-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA08-225A

Microsoft Updates for Multiple Vulnerabilities

Original release date: August 12, 2008
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft Office including Access, Excel, and Word

Overview

Microsoft has released updates that address vulnerabilities in Microsoft
Windows, Office, and Internet Explorer.

I. Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA08-193A

Sun Java Updates for Multiple Vulnerabilities

Original release date: July 11, 2008
Last revised:
Source: US-CERT

Systems Affected

Sun Java Runtime Environment versions
* JDK and JRE 6 Update 6 and earlier
* JDK and JRE 5.0 Update 16 and earlier
* SDK and JRE 1.4.2_17 and earlier
* SDK and JRE 1.3.1_22 and earlier

Overview

Sun has released alerts to address multiple vulnerabilities affecting the
Sun Java Runtime Environment. The most severe of these vulnerabilities could
allow a remote attacker to execute arbitrary code.

I. Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA08-190B

Multiple DNS implementations vulnerable to cache poisoning

Original release date: July 08, 2008
Last revised: --
Source: US-CERT

Systems Affected

Systems implementing:
* Caching DNS resolvers
* DNS stub resolvers

Affected systems include both client and server systems, and any other
networked systems that include this functionality.

Overview

Deficiencies in the DNS protocol and common DNS implementations facilitate
DNS cache poisoning attacks. Effective attack techniques against these
vulnerabilities have been demonstrated.

I. Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA08-189A

Microsoft Office Snapshot Viewer ActiveX Vulnerability

Original release date: July 7, 2008
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Office Access 2000
* Microsoft Office Access XP
* Microsoft Office Access 2003
* Microsoft Office Snapshot Viewer

Overview

An unpatched vulnerability in the Microsoft Office Snapshot Viewer ActiveX
control is being used in attacks.

I. Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA07-DDDA

Microsoft Updates for Multiple Vulnerabilities

Original release date: June 10, 2008
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows
* Microsoft Windows Server
* Microsoft Internet Explorer

Overview

Microsoft has released updates that address vulnerabilities in
Microsoft Windows, Windows Server, and Internet Explorer.

I. Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA08-162C

Apple Quicktime Updates for Multiple Vulnerabilities

Original release date: June 10, 2008
Last revised: --
Source: US-CERT

Systems Affected

* Apple Mac OS X running versions of QuickTime prior to 7.5
* Microsoft Windows running versions of QuickTime prior to 7.5

Overview

Apple QuickTime contains multiple vulnerabilities as described in the Apple
Knowledgebase article HT1991. Exploitation of these vulnerabilities could
allow a remote attacker to execute arbitrary code or cause a
denial-of-service condition.

I. Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA08-162A

SNMPv3 Authentication Bypass Vulnerability

Original release date: June 10, 2008
Last revised: --
Source: US-CERT

Systems Affected

* Multiple Implementations of SNMPv3

Overview

A vulnerability in the way implementations of SNMPv3 handle specially
crafted packets may allow authentication bypass.

I. Description

The Simple Network Management Protocol (SNMP) is a widely deployed
protocol that is commonly used to monitor and manage network devices.
SNMPv3 ( RFC 3410) supports a user-based security...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA08-150A

Apple Updates for Multiple Vulnerabilities

Original release date: May 29, 2008
Last revised: --
Source: US-CERT

Systems Affected

* Mac OS X prior to v10.5.3
* Mac OS X Server prior to v10.4.11

Overview

Apple has released Security Update 2008-003 and OS X version 10.5.3 to
correct multiple vulnerabilities affecting Apple Mac OS X and Mac OS X
Server. Attackers could exploit these vulnerabilities to execute
arbitrary code, gain access to sensitive information, or cause a
denial of service.

I. Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

New US-CERT PGP Key

US-CERT has generated a new PGP key. We use this key to sign all
publications, including documents sent to this list. Effective
immediately, this new key is available and will be valid until Thursday,
October 1, 2009. To obtain further information or to download the new
US-CERT publications PGP key, please visit

<http://www.us-cert.gov/pgp/encryptmail.html> or
<https://www.us-cert.gov/pgp/encryptmail.html>

A copy of the new key has also been included at the bottom of this
message and sent to public PGP key servers.

In accordance with good key management practices, we have also generated
a revocation certificate for the existing PGP key. The revocation
certificate for PGP key id 0x0CF3B5CE has also been included below and
sent to the public PGP key servers.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA08-137A

Debian/Ubuntu OpenSSL Random Number Generator Vulnerability

Original release date: May 16, 2008
Last revised: --
Source: US-CERT

Systems Affected

* Debian, Ubuntu, and Debian-based distributions

Overview

A vulnerability in the OpenSSL package included with the Debian
GNU/Linux operating system and its derivatives may cause weak
cryptographic keys to be generated. Any package that uses the affected
version of SSL could be vulnerable.

I. Description