May 14, 2008 - Current Activity

Cisco Releases Security Advisories

Cisco has released three security advisories to address vulnerabilities in Cisco Unified Communications Manager, Unified Presence, and the Content Switching Module. These vulnerabilities may allow an attacker to cause a denial-of-service condition on the affected system.

US-CERT encourages users to review the following Cisco Security Advisories and apply any necessary updates or workarounds:

• Cisco Unified Communications Manager Denial of Service Vulnerabilities - cisco-sa-20080514-cucmdos
• Cisco Unified Presence Denial of Service Vulnerabilities - cisco-sa-20080514-cup
• Cisco Content Switching Module Memory Leak Vulnerability - cisco-sa-20080514-csm

Microsoft Releases May Security Bulletin

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Office, Live OneCare, Antigen, Windows Defender, and Forefront Security as part of the Microsoft Security Bulletin Summary for May 2008. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users to review the bulletins and follow best-practice security policies to determine which updates should be applied.

Mozilla Releases Thunderbird 2.0.0.14

Mozilla has released Thunderbird 2.0.0.14 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to escalate privileges or execute arbitrary code.

US-CERT encourages users to review Mozilla Foundation Security Advisories 2008-14 and 2008-15 and to update to Thunderbird 2.0.0.14.

Microsoft Releases Advance Notification for May Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that its May release cycle will contain four bulletins, three of which will have a severity rating of Critical. The notification states that these Critical bulletins are for Microsoft Windows and Office. The notification also states that there will be one Important bulletin for Windows Live OneCare, Antigen, Defender, and Forefront Security. Release of these bulletins is scheduled for Tuesday, May 12.

US-CERT will provide additional information as it becomes available.

Microsoft Releases Windows XP Service Pack 3

Microsoft has released Service Pack 3 for Windows XP. Service Pack 3 includes multiple Hotfixes and security updates and is available through Automatic Updates and Windows Update.

Users should note that Windows XP SP3 does not include Internet Explorer 7, however it does include updates to both IE 6 and IE 7, and will update whichever version is currently installed.

US-CERT encourages users to review the release notes for Service Pack 3 for Windows XP and apply any necessary updates.

PHP 5.2.6 Released

PHP has released version 5.2.6 to address multiple vulnerabilities. These vulnerabilities include

• an error in FastCGI SAPI which may result stack-based buffer overflow
• an integer overflow in printf()
• an error in init_request_info(), which may result in a buffer overflow
  
• an error in cURL, which may result in safe_mode bypass
• improper handling of input passed to escapeshellcmd()
• a boundary error in the bundled version of the PCRE library
  

Common Data Format Buffer Overflow Vulnerability

NASA has issued an advisory regarding a vulnerability in Common Data Format (CDF) version 3.2 and earlier. This vulnerability is due to a buffer overflow condition in the handling of specially-crafted CDF files. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.

US-CERT encourages users to review the NASA advisory and update to CDF 3.2.1 to help mitigate the risk.

US-CERT will provide additional information as it becomes available.

WordPress Vulnerabilities

WordPress has released version 2.5.1 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to bypass security restrictions or conduct a cross-site scripting attack.

US-CERT encourages users to review the WordPress 2.5.1 release notes and apply any necessary updates.

Compromised Websites Hosting Malicious JavaScript

US-CERT is following reports of SQL injection attacks that have compromised a large number of legitimate websites. The compromised websites contain injected JavaScript that attempts to exploit multiple, known vulnerabilities. Users who visit a compromised website may unknowingly execute malicious code.

US-CERT encourages users to do the following to help mitigate the risks of this and similar attacks:

• Regularly apply software updates and patches provided by vendors.
• Disable JavaScript and ActiveX as described in the Securing Your Web Browser document.

HP Software Update Vulnerabilities

US-CERT is aware of reports of multiple vulnerabilities affecting HP Software Update. These vulnerabilities are due to insecure methods in multiple ActiveX controls. Exploitation of these vulnerabilities may allow a remote attacker to execute arbitrary code or view or modify sensitive information.

US-CERT encourages users to do the following to help mitigate the risks:

• Review the HP Support document and update to HP Software Update v4.000.010.008.
• Set the kill bit for the CLSIDs listed in the HP Support document.
• Disable ActiveX as described in the Securing Your Web Browser document.