From security em unicamp.br Thu Nov 9 16:34:45 2006
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 9 Nov 2006 16:34:45 -0200
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA06-312A -- Mozilla Updates for Multiple Vulnerabilities
Message-ID: <20061109183445.GA53935@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA06-312A -- Mozilla Updates for Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Wed, 8 Nov 2006 15:18:05 -0500
Organization: US-CERT - +1 202-205-5266

National Cyber Alert System
Technical Cyber Security Alert TA06-312A

Mozilla Updates for Multiple Vulnerabilities

Original release date: November 08, 2006
Last revised: --
Source: US-CERT

Systems Affected

* Mozilla SeaMonkey
* Mozilla Firefox
* Mozilla Thunderbird
* Netscape web browser

Overview

The Mozilla web browser and derived products contain several vulnerabilities, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system.

I. Description

Several vulnerabilities have been reported in the Mozilla web browser and derived products. Mozilla has released three security advisories to describe the vulnerabilities:

Mozilla Foundation Security Advisory 2006-67 addresses a remote code execution vulnerability in the way JavaScript is handled by Firefox, Thunderbird, and SeaMonkey. More information can be found in VU#714496.

Mozilla Foundation Security Advisory 2006-66 addresses a vulnerability in the way RSA signatures are handled by Firefox, Thunderbird, and SeaMonkey. More information can be found in VU#335392.

Mozilla Foundation Security Advisory 2006-65 addresses three memory corruption vulnerabilities in Firefox, Thunderbird, and SeaMonkey. More information can be found in VU#815432, VU#390480, and VU#495288.
Any products based on Mozilla components, specifically Gecko, may also be affected by VU#714496, VU#815432, VU#390480, and VU#495288. Any software that uses the Mozilla Network Security Services (NSS) library may be affected by VU#335392.

II. Impact

The most severe impact of these vulnerabilities could allow a remote attacker to execute arbitrary code with the privileges of the user running the affected application. Other effects include forging RSA signatures and denial of service.

A remote, unauthenticated attacker could execute arbitrary code, or cause a denial of service.

Forging an RSA signature (VU#335392) may allow an attacker to craft a TLS/SSL or email certificate that will not be detected as invalid. This may allow that attacker to impersonate a website or email system that relies on certificates for authentication.

III. Solution

Upgrade

These vulnerabilities are addressed in Mozilla Firefox 1.5.0.8, Mozilla Thunderbird 1.5.0.8, and SeaMonkey 1.0.6. According to Mozilla: Firefox 1.5.0.x will be maintained with security and stability updates until April 24, 2007. All users are strongly encouraged to upgrade to Firefox 2.

IV. References

* Vulnerability Note VU#714496
* Vulnerability Note VU#335392
* Vulnerability Note VU#815432
* Vulnerability Note VU#390480
* Vulnerability Note VU#495288
* Mozilla Foundation Security Advisories
* Known Vulnerabilities in Mozilla Products
* Securing Your Web Browser
* Mozilla Hall of Fame
* Site Controls

____________________________________________________________________

The most recent version of this document can be found at:

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA06-312A Feedback VU#335392" in the subject.

____________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit .
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

____________________________________________________________________

Revision History

November 08, 2006: Initial release

----- End forwarded message -----

From security em unicamp.br Thu Nov 16 10:15:10 2006
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 16 Nov 2006 10:15:10 -0200
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA06-318A -- Microsoft Security Updates for Windows, Internet Explorer, and Adobe Flash
Message-ID: <20061116121510.GA59815@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA06-318A -- Microsoft Security Updates for Windows, Internet Explorer, and Adobe Flash
To: technical-alerts em us-cert.gov
Date: Tue, 14 Nov 2006 17:53:25 -0500
Organization: US-CERT - +1 202-205-5266

National Cyber Alert System
Technical Cyber Security Alert TA06-318A

Microsoft Security Updates for Windows, Internet Explorer, and Adobe Flash

Original release date: November 14, 2006
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer
* Adobe Flash

Overview

Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, Internet Explorer, and Adobe Flash.
Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

I. Description

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer, and Adobe Flash as part of the Microsoft Security Bulletin Summary for November 2006. The most severe vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

Microsoft has included updates to Adobe Flash, which is installed with Internet Explorer.

Further information is available in the Vulnerability Notes Database.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a vulnerable system. An attacker may also be able to cause a denial of service.

III. Solution

Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the November 2006 Security Bulletins. The Security Bulletins describe any known issues related to the updates. Note any known issues described in the Bulletins and test for any potentially adverse effects in your environment.

System administrators may wish to consider using Windows Server Update Services (WSUS).

IV. References

* US-CERT Vulnerability Notes for Microsoft November 2006 updates
* Securing Your Web Browser
* Microsoft Security Bulletin Summary for November 2006
* Microsoft Update
* Windows Server Update Services

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA06-318A Feedback VU#377369" in the subject.
____________________________________________________________________

Revision History

November 14, 2006: Initial release

----- End forwarded message -----

From security em unicamp.br Thu Nov 30 14:55:49 2006
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 30 Nov 2006 14:55:49 -0200
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA06-333A -- Apple Releases Security Update to Address Multiple Vulnerabilities
Message-ID: <20061130165549.GA74902@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA06-333A -- Apple Releases Security Update to Address Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Wed, 29 Nov 2006 16:12:44 -0500
Organization: US-CERT - +1 202-205-5266

National Cyber Alert System
Technical Cyber Security Alert TA06-333A

Apple Releases Security Update to Address Multiple Vulnerabilities

Original release date: November 29, 2006
Last revised: --
Source: US-CERT

Systems Affected

* Apple Mac OS X version 10.3.x and 10.4.x
* Apple Mac OS X Server version 10.3.x and 10.4.x
* Apple Safari web browser

These vulnerabilities affect both Intel-based and PowerPC-based Apple systems.
Overview

Apple has released Security Update 2006-007 to correct multiple vulnerabilities affecting Mac OS X, Mac OS X Server, and the Safari web browser. Vulnerabilities in OpenSSL, gzip, and other products are also addressed. The most serious of these vulnerabilities may allow a remote attacker to execute arbitrary code. Attackers may take advantage of the less serious vulnerabilities to bypass security restrictions or cause a denial of service.

I. Description

Apple Security Update 2006-007 addresses a number of vulnerabilities affecting Mac OS X, OS X Server, the Safari web browser, and other products. Further details are available in the related vulnerability notes.

This security update also addresses previously known vulnerabilities in PHP, Perl, OpenSSL, and gzip, which are shipped with Mac OS X. The OpenSSL vulnerabilities are documented in multiple vulnerability notes. Information is also available through the OpenSSL vulnerabilities page. Information about the vulnerabilities in gzip is available in a series of vulnerability notes.

II. Impact

The impacts of these vulnerabilities vary. For specific details, see the appropriate vulnerability notes. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service.

III. Solution

Install updates

Install Apple Security Update 2006-007. This and other updates are available via Apple Update or via Apple Downloads.

IV. References

* Vulnerability Notes for Apple Security Update 2006-007
* Vulnerability Notes for OpenSSL Security Advisory [28th September 2006]
* Vulnerability Note VU#845620
* Vulnerability Note VU#933712
* Vulnerability Note VU#381508
* Vulnerability Note VU#554780
* Vulnerability Note VU#596848
* Vulnerability Note VU#773548
* About the security content of Security Update 2006-007
* Mac OS X: Updating your software
* Apple Downloads
* OpenSSL: OpenSSL vulnerabilities
* Securing Your Web Browser

_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA06-333A Feedback VU#191336" in the subject.

_________________________________________________________________

Revision History

November 29, 2006: Initial release

----- End forwarded message -----