From security em unicamp.br Fri Jun 1 10:13:12 2007 From: security em unicamp.br (CSIRT - UNICAMP) Date: Fri, 1 Jun 2007 10:13:12 -0300 Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA07-151A -- Mozilla Updates for Multiple Vulnerabilities Message-ID: <20070601131311.GA95273@unicamp.br> ----- Forwarded message from US-CERT Technical Alerts ----- From: US-CERT Technical Alerts Subject: US-CERT Technical Cyber Security Alert TA07-151A -- Mozilla Updates for Multiple Vulnerabilities To: technical-alerts em us-cert.gov Date: Thu, 31 May 2007 15:41:22 -0400 Organization: US-CERT - +1 202-205-5266 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA07-151A Mozilla Updates for Multiple Vulnerabilities Original release date: May 31, 2007 Last revised: -- Source: US-CERT Systems Affected * Mozilla Firefox * Mozilla Thunderbird * Mozilla SeaMonkey * Netscape Browser Other products based on Mozilla components may also be affected. Overview The Mozilla web browser and derived products contain several vulnerabilities, the most severe of which could allow a remote attacker to execute arbitrary code on an affected system. I. Description Mozilla has released new versions of Firefox, Thunderbird, and SeaMonkey to address several vulnerabilities. Further details about these vulnerabilities are available from Mozilla and the Vulnerability Notes Database. An attacker could exploit these vulnerabilities by convincing a user to view a specially-crafted HTML document, such as a web page or an HTML email message. Support for Firefox 1.5 is scheduled to end in June 2007. According to Mozilla: Firefox 1.5.0.x will be maintained with security and stability updates until June 2007. All users are strongly encouraged to upgrade to Firefox 2. II. Impact While the impacts of the individual vulnerabilities vary, the most severe could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. An attacker may also be able to cause a denial of service. III. Solution Upgrade These vulnerabilities are addressed in Mozilla Firefox 2.0.0.4, Firefox 1.5.0.12, Thunderbird 2.0.0.4, Thunderbird 1.5.0.12, SeaMonkey 1.0.9, SeaMonkey 1.1.2. By default, Mozilla Firefox, Thunderbird, and SeaMonkey automatically check for updates. IV. References * US-CERT Vulnerability Notes - * Securing Your Web Browser - * Mozilla Foundation Security Advisories - * Known Vulnerabilities in Mozilla Products - * Mozilla Hall of Fame - * Site Controls - ____________________________________________________________________ The most recent version of this document can be found at: ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA07-151A Feedback VU#751636" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit . ____________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: ____________________________________________________________________ Revision History May 31, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRl8hMuxOF3G+ig+rAQLIagf/S2DvesVDq/ZeL4vm68xSSniQYCETBYOe fIIluxwNULN0HS3Z6Nyy2B9se0Z9SkIVPEg166nYTMdH3N7DHDJxFVJCwkiUJjV+ EnY4KWg1q/VWJKqislLRCGSV5LbaSkCiHeet228RmpRUlAeoNxkKfdfPdnGP+iTq DVl/fOtDipYLBIRgFpvsqj+iQjWQxScU3LB8pDKSstXKBOUDmxyWTsmYAN1bL4d9 CWuzCYcO7LJl4tyY2nmz+lgCCFVqlu89AWSPD8VNRc4f3V1whDxlHMV83V17jMDx 6F8+3pgmp8GVxf54CgiXegFr67qN2KNxrlzZf0o8jxl9bF83zV0+TQ== =m76L -----END PGP SIGNATURE----- ----- End forwarded message ----- From security em unicamp.br Wed Jun 13 10:39:18 2007 From: security em unicamp.br (CSIRT - UNICAMP) Date: Wed, 13 Jun 2007 10:39:18 -0300 Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA07-163A -- Microsoft Updates for Multiple Vulnerabilities Message-ID: <20070613133918.GA24064@unicamp.br> ----- Forwarded message from US-CERT Technical Alerts ----- From: US-CERT Technical Alerts Subject: US-CERT Technical Cyber Security Alert TA07-163A -- Microsoft Updates for Multiple Vulnerabilities To: technical-alerts em us-cert.gov Date: Tue, 12 Jun 2007 16:24:24 -0400 Organization: US-CERT - +1 202-205-5266 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA07-163A Microsoft Updates for Multiple Vulnerabilities Original release date: June 12, 2007 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows * Microsoft Internet Explorer * Microsoft Visio * Microsoft Windows Mail * Microsoft Outlook Express * Microsoft Secure Channel * Win32 API Overview Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, Windows Secure Channel, Internet Explorer, Win32 API, Windows Mail and Outlook Express. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system. I. Description Microsoft has released updates to address vulnerabilities that affect Microsoft Windows, Windows Secure Channel, Internet Explorer, Win32 API, Visio, Outlook Express and Windows Mail as part of the Microsoft Security Bulletin Summary for June 2007. The most severe vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system. Further information about the vulnerabilities addressed by these updates is available in the Vulnerability Notes Database II. Impact A remote, unauthenticated attacker could execute arbitrary code on a vulnerable system. An attacker may also be able to cause a denial of service. III. Solution Apply updates from Microsoft Microsoft has provided updates for these vulnerabilities in the June 2007 Security Bulletins. The Security Bulletins describe any known issues related to the updates. Administrators are encouraged to note any known issues that are described in the Bulletins and test for any potentially adverse effects. System administrators may wish to consider using an automated patch distribution system such as Windows Server Update Services (WSUS). IV. References * US-CERT Vulnerability Notes for Microsoft June 2007 updates - * Securing Your Web Browser - * Microsoft Security Bulletin Summary for June 2007 - * Microsoft Update - * Windows Server Update Services - _________________________________________________________________ The most recent version of this document can be found at: _________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA07-163A Feedback VU#457281" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit . _________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: _________________________________________________________________ Revision History June 12, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRm8AVOxOF3G+ig+rAQImBgf+JmLm8tdDrkGLisUIEN6A90D3ImxgWbY4 oJEtPr99E0BxvzWuhegmlxbKXyc4zH7QU6L7vf1sR9GHTMWPwaACADFiBR3GEX2K JpjnOGsajQli1IFHIf519gwuqVU5g0iR4yLYZWGJANxNSGjEnIZ7HbRr89aGoGHx jzo0yEgD+KTC4YiK++Bu3FD1sJWB7dPyhDX0Pk69wYCrY8X0grI29EhW/3M2V/kX OaEpAiD8MkEUXzxKBXc3XFV4Q4wBQ8uP2bdf319Mj3xd6ReLZGBwrhdX7ZO7L3vH 0RLqpFE09QqrJIqVJD071iPzRbyHd+VTM+LWfzxEbKSK4GDdHNjn2w== =tNv5 -----END PGP SIGNATURE----- ----- End forwarded message ----- From security em unicamp.br Wed Jun 27 10:43:09 2007 From: security em unicamp.br (CSIRT - UNICAMP) Date: Wed, 27 Jun 2007 10:43:09 -0300 Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA07-177A -- MIT Kerberos Vulnerabilities Message-ID: <20070627134309.GA57643@unicamp.br> ----- Forwarded message from US-CERT Technical Alerts ----- From: US-CERT Technical Alerts Subject: US-CERT Technical Cyber Security Alert TA07-177A -- MIT Kerberos Vulnerabilities To: technical-alerts em us-cert.gov Date: Tue, 26 Jun 2007 16:30:56 -0400 Organization: US-CERT - +1 202-205-5266 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA07-177A MIT Kerberos Vulnerabilities Original release date: June 26, 2007 Last revised: -- Source: US-CERT Systems Affected * MIT Kerberos Other products that use the RPC library provided with MIT Kerberos or other RPC libraries derived from SunRPC may also be affected. Overview The MIT Kerberos 5 implementation contains several vulnerabilities. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system. I. Description There are three vulnerabilities that affect MIT Kerberos 5: * VU#356961 - MIT Kerberos RPC library gssrpc__svcauth_gssapi() uninitialized pointer free vulnerability A vulnerability in the MIT Kerberos administration daemon (kadmind) may allow an uninitialized pointer to be freed, which may allow a remote, unauthenticated user to execute arbitrary code. This vulnerability can be triggered by sending a specially crafted Kerberos message to a vulnerable system. * VU#365313 - MIT Kerberos kadmind RPC library gssrpc__svcauth_unix() integer conversion error An integer conversion error vulnerability exists in the MIT Kerberos kadmind that may allow a remote, unauthenticated user to execute arbitrary code. * VU#554257 - MIT Kerberos kadmind principal renaming stack buffer overflow A stack buffer overflow exists in the way the MIT Kerberos kadmind handles the principle renaming operation, which may allow a remote, authenticated user to execute arbitrary code. II. Impact A remote, unauthenticated attacker may be able to execute arbitrary code on KDCs, systems running kadmind, and application servers that use the RPC library. An attacker could also cause a denial of service on any of these systems. These vulnerabilities could result in the compromise of both the KDC and an entire Kerberos realm. III. Solution Check with your vendors for patches or updates. For information about a vendor, please see the systems affected section in the individual vulnerability notes or contact your vendor directly. Alternatively, apply the appropriate source code patches referenced in MITKRB5-SA-2007-004 and MITKRB5-SA-2007-005 and recompile. These vulnerabilities will also be addressed in the krb5-1.6.2 and krb5-1.5.4 releases. IV. References * US-CERT Vulnerability Note VU#365313 - * US-CERT Vulnerability Note VU#356961 - * US-CERT Vulnerability Note VU#554257 - * MIT krb5 Security Advisory 2007-004 - * MIT krb5 Security Advisory 2007-005 - ____________________________________________________________________ The most recent version of this document can be found at: ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA07-177A Feedback VU#554257" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit . ____________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: ____________________________________________________________________ Revision History June 26, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRoF2qexOF3G+ig+rAQJGTgf/TDX6H7Ra80yTOPn4gbIxEt2rXv7zOErl jRbQpYXkyM2cS17PEcA6om+/VpgiwTYQ3+R25gjDO9TBozOSh5gXZLPJiLIG56e/ 5unlug85vAK2atpdpXp2PlJeTtPg7R4T4IayNPJYoVMS25l697EA0AYjsiW6wBLy M8rvsl+TyZoBIbZn06xhVsnZduE+HTKKJX4ZWGSlJjIj6iHIF1zNkvju1J9jSDqq 7QZBaarD3lXCSfukCpeLUEm7T8+9gUXDu+DMSR07NnXpKzQKCHR8fsqT1r9PPXfE zJntAWrmC4xtx3XA+H0/Kjb9JK6L4G/CogNiReEmMkceDjAP4xbpWw== =ALEE -----END PGP SIGNATURE----- ----- End forwarded message -----