Adobe has released a security bulletin for Adobe Flash Player to address multiple vulnerabilities. These vulnerabilities affect Adobe Flash Player 11.4.402.278 and earlier versions for Windows, Adobe Flash Player 11.4.402.265 and earlier versions for Macintosh, Adobe Flash Player 11.2.202.238 and earlier versions for Linux, Adobe Flash Player 11.1.115.17 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.16 and earlier versions for Android 3.x and 2.x. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.
US-CERT encourages users and administrators to review Adobe Security Bulletin APSB12-22 and apply any necessary updates to help mitigate the risks.
This product is provided subject to this Notification and this Privacy & Use policy.
Microsoft has released updates to address vulnerabilities in Microsoft Windows, SQL Server, Server Software, Office, and Lync as part of the Microsoft Security Bulletin summary for October 2012. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or operate with elevated privileges.
US-CERT encourages users and administrators to review the bulletin and follow best-practice security policies to determine which updates should be applied.
Adobe has released a security bulletin to address an issue with a current Adobe code signing certificate. The certificate to be revoked has been used to sign malicious code. The certificate will be revoked on October 4, 2012 for all software code signed after July 10, 2012. Adobe is issuing a new digital certificate for all affected products.
US-CERT encourages users and administrators to review the Adobe Security Bulletin APSA12-01 and take any necessary actions to help mitigate the risk.
US-CERT is aware of recent increases in the exploitation of known vulnerabilities in web content management systems (CMSs) such as WordPress and Joomla. Compromised CMS installations can be used to host malicious content.
US-CERT recommends that users and administrators ensure that their CMS installations are patched or upgraded to remove known vulnerabilities. This may require contacting the hosting provider. Also, users and administrators can check for known vulnerabilities in the National Vulnerability Database by searching their CMS by name.
Microsoft has released Security Advisory 2757760 to address a vulnerability in Microsoft Internet Explorer 6, 7, 8, and 9. This vulnerability may allow an attacker to execute arbitrary code if a user accesses specially crafted HTML documents (e.g., a web page or an HTML email message or attachment).
US-CERT encourages users and administrators to review Microsoft Security Advisory 2757760. This advisory indicates that the workaround does not correct the vulnerability, but it may help mitigate the risk against known attack vectors.
Additional information regarding CVE-2012-4969 can be found in the US-CERT Technical Alert TA12-262A and Vulnerability Note VU#480095.
Update: Microsoft has released an out-of-band patch to address this vulnerability. US-CERT encourages users and administrators to review Microsoft Security Bulletin MS12-063 and apply any necessary updates to help mitigate the risk.
Microsoft has released updates to address vulnerabilities in Microsoft Development Tools and Server Software as part of the Microsoft Security Bulletin summary for September 2012. These vulnerabilities may allow an attacker to operate with elevated privileges.
US-CERT encourages users and administrators to review the bulletin and follow best-practice security policies to determine which updates should be applied.
US-CERT has released Vulnerability Note VU#636312 to address a vulnerability in Oracle Java Runtime Environment (JRE) 1.7. This vulnerability may allow an attacker to execute arbitrary code on a vulnerable system.
US-CERT encourages users and administrators to review Vulnerability Note VU#636312. This advisory includes possible workarounds that help mitigate the risk against known attack vectors by disabling the Java plug-in.
Update: Oracle has released an out-of-band patch to address this vulnerability. US-CERT encourages users and administrators to review the Oracle Security Alert for CVE-2012-4681 and apply any necessary updates to help mitigate the risk.
US-CERT is aware of multiple malware campaigns impersonating multiple U.S. government agencies, including the United States Cyber Command (USCYBERCOM) and the Federal Bureau of Investigation (FBI). Once installed on a system, the malware displays a screen claiming that a Federal Government agency has identified the user's computer as being associated with one or more crimes. The user is told to pay a fine to regain the use of the computer, usually through prepaid money card services.
Affected users should not follow the payment instructions. US-CERT encourages users to follow the recommendations in Security Tip ST05-006, Recovering from Viruses, Worms, and Trojan Horses. Users may also choose to file a complaint with the FBI's Internet Crime Complaint Center (IC3).
Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer, Office, SQL Server, Server Software, Developer Tools, and Exchange Server as part of the Microsoft Security Bulletin summary for August 2012. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or operate with elevated privileges.
US-CERT encourages users and administrators to review the bulletin and follow best-practice security policies to determine which updates should be applied.
Additional information regarding the bulletin can be found in US-CERT Technical Alert TA12-227A.
The Mozilla Foundation has released updates for the following products to address multiple vulnerabilities:
These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, disclose sensitive information, operate with elevated privileges, bypass security restrictions, or perform a cross-site scripting attack.
US-CERT encourages users and administrators to review the Mozilla Foundation Advisory for Firefox 14, Firefox ESR 10.0.6, Thunderbird 14, Thunderbird ESR 10.0.6, and SeaMonkey 2.11 and apply any necessary updates to help mitigate the risk.
Oracle has released its Critical Patch Update for July 2012 to address 87 vulnerabilities across multiple products. This update contains the following security fixes:
US-CERT encourages users and administrators to review the July 2012 Critical Patch Update and apply any necessary updates to help mitigate the risks.
Update: Additional information regarding Outside In vulnerabilities can be found in US-CERT Vulnerability Note VU#118913.
Google has released Google Chrome 20.0.1132.57 for Linux, Mac, Windows, and Chrome Frame to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.
US-CERT encourages users and administrators to review the Google Chrome Release blog entry and update to Chrome 20.0.1132.57.
Microsoft has released security advisory 2719662 to address a vulnerability in Microsoft Windows Sidebar and Gadgets. This vulnerability may allow an attacker to execute arbitrary code, take control of an affected system, or disclose sensitive information.
US-CERT encourages users and administrators to review Microsoft Security Advisory 2719662. This advisory indicates that the workaround does not correct the vulnerability, but it may help mitigate the risk against known attack vectors by disabling the Windows Sidebar and Gadgets.
US-CERT will provide additional information as it becomes available.
Microsoft has released security advisory 2728973 to replace a number of certificates that did not meet Microsoft's high standard of Public-Key Infrastructure (PKI) management. This update places the intermediate certificate authority (CA) certificates in the Untrusted Certificate Store and replaces them with new certificates that meet Microsoft's PKI standards.
US-CERT encourages users and administrators to review Microsoft Security Advisory 2728973 and take any necessary action to help mitigate this risk.
Cisco has released security advisories to address multiple vulnerabilities affecting the following products:
These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or inject commands.
US-CERT encourages users and administrators to review Cisco Security Advisories cisco-sa-20120711-ctrs, cisco-sa-20120711-ctms, cisco-sa-20120711-ctsman, and cisco-sa-20120711-cts and apply any necessary updates to help mitigate the risk.
Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer, Office, Developer Tools, and Server Software as part of the Microsoft Security Bulletin summary for July 2012. These vulnerabilities may allow an attacker to execute arbitrary code, operate with elevated privileges, or disclose sensitive information.
US-CERT encourages users and administrators to review the bulletin and follow best-practice security policies to determine which updates should be applied.
Cisco has released a security advisory to address vulnerabilities affecting the following products:
These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.
US-CERT encourages users and administrators to review Cisco Security Advisory cisco-sa-20120627-webex and apply any necessary updates to help mitigate this risk.
Google has released Google Chrome 20.0.1132.43 for Linux, Mac, Windows, and Chrome Frame to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.
US-CERT encourages users and administrators to review the Google Chrome Release blog entry and update to Chrome 20.0.1132.43.
Microsoft has released Security Advisory 2719615 to address a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0. This vulnerability may allow an attacker to execute arbitrary code if a user accesses specially crafted web pages using Internet Explorer. According to the advisory, this vulnerability is currently being exploited in the wild.
US-CERT encourages users and administrators to review Microsoft Security Advisory 2719615. The advisory indicates that the workaround does not correct the vulnerability, but it may help mitigate the risk against known attack vectors.
Update: Additional information regarding CVE-2012-1889 can be found in the US-CERT Technical Alert TA12-174A.
Cisco has released three security advisories to address vulnerabilities affecting the following products:
These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.
US-CERT encourages users and administrators to review Cisco Security Advisories cisco-sa-20120620-asaipv6, cisco-sa-20120620-ac, and cisco-sa-20120620-ace and apply any necessary updates to help mitigate the risk.
Apple has released a Java update to address multiple vulnerabilities for the following products:
These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.
US-CERT encourages users and administrators to review Apple article HT5319 and apply any necessary updates to help mitigate the risks.
Oracle released its Critical Patch Update for June 2012 containing 14 security fixes for the following products:
US-CERT encourages users and administrators to review Oracle Java SE Critical Patch Update Advisory for June 2012 and apply any necessary updates to help mitigate the risk.
Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer, .NET Framework, Lync, and Dynamics AX as part of the Microsoft Security Bulletin Summary for June 2012. These vulnerabilities may allow an attacker to execute arbitrary code or operate with elevated privileges.
US-CERT encourages users and administrators to review the bulletin and follow best-practice security policies to determine which updates should be applied.
Additional information regarding CVE-2012-0217 can be found in the US-CERT Vulnerability Note VU#649219.
Apple has released iTunes 10.6.3 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.
US-CERT encourages users and administrators to review Apple Support Article HT5318 and apply any necessary updates to help mitigate the risk.
Adobe has released a Security Bulletin for Adobe Flash Player to address vulnerabilities affecting the following software versions:
These vulnerabilities may allow an attacker to take control of the affected system or cause a denial-of-service condition.
US-CERT encourages users and administrators to review Adobe Security Bulletin APSB12-14 and apply any necessary updates to help mitigate the risk.
The Mozilla Foundation has released updates for the following products to address multiple vulnerabilities:
These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, disclose sensitive information, operate with elevated privileges, or perform a cross-site scripting attack.
US-CERT encourages users and administrators to review the Mozilla Foundation Advisory for Firefox 13, Firefox ESR 10.0.5, Thunderbird 13, Thunderbird ESR 10.0.5, and SeaMonkey 2.10 and apply any necessary updates to help mitigate the risk.
Adobe has released security bulletins to address multiple vulnerabilities for the following products:
Exploitation of these vulnerabilities may allow an attacker to take control of an affected system.
US-CERT encourages users and administrators to review Adobe Security Bulletins APSB12-10 and APSB12-11 and apply any necessary updates to help mitigate the risk.
Microsoft has released a security advisory to address the revocation of a number of unauthorized digital certificates. Maintaining these certificates within your certificate store may allow an attacker to spoof content, perform a phishing attack, or perform a man-in-the-middle attack.
The following certificates have been revoked by this update:
Google has released Google Chrome 19.0.1084.52 for Linux, Mac, Windows, and Chrome Frame to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.
US-CERT encourages users and administrators to review the Google Chrome Release blog entry and update to Chrome 19.0.1084.52.
Apple has released QuickTime 7.7.2 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.
US-CERT encourages users and administrators to review Apple Support Article HT5261 and apply any necessary updates to help mitigate the risk.