From security em unicamp.br Tue Jan 27 10:41:10 2009
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 27 Jan 2009 10:41:10 -0200
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA09-022A -- Apple QuickTime Updates for Multiple Vulnerabilities
Message-ID: <20090127124110.GB73442@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA09-022A -- Apple QuickTime Updates for Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Thu, 22 Jan 2009 17:47:47 -0500
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA09-022A

Apple QuickTime Updates for Multiple Vulnerabilities

   Original release date: January 22, 2009
   Last revised: --
   Source: US-CERT

Systems Affected

   * Apple QuickTime 7.5 for Windows and Mac OS X

Overview

   Apple has released QuickTime 7.6 to correct multiple vulnerabilities
   affecting QuickTime for Mac OS X and Windows. Attackers may be able to
   exploit these vulnerabilities to execute arbitrary code or cause a
   denial of service.

I. Description

   Apple QuickTime 7.6 addresses a number of vulnerabilities affecting
   QuickTime. An attacker could exploit these vulnerabilities by
   convincing a user to access a specially crafted media or movie file.
   This file could be hosted on a web page or sent via email.

II. Impact

   The impacts of these vulnerabilities vary. Potential consequences
   include arbitrary code execution and denial of service.

III. Solution

   Upgrade to QuickTime 7.6. This and other updates are available via
   Software Update or via Apple Downloads.

IV.
References

   * About the security content of QuickTime 7.6 -
   * Apple Support Downloads -
   * Mac OS X - updating your software -
   * Securing Your Web Browser -

____________________________________________________________________

   The most recent version of this document can be found at:

____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to with "TA09-022A Feedback VU#703068" in the subject.

____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit .

____________________________________________________________________

   Produced 2009 by US-CERT, a government organization.

   Terms of use:

____________________________________________________________________

Revision History

   January 22, 2009: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSXj25HIHljM+H4irAQKNIgf+LSBKBzHWdjxmJgYw3vYmAXtwpUxAVThs
Ma4vIB1vSjv8Us83S2XrKIGcKrdPgQgeS7Vji9WRMmlzEv/AYlFJseqq17ufGely
5YosATUh+C0SjY6OAYeJNYMws7fgGcGJagtfQp0gJTRLruknEoB/iqlASBQ7MtNg
7viHKIR8r2BxCNB1A4ir1kzPELIHFF/pmmuaD+E2PnxH1XtYLM9b9t6xbkjie2PG
vEwv7JCGH/RrJtst480ZMIHOghsZ0ONoMkTjZB7o5S0ww3guktGOMB+/QiZI8eFB
KbU6nB6JGscZ8Fb1E4K3yOU9MvpzEfurIvYmyMcAdxFCiq5CSUjOug==
=B5D3
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Tue Jan 27 10:53:27 2009
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 27 Jan 2009 10:53:27 -0200
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA09-020A -- Microsoft Windows Does Not Disable AutoRun Properly
Message-ID: <20090127125320.GC73442@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA09-020A -- Microsoft Windows Does Not Disable AutoRun Properly
To: technical-alerts em us-cert.gov
Date: Tue, 20 Jan 2009 23:42:39 -0500
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA09-020A

Microsoft Windows Does Not Disable AutoRun Properly

   Original release date: January 20, 2009
   Last revised: --
   Source: US-CERT

Systems Affected

   * Microsoft Windows

Overview

   Disabling AutoRun on Microsoft Windows systems can help prevent the
   spread of malicious code. However, Microsoft's guidelines for
   disabling AutoRun are not fully effective, which could be considered
   a vulnerability.

I. Description

   Microsoft Windows includes an AutoRun feature, which can
   automatically run code when removable devices are connected to the
   computer. AutoRun (and the closely related AutoPlay) can unexpectedly
   cause arbitrary code execution in the following situations:

   * A removable device is connected to a computer. This includes, but
     is not limited to, inserting a CD or DVD, connecting a USB or
     Firewire device, or mapping a network drive. This connection can
     result in code execution without any additional user interaction.
   * A user clicks the drive icon for a removable device in Windows
     Explorer. Rather than exploring the drive's contents, this action
     can cause code execution.
   * The user selects an option from the AutoPlay dialog that is
     displayed when a removable device is connected.

   Malicious software, such as W32.Downadup, is using AutoRun to spread.
   Disabling AutoRun, as specified in the CERT/CC Vulnerability Analysis
   blog, is an effective way of helping to prevent the spread of
   malicious code.

   The Autorun and NoDriveTypeAutorun registry values are both
   ineffective for fully disabling AutoRun capabilities on Microsoft
   Windows systems. Setting the Autorun registry value to 0 will not
   prevent newly connected devices from automatically running code
   specified in the Autorun.inf file. It will, however, disable Media
   Change Notification (MCN) messages, which may prevent Windows from
   detecting when a CD or DVD is changed.
   According to Microsoft, setting the NoDriveTypeAutorun registry value
   to 0xFF "disables Autoplay on all types of drives." Even with this
   value set, Windows may execute arbitrary code when the user clicks
   the icon for the device in Windows Explorer.

II. Impact

   By placing an Autorun.inf file on a device, an attacker may be able
   to automatically execute arbitrary code when the device is connected
   to a Windows system. Code execution may also take place when the user
   attempts to browse to the software location with Windows Explorer.

III. Solution

   Disable AutoRun in Microsoft Windows

   To effectively disable AutoRun in Microsoft Windows, import the
   following registry value:

   REGEDIT4
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
   @="@SYS:DoesNotExist"

   To import this value, perform the following steps:

   * Copy the text
   * Paste the text into Windows Notepad
   * Save the file as autorun.reg
   * Navigate to the file location
   * Double-click the file to import it into the Windows registry

   Microsoft Windows can also cache the AutoRun information from mounted
   devices in the MountPoints2 registry key. We recommend restarting
   Windows after making the registry change so that any cached mount
   points are reinitialized in a way that ignores the Autorun.inf file.
   Alternatively, the following registry key may be deleted:

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

   Once these changes have been made, all of the AutoRun code execution
   scenarios described above will be mitigated because Windows will no
   longer parse Autorun.inf files to determine which actions to take.

   Further details are available in the CERT/CC Vulnerability Analysis
   blog. Thanks to Nick Brown and Emin Atac for providing the
   workaround.

IV.
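[Editor's note, not part of the forwarded alert.] The Solution section above describes the workaround as a .reg import plus a reboot or a MountPoints2 deletion. The following PowerShell script is an added example (written for this archive, not US-CERT's or CERT/CC's code) that audits a system for the same state and applies the same changes. It assumes an elevated session for the HKLM write, and it reads the `NoDriveTypeAutoRun` value from the `Policies\Explorer` keys and the `Autorun` value from the `Services\Cdrom` key, which are the standard locations for those values but are not spelled out in the alert itself.

```powershell
# Added example (not part of the US-CERT alert): audit and apply the
# Autorun.inf IniFileMapping workaround the alert describes, and report
# the registry values the alert says are insufficient on their own.
# Run in an elevated PowerShell session; writing under HKLM needs admin.
# The Policies\Explorer and Services\Cdrom paths below are assumed as the
# usual homes of NoDriveTypeAutoRun and Autorun; the alert does not name them.

$MappingKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$MappingValue = '@SYS:DoesNotExist'   # value the alert's REGEDIT4 snippet imports
$MountPoints2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$PolicyKeys   = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
                  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer')
$CdromKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'

function Test-AutorunInfMapping {
    # True only when the mapping key exists AND its default value points at
    # the non-existent section, i.e. the workaround is fully in place.
    if (-not (Test-Path -LiteralPath $MappingKey)) { return $false }
    $default = (Get-ItemProperty -LiteralPath $MappingKey).'(default)'
    return ($default -eq $MappingValue)
}

function Get-AutoRunPolicyState {
    # Report the values the alert calls ineffective on their own, for context,
    # together with whether the IniFileMapping workaround is present.
    $state = [ordered]@{}
    foreach ($key in $PolicyKeys) {
        $v = $null
        if (Test-Path -LiteralPath $key) {
            $v = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        $state["$key\NoDriveTypeAutoRun"] = if ($null -ne $v) { '0x{0:X2}' -f $v } else { '<not set>' }
    }
    $cd = $null
    if (Test-Path -LiteralPath $CdromKey) {
        $cd = (Get-ItemProperty -LiteralPath $CdromKey -ErrorAction SilentlyContinue).Autorun
    }
    $state["$CdromKey\Autorun"] = if ($null -ne $cd) { $cd } else { '<not set>' }
    $state['IniFileMapping workaround present'] = Test-AutorunInfMapping
    return [pscustomobject]$state
}

function Set-AutorunInfMapping {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Same effect as double-clicking the autorun.reg file from the alert.
    if ($PSCmdlet.ShouldProcess($MappingKey, "Set default value to $MappingValue")) {
        if (-not (Test-Path -LiteralPath $MappingKey)) {
            New-Item -Path $MappingKey -Force | Out-Null
        }
        Set-ItemProperty -LiteralPath $MappingKey -Name '(default)' -Value $MappingValue
    }
}

function Clear-CachedMountPoints {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # The alert's alternative to a reboot: drop the cached AutoRun data for
    # the current user so stale Autorun.inf parsing results are not reused.
    if ((Test-Path -LiteralPath $MountPoints2) -and
        $PSCmdlet.ShouldProcess($MountPoints2, 'Delete cached mount points')) {
        Remove-Item -LiteralPath $MountPoints2 -Recurse -Force
    }
}

# Usage: audit first, then apply. -WhatIf previews the registry writes.
Get-AutoRunPolicyState | Format-List
if (-not (Test-AutorunInfMapping)) {
    Set-AutorunInfMapping -WhatIf
    # Set-AutorunInfMapping      # apply for real (elevated session)
    # Clear-CachedMountPoints    # or reboot, as the alert recommends
}
```

`Test-AutorunInfMapping` is the check worth keeping in a compliance baseline: a `NoDriveTypeAutoRun` of `0xFF` on its own reports as "set" while, per the alert, still leaving the Explorer-click path open, so the audit deliberately reports the policy values and the mapping separately rather than collapsing them into one pass/fail.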
References

   * The Dangers of Windows AutoRun -
   * US-CERT Vulnerability Note VU#889747 -
   * Nick Brown's blog: Memory stick worms -
   * TR08-004 Disabling Autorun -
   * How to Enable or Disable Automatically Running CD-ROMs -
   * NoDriveTypeAutoRun -
   * Autorun.inf Entries -
   * W32.Downadup -
   * MS08-067 Worm, Downadup/Conflicker -
   * Social Engineering Autoplay and Windows 7 -

____________________________________________________________________

   The most recent version of this document can be found at:

____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to with "TA09-020A Feedback VU#889747" in the subject.

____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit .

____________________________________________________________________

   Produced 2009 by US-CERT, a government organization.

   Terms of use:

____________________________________________________________________

Revision History

   January 20, 2009: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSXYqQnIHljM+H4irAQL9EAgAwE5XWd+83CTwTl1vAbDW3sNfCaucmj79
VmXJ+GktQorbcp29fktYaQxXZ2A6qBREJ1FfwlM5BT0WftvGppLoQcQO3vbbwEQF
M0VG5xZhTOi8tf4nedBDgDj0ENJBgh6C73G5uZfVatQdFi79TFkf9SVe6xn5BkQm
5kKsly0d/CX/te15zZLd05AJVEVilbZcECUeDVAYDvWcQSkx2OsJFb+WkuWI9Loh
zkB7uOeZFY9bgrC04nr9DPHpaPFd8KCXegsxjqN1nIraaCabfvNamriqyUFHwAhK
sk/DFSjdI6xJ4fXjDQ77wfgLYyTeYQ/b2U/1sqkbOTdCgXqSop5RrA==
=6/cp
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Tue Jan 27 11:03:00 2009
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 27 Jan 2009 11:03:00 -0200
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA09-013A -- Microsoft Updates for Multiple SMB Protocol Vulnerabilities
Message-ID: <20090127130300.GD73442@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From:
US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA09-013A -- Microsoft Updates for Multiple SMB Protocol Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Tue, 13 Jan 2009 19:19:18 -0500
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA09-013A

Microsoft Updates for Multiple SMB Protocol Vulnerabilities

   Original release date: January 13, 2009
   Last revised: --
   Source: US-CERT

Systems Affected

   * Microsoft Windows 2000, XP, and Vista
   * Microsoft Windows Server 2000, 2003, and 2008

Overview

   Microsoft has released updates that address vulnerabilities in
   Microsoft Windows and Windows Server.

I. Description

   In their bulletin for January 2009, Microsoft released updates to
   address vulnerabilities in the Server Message Block (SMB) Protocol
   that affect all supported versions of Microsoft Windows.

II. Impact

   A remote, unauthenticated attacker could gain elevated privileges,
   execute arbitrary code, or cause a denial of service.

III. Solution

   Microsoft has provided updates for this vulnerability in the
   Microsoft Security Bulletin Summary for January 2009. The security
   bulletin describes any known issues related to the updates.
   Administrators are encouraged to note these issues and test for any
   potentially adverse effects.

   Administrators should also consider using an automated update
   distribution system such as Windows Server Update Services (WSUS).

IV. References

   * Microsoft Security Bulletin Summary for January 2009 -
   * Microsoft Windows Server Update Services -

____________________________________________________________________

   The most recent version of this document can be found at:

____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to with "TA09-013A Feedback VU#914388" in the subject.
____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit .

____________________________________________________________________

   Produced 2009 by US-CERT, a government organization.

   Terms of use:

____________________________________________________________________

Revision History

   January 13, 2009: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSW0bDnIHljM+H4irAQLx0Af/b03sL+OgksDzO95k6jApkaMunERyHGu+
e4W4KRZ8e6felHu8bqRlXfiPbJgCXn9JkUPfc+GwhBS0q5QXmLmygLZiSP2KyQFW
u2Px2X60OyDveK3Qhl9vd09tmcw1iQYkoq+II7PcmErDwMww8ya/0d+KCBTiB73j
8kf5Odb3aD10iOqwCjJO8N8mq2T1vjb332qnhHLAZFaWArgyE1E8Dukmz6gVT84l
mSkQYObCoPIdaUsQgNrOh7pz2TjnI0PCzZoBHmV1ItF8W9vXmTQ1tCPDGHnSCe9q
TdjD+UlnowZ4Q8Vnh/XPrUU6IG6CH0lyN2GMBLsgEfnY4DrSmrvLeA==
=lISj
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Tue Jan 27 11:03:46 2009
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 27 Jan 2009 11:03:46 -0200
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA09-015A -- Oracle Updates for Multiple Vulnerabilities
Message-ID: <20090127130344.GE73442@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA09-015A -- Oracle Updates for Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Thu, 15 Jan 2009 14:46:51 -0500
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA09-015A

Oracle Updates for Multiple Vulnerabilities

   Original release date: January 15, 2009
   Last revised: --
   Source: US-CERT

Systems Affected

   * Oracle Database 11g, version 11.1.0.6
   * Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3, and 10.2.0.4
   * Oracle Database 10g, version 10.1.0.5
   * Oracle Database 9i Release 2, versions 9.2.0.8 and
     9.2.0.8DV
   * Oracle Secure Backup, versions 10.1.0.1, 10.1.0.2, 10.1.0.3, 10.2.0.2, and 10.2.0.3
   * Oracle TimesTen In-Memory Database, versions 7.0.5.1.0, 7.0.5.2.0, 7.0.5.3.0, and 7.0.5.4.0
   * Oracle Application Server 10g Release 3 (10.1.3), version 10.1.3.3.0
   * Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.2.0 and 10.1.2.3.0
   * Oracle Collaboration Suite 10g, version 10.1.2
   * Oracle E-Business Suite Release 12, version 12.0.6
   * Oracle E-Business Suite Release 11i, version 11.5.10.2
   * Oracle Enterprise Manager Grid Control 10g Release 4, version 10.2.0.4
   * PeopleSoft Enterprise HRMS, versions 8.9 and 9.0
   * JD Edwards Tools, version 8.97
   * Oracle WebLogic Server (formerly BEA WebLogic Server) 10.0 released through MP1, 10.3 GA
   * Oracle WebLogic Server (formerly BEA WebLogic Server) 9.0 GA, 9.1 GA, 9.2 released through MP3
   * Oracle WebLogic Server (formerly BEA WebLogic Server) 8.1 released through SP6
   * Oracle WebLogic Server (formerly BEA WebLogic Server) 7.0 released through SP7
   * Oracle WebLogic Portal (formerly BEA WebLogic Portal) 10.0 released through MP1, 10.2 GA, 10.3 GA
   * Oracle WebLogic Portal (formerly BEA WebLogic Portal) 9.2 released through MP3
   * Oracle WebLogic Portal (formerly BEA WebLogic Portal) 8.1 released through SP6

   For more information regarding affected product versions, please see
   the Oracle Critical Patch Update - January 2009.

Overview

   Oracle products and components are affected by multiple
   vulnerabilities. The impacts of these vulnerabilities include remote
   execution of arbitrary code, information disclosure, and denial of
   service.

I. Description

   The Oracle Critical Patch Update - January 2009 addresses 41
   vulnerabilities in different Oracle products and components. The
   document provides information about affected components, access and
   authorization required, and the impact from the vulnerabilities on
   data confidentiality, integrity, and availability.
   Oracle has associated CVE identifiers with the vulnerabilities
   addressed in this Critical Patch Update. If significant additional
   details about vulnerabilities and remediation techniques become
   available, we will update the Vulnerability Notes Database.

II. Impact

   The impact of these vulnerabilities varies depending on the product,
   component, and configuration of the system. Potential consequences
   include the execution of arbitrary code or commands, information
   disclosure, and denial of service. Vulnerable components may be
   available to unauthenticated, remote attackers. An attacker who
   compromises an Oracle database may be able to access sensitive
   information.

III. Solution

   Apply the appropriate patches or upgrade as specified in the Oracle
   Critical Patch Update - January 2009. Note that this document only
   lists newly corrected issues. Updates to patches for previously known
   issues are not listed.

IV. References

   * Oracle Critical Patch Update for January 2009 -
   * Critical Patch Updates and Security Alerts -
   * Map of Public Vulnerability to Advisory/Alert -

____________________________________________________________________

   The most recent version of this document can be found at:

____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to with "TA09-015A Feedback VU#897316" in the subject.

____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit .

____________________________________________________________________

   Produced 2009 by US-CERT, a government organization.
   Terms of use:

____________________________________________________________________

Revision History

   January 15, 2009: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSW+R2HIHljM+H4irAQLnswf/f0DIMhNOZ/sC88dH+pCeSXEDMl7/HZtL
MJEzLABKMeWElPFiA3QY5EVGUEd6CJvdPq9aA2F0f85On+nm6+7SPV2uwc8xl+KM
QEkAOc2jS7fvw7QOXbrUo0kgTg8Z4vyR8km6OpCNOIHopCZ2KDwwSEg31UaOCKW1
JumHsB0unwEKoR3s8/OvWUkKgnWuhz4AtrYFZjzSCxrC+S2sB0gukW+z8RffNRgF
82MijTz62S3I9dcV4ssuBXldBMqeGfY40HxduQjoDBrBdmBuWb5+pEeMd3GblJet
mxgqACcMLIzozfJZczejK4m+K41RZd1nbEK/rpMCsdr9y+a7qFmM9g==
=Wkfo
-----END PGP SIGNATURE-----

----- End forwarded message -----