October 2009 - Posts

On November 3, 2009, Sun will release the following security updates:

  • JDK and JRE 6 Update 17
  • JDK and JRE 5.0 Update 22
  • SDK and JRE 1.4.2_24
  • SDK and JRE 1.3.1_27

http://blogs.sun.com/security/entry/advance_notification_of_security_updates6

Issued: October 29, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS09-052 - Critical

Bulletin Information:

* MS09-052 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-052.mspx
- Reason for Revision: V1.1 (October 29, 2009): Removed a
workaround. Also added an entry in the section, Frequently
Asked Questions (FAQ) Related to This Security Update, to
clarify why some customers without Windows Media Player 6.4
on their systems may be offered this update.
- Originally posted: October 13, 2009
- Updated: October 29, 2009
- Bulletin Severity Rating: Critical
- Version: 1.1

Issued: October 28, 2009

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-062 - Critical

Bulletin Information:

* MS09-062 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
- Reason for Revision: V2.0 (October 28, 2009): Added Microsoft
Office Visio Viewer 2007, Microsoft Office Visio Viewer 2007
Service Pack 1, and Microsoft Office Visio Viewer 2007
Service Pack 2 as affected software, and added SQL Server
2008 and SQL Server 2008 Service Pack 1 to the Non-Affected
Software table. Also added notes to the Affected Software
table for SQL Server 2005 customers with a Reporting Services
SharePoint dependency; corrected the MBSA detection entries
for Microsoft Report Viewer; and corrected the log file and
registry key verification information for Microsoft Internet
Explorer 6 Service Pack 1 when installed on Microsoft Windows
2000 Service Pack 4.
- Originally posted: October 13, 2009
- Updated: October 28, 2009
- Bulletin Severity Rating: Critical
- Version: 2.0

The Federal Deposit Insurance Corporation (FDIC) has released information warning the public about fraudulent email messages purporting to come from the FDIC. These email messages provide a link to a fraudulent FDIC website. Users are then instructed to download their "personal FDIC Insurance File."

More information regarding these messages can be found in the Federal Deposit Insurance Corporation's Consumer Alerts website.

Users are encouraged to take the following measures to protect themselves from this type of phishing scam:

  • Do not follow unsolicited web links received in email messages.
  • Verify the website by manually typing the URL when attempting to connect to web sites recommended in an email.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Source: US-CERT

    Posted Wed, Oct 28 2009 8:33 by Don

    Firefox 3.5.4 is available for download.

    Fixed in Firefox 3.5.4:

    MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/1.9.0.15)
    MFSA 2009-63 Upgrade media libraries to fix memory safety bugs
    MFSA 2009-62 Download filename spoofing with RTL override
    MFSA 2009-61 Cross-origin data theft through document.getSelection()
    MFSA 2009-59 Heap buffer overflow in string to number conversion
    MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
    MFSA 2009-56 Heap buffer overflow in GIF color map parser
    MFSA 2009-55 Crash in proxy auto-configuration regexp parsing
    MFSA 2009-54 Crash with recursive web-worker calls
    MFSA 2009-53 Local downloaded file tampering
    MFSA 2009-52 Form history vulnerable to stealing

    Posted Wed, Oct 28 2009 5:20 by Don

    Issued: October 27, 2009

    Summary

    The following bulletins have undergone a major revision increment.
    Please see the appropriate bulletin for more details.

    * MS09-043 - Critical

    Bulletin Information:

    * MS09-043 - Critical

    - http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx
    - Reason for Revision: V2.0 (October 27, 2009): Bulletin revised to
    communicate the rerelease of the update for Microsoft Office
    2003 Service Pack 3 and Microsoft Office 2003 Web Components
    Service Pack 3 to fix a detection issue. This is a detection
    change only; there were no changes to the binaries. Customers
    who have successfully updated their systems do not need to
    reinstall this update.
    - Originally posted: August 11, 2009
    - Updated: October 27, 2009
    - Bulletin Severity Rating: Critical
    - Version: 2.0

    Websense® Security Labs™ ThreatSeeker™ Network has discovered a new wave of malicious email attacks claiming to be a password reset confirmation from Facebook. The From: address on the messages is spoofed using support@facebook.com to make the messages believable to recipients. The messages contain a .zip file attachment with an .exe file inside. The .exe file currently has a detection rate of about 30 percent on VirusTotal. Our ThreatSeeker™ Network has seen up to 90,000 of these messages sent out so far today.

    Alert Details

    Posted Tue, Oct 27 2009 4:47 by Don

    Issued: October 21, 2009

    Summary

    The following bulletins have undergone a minor revision increment.
    Please see the appropriate bulletin for more details.

    * MS09-061 - Critical
    * MS09-060 - Critical

    Bulletin Information:

    * MS09-061 - Critical

    - http://www.microsoft.com/technet/security/bulletin/ms09-061.mspx
    - Reason for Revision: V1.1 (October 21, 2009): Corrected the
    deployment information for Microsoft .NET Framework on all
    supported releases of Microsoft Windows. This is an
    informational change only. Customers who have successfully
    installed this update do not need to reinstall.
    - Originally posted: October 13, 2009
    - Updated: October 21, 2009
    - Bulletin Severity Rating: Critical
    - Version: 1.1

    * MS09-060 - Critical

    - http://www.microsoft.com/technet/security/bulletin/ms09-060.mspx
    - Reason for Revision: V1.1 (October 21, 2009): Added entries to
    the section, Frequently Asked Questions (FAQ) Related to This
    Security Update, to describe the known issue update available
    from KB974554, KB974556, or KB974234.
    - Originally posted: October 13, 2009
    - Updated: October 21, 2009
    - Bulletin Severity Rating: Critical
    - Version: 1.1

    Oracle has released its Critical Patch Update for October 2009 to address 38 vulnerabilities across several products. This update contains the following security fixes:

    • 16 for the Oracle Database
    • 3 for the Oracle Application Server
    • 8 for the Oracle E-Business Suite and Applications
    • 4 for the Oracle PeopleSoft and JD Edwards Suite
    • 6 for the Oracle BEA Products Suite
    • 1 for the Oracle Industry Applications Products Suite

    US-CERT encourages users and administrators to review the October Critical Patch Update and apply any necessary updates.

    Source: US-CERT

    Issued: October 19, 2009

    Summary

    The following bulletins have undergone a minor revision increment.
    Please see the appropriate bulletin for more details.

    * MS09-054 - Critical
    * MS09-053 - Important

    Bulletin Information:

    * MS09-054 - Critical

    - http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
    - Reason for Revision: V1.2 (October 19, 2009): Added a link to
    Microsoft Knowledge Base Article 974455 under Known Issues in
    the Executive Summary.
    - Originally posted: October 13, 2009
    - Updated: October 19, 2009
    - Bulletin Severity Rating: Critical
    - Version: 1.2

    * MS09-053 - Important

    - http://www.microsoft.com/technet/security/bulletin/ms09-053.mspx
    - Reason for Revision: V1.1 (October 19, 2009): Removed the
    acknowledgments section. Corrected the affected software and
    severity tables to reclassify Windows XP Professional x64
    Edition Service Pack 2 as running IIS 6.0.
    - Originally posted: October 13, 2009
    - Updated: October 19, 2009
    - Bulletin Severity Rating: Important
    - Version: 1.1

    Issued: October 19, 2009

    Summary

    The following bulletins have undergone a minor revision increment.
    Please see the appropriate bulletin for more details.

    * MS09-053 - Important

    Bulletin Information:

    * MS09-053 - Important

    - http://www.microsoft.com/technet/security/bulletin/ms09-053.mspx
    - Reason for Revision: V1.1 (October 19, 2009): Removed the
    acknowledgments section. Corrected the affected software and
    severity tables to reclassify Windows XP Professional x64
    Edition Service Pack 2 as running IIS 6.0.
    - Originally posted: October 13, 2009
    - Updated: October 19, 2009
    - Bulletin Severity Rating: Important
    - Version: 1.1

    Issued: October 18, 2009

    Summary

    The following bulletin has undergone a minor revision increment.

    * MS09-054 - Critical

    Bulletin Information:

    * MS09-054 - Critical

    - http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
    - Reason for Revision: V1.1 (October 18, 2009): Revised the
    Executive Summary and added FAQ entries for CVE-2009-2529 to
    provide direction for Firefox users.
    - Originally posted: October 13, 2009
    - Updated: October 18, 2009
    - Bulletin Severity Rating: Critical
    - Version: 1.1

    Websense® Security Labs™ ThreatSeeker™ Network has discovered a new wave of malicious attacks claiming to be an update for Microsoft Outlook Web Access (OWA). Victims receive a message leading to a site to apply mailbox settings which were supposedly changed due to a "security upgrade." The especially dangerous thing about these messages is that they are very deceiving. The messages and attack pages are personalized for the To: email address to imply the message is being sent from tech support of the domain. The URL in the email looks like it leads to the company's own OWA system. We have seen upwards of 30,000 of these messages per hour and they have low AV detection.

    Alert Details

    Posted Thu, Oct 15 2009 3:55 by Don

    Issued: October 14, 2009

    Security Advisory Updated or Released Today

    * Microsoft Security Advisory (973811)
    - Title: Extended Protection for Authentication
    - http://www.microsoft.com/technet/security/advisory/973811.mspx
    - Revision Note: V1.1 (October 14, 2009): Updated the FAQ
    with information about a non-security update included in
    MS09-054 relating to WinINET.

    Issued: October 14, 2009

    Summary

    The following bulletins have undergone a minor revision increment.
    Please see the appropriate bulletin for more details.

    * MS09-062 - Critical
    * MS09-059 - Important
    * MS09-055 - Critical
    * MS09-051 - Critical
    * MS09-050 - Critical
    * MS09-046 - Critical

    Bulletin Information:

    * MS09-062 - Critical

    - http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
    - Reason for Revision: V1.1 (October 14, 2009): Added Microsoft SQL
    Server 2005 Express Edition Service Pack 3 to the
    Non-Affected Software table, and updated the Developer Tools
    entries in the Detection and Deployment Tools and Guidance section.
    - Originally posted: October 13, 2009
    - Updated: October 14, 2009
    - Bulletin Severity Rating: Critical
    - Version: 1.1

    * MS09-059 - Important

    - http://www.microsoft.com/technet/security/bulletin/ms09-059.mspx
    - Reason for Revision: V1.1 (October 14, 2009): Corrected the
    introductory description for CVE-2009-2524 in the
    vulnerability information section.
    - Originally posted: October 13, 2009
    - Updated: October 14, 2009
    - Bulletin Severity Rating: Important
    - Version: 1.1

    * MS09-055 - Critical

    - http://www.microsoft.com/technet/security/bulletin/ms09-055.mspx
    - Reason for Revision: V1.1 (October 14, 2009): Corrected the
    download link for Windows XP x64 Edition Service Pack 2. Also
    removed an erroneous entry from the FAQ for CVE-2009-2493.
    - Originally posted: October 13, 2009
    - Updated: October 14, 2009
    - Bulletin Severity Rating: Critical
    - Version: 1.1

    * MS09-051 - Critical

    - http://www.microsoft.com/technet/security/bulletin/ms09-051.mspx
    - Reason for Revision: V1.1 (October 14, 2009): Clarified the
    entry, "I have Windows Media Player installed on my system.
    Why am I not being offered some of the updates?" in the FAQ
    section. Also corrected the FAQ for CVE-2009-0555 to indicate
    that Microsoft is aware of limited attacks attempting to
    exploit the vulnerability.
    - Originally posted: October 13, 2009
    - Updated: October 14, 2009
    - Bulletin Severity Rating: Critical
    - Version: 1.1

    * MS09-050 - Critical

    - http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx
    - Reason for Revision: V1.1 (October 14, 2009): Clarified the
    entry, "When this security bulletin was issued, had Microsoft
    received any reports that this vulnerability was being
    exploited?" in the section, FAQ for SMBv2 Negotiation
    Vulnerability - CVE-2009-3103.
    - Originally posted: October 13, 2009
    - Updated: October 14, 2009
    - Bulletin Severity Rating: Critical
    - Version: 1.1

    * MS09-046 - Critical

    - http://www.microsoft.com/technet/security/bulletin/ms09-046.mspx
    - Reason for Revision: V1.0 (October 14, 2009): Corrected the class
    identifier for the ActiveX control in the workaround,
    "Prevent the DHTML ActiveX control COM object from running in
    Internet Explorer."
    - Originally posted: September 8, 2009
    - Updated: October 14, 2009
    - Bulletin Severity Rating: Critical
    - Version: 1.1

    Issued: October 13, 2009

    Summary

    The following bulletin has undergone a minor revision increment.
    * MS09-024 - Critical

    Bulletin Information:

    * MS09-024 - Critical

    - http://www.microsoft.com/technet/security/bulletin/ms09-024.mspx
    - Reason for Revision: V1.1 (October 13, 2009): Bulletin revised to
    announce the addition of language localizations to the update
    for Works 9. Customers who have already successfully applied
    the original update to Works 9 are not affected by this revision.
    - Originally posted: June 9, 2009
    - Updated: October 13, 2009
    - Bulletin Severity Rating: Critical
    - Version: 1.1

    Issued: October 13, 2009

    Security Advisories Updated or Released Today

    * Microsoft Security Advisory (975497)
    - Title: Vulnerabilities in SMB Could Allow Remote
    Code Execution
    - http://www.microsoft.com/technet/security/advisory/975497.mspx
    - Revision Note: V2.0 (October 13, 2009): Advisory updated to
    reflect publication of security bulletin.

    * Microsoft Security Advisory (975191)
    - Title: Vulnerabilities in the FTP Service in
    Internet Information Services
    - http://www.microsoft.com/technet/security/advisory/975191.mspx
    - Revision Note: V3.0 (October 13, 2009): Advisory updated to
    reflect publication of security bulletin.

    * Microsoft Security Advisory (973882)
    - Title: Vulnerabilities in Microsoft Active Template
    Library (ATL) Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/security/advisory/973882.mspx
    - Revision Note: V4.0 (October 13, 2009): Advisory revised to
    add an entry in the Updates related to ATL section to
    communicate the release of Microsoft Security Bulletin
    MS09-060, "Vulnerabilities in Microsoft Active Template
    Library (ATL) ActiveX Controls for Microsoft Office Could
    Allow Remote Code Execution."

    Issued: October 13, 2009

    Summary

    The following bulletin has undergone a major revision increment.

    * MS08-069 - Critical

    Bulletin Information:

    * MS08-069 - Critical

    - http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx
    - Reason for Revision: V3.0 (October 13, 2009): Added Microsoft XML
    Core Services 4.0 (KB954430) when installed on 32-bit and
    x64-based editions of Windows 7 and on x64-based and
    Itanium-based editions of Windows Server 2008 R2 as affected
    software. This is a detection change only; there were no
    changes to the binaries. Customers who have already
    successfully installed KB954430 do not need to reinstall.
    - Originally posted: November 11, 2008
    - Updated: October 13, 2009
    - Bulletin Severity Rating: Critical
    - Version: 3.0

    Summary

    Critical vulnerabilities have been identified in Adobe Reader 9.1.3 and Acrobat 9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and UNIX, and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. This update represents the second quarterly security update for Adobe Reader and Acrobat.

    Adobe recommends users of Adobe Reader 9.1.3 and Acrobat 9.1.3 and earlier versions update to Adobe Reader 9.2 and Acrobat 9.2. Adobe recommends users of Acrobat 8.1.6 and earlier versions update to Acrobat 8.1.7, and users of Acrobat 7.1.3 and earlier versions update to Acrobat 7.1.4. For Adobe Reader users who cannot update to Adobe Reader 9.2, Adobe has provided the Adobe Reader 8.1.7 and Adobe Reader 7.1.4 updates. Updates apply to all platforms: Windows, Macintosh and UNIX.

    Affected software versions

    Adobe Reader 9.1.3 and earlier versions for Windows, Macintosh, and UNIX
    Adobe Acrobat 9.1.3 and earlier versions for Windows and Macintosh

    Full Security Bulletin

    Language(s): English
    Product(s): Security
    Audience(s): IT Generalist
    Duration: 90 Minutes
    Start Date: Wednesday, October 14, 2009 11:00 AM Pacific Time (US & Canada)

    Event Overview

    On October 14, 2009, Microsoft releases its monthly security bulletins. Join us for a brief overview of the technical details of the October security bulletins. We intend to address your concerns in this webcast; therefore, most of the webcast is devoted to attendees asking questions about the bulletins and getting answers from Microsoft security experts.

    Presenters: Christopher Budd, Trustworthy Computing Senior Public Relations Manager, Microsoft Corporation; and Adrian Stone, Senior Security Program Manager Lead, Microsoft Corporation


    Posted Tue, Oct 13 2009 13:52 by Don