Forbidden Web

Jun 26, 2008 Microsoft Internet Explorer 6 Cross-Domain Vulnerability
US-CERT is aware of publicly available proof-of-concept code for a new vulnerability in Microsoft Internet Explorer 6. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary script in the context of another domain. This could allow an attacker to take a variety of actions, including stealing cookies, hijacking a web session, or stealing authentication credentials. At this time, Internet Explorer 7 does not appear to be affected by this issue.

US-CERT strongly encourages users to upgrade to Microsoft Internet Explorer 7 and follow the best security practices as outlined in the Securing Your Web Browser document to help mitigate the risk. Additional information about this vulnerability can be found in the Vulnerability Notes Database.

US-CERT will provide additional information as it becomes available.
Jun 24, 2008 Microsoft Releases Security Advisory
Microsoft has released a Security Advisory to alert users of a recent increase in SQL injection attacks targeting websites using Microsoft ASP and ASP.NET. These attacks target websites that have inadequate secure coding practices for accessing and manipulating data stored in relational databases. If an attack is successful, an attacker may be able to compromise the website and inject arbitrary content or obtain sensitive data. Any user visiting the compromised site may be unknowingly redirected to a malicious website that could attempt to install malicious code onto the system.

US-CERT encourages website administrators to review Microsoft Security Advisory 954462 and implement any necessary Suggested Actions listed in the advisory. Users are encouraged to implement best security practices as described in the Securing Your Web Browser document to help mitigate the risk.
Jun 24, 2008 Adobe Releases Security Bulletin
Adobe has released a Security Update for Adobe Reader and Acrobat 8.1.2 to address a vulnerability that may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. The Security Bulletin also indicates there are reports of active exploitation.

US-CERT encourages users to review Adobe Security Bulletin APSB08-15 and apply any necessary updates.
Jun 20, 2008 Apple Releases Safari v3.1.2 for Windows
Apple has released Safari v3.1.2 for Windows to address multiple vulnerabilities. These vulnerabilities include the following:
  • an out-of-bounds memory read when handling BMP and GIF files that may lead to the disclosure of memory contents
  • an issue in the way Windows desktop handles executables, which may allow arbitrary code execution
  • an issue in the way Safari handles executables from websites in a trusted Internet Explorer zone, which may lead to automatic arbitrary code execution
  • a memory corruption issue in the handling of JavaScript arrays by WebKit that may lead to an unexpected application termination or arbitrary code execution
US-CERT encourages users to review Apple Article HT2092 and upgrade to Safari v3.1.2 for Windows.
Jun 20, 2008 Critical Vulnerability in Microsoft Bluetooth Stack
Microsoft has released an update to a previously released security bulletin affecting the Bluetooth stack in Windows. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code. This vulnerability is addressed in Microsoft Security Bulletin MS08-030.

US-CERT encourages users to review the updated MS08-030 and apply the patches and workarounds to help mitigate the risks.
Jun 19, 2008 New Storm Worm Variant Spreading
US-CERT has received reports of new Storm Worm related activity. The latest activity is centered around messages related to the recent earthquake in China and the upcoming Olympic Games. This Trojan is spread via an unsolicited email message that contains a link to a malicious website. This website contains a video that when opened may run the executable file "beijing.exe" to infect the user's system with malicious code.

Subject lines can change at any time, but the following subject lines are noted as being used:
  • The most powerful quake hits China
  • Countless victims of earthquake in China
  • Death toll in China is growing
  • Recent earthquake in china took a heavy toll
  • Recent china earthquake kills million
  • China is paralyzed by new earthquake
  • Death toll in China exceeds 1000000
  • A new powerful disaster in China
  • A new deadly catastrophe in China
  • 2008 Olympic Games are under the threat
  • China's most deadly earthquake
US-CERT encourages users and administrators to take the following preventative measures to mitigate the security risks:
US-CERT reminds users to beware of future phishing attacks that may target natural disasters and the Olympic Games.
Jun 19, 2008 Cisco Releases Security Advisory
Cisco has released a Security Advisory to address a vulnerability in several of their Intrusion Prevention System platforms. This vulnerability is caused by an unspecified error in the handling of Jumbo Ethernet frames received on a Gigabit network interface configured for inline mode. Exploitation of this vulnerability may allow a remote attacker to trigger a kernel panic and cause a denial-of-service condition or bypass security restrictions.

At this time, Cisco has not yet released software updates to resolve this issue; however, they have provided a workaround in their advisory. US-CERT encourages users to review Cisco Security Advisory cisco-sa-20080618-ips and apply any necessary workarounds until Cisco releases software updates.

US-CERT will provide additional information as it becomes available.
Jun 10, 2008 Microsoft Releases June Security Bulletin
Microsoft has released updates to address vulnerabilities in Microsoft Windows and Internet Explorer as part of the Microsoft Security Bulletin Summary for June 2008. These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, or cause a denial-of-service condition.

US-CERT encourages users to review the bulletins and follow best-practice security policies to determine which updates should be applied.
Jun 10, 2008 SNMPv3 Authentication Bypass Vulnerability
US-CERT is aware of a vulnerability in implementations of SNMPv3. This vulnerability is due to an error in the way the authenticator field handles shortened hash message authentication code (HMAC). Exploitation of this vulnerability may allow an attacker to read and modify any SNMP object or the configuration of the affected device using the credentials that got them onto the system.

US-CERT encourages users to review Vulnerability Notes VU#878044 and apply the solutions or workarounds listed in the document to help mitigate the risks.

US-CERT will provide additional information as it becomes available.
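
The SNMPv3 entry above concerns how a shortened HMAC in the authenticator field is checked. The sketch below is an added example, not code from US-CERT or any SNMP implementation: it assumes the flaw class is a comparison over only as many bytes as the sender supplied, and sets it beside a check that enforces the full 12-byte length. The key, message and function names are constructed for illustration.

```python
import hashlib
import hmac

# HMAC-MD5-96 and HMAC-SHA-96 (SNMPv3 USM, RFC 3414) carry a 12-byte truncated MAC.
MAC_LEN = 12


def compute_mac(auth_key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-96 over the message (simplified: real USM zeroes the MAC field first)."""
    return hmac.new(auth_key, message, hashlib.sha1).digest()[:MAC_LEN]


def verify_flawed(auth_key: bytes, message: bytes, received_mac: bytes) -> bool:
    """Assumed flaw class: compare only as many bytes as the sender supplied."""
    expected = compute_mac(auth_key, message)
    return expected[:len(received_mac)] == received_mac


def verify_hardened(auth_key: bytes, message: bytes, received_mac: bytes) -> bool:
    """Reject any MAC that is not exactly MAC_LEN bytes, then compare in constant time."""
    if len(received_mac) != MAC_LEN:
        return False
    return hmac.compare_digest(compute_mac(auth_key, message), received_mac)


def demo() -> dict:
    """Run both checks on constructed inputs and return the accept/reject results."""
    key = b"constructed-auth-key"              # constructed sample, not a real key
    msg = b"constructed SNMPv3 message bytes"  # constructed sample message
    full = compute_mac(key, msg)
    shortened = full[:1]                       # authenticator cut down to one byte
    tampered = bytes([full[0] ^ 0xFF]) + full[1:]
    return {
        "full_flawed": verify_flawed(key, msg, full),
        "full_hardened": verify_hardened(key, msg, full),
        "short_flawed": verify_flawed(key, msg, shortened),
        "short_hardened": verify_hardened(key, msg, shortened),
        "tampered_flawed": verify_flawed(key, msg, tampered),
        "tampered_hardened": verify_hardened(key, msg, tampered),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

A one-byte authenticator leaves the flawed check only 256 possible values to distinguish, which is why the hardened check refuses anything shorter than the full field before comparing.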
Jun 10, 2008 Apple Releases QuickTime 7.5
Apple has released QuickTime 7.5 to address multiple vulnerabilities. These vulnerabilities include the following:
  • a heap-based buffer overflow condition in the handling of PixData structures when processing a PICT image that may allow an attacker to execute arbitrary code or cause a denial-of-service condition
  • a memory corruption condition in the handling of AAC-encoded media content that may allow an attacker to execute arbitrary code or cause a denial-of-service condition
  • a heap-based buffer overflow condition in the handling of PICT images that may allow an attacker to execute arbitrary code or cause a denial-of-service condition
  • a stack-based buffer overflow condition in the handling of Indeo video codec content that may allow an attacker to execute arbitrary code or cause a denial-of-service condition
  • an unspecified error in the handling of file: URLs that may allow an attacker to execute arbitrary files and applications
US-CERT encourages users to review Apple Article HT1991 and upgrade to QuickTime 7.5.