US CERT Bulletins for Feb

Mozilla Releases Firefox Updates

added February 4, 2009 at 08:57 am

Mozilla has released Firefox 3.0.6 to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, or conduct cross-site scripting attacks. As described in the Mozilla Foundation Security Advisories, some of these vulnerabilities may also affect Thunderbird and SeaMonkey.

US-CERT encourages users to do the following to help mitigate the risks:

Review the Mozilla Foundation Security Advisory.

Update to Firefox 3.0.6.

IRS Stimulus Package Phishing Scam

added February 6, 2009 at 10:03 am | updated February 6, 2009 at 02:43 pm

US-CERT is aware of public reports indicating that phishing scams are circulating via fraudulent U.S. Internal Revenue Service emails offering users stimulus package payments. These emails include text that attempts to convince users to follow a link to a website or to complete an attached document. The website and document request the user to provide personal information.

Users receiving the fraudulent email messages are encouraged to send the email message and the website URL to the IRS at phishing@irs.gov.

US-CERT encourages users to do the following to help mitigate the risks:

• Do not follow unsolicited web links received in email messages.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks (pdf) document for more information on social engineering attacks.
• Review the How to Report and Identify Phishing, E-mail Scams and Bogus IRS Web Sites document on the IRS website.
  

BlackBerry Security Advisory

added February 10, 2009 at 03:39 pm

Research In Motion has released a Security Advisory to address a vulnerability in the BlackBerry Application Web Loader ActiveX control. By convincing a user to view a specially crafted HTML document, an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer to crash.

US-CERT encourages users to review BlackBerry Security Advisory KB16248 and apply the resolution or implement the workaround listed in the document to help mitigate the risk.

Microsoft Releases February Security Bulletin Summary

added February 10, 2009 at 03:37 pm

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Office, Internet Explorer, Exchange Server, and SQL Server as part of the Microsoft Security Bulletin Summary for February 2009. These vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.