From security em unicamp.br Tue Aug 3 10:54:28 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 3 Aug 2010 10:54:28 -0300
Subject: [SECURITY-L] CAIS-Alerta: Out-of-band Microsoft bulletin for the shortcut file (.lnk) vulnerability
Message-ID: <20100803135427.GC37141@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Out-of-band Microsoft bulletin for the shortcut file (.lnk) vulnerability
To: pop-seg em cais.rnp.br, rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Mon, 2 Aug 2010 18:07:34 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

On 2 August Microsoft published one (01) out-of-band security bulletin for the widely reported vulnerability in the Windows shell that allows remote code execution through the handling of shortcut (link) files. At the time this summary was published, the vulnerability covered by the bulletin, MS10-046 (CVE-2010-2568), was being actively exploited.

SEVERITY

. Critical
  - MS10-046: Vulnerability in the Windows shell
    Vulnerability that allows remote code execution

. Important
  - No bulletins

. Moderate
  - No bulletins

. Low
  - No bulletins

The vulnerability severity rating system used by CAIS in this summary is Microsoft's own. CAIS recommends that, at a minimum, the fixes for vulnerabilities rated critical and important be applied. For fixes for vulnerabilities rated moderate, CAIS recommends that at least the mitigation recommendations be followed.

. Critical - Vulnerabilities whose exploitation could allow a worm to propagate without any user interaction.
. Important - Vulnerabilities whose exploitation could compromise the confidentiality, integrity or availability of user data, or the integrity or availability of processing resources.
. Moderate - Exploitation is significantly mitigated by factors such as default configuration, auditing or difficulty of exploitation.
. Low - A vulnerability whose exploitation is extremely difficult or whose impact is minimal.

AVAILABLE FIXES

It is recommended to update systems to the versions available at:

. Microsoft Update
  https://www.update.microsoft.com/microsoftupdate/

. Windows Server Update Services
  http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

MORE INFORMATION

. Microsoft Security Bulletin Summary for August 2010
  http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx

. SANS ISC Handler's Diary 2010-08-02 - Microsoft Out-of-Band bulletin addresses LNK/Shortcut vulnerability
  http://isc.sans.edu/diary.html?storyid=9313

. MS10-046: Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
  http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx

. Microsoft Security TechCenter
  http://technet.microsoft.com/pt-br/security/

. Microsoft Security Response Center - MSRC
  http://www.microsoft.com/security/msrc/

. Microsoft Security Research & Defense - MSRD
  http://blogs.technet.com/srd/

. Microsoft Security (Brazil)
  http://www.microsoft.com/brasil/security/

CVE identifier (http://cve.mitre.org): CVE-2010-2568

CAIS recommends that administrators keep their systems and applications up to date at all times, in line with the latest versions and fixes offered by the vendors.
CAIS alerts are also available as RSS/RDF and on Twitter:
http://www.rnp.br/cais/alertas/rss.xml
Follow @cais_rnp

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br                   http://www.cais.rnp.br #
# Tel. 019-37873300                          Fax. 019-37873301 #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iQCVAwUBTFcznOkli63F4U8VAQESHQP/blprFpSI39VqHdBr/Aphi2Su6FDot2m7
2xAxW46ixJpsb7FjnmLVoAuI+Ef5qb1BRYQ87frN69LAYA9fxTI8ioEsx7Z/Vll5
Tve5vyMWvNJ0QbL3/8xXuxOom7TydjewRSmDAqP0BUBcNOjykkqKQtptZQr0HlSC
mv699MOXz1s=
=CQph
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Wed Aug 11 09:30:53 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 11 Aug 2010 09:30:53 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA10-222A -- Microsoft Updates for Multiple Vulnerabilities
Message-ID: <20100811123053.GB88224@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA10-222A -- Microsoft Updates for Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Tue, 10 Aug 2010 15:23:14 -0400
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    National Cyber Alert System
              Technical Cyber Security Alert TA10-222A

            Microsoft Updates for Multiple Vulnerabilities

   Original release date: August 10, 2010
   Last revised: --
   Source: US-CERT

Systems Affected

     * Microsoft Windows
     * Microsoft Office
     * Internet Explorer
     * Microsoft .NET Framework
     * Microsoft Silverlight

Overview

   Microsoft has released updates to address vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, Microsoft .NET Framework, and Microsoft Silverlight.

I. Description

   The Microsoft Security Bulletin Summary for August 2010 describes multiple vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, Microsoft .NET Framework, and Microsoft Silverlight. Microsoft has released updates to address the vulnerabilities.

   One of the bulletins released, MS10-046, addresses a previously identified vulnerability in the Windows Shell that is actively being exploited. This vulnerability was also described in US-CERT Vulnerability Note VU#940193.

II. Impact

   A remote, unauthenticated attacker could execute arbitrary code or cause a vulnerable system or application to crash.

III. Solution

   Apply updates

   Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for August 2010. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

IV. References

     * Microsoft Security Bulletin Summary for August 2010 -
     * Microsoft Security Bulletin MS10-046 -
     * US-CERT Vulnerability Note VU#940193 -
     * Microsoft Windows Server Update Services -

   ____________________________________________________________________

   The most recent version of this document can be found at:
   ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA10-222A Feedback VU#505527" in the subject.
   ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this mailing list, visit .
   ____________________________________________________________________

   Produced 2010 by US-CERT, a government organization.
   Terms of use:
   ____________________________________________________________________

Revision History

   August 10, 2010: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTGGh8j6pPKYJORa3AQKsFggAsrzo1PtpJq5GtMwN1fOuAXXPVmbka/U9
5pskj1MKlXDjWzxC47AAaG4fu7EQ/6flgDhzEifg89Xjmh74abZcwhPxbKHM5Y6+
vgrCmSwINZ0wKiWVmpi3mhIQ4rrjd9N2Db82xtHSv4VRDqpZ3HQreNgV06YsnvAP
6up4qCfL2qKzV7tr2/sCEmbMsjhjc7UK1BNGu1YWNxmHL/ypPF5Mjy7w0FFuOAE8
at64g4/unlRWEi42L+yq/54k41wi3X7s8XecpWgHlgtX9I6kyHKu7QijFB7kOiUd
ILCTNCoF5xYIJ4Pdwgsj73rtmHotoRR1uLCLLr1Aisgxluqm61CJpQ==
=TqKf
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Wed Aug 11 09:31:19 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 11 Aug 2010 09:31:19 -0300
Subject: [SECURITY-L] CAIS-Alerta: Summary of Microsoft Security Bulletins - August 2010
Message-ID: <20100811123119.GC88224@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Summary of Microsoft Security Bulletins - August 2010
To: pop-seg em cais.rnp.br, rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 10 Aug 2010 18:01:31 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

On 10 August Microsoft published 14 security bulletins that address a total of 34 vulnerabilities in the company's products. Exploitation of these vulnerabilities allows remote code execution and elevation of privilege by logged-on local users. At the time this summary was published, one of the vulnerabilities covered by the bulletins, MS10-046 (CVE-2010-2568), was being actively exploited.

SEVERITY
. Critical
  - MS10-046: Vulnerability in the Windows shell
    Vulnerability that allows remote code execution
  - MS10-049: Vulnerabilities in SChannel
    Vulnerability that allows remote code execution
  - MS10-051: Vulnerability in Microsoft XML Core Services
    Vulnerability that allows remote code execution
  - MS10-052: Vulnerability in the Microsoft MPEG Layer-3 codecs
    Vulnerability that allows remote code execution
  - MS10-053: Cumulative security update for Internet Explorer
    Vulnerability that allows remote code execution
  - MS10-054: Vulnerabilities in the SMB server
    Vulnerability that allows remote code execution
  - MS10-055: Vulnerability in the Cinepak codec
    Vulnerability that allows remote code execution
  - MS10-056: Vulnerabilities in Microsoft Office Word
    Vulnerability that allows remote code execution
  - MS10-060: Vulnerabilities in the Microsoft .NET common language runtime and in Microsoft Silverlight
    Vulnerability that allows remote code execution

. Important
  - MS10-047: Vulnerabilities in the Windows kernel
    Vulnerability that allows elevation of privilege by logged-on local users
  - MS10-048: Vulnerabilities in the Windows kernel-mode drivers
    Vulnerability that allows elevation of privilege by logged-on local users
  - MS10-050: Vulnerability in Windows Movie Maker
    Vulnerability that allows remote code execution
  - MS10-057: Vulnerability in Microsoft Office Excel
    Vulnerability that allows remote code execution
  - MS10-058: Vulnerabilities in the Windows TCP/IP stack
    Vulnerability that allows elevation of privilege by logged-on local users
  - MS10-059: Vulnerabilities in the service tracing feature (Tracing Feature for Services)
    Vulnerability that allows elevation of privilege by logged-on local users

. Moderate
  - No bulletins
. Low
  - No bulletins

The vulnerability severity rating system used by CAIS in this summary is Microsoft's own. CAIS recommends that, at a minimum, the fixes for vulnerabilities rated critical and important be applied. For fixes for vulnerabilities rated moderate, CAIS recommends that at least the mitigation recommendations be followed.

. Critical - Vulnerabilities whose exploitation could allow a worm to propagate without any user interaction.
. Important - Vulnerabilities whose exploitation could compromise the confidentiality, integrity or availability of user data, or the integrity or availability of processing resources.
. Moderate - Exploitation is significantly mitigated by factors such as default configuration, auditing or difficulty of exploitation.
. Low - A vulnerability whose exploitation is extremely difficult or whose impact is minimal.

AVAILABLE FIXES

It is recommended to update systems to the versions available at:

. Microsoft Update
  https://www.update.microsoft.com/microsoftupdate/

. Windows Server Update Services
  http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

MORE INFORMATION

. Microsoft Security Bulletin Summary for August 2010
  http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx

. SANS ISC Handler's Diary 2010-08-10 - August 2010 Microsoft Black Tuesday Summary
  http://isc.sans.edu/diary.html?storyid=9361

. MS10-046 - Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
  http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx

. MS10-047 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)
  http://www.microsoft.com/technet/security/bulletin/MS10-047.mspx
. MS10-048 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
  http://www.microsoft.com/technet/security/Bulletin/MS10-048.mspx

. MS10-049 - Vulnerabilities in SChannel could allow Remote Code Execution (980436)
  http://www.microsoft.com/technet/security/bulletin/MS10-049.mspx

. MS10-050 - Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)
  http://www.microsoft.com/technet/security/bulletin/MS10-050.mspx

. MS10-051 - Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)
  http://www.microsoft.com/technet/security/bulletin/ms10-051.mspx

. MS10-052 - Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)
  http://www.microsoft.com/technet/security/Bulletin/MS10-052.mspx

. MS10-053 - Cumulative Security Update for Internet Explorer (2183461)
  http://www.microsoft.com/technet/security/bulletin/ms10-053.mspx

. MS10-054 - Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)
  http://www.microsoft.com/technet/security/Bulletin/MS10-054.mspx

. MS10-055 - Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)
  http://www.microsoft.com/technet/security/Bulletin/MS10-055.mspx

. MS10-056 - Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)
  http://www.microsoft.com/technet/security/Bulletin/MS10-056.mspx

. MS10-057 - Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)
  http://www.microsoft.com/technet/security/bulletin/ms10-057.mspx

. MS10-058 - Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)
  http://www.microsoft.com/technet/security/bulletin/MS10-058.mspx

. MS10-059 - Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799)
  http://www.microsoft.com/technet/security/Bulletin/MS10-059.mspx
. MS10-060 - Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)
  http://www.microsoft.com/technet/security/bulletin/MS10-060.mspx

. Microsoft Security TechCenter
  http://technet.microsoft.com/pt-br/security/

. Microsoft Security Response Center - MSRC
  http://www.microsoft.com/security/msrc/

. Microsoft Security Research & Defense - MSRD
  http://blogs.technet.com/srd/

. Microsoft Security (Brazil)
  http://www.microsoft.com/brasil/security/

CVE identifiers (http://cve.mitre.org):
CVE-2009-3555, CVE-2010-0019, CVE-2010-1258, CVE-2010-1882, CVE-2010-1887,
CVE-2010-1888, CVE-2010-1889, CVE-2010-1890, CVE-2010-1892, CVE-2010-1893,
CVE-2010-1894, CVE-2010-1895, CVE-2010-1896, CVE-2010-1897, CVE-2010-1898,
CVE-2010-1900, CVE-2010-1901, CVE-2010-1902, CVE-2010-1903, CVE-2010-2550,
CVE-2010-2551, CVE-2010-2552, CVE-2010-2553, CVE-2010-2554, CVE-2010-2555,
CVE-2010-2556, CVE-2010-2557, CVE-2010-2558, CVE-2010-2559, CVE-2010-2560,
CVE-2010-2561, CVE-2010-2562, CVE-2010-2564, CVE-2010-2566

CAIS recommends that administrators keep their systems and applications up to date at all times, in line with the latest versions and fixes offered by the vendors.

CAIS alerts are also available as RSS/RDF and on Twitter:
http://www.rnp.br/cais/alertas/rss.xml
Follow @cais_rnp

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br                   http://www.cais.rnp.br #
# Tel. 019-37873300                          Fax. 019-37873301 #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iQCVAwUBTGG+N+kli63F4U8VAQGNHQP+KIzdUUz3QWFtAAm7JT5y0E+NADFD4+oV
iKtPffqZrmIfFBclCBC7d1H5AXZYKoA4ZSC1EyQVbw6j9Z0HBvFtuFjrw6ffDoew
54u2Xiop1ZxX3LausNLoNh23cOlOlqk7SBmRPElX3l6ZjWAZ6hmTEikxyTayQHjc
lSGUJT/6ZWo=
=aGMg
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Thu Aug 12 08:38:16 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 12 Aug 2010 08:38:16 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA10-223A -- Adobe Flash and AIR Vulnerabilities
Message-ID: <20100812113815.GA3061@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA10-223A -- Adobe Flash and AIR Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Wed, 11 Aug 2010 14:13:29 -0400
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    National Cyber Alert System
              Technical Cyber Security Alert TA10-223A

                 Adobe Flash and AIR Vulnerabilities

   Original release date: August 11, 2010
   Last revised: --
   Source: US-CERT

Systems Affected

     * Adobe Flash Player 10.1.53.64 and earlier 10.x versions
     * Adobe Flash Player 9.0.277.0 and earlier 9.x versions
     * Adobe AIR 2.0.2.12610 and earlier versions
     * Adobe Reader 9.3.3 and earlier 9.x versions

   Other Adobe products that support Flash may also be vulnerable.

Overview

   According to Adobe Security Bulletin APSB10-16, there are vulnerabilities in Adobe Flash and AIR. These vulnerabilities affect Flash Player, AIR, and possibly other products that support Flash. A remote attacker could exploit these vulnerabilities to execute arbitrary code.

I. Description

   Adobe Security Bulletin APSB10-16 describes vulnerabilities in Adobe Flash that affect Flash Player and AIR. These vulnerabilities may also affect other products that independently support Flash, such as Adobe Reader, Acrobat, Photoshop, Photoshop Lightroom, Freehand MX, and Fireworks.

   An attacker could exploit these vulnerabilities by convincing a user to open specially crafted Flash content. Flash content is commonly hosted on a web page, but it can also be embedded in a PDF and other documents or provided as a stand-alone file.

II. Impact

   If a user opens specially crafted Flash content, a remote attacker may be able to execute arbitrary code.

III. Solution

   Update Flash and AIR

   Adobe Security Bulletin APSB10-16 recommends updating to Flash Player 10.1.82.76 or 9.0.280 and to AIR 2.0.3. This will update the Flash web browser plug-in and ActiveX control, as well as AIR. However, it will not update Flash support in Adobe Reader, Acrobat, or other products. To reduce your exposure to these and other Flash vulnerabilities, consider the following mitigation technique.

   Disable Flash in your web browser

   Uninstall Flash or restrict which sites are allowed to run Flash. To the extent possible, only run trusted Flash content on trusted domains. For more information, see Securing Your Web Browser.

   Additional workarounds are available in US-CERT Vulnerability Note VU#660993.

IV. References

     * Adobe Security Bulletin APSB10-16 -
     * US-CERT Vulnerability Report VU#660993 -
     * Securing Your Web Browser -

   ____________________________________________________________________

   The most recent version of this document can be found at:
   ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA10-223A Feedback VU#660993" in the subject.
   ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this mailing list, visit .
   ____________________________________________________________________

   Produced 2010 by US-CERT, a government organization.

   Terms of use:
   ____________________________________________________________________

Revision History

   August 11, 2010: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTGLmxz6pPKYJORa3AQLbCAf9ESAYnc5qpZL+yEfrELUvjs+d4nP+HOwx
mmhQakD1TMTbv4ej+A0YhsKdopIULkTnXueq+8CPAV+Ipqb39JiLcjtaQVZczmQt
H/bCmus0zzBs3b8uNMGpFD9Q5jFMpFzYsRgJNEpi73VQ4ukR6X/JgcO90DxwNQNe
77kEV57dHj9Iy/8YoTjp7u6dRSpYfe0gr2sPhVz5ekc5BOvo3ULFkeXKNCZTCOqZ
q+nHfJuj5AR6eIeoZlbK/gxHXqKH6jeqcwYfKLbUfr/rwJh8TpLcfqW+f02Y+lmg
0NWTfR4SWw9zXa/8lNRpFu1wkmgdjwrqc8a+5HNp3bBoygLPieHsDw==
=Exh3
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Mon Aug 23 11:08:47 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 23 Aug 2010 11:08:47 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA10-231A -- Adobe Reader and Acrobat Vulnerabilities
Message-ID: <20100823140846.GA86545@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA10-231A -- Adobe Reader and Acrobat Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Thu, 19 Aug 2010 17:15:07 -0400
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    National Cyber Alert System
              Technical Cyber Security Alert TA10-231A

              Adobe Reader and Acrobat Vulnerabilities

   Original release date: August 19, 2010
   Last revised: --
   Source: US-CERT

Systems Affected

     * Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh, and UNIX
     * Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh
     * Adobe Reader 8.2.3 and earlier versions for Windows, Macintosh, and UNIX
     * Adobe Acrobat 8.2.3 and earlier versions for Windows and Macintosh

Overview

   Adobe has released Security Bulletin APSB10-17, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat.

I. Description

   Adobe Security Bulletin APSB10-17 describes a number of vulnerabilities affecting Adobe Reader and Acrobat. These vulnerabilities affect Reader and Acrobat 9.3.3, earlier 9.x versions, 8.2.3, and earlier 8.x versions.

   An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. The Adobe Reader browser plug-in, which can automatically open PDF documents hosted on a website, is available for multiple web browsers and operating systems.

II. Impact

   These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF file.

III. Solution

   Update

   Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB10-17 and update vulnerable versions of Adobe Reader and Acrobat.

   Disable JavaScript in Adobe Reader and Acrobat

   Disabling JavaScript may prevent some exploits from resulting in code execution. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable Acrobat JavaScript).

   Adobe provides a framework to blacklist specific JavaScript APIs. If JavaScript must be enabled, this feature may be useful when specific APIs are known to be vulnerable or used in attacks.

   Prevent Internet Explorer from automatically opening PDF files

   The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction.
   This behavior can be reverted to a safer option that prompts the user by importing the following as a .REG file:

   Windows Registry Editor Version 5.00

   [HKEY_CLASSES_ROOT\AcroExch.Document.7]
   "EditFlags"=hex:00,00,00,00

   Disable the display of PDF files in the web browser

   Preventing PDF files from opening inside a web browser will partially mitigate this vulnerability. If this workaround is applied, it may also mitigate future vulnerabilities. To prevent PDF files from automatically being opened in a web browser, do the following:

     1. Open Adobe Acrobat Reader.
     2. Open the Edit menu.
     3. Choose the Preferences option.
     4. Choose the Internet section.
     5. Uncheck the "Display PDF in browser" checkbox.

   Do not access PDF files from untrusted sources

   Do not open unfamiliar or unexpected PDF files, particularly those hosted on websites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

IV. References

     * Security update available for Adobe Reader and Acrobat -
     * Adobe Reader and Acrobat JavaScript Blacklist Framework -

   ____________________________________________________________________

   The most recent version of this document can be found at:
   ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA10-231A Feedback VU#299148" in the subject.
   ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this mailing list, visit .
   ____________________________________________________________________

   Produced 2010 by US-CERT, a government organization.
   Terms of use:
   ____________________________________________________________________

Revision History

   August 19, 2010: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTG2ePD6pPKYJORa3AQIu6wgAleb6ka6/UmrZ8Eql0oJeCZ2s6G8QU6Xn
v8cJ+JcLT/Vtx0UEkd5cxCFoSKw588ypBKqgdSGPWiEb3GjYB+k6RiPX5DG1ijAr
xhYAf8UzHW8E8b0KF7jd/DlAoulq5poWP/R6GZRLZwuIwMMVp2WvrtNBTOFt5RBK
vboa+aR6ejplLBHOW9DAwkkmLcO6sZHZb26tolZC1H5HOZv3O/WlezBiiUeVFRiF
3C4Whg9Zbz8qcEN9uxaBIDUJncqCFA63zok3Mzd8lTExGcxQgj9mEP6Qt1n5D/hg
ez7edKPtWxLPGWy1+iZ5k/uE9maIlWemTqi9nI2QnT605o9au+IKbQ==
=iUoW
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Fri Aug 27 10:10:54 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Fri, 27 Aug 2010 10:10:54 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA10-238A -- Microsoft Windows Insecurely Loads Dynamic Libraries
Message-ID: <20100827131053.GA14953@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA10-238A -- Microsoft Windows Insecurely Loads Dynamic Libraries
To: technical-alerts em us-cert.gov
Date: Thu, 26 Aug 2010 16:40:26 -0400
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    National Cyber Alert System
              Technical Cyber Security Alert TA10-238A

         Microsoft Windows Insecurely Loads Dynamic Libraries

   Original release date: August 26, 2010
   Last revised: --
   Source: US-CERT

Systems Affected

   Any application running on the Microsoft Windows platform that uses dynamically linked libraries (DLLs) may be affected. Whether or not an application is vulnerable depends on how it specifically loads a DLL. Please see the Vendor Information section of Vulnerability Note VU#707943 for information about specific vendors.
Overview

   Due to the way Microsoft Windows loads dynamically linked libraries (DLLs), an application may load an attacker-supplied DLL instead of the legitimate one, resulting in the execution of arbitrary code.

I. Description

   Microsoft Windows supports dynamically linked libraries (DLLs) that are loaded when needed by an application. DLLs are typically loaded when the application is first started; however, DLLs may be loaded and unloaded while the application is running. An application can request a DLL file in a variety of ways, and Windows uses several different search algorithms to find DLL files. The interaction between the application and Windows can result in a DLL file being loaded from the current working directory of the application, instead of the Windows system directory or the directory where the application is installed.

   The current working directory could be the desktop, a removable storage device such as a USB key, a Windows file share, or a WebDAV location. When a file associated with an application is opened, a DLL in the same directory as the file may be loaded. Although an attacker may not have permission to write to the Windows system or application directories, the attacker may be able to write a DLL to a directory used to store files, or the attacker could provide their own directory.

   Attacks against this type of vulnerability have been referred to as "binary planting." Please see Vulnerability Note VU#707943 and Microsoft Security Advisory 2269637 for more information.

II. Impact

   By placing a DLL with the correct name (and possibly the relative directory path) in the current working directory, an attacker could execute arbitrary code with the privileges of the application that loads the DLL.

III. Solution

   Individual applications that run on the Windows platform may require patches or updates.
   Microsoft Knowledge Base article KB2264107 describes an update that provides a registry key that can prevent Windows from searching the current working directory for DLL files.

   Information about specific solutions for different vendors, general mitigation techniques, and secure ways for applications to load DLLs can be found in the Vendor Information and Solution sections of Vulnerability Note VU#707943.

IV. References

     * Vulnerability Note VU#707943 -
     * Microsoft Security Advisory (2269637) -
     * A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm -

   ____________________________________________________________________

   The most recent version of this document can be found at:
   ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA10-238A Feedback VU#707943" in the subject.
   ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this mailing list, visit .
   ____________________________________________________________________

   Produced 2010 by US-CERT, a government organization.
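[Editor's added example for the TA10-238A alert above; this PowerShell script is not part of the US-CERT alert, Microsoft's advisory or KB2264107.] The alert only names the CWDIllegalInDllSearch registry entry. The script below audits where that entry is set on a host, system-wide and per application, decodes what each value means, and can apply the setting. The registry locations (the Session Manager key and the Image File Execution Options per-image subkeys) and the value meanings (0, 1, 2 and 0xFFFFFFFF) are taken from KB2264107 and are assumptions as far as this alert is concerned; the function names, the 'notepad.exe' image and the mode labels are the editor's own. The entry has no effect until the KB2264107 update is installed.

```powershell
# Added example (not from the US-CERT alert, Microsoft or KB2264107 itself):
# audit and apply the CWDIllegalInDllSearch mitigation that KB2264107 introduces.
# Registry locations and value meanings follow KB2264107 (assumption: the alert
# only names the entry). The entry only takes effect once the KB2264107 update
# is installed; writing under HKLM requires an elevated PowerShell session.

$SystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'CWDIllegalInDllSearch'

function ConvertTo-UInt32Dword {
    # REG_DWORD values come back as signed Int32, so 0xFFFFFFFF reads as -1;
    # reinterpret the same four bytes as unsigned so it compares as 4294967295.
    param([int32]$Signed)
    return [BitConverter]::ToUInt32([BitConverter]::GetBytes($Signed), 0)
}

function Get-CwdDllSearchValue {
    # Returns the CWDIllegalInDllSearch DWORD under $Path as [uint32], or $null if absent.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return ConvertTo-UInt32Dword ([int32]$item.$ValueName)
}

function Get-CwdSettingDescription {
    # Meaning of each value, per KB2264107.
    param([uint32]$Value)
    switch ($Value) {
        0          { 'default: the current working directory (CWD) is searched for DLLs' }
        1          { 'CWD skipped when it is a remote folder (UNC share or WebDAV)' }
        2          { 'CWD skipped when it is a WebDAV folder' }
        4294967295 { 'CWD removed from the DLL search order entirely (0xFFFFFFFF)' }
        default    { "unrecognised value $Value" }
    }
}

function Get-CwdDllSearchAudit {
    # One row for the system-wide setting, plus one row per image that overrides
    # it through an Image File Execution Options subkey.
    $rows = @()
    $sys = Get-CwdDllSearchValue -Path $SystemKey
    $meaning = if ($null -eq $sys) { 'not set: behaves as 0 (CWD is searched)' } else { Get-CwdSettingDescription $sys }
    $rows += [pscustomobject]@{ Scope = 'system-wide'; Value = $sys; Meaning = $meaning }

    foreach ($sub in Get-ChildItem -LiteralPath $IfeoKey -ErrorAction SilentlyContinue) {
        $v = Get-CwdDllSearchValue -Path $sub.PSPath
        if ($null -ne $v) {
            $rows += [pscustomobject]@{ Scope = "image: $($sub.PSChildName)"; Value = $v; Meaning = (Get-CwdSettingDescription $v) }
        }
    }
    return $rows
}

function Set-CwdDllSearchSetting {
    # Writes the setting system-wide, or for a single image name when -ImageName
    # is given ('notepad.exe' below is a constructed example, not a recommendation).
    param(
        [Parameter(Mandatory)][ValidateSet('Default', 'BlockRemote', 'BlockWebDav', 'RemoveCwd')]
        [string]$Mode,
        [string]$ImageName
    )
    $value = switch ($Mode) {
        'Default'     { [uint32]0 }
        'BlockRemote' { [uint32]1 }
        'BlockWebDav' { [uint32]2 }
        'RemoveCwd'   { [uint32]4294967295 }
    }
    $path = if ($ImageName) { Join-Path $IfeoKey $ImageName } else { $SystemKey }
    if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
    # Set-ItemProperty -Type DWord expects a signed Int32, so 0xFFFFFFFF is handed over as -1.
    $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$value), 0)
    Set-ItemProperty -LiteralPath $path -Name $ValueName -Value $signed -Type DWord
}

# Usage: report the current state; the commented lines show how the strongest
# setting would be applied system-wide and, as an example, for one image.
Get-CwdDllSearchAudit | Format-Table -AutoSize
# Set-CwdDllSearchSetting -Mode RemoveCwd
# Set-CwdDllSearchSetting -Mode RemoveCwd -ImageName 'notepad.exe'
```

Run the audit before and after deploying the KB2264107 update so the two can be compared; a per-image override is the usual way to keep the system-wide RemoveCwd setting while exempting one application that legitimately loads DLLs from its working directory.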
   Terms of use:
   ____________________________________________________________________

Revision History

   August 26, 2010: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTHbPuj6pPKYJORa3AQI0Rwf+JjLbBdWxKa+8pzCefxhs+maIjzihg/vN
ZNF90uuFgMAdIrTD7+Qlv6TUc3ep/O28Dg11K8rXaOfxeyPsItMwpbz7vrpoUC5W
qvu6pYQnmhW/egryPPC8cwFecuDaTNNWDShwQ8oULXnp2mfj9q3LUvVOvLXaiwXs
rivmLthvhCjWBYpYFBb9yHjHOcQd4JQ0LS4A4BRzXGKTTgMnRvawPeHFQvsMlR0M
plrIJ4Lht3eOis97Rot9BIIcYytM74ctz6TwCwOz5JPTA1ncikEzoLhaKCQ2egpq
GmyjcQLo83JWRxDkBE9EkBhkpOjyhsvpVLZoJrqpkwKtJMUVeLcBBw==
=M/vJ
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Tue Aug 31 12:00:03 2010
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 31 Aug 2010 12:00:03 -0300
Subject: [SECURITY-L] CAIS-Alerta: Critical vulnerability in VxWorks embedded systems
Message-ID: <20100831150002.GA42836@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Critical vulnerability in VxWorks embedded systems
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Mon, 30 Aug 2010 17:00:49 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is relaying the US-CERT alert entitled "Wind River Systems VxWorks debug service enabled by default (VU#362332)", which concerns a vulnerability in VxWorks embedded systems.

VxWorks was the most popular embedded system in 2005. It was developed by Wind River Systems, a company later acquired by Intel. One of the devices that ship with this embedded system is the Polycom Soundpoint IP phone.

The vulnerability lies in the debug service (WDB agent), which is enabled by default on some devices and runs on port UDP/17185.
According to [1], this service uses the SunRPC protocol and allows an attacker to read and write the device's memory and execute commands on it; all that is required is remote access to the port. Since the protocol used by this service is UDP, which provides no authentication, connection establishment or session, requests made to the WDB agent can be spoofed by the attacker.

Exploit code for this vulnerability is already available on the Internet. Exploitation of this vulnerability may allow remote command execution. For this reason CAIS recommends updating the embedded system immediately.

AFFECTED SYSTEMS

At present, products from the following vendors that implement VxWorks are known to be affected by this vulnerability:

. 3com Inc
. Actelis Networks
. Alcatel-Lucent
. Allied Telesis
. Alvarion
. AMX
. Aperto Networks
. Apple Inc.
. ARRIS
. Avaya, Inc.
. Broadcom
. Canon
. Ceragon Networks Inc
. Cisco Systems, Inc.
. D-Link Systems, Inc.
. Dell Computer Corporation, Inc.
. Digicom
. DrayTek Corporation
. EMC Corporation
. Enablence
. Enterasys Networks
. Epson America, Inc.
. Ericsson
. Fluke Networks
. Foundry Networks, Inc.
. Gilat Network Systems
. Guangzhou Gaoke Communications
. Hewlett-Packard Company
. Huawei Technologies
. IWATSU Voice Networks
. Keda Communications
. Knovative Inc
. Lenovo
. Lutron Electronics
. Maipu Communication Technology
. Mitel Networks, Inc.
. Motorola, Inc.
. Netgear, Inc.
. Nokia
. Nortel Networks, Inc.
. Polycom
. Proxim, Inc.
. Rad Vision, Inc.
. Ricoh Company Ltd.
. Rockwell Automation
. Shoretel Communications, Inc.
. Siemens
. SMC Networks, Inc.
. TRENDnet
. Tut Systems, Inc.
. Wind River Systems, Inc.
. Xerox

The US-CERT document VU#362332 (document revision 50), which describes this vulnerability, lists several other vendors with status "Unknown" in its "Vendor Information" section.
Consequently, more vendors may be affected by this vulnerability.

AVAILABLE FIXES

As a stopgap measure, it is recommended to block access to port UDP/17185 and, if possible, to disable the debug service (WDB agent). CAIS recommends contacting the vendor to obtain an updated version of the embedded system with the fix for this vulnerability.

For a more up-to-date list of affected products, please consult reference VU#362332, available in the "More information" section of this alert.

MORE INFORMATION

. VU#362332: Wind River Systems VxWorks debug service enabled by default
  http://www.kb.cert.org/vuls/id/362332

. Shiny Old VxWorks Vulnerabilities [1]
  http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html

. ICS-CERT ADVISORY - ICSA-10-214-01 - VXWORKS VULNERABILITIES
  http://www.us-cert.gov/control_systems/pdf/ICSA-10-214-01_VxWorks_Vulnerabilities.pdf

CVE identifier (http://cve.mitre.org): CVE-2005-3715, CVE-2005-3804

CAIS recommends that administrators always keep their systems and applications up to date, in line with the latest versions and fixes offered by the vendors.

CAIS alerts are also available in RSS/RDF format and on Twitter:
http://www.rnp.br/cais/alertas/rss.xml
Follow @cais_rnp.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br                 http://www.cais.rnp.br   #
# Tel. 019-37873300                   Fax. 019-37873301        #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iQCVAwUBTHwN/Okli63F4U8VAQFOIwP8DJqMOYPQrXIiORV6NrmxbHVM3B5eHI9u
qPsKf2hqu9vWRQ2yYxlW0NFsqDne4X/IBrLeVaKUFr7F6xyci31zLjizXv1+AWO9
GvR4XY/A3BczQgrjB9H8fgdiZg2ENPnqhPqq0o8QLhLcaA5D8fduhlko82JrHO2Q
HDH1F8OUR2k=
=V76s
-----END PGP SIGNATURE-----

----- End forwarded message -----
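Added example, not part of the CAIS or US-CERT alert above: a small Python probe for checking whether anything still answers ONC RPC on the WDB agent port after the recommended blocking or disabling has been done. It sends a standard RPC NULL call (procedure 0, which RFC 5531 requires every RPC program to implement) to UDP/17185 and classifies the reply. Two things are assumptions, not statements from the alert: that the WDB agent registers as ONC RPC program 0x55555555, version 1, and that it answers a bare NULL call. The host used by default is a placeholder from TEST-NET-1, and the sample reply in the block is constructed, not captured.

```python
"""Probe UDP/17185 for an ONC RPC listener on the VxWorks WDB agent program.

Added example, not code from the CAIS/US-CERT alert. Assumptions (not stated
in the alert): the WDB agent is ONC RPC program 0x55555555, version 1, and it
answers the standard NULL procedure (proc 0). Hosts used here are placeholders.
"""
import os
import socket
import struct

WDB_PORT = 17185
WDB_PROG = 0x55555555   # assumed WDB agent RPC program number
WDB_VERS = 1            # assumed program version
PROC_NULL = 0           # RFC 5531: every RPC program must implement proc 0

MSG_CALL, MSG_REPLY = 0, 1
RPC_VERSION = 2
AUTH_NULL = 0
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}


def build_rpc_call(xid, prog, vers, proc, args=b""):
    """Serialise an ONC RPC v2 call message (RFC 5531 section 9) with AUTH_NULL
    credentials and verifier, followed by any procedure arguments."""
    header = struct.pack(">IIIIII", xid, MSG_CALL, RPC_VERSION, prog, vers, proc)
    cred = struct.pack(">II", AUTH_NULL, 0)   # flavor, opaque body length
    verf = struct.pack(">II", AUTH_NULL, 0)
    return header + cred + verf + args


def parse_rpc_reply(data, expected_xid):
    """Classify an RPC reply. 'answered' is True whenever a real RPC service
    replied to our xid, even if it rejected the call: on this port that is
    exactly the condition the mitigation is supposed to remove."""
    if len(data) < 12:
        return {"answered": False, "status": "short_packet"}
    xid, msg_type, reply_stat = struct.unpack(">III", data[:12])
    if xid != expected_xid or msg_type != MSG_REPLY:
        return {"answered": False, "status": "not_our_reply"}
    if reply_stat == 1:  # MSG_DENIED (auth or RPC version mismatch)
        return {"answered": True, "status": "MSG_DENIED"}
    # MSG_ACCEPTED: opaque verifier (flavor, length, XDR-padded body), then accept_stat
    if len(data) < 20:
        return {"answered": True, "status": "truncated_accepted_reply"}
    _flavor, verf_len = struct.unpack(">II", data[12:20])
    off = 20 + ((verf_len + 3) & ~3)
    if len(data) < off + 4:
        return {"answered": True, "status": "truncated_accepted_reply"}
    (accept_stat,) = struct.unpack(">I", data[off:off + 4])
    return {"answered": True,
            "status": ACCEPT_STAT.get(accept_stat, f"accept_stat_{accept_stat}")}


def probe_wdb_agent(host, port=WDB_PORT, timeout=2.0):
    """Send one NULL call to the assumed WDB program over UDP and classify the
    answer. Silence on UDP is inconclusive: the port may be filtered, the
    datagram dropped, or the agent may ignore a bare RPC call."""
    xid = struct.unpack(">I", os.urandom(4))[0]
    pkt = build_rpc_call(xid, WDB_PROG, WDB_VERS, PROC_NULL)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"answered": False, "status": "no_reply"}
    return parse_rpc_reply(data, xid)


# Constructed sample reply (not a capture): MSG_ACCEPTED with accept_stat
# PROC_UNAVAIL, i.e. the program is registered but did not understand proc 0.
SAMPLE_REPLY_XID = 0x1234
SAMPLE_REPLY = struct.pack(">IIIIII", SAMPLE_REPLY_XID, MSG_REPLY, 0, AUTH_NULL, 0, 3)


if __name__ == "__main__":
    import sys
    print("sample reply:", parse_rpc_reply(SAMPLE_REPLY, SAMPLE_REPLY_XID))
    for target in sys.argv[1:]:          # e.g. 192.0.2.10 (placeholder address)
        print(target, probe_wdb_agent(target))
```

Run it against the inventory of device addresses from the network segments an attacker could reach; any "answered" result, including PROG_UNAVAIL or MSG_DENIED, means an RPC service is still reachable on the WDB port and the block or disable step has not taken effect there. A clean "no_reply" proves less, which is the same property of UDP that lets requests to the agent be spoofed in the first place.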