Original release date: April 20, 2016

Cisco has released security updates to address vulnerabilities in multiple products. Exploitation of these vulnerabilities could allow a remote attacker to cause a denial-of-service condition on an affected system.

US-CERT encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates:

• Cisco Wireless LAN Controller Management Interface Denial of Service Vulnerability
• Cisco Adaptive Security Appliance Software DHCPv6 Relay Denial of Service Vulnerability
• Cisco Wireless LAN Controller Denial of Service Vulnerability
• Cisco Wireless LAN Controller HTTP Parsing Denial of Service Vulnerability
• Multiple Cisco Products libSRTP Denial of Service Vulnerability

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: April 19, 2016

Oracle has released its Critical Patch Update for April 2016 to address 136 vulnerabilities across multiple products. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review the Oracle April 2016 Critical Patch Update and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: April 19, 2016

Symantec has released security updates to address vulnerabilities in its Messaging Gateway (SMG) Appliance software. Exploitation of one of these vulnerabilities could allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review Symantec Security Advisory and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: April 18, 2016

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

• High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

• Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

• Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: April 14, 2016

VMware has released security updates to address a vulnerability in vCenter Server, vCloud Director, vRealize Automation Identity Appliance, and the Client Integration Plugin. Exploitation of this vulnerability may allow a remote attacker to obtain sensitive information.

Users and administrators are encouraged to review VMware Security Advisory VMSA-2016-0004 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: April 14, 2016

Systems Affected

Microsoft Windows with Apple QuickTime installed

Overview

According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation. [1]

Description

All software products have a lifecycle. Apple will no longer be providing security updates for QuickTime for Windows. [1]

The Zero Day Initiative has issued advisories for two vulnerabilities found in QuickTime for Windows. [2] [3]

Impact

Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems.

Solution

Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows. Users can find instructions for uninstalling QuickTime for Windows on the Apple Uninstall QuickTime page. [4]

References

• [1] Trend Micro – Urgent Call to Action: Uninstall QuickTime for Windows Today
• [2] Zero Day Initiative Advisory ZDI 16-241: (0Day) Apple QuickTime moov Atom Heap Corruption Remote Code Execution Vulnerabilit
• [3] Zero Day Initiative Advisory ZDI 16-242: (0Day) Apple QuickTime Atom Processing Heap Corruption Remote Code Execution Vulner
• [4] Apple – Uninstall QuickTime 7 for Windows

Revision History

• April 14, 2016: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: April 13, 2016

The Internal Revenue Service (IRS) has issued a press release to warn of a potential increase in scams targeting taxpayers around the April 18 tax deadline. Before and after the deadline, scammers may tempt or pressure taxpayers into revealing personal information. US-CERT and IRS recommend taxpayers prepare for heightened risk this tax season and remain vigilant year-round.

US-CERT encourages users and administrators to review the IRS news release for details and refer to US-CERT Security Tip ST15-001 for information on tax-themed phishing attacks.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: April 13, 2016

Google has released Chrome version 50.0.2661.75 to address multiple vulnerabilities for Windows, Mac, and Linux. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review the Chrome Releases page and apply the necessary update.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: April 13, 2016

Cisco has released a security update to address a vulnerability in its Cisco Unified Computing System (UCS) Central Software. Exploitation of this vulnerability could allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review the Cisco Security Advisory and apply the necessary update.

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: April 12, 2016

The Samba Team has released security updates that address vulnerabilities, collectively known as Badlock, affecting both Windows operating systems and Samba in UNIX-like platforms. Exploitation of these vulnerabilities may allow a remote attacker to take control of an affected system or create a denial-of-service condition.

Users and administrators are encouraged to review Samba Release News and Vulnerability Note VU#813296 for more information and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.