The US-CERT Current Activity web
page is a regularly updated summary of the most frequent, high-impact types of security
incidents currently being reported to the US-CERT.
Copyright 2009 Carnegie Mellon University
Fri, 08/21/2009 - 11:58
Pidgin has released a security advisory (http://pidgin.im/news/security/?id=34) to address a vulnerability affecting libpurple. This vulnerability is a buffer overflow that may allow an attacker to execute arbitrary code. Libpurple is used by multiple instant messenger (IM) programs including Adium and Pidgin.
IM applications that use libpurple may distribute it as a part of their security updates. Users are encouraged to update affected IM software as soon as possible. A partial listing of IM programs that implement libpurple can be found in the "What is libpurple?" webpage (http://developer.pidgin.im/wiki/WhatIsLibpurple) on the Pidgin website. Additional information may be found in the US-CERT Vulnerability Notes Database (http://www.kb.cert.org/vuls/id/582244).
Fri, 08/21/2009 - 08:02
Adobe has released security bulletin APSB09-13 (http://www.adobe.com/support/security/bulletins/apsb09-13.html) to address a vulnerability in Flex 3.3 SDK and earlier versions. This vulnerability may allow an attacker to conduct a cross-site scripting attack.
US-CERT encourages users and administrators to review Adobe security bulletin APSB09-13 (http://www.adobe.com/support/security/bulletins/apsb09-13.html) and update to Flex 3.4 SDK (http://opensource.adobe.com/wiki/display/flexsdk/Download+Flex+3) to help mitigate the risks. Additionally, the bulletin indicates that this update includes the latest version of Adobe Flash Player.
Wed, 08/19/2009 - 14:46
Cisco has released a security advisory to address a vulnerability in the Firewall Services Module (FWSM) for the Catalyst 6500 series switches and the 7600 series routers. By sending specially crafted ICMP messages to the Firewall Services Module, an attacker can cause a denial-of-service condition.
US-CERT encourages users and administrators to review Cisco security advisory cisco-sa-20090819-fwsm (http://www.cisco.com/warp/public/707/cisco-sa-20090819-fwsm.shtml) and apply any necessary updates or workarounds to help mitigate the risks.
Tue, 08/18/2009 - 09:24
Adobe has released hotfixes to address multiple vulnerabilities in JRun 4.0 and ColdFusion 8.0.1 and earlier versions. These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, or operate with escalated privileges.
US-CERT encourages users and administrators to review Adobe security bulletin APSB09-12 (http://www.adobe.com/support/security/bulletins/apsb09-12.html) and apply any necessary hotfixes to help mitigate the risks.
Wed, 08/12/2009 - 08:25
Apple has released Safari 4.0.3 for Windows and Mac OS X to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or spoof a website.
US-CERT encourages users and administrators to review Apple article HT3733 (http://support.apple.com/kb/HT3733) and upgrade to Safari 4.0.3 to help mitigate the risks.
Tue, 08/11/2009 - 12:03
Microsoft has released an update to address vulnerabilities in Microsoft Windows, Office, Visual Studio, ISA Server, BizTalk Server, Remote Desktop Connection Client for Mac, and .NET Framework as part of the Microsoft Security Bulletin Summary for August 2009 (http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx). These vulnerabilities may allow an attacker to execute arbitrary code, operate with escalated privileges, or cause a denial-of-service condition.
US-CERT encourages users and administrators to review the bulletins (http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx) and follow best-practice security policies to determine which updates should be applied. Additional information regarding these vulnerabilities can be found in US-CERT Technical Cyber Security Alert TA09-223A (http://www.us-cert.gov/cas/techalerts/TA09-223A.html).
Thu, 08/06/2009 - 13:22
Microsoft has issued a Security Bulletin Advance Notification (http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx) indicating that the August release cycle will contain nine bulletins, five of which will have a severity rating of critical. The notification states that these critical bulletins are for Microsoft Office, Visual Studio, ISA Server, BizTalk Server, Windows, and Client for Mac. There will also be four important bulletins for Microsoft Windows and .NET Framework. Release of these bulletins is scheduled for Tuesday, August 11.
US-CERT will provide additional information as it becomes available.
Thu, 08/06/2009 - 06:42
Apple has released Mac OS X v10.5.8 and Security Update 2009-003 to address multiple vulnerabilities in a number of applications. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, bypass security mechanisms, operate with escalated privileges, or obtain sensitive information.
US-CERT encourages users and administrators to review Apple article HT3757 (http://support.apple.com/kb/HT3757) and apply any necessary updates to help mitigate the risks. Additional information can be found in US-CERT Technical Cyber Security Alert TA09-218A (http://www.us-cert.gov/cas/techalerts/TA09-218A.html).
Wed, 08/05/2009 - 10:19
Sun has released update 15 for the Java SE JDK 6 and the Java SE JRE 6 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, operate with escalated privileges, or bypass authentication methods.
US-CERT encourages users and administrators to review the Java SE 6 Update 15 release notes (http://java.sun.com/javase/6/webnotes/6u15.html) and apply any necessary updates (http://java.sun.com/javase/downloads/index.jsp) to help mitigate the risks.
Tue, 08/04/2009 - 07:04
Apple has released iPhone OS 3.0.1 to address a vulnerability in the CoreTelephony component. By sending a specially crafted SMS message to a user, an attacker may be able to execute arbitrary code or cause a denial-of-service condition.
US-CERT encourages users to review Apple article HT3754 (http://support.apple.com/kb/HT3754) and apply any necessary updates to help mitigate the risk.