September 2008 - Posts

After upgrading to Firefox 3.0.2, you may find that you can no longer save new passwords and that previously saved passwords are not automatically filled in when visiting certain web sites.

This is a recently discovered issue with Firefox 3.0.2. The passwords are not lost; however, if any saved password contains non-ASCII characters, Firefox 3.0.2 is unable to read or write the saved passwords.

Mozilla Knowledgebase Article

Posted Thu, Sep 25 2008 17:05 by Don | with no comments

Apple has released updates for Java for Mac OS X 10.4 and 10.5 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users to review Apple Articles HT3178 and HT3179 and apply any necessary updates to help mitigate the risks.

http://www.us-cert.gov/current/index.html#apple_releases_java_updates_for

Posted Thu, Sep 25 2008 10:42 by Don | with no comments

What’s New in Firefox 3.0.2

Firefox 3.0.2 contains the following updates:

  • Fixed several security issues.
  • Fixed several stability issues.
  • Official releases for Sinhala and Slovene are now available.
  • Beta releases for Bengali, Galician, Hindi, Icelandic, Kannada, Marathi, Telugu, and Thai are available for testing.
  • Fixed a number of minor issues with the layout of certain web pages.
  • Fixed several theme issues that affected right-to-left locales.
  • Fixed issue that caused some users with customized toolbars to have their Back and Forward buttons go missing (bug 426026)
  • Add new Extended Validation (EV) roots to Firefox 3.0.2.
  • On certain IDN sites, the password manager would not fill in username and password details properly.
  • Fixed several hangs and crashes that occurred when using screen readers.
  • Fixed Mac-specific issues:
    • Keyboard shortcuts would stop working in some cases.
    • Japanese, Korean, Chinese and Indic characters can not be entered (using IME) into text fields in Flash objects (bug 357670)
    • Firefox 3.0.1 could not be used when the user profile is stored on an AFP directory (bug 417037)

http://www.mozilla.com/en-US/firefox/3.0.2/releasenotes/

Posted Wed, Sep 24 2008 1:26 by Don | with no comments

VMware has released a Security Advisory indicating it has updated the ESXi and ESX 3.5 packages to address a vulnerability in "openwsman". This vulnerability is due to several buffer overflow conditions in the handling of HTTP basic authentication headers. Exploitation of this vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on the host running ESXi or ESX.

US-CERT encourages users and administrators to review VMware Security Advisory VMSA-2008-0015 and apply any necessary updates to help mitigate the risks.

http://www.us-cert.gov/current/index.html#vmware_releases_security_advisory_vmsa
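The bug class US-CERT describes, a fixed-size buffer receiving the decoded contents of an HTTP Basic authentication header, is easy to reproduce. The C below is an added illustration written for this page; it is not openwsman's code, and the function names, the 64-byte stack buffer, the 256-byte cap and the sample header are assumptions chosen for the example. The unsafe variant behaves correctly on an ordinary header and only misbehaves on one longer than its buffer, which is why this kind of bug survives functional testing; the hardened variant carries an explicit output capacity through the decoder and rejects anything that would not fit.

```c
#include <stdint.h>
#include <string.h>

/* Base64-decode `in` into `out`, never writing more than out_cap bytes.
 * Returns the number of bytes produced, or -1 on an invalid character or
 * when the decoded data would not fit. A '=' padding character ends input. */
static int b64_decode(const char *in, unsigned char *out, size_t out_cap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    for (; *in != '\0' && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (p == NULL) return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return -1;   /* the check the unsafe path lacks */
            out[n++] = (unsigned char)((acc >> bits) & 0xffu);
        }
    }
    return (int)n;
}

/* VULNERABLE PATTERN (illustration, not openwsman's code): the decoded
 * credential lands in a 64-byte stack buffer, but the decoder is given no
 * capacity (SIZE_MAX stands in for "no bound"), so a header carrying
 * roughly 88 or more base64 characters writes past the end of creds[].
 * On an ordinary header it works, which is what hides the bug. */
int basic_auth_unsafe(const char *hdr, char *user_out)
{
    char creds[64];
    char *colon;
    int n;

    if (strncmp(hdr, "Basic ", 6) != 0) return -1;
    n = b64_decode(hdr + 6, (unsigned char *)creds, SIZE_MAX);  /* unbounded */
    if (n < 0) return -1;
    creds[n] = '\0';                /* off by one even when n == 64 exactly */
    colon = strchr(creds, ':');
    if (colon == NULL) return -1;
    *colon = '\0';
    strcpy(user_out, creds);        /* caller's buffer size is unknown too */
    return 0;
}

/* HARDENED: every buffer travels with its capacity; input that would not
 * fit, lacks the ':' separator or is not base64 is rejected. 0 or -1. */
int basic_auth_parse(const char *hdr, char *user, size_t user_cap,
                     char *pass, size_t pass_cap)
{
    unsigned char buf[256];
    const unsigned char *colon;
    size_t ulen, plen;
    int n;

    if (strncmp(hdr, "Basic ", 6) != 0) return -1;
    n = b64_decode(hdr + 6, buf, sizeof buf - 1);   /* keep room for NUL */
    if (n < 0) return -1;
    buf[n] = '\0';
    colon = memchr(buf, ':', (size_t)n);
    if (colon == NULL) return -1;
    ulen = (size_t)(colon - buf);
    plen = (size_t)n - ulen - 1;
    if (ulen >= user_cap || plen >= pass_cap) return -1;  /* NUL needs space */
    memcpy(user, buf, ulen);
    user[ulen] = '\0';
    memcpy(pass, colon + 1, plen);
    pass[plen] = '\0';
    return 0;
}

/* Demo helper: 1 if hdr parses (hardened path) to exactly want_user/want_pass. */
int parses_to(const char *hdr, const char *want_user, const char *want_pass)
{
    char u[32], p[32];
    if (basic_auth_parse(hdr, u, sizeof u, p, sizeof p) != 0) return 0;
    return strcmp(u, want_user) == 0 && strcmp(p, want_pass) == 0;
}

/* Demo helper: hardened parser on a constructed header whose credential part
 * is 600 base64 characters (450 decoded bytes), far beyond the 256-byte cap. */
int oversized_header_status(void)
{
    char hdr[6 + 600 + 1], u[32], p[32];
    memcpy(hdr, "Basic ", 6);
    memset(hdr + 6, 'A', 600);
    hdr[606] = '\0';
    return basic_auth_parse(hdr, u, sizeof u, p, sizeof p);
}

/* Demo helper: the vulnerable parser on a normal-length header. */
int unsafe_user_matches(const char *hdr, const char *want_user)
{
    char u[32];
    return basic_auth_unsafe(hdr, u) == 0 && strcmp(u, want_user) == 0;
}
```

`YWxpY2U6czNjcmV0` is the base64 of the constructed credential `alice:s3cret`; both parsers accept it, and only the hardened one refuses a 600-character credential. A regression test that sends only the expected credential passes both variants, so fuzz the length of the `Authorization` value, not just its content.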

Adobe has released a Security Advisory to alert users of potential vulnerabilities affecting the Macintosh version of Illustrator CS2. By convincing a user to open a malicious Adobe Illustrator file, an attacker may be able to execute arbitrary code.

In the advisory, Adobe recommends that users exercise caution when receiving unsolicited or suspicious files. Adobe also states that they are currently unaware of any public exploitation of these vulnerabilities.

US-CERT will provide more information as it becomes available.

http://www.us-cert.gov/current/index.html#adobe_releases_security_advisory_for

Issued: September 17, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-052 - Critical

Bulletin Information:

* MS08-052 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx
  - Reason for Revision: V2.1 (September 17, 2008): Changed
    references to Microsoft Office Project 2002 Service Pack 2 as
    affected software to Microsoft Office Project 2002 Service
    Pack 1. This is a name change only. There were no changes to
    the binaries or detection. 
  - Originally posted: September 9, 2008
  - Updated: September 17, 2008
  - Bulletin Severity Rating: Critical
  - Version: 2.1

Apple has released Security Update 2008-006 and Mac OS X v10.5.5 to address multiple vulnerabilities in Mac OS X and related products. The impacts of these vulnerabilities include arbitrary code execution, information disclosure, denial of service, privilege escalation, or DNS cache poisoning.

US-CERT encourages users to review Apple article HT3137 and apply the appropriate updates as soon as possible.

US-CERT will provide additional details as they become available.

http://www.us-cert.gov/current/index.html#apple_releases_security_updates_for1

Issued: September 15, 2008

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS08-054 - Critical
  * MS08-053 - Critical

Bulletin Information:

* MS08-054 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms08-054.mspx
 - Reason for Revision: V2.0 (September 15, 2008): Added entry to
    the Frequently Asked Questions (FAQ) Related to This Security
    Update section to communicate the re-release of the Norwegian
    language update for Windows Media Player 11 on all supported
    32-bit editions of Windows XP. Customers who require the
    Norwegian language update need to download and install the
    re-released update. Also removed an erroneous entry from the
    Non-Affected software table. 
 - Originally posted: September 9, 2008
 - Updated: September 15, 2008
 - Bulletin Severity Rating: Critical
 - Version: 2.0
   
* MS08-053 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms08-053.mspx
 - Reason for Revision: V2.0 (September 15, 2008): Added entry to
    the Frequently Asked Questions (FAQ) Related to This Security
    Update section to communicate the re-release of the Norwegian
    language update for Windows Media Encoder 9 Series running on
    Microsoft Windows 2000 Service Pack 4, Windows Media Encoder
    9 Series running on Windows XP Service Pack 2 and Windows XP
    Service Pack 3, and Windows Media Encoder 9 Series running on
    Windows Server 2003 Service Pack 1 and Windows Server 2003
    Service Pack 2. Customers who require the Norwegian language
    updates need to download and install the re-released updates. 
 - Originally posted: September 9, 2008
 - Updated: September 15, 2008
 - Bulletin Severity Rating: Critical
 - Version: 2.0

Issued: September 12, 2008

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS08-052 - Critical

Bulletin Information:

* MS08-052 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx
 - Reason for Revision: V2.0 (September 12, 2008): Bulletin updated
    to add Microsoft Office Project 2002 Service Pack 2, all
    Office Viewer software for Microsoft Office 2003, and all
    Office Viewer software for 2007 Microsoft Office System as
    Affected Software. Details for this bulletin revision are
    provided in the Why was this bulletin revised on September
    12, 2008? entry in the Frequently Asked Questions (FAQ)
    Related to this Security Update section. 
 - Originally posted: September 9, 2008
 - Updated: September 12, 2008
 - Bulletin Severity Rating: Critical
 - Version: 2.0

Apple has released four security updates to address multiple vulnerabilities in iTunes, QuickTime, iPod touch, and Bonjour for Windows. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, conduct DNS cache poisoning attacks, spoof or hijack TCP sessions, access the system with escalated privileges, or obtain sensitive information.

US-CERT encourages users and administrators to review the following Apple Security Articles and apply any necessary updates:

http://www.us-cert.gov/current/index.html#apple_releases_security_updates1

Issued: September 10, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-055 - Critical
  * MS08-054 - Critical
  * MS08-053 - Critical
  * MS08-051 - Critical
  * MS08-049 - Important
  * MS08-018 - Critical
  * MS08-012 - Critical
  * MS08-009 - Critical
  * MS07-047 - Important

Bulletin Information:

* MS08-055 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-055.mspx
  - Reason for Revision: V1.1 (September 10, 2008): Corrected the
    installation switches and deployment information for OneNote
    2007, and added to the list of non-affected software. Also,
    updated FAQ entries explaining why this update is offered to
    systems with non-affected software. 
  - Originally posted: September 9, 2008
  - Updated: September 10, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1
   
* MS08-054 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-054.mspx
  - Reason for Revision: V1.1 (September 10, 2008): Removed erroneous
    entry from Mitigating Factors for Windows Media Player
    Sampling Rate Vulnerability - CVE-2008-2253. 
  - Originally posted: September 9, 2008
  - Updated: September 10, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1
   
* MS08-053 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-053.mspx
  - Reason for Revision: V1.1 (September 10, 2008): Corrected the
    "Installing without user intervention" and "Installing
    without restarting" switches in the Security Update
    Deployment sections for Windows Vista and Windows Server
    2008. Also changed "C:\Program Files" to "%programfiles%" in
    the Workarounds for Windows Media Encoder Buffer Overrun
    Vulnerability - CVE-2008-3008 commands. 
  - Originally posted: September 9, 2008
  - Updated: September 10, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1
   
* MS08-051 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-051.mspx
  - Reason for Revision: V2.1 (September 10, 2008): Added Microsoft
    Office Live Meeting 2005 client and Microsoft Office Live
    Meeting 2007 client to the list of non-affected software. 
  - Originally posted: August 12, 2008
  - Updated: September 10, 2008
  - Bulletin Severity Rating: Critical
  - Version: 2.1
   
* MS08-049 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms08-049.mspx
  - Reason for Revision: V1.1 (September 10, 2008): Corrected a
    registry key verification entry for Windows XP. 
  - Originally posted: August 12, 2008
  - Updated: September 10, 2008
  - Bulletin Severity Rating: Important
  - Version: 1.1
   
* MS08-018 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-018.mspx
  - Reason for Revision: V1.3 (September 10, 2008): Bulletin updated:
    Added entry to Update FAQ to clarify why this update is
    Critical for Project 2000 but only Important for all other
    affected versions of Project. 
  - Originally posted: April 8, 2008
  - Updated: September 10, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.3
   
* MS08-012 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-012.mspx
  - Reason for Revision: V1.2 (September 10, 2008): Bulletin updated
    to add FAQ entry to clarify why non-vulnerable versions of
    Microsoft Office can be offered this update. 
  - Originally posted: February 12, 2008
  - Updated: September 10, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.2
   
* MS08-009 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-009.mspx
  - Reason for Revision: V1.2 (September 10, 2008): Bulletin updated:
    Added entry to Update FAQ to clarify why non-vulnerable
    versions of Microsoft Office can be offered this update. 
  - Originally posted: February 12, 2008
  - Updated: September 10, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.2
   
* MS07-047 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms07-047.mspx
  - Reason for Revision: V2.1 (September 10, 2008): Removed Windows
    Media Player 9 on Windows XP Service Pack 3 from the Affected
    Software table. This is a bulletin change only; there were no
    changes to detection or to the binaries. Customers who have
    successfully updated their systems do not need to reinstall
    this update. 
  - Originally posted: August 14, 2007
  - Updated: September 10, 2008
  - Bulletin Severity Rating: Important
  - Version: 2.1

Note: There may be latency issues due to replication; if the page does not display, keep refreshing.
September 9

Today Microsoft released the following Security Bulletin(s). 

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

September Bulletin Summary

Critical (4)

MS08-054 - Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)
MS08-052 - Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)
MS08-053 - Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156)
MS08-055 - Vulnerability in Microsoft Office Could Allow Remote Code Execution (955047)

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

Issued: September 3, 2008

Summary

The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-022 - Critical


Bulletin Information:

* MS08-022 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-022.mspx
  - Reason for Revision: V2.1 (September 3, 2008): Corrected
    security update entries for Windows XP and Windows Server 2003
    to include -v2 in the file package names. This is a correction
    to the package names only, customers who have successfully
    updated their systems do not need to reinstall this update.
  - Originally posted: April 8, 2008
  - Updated: September 3, 2008
  - Bulletin Severity Rating: Critical
  - Version: 2.1

Issued: September 4, 2008

This is an advance notification of security bulletins that
Microsoft is intending to release on September 9, 2008.

The full version of the Microsoft Security Bulletin Advance
Notification for September 2008 can be found at
http://www.microsoft.com/technet/security/bulletin/ms08-sep.mspx.

This bulletin advance notification will be replaced with the
September bulletin summary on September 9, 2008. For more information
about the bulletin advance notification service, see
http://www.microsoft.com/technet/security/Bulletin/advance.mspx.

To receive automatic notifications whenever
Microsoft Security Bulletins are issued, subscribe to Microsoft
Technical Security Notifications on
http://www.microsoft.com/technet/security/bulletin/notify.mspx.

Microsoft will host a webcast to address customer questions on
these bulletins on Wednesday, September 10, 2008,
at 11:00 AM Pacific Time (US & Canada). Register for the September
Security Bulletin Webcast at
http://www.microsoft.com/technet/security/bulletin/summary.mspx.

Microsoft also provides information to help customers prioritize
monthly security updates with any non-security, high-priority
updates that are being released on the same day as the monthly
security updates. Please see the section, Other Information.

This advance notification provides the software subject as the
bulletin identifier, because the official Microsoft Security
Bulletin numbers are not issued until release. The bulletin summary
that replaces this advance notification will have the proper
Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the
bulletin identifier. The security bulletins for this month are as
follows, in order of severity:

Critical Security Bulletins

Windows Media Player Bulletin

  - Affected Software:
    - Windows Media Player 11 on
      Windows XP Service Pack 2 and
      Windows XP Service Pack 3
    - Windows Media Player 11 on
      Windows XP Professional x64 Edition and
      Windows XP Professional x64 Edition Service Pack 2
    - Windows Media Player 11 on
      Windows Vista and
      Windows Vista Service Pack 1
    - Windows Media Player 11 on
      Windows Vista x64 Edition and
      Windows Vista x64 Edition Service Pack 1
    - Windows Media Player 11 on
      Windows Server 2008 for 32-bit Systems
      (Windows Server 2008 Server Core installation not affected)
    - Windows Media Player 11 on
      Windows Server 2008 for x64-based Systems
      (Windows Server 2008 Server Core installation not affected)

    - Impact: Remote Code Execution
    - Version Number: 1.0

Windows Bulletin

  - Affected Software:
    - Microsoft Internet Explorer 6 on
      Microsoft Windows 2000 Service Pack 4
    - Microsoft .NET Framework 1.0 Service Pack 3 on
      Microsoft Windows 2000 Service Pack 4
    - Microsoft .NET Framework 1.1 Service Pack 1 on
      Microsoft Windows 2000 Service Pack 4
    - Microsoft .NET Framework 2.0 on
      Microsoft Windows 2000 Service Pack 4
    - Microsoft .NET Framework 2.0 Service Pack 1 on
      Microsoft Windows 2000 Service Pack 4
    - Windows XP Service Pack 2 and
      Windows XP Service Pack 3
    - Windows XP Professional x64 Edition and
      Windows XP Professional x64 Edition Service Pack 2
    - Windows Server 2003 Service Pack 1 and
      Windows Server 2003 Service Pack 2
    - Windows Server 2003 x64 Edition and
      Windows 2003 Server x64 Edition Service Pack 2
    - Windows Server 2003 with SP1 for Itanium-based Systems and
      Windows Server 2003 with SP2 for Itanium based Systems
    - Windows Vista and
      Windows Vista Service Pack 1
    - Windows Vista x64 Edition and
      Windows Vista x64 Edition Service Pack 1
    - Windows Server 2008 for 32-bit Systems
      (Windows Server 2008 Server Core installation not affected)
    - Windows Server 2008 for x64-based Systems
      (Windows Server 2008 Server Core installation not affected)
    - Windows Server 2008 for Itanium-based Systems
    - Microsoft Office XP Service Pack 3
    - Microsoft Office 2003 Service Pack 2
    - 2007 Microsoft Office System
    - Microsoft Visio 2002 Service Pack 2
    - Microsoft Office PowerPoint Viewer 2003
    - Microsoft Works 8
    - Microsoft Digital image Suite 2006
    - QFE update for SQL 2000 Reporting Services Service Pack 2
      when installed on Microsoft Windows 2000 Service Pack 4
    - GDR update for SQL Server 2005 Service Pack 2
    - QFE update for SQL Server 2005 Service Pack 2
    - GDR update for SQL Server 2005 x64 Edition Service Pack 2
    - QFE update for SQL Server 2005 x64 Edition Service Pack 2
    - GDR update for SQL Server 2005 for Itanium-based Systems
      Service Pack 2
    - QFE update for SQL Server 2005 for Itanium-based Systems
      Service Pack 2
    - Microsoft Visual Studio .NET 2002 Service Pack 1
    - Microsoft Visual Studio .NET 2003 Service Pack 1
    - Microsoft Visual Studio 2005 Service Pack 1
    - Microsoft Visual Studio 2008
    - Microsoft Report Viewer 2005 Service Pack 1
      Redistributable Package when installed on
      Microsoft Windows 2000 Service Pack 4
    - Microsoft Report Viewer 2008
      Redistributable Package when installed on
      Microsoft Windows 2000 Service Pack 4
    - Microsoft Visual FoxPro 8.0 Service Pack 1
      when installed on Microsoft Windows 2000 Service Pack 4
    - Microsoft Visual FoxPro 9.0 Service Pack 1
      when installed on Microsoft Windows 2000 Service Pack 4
    - Microsoft Visual FoxPro 9.0 Service Pack 2
      when installed on Microsoft Windows 2000 Service Pack 4
    - Microsoft Platform SDK Redistributable: GDI+
    - Microsoft Forefront Client Security 1.0 when installed on
      Microsoft Windows 2000 Service Pack 4

    - Impact: Remote Code Execution
    - Version Number: 1.0

Windows Media Encoder Bulletin

  - Affected Software:
    - Windows Media Encoder 9 Series on
      Microsoft Windows 2000 Service Pack 4
    - Windows Media Encoder 9 Series on
      Windows XP Service Pack 2 and
      Windows XP Service Pack 3
    - Windows Media Encoder 9 Series on
      Windows XP Professional x64 Edition and
      Windows XP Professional x64 Edition Service Pack 2
    - Windows Media Encoder 9 Series x64 Edition on
      Windows XP Professional x64 Edition and
      Windows XP Professional x64 Edition Service Pack 2
    - Windows Media Encoder 9 Series on
      Windows Server 2003 Service Pack 1 and
      Windows Server 2003 Service Pack 2
    - Windows Media Encoder 9 Series on
      Windows Server 2003 x64 Edition and
      Windows Server 2003 x64 Edition Service Pack 2
    - Windows Media Encoder 9 Series x64 Edition on
      Windows Server 2003 x64 Edition and
      Windows Server 2003 x64 Edition Service Pack 2
    - Windows Media Encoder 9 Series on
      Windows Vista and
      Windows Vista Service Pack 1
    - Windows Media Encoder 9 Series on
      Windows Vista x64 Edition and
      Windows Vista x64 Edition Service Pack 1
    - Windows Media Encoder 9 Series x64 Edition on
      Windows Vista x64 Edition and
      Windows Vista x64 Edition Service Pack 1
    - Windows Media Encoder 9 Series on
      Windows Server 2008 for 32-bit Systems
      (Windows Server 2008 Server Core installation not affected)
    - Windows Media Encoder 9 Series on
      Windows Server 2008 for x64-based Systems
      (Windows Server 2008 Server Core installation not affected)
    - Windows Media Encoder 9 Series x64 Edition on
      Windows Server 2008 for x64-based Systems
      (Windows Server 2008 Server Core installation not affected)

    - Impact: Remote Code Execution
    - Version Number: 1.0

Office Bulletin

  - Affected Software:
    - Microsoft Office XP Service Pack 3
    - Microsoft Office 2003 Service Pack 2
    - Microsoft Office 2003 Service Pack 3
    - 2007 Microsoft Office System
    - 2007 Microsoft Office System Service Pack 1
    - Microsoft Office OneNote 2007
    - Microsoft Office OneNote 2007 Service Pack 1

    - Impact: Remote Code Execution
    - Version Number: 1.0

Other Information


Microsoft Windows Malicious Software Removal Tool:

Microsoft will release an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Update, Microsoft Update,
Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS:

For information about non-security releases on Windows Update and
Microsoft Update, please see:
* http://support.microsoft.com/kb/894199: Microsoft Knowledge Base
  Article 894199, Description of Software Update Services and
  Windows Server Update Services changes in content for 2008.
  Includes all Windows content.
* http://technet.microsoft.com/en-us/wsus/bb466214.aspx: New,
  Revised, and Released Updates for Microsoft Products Other Than
  Microsoft Windows

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new copycat wave of fake celebrity news being sent out via spam emails. Similar to the earlier 'MSNBC.com Breaking News' and 'Bogus CNN Custom Alerts' attacks, these emails contain links to a malicious Web page on a compromised site that is designed to encourage users to download a malicious application posing as a video codec. The same page also contains iframes leading to an exploit site.

Over the last few days, the ThreatSeeker Network has seen huge volumes of spam wrapped up in CNN and MSNBC themed templates. Recently, email alerts listing different popular events and news articles also encouraged users to download a video codec, which was actually a malicious file.

Details ...

Posted Wed, Sep 3 2008 16:54 by Don | with no comments

On Wednesday, researchers announced a flaw in how the Google Chrome browser behaves with undefined handlers. An exploit provided as a demonstration crashes the new browser.

In an article on the Securiteam site, Rishi Narang from Evilfingers says a crash can occur without user interaction. If a user is provided a malicious link with an undefined handler followed by a special character, Chrome crashes.

Story continues at news.cnet.com

Posted Wed, Sep 3 2008 13:15 by Don | with no comments

VMware has released a security announcement to address multiple vulnerabilities in VMware Workstation, VMware Player, VMware ACE, VMware Server, and VMware ESX. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, access the system with elevated privileges, or obtain sensitive information.

US-CERT encourages users and administrators to review the VMware security announcement and apply any necessary updates.

http://www.us-cert.gov/current/index.html#vmware_releases_security_announcement

Posted Wed, Sep 3 2008 13:13 by Don | with no comments