Forbidden Web

Jul 15, 2011 Oracle Releases Patch Update Pre-Release Announcement

Oracle has issued a critical patch update pre-release announcement indicating that its July release will contain 78 new vulnerability fixes. Release of the critical patch update is scheduled for Tuesday, July 19, 2011.

US-CERT will provide additional information as it becomes available.

Jul 14, 2011 VideoLAN Releases VLC Media Player Security Advisories

VideoLAN has released Security Advisory 1105 and Security Advisory 1106 for VLC Media Player 1.1.10 and older to address two vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to do the following to help mitigate the risks:

Jul 13, 2011 Mozilla Releases Firefox 5.0.1

The Mozilla Foundation has released Firefox 5.0.1 to address an issue with Mac OS X 10.7 and Java for Mac OS X 10.6 Update 5. These issues could cause Firefox to crash.

US-CERT encourages users and administrators to review the Mozilla Foundation Firefox 5.0.1 Release Notes and apply any necessary updates to help mitigate the risks.

Jul 07, 2011 Microsoft Releases Advance Notification for July Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that its July release will contain four bulletins. These bulletins will have the severity ratings of critical and important and will be for Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Microsoft Visio 2003. Release of these bulletins is scheduled for Tuesday, July 12, 2011.

US-CERT will provide additional information as it becomes available.

Jul 05, 2011 Internet Systems Consortium Releases BIND Patches

The Internet Systems Consortium has released updates for BIND to address multiple vulnerabilities. CVE-2011-2464 affects the following versions: 9.6.3; 9.6-ESV-R4 and later; 9.7.0 and later; 9.7.1 and later; 9.7.2 and later; 9.7.3 and later; 9.7.4b1; 9.8.0 and later; and 9.8.1b1. CVE-2011-2465 affects the following versions: 9.8.0 and later, and 9.8.1b1. Exploitation of these vulnerabilities may allow an attacker to cause a denial-of-service condition. Additional information regarding these vulnerabilities can be found in US-CERT Vulnerability Notes VU#142646 and VU#137968.

US-CERT encourages users and administrators to review CVE-2011-2464 and CVE-2011-2465 and apply the respective patches to help mitigate the risks. Since BIND is often packaged in larger third-party applications or operating system distributions, users and administrators should check with their software vendors for updated versions.

Jun 30, 2011 WordPress Releases Version 3.1.4

WordPress has released WordPress 3.1.4 to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to operate with elevated privileges.

US-CERT encourages users and administrators to review the WordPress Codex document for version 3.1.4 and apply any necessary updates to help mitigate the risks.

Jun 29, 2011 Apple Releases Java Updates for Mac OS X 10.5 and OS X 10.6

Apple has released Java for Mac OS X 10.5 Update 10 and Java for Mac OS X 10.6 Update 5 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review Apple articles HT4739 and HT4738 and apply any necessary updates to help mitigate the risks.

Jun 28, 2011 Google Releases Chrome 12.0.742.112

Google released Chrome 12.0.742.112 for Windows, Mac, Linux, and Chrome Frame to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code. This update also contains an updated version of Adobe Flash.

US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and apply any necessary updates to help mitigate the risks.

Jun 24, 2011 Apple Releases Security Updates to Address Multiple Vulnerabilities

Apple has released Mac OS X 10.6.8 and Security Update 2011-004 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, disclose sensitive information, or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Apple Support Article HT4723 and apply any necessary updates to help mitigate the risks.

Jun 22, 2011 Mozilla Releases Firefox 5 and 3.6.18

The Mozilla Foundation has released Firefox 5 and Firefox 3.6.18 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, violate the same origin policy, or perform a cross-site scripting attack.

US-CERT encourages users and administrators to review the Mozilla Foundation Security Advisories for Firefox 5 and Firefox 3.6.18 and apply any necessary updates to help mitigate the risks.