From security em unicamp.br Tue Oct 3 08:51:04 2006
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 3 Oct 2006 08:51:04 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA06-275A -- Multiple Vulnerabilities in Apple and Adobe Products
Message-ID: <20061003115104.GA73674@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA06-275A -- Multiple Vulnerabilities in Apple and Adobe Products
To: technical-alerts em us-cert.gov
Date: Mon, 2 Oct 2006 14:08:54 -0400
Organization: US-CERT - +1 202-205-5266

                        National Cyber Alert System
                  Technical Cyber Security Alert TA06-275A

Multiple Vulnerabilities in Apple and Adobe Products

   Original release date: October 02, 2006
   Last revised: --
   Source: US-CERT

Systems Affected

     * Apple Mac OS X version 10.3.9 and earlier (Panther)
     * Apple Mac OS X version 10.4.7 and earlier (Tiger)
     * Apple Mac OS X Server version 10.3.9 and earlier
     * Apple Mac OS X Server version 10.4.7 and earlier
     * Safari web browser
     * Adobe Flash Player 8.0.24 and earlier

   These vulnerabilities affect both Intel-based and PowerPC-based Apple systems.

Overview

   Apple has released Security Update 2006-006 and Mac OS X 10.4.8 Update to correct multiple vulnerabilities affecting Mac OS X, OS X Server, Safari, Adobe Flash Player, and other products. The most serious of these vulnerabilities may allow a remote attacker to execute arbitrary code. Impacts of other vulnerabilities include bypass of security restrictions and denial of service.

I. Description

   Apple has released Security Update 2006-006 to address numerous vulnerabilities affecting Mac OS X, OS X Server, Safari, Adobe Flash Player, and other products. Further details are available in the individual Vulnerability Notes for Apple Security Update 2006-006.

   Apple has also released Mac OS X 10.4.8 Update (Intel) for Intel-based Apple systems.
   This update addresses the vulnerabilities described in Apple Security Update 2006-006 for Intel-based Apple systems.

   This security update also addresses previously known vulnerabilities in Adobe Flash Player. More information on those vulnerabilities can be found in Adobe Security Bulletin APSB06-11 and the Vulnerability Notes for Adobe Security Bulletin APSB06-11.

II. Impact

   The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes for Apple Security Update 2006-006. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service.

III. Solution

Install updates

   Install Apple Security Update 2006-006. This and other updates are available via Apple Update or via Apple Downloads. Users with Intel-based Apple systems should upgrade to Mac OS X 10.4.8 Update (Intel) to receive the necessary security updates.

IV. References

     * Vulnerability Notes for Apple Security Update 2006-006
     * About the security content of the Mac OS X 10.4.8 Update and Security Update 2006-006
     * Mac OS X 10.4.8 Update (Intel)
     * Mac OS X: Updating your software
     * Apple Downloads
     * Vulnerability Notes for Adobe Security Bulletin APSB06-11
     * Adobe Security Bulletin APSB06-11
     * Securing Your Web Browser
 _________________________________________________________________

   The most recent version of this document can be found at:
 _________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA06-275A Feedback VU#546772" in the subject.
 _________________________________________________________________

   Produced 2006 by US-CERT, a government organization.
   Terms of use:
 _________________________________________________________________

Revision History

   October 02, 2006: Initial release

----- End forwarded message -----

From security em unicamp.br Wed Oct 4 16:15:02 2006
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 4 Oct 2006 16:15:02 -0300
Subject: [SECURITY-L] Daylight saving time begins on 5 November
Message-ID: <20061004191501.GA77922@unicamp.br>

Wednesday, 4 October 2006, 13:53. Updated at 15:48

Daylight saving time begins on 5 November

This year's daylight saving time will run from 0:00 on 5 November until 0:00 on 25 February 2007, according to a decree published this Wednesday in the Diário Oficial da União. On that date, residents of the states of Rio Grande do Sul, Santa Catarina, Paraná, São Paulo, Rio de Janeiro, Espírito Santo, Minas Gerais, Goiás, Mato Grosso, Mato Grosso do Sul and the Distrito Federal must set their clocks forward by one hour.

Daylight saving time, which usually begins in October, will start later this year because of the second round of the elections, on the 29th of this month.

Over the same period in 2005 to 2006, setting the clocks forward produced an average reduction of 4 to 5 percent in peak-hour consumption in the regions that adopted it.
Source: http://noticias.terra.com.br/brasil/interna/0,,OI1174145-EI306,00.html

From security em unicamp.br Wed Oct 11 09:03:04 2006
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 11 Oct 2006 09:03:04 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA06-283A -- Microsoft Updates for Vulnerabilities in Windows, Office, and Internet Explorer
Message-ID: <20061011120304.GA28139@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA06-283A -- Microsoft Updates for Vulnerabilities in Windows, Office, and Internet Explorer
To: technical-alerts em us-cert.gov
Date: Tue, 10 Oct 2006 15:31:14 -0400
Organization: US-CERT - +1 202-205-5266

                        National Cyber Alert System
                  Technical Cyber Security Alert TA06-283A

Microsoft Updates for Vulnerabilities in Windows, Office, and Internet Explorer

   Original release date: October 10, 2006
   Last revised: --
   Source: US-CERT

Systems Affected

     * Microsoft Windows
     * Microsoft Office
     * Microsoft Internet Explorer

Overview

   Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, Internet Explorer, and Microsoft Office. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

I. Description

   Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer, and Microsoft Office as part of the Microsoft Security Bulletin Summary for October 2006. The summary lists ten Microsoft Security Bulletins. Two of the Bulletins discuss previously disclosed vulnerabilities that are actively being exploited:

     * Microsoft Security Bulletin MS06-057 addresses a remote code execution vulnerability in the WebFolderIcon ActiveX control. More information is available in VU#753044.
     * Microsoft Security Bulletin MS06-058 addresses a remote code execution vulnerability in Microsoft PowerPoint. More information is available in VU#231204.

   Further information on vulnerabilities addressed by the October 2006 Security Bulletins will be available in Vulnerability Notes.

   Microsoft has announced the end of support for Windows XP Service Pack 1. According to Microsoft:

     On October 10, 2006, Microsoft will end all public assisted support for Windows XP Service Pack 1 (SP1). After this date, Microsoft will no longer provide any incident support options or security updates for this retired service pack under the policies defined by the Microsoft Support Lifecycle policy. We strongly encourage Windows XP users to upgrade to Windows XP Service Pack 2 (SP2) as soon as possible.

II. Impact

   A remote, unauthenticated attacker could execute arbitrary code on a vulnerable system. An attacker may also be able to cause a denial of service.

III. Solution

Apply updates from Microsoft

   Microsoft has provided updates for these vulnerabilities in the October 2006 Security Bulletins. The Security Bulletins describe any known issues related to the updates. Note any known issues described in the Bulletins and test for any potentially adverse effects in your environment.

   Updates for Microsoft Windows and Microsoft Office XP and later are available on the Microsoft Update site. Microsoft Office 2000 updates are available on the Microsoft Office Update site. System administrators may wish to consider using Windows Server Update Services (WSUS).
References

     * US-CERT Vulnerability Notes for Microsoft October 2006 updates
     * Securing Your Web Browser
     * Microsoft Security Bulletin Summary for October 2006
     * Microsoft Update
     * Microsoft Office Update
     * End of support for Windows 98, Windows Me, and Windows XP Service Pack 1
     * Windows Server Update Services
 _________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA06-283A Feedback VU#703936" in the subject.
 _________________________________________________________________

Revision History

   October 10, 2006: Initial release

----- End forwarded message -----

From security em unicamp.br Wed Oct 18 16:59:28 2006
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 18 Oct 2006 16:59:28 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA06-291A -- Oracle Updates for Multiple Vulnerabilities
Message-ID: <20061018195926.GA21400@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA06-291A -- Oracle Updates for Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Wed, 18 Oct 2006 14:56:24 -0400
Organization: US-CERT - +1 202-205-5266

                        National Cyber Alert System
                  Technical Cyber Security Alert TA06-291A

Oracle Updates for Multiple Vulnerabilities

   Original release date: October 18, 2006
   Last revised: --
   Source: US-CERT

Systems Affected

     * Oracle10g Database
     * Oracle9i Database
     * Oracle8i Database
     * Oracle Application Express (formerly known as Oracle HTML DB)
     * Oracle Application Server 10g
     * Oracle Collaboration Suite 10g
     * Oracle9i Collaboration Suite
     * Oracle E-Business Suite Release 11i
     * Oracle E-Business Suite Release 11.0
     * Oracle Pharmaceutical Applications
     * Oracle PeopleSoft Enterprise Portal Solutions
     * Oracle PeopleSoft Enterprise PeopleTools
     * JD Edwards EnterpriseOne Tools
     * JD Edwards OneWorld Tools
     * Oracle Reports Developer client-only installations
     * Oracle Containers for J2EE client-only installations

   For more information regarding affected product versions, please see the Oracle Critical Patch Update - October 2006.

Overview

   Oracle has released patches to address numerous vulnerabilities in different Oracle products. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

I. Description

   Oracle has released the Critical Patch Update - October 2006. According to Oracle, this CPU contains:

     * 22 new security fixes for the Oracle Database
     * 6 new security fixes for Oracle HTTP Server
     * 35 new security fixes for Oracle Application Express
     * 14 new security fixes for the Oracle Application Server
     * 13 new security fixes for the Oracle E-Business Suite
     * 8 new security fixes for Oracle PeopleSoft Enterprise PeopleTools and Enterprise Portal Solutions
     * 1 new security fix for JD Edwards EnterpriseOne
     * 1 new security fix for Oracle Pharmaceutical Applications

   Many Oracle products include or share code with other vulnerable Oracle products and components. Therefore, one vulnerability may affect multiple Oracle products and components.
   For example, the October 2006 CPU does not contain any fixes specifically for Oracle Collaboration Suite. However, Oracle Collaboration Suite is affected by vulnerabilities in Oracle Database and Oracle Application Server, so sites running Oracle Collaboration Suite should install fixes for Oracle Database and Oracle Application Server. Refer to the October 2006 CPU for details regarding which vulnerabilities affect specific Oracle products and components.

   For a list of publicly known vulnerabilities addressed in the October 2006 CPU, refer to the Map of Public Vulnerability to Advisory/Alert. The October 2006 CPU does not associate Vuln# identifiers (e.g., DB01) with other available information, even in the Map of Public Vulnerability to Advisory/Alert document.

   As more details about vulnerabilities and remediation strategies become available, we will update the individual vulnerability notes.

II. Impact

   The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include remote execution of arbitrary code or commands, sensitive information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to gain access to sensitive information or take complete control of the host system.

III. Solution

Apply patches from Oracle

   Apply the appropriate patches or upgrade as specified in the Critical Patch Update - October 2006. Note that this Critical Patch Update only lists newly corrected vulnerabilities.
   As noted in the update, some patches are cumulative, others are not:

     The Oracle Database, Oracle Application Server, Oracle Enterprise Manager Grid Control, Oracle Collaboration Suite, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications and PeopleSoft Enterprise PeopleTools patches in the Updates are cumulative; each Critical Patch Update contains the fixes from the previous Critical Patch Updates. Oracle E-Business Suite and Applications patches are not cumulative, so E-Business Suite and Applications customers should refer to previous Critical Patch Updates to identify previous fixes they want to apply.

   The October 2006 CPU lists 35 vulnerabilities affecting Oracle Application Express. These vulnerabilities are addressed in Oracle Application Express version 2.2.1. Oracle Application Express users are encouraged to upgrade to version 2.2.1 as soon as possible.

   Vulnerabilities described in the October 2006 CPU may affect Oracle Database 10g Express Edition (XE). According to Oracle, Oracle Database XE is based on the Oracle Database 10g Release 2 code.

   Patches for some platforms and components were not available when the Critical Patch Update was published on October 17, 2006. Please see MetaLink Note 391563.1 (login required) for more information about patch availability.

   Known issues with Oracle patches are documented in the pre-installation notes and patch readme files. Please consult these documents and test before making changes to production systems.

IV. References

     * US-CERT Vulnerability Notes Related to Critical Patch Update - October 2006
     * Critical Patch Update - October 2006
     * Critical Patch Updates and Security Alerts
     * Map of Public Vulnerability to Advisory/Alert
     * Oracle Database Security Checklist (PDF)
     * Critical Patch Update Implementation Best Practices (PDF)
     * Oracle Application Express 2.2 Downloads
     * Oracle Metalink Note 391563.1
     * Oracle Database 10g Express Edition
     * Analysis of the October 2006 Critical Patch Update for the Oracle RDBMS
     * Details Oracle Critical Patch Update October 2006
 _________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA06-291A Feedback VU#717140" in the subject.
 _________________________________________________________________

Revision History

   October 18, 2006: Initial release

----- End forwarded message -----