March 24, 2008 - Current Activity

Microsoft Jet Database Engine Vulnerability

Microsoft has released a Security Advisory to address a vulnerability in Microsoft Jet Database Engine. This vulnerability is due to a buffer overflow condition in msjet40.dll. By convincing a user to open a Word document that is designed to load a specially crafted database file using msjet40.dll, an attacker may be able execute arbitrary code.

US-CERT encourages users to review Microsoft Security Advisory 950627 and apply the suggested workarounds.

US-CERT will provide more information as it becomes available.

Apple Aperture and iPhoto Vulnerability

Apple has released Digital Camera RAW Compatibility Update 2.0 to address a vulnerability in Apple Aperture and iPhoto. This vulnerability is due to a boundary error that occurs when processing DNG image files. By convincing a user to open a specially crafted image file, a remote attacker may be able to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users to review Apple knowledgebase article HT1232 and apply any necessary updates.

US-CERT will provide more information as it becomes available.

Microsoft Releases Windows Vista Service Pack 1

Microsoft has released Windows Vista Service Pack 1.  This Service Pack provides updates to increase reliability, performance, compatibility, and security.

US-CERT encourages users review the following Microsoft articles:

• Notable Changes in Windows Vista Service Pack 1
  
• Overview of Windows Vista SP1
• Hotfixes and Security Updates included in Windows Vista Service Pack 1

MIT Kerberos Security Advisories

MIT has released two Security Advisories to address multiple vulnerabilities in Kerberos 5. These vulnerabilities affect krb4-enabled KDC servers and the GSS RPC library used by kadmind. Exploitation of these vulnerabilities may allow a remote attacker to execute arbitrary code, obtain sensitive information, or cause a denial of service condition.

US-CERT encourages users to do the following to help mitigate the risks:

• Review Kerberos Security Advisory 2008-001, 2008-002, and apply any necessary updates.
• Review VU#895609 and VU#374121 in the Vulnerability Notes Database.
• Review Technical Cyber Security Alert TA08-079B.
  

Apple Security Updates

Apple has released Safari 3.1 and Security Update 2008-002 to address multiple vulnerabilities.

These vulnerabilities may allow an attacker to do the following:

• Execute arbitrary code
• Cause a denial-of-service condition
• Bypass authentication
• Elevate privileges
• Obtain sensitive information
• Cause untrusted certificates to appear trusted

• Review Apple Article 307563 and upgrade to Safari 3.1.
• Review Apple Security Update 2008-002 and apply any necessary updates.
• Review Technical Cyber Security Alert TA08-079A.
  

VMware Security Advisory

VMware has released Security Advisory VMSA-2008-0005 to address multiple vulnerabilities in several VMware products. These vulnerabilities may allow an attacker to execute arbitrary code, escalate privileges, or cause a denial-of-service condition.

US-CERT encourages users to review VMware Security Advisory VMSA-2008-0005 and apply any necessary updates.

US-CERT will provide more information as it becomes available.

CA BrightStor ARCserve Backup Vulnerability

US-CERT has seen reports of a vulnerability in CA BrightStor ARCserve Backup. This vulnerability is due to a boundary error within the "AddColumn()" method in the "ListCtrl" ActiveX control. Exploitation of this vulnerability may allow a remote attacker to cause a stack-based buffer overflow and execute arbitrary code.

US-CERT encourages users to do the following to help mitigate the risk:

• Set a kill bit for the CLSID {BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}.
• Disable ActiveX as described in the Securing Your Web Browser document.

F-Secure Releases Security Bulletin

F-Secure has released Security Bulletin FSC-2008-2 to address vulnerabilities in multiple F-Secure products. These vulnerabilities are caused by improper handling of malformed archives. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users to review F-Secure Security Bulletin FSC-2008-2 and apply the updates.

US-CERT will provide more information as it becomes available.

Microsoft Updates March Security Bulletin

Microsoft has made revisions to all of the March Security Bulletins. These revisions

• Clarify why a non-vulnerable version of Office was offered during this update.
• Correct the registry key for verifying the update for ISA Server.
• Remove MS07-015 as a replaced bulletin for Microsoft Office XP Service Pack 3.
• Update vulnerability FAQs
• Update file information tables for Outlook 2000 and 2003.

Websites Compromised Through SQL Injection

US-CERT has seen reports of an attack that has compromised a large number of legitimate websites. The reports indicate that attackers are modifying the sites and embedding a reference to JavaScript code. Users who visit one of these infected websites may unknowingly execute malicious code. This code attempts to exploit known vulnerabilities for which patches are available but may not have been applied to the victim's system.

This issue is currently exploiting a variety of vulnerabilities:

• Baofeng Storm ActiveX
• Ourgame GLChat ActiveX
• Microsoft Internet Explorer VML (VU#122084)
  
• Qvod Player ActiveX
• Microsoft RDS.Dataspace ActiveX (VU#234812)
  
• RealPlayer playlist ActiveX (VU#871673)
  
• Storm Player ActiveX
• Microsoft Windows WebViewFolderIcon ActiveX (VU#753044)
  
• Xunlei Thunder DapPlayer ActiveX

• Regularly apply software updates and patches provided by vendors.
• Disable JavaScript and ActiveX as described in the Securing Your Web Browser document.