Technical Cyber Security Alerts
US-CERT Alerts
US-CERT Alerts provide timely information about current security issues, vulnerabilities, and exploits.
TA12-129A: Microsoft Updates for Multiple Vulnerabilities
Tuesday, 8 May 2012, 9:01 pm
Original release date: May 08, 2012 | Last revised: –
Systems Affected
- Microsoft Windows
- Microsoft .NET Framework
- Microsoft Office
- Microsoft Silverlight
Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for May 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for May 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
- Microsoft Security Bulletin Summary for May 2012 – <http://technet.microsoft.com/en-us/security/bulletin/ms12-may>
- Microsoft Windows Server Update Services – <http://technet.microsoft.com/en-us/wsus/default.aspx>
- Microsoft Update – <https://www.update.microsoft.com/>
- Microsoft Update Overview – <http://www.microsoft.com/security/updates/mu.aspx>
- Turn Automatic Updating On or Off – <http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off>
Revision History
- May 08, 2012: Initial release
———————————————————————-
TA12-101B: Adobe Reader and Acrobat Security Updates and Architectural Improvements
Tuesday, 10 April 2012, 10:02 pm
Original release date: April 10, 2012 | Last revised: –
Systems Affected
- Adobe Reader X (10.1.2) and earlier 10.x versions for Windows and Macintosh
- Adobe Reader 9.5 and earlier 9.x versions for Windows, Macintosh, and UNIX
- Adobe Acrobat X (10.1.2) and earlier 10.x versions for Windows and Macintosh
- Adobe Acrobat 9.5 and earlier 9.x versions for Windows and Macintosh
Overview
Adobe has released Security Bulletin APSB12-08, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat. As part of this update, Adobe Reader and Acrobat 9.x will use the system-wide Flash Player browser plug-in instead of the Authplay component. In addition, Reader and Acrobat now disable the rendering of 3D content by default.
Description
Adobe Security Bulletin APSB12-08 describes a number of vulnerabilities affecting Adobe Reader and Acrobat. These vulnerabilities affect Adobe Reader and Acrobat versions 9.x through 9.5, and Reader X and Acrobat X versions prior to 10.1.3.
The Adobe ASSET blog provides additional details on new security architecture changes to Adobe Reader and Acrobat. Adobe Reader and Acrobat 9.5.1 will use the Adobe Flash Player plug-in version installed on the user’s system rather than the Authplay component that ships with Adobe Reader and Acrobat. This change helps limit the number of out-of-date, vulnerable Flash runtimes available to an attacker. Adobe Reader and Acrobat 9.5.1 also now disable rendering of 3D content by default because the 3D rendering components have a history of vulnerabilities.
US-CERT recommends that Flash users upgrade to the latest version of Adobe Flash Player and turn on automatic updates.
An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. This can happen automatically as the result of viewing a webpage.
Impact
These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF file.
Solution
Update Reader
Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB12-08 and update vulnerable versions of Adobe Reader and Acrobat.
In addition to updating, please consider the following mitigations.
Disable JavaScript in Adobe Reader and Acrobat
Disabling JavaScript may prevent some exploits from resulting in code execution. You can disable Acrobat JavaScript using the Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable Acrobat JavaScript).
Adobe provides a framework to blacklist specific JavaScript APIs. If JavaScript must be enabled, this framework may be useful when specific APIs are known to be vulnerable or used in attacks.
Prevent Internet Explorer from automatically opening PDF files
The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to a safer option that prompts the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF files in the web browser
Preventing PDF files from opening inside a web browser will partially mitigate this vulnerability. Applying this workaround may also mitigate future vulnerabilities.
To prevent PDF files from automatically being opened in a web browser, do the following:
1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the Preferences option.
4. Choose the Internet section.
5. Uncheck the "Display PDF in browser" checkbox.
Do not access PDF files from untrusted sources
Do not open unfamiliar or unexpected PDF files, particularly those hosted on websites or delivered as email attachments. Please see Cyber Security Tip ST04-010.
References
- Security update available for Adobe Reader and Acrobat (APSB12-08) – <https://www.adobe.com/support/security/bulletins/apsb12-08.html>
- Adobe Reader and Acrobat JavaScript Blacklist Framework – <http://kb2.adobe.com/cps/504/cpsid_50431.html>
- Background on Security Bulletin APSB12-08 – <http://blogs.adobe.com/asset/2012/04/background-on-security-bulletin-apsb12-08.html>
- Adobe Flash Player – <http://get.adobe.com/flashplayer/>
- Adobe Flash vulnerability affects Flash Player and other Adobe products – <http://www.kb.cert.org/vuls/id/259425>
- Vulnerability Notes with advice to disable 3D rendering – <http://www.kb.cert.org/vuls/bypublished?searchview&query=rt3d.dll>
Revision History
- April 10, 2012: Initial release
———————————————————————-
TA12-101A: Microsoft Updates for Multiple Vulnerabilities
Tuesday, 10 April 2012, 6:37 pm
Original release date: April 10, 2012 | Last revised: –
Systems Affected
- Microsoft Windows
- Microsoft Internet Explorer
- Microsoft .NET Framework
- Microsoft Office
- Microsoft Server Software
- Microsoft SQL Server
- Microsoft Developer Tools
- Microsoft Forefront Unified Access Gateway
Overview
There are multiple vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft .NET Framework, Microsoft Office, Microsoft Server Software, Microsoft SQL Server, Microsoft Developer Tools, and Microsoft Forefront Unified Access Gateway. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for April 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for April 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
- Microsoft Security Bulletin Summary for April 2012 – <http://technet.microsoft.com/en-us/security/bulletin/ms12-apr>
- Microsoft Windows Server Update Services – <http://technet.microsoft.com/en-us/wsus/default.aspx>
- Microsoft Update – <https://www.update.microsoft.com/>
- Microsoft Update Overview – <http://www.microsoft.com/security/updates/mu.aspx>
- Turn Automatic Updating On or Off – <http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off>
Revision History
- April 10, 2012: Initial release
———————————————————————-
TA12-073A: Microsoft Updates for Multiple Vulnerabilities
Tuesday, 13 March 2012, 6:34 pm
Original release date: March 13, 2012
Last revised: –
Source: US-CERT
Systems Affected
- Microsoft Windows
- Microsoft Visual Studio
- Microsoft Expression Design
Overview
There are multiple vulnerabilities in Microsoft Windows, Microsoft Visual Studio, and Microsoft Expression Design. Microsoft has released updates to address these vulnerabilities.
I. Description
The Microsoft Security Bulletin Summary for March 2012 describes multiple vulnerabilities in Microsoft Windows, Microsoft Visual Studio, and Microsoft Expression Design. Microsoft has released updates to address the vulnerabilities.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
III. Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for March 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
IV. References
- Microsoft Security Bulletin Summary for March 2012 – <https://technet.microsoft.com/en-us/security/bulletin/ms12-mar>
- Microsoft Windows Server Update Services – <http://technet.microsoft.com/en-us/wsus/default.aspx>
- Microsoft Update – <https://www.update.microsoft.com/>
- Microsoft Update Overview – <http://www.microsoft.com/security/updates/mu.aspx>
- Turn Automatic Updating On or Off – <http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off>
Feedback can be directed to US-CERT.
Produced 2012 by US-CERT, a government organization. Terms of use
March 13, 2012: Initial release
———————————————————————-
TA12-045A: Microsoft Updates for Multiple Vulnerabilities
Tuesday, 14 February 2012, 6:37 pm
Original release date: February 14, 2012
Last revised: –
Source: US-CERT
Systems Affected
- Microsoft Windows
- Microsoft Internet Explorer
- Microsoft .NET Framework
- Microsoft Silverlight
- Microsoft Office
- Microsoft Server Software
Overview
There are multiple vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft .NET Framework, Silverlight, Office, and Microsoft Server Software. Microsoft has released updates to address these vulnerabilities.
I. Description
The Microsoft Security Bulletin Summary for February 2012 describes multiple vulnerabilities in Microsoft Windows and the other Microsoft products listed above. Microsoft has released updates to address the vulnerabilities.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code, cause adenial of service, or gain unauthorized access to your files or system.
III. Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for February 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
IV. References
- Microsoft Security Bulletin Summary for February 2012 – <https://technet.microsoft.com/en-us/security/bulletin/ms12-feb>
- Microsoft Windows Server Update Services – <http://technet.microsoft.com/en-us/wsus/default.aspx>
- Microsoft Update – <https://www.update.microsoft.com/>
- Microsoft Update Overview – <http://www.microsoft.com/security/updates/mu.aspx>
- Turn Automatic Updating On or Off – <http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off>
February 14, 2012: Initial release
———————————————————————-
TA12-024A: "Anonymous" DDoS Activity
Wednesday, 25 January 2012, 3:53 am
Original release date: January 24, 2012
Last revised: –
Source: US-CERT
Overview
US-CERT has received information from multiple sources about coordinated distributed denial-of-service (DDoS) attacks with targets that included U.S. government agency and entertainment industry websites. The loosely affiliated collective "Anonymous" allegedly promoted the attacks in response to the shutdown of the file hosting site MegaUpload and in protest of proposed U.S. legislation concerning online trafficking in copyrighted intellectual property and counterfeit goods (Stop Online Piracy Act, or SOPA, and Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act, or PIPA).
I. Description
US-CERT has evidence of two types of DDoS attacks: one using HTTP GET requests and another using a simple UDP flood.
The Low Orbit Ion Cannon (LOIC) is a denial-of-service attack tool associated with previous Anonymous activity. US-CERT has reviewed at least two implementations of LOIC. One variant is written in JavaScript and is designed to be used from a web browser. An attacker can access this variant of LOIC on a website and select targets, specify an optional message, throttle attack traffic, and monitor attack progress. A binary variant of LOIC includes the ability to join a botnet to allow nodes to be controlled via IRC or RSS command channels (the "HiveMind" feature).
The following is a sample of LOIC traffic recorded in a web server log:
"GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200 99406 "hxxp://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
The following sites have been identified in HTTP referrer headers of suspected LOIC traffic. This list may not be complete. Please do not visit any of the links as they may still host functioning LOIC or other malicious code.
"hxxp://3g.bamatea.com/loic.html"
"hxxp://anonymouse.org/cgi-bin/anon-www.cgi/"
"hxxp://chatimpacto.org/Loic/"
"hxxp://cybercrime.hostzi.com/Ym90bmV0/loic/"
"hxxp://event.seeho.co.kr/loic.html"
"hxxp://pastehtml.com/view/bl3weewxq.html"
"hxxp://pastehtml.com/view/bl7qhhp5c.html"
"hxxp://pastehtml.com/view/blafp1ly1.html"
"hxxp://pastehtml.com/view/blakyjwbi.html"
"hxxp://pastehtml.com/view/blal5t64j.html"
"hxxp://pastehtml.com/view/blaoyp0qs.html"
"hxxp://www.lcnongjipeijian.com/loic.html"
"hxxp://www.rotterproxy.info/browse.php/704521df/ccc21Oi8/vY3liZXJ/jcmltZS5/ob3N0emk/uY29tL1l/tOTBibVY/wL2xvaWM/v/b5/fnorefer"
"hxxp://www.tandycollection.co.kr/loic.html"
"hxxp://www.zgon.cn/loic.html"
"hxxp://zgon.cn/loic.html"
"hxxp://www.turbytoy.com.ar/admin/archivos/hive.html"
The following are the A records for the referrer sites as of January 20, 2012:
3g[.]bamatea[.]com A 218[.]5[.]113[.]218
cybercrime[.]hostzi[.]com A 31[.]170[.]161[.]36
event[.]seeho[.]co[.]kr A 210[.]207[.]87[.]195
chatimpacto[.]org A 66[.]96[.]160[.]151
anonymouse[.]org A 193[.]200[.]150[.]125
pastehtml[.]com A 88[.]90[.]29[.]58
lcnongjipeijian[.]com A 49[.]247[.]252[.]105
www[.]rotterproxy[.]info A 208[.]94[.]245[.]131
www[.]tandycollection[.]co[.]kr A 121[.]254[.]168[.]87
www[.]zgon[.]cn A 59[.]54[.]54[.]204
www[.]turbytoy[.]com[.]ar A 190[.]228[.]29[.]84
The HTTP requests contained an "id" value based on UNIX time and a user-defined "msg" value, for example:
GET /?id=1327014189930&msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20
Other "msg" examples:
msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20
msg=:)
msg=:D
msg=Somos%20Legion!!!
msg=Somos%20legi%C3%B3n!
msg=Stop%20S.O.P.A%20:)%20%E2%99%AB%E2%99%AB HTTP/1.1" 200 99406 "hxxp://pastehtml.com/view/bl7qhhp5c.html"
msg=We%20Are%20Legion!
msg=gh
msg=open%20megaupload
msg=que%20sepan%20los%20nacidos%20y%20los%20que%20van%20a%20nacer%20que%20nacimos%20para%20vencer%20y%20no%20para%20ser%20vencidos
msg=stop%20SOPA!!
msg=We%20are%20Anonymous.%20We%20are%20Legion.%20We%20do%20not%20forgive.%20We%20do%20not%20forget.%20Expect%20us!
The "msg" field can be arbitrarily set by the attacker.
As of January 20, 2012, US-CERT has observed another attack that consists of UDP packets on ports 25 and 80. The packets contained a message followed by variable amounts of padding, for example:
66:6c:6f:6f:64:00:00:00:00:00:00:00:00:00 |flood.........
Target selection, timing, and other attack activity is often coordinated through social media sites or online forums.
US-CERT is continuing research efforts and will provide additional data as it becomes available.
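The HTTP and UDP indicators above are specific enough to turn into a detector. The following Python script is an added example and is not part of the US-CERT alert: it parses combined-format web server log lines, flags requests with the JavaScript LOIC shape (a GET for "/" whose only query parameters are a 13-digit millisecond "id" and a "msg"), decodes the message and the time embedded in "id", records whether the referrer is one of the LOIC hosting pages listed above, and separately recognizes the "flood" UDP payload. The log lines are constructed (client addresses come from the RFC 5737 documentation ranges) and the referrer host set is a subset of the alert's list; the request pattern is the primary signal and the referrer only corroborates it, since the alert says the referrer list may be incomplete.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, ident, user, [time], "request", status, bytes, "referrer", "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hosts seen in the referrer header of LOIC traffic (subset of the alert's list).
# Corroborating signal only: the alert notes that the list may be incomplete.
LOIC_REFERRER_HOSTS = {
    "pastehtml.com", "3g.bamatea.com", "chatimpacto.org", "event.seeho.co.kr",
    "www.lcnongjipeijian.com", "www.tandycollection.co.kr", "www.zgon.cn", "zgon.cn",
}

# Constructed sample log: two LOIC hits with a known referrer, one without, one
# request that merely looks similar (id is not a millisecond timestamp), one normal.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jan/2012:23:06:40 +0000] "GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200 99406 "http://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
203.0.113.10 - - [19/Jan/2012:23:06:41 +0000] "GET /?id=1327014401102&msg=Somos%20legi%C3%B3n! HTTP/1.1" 200 99406 "http://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
203.0.113.77 - - [19/Jan/2012:23:06:41 +0000] "GET /?id=1327014401555&msg=stop%20SOPA!! HTTP/1.1" 200 99406 "-" "Mozilla/5.0 (Windows NT 6.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
198.51.100.7 - - [19/Jan/2012:23:06:42 +0000] "GET /?id=42&msg=hello HTTP/1.1" 200 99406 "-" "curl/7.21.0"
198.51.100.8 - - [19/Jan/2012:23:06:42 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def loic_request(entry):
    """Return the decoded message and id-derived time if the request has the JS LOIC shape.

    The JavaScript LOIC requests "/" with exactly two query parameters: "id", a
    13-digit millisecond UNIX timestamp, and "msg", the attacker-chosen text.
    """
    if entry["method"] != "GET":
        return None
    parts = urlsplit(entry["target"])
    if parts.path != "/":
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if set(query) != {"id", "msg"} or len(query["id"]) != 1:
        return None
    ident = query["id"][0]
    if not (ident.isdigit() and len(ident) == 13):
        return None
    when = datetime.fromtimestamp(int(ident) // 1000, tz=timezone.utc)
    return {"msg": query["msg"][0], "id_time": when.isoformat()}


def detect(log_text):
    """Scan log text and return one finding per LOIC-shaped request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hit = loic_request(entry)
        if hit is None:
            continue
        referrer_host = urlsplit(entry["referrer"]).hostname
        findings.append({
            "ip": entry["ip"],
            "msg": hit["msg"],
            "id_time": hit["id_time"],
            "known_referrer": referrer_host in LOIC_REFERRER_HOSTS,
        })
    return findings


def is_udp_flood_payload(data):
    """True for the UDP payload shape from the alert: b"flood" followed only by zero padding."""
    return data.startswith(b"flood") and not data[5:].strip(b"\x00")


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ip']}  {f['id_time']}  referrer_known={f['known_referrer']}  msg={f['msg']!r}")
    print(is_udp_flood_payload(bytes.fromhex("666c6f6f6400000000000000000000")))
```

The decoded "id" of the first sample line lands on 19 January 2012 at 23:06 UTC, which is how one checks the alert's statement that "id" is UNIX time: a request whose "id" does not decode to a time near the log's own timestamp is not the JavaScript LOIC. The line with id=42 is skipped for that reason. Feeding the findings into a per-source-IP count gives the block list for the edge router; the UDP check belongs in whatever sees raw datagrams (an IDS rule or a packet capture), not in the web log parser.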
III. Solution
There are a number of mitigation strategies available for dealing with DDoS attacks, depending on the type of attack as well as the target network infrastructure. In general, the best practice defense for mitigating DDoS attacks involves advanced preparation.
- Develop a checklist or Standard Operating Procedure (SOP) to follow in the event of a DDoS attack. One critical point in a checklist or SOP is to have contact information for your ISP and hosting providers. Identify who should be contacted during a DDoS, what processes should be followed, what information is needed, and what actions will be taken during the attack with each entity.
- The ISP or hosting provider may provide DDoS mitigation services. Ensure your staff is aware of the provisions of your service level agreement (SLA).
- Maintain contact information for firewall teams, IDS teams, and network teams, and ensure that it is current and readily available.
- Identify critical services that must be maintained during an attack as well as their priority. Services should be prioritized beforehand to identify what resources can be turned off or blocked as needed to limit the effects of the attack. Also, ensure that critical systems have sufficient capacity to withstand a DDoS attack.
- Have current network diagrams, IT infrastructure details, and asset inventories. This will assist in determining actions and priorities as the attack progresses.
- Understand your current environment and have a baseline of daily network traffic volume, type, and performance. This will allow staff to better identify the type of attack, the point of attack, and the attack vector used. Also, identify any existing bottlenecks and remediation actions if required.
- Harden the configuration settings of your network, operating systems, and applications by disabling services and applications not required for a system to perform its intended function.
- Implement a bogon block list at the network boundary.
- Employ service screening on edge routers wherever possible in order to decrease the load on stateful security devices such as firewalls.
- Separate or compartmentalize critical services:
  - Separate public and private services
  - Separate intranet, extranet, and internet services
  - Create single-purpose servers for each service such as HTTP, FTP, and DNS
- Review the US-CERT Cyber Security Tip Understanding Denial-of-Service Attacks.
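For the bogon block list item above, the following Python is an added example and not part of the alert. It carries the permanent IPv4 bogons (the special-purpose prefixes from the IANA registry, RFC 6890), classifies packet source addresses against them, and emits an ipset restore script that an iptables rule on the Internet-facing interface can match on. The sample source addresses are constructed. Two caveats a practitioner should keep in mind: the Team Cymru "full bogon" list referenced below also covers unallocated space and changes over time, so it has to be fetched and refreshed rather than hard-coded like this; and RFC 1918 space is legitimate on internal interfaces, so the drop rule belongs only on the boundary.

```python
import ipaddress

# Permanent IPv4 bogons: special-purpose prefixes that are never valid Internet
# source addresses (IANA special-purpose registry, RFC 6890). Unallocated space,
# the other half of a "full bogon" list, is deliberately not included here
# because it changes as address space is assigned.
PERMANENT_BOGONS_V4 = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(address, bogons=PERMANENT_BOGONS_V4):
    """True if the address falls inside any bogon prefix. Unparseable strings count as bogus too."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True
    return any(ip in net for net in bogons)


def split_sources(addresses, bogons=PERMANENT_BOGONS_V4):
    """Partition observed packet source addresses into (bogon, routable) lists, order preserved."""
    bogon, routable = [], []
    for a in addresses:
        (bogon if is_bogon(a, bogons) else routable).append(a)
    return bogon, routable


def ipset_restore_script(setname="bogons4", bogons=PERMANENT_BOGONS_V4):
    """Text for `ipset restore`: a hash:net set holding every bogon prefix.

    -exist makes the script idempotent, so it can be re-run after refreshing the list.
    """
    lines = [f"create {setname} hash:net family inet -exist"]
    lines += [f"add {setname} {net} -exist" for net in bogons]
    return "\n".join(lines) + "\n"


# Constructed sample: three spoofed (bogon) sources and two routable ones.
SAMPLE_SOURCES = ["10.13.37.1", "192.0.2.9", "240.1.2.3", "8.8.8.8", "1.1.1.1"]

if __name__ == "__main__":
    bogus, ok = split_sources(SAMPLE_SOURCES)
    print("drop:", bogus, " keep:", ok)
    print(ipset_restore_script(), end="")
    # Boundary rule once the set exists (eth0 = Internet-facing interface):
    print("# iptables -I INPUT -i eth0 -m set --match-set bogons4 src -j DROP")
```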
IV. References
- Cyber Security Tip ST04-015 – <http://www.us-cert.gov/cas/tips/ST04-015.html>
- Anonymous's response to the seizure of MegaUpload according to CNN – <http://money.cnn.com/2012/01/19/technology/megaupload_shutdown/index.htm>
- The Internet Strikes Back #OpMegaupload – <http://anonops.blogspot.com/2012/01/internet-strikes-back-opmegaupload.html>
- Twitter post from the author of the JavaScript based LOIC code – <http://www.twitter.com/#!/mendes_rs>
- Anonymous Operations tweets on Twitter – <http://twitter.com/#!/anonops>
- @Megaupload tweets on Twitter – <http://twitter.com/#!/search?q=%2523Megaupload>
- LOIC DDoS Analysis and Detection – <http://blog.spiderlabs.com/2011/01/loic-ddos-analysis-and-detection.html>
- Impact of Operation Payback according to CNN – <http://money.cnn.com/2010/12/08/news/companies/mastercard_wiki/index.htm>
- Operation Payback messages on YouTube – <http://www.youtube.com/results?search_query=operationpayback>
- The Bogon Reference – Team Cymru – <http://www.team-cymru.org/Services/Bogons/>
January 24, 2012: Initial release
———————————————————————-
TA12-010A: Microsoft Updates for Multiple Vulnerabilities
Tuesday, 10 January 2012, 7:11 pm
Original release date: January 10, 2012
Last revised: –
Source: US-CERT
Systems Affected
- Microsoft Windows
- Microsoft Developer Tools and Software
Overview
There are multiple vulnerabilities in Microsoft Windows and Microsoft Developer Tools and Software. Microsoft has released updates to address these vulnerabilities.
I. Description
The Microsoft Security Bulletin Summary for January 2012 describes multiple vulnerabilities in Microsoft Windows and Microsoft Developer Tools and Software. Microsoft has released updates to address the vulnerabilities.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
III. Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for January 2012. That bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).
IV. References
- Microsoft Security Bulletin Summary for January 2012 – <http://technet.microsoft.com/en-us/security/bulletin/ms12-jan>
- Microsoft Windows Server Update Services – <http://technet.microsoft.com/en-us/wsus/default.aspx>
January 10, 2012: Initial release
———————————————————————-
TA12-006A: Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack
Friday, 6 January 2012, 8:49 pm
Original release date: January 06, 2012
Last revised: –
Source: US-CERT
Systems Affected
Most Wi-Fi access points that support Wi-Fi Protected Setup (WPS) are affected.
Overview
Wi-Fi Protected Setup (WPS) provides simplified mechanisms to configure secure wireless networks. The external registrar PIN exchange mechanism is susceptible to brute force attacks that could allow an attacker to gain access to an encrypted Wi-Fi network.
I. Description
WPS uses a PIN as a shared secret to authenticate an access point and a client and provide connection information such as WEP and WPA passwords and keys. In the external registrar exchange method, a client needs to provide the correct PIN to the access point.
An attacking client can try to guess the correct PIN. A design vulnerability reduces the effective PIN space sufficiently to allow practical brute force attacks. Freely available attack tools can recover a WPS PIN in 4-10 hours.
For further details, please see Vulnerability Note VU#723755 and further documentation by Stefan Viehbock and Tactical Network Solutions.
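The following Python is an added worked example of why the effective PIN space is so small; it is not part of the alert. The eighth PIN digit is a checksum of the first seven (the weighting below is the one hostapd implements in wps_pin_checksum), so only 10^7 of the 10^8 eight-digit PINs are valid. More importantly, the registrar exchange rejects a wrong first half at message M4 before the second half is ever checked at M6, as documented in the Viehbock write-up referenced below, so an attacker can search the two halves independently: at most 10^4 + 10^3 = 11,000 attempts instead of 10^7. The AccessPoint class is a stand-in oracle that models only this leak and nothing else about the protocol; real access points add a delay of a second or more per attempt, which is what turns 11,000 attempts into the 4-10 hours quoted above, and some firmware locks WPS after repeated failures.

```python
def wps_checksum(first_seven: int) -> int:
    """Checksum digit for a 7-digit WPS PIN body (same weighting as hostapd's wps_pin_checksum)."""
    accum, pin = 0, first_seven
    while pin:
        accum += 3 * (pin % 10)   # digits 7, 5, 3, 1 (counted from the right) weigh 3
        pin //= 10
        accum += pin % 10         # digits 6, 4, 2 weigh 1
        pin //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True for an 8-digit PIN whose last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def effective_pin_space() -> dict:
    """Naive search space versus what the checksum and the split verification leave."""
    return {"all_8_digit": 10 ** 8,
            "valid_checksum": 10 ** 7,
            "split_halves_max": 10 ** 4 + 10 ** 3}


class AccessPoint:
    """Stand-in for a WPS registrar (assumption: models only the information leak).

    A wrong first half fails at M4, a wrong second half fails at M6, and a full
    match proceeds to M7, which carries the network credentials.
    """

    def __init__(self, pin: str):
        assert wps_pin_valid(pin), "access point PINs carry a valid checksum"
        self._pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return "NACK@M4"
        if pin[4:] != self._pin[4:]:
            return "NACK@M6"
        return "M7"


def brute_force(ap: AccessPoint):
    """Recover the PIN by searching the halves independently; returns the PIN or None."""
    first = None
    for a in range(10 ** 4):
        candidate = f"{a:04d}0000"
        if ap.try_pin(candidate) != "NACK@M4":   # first half accepted (M6 NACK or M7)
            first = candidate[:4]
            break
    if first is None:
        return None
    for b in range(10 ** 3):                      # only 3 free digits: the 4th is the checksum
        body = first + f"{b:03d}"
        candidate = body + str(wps_checksum(int(body)))
        if ap.try_pin(candidate) == "M7":
            return candidate
    return None


def estimated_hours(seconds_per_attempt: float, attempts: int = 11_000) -> float:
    """Worst-case wall-clock time for the split search at a given per-attempt cost."""
    return attempts * seconds_per_attempt / 3600


if __name__ == "__main__":
    ap = AccessPoint("12345670")   # a commonly used example PIN with a valid checksum
    print(brute_force(ap), "recovered after", ap.attempts, "attempts")
    print(effective_pin_space())
    print(f"worst case: {estimated_hours(1.3):.1f} h at 1.3 s/attempt, "
          f"{estimated_hours(3.0):.1f} h at 3 s/attempt")
```

The oracle is the only assumed part: on a real access point each try_pin call is a full EAP/WPS exchange over the air, and the attack tools referenced below simply drive that exchange and watch where it fails. The worst-case PIN for this search (first half 9999, second half 999 plus checksum) costs exactly 11,000 attempts, which is the figure to use when sizing a lockout policy.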
II. Impact
An attacker within radio range can brute-force the WPS PIN for a vulnerable access point. The attacker can then obtain WEP or WPA passwords and likely gain access to the Wi-Fi network. Once on the network, the attacker can monitor traffic and mount further attacks.
III. Solution
Update Firmware
Check your access point vendor's support website for updated firmware that addresses this vulnerability. Further information may be available in the Vendor Information section of VU#723755 and in a Google spreadsheet called WPS Vulnerability Testing.
Disable WPS
Depending on the access point, it may be possible to disable WPS. Note that some access points may not actually disable WPS when the web management interface indicates that WPS is disabled.
IV. References
- Vulnerability Note VU#723755 – <http://www.kb.cert.org/vuls/id/723755>
- Wi-Fi Protected Setup PIN brute force vulnerability – <http://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/>
- Cracking WiFi Protected Setup with Reaver – <http://www.tacnetsol.com/news/2011/12/28/cracking-wifi-protected-setup-with-reaver.html>
- WPS Vulnerability Testing – <https://docs.google.com/spreadsheet/lv?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c>
January 06, 2012: Initial release
———————————————————————-
TA11-350A: Adobe Updates for Multiple Vulnerabilities
Friday, 16 December 2011, 7:19 pm
Original release date: December 16, 2011
Last revised: –
Source: US-CERT
Systems Affected
- Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
- Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh, and UNIX
- Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
- Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh
Overview
Adobe has released Security Bulletin APSB11-30, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat.
I. Description
Adobe Security Bulletin APSB11-30 and Adobe Security Advisory APSA11-04 describe a number of vulnerabilities affecting Adobe Reader and Acrobat. These vulnerabilities affect Reader and Acrobat 9.4.6 and earlier 9.x versions. These vulnerabilities also affect Reader X and Acrobat X 10.1.1 and earlier 10.x versions.
An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. The Adobe Reader browser plug-in, which can automatically open PDF documents hosted on a website, is available for multiple web browsers and operating systems.
Adobe Reader X and Adobe Acrobat X will be patched in the next quarterly update scheduled for January 10, 2012.
Additional details for the U3D memory corruption vulnerability can be found in US-CERT Vulnerability Note VU#759307.
II. Impact
These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF file.
III. Solution
Update Reader
Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB11-30 and update vulnerable versions of Adobe Reader and Acrobat.
In addition to updating, please consider the following mitigations.
Disable Flash in Adobe Reader and Acrobat
Disabling Flash in Adobe Reader will mitigate attacks that rely on Flash content embedded in a PDF file. Disabling 3D & Multimedia support does not directly address the vulnerability, but it does provide additional mitigation and results in a more user-friendly error message instead of a crash. To disable Flash and 3D & Multimedia support in Adobe Reader 9, delete, rename, or remove access to these files:
Microsoft Windows
"%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll"
"%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll"
Apple Mac OS X
"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle"
"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework"
GNU/Linux (locations may vary among distributions)
"/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so"
"/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so"
File locations may be different for Adobe Acrobat or other Adobe products that include Flash and 3D & Multimedia support. Disabling these plugins will reduce functionality and will not protect against Flash content that is hosted on websites. Depending on the update schedule for products other than Flash Player, consider leaving Flash and 3D & Multimedia support disabled unless they are absolutely required.
Disable JavaScript in Adobe Reader and Acrobat
Disabling JavaScript may prevent some exploits from resulting in code execution. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable Acrobat JavaScript).
Adobe provides a framework to blacklist specific JavaScript APIs. If JavaScript must be enabled, this framework may be useful when specific APIs are known to be vulnerable or used in attacks.
Prevent Internet Explorer from automatically opening PDF files
The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to a safer option that prompts the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF files in the web browser
Preventing PDF files from opening inside a web browser will partially mitigate this vulnerability. If this workaround is applied, it may also mitigate future vulnerabilities.
To prevent PDF files from automatically being opened in a web browser, do the following:
1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the Preferences option.
4. Choose the Internet section.
5. Uncheck the "Display PDF in browser" checkbox.
Remove or restrict access to 3difr.x3d
By removing or restricting access to the 3difr.x3d file, Adobe Reader and Acrobat will fail to render U3D content, which helps to mitigate this vulnerability. PDF documents that use the PRC format for 3D content will continue to function on Windows and Linux platforms.
To disable U3D support in Adobe Reader 9 on Microsoft Windows, delete or rename this file:
"%ProgramFiles%\Adobe\Reader 9.0\Reader\plug_ins3d\3difr.x3d"
For Apple Mac OS X, delete or rename this directory:
"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework"
For GNU/Linux, delete or rename this file (locations may vary among distributions):
"/opt/Adobe/Reader9/Reader/intellinux/plug_ins3d/3difr.x3d"
File locations may be different for Adobe Acrobat or other Adobe products or versions.
Do not access PDF files from untrusted sources
Do not open unfamiliar or unexpected PDF files, particularly those hosted on websites or delivered as email attachments. Please see Cyber Security Tip ST04-010.
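The registry and preference mitigations above (the same ones TA12-101B gives) are easy to apply and easy to leave half-done, so the following Python is an added example, not part of either alert, that audits them from a `reg export` of the relevant keys instead of trusting the dialog. It decodes the REG_BINARY EditFlags value of AcroExch.Document.7 and tests the FTA_OpenIsSafe bit (0x00010000 in shlobj.h), which is what lets Internet Explorer open the file type without prompting; the .REG file above clears it. The "before" export is constructed. The per-user value names bEnableJS (under JSPrefs) and bBrowserIntegration (under Originals) are assumed to be the Reader 9 registry equivalents of the two Preferences checkboxes and should be confirmed against the installed version before relying on the audit.

```python
import re

# FTA_OpenIsSafe (shlobj.h): with this bit set in a ProgID's EditFlags, Internet
# Explorer opens the file type without asking the user first.
FTA_OPEN_IS_SAFE = 0x00010000

PROGID_KEY = r"HKEY_CLASSES_ROOT\AcroExch.Document.7"

# Assumed per-user values behind Edit -> Preferences -> JavaScript / Internet
# for Reader 9 (bEnableJS, bBrowserIntegration); verify on your own build.
JS_KEY = r"HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs"
BROWSER_KEY = r"HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals"

# Constructed export resembling what the Reader installer leaves behind.
EXPORT_BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
@="Adobe Acrobat Document"
"EditFlags"=hex:00,00,01,00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals]
"bBrowserIntegration"=dword:00000001
"""

# The same keys after importing the alert's .REG file and applying the two Preferences changes.
EXPORT_AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
@="Adobe Acrobat Document"
"EditFlags"=hex:00,00,00,00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals]
"bBrowserIntegration"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:hex:([0-9A-Fa-f,]*)|dword:([0-9A-Fa-f]{8}))$')


def parse_reg(text):
    """Minimal .reg parser: {key: {name: int}} for hex: (REG_BINARY, little-endian)
    and dword: values. Other value types and multi-line hex continuations are skipped."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            reg.setdefault(key, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            name, hexbytes, dword = vm.groups()
            if hexbytes is not None:
                data = bytes(int(b, 16) for b in hexbytes.split(",") if b)
                reg[key][name] = int.from_bytes(data, "little")
            else:
                reg[key][name] = int(dword, 16)
    return reg


def ie_opens_pdf_without_prompt(reg):
    """True if AcroExch.Document.7 still carries FTA_OpenIsSafe (missing value means cleared)."""
    return bool(reg.get(PROGID_KEY, {}).get("EditFlags", 0) & FTA_OPEN_IS_SAFE)


def audit(reg_text):
    """Report which of the three mitigations the export shows as applied."""
    reg = parse_reg(reg_text)
    return {
        "ie_prompts_before_opening": not ie_opens_pdf_without_prompt(reg),
        "javascript_disabled": reg.get(JS_KEY, {}).get("bEnableJS", 1) == 0,
        "browser_display_disabled": reg.get(BROWSER_KEY, {}).get("bBrowserIntegration", 1) == 0,
    }


if __name__ == "__main__":
    # On a Windows host: reg export HKCR\AcroExch.Document.7 acro.reg /y
    # then audit(open("acro.reg", encoding="utf-16").read()); reg.exe writes UTF-16.
    print("before:", audit(EXPORT_BEFORE))
    print("after: ", audit(EXPORT_AFTER))
```

Because EditFlags is a bit field, compare the decoded integer against the flag rather than against a literal byte string: an export produced on another machine may carry additional bits, and only FTA_OpenIsSafe is the one this mitigation is about.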
IV. References
- Security update available for Adobe Reader and Acrobat – <https://www.adobe.com/support/security/bulletins/apsb11-30.html>
- Adobe Reader and Acrobat JavaScript Blacklist Framework – <http://kb2.adobe.com/cps/504/cpsid_50431.html>
- Adobe Acrobat and Reader U3D memory corruption vulnerability – <http://www.kb.cert.org/vuls/id/759307>
- Security Advisory for Adobe Reader and Acrobat – <https://www.adobe.com/support/security/advisories/apsa11-04.html>
December 16, 2011: Initial release
———————————————————————-
TA11-347A: Microsoft Updates for Multiple Vulnerabilities
Tuesday, 13 December 2011, 8:47 pm
Original release date: December 13, 2011
Last revised: –
Source: US-CERT
Systems Affected
- Microsoft Windows
- Microsoft Office
- Internet Explorer
Overview
There are multiple vulnerabilities in Microsoft Windows, Office, and Internet Explorer. Microsoft has released updates to address these vulnerabilities.
I. Description
The Microsoft Security Bulletin Summary for December 2011 describes multiple vulnerabilities in Microsoft Windows, Office, and Internet Explorer. Microsoft has released updates to address the vulnerabilities. Additional details for MS11-091 can be found in US-CERT Vulnerability Note VU#361441.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code, cause adenial of service, or gain unauthorized access to your files or system.
III. Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for December 2011. That bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).
IV. References
- Microsoft Security Bulletin Summary for December 2011 – <https://technet.microsoft.com/en-us/security/bulletin/ms11-dec>
- Microsoft Windows Server Update Services – <http://technet.microsoft.com/en-us/wsus/default.aspx>
- US-CERT Vulnerability Note VU#361441 – <http://www.kb.cert.org/vuls/id/361441>
December 13, 2011: Initial release
———————————————————————-

