Updates for Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA08-071A

Microsoft Updates for Multiple Vulnerabilities

Original release date: March 11, 2008
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Office
* Microsoft Outlook
* Microsoft Excel
* Microsoft Excel Viewer
* Microsoft Office for Mac
* Microsoft Office Web Components

Overview

Microsoft has released updates that address vulnerabilities in
Microsoft Office, Outlook, Excel, Excel Viewer, Office for Mac, and
Office Web Components.

I. Description

Microsoft has released updates to address vulnerabilities that affect
Microsoft Office, Outlook, Excel, Excel Viewer, Office for Mac, and
Office Web Components as part of the Microsoft Security Bulletin
Summary for March 2008. The most severe vulnerabilities could allow a
remote, unauthenticated attacker to execute arbitrary code. For more
information, see the US-CERT Vulnerability Notes Database.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code, gain
elevated privileges, or cause a denial of service.

III. Solution

Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the March
2008 security bulletins. The security bulletins describe any known
issues related to the updates. Administrators are encouraged to note
these issues and test for any potentially adverse effects.
Administrators should consider using an automated update distribution
system such as Windows Server Update Services (WSUS).

IV. References

* US-CERT Vulnerability Notes for Microsoft March 2008 updates
- <http://www.kb.cert.org/vuls/byid?searchview&query=ms08-mar>

* Microsoft Security Bulletin Summary for March 2008
- <http://www.microsoft.com/technet/security/bulletin/ms08-mar.mspx>

* Microsoft Update - <https://www.update.microsoft.com/microsoftupdate/>

* Windows Server Update Services - <http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA08-071A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-071A Feedback VU#393305" in the
subject.
_________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________

Produced 2008 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>


[#] Wed Mar 19 2008 12:28:35 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA08-079B -- MIT Kerberos Updates for Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA08-079B


MIT Kerberos Updates for Multiple Vulnerabilities

Original release date: March 19, 2008
Last revised: --
Source: US-CERT

Systems Affected

* MIT Kerberos

Overview

The MIT Kerberos implementation contains several vulnerabilities.
Exploitation of these vulnerabilities could allow a remote,
unauthenticated attacker to execute arbitrary code, compromise the key
database or cause a denial of service on a vulnerable system.

I. Description

The MIT Kerberos Development Team has released MIT krb5 Security
Advisory 2008-002 to address vulnerabilities in multiple versions of
MIT Kerberos. More information about these vulnerabilities can be
found in VU#895609 and VU#374121.

II. Impact

Potential consequences include arbitrary code execution, key database
compromise, and denial of service.

III. Solution

Install updates from your vendor

Check with your vendors for patches or updates. For information about
a vendor, please see the systems affected section in vulnerability
notes VU#895609 and VU#374121 or contact your vendor directly.
Administrators who compile MIT Kerberos from source should refer to
MIT Security Advisory 2008-002 for more information.

IV. References

* US-CERT Vulnerability Note VU#895609 -
<http://www.kb.cert.org/vuls/id/895609>

* US-CERT Vulnerability Note VU#374121 -
<http://www.kb.cert.org/vuls/id/374121>

* MIT krb5 Security Advisory 2008-002 -
<http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt2>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA08-079B.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-079B Feedback VU#895609" in the
subject.
_________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________

Produced 2008 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

March 19, 2008: Initial release

[#] Wed Mar 19 2008 13:00:45 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA08-079A -- Apple Updates for Multiple Vulnerabilities


National Cyber Alert System

Technical Cyber Security Alert TA08-079A


Apple Updates for Multiple Vulnerabilities

Original release date: March 19, 2008
Last revised: --
Source: US-CERT

Systems Affected

* Apple Mac OS X versions prior to and including 10.4.11 and 10.5.2
* Apple Mac OS X Server versions prior to and including 10.4.11 and
10.5.1
* Apple Safari prior to 3.1, including both OS X and Windows
versions

Overview

Apple has released the Apple Security Update 2008-002 and Apple Safari
3.1 to correct multiple vulnerabilities affecting Apple Mac OS X, Mac
OS X Server, and Apple Safari. Attackers could exploit these
vulnerabilities to execute arbitrary code, gain access to sensitive
information, execute cross-site scripting attacks or cause a denial of
service.

I. Description

Apple Security Update 2008-002 and Apple Safari 3.1 address a
number of vulnerabilities affecting Apple Mac OS X, OS X Server, and
Safari. Further details are available in the US-CERT Vulnerability
Notes Database.

II. Impact

The impacts of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
cross-site scripting, and denial of service.

III. Solution

Install updates from Apple

Install Apple Security Update 2008-002. These and other updates are
available via Software Update or via Apple Downloads.

IV. References

* US-CERT Vulnerability Notes for Apple Security Update 2008-002 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apple_security_update_2008_002>

* About the security content of Apple Security Update 2008-002 -
<http://docs.info.apple.com/article.html?artnum=307562>

* About the security content of Safari 3.1 -
<http://docs.info.apple.com/article.html?artnum=307563>

* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>

* Apple Support Downloads -
<http://www.apple.com/support/downloads/>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA08-079A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-079A Feedback VU#766019" in the
subject.
_________________________________________________________________

Revision History

March 19, 2008: Initial release

[#] Thu Mar 27 2008 16:05:20 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA08-087B -- Cisco Updates for Multiple Vulnerabilities


National Cyber Alert System

Technical Cyber Security Alert TA08-087B


Cisco Updates for Multiple Vulnerabilities

Original release date: March 27, 2007
Last revised: --
Source: US-CERT


Systems Affected

* Cisco IOS


Overview

Cisco has released Cisco Security Advisory cisco-sa-20080326-bundle to
correct multiple vulnerabilities affecting Cisco IOS. Attackers could
exploit these vulnerabilities to access sensitive information
or cause a denial of service.


I. Description

Cisco Security Advisory cisco-sa-20080326-bundle addresses
a number of vulnerabilities affecting Cisco IOS 12.0, 12.1,
12.2, 12.3, and 12.4. Further details are available in the US-CERT
Vulnerability Notes Database.


II. Impact

The impacts of these vulnerabilities vary. Potential consequences
include disclosure of sensitive information and denial of service.


III. Solution

Upgrade

These vulnerabilities are addressed in Cisco Security Advisory
cisco-sa-20080326-bundle.


IV. References

* US-CERT Vulnerability Notes -
<http://www.kb.cert.org/vuls/byid?searchview&query=cisco-sa-20080326-bundle>

* Cisco Security Advisory cisco-sa-20080326-bundle -
<http://www.cisco.com/warp/public/707/cisco-sa-20080326-bundle.shtml>

* Cisco Security Advisory: Cisco IOS Virtual Private Dial-up Network
Denial of Service Vulnerability -
<http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml>

* Cisco Security Advisory: Multiple DLSw Denial of Service
Vulnerabilities in Cisco IOS -
<http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml>

* Cisco Security Advisory: Cisco IOS User Datagram Protocol Delivery
Issue For IPv4/IPv6 Dual-stack Routers -
<http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml>

* Cisco Security Advisory: Vulnerability in Cisco IOS with OSPF,
MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch
Processor 720 -
<http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml>

* Cisco Security Advisory: Cisco IOS Multicast Virtual Private
Network (MVPN) Data Leak -
<http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA08-087B.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-087B Feedback VU#936177" in the
subject.
____________________________________________________________________


Revision History

March 27, 2008: Initial release

[#] Thu Mar 27 2008 16:33:56 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA08-087A -- Mozilla Updates for Multiple Vulnerabilities


National Cyber Alert System

Technical Cyber Security Alert TA08-087A


Mozilla Updates for Multiple Vulnerabilities

Original release date: March 27, 2008
Last revised: --
Source: US-CERT

Systems Affected

* Mozilla Firefox
* Mozilla Thunderbird
* Mozilla SeaMonkey

Other products based on Mozilla components may also be affected.

Overview

New versions of Firefox, Thunderbird, and SeaMonkey address several
vulnerabilities, the most severe of which could allow a remote
attacker to execute arbitrary code on an affected system.

I. Description

The Mozilla and the SeaMonkey projects have released new versions of
Firefox, Thunderbird and SeaMonkey to address several vulnerabilities.
Further details about these vulnerabilities are available in Mozilla
Foundation Security Advisories and the Vulnerability Notes Database.
An attacker could exploit these vulnerabilities by convincing a user
to view a specially crafted HTML document, such as a web page or an
HTML email message.

II. Impact

While the impacts of the individual vulnerabilities vary, the most
severe could allow a remote, unauthenticated attacker to execute
arbitrary code on a vulnerable system. An attacker may also be able to
cause a denial of service or execute cross-site scripting attacks.

III. Solution

Upgrade

These vulnerabilities are addressed in Mozilla Firefox 2.0.0.13,
Thunderbird 2.0.0.13, and SeaMonkey 1.1.9.

Disable JavaScript

Some of these vulnerabilities can be mitigated by disabling JavaScript
or by using the NoScript extension. For more information about
configuring Firefox, please see the Securing Your Web Browser
document. Thunderbird disables JavaScript by default.

IV. References

* US-CERT Vulnerability Notes -
<http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_200803>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>

* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/security/announce/>

* Known Vulnerabilities in Mozilla Products -
<http://www.mozilla.org/projects/security/known-vulnerabilities.html>

* Mozilla Hall of Fame -
<http://www.mozilla.org/university/HOF.html>

* NoScript Firefox Extension - <http://noscript.net/>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA08-087A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-087A Feedback VU#466521" in the
subject.
_________________________________________________________________

Revision History

March 27, 2008: Initial release

[#] Thu Apr 03 2008 15:53:48 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA08-094A -- Apple Updates for Multiple Vulnerabilities


National Cyber Alert System

Technical Cyber Security Alert TA08-094A


Apple Updates for Multiple Vulnerabilities

Original release date: April 3, 2008
Last revised: --
Source: US-CERT

Systems Affected

* Apple Mac OS X running versions of QuickTime prior to 7.4.5
* Microsoft Windows running versions of QuickTime prior to 7.4.5

Overview

Apple QuickTime contains multiple vulnerabilities as described in the
Apple Knowledgebase article HT1241. Exploitation of these
vulnerabilities could allow a remote attacker to execute arbitrary
code or cause a denial-of-service condition.

I. Description

Apple QuickTime 7.4.5 addresses vulnerabilities in the way different
types of image and media files are handled. An attacker could exploit
these vulnerabilities by convincing a user to access a specially
crafted image or media file that could be hosted on a web page.

Note that Apple iTunes installs QuickTime, so any system with iTunes
may be vulnerable.

II. Impact

These vulnerabilities could allow a remote, unauthenticated attacker
to execute arbitrary code or cause a denial-of-service condition. For
further information, please see Apple knowledgebase article HT1241
about the security content of QuickTime 7.4.5.

III. Solution

Upgrade QuickTime

Upgrade to QuickTime 7.4.5. This and other updates for Mac OS X are
available via Apple Update.

Secure your web browser

To help mitigate these and other vulnerabilities that can be exploited
via a web browser, refer to Securing Your Web Browser.

IV. References

* About the security content of the QuickTime 7.4.5 Update -
<http://support.apple.com/kb/HT1241>

* How to tell if Software Update for Windows is working correctly
when no updates are available -
<http://docs.info.apple.com/article.html?artnum=304263>

* Apple - QuickTime - Download -
<http://www.apple.com/quicktime/download/>

* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>


_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA08-094A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-094A Feedback VU#931547" in the
subject.
_________________________________________________________________

Revision History

April 3, 2008: Initial release

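Added example, not part of any US-CERT alert above: a patch-compliance check that compares an inventory of installed versions against the fixed versions named in TA08-079A (Safari 3.1), TA08-087A (Firefox 2.0.0.13, Thunderbird 2.0.0.13, SeaMonkey 1.1.9) and TA08-094A (QuickTime 7.4.5). The host inventory is constructed sample data, and the product labels are assumed names, not identifiers from the alerts.

```python
"""Patch-compliance check against the fixed versions named in the alerts above.

Added example, not US-CERT text. The inventory is constructed sample data;
the fixed versions are the ones stated in TA08-079A, TA08-087A and TA08-094A.
"""
from typing import Dict, List, Tuple

# Version at which each product is fixed, as stated in the alerts on this page.
# A host is still exposed when its installed version is strictly below the fix
# ("prior to" semantics in the alerts' Systems Affected lists).
FIXED_VERSIONS: Dict[str, str] = {
    "Firefox": "2.0.0.13",      # TA08-087A
    "Thunderbird": "2.0.0.13",  # TA08-087A
    "SeaMonkey": "1.1.9",       # TA08-087A
    "QuickTime": "7.4.5",       # TA08-094A
    "Safari": "3.1",            # TA08-079A
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.0.0.13' into (2, 0, 0, 13) so comparison is numeric.

    Plain string comparison gets this wrong: as strings, '2.0.0.9' > '2.0.0.13',
    so a host on 2.0.0.9 would wrongly look patched.
    """
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed version is below the fixed version for product."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version known for {product!r}")
    fixed = parse_version(FIXED_VERSIONS[product])
    have = parse_version(installed)
    # Pad the shorter tuple so '3.1' and '3.1.0' compare as equal.
    width = max(len(fixed), len(have))
    fixed += (0,) * (width - len(fixed))
    have += (0,) * (width - len(have))
    return have < fixed


def check_inventory(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return one 'host: product version (fix: x)' line per exposed entry."""
    findings = []
    for host, product, installed in inventory:
        if is_vulnerable(product, installed):
            findings.append(
                f"{host}: {product} {installed} (fix: {FIXED_VERSIONS[product]})"
            )
    return findings


# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "Firefox", "2.0.0.9"),     # below fix, exposed
    ("ws-02", "Firefox", "2.0.0.13"),    # at fix, patched
    ("ws-03", "QuickTime", "7.4.1"),     # below fix, exposed
    ("ws-04", "Safari", "3.1.0"),        # equal to 3.1 once padded, patched
    ("ws-05", "SeaMonkey", "1.1.8"),     # below fix, exposed
]

if __name__ == "__main__":
    for line in check_inventory(SAMPLE_INVENTORY):
        print(line)
```
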
[#] Tue Apr 08 2008 14:56:05 EDT from "US-CERT Technical Alerts" <technical-alerts@us-cert.gov> to technical-alerts@us-cert.gov

Subject: US-CERT Technical Cyber Security Alert TA08-099A -- Microsoft Updates for Multiple Vulnerabilities


National Cyber Alert System

Technical Cyber Security Alert TA08-099A


Microsoft Updates for Multiple Vulnerabilities

Original release date: April 8, 2008
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft Office


Overview

Microsoft has released updates that address vulnerabilities in
Microsoft Windows, Internet Explorer, and Office.


I. Description

Microsoft has released updates to address vulnerabilities that affect
Microsoft Windows, Internet Explorer, and Office as part of the
Microsoft Security Bulletin Summary for April 2008. The most severe
vulnerabilities could allow a remote, unauthenticated attacker to
execute arbitrary code. For more information, see the US-CERT
Vulnerability Notes Database.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code, gain
elevated privileges, or cause a denial of service.


III. Solution

Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the April
2008 security bulletin. The security bulletin describes any known
issues related to the updates. Administrators are encouraged to note
these issues and test for any potentially adverse effects.
Administrators should consider using an automated update distribution
system such as Windows Server Update Services (WSUS).


IV. References

* US-CERT Vulnerability Notes for Microsoft April 2008 updates -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms08-apr>

* Microsoft Security Bulletin Summary for April 2008 -
<http://www.microsoft.com/technet/security/bulletin/ms08-apr.mspx>

* Microsoft Update -
<https://www.update.microsoft.com/microsoftupdate/>

* Windows Server Update Services -
<http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA08-099A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-099A Feedback VU#155563" in the
subject.
____________________________________________________________________


Revision History

April 8, 2008: Initial release
