-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Cyber Security Alert SA06-354A
Mozilla Addresses Multiple Vulnerabilities
Original release date: December 20, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Mozilla Firefox
* Mozilla Thunderbird
* Mozilla SeaMonkey
* Netscape Browser
Other products based on Mozilla components may also be affected.
Overview
Mozilla Firefox, Thunderbird, and derived products contain
several vulnerabilities. By taking advantage of one or more of
these vulnerabilities, an attacker may be able to take control of
your computer.
Solution
Upgrade to the latest versions of Firefox, Thunderbird, and
SeaMonkey
Mozilla has released Firefox 1.5.0.9, Firefox 2.0.0.1,
Thunderbird 1.5.0.9 and SeaMonkey 1.0.7 to correct these
problems. Mozilla Firefox, Thunderbird, and SeaMonkey
automatically check for updates by default.
Security updates for Firefox 1.5 are scheduled to end in April
2007. According to Mozilla:
Firefox 1.5.0.x will be maintained with security and stability
updates until April 24, 2007. All users are strongly encouraged
to upgrade to Firefox 2.
Disable JavaScript and Java
These vulnerabilities can be mitigated by disabling JavaScript
and Java. For more information about configuring Firefox, please
see the "Securing Your Web Browser" document. Netscape users
should see the "Site Controls" document for details. Thunderbird
disables JavaScript and Java by default.
Description
Mozilla products, including the Firefox web browser and
Thunderbird email application, contain a number of
vulnerabilities. These vulnerabilities may allow an attacker to
access your computer, run programs that could cause your computer
to crash, or gain control of your computer. An attacker could
exploit these vulnerabilities by convincing you to visit a web
site or read an HTML formatted email message.
For more technical information, please see US-CERT Technical
Alert TA06-354A.
References
* US-CERT Technical Alert TA06-354A -
<http://www.us-cert.gov/cas/techalerts/TA06-354A.html>
* US-CERT Vulnerability Notes -
<http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_2006121
9>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/browser_secu
rity.html#Mozilla_Firefox>
* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/security/announce/>
* Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>
* Thunderbird - Reclaim your inbox -
<http://www.mozilla.com/thunderbird/>
* The SeaMonkey Project -
<http://www.mozilla.org/projects/seamonkey/>
* Mozilla Hall of Fame -
<http://www.mozilla.org/university/HOF.html>
* Site Controls -
<http://browser.netscape.com/ns8/help/options-site.jsp>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/alerts/SA06-354A.html>
____________________________________________________________________
Feedback can be directed to US-CERT. Please send email to
<cert@cert.org> with "SA06-354A Feedback VU#606260" in the subject.
____________________________________________________________________
Mailing list information:
<http://www.us-cert.gov/cas/>
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
December 20, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRYn5XOxOF3G+ig+rAQJMUQf+OGcGlComGK40XdWdRvEbWjVycYPOpIYA
9Ffd98ji7981t0zJcZh+Il9xO1uoowl587wNSrEPzi5uc0kt1kTGaRB4QZmtW3U6
59ZwLgA4rig7ZHoxWBYcQQ1kvGZ9mf+t4nz/0NsBVdo/bXwg52pCwbKHLrpsX/lk
P+bl9OAm+hhM4p3BvpkyHIlO2gn/82TU8j4563RMO9WwVqOS9mHjB7R3ZaoC954v
eVG+hUofdPUdxOgGp3YdX+ajBEkUx7OSva3YmKKD9VQstx4zN5kmfNnCNh0fJzG1
6rZi4TG61soorGMDPKf2N3PvsRkURUxgudk/XU/YoP+dw2qZXRChCQ==
=t7p2
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Cyber Security Alert SA06-346A
Vulnerabilities in Microsoft Products
Original release date: December 12, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Visual Studio
* Microsoft Outlook Express
* Microsoft Media Player
* Microsoft Internet Explorer
* Microsoft Office 2004 for Mac
* Microsoft Office v. X for Mac
Overview
Vulnerabilities in Microsoft Windows and Visual Studio could allow
an attacker to gain control of your computer.
Solution
Apply Update
Microsoft has provided updates to remedy these vulnerabilities. To
obtain these updates, visit the Microsoft Update web site. We also
recommend enabling Automatic Updates.
Description
Vulnerabilities in Microsoft Windows, Visual Studio, Outlook
Express, Media Player, Internet Explorer, Office 2004 for Mac, and
Microsoft Office v. X for Mac may allow an attacker to access your
computer, install and run malicious software on your computer, or
cause it to crash. An attacker could exploit these vulnerabilities
by using specially crafted network traffic, or by convincing you to
view a specially crafted web site or HTML email message.
For more technical information, see US-CERT Technical Alert
TA06-346A.
References
* Technical Alert TA06-346A -
<http://www.us-cert.gov/cas/techalerts/TA06-346A.html>
* Vulnerability Notes for Microsoft December 2006 updates -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms06-dec>
* Microsoft Security Essentials -
<http://www.microsoft.com/protect/>
* Microsoft security updates for December 2006 -
<http://www.microsoft.com/athome/security/update/bulletins/200612.mspx>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>
* Microsoft Automatic Updates -
<http://www.microsoft.com/athome/security/update/msupdate_keep_current.mspx#EZB>
* Microsoft Office 2004 for Mac 11.3.1 Update -
<http://www.microsoft.com/mac/downloads.aspx?pid=download&location=/mac/download/office2004/Office2004_11.3.1.xml>
* Microsoft Office v. X for Mac Security Update (2006-12-12) -
<http://www.microsoft.com/mac/downloads.aspx?pid=download&location=/mac/download/officex/OfficeX_12_12_2006.xml>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/alerts/SA06-346A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "SA06-346 Feedback VU#622008"
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History:
December 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRX8qhuxOF3G+ig+rAQKB1gf8D1pPK0c2mmZ40cXuC7BhusZ2I/9Y8miu
BR/Ef4XlcruI7jsqG4zZeXzesdWPm0NgLKVGe3Eet/vLuahK4P2UFVQDDI57gYkX
1ARRCxRVEloyC04gRmHcD4ZBm5yDx/Y6anNRHcpos8GtCCOfOIQptS3KtllWJFrl
+yinDQ9q2WRgTwK/GhvGkoMSXza8FAgfJJdCOngr0Xph44TGQVNYz73U+BaqayVC
Q+gaKmP3Y8zwhuhSwOJxsxBCdUyd2M6J8MSOQmRGcSzdffohIeTfXFTnZ0cmclHB
BZ5vd3jO+M5lCyF9px3FXSwy3A78AOc89ExCumEP0Q3mfJzSd7Us9Q==
=F04J
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Cyber Security Alert SA06-333A
Apple Releases Security Update to Address Multiple Vulnerabilities
Original release date: November 29, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Apple Mac OS X version 10.3.9 (Panther) and version 10.4.8 (Tiger)
* Safari web browser
These vulnerabilities affect both Intel-based and PowerPC-based Apple
systems.
Overview
Mac OS X, Safari, and other products are affected by multiple
vulnerabilities. Apple has released Security Update 2006-007 to
address these vulnerabilities, the most serious of which may allow
a remote attacker to place and run malicious programs on your
computer.
Solution
Install an Update
Install Apple Security Update 2006-007 through Apple Update.
Description
Mac OS X, Safari, and other products are affected by multiple
vulnerabilities. Some of these vulnerabilities could allow an
attacker to run malicious programs on your computer.
For more technical information, see US-CERT Technical Alert
TA06-333A.
References
* US-CERT Technical Cyber Security Alert TA06-333A -
<http://www.us-cert.gov/cas/techalerts/TA06-333A.html>
* About the security content of Security Update 2006-007 -
<http://docs.info.apple.com/article.html?artnum=304829>
* Vulnerability Notes for Apple Security Update 2006-007 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apple-2006-007>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#Safari>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/alerts/SA06-333A.html>
_________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "SA06-333A Feedback VU#191336" in the subject.
_________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
November 29, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRW3vUexOF3G+ig+rAQLH1ggAs+/as8bZmws1t7MQf7pZzV3tYi/ijNuQ
fOiY9tGziHtpCF89wEgRA+sqGdXpj16S7NoLgfGEp1wsX0NIf1LUF61Ghb2ddCI6
/U63UTYpYg9P3682ucp5Yf99t7AwYHaMWqJ1v46g/1b0C5cJFVx1RQ6+bv6tuDeE
OEFgKk2n+nbaFzt7YTnMIc4EOA9lZEC65XFyCM9ryUppmHb5Xcw+bTWJOBleHxZw
YatKMgH9kVeMj6Z8ZTyGFEsETfkCZsVT+fCL4iF+elJLauJ8G6lIEkO09Tm14ERg
KR/hqK/x4W2Yz7CdpG0Vpk1I8GIVbZybyWYX9blcV3dSks/zlXvOWg==
=nskZ
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Cyber Security Alert SA06-318A
Microsoft Security Updates for Windows, Internet Explorer, and Adobe Flash
Original release date: November 14, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
* Adobe Flash
Overview
Vulnerabilities in Microsoft Windows, Internet Explorer, and Adobe
Flash could allow an attacker to gain control of your computer.
Solution
Apply Update
Microsoft has provided updates to remedy these vulnerabilities. To
obtain these updates, visit the Microsoft Update web site. US-CERT
also recommends enabling Automatic Updates.
Description
Vulnerabilities in Microsoft Windows, Internet Explorer, and Adobe
Flash may allow an attacker to access your computer, install and
run malicious software on your computer, or cause it to crash. An
attacker could exploit these vulnerabilities by using specially
crafted network traffic, or by convincing you to view a specially
crafted web site or HTML email message.
For more technical information, see US-CERT Technical Alert
TA06-318A.
References
* US-CERT Technical Alert TA06-318A -
<http://www.us-cert.gov/cas/techalerts/TA06-318A.html>
* US-CERT Vulnerability Notes for Microsoft November 2006 updates -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms06-nov>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* Using Caution with Email Attachments -
<http://www.us-cert.gov/cas/tips/ST04-010.html>
* Microsoft Security Essentials -
<http://www.microsoft.com/protect/>
* Microsoft security updates for November 2006 -
<http://www.microsoft.com/athome/security/update/bulletins/200611.mspx>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>
* Microsoft Automatic Updates -
<http://www.microsoft.com/athome/security/update/msupdate_keep_current.mspx#EZB>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/alerts/SA06-318A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "SA06-318A Feedback VU#377369" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 14, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRVpLRexOF3G+ig+rAQI9eQgAq3rSxJ3pBlODPNOuGpl1Snyg7qOIzeDr
3KCQE02qgNyQtWa5xpwgyqx9wIp4nta0xJwnw2CLZYl577Sm5FdDboyOVT95zv3q
SSGABvDR2xEaUquoWFnJXwl+NZf/xGFZvNzh366AiwZGCTxaDG+gZxvQPF1xqWc7
DTz55aEXS4sSaTB7J7D28oWVq6qkLa390tf0o7J50Vs4DPUH+uKzZufc9tiF9+eq
Qut99IdrrKdqxh6XihOKvBAM0JuyCeWiCuydgsAOlYmJrQDxO2IKCKQck5kWELOg
pbGr7tymZhk9/lrNHkJa5yD2oYS+8uyrpEjOAmqu9PF53Ku9nYcPLA==
=5Fyx
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Cyber Security Alert SA06-312A
Mozilla Products Contain Multiple Vulnerabilities
Original release date: November 8, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Mozilla Firefox web browser
* Mozilla SeaMonkey web browser
* Mozilla Thunderbird email application
* Netscape web browser
Any products based on Mozilla components may also be affected.
Overview
The Mozilla web browser and derived products contain several
vulnerabilities. By taking advantage of one or more of these
vulnerabilities, an attacker may be able to take control of your
computer.
Solution
Upgrade to the latest versions of Firefox, Thunderbird, and SeaMonkey
Mozilla has released Firefox 1.5.0.8, Thunderbird 1.5.0.8 and
SeaMonkey 1.0.6 to correct these problems.
According to Mozilla:
Firefox 1.5.0.x will be maintained with security and stability
updates until April 24, 2007. All users are strongly encouraged to
upgrade to Firefox 2.
Netscape users should disable JavaScript as specified in the
Netscape Site Controls web page.
Description
Mozilla products, including the Firefox web browser and Thunderbird
email application, contain a number of vulnerabilities. These
vulnerabilities may allow an attacker to access your computer, run
programs that could cause your computer to crash, or gain control
of your computer.
For more technical information, see US-CERT Technical Alert
TA06-312A.
References
* US-CERT Vulnerability Notes Related to November Mozilla Security
Advisories -
<http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_1508>
* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/security/announce/>
* Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>
* Thunderbird - Reclaim your inbox -
<http://www.mozilla.com/thunderbird/>
* The SeaMonkey Project -
<http://www.mozilla.org/projects/seamonkey/>
* Site Controls -
<http://browser.netscape.com/ns8/help/options-site.jsp>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/alerts/SA06-312A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "SA06-312A Feedback VU#495288" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 8, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRVIrVOxOF3G+ig+rAQLpFggAl61WMMJMKIXacCvMnNFUmb1vfUIM5PRB
FqAMQpslP+fWICFaHv6XSPKvlCAdDvTF1sf/1rnuJOftCt5P6UQDvkVLAjNSDxQH
jTsQ02cft6ktewMjq6CuZzSjC5elGQL27DBgFoSt6LsBhQUQ3/HvzsUh7QdPfp/3
xwyeYJl1AI8TJVZ9XnpsWAyP2srDRQ3SJHWXf0haCeeV2gPTZUB2w03JR0d93Qdf
wO20GqAobJN4Mml9y8XNCAOTtdQzU5lGIO6AxidFWnVzqjQ11M1Dh46JrEz3OsjF
AAVBUcMPike0CWoLonXR+xFE8TPwmoE0mgQFQH807pox7fQsBudbWw==
=nwoo
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-291A
Oracle Updates for Multiple Vulnerabilities
Original release date: October 18, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Oracle10g Database
* Oracle9i Database
* Oracle8i Database
* Oracle Application Express (formerly known as Oracle HTML DB)
* Oracle Application Server 10g
* Oracle Collaboration Suite 10g
* Oracle9i Collaboration Suite
* Oracle E-Business Suite Release 11i
* Oracle E-Business Suite Release 11.0
* Oracle Pharmaceutical Applications
* Oracle PeopleSoft Enterprise Portal Solutions
* Oracle PeopleSoft Enterprise PeopleTools
* JD Edwards EnterpriseOne Tools
* JD Edwards OneWorld Tools
* Oracle Reports Developer client-only installations
* Oracle Containers for J2EE client-only installations
For more information regarding affected product versions, please see
the Oracle Critical Patch Update - October 2006.
Overview
Oracle has released patch to address numerous vulnerabilities in
different Oracle products. The impacts of these vulnerabilities
include remote execution of arbitrary code, information disclosure,
and denial of service.
I. Description
Oracle has released the Critical Patch Update - October 2006.
According to Oracle, this CPU contains:
* 22 new security fixes for the Oracle Database
* 6 new security fixes for Oracle HTTP Server
* 35 new security fixes for Oracle Application Express
* 14 new security fixes for the Oracle Application Server
* 13 new security fixes for the Oracle E-Business Suite
* 8 new security fixes for Oracle PeopleSoft Enterprise PeopleTools
and Enterprise Portal Solutions
* 1 new security fix for JD Edwards EnterpriseOne
* 1 new security fix for Oracle Pharmaceutical Applications
Many Oracle products include or share code with other vulnerable
Oracle products and components. Therefore, one vulnerability may
affect multiple Oracle products and components. For example, the
October 2006 CPU does not contain any fixes specifically for Oracle
Collaboration Suite. However, Oracle Collaboration Suite is affected
by vulnerabilities in Oracle Database and Oracle Application Server,
so sites running Oracle Collaboration suite should install fixes for
Oracle Database and Oracle Application Server. Refer to the October
2006 CPU for details regarding which vulnerabilities affect specific
Oracle products and components.
For a list of publicly known vulnerabilities addressed in the October
2006 CPU, refer to the Map of Public Vulnerability to Advisory/Alert.
The October 2006 CPU does not associate Vuln# identifiers (e.g., DB01)
with other available information, even in the Map of Public
Vulnerability to Advisory/Alert document. As more details about
vulnerabilities and remediation strategies become available, we will
update the individual vulnerability notes.
II. Impact
The impact of these vulnerabilities varies depending on the product,
component, and configuration of the system. Potential consequences
include remote execution of arbitrary code or commands, sensitive
information disclosure, and denial of service. Vulnerable components
may be available to unauthenticated, remote attackers. An attacker who
compromises an Oracle database may be able to gain access to sensitive
information or take complete control of the host system.
III. Solution
Apply patches from Oracle
Apply the appropriate patches or upgrade as specified in the Critical
Patch Update - October 2006. Note that this Critical Patch Update only
lists newly corrected vulnerabilities.
As noted in the update, some patches are cumulative, others are not:
The Oracle Database, Oracle Application Server, Oracle Enterprise
Manager Grid Control, Oracle Collaboration Suite, JD Edwards
EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise
Portal Applications and PeopleSoft Enterprise PeopleTools patches
in the Updates are cumulative; each Critical Patch Update contains
the fixes from the previous Critical Patch Updates.
Oracle E-Business Suite and Applications patches are not
cumulative, so E-Business Suite and Applications customers should
refer to previous Critical Patch Updates to identify previous fixes
they want to apply.
The October 2006 CPU lists 35 vulnerabilities affecting Oracle
Application Express. These vulnerabilities are addressed in Oracle
Application Express version 2.2.1. Oracle Application Express users
are encouraged to upgrade to version 2.2.1 as soon as possible.
Vulnerabilities described in the October 2006 CPU may affect Oracle
Database 10g Express Edition (XE). According to Oracle, Oracle
Database XE is based on the Oracle Database 10g Release 2 code.
Patches for some platforms and components were not available when the
Critical Patch Update was published on October 17, 2006. Please see
MetaLink Note 391563.1 (login required) for more information about
patch availability.
Known issues with Oracle patches are documented in the
pre-installation notes and patch readme files. Please consult these
documents and test before making changes to production systems.
IV. References
* US-CERT Vulnerability Notes Related to Critical Patch Update -
October 2006 -
<http://www.kb.cert.org/vuls/byid?searchview&query=oracle_cpu_oct_2006>
* Critical Patch Update - October 2006 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/public_vuln_to_advisory_mapping.html>
* Oracle Database Security Checklist (PDF) -
<http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf>
* Critical Patch Update Implementation Best Practices (PDF) -
<http://www.oracle.com/technology/deploy/security/pdf/cpu_whitepaper.pdf>
* Oracle Application Express 2.2 Downloads -
<http://www.oracle.com/technology/products/database/application_express/download.html>
* Oracle Metalink Note 391563.1 -
<http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=391563.1>
* Oracle Database 10g Express Edition -
<http://www.oracle.com/technology/products/database/xe/index.html>
* Analysis of the October 2006 Critical Patch Update for the Oracle
RDBMS -
<http://www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf>
* Details Oracle Critical Patch Update October 2006 -
<http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-291A.html>
_________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-291A Feedback VU#717140" in the subject.
_________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
October 18, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRTZ35exOF3G+ig+rAQLbQQf/SjzV86X/E2WLcr2Y986MlPvgVNE/yzz8
LEJERUtIcWkii3t1UW7+T1D9jVToAajndSRs3AhLJLcH5qrcqTDR8Q16wRnPX/lN
VX0SzxWoi2WqX6BgmCUuAQOeODgdb9eoGHZDBGXpIXJMnKhyVCkwvGL1Gk5vmoSZ
YxqYZCwwkQHa+XXU1/SsA/caTBGszlCDBcUbBrAQ7ecC9k8HOH80V/FGdYk2GUEy
D/cATXeXMaYFtX4VQKt7y8N4f478TkmP5bZPTJJQNHJOyLr6nUDnW1SqE7VrSaWr
qsFFf/+Lhro4qAwa8kxj4Yb3nsDS09sgnWIjnZsbrkTcDAH0y4SWxQ==
=HHF5
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-283A
Microsoft Updates for Vulnerabilities in Windows, Office, and Internet Explorer
Original release date: October 10, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Office
* Microsoft Internet Explorer
Overview
Microsoft has released updates that address critical vulnerabilities
in Microsoft Windows, Internet Explorer, and Microsoft Office.
Exploitation of these vulnerabilities could allow a remote,
unauthenticated attacker to execute arbitrary code or cause a denial
of service on a vulnerable system.
I. Description
Microsoft has released updates to address vulnerabilities in Microsoft
Windows, Internet Explorer, and Microsoft Office as part of the
Microsoft Security Bulletin Summary for October 2006. The summary
lists ten Microsoft Security Bulletins. Two of the Bulletins discuss
previously disclosed vulnerabilities that are actively being
exploited:
Microsoft Security Bulletin MS06-057 addresses a remote code
execution vulnerability in the WebFolderIcon ActiveX control. More
information is available in VU#753044.
Microsoft Security Bulletin MS06-058 addresses a remote code
execution vulnerability in Microsoft PowerPoint. More information
is available in VU#231204.
Further information on vulnerabilities addressed by the October 2006
Security Bulletins will be available in Vulnerability Notes.
Microsoft has announced the end of support for Windows XP Service Pack
1. According to Microsoft:
On October 10, 2006, Microsoft will end all public assisted support
for Windows XP Service Pack 1 (SP1). After this date, Microsoft
will no longer provide any incident support options or security
updates for this retired service pack under the policies defined by
the Microsoft Support Lifecycle policy.
We strongly encourage Windows XP users to upgrade to Windows XP
Service Pack 2 (SP2) as soon as possible.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code on a
vulnerable system. An attacker may also be able to cause a denial of
service.
III. Solution
Apply updates from Microsoft
Microsoft has provided updates for these vulnerabilities in the
October 2006 Security Bulletins. The Security Bulletins describe any
known issues related to the updates. Note any known issues described
in the Bulletins and test for any potentially adverse affects in your
environment.
Updates for Microsoft Windows and Microsoft Office XP and later are
available on the Microsoft Update site. Microsoft Office 2000 updates
are available on the Microsoft Office Update site.
System administrators may wish to consider using Windows Server Update
Services (WSUS).
References
* US-CERT Vulnerability Notes for Microsoft October 2006 updates -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms06-oct>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* Microsoft Security Bulletin Summary for October 2006 -
<http://www.microsoft.com/technet/security/bulletin/ms06-oct.mspx>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>
* Microsoft Office Update - <http://officeupdate.microsoft.com/>
* End of support for Windows 98, Windows Me, and Windows XP Service
Pack 1 -
<http://www.microsoft.com/windows/support/endofsupport.mspx#EHB>
* Windows Server Update Services -
<http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-283A.html>
_________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-283A Feedback VU#703936" in the subject.
_________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
October 10, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRSvzt+xOF3G+ig+rAQJmAggAkNBW57N0Ob9Mvelr+ByiV4PZUGkoibdl
6wB7wTYSD4C2YhlQGlbgaEk5H2ZahC6Q+s18BuEtPwuxOHqbws/ycaiAoeiH+J0m
xIXKpzC17pzcnk9qfPBmjNrsdFuzbcL1N47l2VAKLoVnlMj1IH+NHJMBVMbtLSrZ
OD7PxlmAoaALsnapRySgJJAb06oPwBSPdOEazIofWL48bz1JFLwOSHn4EtTbqD7K
8AGbWGix7RloRx6Q39Th3DdRPEy3xEM5q5dIAIKaF5s21HT5p5PPH+VYmZE6l9e3
RZ7FUIqZBucFFHW/XQFvEveoGjrX2Vng+qerUHy76uU37wzG49urXQ==
=8Gam
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-275A
Multiple Vulnerabilities in Apple and Adobe Products
Original release date: October 02, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Apple Mac OS X version 10.3.9 and earlier (Panther)
* Apple Mac OS X version 10.4.7 and earlier (Tiger)
* Apple Mac OS X Server version 10.3.9 and earlier
* Apple Mac OS X Server version 10.4.7 and earlier
* Safari web browser
* Adobe Flash Player 8.0.24 and earlier
These vulnerabilities affect both Intel-based and PowerPC-based Apple
systems.
Overview
Apple has released Security Update 2006-006 and Mac OS X 10.4.8 Update
to correct multiple vulnerabilities affecting Mac OS X, OS X Server,
Safari, Adobe Flash Player, and other products. The most serious of
these vulnerabilities may allow a remote attacker to execute arbitrary
code. Impacts of other vulnerabilities include bypass of security
restrictions and denial of service.
I. Description
Apple has released Security Update 2006-006 to address numerous
vulnerabilities affecting Mac OS X, OS X Server, Safari, Adobe Flash
Player, and other products.
Further details are available in the individual Vulnerability Notes
for Apple Security Update 2006-006.
Apple has also released Mac OS X 10.4.8 Update (Intel) for Intel-based
Apple systems. This update addresses the vulnerabilities described in
Apple Security Update 2006-006 for Intel-based Apple systems.
This security update also addresses previously known vulnerabilities
in Adobe Flash Player. More information on those vulnerabilities can
be found in Adobe Security Bulletin APSB06-11 and the Vulnerability
Notes for Adobe Security Bulletin APSB06-11.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes for Apple
Security Update 2006-006. Potential consequences include remote
execution of arbitrary code or commands, bypass of security
restrictions, and denial of service.
III. Solution
Install updates
Install Apple Security Update 2006-006. This and other updates are
available via Apple Update or via Apple Downloads.
Users with Intel-based Apple systems should upgrade to Mac OS X 10.4.8
Update (Intel) to receive the necessary security updates.
IV. References
* Vulnerability Notes for Apple Security Update 2006-006 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apple-2006-006>
* About the security content of the Mac OS X 10.4.8 Update and
Security Update 2006-006 -
<http://docs.info.apple.com/article.html?artnum=304460>
* Mac OS X 10.4.8 Update (Intel) -
<http://www.apple.com/support/downloads/macosx1048updateintel.html>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
* Apple Downloads - <http://www.apple.com/support/downloads/>
* Vulnerability Notes for Adobe Security Bulletin APSB06-11 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apsb06-11>
* Adobe Security Bulletin APSB06-11 -
<http://www.adobe.com/support/security/bulletins/apsb06-11.html>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#Safari>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-275A.html>
_________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-275A Feedback VU#546772" in the subject.
_________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
October 02, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRSFT/exOF3G+ig+rAQIF0gf+KI8EWp1iNaVOYe2YgcRRMF27K8VFz5Rn
Y81SRMZk4M1m9/4/7oJG7obEiGr4LqD/EjxT23ctuQ4KBKysokv7F+FrLwMHbRGY
my6x7mmLy+JEydQrMFk8u/2ZdVZjvxnhBUmH9nuwgjhqaJ0Ez1GAbmkmJ/TV5pbY
gOWOu5oe2zpkf3fpLRWY+XxctHukgl8SlN0ucyRSRPlWmO7rR8di/rujWMRRAlep
fEkTeq6Z5X4Ep6lwxoWX5z+a5oPz4tLHMIbjGZlV3FGa7ii6GTBWmQSN42yTW9tZ
ELoLtXeHgiSy27n7G6VMOIzKEu7V8mHt3L3ZFrF+O/Xx5KBb/b/xQg==
=nP7Y
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-270A
Microsoft Internet Explorer WebViewFolderIcon ActiveX Vulnerability
Original release date: September 27, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
Overview
The Microsoft Windows WebViewFolderIcon ActiveX control contains an
integer overflow vulnerability that could allow a remote attacker
to execute arbitrary code.
I. Description
The Microsoft Windows WebViewFolderIcon ActiveX control contains an
integer overflow vulnerability. An attacker could exploit this
vulnerability through Microsoft Internet Explorer (IE) or any other
application that hosts the WebViewFolderIcon control. More
information is available in Vulnerability Note VU#753044.
Exploit code for this vulnerability is publicly available.
II. Impact
By convincing a user to open a specially crafted HTML document,
such as a web page or HTML email message, a remote attacker could
execute arbitrary code with the privileges of the user who is
running the program that hosts the WebViewFolderIcon control.
III. Solution
Microsoft has not released an update for this
vulnerability. Consider the following workarounds and best
practices:
Disable the WebViewFolderIcon ActiveX control
To protect against this specific vulnerability, disable the
WebViewFolderIcon control by setting the kill bit for the
following CLSID:
{844F4806-E8A8-11d2-9652-00C04FC30871}
More information about how to set the kill bit is available in
Microsoft Support Document 240797.
Disable ActiveX
To protect against this and other ActiveX and COM
vulnerabilities, disable ActiveX in the Internet Zone and any
other zone that might be used by an attacker. Instructions for
disabling ActiveX in the Internet Zone can be found in the
"Securing Your Web Browser" document and the Malicious Web
Scripts FAQ.
Render email as plain text
To protect against this and other vulnerabilities that require a
victim to load a malicious HTML document, configure email clients
to render email as plain text.
Do not follow unsolicited links
To protect against this and other vulnerabilities that require a
victim to load a malicious HTML document, do not follow
unsolicited or untrusted links.
In order to convince users to visit their sites, attackers often
use URL encoding, IP address variations, long URLs, intentional
misspellings, and other techniques to create misleading links. Do
not click on unsolicited links received in email, instant
messages (IMs), web forums, or internet relay chat (IRC)
channels. Type URLs directly into the browser to avoid these
misleading links. While these are generally good security
practices, following these behaviors will not prevent
exploitation of this vulnerability in all cases, particularly if
a trusted site has been compromised or allows cross-site
scripting.
IV. References
* Vulnerability Note VU#753044 -
<http://www.kb.cert.org/vuls/id/753044>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* Malicious Web Scripts FAQ -
<http://www.cert.org/tech_tips/malicious_code_FAQ.html>
* CVE-2006-3730 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3730>
* Microsoft Support Document 240797 -
<http://support.microsoft.com/kb/240797>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-270A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-270A Feedback VU#753044" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
September 27, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRRr/eexOF3G+ig+rAQIhyAf/fQEq6CeRusvnGxVXAq3DlDtStv2bKOAX
aL7ynLjuyiMk6/oqOmzhuY9hu8zLaTXo2O3KhUpt+27KuxSEf+Kc1I9K2d19IP/P
vgNxQaqh2wzdW+iXv18c8sYU4SA+bTXdvpQp1oVmJ1oZiyBYrQjSGFxjZ4PJXD5k
02YUoQNk6tWWDvA4Fe3bDhx3J8NqTcht/+mcJkAzL0TmE7bYDE+cNkqLLbQ7BTa6
M8RkH/DMkOM9mSoFIFAszSbTcMJJmH0yM3948+rrL0Wr/rAC4h9pCKMWA8w4k0bp
enXfYh2B1utRJs/AZSz83wRGO/DdD5x4xQ0OWsMYDAzGudYr6MycfQ==
=2nCt
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-262A
Microsoft Internet Explorer VML Buffer Overflow
Original release date: September 19, 2006
Last revised: September 26, 2006
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
Overview
Microsoft Internet Explorer (IE) fails to properly handle Vector
Markup Language (VML) tags. This creates a buffer overflow
vulnerability that could allow a remote attacker to execute arbitrary
code.
I. Description
Microsoft Internet Explorer contains a stack buffer overflow in code
that handles VML. More information is available in Vulnerability Note
VU#416092, Microsoft Security Advisory (925568), and Microsoft
Security Bulletin MS06-055.
Note that this vulnerability is being exploited.
II. Impact
By convincing a user to open a specially crafted HTML document, such
as a web page or HTML email message, a remote attacker could execute
arbitrary code with the privileges of the user running IE.
III. Solution
Apply update from Microsoft
Microsoft has provided an update to correct this vulnerability in
Microsoft Security Bulletin MS06-055.
This update is available on the Microsoft Update site.
System administrators may wish to consider using Windows Server Update
Services (WSUS).
Disable VML support
Microsoft Security Advisory (925568) suggests the following techniques
to disable VML support:
* Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP
Service Pack 2; Windows Server 2003 and Windows Server 2003
Service Pack 1
* Modify the Access Control List on Vgx.dll to be more restrictive
* Configure Internet Explorer 6 for Microsoft Windows XP Service
Pack 2 to disable Binary and Script Behaviors in the Internet and
Local Intranet security zone
Disabling VML support may cause web sites and applications that use
VML to function improperly.
Render email as plain text
Microsoft Security Advisory (925568) suggests configuring Microsoft
Outlook and Outlook Express to render email messages in plain text
format.
Do not follow unsolicited links
In order to convince users to visit their sites, attackers often use
URL encoding, IP address variations, long URLs, intentional
misspellings, and other techniques to create misleading links. Do not
click on unsolicited links received in email, instant messages, web
forums, or internet relay chat (IRC) channels. Type URLs directly into
the browser to avoid these misleading links. While these are generally
good security practices, following these behaviors will not prevent
exploitation of this vulnerability in all cases, particularly if a
trusted site has been compromised or allows cross-site scripting.
IV. References
* Vulnerability Note VU#416092 -
<http://www.kb.cert.org/vuls/id/416092>
* Microsoft Security Bulletin MS06-055-
<http://www.microsoft.com/technet/security/bulletin/ms06-055.mspx>
* Microsoft Security Advisory (925568) -
<http://www.microsoft.com/technet/security/advisory/925568.mspx>
* Securing Your Web Browser-
<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>
* CVE-2006-3866 -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3866>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-262A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-262A Feedback VU#416092" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
September 19, 2006: Initial release
September 21, 2006: Fixed misspelling and removed IE-specific language from Solution section
September 26, 2006: Added update information and added a reference to Microsoft Update
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRRmv0exOF3G+ig+rAQIdWggAq2T6Bj+3EWc2nlkr4bibfzZ1E9n+rluo
+76A1YO0EbV0NjRkj4u12nofUu0XfaGAo/V3R00SjfEYH3OWMky6zyf+PCq7v3NQ
tOUCtwo0gzxRZDeTsiOqmMdY57kbfdeJ+lFYF5Tr07IEMB/gmZjkEqiNPLhyJC5w
zHc51Jo1Favq3XHw5W0x5wd41jTNjt2BkFz44daNIR244HtraMsgK9tiaod8krnF
E8V74cBnTV7Rhhxw+icNANp7CdluriKmh/lemTHU+vKASzpL8QRM18a/Y2zqKL7A
p3Jzns5WzWkYDYkCOrwLFbQGWPlUEMHIR+eOmWdgCyKpEG0OW7H0Qg==
=xk4s
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-262A
Microsoft Internet Explorer VML Buffer Overflow
Original release date: September 19, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
Overview
Microsoft Internet Explorer (IE) fails to properly handle Vector
Markup Language (VML) tags. This creates a buffer overflow
vulnerability that could allow a remote attacker to execute
arbitrary code.
I. Description
Microsoft Internet Explorer contains a stack buffer overflow in
code that handles VML. More information is available in
Vulnerability Note VU#416092 and Microsoft Security Advisory
(925568).
Note that this vulnerability is being exploited.
II. Impact
By convincing a user to open a specially crafted HTML document,
such as a web page or HTML email message, a remote attacker could
execute arbitrary code with the privileges of the user running IE.
III. Solution
We are currently unaware of a complete solution to this
problem. Until an update is available, consider the following
workarounds.
Disable VML support in IE
Microsoft Security Advisory (925568) suggests the following
techinques to disable VML support in IE:
* Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP
Service Pack 2; Windows Server 2003 and Windows Server 2003
Service Pack 1
* Modify the Access Control List on Vgx.dll to be more restrictive
* Configure Internet Explorer 6 for Microsoft Windows XP Service
Pack 2 to disable Binary and Script Behaviors in the Internet
and Local Intranet security zone
Disabling VML support may cause web sites that use VML to function
improperly.
Render email as plain text
Microsoft Security Advisory (925568) suggests configuring Microsoft
Outlook and Outlook Express to render email messages in plain text
format.
Do not follow unsolicited links
In order to convince users to visit their sites, attackers often
use URL encoding, IP address variations, long URLs, intentional
misspellings, and other techniques to create misleading links. Do
not click on unsolicited links received in email, instant messages,
web forums, or internet relay chat (IRC) channels. Type URLs
directly into the browser to avoid these misleading links. While
these are generally good security practices, following these
behaviors will not prevent exploitation of this vulnerability in
all cases, particularly if a trusted site has been compromised or
allows cross-site scripting.
IV. References
* Vulnerability Note VU#416092 -
<http://www.kb.cert.org/vuls/id/416092>
* Securing Your Web Browser-
<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Ex
plorer>
* Microsoft Security Advisory (925568) -
<http://www.microsoft.com/technet/security/advisory/925568.mspx>
* CVE-2006-3866 -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3866>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-262A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-262A Feedback VU#416092" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Sep 19, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRRBphexOF3G+ig+rAQKjKwf/SqhuYNpSDw7n677sSaIPQArefSWbVZOy
oTDVz6Xg9bJ5mMiueAQY+OYDn/kHo3WepBdRjx+Cj36Js+9l2lTF+MO5S3k4AFWW
vG8RHLAvpaxCGWAupy8HjMW3MG+1unioJZYd8Xu916RUjgyVq36V0uSsAhaaBv2h
oRA7fft30VtTlOQ0TQFd+cJSH7uyfXA31e3tVTzDpclXvskm8Rb5h/KFP56i52ld
Uz/SSXPIIoFM0GTMknOSPh32Itp+MJj7ZDKQ2E2GR1GurUC33MObOUeRINrLndfX
9I2bbDcTw5vVnWFWqm45KRZTEvbBXNOXhAtgZmYje2NF4IxxvMiGhw==
=I3e8
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Cyber Security Alert SA06-258A
Microsoft Internet Explorer ActiveX Vulnerability
Original release date: September 15, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Internet Explorer
Overview
A vulnerability in ActiveX and Internet Explorer could allow an
attacker to take control of your computer.
Solution
Microsoft has not yet released an update to address this
vulnerability. From Microsoft Security Advisory (925444):
We are currently investigating the issue to determine the
appropriate course of action for customers. We will include the
fix for this issue in an upcoming security bulletin.
Until an update is available, consider the following best
practices.
Disable ActiveX
Disabling ActiveX will prevent exploitation of this and other
ActiveX vulnerabilities. Instructions for disabling ActiveX in
the Internet Zone can be found in "Securing Your Web Browser" and
"4 steps to help ward off hackers and attackers."
Do not follow unsolicited links
Do not click on unsolicited URLs, including those received in
email, instant messages, web forums, or internet relay chat (IRC)
channels.
Description
An attacker could exploit a vulnerability in an ActiveX control
by convincing a user to visit a web site with Internet
Explorer. The attacker could then take any action as the user,
including installing malicious software and accessing sensitive
personal information.
For more technical information, see Vulnerability Note VU#377369.
References
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* Vulnerability Note VU#377369 -
<http://www.kb.cert.org/vuls/id/377369>
* Vulnerability Note VU#377369 -
<http://www.kb.cert.org/vuls/id/377369>
* Microsoft Security Advisory (925444) -
<http://www.microsoft.com/technet/security/advisory/925444.mspx>
* 4 steps to help ward off hackers and attackers -
<http://www.microsoft.com/athome/security/online/browsing_safety.mspx>
* Microsoft Security Essentials -
<http://www.microsoft.com/protect/>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/alerts/SA06-258A.html>
____________________________________________________________________
Feedback can be directed to US-CERT. Please send email to
<cert@cert.org> with "SA06-258A Feedback VU#377369" in the subject.
____________________________________________________________________
Mailing list information:
<http://www.us-cert.gov/cas/>
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
September 15, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRQsBh+xOF3G+ig+rAQIgYgf+Jn4spjxVeJVhQ+sRE/nCWG3uHc2WvZ2D
fUc9yu5kvqS4rtzILznyCDl3NbB7K5ge5ye4tB4vfEfAafg7KukGHSsheZxQDJ5j
oXB+7tHke7ci28eKl4wmYHl0DwBLApgEAZ+iTXacTnL0jXvYM4M7gO794eW6JE16
LTD2PeMtThuEMg8UkKXWQ2J6zHVWnPfe9m4s3hCxC3nmhBuGDctY3lhoRuUGhz8M
XjEz7ccmAGJCGPO833c1aeoEQSj6IlOqqmw8iObtAjhm5lQyKz3kTi9rCtE5WcKS
x9VKxKqSHguy7LX8i9GZto1dJlnVus7PnfA86tCWjFMb9CHCRaP6nw==
=jyB0
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Cyber Security Alert SA06-256A
Apple QuickTime Vulnerabilities
Original release date: September 13, 2006
Last revised: --
Source: US-CERT
Systems Affected
Apple QuickTime for
* Apple Mac OS X
* Microsoft Windows
Overview
Apple has released Apple QuickTime 7.1.3 to correct several
vulnerabilities. These vulnerabilities could allow an attacker to
gain access to your computer.
Solution
Install an Update
OS X users should use the Mac OS X Software Update feature to
download and install Apple QuickTime 7.1.3. Consider scheduling
Software Update to check for updates automatically (this option
is enabled by default).
Microsoft Windows users should upgrade to Apple QuickTime 7.1.3.
Description
QuickTime prior to version 7.1.3 has multiple image and media
file handling vulnerabilities that could allow an attacker to run
malicious programs on your computer. This could happen by
visiting a malicious web site. Upgrading to Apple QuickTime
version 7.1.3 will correct these vulnerabilities.
Note that QuickTime is included with Apple iTunes.
For more technical information, see US-CERT Technical Alert
TA06-256A and the Apple QuickTime Security Update.
References
* US-CERT Technical Alert TA06-256A -
<http://www.us-cert.gov/cas/techalerts/TA06-256A.html>
* Vulnerability Notes for QuickTime 7.1.3 -
<http://www.kb.cert.org/vuls/byid?searchview&query=QuickTime_713>
* About the security content of the QuickTime 7.1.3 Update -
<http://docs.info.apple.com/article.html?artnum=304357>
* Apple QuickTime 7.1.3 -
<http://www.apple.com/support/downloads/quicktime713.html>
* Standalone Apple QuickTime Player -
<http://www.apple.com/quicktime/download/standalone.html>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/alerts/SA06-256A.html>
____________________________________________________________________
Feedback can be directed to US-CERT. Please send email to
<cert@cert.org> with "SA06-256A Feedback VU#540348" in the subject.
____________________________________________________________________
Mailing list information:
<http://www.us-cert.gov/cas/>
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
September 13, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRQg44OxOF3G+ig+rAQI+/wf/QdAxWPQpX5oT8CpmhreCBgQDhYGGgSmD
bTSZ0tGKaAgW1Q61Ei0tHkFF3Nb/70YvXu7fmGwHtdwrwEm5eOAe/F485n6Kwvnn
dkGLripZuMvd/vFQUvmOBZmJxhuW1IpdQn8KxXfDqtz3fsLkA68xX3sFkACq9wYc
Ihp8efBZtARYOLavhMJbzwTL+9Z0v4sCVZFvH6D5/TNVY25JHex1S+WIQbMv148w
AcfNt1dSzABCHt9KjcxgREb9Mc7lp+CGIgkP1thl/QUflLhOPgeZhXJUAsgxroNO
rNxDejSrjSeAQeGX4LR/UbyioKwg1V9mWCAK7/vPhqLMNOegVHuMmQ==
=wGC3
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Cyber Security Alert SA06-255A
Microsoft Windows and Publisher Vulnerabilities
Original release date: September 12, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Publisher
Overview
Vulnerabilities in Microsoft Windows and Microsoft Publisher
could allow an attacker to gain control of your computer.
Solution
Apply Update
Microsoft has provided updates to remedy these
vulnerabilities. To obtain these updates, visit the Microsoft
Update web site. US-CERT also recommends enabling Automatic
Updates.
Microsoft Office Publisher 2000 users must visit the Microsoft
Office Update web site to get the appropriate updates.
Do not open untrusted documents
Do not open unfamiliar or unexpected Publisher or other Office
documents, including those received as email attachments or
hosted on a web site. For more information, please see Using
Caution with Email Attachments.
Description
Vulnerabilities in Microsoft Windows and Microsoft Office
Publisher may allow an attacker to access your computer, install
and run malicious software on your computer, or cause it to
crash. An attacker could exploit these vulnerabilities by using
specially crafted network traffic, by convincing you to click on
a specially crafted URL, or by convincing you to open a specially
crafted Publisher document. A Publisher document could be
attached to an email message, hosted on a web site, or included
in another Office document.
For more technical information, see US-CERT Technical Alert
TA06-255A.
References
* US-CERT Technical Alert TA06-255A -
<http://www.us-cert.gov/cas/techalerts/TA06-255A.html>
* Using Caution with Email Attachments -
<http://www.us-cert.gov/cas/tips/ST04-010.html>
* Microsoft Security Essentials -
<http://www.microsoft.com/protect/>
* Microsoft security updates for September 2006 -
<http://www.microsoft.com/athome/security/update/bulletins/200609.
mspx>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/alerts/SA06-255A.html>
____________________________________________________________________
Feedback can be directed to US-CERT. Please send email to
<cert@cert.org> with "SA06-255A Feedback VU#406236" in the subject.
____________________________________________________________________
Mailing list information:
<http://www.us-cert.gov/cas/>
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
September 12, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRQcQH+xOF3G+ig+rAQLPlwf/ZG8zbut9fTHTfPFCtKGGhd8V91RVMO7q
tTMHwr0RgIsIQh5eeJJZA3kbwYuiqKOOEpzvjskJb+djQeRk9iwNm5xjg6zXQG4w
wExoo954gZPdsGM5gp/vin0H//Ug1CNYqrCOWzV2yOm2QKqTlU3yeu1bVaLhO552
sjrUUPxNyzTP3rRLwTSxd6jMtHYm5ahwxVVX/N6QBfqT6/ZGpY1C2aWovSlkMgBM
/zzcn1c/S2nY/cfJI59VSKBu3xWsCUY5Nhzhodivzro316832sRy8MbDUygJqA4r
KROZcMM8/ef4C+hpFLrxuPZJk7fSGYkpn/WBWWc6tDK3HiMApdq38g==
=xVmG
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Cyber Security Alert SA06-250A
Microsoft Word Vulnerability
Original release date: September 7, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Word 2000
Other versions of Word and other Microsoft Office programs may also
be affected.
Overview
A vulnerability in Microsoft Word 2000 could allow an attacker to
gain control of your computer.
Solution
Do not open untrusted documents
Microsoft has not yet released an update to address this
vulnerability. Do not open unfamiliar or unexpected Word or other
Office documents, including those received as email attachments
or hosted on a web site. For more information, please see Using
Caution with Email Attachments.
Description
An attacker could exploit a vulnerability in Microsoft Word 2000
by convincing a user to open a specially crafted Word document. A
Word document could be attached to an email message, hosted on a
web site, or included in another Office document. This
vulnerability may affect other versions of Word and other
Microsoft Office programs.
For more technical information, see Vulnerability Note VU#806548
and Microsoft Security Advisory (925059).
References
* Vulnerability Note VU#806548 -
<http://www.kb.cert.org/vuls/id/806548>
* Using Caution with Email Attachments -
<http://www.us-cert.gov/cas/tips/ST04-010.html>
* Microsoft Security Advisory (925059) -
<http://www.microsoft.com/technet/security/advisory/925059.mspx>
* Microsoft Security Essentials -
<http://www.microsoft.com/protect/>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/alerts/SA06-250A.html>
____________________________________________________________________
Feedback can be directed to US-CERT. Please send email to
<cert@cert.org> with "SA06-250A Feedback VU#806548" in the subject.
____________________________________________________________________
Mailing list information:
<http://www.us-cert.gov/cas/>
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
September 7, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRQB6aexOF3G+ig+rAQL9oAgAvr37d9b0JgIzS2g0ZObcdR4a2pVPS7OG
MOOELtIDTIu3fgxEBZE7V6ouK56uWFDFddw9cnkQ0U6CRWClltLwa8z1i9682l+K
fUSPhfGmD3rTxUwlO4ekJuPbsQIRgbQGo4WYhJ7li1CrJAfCUciK7LYFbSPY4mWJ
Pjprrtno1k57o0mIxiDtU88qcx9Wk7wTirI920fT3JNoaqidV+4+BDYoQh1LSajc
HYdaOEbCYflsw8md7Xxe6RCITnWmAkB00Y9EVinlBWlOGNAohEoId//SQefzlpg1
posJ38Us0Jb2Y73228gKHyz3o+UN+PHRZAYYz5YR6kZJbd5McMCNuw==
=VZwi
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-220A
Microsoft Windows, Office, and Internet Explorer Vulnerabilities
Original release date: August 08, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Office (Windows and Mac)
* Microsoft Internet Explorer
Overview
Microsoft has released updates that address critical
vulnerabilities in Microsoft Windows, Office, and Internet
Explorer. Exploitation of these vulnerabilities could allow a
remote, unauthenticated attacker to execute arbitrary code or cause
a denial of service on a vulnerable system.
Note that one of the updates released today addresses a critical
vulnerability in the Microsoft Server Service (MS06-040). We have
received reports that this vulnerability is actively being
exploited.
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-220A.html>
I. Description
Microsoft Security Bulletin Summary for August 2006 addresses
vulnerabilities in Microsoft products including Windows, Office,
and Internet Explorer.
One of the updates released today addresses a critical
vulnerability in the Microsoft Server Service (MS06-040). More
details are available in Vulnerability Note VU#650769.
Note that we have received reports that VU#650769 is actively being
exploited.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code on
a vulnerable system. An attacker may also be able to cause a denial
of service.
III. Solution
Apply updates from Microsoft
Microsoft has provided updates for these vulnerabilities in the
Security Bulletins released on August 8, 2006.
When prioritizing, it is strongly encouraged that the update for
VU#650769 be applied first.
Updates for Microsoft Windows and Microsoft Office XP and later are
available on the Microsoft Update site. Microsoft Office 2000 updates
are available on the Microsoft Office Update site. Apple Mac OS X
users should obtain updates from the Mactopia web site.
System administrators may wish to consider using Windows Server Update
Services (WSUS).
Appendix B. References
* Microsoft Security Bulletin Summary for August 2006 -
<http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx>
* US-CERT Vulnerability Note VU#650769 -
<http://www.kb.cert.org/vuls/id/650769>
* US-CERT Vulnerability Notes -
<http://www.kb.cert.org/vuls/byid?searchview&query=ms06-aug>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>
* Microsoft Office Update - <http://officeupdate.microsoft.com/>
* Mactopia - <http://www.microsoft.com/mac>
* Windows Server Update Services -
<http://www.microsoft.com/windowsserversystem/updateservices/defau
lt.mspx>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-220A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-220A Feedback VU#650769" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Aug 8, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRNj76+xOF3G+ig+rAQK5wwf/Z1yrHq03IODWL747llDlE6qz4vyg9cYa
DZdlRuc7q7kho0fw2lOFXJluuo6V65+n4cWo4ySS5dr+YJLXkr6g8XY/4tR/l/s4
+NJgXN8u8Gd9c3xNSLtpHaPC7ZaIPe092cIuuDV7xV4ktpi3FiAmJ2nAfCEvvaht
djnVQ/OHI7Vh1eFHarcqP0p56FKeTph3qGzaP8nNQexArgyoO6wda6oBt+uuJe3k
3rFr6+JkJ+sqgm5v3pnNqboHXkXyywx8jLZK14KMl7pxIVyXMEgpUg4no5PlyQck
Ny5N4bXzu4y7RvAS17BLrthFTa0PgBkalRJ8y68uxLvYK3ahKXFfiQ==
=h9ZT
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-214A
Apple Mac Products Affected by Multiple Vulnerabilities
Original release date: August 02, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Apple Mac OS X version 10.3.9 and earlier (Panther)
* Apple Mac OS X version 10.4.7 and earlier (Tiger)
* Apple Mac OS X Server version 10.3.9 and earlier
* Apple Mac OS X Server version 10.4.7 and earlier
* Apple Safari web browser
* Apple Mail
Overview
Apple has released Security Update 2006-004 to correct multiple
vulnerabilities affecting Mac OS X, Mac OS X Server, Safari web
browser, Mail, and other products. The most serious of these
vulnerabilities may allow a remote attacker to execute arbitrary code.
Impacts of other vulnerabilities include bypass of security
restrictions and denial of service.
I. Description
Apple Security Update 2006-004 resolves a number of vulnerabilities
affecting Mac OS X, OS X Server, Safari web browser, Mail, and other
products. Further details are available in the individual
Vulnerability Notes.
This security update addresses vulnerabilities in a range of different
components, including the handling of a number of different image file
formats, ZIP archive files, and HTML web pages, among others.
II. Impact
The impacts of these vulnerabilities vary. For information about
specific impacts, please see the Vulnerability Notes. Potential
consequences include remote execution of arbitrary code or commands,
bypass of security restrictions, and denial of service.
III. Solution
Install an update
Install Apple Security Update 2006-004. This and other updates are
available via Apple Update.
Workaround
Disable "Open 'safe' files after downloading"
For additional protection, disable the Safari web browser option to
"Open 'safe' files after downloading," as specified in "Securing Your
Web Browser."
Note that this workaround will not mitigate all of the vulnerabilities
described in the Apple Security Update, only those which are
exacerbated by the default behavior of the Safari web browser.
Appendix A. References
* Vulnerability Notes for Apple Security Update 2006-004 -
<http://www.kb.cert.org/vuls/byid?searchview&query=apple-2006-004>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/#Safari>
* Apple Security Update 2006-004 -
<http://docs.info.apple.com/article.html?artnum=304063>
* Mac OS X: Updating your software -
<http://docs.info.apple.com/article.html?artnum=106704>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-214A.html>
_________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-214A Feedback VU#566132" in the
subject.
_________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
August 02, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRNEIu+xOF3G+ig+rAQKbvwf+N6TRnpwqcmrlUfA7k1yuRCLCf3yo854x
JVy2Uq7Zs5WEqWK1qusPl3thyUS5JYCZzzPQI6pKq5zOOzyu5dqmHLFzstoZAhaz
pMTVX4PmMalFEFQV0o4pOi1/pGgu+2PXN8qo2LjSsFwr6xP9FfBQTI8Jov33cLsb
WjQyfxj/J8+nMQnCUlL84p7CuK4TdPRwuMVNMGYb8b9pB3SQ1XJ0EFt4UvO8VNqp
J32UCJw+LwSKpcBzjQRpw3ZBUpmFgOkZzLux/SiP8+1cyjmbWxxGjW21EfNExOXS
C2UpM+CQmoPMLAhTTPbKWs18qSdwcmeRLTeOW4Ao3oUj0QRD5QCFpA==
=RByX
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-208A
Mozilla Products Contain Multiple Vulnerabilities
Original release date: July 27, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Mozilla SeaMonkey
* Mozilla Firefox
* Mozilla Thunderbird
Any products based on Mozilla components, specifically Gecko, may also
be affected.
Overview
The Mozilla web browser and derived products contain several
vulnerabilities, the most serious of which could allow a remote
attacker to execute arbitrary code on an affected system.
I. Description
Several vulnerabilities have been reported in the Mozilla web browser
and derived products. More detailed information is available in the
individual vulnerability notes, including the following:
VU#476724 - Mozilla products fail to properly handle frame references
Mozilla products fail to properly handle frame or window references.
This may allow a remote attacker to execute arbitrary code on a
vulnerable system.
(CVE-2006-3801)
VU#670060 - Mozilla fails to properly release JavaScript references
Mozilla products fail to properly release memory. This vulnerability
may allow a remote attacker to execute code on a vulnerable system.
(CVE-2006-3677)
VU#239124 - Mozilla fails to properly handle simultaneous XPCOM events
Mozilla products are vulnerable to memory corruption via simultaneous
XPCOM events. This may allow a remote attacker to execute arbitrary
code on a vulnerable system.
(CVE-2006-3113)
VU#265964 - Mozilla products contain a race condition
Mozilla products contain a race condition. This vulnerability may
allow a remote attacker to execute code on a vulnerable system.
(CVE-2006-3803)
VU#897540 - Mozilla products VCard attachment buffer overflow
Mozilla products fail to properly handle malformed VCard attachments,
allowing a buffer overflow to occur. This vulnerability may allow a
remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3804)
VU#876420 - Mozilla fails to properly handle garbage collection
The Mozilla JavaScript engine fails to properly perform garbage
collection, which may allow a remote attacker to execute arbitrary
code on a vulnerable system.
(CVE-2006-3805)
VU#655892 - Mozilla JavaScript engine contains multiple integer
overflows
The Mozilla JavaScript engine contains multiple integer overflows.
This vulnerability may allow a remote attacker to execute arbitrary
code on a vulnerable system.
(CVE-2006-3806)
VU#687396 - Mozilla products fail to properly validate JavaScript
constructors
Mozilla products fail to properly validate references returned by
JavaScript constructors. This vulnerability may allow a remote
attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3807)
VU#527676 - Mozilla contains multiple memory corruption
vulnerabilities
Mozilla products contain multiple vulnerabilities that can cause
memory corruption. This may allow a remote attacker to execute
arbitrary code on a vulnerable system.
(CVE-2006-3811)
II. Impact
A remote, unauthenticated attacker could execute arbitrary code on a
vulnerable system. An attacker may also be able to cause the
vulnerable application to crash.
III. Solution
Upgrade
Upgrade to Mozilla Firefox 1.5.0.5, Mozilla Thunderbird 1.5.0.5, or
SeaMonkey 1.0.3.
Disable JavaScript and Java
These vulnerabilities can be mitigated by disabling JavaScript and
Java in all affected products. Instructions for disabling Java in
Firefox can be found in the "Securing Your Web Browser" document.
Appendix A. References
* US-CERT Vulnerability Notes Related to July Mozilla Security
Advisories -
<http://www.kb.cert.org/vuls/byid?searchview&query=firefox_1505>
* CVE-2006-3081 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801>
* CVE-2006-3677 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677>
* CVE-2006-3113 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113>
* CVE-2006-3803 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803>
* CVE-2006-3804 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804>
* CVE-2006-3805 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805>
* CVE-2006-3806 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806>
* CVE-2006-3807 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807>
* CVE-2006-3811 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811>
* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/security/announce/>
* Known Vulnerabilities in Mozilla Products -
<http://www.mozilla.org/projects/security/known-vulnerabilities.html>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-208A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-208A Feedback VU#239124" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
Jul 27, 2006: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRMkgNexOF3G+ig+rAQIFsAgAoWoMkxxhkzb+xgLVCJF7h4k4EBCgJGWa
BSOiFfL4Gs4vv4lNooDRCIOdxiBfXYL71XsIOT4aWry5852/6kyYnyAiXXYj1Uv0
SbPY2sQSZ5EaG+G9i8HDIy3fpJN4XgH3ng1uzUnJihY19IfndbXicpZE+debIUri
qt9NRD2f5FW5feKo1cBpYxtmxQAEePOa2dJHh7I7cnFGtG3MixHx4kVEyuYUutCX
5tHDsfTIdySNkIdCQ4vhk846bErB/kaHiKMQDfMglllb3GOSc07OQ0CDo2eTPVsA
9DtKkiDP1C4dh1mxco8CWlS6327+EB0KXGGoqDF2+j/rrpsW0oc8nA==
=HwuK
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-200A
Oracle Products Contain Multiple Vulnerabilities
Original release date: July 19, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Oracle10g Database
* Oracle9i Database
* Oracle8i Database
* Oracle Enterprise Manager 10g Grid Control
* Oracle Application Server 10g
* Oracle Collaboration Suite 10g
* Oracle9i Collaboration Suite
* Oracle E-Business Suite Release 11i
* Oracle E-Business Suite Release 11.0
* Oracle Pharmaceutical Applications
* JD Edwards EnterpriseOne, OneWorld Tools
* Oracle PeopleSoft Enterprise Portal Solutions
For more information regarding affected product versions, please see
the Oracle Critical Patch Update - July 2006.
Overview
Oracle products and components are affected by multiple
vulnerabilities. The impacts of these vulnerabilities include remote
execution of arbitrary code, information disclosure, and denial of
service.
I. Description
Oracle has released Critical Patch Update - July 2006. This update
addresses numerous vulnerabilities in different Oracle products and
components.
The Critical Patch Update provides information about affected
components, access and authorization required, and the impact of the
vulnerabilities on data confidentiality, integrity, and availability.
MetaLink customers should refer to MetaLink Note 293956.1 (login
required) for more information on terms used in the Critical Patch
Update.
According to Oracle, four of the vulnerabilities corrected in the
Oracle Critical Patch Update - July 2006 affect Oracle Database
client-only installations.
We believe that the Oracle Database vulnerability identified as Oracle
Vuln# DB06 in the Oracle Critical Patch Update corresponds to US-CERT
Vulnerability Note VU#932124, which includes further details as well
as workarounds. In most cases, Oracle does not associate Vuln#
identifiers (e.g., DB01) with other available information. As more
details about vulnerabilities and remediation strategies become
available, we will update the individual
vulnerability notes.
II. Impact
The impact of these vulnerabilities varies depending on the product,
component, and configuration of the system. Potential consequences
include the execution of arbitrary code or commands, information
disclosure, and denial of service. Vulnerable components may be
available to unauthenticated, remote attackers. An attacker who
compromises an Oracle database may be able to gain access to sensitive
information.
III. Solution
Apply a patch from Oracle
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update - April 2006. Note that this Critical Patch
Update only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
As noted in the update, some patches are cumulative, others are not:
The Oracle Database, Oracle Application Server, Oracle Enterprise
Manager Grid Control, Oracle Collaboration Suite, JD Edwards
EnterpriseOne and OneWorld Tools, and PeopleSoft Enterprise Portal
Applications patches in the Updates are cumulative; each successive
Critical Patch Update contains the fixes from the previous Critical
Patch Updates.
Oracle E-Business Suite and Applications patches are not
cumulative, so E-Business Suite and Applications customers should
refer to previous Critical Patch Updates to identify previous fixes
they want to apply.
Patches for some platforms and components were not available when the
Critical Patch Update was published on July 18, 2006. Please see
MetaLink Note 372930.1 (login required) for more information.
Appendix A. References
* US-CERT Vulnerability Note VU#932124 -
<http://www.kb.cert.org/vuls/id/932124>
* US-CERT Vulnerability Notes Related to Critical Patch Update -
July 2006 -
<http://www.kb.cert.org/vuls/byid?searchview&query=oracle_cpu_july
_2006>
* Critical Patch Update - July 2006 -
<http://www.oracle.com/technology/deploy/security/pdf/cpujul2006.h
tml>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Oracle Database Security Checklist (PDF) -
<http://www.oracle.com/technology/deploy/security/pdf/twp_security
_checklist_db_database
